PingDirectory

Managing groups

The administrative scope for users determines which users are visible to the group administrator.

You can use dsconfig to delegate a user as a group administrator. An administrator can be configured to edit users and manage group memberships. When configuring an administrator, consider the following:

  • The group administrator can view the users within the user administrative scope and add them to, or remove them from, the membership of any group within the group administrative scope.

  • Static groups can be nested.

  • Users who belong indirectly to a group through nesting are visible as group members but cannot be removed.

  • Users can be removed only from the groups of which they are a member. For example, an Employees group might include a Developers group as a nested member. In this scenario, a user in the Developers group is a direct member of that group and an indirect member of Employees. This member can be removed only when viewing the Developers group, not when viewing the Employees group.

  • If a group is configured as a dynamic or virtual static group rather than a static group, then the group and its members are visible, but the group membership cannot be modified.

Example

In the following example, admin1 is delegated full management of groups under ou=Groups,dc=example,dc=com, and all users in the subtree ou=org1,dc=example,dc=com are visible (read-only) to that administrator:

$ bin/dsconfig create-delegated-admin-rights \
  --rights-name group-admin1 \
  --set "admin-user-dn:uid=admin1,ou=people,dc=example,dc=com" \
  --set enabled:true

$ bin/dsconfig create-delegated-admin-resource-rights \
  --rights-name group-admin1 \
  --rest-resource-type groups \
  --set admin-scope:resources-in-specific-subtrees \
  --set "resource-subtree:ou=Groups,dc=example,dc=com" \
  --set admin-permission:manage-group-membership \
  --set admin-permission:create \
  --set admin-permission:read \
  --set admin-permission:update \
  --set admin-permission:delete \
  --set enabled:true

$ bin/dsconfig create-delegated-admin-resource-rights \
  --rights-name group-admin1 \
  --rest-resource-type users \
  --set admin-scope:resources-in-specific-subtrees \
  --set "resource-subtree:ou=org1,dc=example,dc=com" \
  --set admin-permission:read \
  --set enabled:true
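The membership rules in the list above (nested static groups, direct versus indirect members, read-only dynamic groups) and the two administrative scopes in the dsconfig example are easy to misread, so here is a small model of them. It is an added illustration, not PingDirectory or Delegated Admin code: the group entries are a constructed LDIF sample, the two subtrees are taken from the example above, and DN handling is simplified (components compared case-insensitively, escaped commas in RDN values unsupported). The point it shows is why bob can be removed when viewing Developers but not when viewing Employees: the Employees entry holds the Developers group DN, not bob's DN.

```python
"""Model of the delegated group-administrator rules in this section.

Added illustration, not PingDirectory or Delegated Admin code. Entries are a
constructed LDIF sample; the subtrees are the ones from the dsconfig example.
DN handling is simplified: components are compared case-insensitively and
escaped commas in RDN values are not supported.
"""

GROUP_SUBTREE = "ou=Groups,dc=example,dc=com"   # groups resource-subtree (from the example)
USER_SUBTREE = "ou=org1,dc=example,dc=com"      # users resource-subtree (from the example)

# Constructed sample: Employees nests Developers; Everyone is a dynamic group;
# carol lives outside the user scope to show an out-of-scope member.
SAMPLE_LDIF = """\
dn: cn=Employees,ou=Groups,dc=example,dc=com
objectClass: groupOfUniqueNames
cn: Employees
uniqueMember: uid=alice,ou=org1,dc=example,dc=com
uniqueMember: cn=Developers,ou=Groups,dc=example,dc=com

dn: cn=Developers,ou=Groups,dc=example,dc=com
objectClass: groupOfUniqueNames
cn: Developers
uniqueMember: uid=bob,ou=org1,dc=example,dc=com
uniqueMember: uid=carol,ou=org2,dc=example,dc=com

dn: cn=Everyone,ou=Groups,dc=example,dc=com
objectClass: groupOfURLs
cn: Everyone
memberURL: ldap:///dc=example,dc=com??sub?(objectClass=person)
"""

STATIC_GROUP_CLASSES = {"groupofuniquenames", "groupofnames"}
MEMBER_ATTRIBUTES = ("uniquemember", "member")


def normalize_dn(dn):
    """Lower-case and trim each DN component so DNs compare reliably."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def in_subtree(dn, base_dn):
    """True if dn equals base_dn or lies beneath it. Components are compared
    one by one, so ou=org10 is not mistaken for a child of ou=org1."""
    parts, base = normalize_dn(dn).split(","), normalize_dn(base_dn).split(",")
    return len(parts) >= len(base) and parts[-len(base):] == base


def parse_ldif(text):
    """Minimal LDIF reader: blank-line-separated entries, one 'attr: value' per line."""
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
        entries[normalize_dn(attrs["dn"][0])] = attrs
    return entries


def is_static_group(entry):
    return any(oc.lower() in STATIC_GROUP_CLASSES for oc in entry.get("objectclass", []))


def effective_members(entries, group_dn, _seen=None):
    """Map member DN -> True for direct members, False for members reached only
    through nested static groups. Nested dynamic groups cannot be expanded
    offline and are skipped; cycles between groups are guarded against."""
    group_dn = normalize_dn(group_dn)
    seen = _seen if _seen is not None else set()
    seen.add(group_dn)
    members = {}
    for attr in MEMBER_ATTRIBUTES:
        for value in entries[group_dn].get(attr, []):
            dn = normalize_dn(value)
            nested = entries.get(dn)
            if nested is None:
                members[dn] = True                      # user entry: direct member
            elif is_static_group(nested) and dn not in seen:
                for user in effective_members(entries, dn, seen):
                    members.setdefault(user, False)     # indirect, unless also direct
            # else: nested dynamic/virtual static group, or a cycle; not expanded
    return members


def can_remove_member(entries, group_dn, user_dn):
    """Apply the documented rules and return (allowed, reason)."""
    group_dn, user_dn = normalize_dn(group_dn), normalize_dn(user_dn)
    if not in_subtree(group_dn, GROUP_SUBTREE):
        return False, "group is outside the groups administrative scope"
    if group_dn not in entries:
        return False, "no such group"
    if not is_static_group(entries[group_dn]):
        return False, "dynamic or virtual static group: membership is read-only"
    if not in_subtree(user_dn, USER_SUBTREE):
        return False, "user is outside the users administrative scope"
    members = effective_members(entries, group_dn)
    if user_dn not in members:
        return False, "user is not a member of this group"
    if not members[user_dn]:
        return False, "indirect member via nesting: remove from the nested group instead"
    return True, "direct member: removal allowed"


ENTRIES = parse_ldif(SAMPLE_LDIF)

if __name__ == "__main__":
    emp = "cn=Employees,ou=Groups,dc=example,dc=com"
    dev = "cn=Developers,ou=Groups,dc=example,dc=com"
    bob = "uid=bob,ou=org1,dc=example,dc=com"
    print(effective_members(ENTRIES, emp))
    print("Employees:", can_remove_member(ENTRIES, emp, bob))
    print("Developers:", can_remove_member(ENTRIES, dev, bob))
```

Running the module prints bob as an indirect member of Employees and a direct member of Developers, with removal refused in the first case and allowed in the second, which is exactly the behaviour described in the bullet list.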

Set group attributes

The default settings for group attributes specify cn and description as group attributes, with cn used for the group title in Delegated Admin. To create the default settings, use the following commands, substituting your own search base DN and parent DN (dc=example,dc=com here). The resource type is created disabled and enabled only after its attributes have been defined:

$ bin/dsconfig create-rest-resource-type \
  --type group \
  --type-name groups \
  --set "display-name:Groups" \
  --set enabled:false \
  --set "search-base-dn:dc=example,dc=com" \
  --set primary-display-attribute-type:cn \
  --set resource-endpoint:groups \
  --set "search-filter-pattern:(cn=%%)" \
  --set structural-ldap-objectclass:groupOfUniqueNames \
  --set "parent-dn:dc=example,dc=com"

$ bin/dsconfig create-delegated-admin-attribute \
  --type-name groups \
  --attribute-type cn \
  --set "display-name:Name"

$ bin/dsconfig create-delegated-admin-attribute \
  --type-name groups \
  --attribute-type description \
  --set "display-name:Description"

$ bin/dsconfig set-rest-resource-type-prop \
  --type-name groups \
  --set enabled:true

Set group search filter

When an administrator enters text to search for groups, the search-filter-pattern property of the groups resource type determines which attributes PingDirectory server searches.

The default pattern, (cn=%%), searches the cn attribute; %% is replaced by the entered text. Make sure every attribute named in the pattern has the index the filter needs (an equality index for an exact match, a substring index if the pattern uses wildcards), so that the search can be satisfied without an unindexed search.

Use the following command to set the group search filter:

$ bin/dsconfig set-rest-resource-type-prop \
  --type-name groups \
  --set 'search-filter-pattern:(cn=%%)'
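Because %% is replaced by text typed by the administrator, whatever performs that substitution has to escape the LDAP filter metacharacters in the text (RFC 4515) so that an entry such as `*)(uid=*` cannot change the structure of the filter. The following is an added illustration of a safe expansion of a search-filter-pattern, not Delegated Admin's own implementation; the pattern strings are taken from this section and the second one is constructed.

```python
# Added illustration of search-filter-pattern expansion with RFC 4515
# escaping. Not Delegated Admin's own code.

# Characters that carry meaning inside an LDAP search filter.
LDAP_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(text):
    """Escape an assertion value for use inside an LDAP filter (RFC 4515)."""
    return "".join(LDAP_FILTER_ESCAPES.get(ch, ch) for ch in text)


def expand_search_filter(pattern, text):
    """Replace every %% in pattern with the escaped search text."""
    if "%%" not in pattern:
        raise ValueError("search-filter-pattern has no %% placeholder")
    return pattern.replace("%%", escape_filter_value(text))


if __name__ == "__main__":
    print(expand_search_filter("(cn=%%)", "Developers"))
    # Constructed pattern with two placeholders and a hostile input:
    print(expand_search_filter("(|(cn=*%%*)(description=*%%*))", "*)(uid=*"))
```

The wildcards that belong to the pattern itself (the `*` around `%%` in the second call) stay in place; only the administrator's text is escaped, which is the distinction an injection-safe expansion has to keep.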

Rename the Members and Nonmembers columns

An administrator can assign custom names for the Members and Nonmembers columns in the Delegated Admin application for the following REST resource types:

  • Groups

  • Users

  • Generic REST resource types

To set these column titles, run dsconfig set-rest-resource-type-prop against the resource type (here users):

$ bin/dsconfig set-rest-resource-type-prop \
  --type-name users \
  --set "members-column-name:<custom member label>" \
  --set "nonmembers-column-name:<custom non member label>"