Group membership should be used to reduce the number of aclEntry and entryOwner values required in the directory. When considering groups, one must consider the choice of dynamic groups versus static groups.

When using filtered access control, the union, intersect, and replace operators can be leveraged to reduce the number of aclEntry values required in the directory. Instead of trying to have an aclEntry value for every possible situation dictated by the client's dynamic information, an incremental approach can be used such that all cases can be covered with a minimal number of values.

The GetEffectiveAcl extended operation should be leveraged to verify the configuration, even if not using filtered access control.

5.5 Groups and group gathering in IBM Tivoli Directory Server for z/OS

To help simplify authorizing users to entries in the LDBM, TDBM, and CDBM back ends, an LDAP administrator can place similar users (such as those in the same department or project) into static, dynamic, or nested groups, and then authorize those groups to the desired resources in the directory. See 5.4, "Authorization using Tivoli Directory Server Access Control Lists (ACL)" on page 108 for more information about authorization.

This section discusses:

1. The supported LDAP static, dynamic, and nested groups
2. How to query group membership
3. The pros and cons of static, dynamic, and nested groups
4. How group gathering works after successfully authenticating to the LDAP server