4.8 Nested Groups

By default, when the Metadirectory engine reads or searches the Member and Group Membership attributes of Identity Vault objects, it returns only the "static" values. Static values are objects that received group membership by direct assignment to the group rather than by inherited assignment through a nested group.

If you want the Metadirectory engine’s searches to return values inherited through nested groups, you can create policies (and stylesheets) that search for and read the "calculated" values for the Member and Group Membership attributes. Calculated values include objects that are either 1) statically assigned membership or 2) dynamically assigned membership by virtue of the nested group and the dynamic group hierarchy calculations used by eDirectory. You implement this behavior in policies and stylesheets by using the following pseudo attributes: [pseudo].Member and [pseudo].Group Membership. A single query operation can contain only the pseudo attributes or only the real attributes; mixing the two kinds in the same query results in an error.
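The difference between static and calculated values matters for access reviews, because a static read of Member misses everyone who holds membership through a nested group. The following added example (not Identity Manager code, and not how the engine is implemented) models the two read modes and the no-mixing rule in Python; the directory contents, DNs and function names are constructed for illustration, and only nested-group inheritance is modeled.

```python
# Constructed sample data: group DN -> directly (statically) assigned members.
STATIC_MEMBERS = {
    "cn=Admins,o=acme": ["cn=alice,o=acme", "cn=Ops,o=acme"],
    "cn=Ops,o=acme": ["cn=bob,o=acme", "cn=OnCall,o=acme"],
    # OnCall nests Admins again, so the hierarchy contains a cycle.
    "cn=OnCall,o=acme": ["cn=carol,o=acme", "cn=Admins,o=acme"],
}
PSEUDO_PREFIX = "[pseudo]."


def check_query_attrs(attrs):
    """Return True for an all-pseudo query, False for an all-real query.

    A query that mixes pseudo and real attributes is rejected, mirroring
    the rule stated in the text.
    """
    pseudo = [a.startswith(PSEUDO_PREFIX) for a in attrs]
    if any(pseudo) and not all(pseudo):
        raise ValueError("query mixes pseudo and real attributes")
    return bool(attrs) and all(pseudo)


def calculated_members(group, directory):
    """Static members plus everything inherited through nested groups."""
    seen, stack, result = {group}, [group], set()
    while stack:
        for member in directory.get(stack.pop(), []):
            result.add(member)
            # A member that is itself a group is expanded once (cycle-safe).
            if member in directory and member not in seen:
                seen.add(member)
                stack.append(member)
    result.discard(group)  # a cycle must not make a group its own member
    return result


def read_members(group, attrs, directory=STATIC_MEMBERS):
    """Model of a Member read: static by default, calculated for pseudo."""
    if check_query_attrs(attrs):
        return calculated_members(group, directory)
    return set(directory.get(group, []))


if __name__ == "__main__":
    admins = "cn=Admins,o=acme"
    static = read_members(admins, ["Member"])
    calculated = read_members(admins, ["[pseudo].Member"])
    # Entries an audit based on static values alone would never see.
    print("inherited only:", sorted(calculated - static))
```
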

If you want to change the Metadirectory engine default so that it always searches for and reads the “calculated” values for the Member and Group Membership attributes, use the Revert to Calculated Membership Value Behavior engine control value. Changing this value causes the Metadirectory engine to revert to the method used prior to Identity Manager 3.6.1. In pre-3.6.1 versions, the Metadirectory engine's search of the Member and Group Membership attributes retrieved all "calculated" values. For information about changing the value, see Driver Properties in the Identity Manager 3.6.1 Common Driver Administration Guide.