Define computed group membership in Global Identity Builder
The virtual view of group entries needs a computed attribute defined for the membership attribute. Steps to define a computed attribute are described in this section.
- With the `ou=ADDomain1` level selected, select the Objects tab.
- In the Primary Object section, select Add.
- Select the object class associated with the group entries in the backend directory (for example, `group`) and select OK.
- Select the group object class in the Primary Object table and select Edit next to Define Computed Attributes (at the bottom).
- Select Add.
- Enter the computed attribute name. Since the existing groups maintain members in the `member` attribute, this should be the computed attribute name.
- For the expression to compute the `member` attribute, select Function.
- Select the `remapDN(attr2remap,dataSourceID,externalBaseDN,scope,externalIdAttr)` function and select OK.
- Select the `member` attribute as the `attr2remap` attribute. This is the existing group entry attribute that contains the information needed to look up the member in the global profile view.
- Select vds as the data source ID.
- Check the External Base DN option and enter the container where the global profile view was mounted below the `ou=Users` described in this chapter (for example, `ou=Users,o=rli`).
- The `externalIdAttr` attribute must be the one in the global profile that contains the value matching the RDN in the existing group member DNs. In this example, it is the `cn` attribute.
- Select OK.
- Select Validate.
- Select OK and OK again to exit the computed attributes window.
- Select Save.
- Select Yes to apply the changes to the server.
- On the Objects tab, in the Virtual Attribute Name table, select the `member` attribute. Note that the attribute is populated from both the primary backend and a computed attribute. To avoid returning the existing actual member DNs and return only the computed value, select Edit Attribute.
- In the Priority drop-down list for the GLOBAL (Computed) origin, choose Highest (or High, as long as the value has more priority than the one assigned to the group origin).
- Select OK.
- Select Save.
- Select Yes to apply the changes to the server.
- Repeat steps 1-22 for the container representing the groups in the second backend directory.
Remapped Global Identity Builder group membership
After defining a computed attribute, you can get a runtime view of the result from the Main Control Panel > Directory Browser.
In the following example, a global profile identity, `Don Jacobs`, is selected. Note that his DN in the virtual namespace is: `vuid=2dce80b7-055f-48b4-90c1-474a555d53a4,ou=Users,o=rli`.
Before RadiantOne is configured to compute the `member` attribute for groups, you can see in the following screen that `Don Jacobs` is a member of the `Accounting` group in the `ADDomain1` backend.
After RadiantOne is configured to compute the group members, you can see that Don Jacobs' DN associated with his global profile identity is returned as an `Accounting` group member. This is essential: client applications that identify and authenticate Don Jacobs with a DN of `vuid=2dce80b7-055f-48b4-90c1-474a555d53a4,ou=Users,o=rli` must be able to find the groups he is a member of in order to enforce authorization and personalization.
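The lookup configured above (RDN value of each backend `member` DN matched against `externalIdAttr` under `externalBaseDN`), modelled as an added Python example that is not RadiantOne code and not the product's implementation. The backend DN suffixes, the placeholder `vuid` values other than Don Jacobs', and the separate reporting of unresolved and ambiguous members are assumptions; `scope` and `dataSourceID` are not modelled.

```python
import re
# Constructed global profile view; only Don Jacobs' DN comes from the page.
GLOBAL_PROFILES = [
    {"dn": "vuid=2dce80b7-055f-48b4-90c1-474a555d53a4,ou=Users,o=rli", "cn": "Don Jacobs"},
    {"dn": "vuid=00000000-0000-0000-0000-000000000001,ou=Users,o=rli", "cn": "Smith, Ann"},
    {"dn": "vuid=00000000-0000-0000-0000-000000000002,ou=Users,o=rli", "cn": "Sam Lee"},
    {"dn": "vuid=00000000-0000-0000-0000-000000000003,ou=Users,o=rli", "cn": "Sam Lee"},
]
# Constructed member values of the Accounting group in the ADDomain1 backend.
ACCOUNTING_MEMBERS = [
    "CN=Don Jacobs,CN=Users,DC=addomain1,DC=example",
    "CN=Smith\\, Ann,CN=Users,DC=addomain1,DC=example",   # escaped comma in the RDN
    "CN=Sam Lee,CN=Users,DC=addomain1,DC=example",        # cn shared by two profiles
    "CN=Old Account,CN=Users,DC=addomain1,DC=example",    # no global profile
]

def first_rdn_value(dn):
    """Unescaped value of the leftmost RDN (RFC 4514 escapes, ASCII hex pairs only)."""
    out, i = [], dn.index("=") + 1
    while i < len(dn) and dn[i] not in ",+":
        if dn[i] != "\\":
            out.append(dn[i])
            i += 1
        elif re.fullmatch(r"[0-9A-Fa-f]{2}", dn[i + 1:i + 3]):
            out.append(chr(int(dn[i + 1:i + 3], 16)))   # \2C style escape
            i += 3
        else:
            out.append(dn[i + 1:i + 2])                 # \, style escape
            i += 2
    return "".join(out)

def remap_members(members, profiles, external_base_dn, external_id_attr):
    """Map each backend member DN to the DN of the one matching global profile."""
    remapped, unresolved, ambiguous = [], [], []
    suffix = "," + external_base_dn.lower()
    for member in members:
        key = first_rdn_value(member).lower()           # cn compares case-insensitively
        hits = [p["dn"] for p in profiles if p["dn"].lower().endswith(suffix)
                and p.get(external_id_attr, "").lower() == key]
        if len(hits) == 1:
            remapped.append(hits[0])
        elif hits:
            ambiguous.append(member)    # value is not unique: do not guess an identity
        else:
            unresolved.append(member)   # no global profile carries this value
    return remapped, unresolved, ambiguous
```

Running the same comparison against an export of real group members before raising the computed attribute's priority shows which memberships depend on a `cn` value that is missing or not unique in the global profile.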
To learn more about Global Identity Builder, please read the chapter that describes how to integrate and configure a Global Identity Builder custom data source.