User Access Manager Help >> Operation Guide >> User Access Policy >> LDAP Service >> Sync Policy >> Supplement About Relationships Between LDAP Groups and Services

Supplement About Relationships Between LDAP Groups and Services

Suppose that the following group structure exists on the LDAP server:

Query Level Examples

In the above figure, A has three children (B1 to B3), B1 has three children of its own (C1 to C3), and so on. The service query level number increases in the direction from child to parent. For example, for users in C1, C1 is at Level 1, B1 is at Level 2, and A is at Level 3. Users in C1 have nothing to do with C2. For users in B1, B1 is at Level 1, A is at Level 2. Users in B1 have nothing to do with C1 and B2. A level having a smaller level number is closer to the user.

Service Priority Examples

During AD group-based synchronization, you can set a priority of an AD group. In the above figure, if a user belongs to both group C1 and group C2 and the two groups are configured in LDAP synchronization policy configuration, the user will use the service configured for the AD group with a higher priority.

Precautions

• The group a user belongs to is also counted when calculating the service query levels. For example, for users in C1, the service query level of C1 is 1, that of B1 is 2, and so on. If only A is configured with a service and the service query level limit is 2, users in C1 will use the default service. This is because A has a service query level of 3, which is beyond the service query level limit of 2.
• If a user belongs to more than one groups, the system will request the service that is closest to the user and is of the highest priority for the user.
• Too complex an LDAP group structure may result in search confusion and is therefore not recommended.