Entries in an LDAP directory are organized in a tree-like structure called the Directory Information Tree (DIT). The user management engine (UME) supports two methods of arranging users and groups in a DIT in the corporate LDAP directory: a hierarchy in which each group is a tree with its users as entries below it, and a flat hierarchy in which users and groups are kept in separate branches.
The main characteristic of the first method, in which a group is a tree, is that users are entries below the group of which they are a member.
The disadvantage of this schema is that a user can only appear at one point in the directory tree and can therefore only be a member of one group and its supergroups (the groups above it in the tree). You cannot change this group assignment with identity management or the UME API.
The following figure illustrates a schema where a group is a tree.
In a flat hierarchy, the DIT has separate branches for user and group data. Each group must have an attribute that lists the members of that group, for example by providing the user IDs of the members.
You can include an attribute in the people branch that lists the groups of which that person is a member. The UME can use this attribute to increase performance, for example during logon. We recommend that you only do this if your LDAP directory server automatically maintains such an is-member-of attribute on the person entry. Maintaining the group branch and the people branch independently of each other has a high potential for creating inconsistencies.
This structure has the advantage that a user can be a member of more than one group. The disadvantage is that when you add a user to the hierarchy, the user is not assigned to any groups. The administrator must assign groups explicitly.
The following figure illustrates a simple example of a flat hierarchy where each group has an attribute listing the members of that group. More complex trees containing more than one people or group branch are also possible.
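The following is an added example, not code from the SAP documentation or the UME, that makes the two layouts concrete and shows the consistency check the recommendation above implies. It parses two constructed LDIF fragments: in the first, a group is a tree and a user's memberships are read off the group entries above it in the DIT; in the second, a flat hierarchy, memberships come from the `member` attribute on each group, and the `memberOf` attribute on the person entries is compared against that to flag drift between the two branches. The base DN `o=example`, the `ou=People` and `ou=Groups` branches, and the use of `groupOfNames`, `inetOrgPerson`, `member` and `memberOf` are assumptions chosen for the sample; the attribute and object class names in a real directory depend on its schema.

```python
"""Group membership for the two UME DIT layouts (added example, constructed data)."""
from collections import defaultdict

# Constructed sample: a group is a tree, users sit below their group.
DEEP_LDIF = """
dn: o=example
objectClass: organization

dn: cn=Sales,o=example
objectClass: groupOfNames

dn: cn=EMEA,cn=Sales,o=example
objectClass: groupOfNames

dn: uid=alice,cn=EMEA,cn=Sales,o=example
objectClass: inetOrgPerson
uid: alice
"""

# Constructed sample: flat hierarchy with separate people and group branches.
# alice's memberOf claims a group that does not list her; bob has no memberOf at all.
FLAT_LDIF = """
dn: ou=People,o=example
objectClass: organizationalUnit

dn: uid=alice,ou=People,o=example
objectClass: inetOrgPerson
uid: alice
memberOf: cn=Sales,ou=Groups,o=example
memberOf: cn=Marketing,ou=Groups,o=example
memberOf: cn=Support,ou=Groups,o=example

dn: uid=bob,ou=People,o=example
objectClass: inetOrgPerson
uid: bob

dn: ou=Groups,o=example
objectClass: organizationalUnit

dn: cn=Sales,ou=Groups,o=example
objectClass: groupOfNames
member: uid=alice,ou=People,o=example
member: uid=bob,ou=People,o=example

dn: cn=Marketing,ou=Groups,o=example
objectClass: groupOfNames
member: uid=alice,ou=People,o=example
"""


def parse_ldif(text):
    """Minimal LDIF parser for the samples: blank-line separated entries,
    one 'attr: value' per line. Returns a list of (dn, {attr: [values]})."""
    entries, dn, attrs = [], None, defaultdict(list)
    for line in text.splitlines():
        line = line.rstrip()
        if not line:                       # entry boundary
            if dn is not None:
                entries.append((dn, dict(attrs)))
            dn, attrs = None, defaultdict(list)
            continue
        key, _, value = line.partition(": ")
        if key == "dn":
            dn = value
        else:
            attrs[key].append(value)
    if dn is not None:
        entries.append((dn, dict(attrs)))
    return entries


def deep_memberships(entries):
    """Tree layout: a user's groups are the group entries above it in the DIT,
    nearest first. Membership is fixed by the user's position, not by an attribute."""
    by_dn = {dn: attrs for dn, attrs in entries}
    result = {}
    for dn, attrs in entries:
        if "inetOrgPerson" not in attrs.get("objectClass", []):
            continue
        parts = [p.strip() for p in dn.split(",")]
        ancestors = [",".join(parts[i:]) for i in range(1, len(parts))]
        result[dn] = [a for a in ancestors
                      if "groupOfNames" in by_dn.get(a, {}).get("objectClass", [])]
    return result


def flat_memberships(entries):
    """Flat layout: membership is whatever the group branch's member attributes say."""
    result = defaultdict(list)
    for dn, attrs in entries:
        if "groupOfNames" in attrs.get("objectClass", []):
            for user_dn in attrs.get("member", []):
                result[user_dn].append(dn)
    return dict(result)


def find_memberof_drift(entries):
    """Compare each person's memberOf attribute with the group branch.
    Returns {user_dn: (groups missing from memberOf, stale groups in memberOf)}
    for every user whose two views disagree; an empty dict means consistent."""
    from_groups = flat_memberships(entries)
    drift = {}
    for dn, attrs in entries:
        if "inetOrgPerson" not in attrs.get("objectClass", []):
            continue
        claimed = set(attrs.get("memberOf", []))
        actual = set(from_groups.get(dn, []))
        if claimed != actual:
            drift[dn] = (sorted(actual - claimed), sorted(claimed - actual))
    return drift


if __name__ == "__main__":
    print("tree layout:", deep_memberships(parse_ldif(DEEP_LDIF)))
    print("flat layout:", flat_memberships(parse_ldif(FLAT_LDIF)))
    print("drift:", find_memberof_drift(parse_ldif(FLAT_LDIF)))
```

In the tree sample, alice's only possible memberships are `cn=EMEA` and its supergroup `cn=Sales`, which is exactly the limitation the text describes. In the flat sample, the drift check reports bob as a Sales member with no `memberOf` entry and alice as claiming a Support membership the group branch does not grant; this is the kind of inconsistency that arises when the two branches are maintained separately, and it is why the recommendation is to rely on an is-member-of attribute only when the server maintains it itself.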