Crowd 2.0 : Nested Groups in Crowd
This page last changed on Jul 29, 2009 by smaddox.
This page describes the way Crowd handles nested groups, i.e. groups which contain other groups as members and groups which are members of other groups.
Summary of Nested Groups in Crowd

Some user directories allow you to define a group as a member of another group. Groups in such a structure are called 'nested groups'. In Crowd, you can map any group to an application, including a group which contains other groups.

Crowd supports nested groups for LDAP directory connectors, Crowd internal directories, Delegated Authentication directories and custom directories. You can enable or disable support for nested groups on each directory individually. For more information, refer to the documentation on configuring a directory.

Here's the effect on authorisation and presentation of group members to integrated applications:
The rest of this page describes the above functionality in more detail. In addition, you can follow the instructions to:

Definition of Nested Groups

A 'nested group' is a group which is a member of another group. If you are using groups to manage permissions, you can create nested groups to allow inheritance of permissions from one group to its sub-groups.

In an LDAP directory, a nested group is defined as a child group entry whose DN (Distinguished Name) is referenced by an attribute contained within a parent group entry.
member=CN=John Smith,OU=Users,OU=OrgUnitA,DC=sub,DC=domain
member=CN=Group Two,OU=OrgUnitBGroups,OU=OrgUnitB,DC=sub,DC=domain

Supported Directory Types

Crowd supports nested groups for the following directory types:
The directory importer does not support nested groups when importing users, groups and roles from LDAP into a delegated authentication directory. See CWD-1334.

Group Management via the Crowd Administration Console

The Crowd administrator can view group memberships, add a group as a member of another group, and remove a group's membership of another group.

Verifying a User's Access to an Application

When verifying a user's login to an integrated application, Crowd will search the groups mapped to the application, plus all their sub-groups. If the username exists in one of the groups, Crowd will allow the user access to the application.

Presenting Flattened Lists of Users to Integrated Applications

Integrated applications may ask Crowd for a list of members in a group. Crowd will present all users who are members of the group and all users belonging to its sub-groups, consolidated into one list. We call this list a 'flattened' group. This is necessary because many integrated applications do not understand the concept of nested groups. For that reason, Crowd makes the nesting transparent to integrated applications.
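The access check and the flattened list described above can be modelled in a few lines. This is an added example, not Crowd's own code: the directory contents, group names and function names are constructed for illustration, and the handling of a membership cycle is an assumption that goes beyond what this page states. The last function is an audit helper that lists users who reach an application only through a sub-group.

```python
from collections import deque

# Constructed sample directory (not real data): direct users and direct sub-groups.
DIRECTORY = {
    "jira-users":  {"users": {"alice"}, "groups": {"developers", "testers"}},
    "developers":  {"users": {"bob"},   "groups": {"contractors"}},
    "testers":     {"users": {"carol"}, "groups": set()},
    # Constructed cycle (contractors -> developers) to show the walk terminates.
    "contractors": {"users": {"dave"},  "groups": {"developers"}},
    "finance":     {"users": {"erin"},  "groups": set()},
}

def reachable_groups(directory, roots):
    """Return the given groups plus all their sub-groups, expanding each once."""
    seen, queue = set(), deque(roots)
    while queue:
        name = queue.popleft()
        if name in seen or name not in directory:
            continue  # already expanded (cycle) or dangling reference
        seen.add(name)
        queue.extend(directory[name]["groups"])
    return seen

def flattened_members(directory, group):
    """Users of the group and of every sub-group, consolidated into one list."""
    users = set()
    for name in reachable_groups(directory, [group]):
        users |= directory[name]["users"]
    return sorted(users)

def can_access(directory, mapped_groups, username):
    """True if the user is in a mapped group or any of its sub-groups."""
    return any(username in directory[name]["users"]
               for name in reachable_groups(directory, mapped_groups))

def inherited_access(directory, mapped_groups):
    """Audit view: users admitted only through nesting, with the granting sub-groups."""
    mapped = {g for g in mapped_groups if g in directory}
    direct = set().union(*(directory[g]["users"] for g in mapped))
    report = {}
    for name in reachable_groups(directory, mapped) - mapped:
        for user in directory[name]["users"] - direct:
            report.setdefault(user, []).append(name)
    return {user: sorted(groups) for user, groups in sorted(report.items())}

if __name__ == "__main__":
    print(flattened_members(DIRECTORY, "jira-users"))
    print(inherited_access(DIRECTORY, ["jira-users"]))
```

Reviewing the output of `inherited_access` for each application mapping shows which accounts would lose access if a sub-group membership were removed.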
Recommendation: Enable External User Management

If you have JIRA, Confluence, Bamboo, FishEye or Crucible connected to Crowd, and you have nested groups in your directory, we recommend that you turn on external user management, via the administration screen of the integrated application. This will avoid confusion in the user-management screens of the integrated application, since these applications do not understand the concept of nested groups.
If an integrated application adds a user to a flattened group, the user is added to the named group and not to any of its sub-groups.
If an integrated application attempts to remove a user from a flattened group, Crowd will do the following:
Document generated by Confluence on Jul 30, 2009 01:29