About Dynamic Groups (CornellAD Group Management)
This article applies to: Group Management
Setting up a dynamic group can be a complicated process. CIT's Identity Management group will be happy to help you.
The simplest way to make someone (or an object) a member of a group is to add them to that group manually. If conditions change and they should no longer be a member, you remove them manually.
Dynamic groups allow for membership to be determined automatically, based on criteria you have specified. (A related concept is Temporal group membership, where you can specify a beginning and/or ending date for membership.)
The term "dynamic group" can be confusing because, at a simple level, group membership can change automatically even when the group is not a dynamic group. This occurs when you make a group a member of another group. For example, let's say you had a group called SaturdayWorkers (with members Phil and Dolores) and a group called WeekendWorkers. By making SaturdayWorkers a member of the WeekendWorkers group, Phil and Dolores automatically become members of WeekendWorkers. If you remove Phil from SaturdayWorkers, he will no longer be a member of WeekendWorkers.
More complex relationships among groups are possible by using the ARS Console (not the web interface) to explicitly make a group into a dynamic group and then defining the rules for group membership. Once a group has been made a dynamic group, you cannot add members to it manually.
To give some examples, you can use dynamic groups to create a group where, to be a member, a person or object must be:
- a member of GroupA and GroupB
- a member of GroupA or GroupB
- a member of GroupA but not a member of GroupB
In all these cases, as the membership of GroupA or GroupB changes, the membership of the dynamic group will change appropriately.
You can also use dynamic groups to grab a "snapshot" of the membership of another group. This snapshot group will have a static list of members, regardless of changes made to the underlying group.
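The following is a small model of the membership logic described above. It is an example added here, not ARS or CornellAD code. It expands nested groups, evaluates the three example rules, and shows a snapshot staying fixed after the underlying group changes. SundayWorkers, Ravi, and all function names are constructed for the illustration.

```python
# Constructed sample data: group -> direct members (users or nested groups).
# SundayWorkers and Ravi are made up for this example.
DIRECTORY = {
    "SaturdayWorkers": {"Phil", "Dolores"},
    "SundayWorkers": {"Dolores", "Ravi"},
    "WeekendWorkers": {"SaturdayWorkers", "SundayWorkers"},
}

def expand(group, directory, _seen=None):
    """Return the users in `group`, following nested groups transitively."""
    seen = set() if _seen is None else _seen
    if group in seen:  # guard: a nesting loop must not recurse forever
        return set()
    seen.add(group)
    users = set()
    for member in directory.get(group, ()):
        if member in directory:  # member is itself a group
            users |= expand(member, directory, seen)
        else:
            users.add(member)
    return users

# The three example rules, as set operations on the expanded memberships.
RULES = {
    "A and B": lambda a, b: a & b,
    "A or B": lambda a, b: a | b,
    "A but not B": lambda a, b: a - b,
}

def evaluate(rule, group_a, group_b, directory):
    """Membership a dynamic group with this rule would have right now."""
    return RULES[rule](expand(group_a, directory), expand(group_b, directory))

def demo():
    d = {name: set(members) for name, members in DIRECTORY.items()}
    snapshot = frozenset(expand("WeekendWorkers", d))  # static copy
    before = {r: evaluate(r, "SaturdayWorkers", "SundayWorkers", d) for r in RULES}
    d["SaturdayWorkers"].discard("Phil")  # the underlying group changes
    after = {r: evaluate(r, "SaturdayWorkers", "SundayWorkers", d) for r in RULES}
    return snapshot, before, after, expand("WeekendWorkers", d)

if __name__ == "__main__":
    snapshot, before, after, weekend_now = demo()
    for rule in RULES:
        print(f"{rule}: {sorted(before[rule])} -> {sorted(after[rule])}")
    print("WeekendWorkers now:", sorted(weekend_now))
    print("snapshot (unchanged):", sorted(snapshot))
```

In the output, Phil drops out of every rule-based result and out of WeekendWorkers as soon as he leaves SaturdayWorkers, while the snapshot still lists him.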