RapidIdentity Product Guide: Legacy UI

Membership
Static Membership

When the Membership tab is accessed, Static Membership is the initial starting point. Static Membership allows a Role owner to include or exclude users individually. To populate the inclusion or exclusion boxes, click the plus sign icon. When the plus icon is selected, viable search input includes First Name, Last Name, or Email address. To remove a user, click the desired user first and then click the minus icon.

The purpose of a Static Exclusion is to override the status of a Role member added with Dynamic Inclusion but needs to be removed from the Role membership list.

Static Membership limitations

RapidIdentity Portal currently imposes an upper limit of 500 with respect to the static membership size. Roles that include relatively long user DNs will exhaust the attribute in Active Directory, and the limit will occur at a value less than 500.

To facilitate scalability, one recommendation is to use Static Membership for exceptions and to use a dynamic role to create role membership. With this approach, the dynamic role would look for a specific attribute whose only purpose is to define membership for that role. This attribute would then be included in the Dynamic Include Filter. One possible attribute is idautoPersonAppRoles1.

Dynamic Membership

Dynamic Membership allows a Role owner to add members to a Role based on attributes in their user profile; the benefit is to create department Roles quickly. For example, a Role can be formed within the directory where only members with 'HR' listed as their department will be added. The filtering attribute is limited only by the information available in the base user profile.

dynamic_membership1.png

The purpose of a Dynamic Exclusion is to exclude subsets of users that match the Dynamic Inclusion filtering attribute but are not wanted in the Role membership list. In the previous example of a Role with all HR department members included, any user that is a member of the HR department but works in building 250 can be excluded based on office location.

Prior to saving, Role Membership can be previewed by clicking the Preview Membership button.

preview_membership.png

Membership Inclusion/Exclusion Hierarchy

Members will be included and excluded from a Role based on the following action hierarchy.

  1. All members who fit the Dynamic Inclusion filter will be added.

  2. All members who fit the Dynamic Exclusion filter will then be removed.

  3. All statically included members will be added back to the list.

  4. Finally, all statically excluded members will be removed.