IBM Support

How to configure nested group support for Microsoft Active Directory

Technote (FAQ)


You want to leverage nested groups for managing access control via the Resource Permissions portlet. How can nested group support be configured for IBM WebSphere Portal when using Microsoft Active Directory as the LDAP server?


While usage of the memberOf attribute can increase performance when determining group membership for a user, it will only return the direct groups for a user. In order to return nested groups for a user, it is important to also leverage the member attribute and set its scope to be nested.

The following is an example snippet from the <wp_profile>/config/cells/<cellname>/wimconfig.xml file which can be used to enable nested group support:


      <config:memberAttributes dummyMember="" name="member" objectClass="group" scope="nested"/>
      <config:membershipAttribute name="memberOf" scope="direct"/>

Related information

MSAD user security attribute including memberOf

Document information

More support for: WebSphere Portal

Software version: 6.1

Operating system(s): AIX, HP-UX, Linux, Solaris, Windows, i5/OS

Software edition: Enable, Express, Extend, Server

Reference #: 1321308

Modified date: 07 April 2009