Use nested groups with caution in Oracle Access Manager for authorization

One can specify which users/groups can be authorized to access an application using Oracle Access Manager.

In general there are 3 types of group memberships allowed in the directory server:

  • Static group membershipIn this type of group, each user is explicitly defined as a member.
  • Dynamic group membershipThis type of membership is defined by an LDAP rule. Each user that satisfies this LDAP rule is a member of the group.
  • Nested group membershipA nested group consists of one or more static groups, dynamic groups, or both.

The way you can authorize groups in Authorization Rule (of Policy Domain) is shown in the below screenshot.

Hardly you will notice the Groups tab here.

However, from the performance  perspective one has to be very careful while specifying authorization to groups.Dynamic Groups will provide better performance than Static and Nested groups.

Try to avoid Nested group membership if possible.

If your environment does not have nested groups at all, then you can turn off a parameter to improve the performance.

The parameter that we are talking about is this TurnOffNestedGroupEvaluation.

You can see this parameter in the globalparams.xml file of Access Server installed location $OAM_Access_Server/access/oblix/apps/common/bin. If you have multiple access servers, modifying this parameter in all the access servers.

I have got you a screenshot of this param default value  in this file globalparams.xml.

To turn off this parameter, change the value to true as shown below.

Restart the access servers for this parameter to take effect.

Helpful Docs:

Oracle Documentation

Share This Post with Your Friends over Social Media!

About the Author Mahendra

I am engulfed in Oracle Identity & Access Management domain. I have expertise on providing the optimized solutions for user provisioning, web access management, Single Sign-On and federation capabilities etc., I am also well versed with complex integrations within Identity Management and other product domains. I have expertise on building demos and implementation experience on products Oracle Access Manager, Oracle Adaptive Access Manager, Oracle Entitlement Server, Oracle Virtual Directory, Oracle Internet Directory etc., Look @ my blog:

Leave a Comment:

Atul Kumar says October 28, 2010

Thanks Mahendra , very useful post.

Add Your Reply