
Organization of Users and Groups in LDAP Directory

Entries in an LDAP directory are organized in a tree-like structure called the Directory Information Tree (DIT). SAP User Management Engine (UME) supports the following methods of arranging users and groups in a DIT in the corporate LDAP directory:

·       Groups as tree

·       Flat hierarchy

These options for the DIT are described in more detail below.

Groups as Tree (Deep Hierarchy)

The main characteristic of this method of organizing users and groups is that users are entries below the group of which they are a member.

The disadvantage of this schema is that users can only appear at one point in the directory tree and can therefore only be members of one group and its supergroups (the groups above it in the tree).

The following diagram illustrates a schema where a group is a tree.

This graphic is explained in the accompanying text

Flat Hierarchy

In a flat hierarchy, the DIT has separate branches for user and group data. There are two possibilities:

·       either each group has an attribute that lists the members of that group, for example by providing the user IDs of the members

·       or each user in the people branch has an attribute listing the groups that that user is a member of

Whichever option you choose, this structure has the advantage that a user can be a member of more than one group. The disadvantage is that when you add a user to the hierarchy, the user is not assigned to any groups. The administrator must assign groups explicitly.

The following diagram illustrates a simple example of a flat hierarchy where each group has an attribute listing the members of that group. More complex trees containing more than one people or group branch are also possible.

This graphic is explained in the accompanying text
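The following added example (not SAP or UME code) shows how group membership is derived under each layout described above: from the user's position in the tree, from a member attribute on the group, or from a group attribute on the user. All DNs, the `ou` group containers, and the attribute names `uniquemember` and `memberof` are constructed assumptions for illustration.

```python
# Constructed sample data; DNs and attribute names are illustrative assumptions.

def parse_dn(dn):
    """Split a simple DN into lowercase (attr, value) pairs (no escaped commas)."""
    return [tuple(p.strip().lower() for p in rdn.split("=", 1))
            for rdn in dn.split(",")]

def groups_deep(user_dn, base_dn="dc=example,dc=com", group_attr="ou"):
    """Groups as tree: each group container above the user entry is a group.
    Returns the direct group first, then its supergroups."""
    base, rdns = parse_dn(base_dn), parse_dn(user_dn)
    if rdns[-len(base):] != base:
        raise ValueError("user entry is outside the base DN")
    ancestors = rdns[1:len(rdns) - len(base)]  # drop user RDN and base DN
    return [value for attr, value in ancestors if attr == group_attr]

def groups_flat_by_group(user_dn, group_entries, member_attr="uniquemember"):
    """Flat hierarchy, option 1: each group entry lists its members."""
    key = parse_dn(user_dn)  # normalized, so case and spacing do not matter
    return sorted(g["cn"] for g in group_entries
                  if any(parse_dn(m) == key for m in g.get(member_attr, [])))

def groups_flat_by_user(user_entry, group_attr="memberof"):
    """Flat hierarchy, option 2: each user entry lists its groups."""
    return sorted(parse_dn(g)[0][1] for g in user_entry.get(group_attr, []))

DEEP_ALICE = "uid=alice,ou=Payroll,ou=Finance,dc=example,dc=com"
ALICE = "uid=alice,ou=people,dc=example,dc=com"
BOB = "uid=bob,ou=people,dc=example,dc=com"  # newly added user
GROUPS = [
    {"cn": "finance", "uniquemember": [ALICE]},
    {"cn": "auditors", "uniquemember": ["UID=alice, ou=People, dc=example, dc=com"]},
    {"cn": "hr", "uniquemember": []},
]
ALICE_ENTRY = {"dn": ALICE, "memberof": [
    "cn=finance,ou=groups,dc=example,dc=com",
    "cn=auditors,ou=groups,dc=example,dc=com",
]}
BOB_ENTRY = {"dn": BOB}  # no group attribute yet

if __name__ == "__main__":
    # Deep hierarchy: one position in the tree, so one group plus supergroups.
    print("deep :", groups_deep(DEEP_ALICE))
    # Flat hierarchy: several unrelated groups are possible.
    print("flat1:", groups_flat_by_group(ALICE, GROUPS))
    print("flat2:", groups_flat_by_user(ALICE_ENTRY))
    # A new user in the flat hierarchy has no groups until assigned explicitly.
    print("new  :", groups_flat_by_group(BOB, GROUPS), groups_flat_by_user(BOB_ENTRY))
```

In the deep hierarchy, moving a user entry to another branch changes the user's groups, whereas in the flat hierarchy membership changes only when an administrator edits the membership attribute.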
