If the maximum number of members in a group has been reached, Domino adds so called extension groups. These extension groups are imported into the One Identity Manager database by synchronization and cannot be edited. The connection to the dynamic group is created using the Parent Notes group property (UID_NotesGroupParent column). Excluded and additional lists are maintained exclusively for parent dynamic groups. Extension groups are only shown on the overview form.
You cannot assign members directly to dynamic groups. Members are determined over the home servers assigned to the group. All user accounts that are assigned as mail server to this server are automatically members of the dynamic group. In addition, memberships can be edited through an excluded and additional list. At the same time, user accounts that are assigned to both the excluded and additional lists cannot be members of the dynamic group. User accounts and groups can both be added to the excluded and additional lists.
When Domino is calculating effective members, it finds all the user accounts that:
-
The home server is assigned to as mail server
-
Are directly assigned to an additional list
-
Are assigned to an additional list as a member of a Notes group
-
Are assigned to an excluded list
-
Are assigned to an excluded list as a member of a Notes group.
Effective memberships in dynamic groups (table NDOUserInGroup) are not maintained in One Identity Manager, but only loaded in the One Identity Manager by synchronization. Excluded and additional lists can be edited in the Manager. Changes are immediately provisioned in the target system. Membership lists are recalculated there. After resynchronizing, the changes to the effective memberships are visible in One Identity Manager and can be taken into account by, for example, compliance checking.
If you use One Identity Manager's identity audit functionality and also check memberships in dynamic Notes groups in compliance rules, note the following:
NOTE: Changes to the excluded and additional lists in the Manager, cannot be immediately acted upon as effective memberships in dynamic groups are not updated until after resynchronization. Customize the synchronization schedule for your Domino environment such that changes to effective memberships are promptly transferred to the One Identity Manager database.
For more information about editing synchronization schedules, see the One Identity Manager Target System Synchronization Reference Guide.
You can assign home servers to dynamic groups. All user accounts, only using this server as mail server become members of the dynamic group.
To assign a home server to a dynamic group
-
In the Manager, select the HCL Domino > Groups category.
-
Select the dynamic group in the result list.
-
Select the Assign home server task.
-
In the Add assignments pane, assign the servers.
- (Optional) To filter the servers, select a domain in the Notes domains input field.
TIP: In the Remove assignments pane, you can remove assigned servers.
To remove an assignment
- Save the changes.
Use the excluded list to specify which objects you want to exclude from membership in a dynamic group.
To exclude user accounts from a dynamic group
-
In the Manager, select the HCL Domino > Groups category.
-
Select the dynamic group in the result list.
-
Select the Edit additional list task.
-
Select the Users tab.
-
Assign user accounts in Add assignments.
TIP: In the Remove assignments pane, you can remove assigned user accounts.
To remove an assignment
- Save the changes.
To exclude groups from a dynamic group
-
In the Manager, select the HCL Domino > Groups category.
-
Select the dynamic group in the result list.
-
Select the Edit additional list task.
-
Select the Groups tab.
-
In the Add assignments pane, assign groups.
TIP: In the Remove assignments pane, you can remove the assignment of groups.
To remove an assignment
- Save the changes.
To exclude servers from a dynamic group
-
In the Manager, select the HCL Domino > Groups category.
-
Select the dynamic group in the result list.
-
Select the Edit additional list task.
-
Select the Server tab.
-
In the Add assignments pane, assign the servers.
TIP: In the Remove assignments pane, you can remove assigned servers.
To remove an assignment
- Save the changes.
To exclude mail-in databases from a dynamic group
-
In the Manager, select the HCL Domino > Groups category.
-
Select the dynamic group in the result list.
-
Select the Edit additional list task.
-
Select the Mail-in DB tab.
-
In the Add assignments pane, assign mail-in databases.
TIP: In the Remove assignments pane, you can remove assigned mail-in databases.
To remove an assignment
- Save the changes.