You can add users and user groups from external identity sources to a user group in the internal database. This offers the following benefits:
Improved authentication performance for users in an external identity source.
Including these users directly in a group in the internal database reduces the need to access the external identity source when these users authenticate, which reduces network traffic to the directory server. Users in member groups within a user group do not benefit from this improved performance.
Greater control over organizing users, especially users in an LDAP directory, where you cannot use the Security Console to control the group structure of the directory.
Reduced administrative burden, for the following reasons:
You can create a single user group for a restricted agent, and include all the users you want to grant access to the agent, rather than create separate groups for each identity source.
When an LDAP administrator modifies a group in the LDAP directory, you can minimize or eliminate the need to reconfigure restricted agents because access is granted through user groups residing in the internal database, and is unaffected by modifications to groups in the directory.
Membership in user groups residing in external identity sources is still restricted to member users and member user groups residing in the same external identity source as the user group.
When you configure user groups for restricted agents, you may want to add or “nest” multiple user groups within a single user group. This allows you to enable several groups on a restricted agent. Using nested groups eases the administrative burden of restricting access to authentication agents, but can affect authentication performance when groups are deeply nested or contain large numbers of users.
Nested user groups have the following characteristics:
A user group in the internal database can contain user groups that reside in the internal database or an external identity source. A user group in an external identity source cannot contain user groups from any other identity source.
You can nest user groups using one of the following means:
Using the Security Console to nest two or more user groups stored in the internal database.
Using the LDAP directory user interface to nest two or more user groups stored in the same external identity source.
Using the Security Console to nest a user group stored in an external identity source within a user group stored in the internal database.
Members of nested groups inherit access to restricted agents from the parent user group that is granted access to the restricted agent. If a nested group is also granted access to the same agent, its members may have additional access permissions.
A user who is a member of a nested group can be granted access to a restricted agent for two reasons:
Because the user is a member of a nested user group that has access to the restricted agent
Because the user is a member of a user group that is nested in another user group that has access to a restricted agent
In general, members of nested user groups have the same access privileges as the parent user group. Members of the nested user group can access an agent when the group is nested inside another user group that can access the agent.
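The nesting rules and the inherited access described above, modelled as an added example (this is not Authentication Manager code). Group names, user names, agent names and the identity source ids are made up; "internal" stands for the internal database and any other id for an external identity source.

```python
# Added example, not RSA's code: a small model of the nesting and access rules
# described above. Group names, user names and source ids are made up.
INTERNAL = "internal"  # the internal database; any other source id is external


class Deployment:
    def __init__(self):
        self.groups = {}  # group -> {"source", "users", "nested"}
        self.grants = {}  # restricted agent -> groups granted access

    def add_group(self, name, source):
        self.groups[name] = {"source": source, "users": set(), "nested": set()}

    def add_member_user(self, group, user, user_source):
        g = self.groups[group]
        # An external group may only hold users from its own identity source;
        # a group in the internal database may hold users from any source.
        if g["source"] != INTERNAL and user_source != g["source"]:
            raise ValueError(f"{user} does not reside in {g['source']}")
        g["users"].add(user)

    def nest(self, parent, child):
        p, c = self.groups[parent], self.groups[child]
        # Same rule for nested groups: only an internal group may contain a
        # group from a different identity source.
        if p["source"] != INTERNAL and c["source"] != p["source"]:
            raise ValueError(f"{child} cannot be nested in {parent}")
        p["nested"].add(child)

    def grant(self, agent, group):
        self.grants.setdefault(agent, set()).add(group)

    def effective_users(self, group, seen=None):
        # Members of the group plus members of every group nested below it,
        # with a guard so a nesting cycle cannot recurse forever.
        seen = set() if seen is None else seen
        if group in seen:
            return set()
        seen.add(group)
        users = set(self.groups[group]["users"])
        for child in self.groups[group]["nested"]:
            users |= self.effective_users(child, seen)
        return users

    def can_access(self, agent, user):
        # Access is inherited from any granted group the user belongs to,
        # directly or through nesting.
        return any(user in self.effective_users(g) for g in self.grants.get(agent, ()))
```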