How do you set up nested groups in Reporter, version 9.2.x?




I hear Reporter, version 9.2.x, has a new feature where you can search for nested groups. How do I use this?

Where do I set up the new 'nested group' feature?

What does the "is in LDAP group" feature mean, and how do I set it up?



This new feature is configured with a check box when you configure your Role Based Services in Reporter.

In Reporter, version 9.2.x, there are two places where you can set up nested groups.

1: The first location is the LDAP group configuration wizard, where we link a role to an LDAP group. Here we allow everyone in this LDAP group to have the same privileges given to this role. While authenticating the user over the LDAP protocol, Reporter also ensures that this user is allowed access to the database based on group membership. To set this up, follow these steps.

  • Log in to Reporter, using your admin account.
  • Navigate to the admin section of the UI.
  • Click on Access control > LDAP groups
  • Click on the 'new' button.
  • Here you'll see the option to turn on nested groups.

2: The next location where you will see an option to set nested groups is the Role configuration wizard, where we restrict access to parts of a database based on LDAP group membership. Here we set up a user filter and locate the LDAP group we want this user to be restricted to, thereby only allowing this user to see those parts of the database that contain this group information. To set this up, follow these steps.

  • Log in to Reporter, using your admin account.
  • Navigate to the admin section of the UI.
  • Click on Access control > Roles
  • Click on the 'new' button.
  • Enter the name of the role you are about to create, and press Next.
  • Select a database.
  • Select 'Add Criteria'  to create your filter.
  • Select User, and then select the drop down list next to the user.
  • Select "Is in Ldap Group" or "Is not in Ldap group".
  • Here, once you select the next drop down list, called groups, you'll see a list of currently available LDAP groups in your AD tree.

Note on group membership syntax: Often your group information, as collected in the access log, will be presented in a slightly different syntax than the one the LDAP protocol declares. You will need to check your database configuration to ensure they match. To do this, follow these steps.

  • Log in to Reporter, using your admin account.
  • Navigate to the admin section of the UI.
  • Click Databases, and select your database.
  • On the right-hand side of this screen, choose the drop down arrow, and select "set other options".
  • At the bottom of this screen you will see 'Username log settings'
  • Here you will choose the groupname syntax that matches your access log.

All access logs can be unzipped and opened with a text editor, which we suggest you do to ensure these two match. Look for the cs-groupname access log field. For more information on the proper access log fields required by Reporter, see 000021974.

NOTE1: Turning on the 'Nested groups' feature means that every group you look at in AD will be searched for a match to the 'member of' attribute, and then those groups will be searched as well. Bluecoat recommends that you talk to your AD or eDirectory administrator before turning on this feature.

NOTE2: For information on setting up the entire LDAP realm, please see 000013348

NOTE3: For information on troubleshooting LDAP, see 000014773

NOTE4: For a list of the LDAP error codes you may see in the journal see 000015695
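
The recursive search described in NOTE1, as an added example that is not Reporter's or Bluecoat's code: it follows 'member of' values transitively, shows how nested lookup widens the groups matched for a user, and counts the directory reads it costs. The DNs, the MEMBER_OF table and the function names are constructed assumptions for illustration.

```python
from collections import deque

BASE = "ou=groups,dc=example,dc=com"  # constructed sample tree, not a real directory

# Constructed data: entry DN -> values of its 'member of' attribute.
MEMBER_OF = {
    "cn=alice,ou=users,dc=example,dc=com": [f"cn=helpdesk,{BASE}"],
    "cn=bob,ou=users,dc=example,dc=com": [f"cn=sales,{BASE}"],
    f"cn=helpdesk,{BASE}": [f"cn=it-staff,{BASE}"],
    # it-staff points back at helpdesk: a membership loop the walk must survive.
    f"cn=it-staff,{BASE}": [f"cn=report-viewers,{BASE}", f"cn=helpdesk,{BASE}"],
    f"cn=report-viewers,{BASE}": [],
    f"cn=sales,{BASE}": [],
}


def effective_groups(dn, directory, nested=True):
    """Return (groups, lookups) for an entry.

    groups  - set of lower-cased group DNs the entry belongs to
    lookups - number of directory entries whose 'member of' values were read
    With nested=False only the entry's own 'member of' values are used.
    """
    groups = set()
    lookups = 0
    queue = deque([dn.lower()])
    while queue:
        current = queue.popleft()
        lookups += 1  # one directory read per entry examined
        for group in directory.get(current, []):
            group = group.lower()  # DN matching is case-insensitive
            if group in groups:
                continue  # already expanded; this also breaks loops
            groups.add(group)
            if nested:
                queue.append(group)  # search this group's own memberships too
    return groups, lookups


def in_group(user_dn, group_dn, directory, nested=True):
    """True if the user is in the group, directly or (if nested) transitively."""
    groups, _ = effective_groups(user_dn, directory, nested)
    return group_dn.lower() in groups
```

With nesting on, the sample user alice matches report-viewers through two intermediate groups at the cost of four directory reads instead of one, which is the trade-off to raise with the directory administrator.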






Additional Information
Bug Number
InQuira Doc Id      KB3826

First Published      10/01/2014
Last Modified      10/30/2014
Last Published      10/30/2014
Article Audience
Product      Reporter 9.2
Topic      Access Logging, Authentication, Reporting
Article Number      000010794