My Oracle Support Banner

OUD Virtual Attributes are not Merged when a user is a Member of Several Groups (Doc ID 2928260.1)

Last updated on MARCH 06, 2023

Applies to:

Oracle Unified Directory - Version and later
Information in this document applies to any platform.


Multiple virtual attributes are created to assign various "ds-privilege-name:values" to various groups. It is found that if a user is a member of several groups then only one set of virtual attributes will be assigned.


1) Create first virtual Attribute with:
"attribute-type: ds-privilege-name"

2) and values:
"ldif-import" & "ldif-export;" <<--if the semi-colon is not actually part of the command, then remove it

3) then assign to:
"group-dn: cn=ldifPriv,ou=groups,c=COUNTRY"

4) Create second virtual Attribute with:
"attribute-type: ds-privilege-name"

5) and values:
"backend-backup & backend-restore;" <<--if the semi-colon is not actually part of the command, then remove it

6) and assign to
"group-dn: cn=ServPriv,ou=groups,c=COUNTRY"

If a user is a member of "cn=ldifPriv,ou=groups,c=COUNTRY" AND "cn=ServPriv,ou=groups,c=COUNTRY", it is expected that the user should get a UNION of all the virtual attributes (ds-privilege-name) with values: ldif-import, ldif-export, backend-backup & backend-restore.

Instead the user is assign virtual attributes based on the first group that applies. This user will only get ldif-import & ldif-export privileges.

There is no apparent conflict which would preclude the multiple virtual attributes from being active concurrently.


To view full details, sign in with your My Oracle Support account.

Don't have a My Oracle Support account? Click to get started!

In this Document

My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.