Creating Role Membership Rules

Use the Role Policy page to define the rules that are read by Dynamic Role Rule PeopleCode and populate PeopleSoft roles with members. The rules return the DNs of "people" directory entries, which supply the system with the user IDs specified on the user profile mapping.

This section provides an overview of role membership rules and discusses how to define role membership rules.

PeopleSoft security roles are comparable to LDAP directory groups. Roles enable you to group user IDs in logical sets that share the same security privileges. PeopleSoft enables you to keep your external directory groups synchronized with the data stored within the PeopleSoft database.

Important! You must keep the data within PeopleSoft consistent with any changes made to the structure or content of the external directory server, especially when you are dealing with security data. The Role Membership Rules page enables you to modify a PeopleSoft role based on directory criteria.

Access the Role Policy page (PeopleTools > Security > Directory > Role Membership Rules).

Image: Role Policy page

This example illustrates the fields and controls on the Role Policy page.

Role Policy page

Field or Control


Rule Name

Displays the directory search name that you entered on the search page.


Enter a short description of the rule.

User Profile Map

Select the user profile map to associate with the rule.

Directory ID

Displays the directory associated with the user profile map that you select.

Assign to Role

Click this link to automatically start the Dynamic Members page in the Roles component of the Security menu. On that page, select Directory Rule Enabled and specify the server on which to carry out the rule.

Directory Search Parameters

Field or Control


Search Base

Enter the entry (or container) at which to begin the search.

Search Scope

Select the search scope for this search from the following options:

Base: The query searches only the value in the Search Base field.

One: The query searches only the entries one level down from the value in the Search Base field.

Sub: The query searches the value in the Search Base field and all entries beneath it.

Build Filter

Field or Control


( )

Parentheses; on either side of the filter expression select the check boxes below the parentheses to group expressions.


Select the attribute that the system will filter.


Assign an operator to your rule, such as <, <=, <>, =, >, or >=.


Enter the value to assign to the attribute that you specified.


To add another line to your rule, select AND or OR, depending on your rule logic. Select END to signify the end of the search. Select NONE if you are not using this kind of filter.

Refresh Search Filter

After you make changes using the Build Filter options, click this button to update the Search Filter edit box to reflect the changes.

Clear Search Filter

Click this button to delete all values from the Search Filter edit box and the Build Filter selections.

Search Filter

The purpose of this field depends on whether you also specify values in the Directory Attribute field, as follows:

  • No directory attributes specified.

    Enter a name=value pair that identifies a key field and value on the user record. The system applies this criterion to search for an individual user, regardless of group membership.

  • One or more directory attributes specified.

    Enter a name=value pair that the system applies to the search for the DN of the defined container or group. This value typically displays the directory object class of the container in the form “objectclass = GroupOfUniqueNames”, for example. This indicates what type of container to search. To retrieve the correct container DNs, the system adds the name of the container to the search filter at runtime.

Search Attributes

Field or Control


Directory Attribute

Select attributes that identify the user to add to this membership. The system searches only for members within the group that is specified by the Search Filter field.

Note: You can also write PeopleCode to determine group membership using any arbitrary LDAP search criteria.