We currently are looking into implementing Nested groups within CA SSO. Are there any things we should take a look at ? Or just by enabling it in the UI and making changes to our roles and policies is enough ? We fear that there might be a performance downgrade going with nested groups.
I've read somewhere that there's a different between INGROUP() an MEMBEROF() regarding performance is there any documentation about that ?
There might be some performances impact as we act as LDAP Cloent and request may take more time if we are using NESTED groups.
For your questions regarding INGROUP() and MEMBEROF(), there was an issue in previous release when using INGROUP() that was generating more LDAP Search (fix in 12.52SP1CR02)
Defects Fixed in 12.52 SP1 CR02 - CA Single Sign-On - 12.52 SP1 - CA Technologies Documentation
When the INGROUP expression is used to search for user membership of an Application object, excessive LDAP search calls are generated.
This problem has been fixed.
STAR Issue: 22051787-1
Hope it helps,
Is it recommended to use nested groups ?