The real world has a number of hierarchies. The top of the figure above shows the organisational structure of a small organisation. If such an organisational structure is to be represented in a directory, the traditional thinking has been to let the structure of the directory (DIT structure) reflect the organisational structure. However, for several reasons, an organisation may not want to do that. As an example, it would require the directory to be re-built every time the organisational structure changes. Instead, the organisation may want to have a flat structure just below the organisation entry. This is shown in the lower part of the figure. Also, the hierarchical group feature, as described here, provides functionality that is not available if one just maps the organisational structure onto the DIT structure.
The hierarchical group concept allows an independent hierarchical relationship to be established. This is done simply by establishing pointers within each member entry of a hierarchical group. Each member entry has a pointer to the entry above it in the hierarchy, unless it is the top entry of the hierarchy. It also has pointers to all entries just below it in the hierarchy, unless it is at the bottom of the hierarchy.
Such pointers could be established without requiring any special directory features.
The hierarchical group feature allows users, in a search request, to ask for information to be returned not only from matched entries, but also from other entries within the hierarchical groups to which the matched entries belong. In some cases, the user may not even want information returned from the matched entries. The returned entries contain sufficient information for the user equipment to reconstruct the hierarchies.
In theory, the user equipment alone could provide such support by using the hierarchy information returned from the entries. However, this would require several interactions between the user equipment and the directory just to serve a single user request, which would give unacceptable response times.
An entry can only be a member of one hierarchical group.
A hierarchical group has to be contained completely within a single DSA.
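The following is an added example, not part of the original tutorial: a client-side sketch that rebuilds a hierarchy from the pointers in returned entries and rejects pointer sets that break the rules above (no reciprocal pointer, an entry claimed by two parents, a loop with no top entry). The field names `parent` and `below`, the entry names, and the assumption that the whole group is returned in one result are all hypothetical.

```python
# Added example. "parent" and "below" are hypothetical field names for the
# upward and downward pointers; the entries in SAMPLE are constructed.

def reconstruct(entries):
    """Return {top_dn: nested tree}; raise ValueError on inconsistent pointers."""
    for dn, entry in entries.items():
        parent = entry["parent"]
        if parent is not None:
            if parent not in entries:
                raise ValueError(f"{dn}: parent {parent} was not returned")
            if dn not in entries[parent]["below"]:
                raise ValueError(f"{dn}: parent {parent} has no pointer back")
        if len(set(entry["below"])) != len(entry["below"]):
            raise ValueError(f"{dn}: duplicate downward pointer")
        for child in entry["below"]:
            if child not in entries:
                raise ValueError(f"{dn}: child {child} was not returned")
            # One upward pointer per entry, so an entry claimed by two
            # parents (two groups) fails here.
            if entries[child]["parent"] != dn:
                raise ValueError(f"{child}: listed below {dn} but points elsewhere")

    reached = set()

    def build(dn):
        reached.add(dn)
        return {child: build(child) for child in entries[dn]["below"]}

    forest = {dn: build(dn) for dn, e in entries.items() if e["parent"] is None}
    # Reciprocal pointers rule out loops under a top entry; what remains is a
    # closed loop with no top entry at all.
    if reached != set(entries):
        raise ValueError(f"no top entry for: {sorted(set(entries) - reached)}")
    return forest

# Constructed sample: four entries stored flat below the organisation entry.
SAMPLE = {
    "cn=Director": {"parent": None,
                    "below": ["cn=Sales Manager", "cn=Engineering Manager"]},
    "cn=Sales Manager": {"parent": "cn=Director", "below": []},
    "cn=Engineering Manager": {"parent": "cn=Director", "below": ["cn=Engineer"]},
    "cn=Engineer": {"parent": "cn=Engineering Manager", "below": []},
}

if __name__ == "__main__":
    print(reconstruct(SAMPLE))
```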