ForgeRock Identity Platform
Does not apply to Identity Cloud

isMemberOf attribute does not return current group membership details for a user in AM (All versions)

Last updated Jan 16, 2023

The purpose of this article is to provide information on getting up-to-date group membership details for a user in AM using the REST API and the DS isMemberOf attribute.



The value of the isMemberOf attribute does not show the latest group membership data when queried via REST. For example, if you update a user's group membership and then perform a simple GET on that user (assuming your data store has been configured to use the isMemberOf attribute for group membership), you will see old membership data returned for the user:


  1. Check the user's group membership:

     $ curl -X GET ...

     "isMemberOf": [ "cn=adminGroup,ou=groups,dc=example,dc=com"

  2. Add the user to a new group:

     $ curl -X PUT -H "Content-type: application/json" -H "Accept-API-Version: resource=3.0" -H "iPlanetDirectoryPro: AQIC5wM2LY4Sfcxs...EwNDU2NjE0*" -d '{ "uniquemember":["uid=demo,ou=people,dc=example,dc=com"] }'

  3. Check the user's membership again:

     $ curl -X GET ...

     "isMemberOf": [ "cn=adminGroup,ou=groups,dc=example,dc=com"

     The expected result is:

     "isMemberOf": [ "cn=newGroup,ou=groups,dc=example,dc=com"

You can see the correct group membership details on the Identities page in the AM admin UI.

Recent Changes



The isMemberOf attribute is a virtual operational attribute in DS. Virtual attributes are not covered by the persistent search mechanism, so AM does not receive the change notifications for its cached data that it would receive for a regular attribute and therefore assumes that all cached attribute values are still current.

The Identities page within the AM admin UI queries the membership of LDAP static groups and does not rely on caching at all, which is why this view is accurate.


You can use one of the following options to ensure current information is returned when using the isMemberOf attribute:

  • Perform a pseudo-update on the user entry whenever group membership changes, so that the persistent search notification fires. For example, at the same time as you change the group membership, do one of the following:
    • Update a user attribute that's not used for other purposes.
    • Update an existing regular attribute (for example, mail) with the same value it already has. This is not an option if you use REST calls to do the update because AM will not update a value if the data is the same.
  • Use time-based IdRepo cache aging (Time-to-Live) to give you confidence in data accuracy based on the cache age configured. See FAQ: Caching in AM (Q. How can I control caching for configuration and user data using ssoadm? > Time-to-Live) for further information on setting these properties.
  • Disable the IdRepo cache completely. See Turn off global user data caching for further information. You should test this in a pre-production environment first to assess what impact this has on your setup.

Disabling the IdRepo cache can have a severe negative impact on performance, since AM must query the data store each time it needs data when caching is disabled.
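The pseudo-update workaround from the first option, carried through end to end as an added example (this is not code from the article or from ForgeRock): it changes the group membership over REST, then writes a fresh value to an otherwise unused user attribute so the persistent search notifies AM, and finally re-reads isMemberOf. It assumes realm-qualified AM endpoints under /json/realms/root/realms/<realm>/, that the description attribute is mapped in the data store and unused, and that resource=3.0 is accepted for the users endpoint.

```python
"""Added example (not from the article): add a user to a group through the
AM REST API, then pseudo-update an unused user attribute so DS's persistent
search notifies AM and the cached isMemberOf value is refreshed."""
import json
import urllib.request
import uuid

# Assumptions: realm-qualified AM endpoints (/json/realms/root/realms/<realm>/...),
# 'description' is mapped in the data store's LDAP User Attributes and otherwise
# unused, and the SSO token header name is iPlanetDirectoryPro (as in the article).
TOUCH_ATTR = "description"


def urllib_http(method, url, headers, body=None):
    """Default transport; returns the parsed JSON response body."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read())


class AMClient:
    def __init__(self, base_url, realm, sso_token, http=urllib_http):
        self.base = f"{base_url.rstrip('/')}/json/realms/root/realms/{realm}"
        # Accept-API-Version is taken from the article's group PUT; adjust it if
        # your AM version requires a different resource version for /users.
        self.headers = {"Content-Type": "application/json",
                        "Accept-API-Version": "resource=3.0",
                        "iPlanetDirectoryPro": sso_token}
        self.http = http  # injectable so the flow can be exercised without a server

    def _call(self, method, path, body=None):
        return self.http(method, f"{self.base}{path}", self.headers, body)

    def add_member_and_refresh(self, user_dn, user_id, group_id):
        """Return the user's isMemberOf values after the membership change."""
        # 1. Change the group membership: a regular attribute on the group entry,
        #    so the user's virtual isMemberOf is not refreshed in the IdRepo cache.
        self._call("PUT", f"/groups/{group_id}", {"uniquemember": [user_dn]})
        # 2. Pseudo-update the user entry. The value must differ from the stored one,
        #    because AM skips a write whose data is unchanged and no notification
        #    would reach the persistent search; a random suffix guarantees that.
        marker = ["membership-refresh " + uuid.uuid4().hex]
        self._call("PUT", f"/users/{user_id}", {TOUCH_ATTR: marker})
        # 3. Re-read the user; AM has now been notified of a change to the entry,
        #    so the new group should appear in isMemberOf.
        return self._call("GET", f"/users/{user_id}").get("isMemberOf", [])
```

If the attribute you choose is not in the data store's LDAP User Attributes list, AM silently ignores it and no notification is triggered, so verify the returned isMemberOf rather than assuming the touch worked.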

Alternatively, Realm Admins can query groups for an individual using the users endpoint. For example:

$ curl -X GET -H 'Accept: application/json' ''

Example response:

{
  "result": [
    {
      "_id": "newGroup",
      "_rev": "635651178",
      "groupname": "newGroup"
    }
  ],
  "resultCount": 1,
  "pagedResultsCookie": null,
  "totalPagedResultsPolicy": "NONE",
  "totalPagedResults": -1,
  "remainingPagedResults": 0
}

See Also

FAQ: Caching in AM

Best practice for managing groups in DS (All versions)

Related Training


Related Issue Tracker IDs

OPENAM-15317 (specific attributes should be excludable from IdRepo cache)

Copyright and Trademarks Copyright © 2023 ForgeRock, all rights reserved.