isMemberOf attribute does not return current group membership details for a user in AM/OpenAM (All versions)

Last updated Sep 23, 2020

The purpose of this article is to provide information on getting up-to-date group membership details for a user in AM/OpenAM using the REST API and the DS/OpenDJ isMemberOf attribute.



The value of the isMemberOf attribute does not show the latest group membership data when queried via REST. For example, if you update a user's group membership and then perform a simple GET on that user (assuming your data store has been configured to use the isMemberOf attribute for group membership), you will see old membership data returned for the user:


  1. Check user's group membership:
    $ curl -X GET
     "isMemberOf": [
  2. Add the user to a new group:
    $ curl -X PUT -H "Content-type: application/json" -H "Accept-API-Version: resource=3.0" -H "iPlanetDirectoryPro: AQIC5wM2LY4Sfcxs...EwNDU2NjE0*" -d'{
  3. Check the user's membership again:
    $ curl -X GET
     "isMemberOf": [
    The expected result is:
     "isMemberOf": [

You can see the correct group membership details on the Identities page (previously the Subjects tab) in the AM/OpenAM console.


The 'isMemberOf' attribute is a virtual operational attribute in DS/OpenDJ. Virtual attributes are not updated by the persistent search mechanism, so AM/OpenAM does not receive the change notifications for cached data that it would normally receive for a regular attribute. It therefore assumes that all the cached attributes still have the same values.

The Identities page within the console queries the membership of LDAP static groups and does not rely on caching at all, which is why this view is accurate.


A new option has been added to the users endpoint in AM 6 that allows you to query groups for an individual user. For example:

$ curl -X GET -H 'Accept: application/json' ''

Example response:

{
  "result": [
    {
      "_id": "newGroup",
      "_rev": "635651178",
      "groupname": "newGroup"
    }
  ],
  "resultCount": 1,
  "pagedResultsCookie": null,
  "totalPagedResultsPolicy": "NONE",
  "totalPagedResults": -1,
  "remainingPagedResults": 0
}
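
The following check is an added example, not part of the original article or of AM/OpenAM: it compares the cached isMemberOf values from a user GET with the groups query result and reports memberships that differ in either direction. The function names and both sample responses are constructed, and it assumes isMemberOf holds group DNs whose leading RDN value matches the group `_id`.

```python
import json

def leading_rdn_value(dn):
    """Value of the first RDN of a DN: 'cn=newGroup,ou=groups,...' -> 'newGroup'.
    Handles backslash-escaped characters; hex-pair escapes (\\2C) are not decoded."""
    out, i = [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):  # escaped character, keep it literally
            out.append(dn[i + 1])
            i += 2
        elif dn[i] == ",":                      # first unescaped comma ends the RDN
            break
        else:
            out.append(dn[i])
            i += 1
    return "".join(out).partition("=")[2]

def membership_drift(user_doc, groups_doc):
    """Compare cached isMemberOf (user GET) with the groups query result."""
    # Group names are compared case-insensitively, as LDAP matches cn values.
    cached = {leading_rdn_value(dn).casefold() for dn in user_doc.get("isMemberOf", [])}
    live = {g["_id"].casefold() for g in groups_doc.get("result", [])}
    return {
        # Added in the data store, not yet visible in the cached attribute.
        "missing_from_cache": sorted(live - cached),
        # Removed in the data store, but the cached attribute still lists it.
        "stale_in_cache": sorted(cached - live),
    }

# Constructed sample: cached user entry as returned by a GET on the user.
USER_GET = json.loads(r'''{
  "username": "demo",
  "isMemberOf": ["cn=oldGroup,ou=groups,dc=example,dc=com",
                 "cn=Admins\\, EU,ou=groups,dc=example,dc=com"]
}''')

# Constructed sample: result of the groups query for the same user.
GROUPS_GET = json.loads('''{
  "result": [
    {"_id": "newGroup", "_rev": "635651178", "groupname": "newGroup"},
    {"_id": "oldGroup", "_rev": "635651179", "groupname": "oldGroup"}
  ],
  "resultCount": 2
}''')

if __name__ == "__main__":
    print(json.dumps(membership_drift(USER_GET, GROUPS_GET), indent=2))
```

A non-empty `stale_in_cache` list is the case to alert on when group membership feeds authorization, because a membership that has been revoked is still being returned.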

isMemberOf attribute

You can use one of the following options to ensure current information is returned when using the isMemberOf attribute:

  • Perform a pseudo update on a user entry when group memberships are changed to trigger the persistent search notification. For example, when you change the group membership you could also do one of the following at the same time to trigger the persistent search notification:
    • Update a user attribute that's not used for other purposes.
    • Update an existing regular attribute (for example, mail) with the same value it already has. This is not an option if you use REST calls to do the update because AM/OpenAM will not update a value if the data is the same.
  • Use time-based IdRepo cache aging (Time-to-Live) to give you confidence in data accuracy based on the cache age configured. See FAQ: Caching in AM/OpenAM (Q. How can I control caching for configuration and user data using ssoadm? > Time-to-Live) for further information on setting these properties.
  • Disable the IdRepo cache completely. See Maintenance Guide › To Turn Off Global User Data Caching for further information. You should test this in a pre-production environment first to assess what impact this has on your setup.

Disabling the IdRepo cache can have a severe negative impact on performance, since AM/OpenAM must query the data store each time it needs data when caching is disabled. Additionally, there is a known issue in OpenAM 13.0: OPENAM-8269 ("AuthId JWT Signature not valid" error in multi-instance deployments on 13). See Authentication fails in OpenAM 13.0 with an AuthId JWT Signature not valid error for further information.

See Also

FAQ: Caching in AM/OpenAM

Best practice for managing groups in DS/OpenDJ (All versions)

Related Issue Tracker IDs

OPENAM-15317 (specific attributes should be excludable from IdRepo cache)

OPENAM-9030 (Improve group management implementation)

Copyright and Trademarks

Copyright © 2020 ForgeRock, all rights reserved.