In order for users to be able to synchronize their data using DME, they must be members of a certain group in the directory (LDAP or Active Directory), usually called DME_User. The group name can be different, but in the following it will be referred to as DME_User.
(A note on terminology: In DME, LDAP and Active Directory are called directory servers. Sometimes the term LDAP is used to cover both - AD is just a specific implementation of LDAP.)
Some LDAP servers only return the groups of which a particular user is a direct member. In most enterprises, however, the DME_User group would consist of other groups, resulting in a nested structure. To verify that users belong to the DME_User group, even when the group is nested several layers deep, the DME system builds a so-called "group graph". The group graph provides an efficient way to evaluate whether a subgroup has actually been given the right to synchronize.
For example: You want to allow the use of DME for the following groups: Sales, Marketing, Development.
You then create a DME_User group, and add those subgroups into DME_User. This can be represented as follows:
When DME requests user information about user Tubbs, the LDAP server might return that Tubbs is a member of the following groups: Sales, All Users, US Users, SaaS.
Using the group graph, DME is able to recognize that the group Sales has actually been given DME_User rights.
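The evaluation described above can be sketched as follows. This is an added example, not DME's own code: the function names, the EMEA_Sales group, the cyclic nesting and the membership of All Users are assumptions constructed for illustration. It shows that rights flow only downward from DME_User, so a group that merely contains Sales (here All Users) grants nothing.

```python
from collections import deque

# Constructed sample directory data: group -> groups that are its direct members.
# Sales, Marketing and Development come from the example above; the deeper
# nesting (EMEA_Sales) and the cycle are assumptions added to exercise the code.
GROUP_MEMBERS = {
    "DME_User": ["Sales", "Marketing", "Development"],
    "Sales": ["EMEA_Sales"],
    "EMEA_Sales": ["Sales"],        # cyclic nesting, which directories allow
    "All Users": ["Sales", "SaaS"],
}


def build_group_graph(group_members, root="DME_User"):
    """Return the set of groups that carry the root group's rights.

    Breadth-first walk from the root through nested member groups. The
    visited set makes the walk terminate on cyclic nesting.
    """
    granted = {root}
    queue = deque([root])
    while queue:
        group = queue.popleft()
        for child in group_members.get(group, []):
            if child not in granted:
                granted.add(child)
                queue.append(child)
    return granted


def granting_groups(direct_groups, graph):
    """Return the user's direct groups that are in the graph, in sorted order."""
    return sorted(g for g in direct_groups if g in graph)


def may_synchronize(direct_groups, graph):
    """True if at least one of the user's direct groups is in the group graph."""
    return bool(granting_groups(direct_groups, graph))


if __name__ == "__main__":
    graph = build_group_graph(GROUP_MEMBERS)
    tubbs = ["Sales", "All Users", "US Users", "SaaS"]
    print(may_synchronize(tubbs, graph), granting_groups(tubbs, graph))
    # A parent of Sales ("All Users") must not inherit rights from its child.
    print(may_synchronize(["All Users", "SaaS"], graph))
```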
In the Domain setup panel of the connector you can specify if the current connector should be used for reading the group graph. For more information, see Domain.