- MinIO optionally queries the AD/LDAP server for a list of groups that the user is a member of.
- MinIO then checks if there are any policies [explicitly associated](#managing-usergroup-access-policy) with the user or their groups.

    }

    public String[] getUserGroups() {
        String[] userGroups = DocumentUtil.getValue(attributes, "groups", String[].class);
        if (userGroups == null) {
            userGroups = getDefaultGroupsAsArray();
        }
        return userGroups;
    }

    public OpenIdUser getUser() {

		err = errServerNotInitialized
		return
	}

	userOrGroup := r.User
	var isGroup bool
	if userOrGroup == "" {
		isGroup = true
		userOrGroup = r.Group
	}

	if isGroup {
		_, err = sys.GetGroupDescription(userOrGroup)
		if err != nil {
			return
		}
	} else {
		var isTemp bool
		isTemp, _, err = sys.IsTempUser(userOrGroup)
		if err != nil && err != errNoSuchUser {
			return

		adminRouter.Methods(http.MethodPut).Path(adminVersion+"/set-user-or-group-policy").
			HandlerFunc(adminMiddleware(adminAPI.SetPolicyForUserOrGroup)).
			Queries("policyName", "{policyName:.*}", "userOrGroup", "{userOrGroup:.*}", "isGroup", "{isGroup:true|false}")

		// Attach/Detach policies to/from user or group

}

// LoadPolicyMapping - reload a specific policy mapping
func (client *peerRESTClient) LoadPolicyMapping(ctx context.Context, userOrGroup string, userType IAMUserType, isGroup bool) error {
	_, err := loadPolicyMappingRPC.Call(ctx, client.gridConn(), grid.NewMSSWith(map[string]string{
		peerRESTUserOrGroup: userOrGroup,
		peerRESTUserType:    strconv.Itoa(int(userType)),
		peerRESTIsGroup:     strconv.FormatBool(isGroup),
	}))
	return err

	var prev madmin.SRPolicyMapping
	for i, p := range policies {
		if i == 0 {
			prev = p
			continue
		}
		if prev.IsGroup != p.IsGroup ||
			prev.Policy != p.Policy ||
			prev.UserOrGroup != p.UserOrGroup {
			return false
		}
	}
	return true
}

func isUserInfoReplicated(cntReplicated, total int, uis []madmin.UserInfo) bool {
	if cntReplicated > 0 && cntReplicated != total {

	objAPI := newObjectLayerFn()
	if objAPI == nil {
		return np, grid.NewRemoteErr(errServerNotInitialized)
	}
	userOrGroup := mss.Get(peerRESTUserOrGroup)
	if userOrGroup == "" {
		return np, grid.NewRemoteErr(errors.New("user-or-group is missing"))
	}

	userType, err := strconv.Atoi(mss.Get(peerRESTUserType))
	if err != nil {

	}, nil
}

// PolicyMappingNotificationHandler - handles updating a policy mapping from storage.
func (store *IAMStoreSys) PolicyMappingNotificationHandler(ctx context.Context, userOrGroup string, isGroup bool, userType IAMUserType) error {
	if userOrGroup == "" {
		return errInvalidArgument
	}

	cache := store.lock()
	defer store.unlock()

	var m *xsync.MapOf[string, MappedPolicy]
	switch {
	case isGroup:

	ng := WithNPeers(len(sys.peerClients)).WithRetries(1)
	for idx, client := range sys.peerClients {
		client := client
		ng.Go(ctx, func() error {
			if client == nil {
				return errPeerNotReachable
			}
			return client.LoadPolicyMapping(ctx, userOrGroup, userType, isGroup)
		}, idx, *client.host)
	}

	objectAPI, _ := validateAdminReq(ctx, w, r, policy.AttachPolicyAdminAction)
	if objectAPI == nil {
		return
	}

	vars := mux.Vars(r)
	policyName := vars["policyName"]
	entityName := vars["userOrGroup"]
	isGroup := vars["isGroup"] == "true"

	if !isGroup {
		ok, _, err := globalIAMSys.IsTempUser(entityName)
		if err != nil && err != errNoSuchUser {