My Customer is trying to validate that the following use case is possible.
My Customer has two sponsor groups and each is using AD Groups for the matching criteria:
a. All AD Users – Can see guests created by that user or guests that listed them as a sponsor via guest flow.
b. Admin Users – Helpdesk users that can see any and all guest users for support.
The problem is if a User logs into the Sponsor Portal and belongs to both the "Domain Users" and "Administrators" AD Groups that are being used to match both "All AD Users" and "Admin Users" Sponsor Groups, the "All AD Users" Sponsor Group is the only Policy that is being matched.
The result is Admin Users are matched to the All AD Users Sponsor Group with limited non-administrative Sponsor Portal Privileges.
Yes, a sponsor user can belong to more than one Sponsor Group. In general, the user belongs to each SG where the matching criteria are satisfied. If a user belongs to multiple SGs, that user gets permissions from all of those groups. This is true in all versions since ISE 1.3.
A sponsor that belongs to both AD groups should belong to both Sponsor Groups. We would need to see the details of the customer’s configuration here to see why it isn’t working. Please open a TAC case.
What version of ISE are you on?