Cisco Employee

Can a Sponsor User belong to more than one Sponsor Portal Group?

My Customer is trying to validate that the following use case is possible.

My Customer has two sponsor groups, and each is using AD Groups for the matching criteria:

a. All AD Users – Can see guests created by that user or guests that listed them as a sponsor via guest flow.

   Match AD Group = Domain Users

b. Admin Users – Helpdesk users that can see any and all guest users for support.

   Match AD Group = Administrators

The problem is that if a User logs into the Sponsor Portal and belongs to both the "Domain Users" and "Administrators" AD Groups, that are being used to match both the "All AD Users" and "Admin Users" Sponsor Groups, the "All AD Users" Sponsor Group is the only Policy that is being matched.

The result is that Admin Users are matched to the All AD Users Sponsor Group with limited, non-administrative Sponsor Portal privileges.

khsieh joelalle

Accepted Solutions
Cisco Employee

Yes, a sponsor user can belong to more than one Sponsor Group. In general, the user belongs to each SG where the matching criteria are satisfied. If a user belongs to multiple SGs, that user gets permissions from all of those groups. This is true in all versions since ISE 1.3.

A sponsor that belongs to both AD groups should belong to both Sponsor Groups. We would need to see the details of the customer’s configuration here to see why it isn’t working. Please open a TAC case.


Replies
Cisco Employee

What version of ISE are you on?
