01-18-2016 08:24 AM
Hi experts,
Are there indications or suggestions on the maximum number of sub-levels for MAB group structure?
We are talking about:
1 main group with 20 indentation subgroups. These 20 subgroups will have indentation again in a total (max) of 110 groups (distributed between the mentioned 20 groups), and again an indentation of a total of 1.000 groups which would be distributed between the 110 groups.
01-19-2016 11:48 AM
[EDIT - sorry, I answered originally for NDGs, not Endpoint Groups]
Endpoint groups is ~500 max. Keep in mind, they are for MUCH more than just MAB, so calling them MAB groups is a bit of a limiting misnomer. I would like to know a little more about your use case if that's ok. What types of classifications of endpoints are you looking at, and with a tree that deep/wide - how do you plan to maintain the endpoint groups and their members?
01-21-2016 04:55 AM
Use case: we need to maintain a "memory" of the locations in which the endpoints are placed (1000 locations more or less), with 20 endpoints per location as an average.
The classification (of endpoints) will be associated to a static policy, therefore, an endpoint will have a static policy (classification) and a MAB group (membership), tied to the installation location.
The authorization would be simpler, being based on the main group which will contain these child groups, divided in macro areas and sharpened in indentation groups (something like Region > District > Location).
01-29-2016 06:15 AM
Hey sir, any updates on it?
01-29-2016 09:43 AM
Hi Falvio,
I'm not sure I understand what follow-up you are looking for. You can only have 500 endpoint groups.
You can have sub-groups, I think the limitation is 32 sub groups - but honestly that is not what endpoint Identity groups were ever meant to do / be structured as. You would be much better off leveraging a combination of groups/attributes, such as Network Device Groups + Endpoint Identity Groups. Trying to manually maintain 500 endpoint groups just doesn't seem logical from an operational expense perspective.
Aaron