
Multi-Sponsor Approve Problem

desweiler
Level 1

Hello,

we have ISE 2.0 Patch 2 running (2.0 without Patch is the same behaviour).

We configured two Guest Portals, two Guest Types and two Sponsor Portals with two Sponsor Groups.

Each Sponsor group should only manage its own Guests and not see or manage the other Guests from the other Portal.

In the Sponsor Group we configured "This sponsor group can create accounts using these guest types:". This does work. The Sponsor can only create the selected Guest Types.

We also configured "Sponsor Can Manage: Accounts created by members of this sponsor group". This does also work.

We configured "Sponsor can: Approve requests from self-registering guests" because he needs to approve guests.

The problem is that all Sponsors see all guest approval requests regardless of the Guest Portal they originate from and also if the Guest Type is one they are not allowed to create.

They can also approve all requests. If they actually approve requests from guest types they are not allowed to manage, they still can manage them afterwards because obviously "approval" is "creation" and therefore they can manage "Accounts created by members of this sponsor group".

Is this by Design or a Bug?

We don't want Sponsors to be able to approve all requests from all guests, better not even be able to see those requests.

1 Reply

silla
Level 1

I have a similar problem: just one guest portal, but two groups of sponsors.

One that can manage all guest accounts and another one whose users can only manage accounts each individual sponsor has approved.

However, since both groups have the "Approve requests from self-registering guests" option flagged, they can approve ALL self-registering guests. What my customer wants is to be able to match the email of the person being visited to the Active Directory account that is used to approve the request, so that the sponsors in the second group can only approve requests directed to them. This shouldn't be hard to do, because the email address is already present as an attribute in Active Directory.

For example, if a guest is requesting an account and his sponsor email is bill@example.com and he is a member of the second sponsor group (the restricted one), then bill would only see the pending accounts that have been requested using his own email address as a sponsor.

Bill's boss, Max, who is a member of the unrestricted sponsor group, would be able to see all accounts.

Anyone else with this problem?

Cisco, can we hope to see this improvement anytime soon?

Regards,

Silla Rizzoli