Solved: Multiple "MemberOf"

cpaquet · ‎12-17-2012

Good afternoon,

How would ISE deal with an user that has multiple entries for "memberOf"for group assignment? Would ISE use the 1st MemberOf value it encounter to assign a group?

Thanks.

Cath.

nspasov · ‎12-18-2012

Yes, that was a typo on my end You want generic towards the bottom and specific towards the top. Think of it that way: Everyone is part of "domain users" so everyone would match that rule but not everyone would be a member of the "executives" so you would want the executives group to be above the domain users

View solution in original post

nspasov · ‎12-17-2012

Hello Cath-

ISE will "read" the groups in the order that you have configured them in your authorization rules. So I would recommend that you place the more specific groups towards the bottom and the most common groups towards the bottom. For example:

IF member of executives then authorization profile executives_users

IF member of domain users then authorization profile regular_users

Thank you for rating!

cpaquet · ‎12-18-2012

Thanks Neno.

Could you please clarify your suggestion "...I would recommend that you place the more specific groups towards the bottom and the most common groups towards the bottom".

You mean placing the specific at the top and the generic at the bottom, right?

Thank you.

Cath.

nspasov · ‎12-18-2012

Yes, that was a typo on my end You want generic towards the bottom and specific towards the top. Think of it that way: Everyone is part of "domain users" so everyone would match that rule but not everyone would be a member of the "executives" so you would want the executives group to be above the domain users

cpaquet · ‎12-19-2012

Thank you Neno for all your help.

Regards,

cath.