Sponsor Group vs LDAP Group

Eugene Korneychuk
Cisco Employee

Hello Team, Jason,

I have the following question on ISE 2.1 p3

Let's say we have the LDAP group "A" with all users, and LDAP group "B" with user Bob. User Bob is also a member of group A, since this group contains all users.

Sponsor Group ALL_ACCOUNTS has mapping to LDAP group B;

Sponsor Group OWN_ACCOUNTS has mapping to LDAP group A;

Sponsor Group ALL_ACCOUNTS is set to Approve and view requests from self-registering guests with option Any pending accounts selected.

Sponsor Group OWN_ACCOUNTS is set to Approve and view requests from self-registering guests with option selected.

When Bob, who is a member of both groups, logs into the sponsor portal, he can see only "Only pending accounts assigned to this sponsor".

My expectation would be that, since Bob is a member of both groups, fewer restrictions will be applied and he should see "Any pending accounts".

Please let me know if my expectations are right, so I will file a bug.

The issue is the same if we use local ISE groups.

Thanks!

The small icon is an indication that you can only limit the viewing/approving of pending accounts to the sponsor who is associated with the request if the sponsor belongs to an ISE-internal or a SAML identity provider. For AD/LDAP please choose the first option.

So it looks like it is not supported with ISE 2.1 at all. Is it correct?



Eugene Korneychuk