Let's say we have the LDAP group "A" with all users and LDAP group "B" with user Bob. User Bob is also a member of group A, since this group contains all users.
Sponsor Group ALL_ACCOUNTS has mapping to LDAP group B;
Sponsor Group OWN_ACCOUNTS has mapping to LDAP group A;
Sponsor Group ALL_ACCOUNTS is set to Approve and view requests from self-registering guests with option Any pending accounts selected.
Sponsor Group OWN_ACCOUNTS is set to Approve and view requests from self-registering guests with option selected.
When Bob, who is a member of both groups, logs into the sponsor portal, he can see only Only pending accounts assigned to this sponsor.
My expectation would be that, since Bob is a member of both groups, fewer restrictions will be applied and he should see Any pending account.
Please let me know if my expectations are right, so I will file a bug.
The issue is the same if we use local ISE groups.
Thanks!
The small icon is an indication that you can only limit the viewing/approving of pending accounts to the sponsor who is associated with the request if the sponsor belongs to an ISE-internal or a SAML identity provider. For AD/LDAP please choose the first option.
So it looks like it is not supported with ISE 2.1 at all. Is it correct?