04-06-2017 04:23 AM
Hello Team, Jason,
I have the following question on ISE 2.1 p3
Let's say we have the LDAP group "A" with all users, LDAP group "B" with user Bob. User Bob is also member of group A, since this group contains all users.
Sponsor Group ALL_ACCOUNTS has mapping to LDAP group B;
Sponsor Group OWN_ACCOUNTS has mapping to LDAP group A;
Sponsor Group ALL_ACCOUNTS is set to "Approve and view requests from self-registering guests" with the option "Any pending accounts" selected.
Sponsor Group OWN_ACCOUNTS is set to "Approve and view requests from self-registering guests" with the option "Only pending accounts assigned to this sponsor" selected.
When Bob, who is a member of both groups, logs into the sponsor portal, he can see only "Only pending accounts assigned to this sponsor".
My expectation would be that, since Bob is a member of both groups, fewer restrictions are applied and he should see "Any pending accounts".
Please let me know if my expectation is right, so I can file a bug.
The issue is the same if we use local ISE groups.
Thanks!
The small icon indicates: "You can only limit the viewing/approving of pending accounts to the sponsor who is associated with the request if the sponsor belongs to an ISE-internal or a SAML identity provider. For AD/LDAP please choose the first option."
So it looks like it is not supported with ISE 2.1 at all. Is this correct?
Eugene Korneychuk
04-11-2017 11:18 AM
The general intent is that when a sponsor matches multiple groups, the sponsor should get the broadest set of permissions allowed by the matching groups.
For example:
Sponsor Can Manage:
Only accounts sponsor has created
Accounts created by members of this sponsor group
All guest accounts
If one matching group has "Only accounts sponsor has created" selected, and another matching group has "All guest accounts" selected, then the sponsor is able to manage all guest accounts.
For:
Approve and view requests from self-registering guests:
Any pending accounts
Only pending accounts assigned to this sponsor
it sounds like there is a defect here. If any matching group has "Any pending accounts" selected, then the sponsor should have that permission. If that's not the case, we need to fix it. I don't think CSCur94729 is the right defect for this; a more specific defect should be created for this issue.
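As an added illustration (not code from any participant in the thread, and not Cisco's implementation), the following Python model expresses the merge rule the accepted answer describes: each sponsor-group option is ordered from narrowest to broadest, and a sponsor who matches several groups gets the broadest setting any of them grants. A second function models the behaviour the original poster reported for the approve setting, so the two can be compared on the exact scenario from the first post. The manage-scope values given to ALL_ACCOUNTS and OWN_ACCOUNTS, the `identity_source` mapping, and all data structures are assumptions for the example; only the group names, option labels and the AD/LDAP restriction come from the thread.

```python
"""Reference model of how sponsor-group permissions should combine when one
sponsor matches several sponsor groups.  Added example; not Cisco's code.
Option labels and group names come from the thread; the data structures and
sample manage scopes are assumptions for illustration."""
from dataclasses import dataclass
from enum import IntEnum


class ManageScope(IntEnum):
    """'Sponsor Can Manage' options, ordered narrowest to broadest."""
    OWN = 1     # Only accounts sponsor has created
    GROUP = 2   # Accounts created by members of this sponsor group
    ALL = 3     # All guest accounts


class ApproveScope(IntEnum):
    """'Approve and view requests from self-registering guests' options."""
    NONE = 0      # approval not granted by this group (assumed value)
    ASSIGNED = 1  # Only pending accounts assigned to this sponsor
    ANY = 2       # Any pending accounts


@dataclass(frozen=True)
class SponsorGroup:
    name: str
    member_groups: frozenset   # identity groups (LDAP/AD/internal) mapped to it
    manage: ManageScope
    approve: ApproveScope


def matching_groups(sponsor_groups, user_groups):
    """A sponsor group matches if the user is in any identity group mapped to it."""
    return [g for g in sponsor_groups if g.member_groups & user_groups]


def intended_permissions(sponsor_groups, user_groups):
    """Rule stated in the accepted answer: the sponsor gets the broadest
    setting granted by any matching group (a union, i.e. max over the order)."""
    matched = matching_groups(sponsor_groups, user_groups)
    if not matched:
        return None
    return {
        "manage": max(g.manage for g in matched),
        "approve": max(g.approve for g in matched),
    }


def reported_permissions(sponsor_groups, user_groups):
    """Model of the behaviour reported in the thread for the approve setting:
    a matching group with 'Only pending accounts assigned to this sponsor'
    wins over one with 'Any pending accounts'.  Manage scope is merged
    broadest-wins; the thread reports no problem with it."""
    matched = matching_groups(sponsor_groups, user_groups)
    if not matched:
        return None
    granted = [g.approve for g in matched if g.approve != ApproveScope.NONE]
    return {
        "manage": max(g.manage for g in matched),
        "approve": min(granted) if granted else ApproveScope.NONE,
    }


def unsupported_assignments(sponsor_groups, identity_source):
    """Per the UI note quoted in the thread, 'Only pending accounts assigned to
    this sponsor' is supported only for ISE-internal or SAML sponsors.  Flag
    sponsor groups that pair it with an AD/LDAP identity group.
    identity_source maps identity group name -> "LDAP", "AD", "INTERNAL" or "SAML"
    (an assumed lookup, not an ISE API)."""
    flagged = []
    for g in sponsor_groups:
        if g.approve != ApproveScope.ASSIGNED:
            continue
        for ig in sorted(g.member_groups):
            if identity_source.get(ig) in ("AD", "LDAP"):
                flagged.append((g.name, ig))
    return flagged


# Constructed sample reproducing the original post: LDAP group A holds all
# users, LDAP group B holds Bob, so Bob is in both.  Manage scopes are assumed.
SPONSOR_GROUPS = (
    SponsorGroup("ALL_ACCOUNTS", frozenset({"B"}), ManageScope.ALL, ApproveScope.ANY),
    SponsorGroup("OWN_ACCOUNTS", frozenset({"A"}), ManageScope.OWN, ApproveScope.ASSIGNED),
)
BOB = frozenset({"A", "B"})
ALICE = frozenset({"A"})   # a user in group A only


if __name__ == "__main__":
    print("intended for Bob:", intended_permissions(SPONSOR_GROUPS, BOB))
    print("reported for Bob:", reported_permissions(SPONSOR_GROUPS, BOB))
    print("unsupported:", unsupported_assignments(SPONSOR_GROUPS, {"A": "LDAP", "B": "LDAP"}))
```

Running the block shows the discrepancy the thread is about: `intended_permissions` gives Bob `ApproveScope.ANY`, while `reported_permissions` gives `ApproveScope.ASSIGNED`. The `unsupported_assignments` check also flags OWN_ACCOUNTS, since it maps an LDAP group to the option the UI note says is only supported for internal or SAML sponsors; that is worth checking before filing a defect, because in the OP's setup the narrower option is not a supported configuration in the first place.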
04-11-2017 07:28 AM
I am seeing the same behavior with ISE 2.2
We have opened a TAC Case and they stated that this is how ISE works. Bug ID CSCur94729 was reflected in the case.
Are there any work around options to achieve the desired behavior while this feature (bug) is resolved?
04-11-2017 11:49 AM
I can confirm that a sponsor that matches both of the options "Only pending accounts assigned to this sponsor" and "Any pending accounts" only really sees the "Only pending accounts assigned to this sponsor" guests. If I disable the Sponsor Group that has the "Only" option, then the Sponsor can see all accounts. If I disable the Sponsor Group with the "Any" option, of course I am limited to just guests that referenced the Sponsor. Of course TAC said that this was not a bug but a feature request.
04-11-2017 12:27 PM
I talked to the developer on this feature and they said it’s a bug. Please ask for one to be open.
04-11-2017 12:34 PM
Will do. Thanks for verification that this is a bug.