Sponsor Group vs LDAP Group

Eugene Korneychuk
Cisco Employee

Hello Team, Jason,

I have the following question on ISE 2.1 p3

Let's say we have the LDAP group "A" with all users, LDAP group "B" with user Bob. User Bob is also member of group A, since this group contains all users.

Sponsor Group ALL_ACCOUNTS has mapping to LDAP group B;

Sponsor Group OWN_ACCOUNTS has mapping to LDAP group A;

Sponsor Group ALL_ACCOUNTS is set to Approve and view requests from self-registering guests with option Any pending accounts selected.

Sponsor Group OWN_ACCOUNTS is set to Approve and view requests from self-registering guests with option selected.

When Bob, who is a member of both groups, logs into the sponsor portal, he can see only "Only pending accounts assigned to this sponsor".

My expectation is that, since Bob is a member of both groups, fewer restrictions will apply and he should see "Any pending accounts".

Please let me know if my expectations are right, so I will file a bug.

The issue is the same if we use local ISE groups.

Thanks!

The small icon indicates that: "You can only limit the viewing/approving of pending accounts to the sponsor who is associated with the request if the sponsor belongs to an ISE-internal or a SAML identity provider. For AD/LDAP please choose the first option."

So it looks like this is not supported with ISE 2.1 at all. Is this correct?



Eugene Korneychuk

Accepted Solution

Jason Kunst
Cisco Employee

The general intent is that when a sponsor matches multiple groups, the sponsor should get the broadest set of permissions allowed by the matching groups.

For example:

Sponsor Can Manage

Only accounts sponsor has created

Accounts created by members of this sponsor group

All guest accounts

If one matching group has "Only accounts sponsor has created" selected, and another matching group has "All guest accounts" selected, then the sponsor is able to manage all guest accounts.

For:

Approve and view requests from self-registering guests

Any pending accounts

Only pending accounts assigned to this sponsor

it sounds like there is a defect here. If any matching group has "Any pending accounts" selected, then the sponsor should have that permission. If that's not the case, we need to fix it. I don't think CSCur94729 is the right defect for this; a more specific defect should be created for this issue.
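A small model of the merge rule Jason describes, added here as an example and not Cisco ISE code: it takes the sponsor-group names and LDAP groups from the original post, assumes "Sponsor Can Manage" values for those groups (the post does not state them), and computes the broadest permission across all matching groups, with the observed narrowest merge kept for comparison.

```python
"""Model of how ISE sponsor-group permissions should combine when a sponsor
matches several groups (added example, not Cisco ISE code)."""
from dataclasses import dataclass

# Permission options in increasing order of breadth, as listed in the thread.
MANAGE_LEVELS = [
    "Only accounts sponsor has created",
    "Accounts created by members of this sponsor group",
    "All guest accounts",
]
APPROVE_LEVELS = [
    "Only pending accounts assigned to this sponsor",
    "Any pending accounts",
]

@dataclass(frozen=True)
class SponsorGroup:
    name: str
    member_groups: frozenset  # identity groups (LDAP/internal) mapped to it
    can_manage: str
    approve_pending: str

def matching_groups(user_groups, sponsor_groups):
    """Sponsor groups whose mapped identity groups overlap the user's."""
    return [g for g in sponsor_groups if g.member_groups & user_groups]

def effective_permissions(user_groups, sponsor_groups, merge="broadest"):
    """Combine the settings of every matched sponsor group.

    merge="broadest": the intended behaviour (widest option any group grants).
    merge="narrowest": the behaviour the thread reports seeing, kept so a
    reader can check which semantics a portal actually applies.
    """
    matched = matching_groups(user_groups, sponsor_groups)
    if not matched:
        return None  # no sponsor group matched: no sponsor portal access
    pick = max if merge == "broadest" else min
    manage = pick((g.can_manage for g in matched), key=MANAGE_LEVELS.index)
    approve = pick((g.approve_pending for g in matched), key=APPROVE_LEVELS.index)
    return {"can_manage": manage, "approve_pending": approve}

# Constructed scenario from the original post: LDAP group A holds all users,
# group B holds Bob. The can_manage values are assumed for illustration.
SPONSOR_GROUPS = [
    SponsorGroup("ALL_ACCOUNTS", frozenset({"B"}), "All guest accounts",
                 "Any pending accounts"),
    SponsorGroup("OWN_ACCOUNTS", frozenset({"A"}), "Only accounts sponsor has created",
                 "Only pending accounts assigned to this sponsor"),
]
BOB = frozenset({"A", "B"})  # Bob is a member of both LDAP groups
```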

jgriesel
Level 5

I am seeing the same behavior with ISE 2.2

We have opened a TAC Case and they stated that this is how ISE works. Bug ID CSCur94729 was reflected in the case.

Are there any work around options to achieve the desired behavior while this feature (bug) is resolved?


I can confirm that a sponsor that matches both of the options "Only pending accounts assigned to this sponsor" and "Any pending accounts" only really sees the "Only pending accounts assigned to this sponsor" guests. If I disable the Sponsor Group that has the "Only" option then the sponsor can see all accounts. If I disable the Sponsor Group with the "Any" option, of course I am limited to just guests that referenced the sponsor. Of course TAC said that this was not a bug but a feature request.

I talked to the developer on this feature and they said it’s a bug. Please ask for one to be open.

Will do. Thanks for verification that this is a bug.
