cancel
Showing results for 
Search instead for 
Did you mean: 
cancel

Who Me Too'd this topic

SGT for users belonging to multiple groups

Marvin Rhoads
Hall of Fame
Hall of Fame

I'm looking for a design guide covering the use case of user belonging to multiple AD groups, each assigned a unique SGT with associated SGACLs.

Everything I've seen in the various resources seems to assume that a given user is only ever a member of one group and thus the classic ISE first-match AuthZ policy works just fine.

How do we accommodate the case where users may belong to multiple groups and we need a multi-match sort of logic? It doesn't scale to have n*(n-1) ...much less n! SGTs.

Who Me Too'd this topic