05-22-2018 04:36 AM - edited 03-11-2019 01:38 AM
I'm looking for a design guide covering the use case of user belonging to multiple AD groups, each assigned a unique SGT with associated SGACLs.
Everything I've seen in the various resources seems to assume that a given user is only ever a member of one group and thus the classic ISE first-match AuthZ policy works just fine.
How do we accommodate the case where users may belong to multiple groups and we need a multi-match sort of logic? It doesn't scale to have n*(n-1) ...much less n! SGTs.
Solved! Go to Solution.