PlafoCL
Copper Contributor
Oct 06, 2022

membersOf Dynamic group based on other dynamic groups

Hi!

 

Please advise. I've been reading the entire documentation related to memberOf-based Dynamic groups; however, I would like to have a confirmation of the feasibility of the following scenarios before we commit to Dynamic groups on AD.

 

Let's imagine the following scenario:

 

| Group Name | Rule |
| --- | --- |
| Dynamic Group A | Attribute blah -eq bli |
| Dynamic Group B | Attribute bleh -eq blo |
| Static Group C | Manual Assignment |

 

Are the following dynamic group rules supported?

| Group Name | Rule |
| --- | --- |
| Dynamic Group D | memberOf –any A,B |
| Dynamic Group E | memberOf –all A,B |
| Dynamic Group G | memberOf –any A,C |
| Dynamic Group H | memberOf –any A,B,C |

 

 

 

 


  • This scenario is specifically called out in the documentation:

    You can't use one memberOf dynamic group to define the membership of another memberOf dynamic group. For example, Dynamic Group A, with members of group B and C in it, can't be a member of Dynamic Group D.
    • PlafoCL
      Copper Contributor
      Yes, I read that, but I just wanted to make sure that there are no differences between dynamic groups made using memberOf attribute vs the rest (of attributes).

      So it looks like the rule applies to all dynamic groups, not depending on the attribute used to create them.
      Thanks!
  • LainRobertson
    Silver Contributor

    PlafoCL 

     

    If you shift the focus to what you're trying to achieve rather than how you've proposed on doing so, there are some options you can explore.

     

    Below is a dummy example related to your Dynamic Group E scenario.

     

    This example does indeed produce the union (of user objects though, not groups) of two other dynamic groups through using the memberOf attribute on the user object rather than memberOf on the group objects.

     

    The initial output is from the dynamic group (i.e. analogous to your Dynamic Group E) that holds the union of two other dynamic groups. This also shows the rule, which has the "and" join highlighted for clarity.

     

    The second round of output is purely confirmation that the two groups being compared are indeed dynamic.

     

    The final output is simply a count of how many members the first group contains as a result of the rule processing.

     

     

    Using this slightly different approach, you probably can satisfy the four deliverables you've outlined.

     

    Cheers,

    Lain

    • PlafoCL
      Copper Contributor
      Awesome!

      Thanks Lain! I am going to test it straight away!
      Cheers
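
The four rules from the question modelled offline, as an added example that is not part of any post in this thread and does not call the directory service: it computes who would land in D, E, G and H when "any" means membership in at least one source group and "all" means membership in every source group, and it flags a memberOf group built on another memberOf group, the case the quoted documentation rules out. The dict layout, the sample users and the function names are assumptions made for illustration.

```python
# Added example: offline model of the thread's groups; no directory service is contacted.
# The dict layout, field names and sample users are constructed for illustration.

USERS = {  # constructed sample users carrying the question's placeholder attributes
    "alice": {"blah": "bli", "bleh": "blo"},
    "bob":   {"blah": "bli", "bleh": "zzz"},
    "carol": {"blah": "zzz", "bleh": "blo"},
    "dave":  {"blah": "zzz", "bleh": "zzz"},
}

GROUPS = {
    "A": {"kind": "attribute", "attr": "blah", "value": "bli"},
    "B": {"kind": "attribute", "attr": "bleh", "value": "blo"},
    "C": {"kind": "static", "members": {"dave"}},
    "D": {"kind": "memberOf", "mode": "any", "sources": ["A", "B"]},
    "E": {"kind": "memberOf", "mode": "all", "sources": ["A", "B"]},
    "G": {"kind": "memberOf", "mode": "any", "sources": ["A", "C"]},
    "H": {"kind": "memberOf", "mode": "any", "sources": ["A", "B", "C"]},
}


def members(name, groups=GROUPS, users=USERS):
    """Return the set of users the model places in group `name`."""
    g = groups[name]
    if g["kind"] == "attribute":
        return {u for u, attrs in users.items() if attrs.get(g["attr"]) == g["value"]}
    if g["kind"] == "static":
        return set(g["members"])
    sets = [members(s, groups, users) for s in g["sources"]]
    # "any" = in at least one source group, "all" = in every source group
    return set.union(*sets) if g["mode"] == "any" else set.intersection(*sets)


def chained_memberof(groups=GROUPS):
    """List (group, source) pairs where a memberOf group is built on another
    memberOf group, the case the quoted documentation says is not allowed."""
    return [(name, src)
            for name, g in groups.items() if g["kind"] == "memberOf"
            for src in g["sources"] if groups[src]["kind"] == "memberOf"]


if __name__ == "__main__":
    for name in "DEGH":
        print(name, sorted(members(name)))
    print("chained:", chained_memberof())
```

Run `chained_memberof()` on a design before `members()`, since the model does not guard against groups that reference each other in a cycle.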
