Forum Discussion
membersOf Dynamic group based on other dynamic groups
Hi!
Please advice, I've been reading the entire documentation related to memberOf-based Dynamic groups, however, I would like to have a confirmation of the feasibility of the following scenarios before we commit to Dynamic groups on AD.
Let's imagine the following scenario:
Group Name | Rule |
Dynamic Group A | Attribute blah -eq bli |
Dynamic Group B | Attribute bleh -eq blo |
Static Group C | Manual Assignment |
Are the following dynamic group rules supported?
Group Name | Rule |
Dynamic Group D | memberOf –any A,B |
Dynamic Group E | memberOf –all A,B |
Dynamic Group G | memberOf –any A,C |
Dynamic Group H | memberOf –any A,B,C |
If you shift the focus to what you're trying to achieve rather than how you've proposed on doing so, there are some options you can explore.
Below is a dummy example related to your Dynamic Group E scenario.
This examples does indeed produce the union (of user objects though, not groups) of two other dynamic groups through using the memberOf attribute on the user object rather than memebrOf on the group objects.
The initial output is from the dynamic group (i.e. analogous to your Dynamic Group E) that holds the union of two other dynamic groups. This also show the rule which has the "and" join highlighted for clarity.
The second round of output is purely confirmation that the two groups being compared are indeed dynamic.
The final output is simply a count of how many members the first group contains as a result of the rule processing.
Using this slightly different approach, you probably can satisfy the four deliverables you've outlined.
Cheers,
Lain
- This scenario is specifically called out in the documentation:
You can't use one memberOf dynamic group to define the membership of another memberOf dynamic groups. For example, Dynamic Group A, with members of group B and C in it, can't be a member of Dynamic Group D).- PlafoCLCopper ContributorYes, I read that, but I just wanted to make sure that there are no differences between dynamic groups made using memberOf attribute vs the rest (of attributes).
So looks like the rule apply to all dynamic groups, not depending on the attribute used to create them.
Thanks!
- LainRobertsonSilver Contributor
If you shift the focus to what you're trying to achieve rather than how you've proposed on doing so, there are some options you can explore.
Below is a dummy example related to your Dynamic Group E scenario.
This examples does indeed produce the union (of user objects though, not groups) of two other dynamic groups through using the memberOf attribute on the user object rather than memebrOf on the group objects.
The initial output is from the dynamic group (i.e. analogous to your Dynamic Group E) that holds the union of two other dynamic groups. This also show the rule which has the "and" join highlighted for clarity.
The second round of output is purely confirmation that the two groups being compared are indeed dynamic.
The final output is simply a count of how many members the first group contains as a result of the rule processing.
Using this slightly different approach, you probably can satisfy the four deliverables you've outlined.
Cheers,
Lain
- PlafoCLCopper ContributorAwesome!
Thanks Lain! , I am going to test it straight away!
Cheers