Oct 05 2022 08:04 PM
Hi!
Please advise. I've been reading the entire documentation related to memberOf-based Dynamic groups; however, I would like to have confirmation of the feasibility of the following scenarios before we commit to Dynamic groups on AD.
Let's imagine the following scenario:
| Group Name | Rule |
|---|---|
| Dynamic Group A | Attribute blah -eq bli |
| Dynamic Group B | Attribute bleh -eq blo |
| Static Group C | Manual Assignment |
Are the following dynamic group rules supported?
| Group Name | Rule |
|---|---|
| Dynamic Group D | memberOf -any A,B |
| Dynamic Group E | memberOf -all A,B |
| Dynamic Group G | memberOf -any A,C |
| Dynamic Group H | memberOf -any A,B,C |
Oct 05 2022 11:45 PM
Oct 06 2022 02:32 AM
Solution
If you shift the focus to what you're trying to achieve rather than how you've proposed doing so, there are some options you can explore.
Below is a dummy example related to your Dynamic Group E scenario.
This example does indeed produce the union (of user objects though, not groups) of two other dynamic groups through using the memberOf attribute on the user object rather than memberOf on the group objects.
The initial output is from the dynamic group (i.e. analogous to your Dynamic Group E) that holds the union of two other dynamic groups. This also shows the rule, which has the "and" join highlighted for clarity.
The second round of output is purely confirmation that the two groups being compared are indeed dynamic.
The final output is simply a count of how many members the first group contains as a result of the rule processing.
Using this slightly different approach, you probably can satisfy the four deliverables you've outlined.
Cheers,
Lain
Oct 06 2022 05:15 AM
Oct 06 2022 05:19 AM