4 Replies Latest reply on Jun 4, 2014 4:11 PM by Amit Gupta

    AD RBAC Role Synchronization Using Nested User Groups

    Chris Blanks

      I am using BSA 8.3 SP2 and Active Directory authentication.  I am doing RBACRole syncUsers for various roles in my environment in order to automate my account provisioning/deprovisioning as users change roles/departments/companies.  This has been working well for us as long as we put user objects directly into the security group that we have targeted for access.


      A recent request has come to us to allow nested security groups in these authentication groups.  IE.  Team X already has Group A and our automation standards look at Group X, so they would like to put Group A into Group X rather than manage the users inside directly.  This group has a lot of turnover and is sensitive to additional groups to manage, but regardless of the reason, this sounds like it should be fairly simple to accomplish.  That is with one big problem...I don't know how...  :$


      Has anyone asked this question/solved this problem before?  Although I would be flattered to be the first person on the planet to think of this, I feel that this may be a bit far-fetched.


      My existing group query sets the Base DN as the security group in question, uses a filter of (objectClass=*), and an attribute of member.  My existing user query has no Base DN specified, uses a filter of (objectClass=user), and an attribute of userPrincipalName.


      I have read a bit about AD's LDAP_MATCHING_RULE_IN_CHAIN, and it sounds promising, but I have made no progress to date.  :'-(


      Any assistance pointing me in the right direction or supplying me with a working example would be amazing!!!  Thanks in advance!!!