9 Replies Latest reply on Jun 20, 2013 4:53 AM by Sami Halonen

    Syncing users and roles over domain trust

    Sami Halonen

      Here's our scenario. We have users in an Active Directory domain, let's call it USERS, and a bunch of security groups in another domain called GROUPS. There is a one-way external trust between the domains, so that the security groups in the GROUPS domain have members from the USERS domain.


      Now, what I would need to accomplish is synchronizing user accounts from domain USERS to BladeLogic and maybe give them a dummy role doing the normal RBACRole syncUsers etc., BUT give them roles according to their group memberships in the GROUPS domain. (By the way, is it possible to only sync users and not assign them to any role? Just a side question.) I have managed to sync the user accounts from the USERS domain and I have mapped the roles on BSA to domain groups, but BSA doesn't seem to understand group members that reside in another domain.


      The reason we need to do this is that we have no power or control over the USERS domain; we can only authenticate against it. However, the GROUPS domain is our "own" and we need to keep the roles and access rights in our own hands for security and legal reasons.


      Any help (even "not supported") is greatly appreciated!