
Idea: Provide conditional group inheritance

In my scenario I need to provide AD groups to several departments and users based on certain business or system roles.

To avoid creating excessive roles and their corresponding time-consuming, CPU-burning, database-clogging dynamic roles, it would be nice if we could:

  1. Assign all possible AD groups to a department.
  2. Accounts inherit these groups based on a database condition, or filter.

This way, computation of group assignment would be carried out only when an account is created and assigned to a department instead of a scheduled dynamic role that is executed no matter what.

Regards!

ps: Maybe there's a way to achieve this but I'm too lost to have noticed.

  • Conditional inheritance leads to many problems and difficulties during audits, generates myriads of support calls if something is not working as expected etc.

    In your case, you should consider using categories to distinguish the groups and account types into categories. The inheritance calculation then is taking care of the separation.

    Or, assign only those groups that every member should receive to the department and for all other groups create IT shop requests based on your conditions. A script could generate the requests based on your conditions.

  • Thanks, Markus.

    I reviewed the categories option but it is too tied to AD and I'm looking for something more high level oriented. Also there's more to take into account besides AD membership. I am aware I made a short, light description of my scenario.

    I like the idea of script driven IT shop requests though. I'll dig into it.

    Thanks again :)

  • Categories are not AD based but are available for all target systems. The thing is that you have to assign the categories to the user and groups. But this task can be done by scripts as well as long as you have the rules in place and 32 categories are enough.

  • Hmmm... I'll check that out too. Maybe 32 are not enough for me, but I'll try.

    Thanks!
