This is what we've done to get by with one role for most people...

We usa AD for our core auth, so we did everything in the user record. We allow people into the role by an AD user group.

In everyone's AD record, we took the "pager" field and put in their workstation name. We then wrote a Terminal Services role that used : <USER>@<userAttr.pager>.domain.com for the shortcut. added the same string to the TerSvc acl's and we were golden.

I just realized a couple days ago, that if you put multiple entries in to the "otherpager" field in AD, that the IVE creates a separate shortcut for each one, so in effect we can use this one role and one field to give everyone access to all the sessions they need without having to do anything in the IVE, just add to AD and we're done..

-S

An easy way to clean up both the role-mapping rules and the user's portal is to allow the usesr to create their own bookmarks. The user only needs to know his workstation name or IP to create the bookmark.

make sure you have a terminal server users group in AD, make a role mapping from the AD group to Terminal Server/RDP rule, set your options in the role, now any user that is authorized and is in the TS Users group will get the RDP link and if you have DNS correctly for all the users workstations they can rdp to PC-SONICBOOM or whatever it is called. this way in the future, if theres any new users that need access, all you have to do is add them to the TS Users group in AD and never have to touch the Juniper

It won't be possible to have a list as you mentioned; but if there is an attribute on your auth server you can pull, you can do that (as several others mentioned) as the bookmark host.

If you wanted a list, you could put all the servers in one role and then in the ACL use a detailed rule and define who is allowed and who is not (but this adds additional administrative overhead).

You could do a resource profile for the computers and assign roles from there.