I'm new to Juniper products and have been tasked to implement SSL access using the MAG 4610 appliance. I've got a pretty good handle on creating roles and how they are assigned to users. We have approximately 150 Active Directory groups that will be accessing the system and each will need to be mapped to a different role. The role names will mirror the AD group names. Is it possible to create a custom expression that would match the AD group with a role and, if there are no matches, drop the user into a catch-all role? Ideally I'd only have one or two custom expressions to accomplish this. If someone could provide an example I'd much appreciate it; I've read a lot of documentation on custom expressions but there aren't a lot of examples. I've got the system successfully authenticating to our domain controllers and can see the groups, so that part is complete. Thanks for any and all help.
Have you tried using the expression groups != ("grp1" or "grp2" or "grp3") and assigning the catch-all role if it matches this rule?
Regards,
Jay
You need to map each group into a role? Doesn't that mean you need to create as many roles as you have groups?
There will be a one-to-one match of AD group and roles. What I am trying to avoid is creating 150 separate role mapping rules. If a customer logs into the system and is a member of AD group "Test-1", I would like to build a custom expression that maps him to the matching role of the same name. Then, if there isn't a matching role name, drop the user into a catch-all rule.
Are these so different that you need 150 roles? What are the differences?
Each role is accessing different servers via an RDP session.
I don't believe there is any way to do the kind of role-assignment you want to do. But there may be something which would work and be very simple.
If you can store the RDP destination names or IP addresses in a multivalued attribute in the AD group structure, you should be able to define a terminal services bookmark using that variable.
My users are defined in an LDAP (not AD) which includes a multivalued field (rdpdest) which has names or addresses of the RDP destinations which they can access. I then define a terminal services profile with the name and server name/address being "<userAttr.rdpdest>". This generates a terminal services bookmark for each value of the field.
In my case, these destinations are associated with an individual, but I assume you might be able to do something like that to associate the destinations with a group.
Do it this way, and there is only one role with RDP bookmarks. If the value of the field is null, the users could fall through to your "catch-all" role.
Ken
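To make the two designs in this thread concrete, here is a small Python model, added as an example and not code from the thread or from Juniper. It models (a) the original one-role-per-group mapping with a catch-all fallback, (b) the catch-all custom expression Jay proposed, rendered as a string in the SA expression syntax rather than executed, and (c) Ken's single-role design where the terminal-services bookmarks are expanded from a multivalued attribute (rdpdest) and an empty attribute falls through to the catch-all role. The role names "Catch-All" and "RDP-Users" and all group and host names are constructed for illustration.

```python
# Added example: a model of the role-mapping designs discussed in the thread.
# Role names, group names and hosts below are constructed for illustration.

CATCH_ALL_ROLE = "Catch-All"   # assumed name of the fallback role
RDP_ROLE = "RDP-Users"         # assumed name of Ken's single bookmark role


def map_roles_by_group_name(user_groups, defined_roles, catch_all=CATCH_ALL_ROLE):
    """Original design: each AD group maps to the role of the same name.

    Returns the set of roles whose name matches one of the user's groups,
    or {catch_all} when none of the user's groups has a matching role.
    """
    matched = {g for g in user_groups if g in defined_roles}
    return matched or {catch_all}


def generate_role_mapping_rules(groups, catch_all=CATCH_ALL_ROLE):
    """The 150 explicit rules the poster wants to avoid, generated instead of
    hand-typed: one 'groups = ("<name>")' rule per group, each assigning the
    role of the same name, followed by a final rule that assigns the catch-all.
    Output is plain text for the admin to transcribe; the appliance is not driven."""
    rules = [(f'groups = ("{g}")', g) for g in sorted(groups)]
    rules.append(("(everyone)", catch_all))   # last rule: anyone not matched above
    return rules


def catch_all_expression(known_groups):
    """Jay's suggestion written out: one custom expression that matches a user
    who is in none of the known groups, so that rule can assign the catch-all.
    Returned as a string in SA custom-expression syntax; not evaluated here."""
    quoted = " or ".join(f'"{g}"' for g in sorted(known_groups))
    return f"groups != ({quoted})"


def rdp_bookmarks(user_attrs, attr="rdpdest", rdp_role=RDP_ROLE,
                  catch_all=CATCH_ALL_ROLE):
    """Ken's design: a single role whose terminal-services bookmarks come from
    a multivalued directory attribute.  One bookmark is generated per value,
    using the value as both the bookmark name and the server address
    (the "<userAttr.rdpdest>" pattern).  An absent or empty attribute means
    the user has no destinations and falls through to the catch-all role."""
    dests = [d for d in user_attrs.get(attr, []) if d]
    if not dests:
        return catch_all, []
    return rdp_role, [{"name": d, "server": d} for d in dests]


if __name__ == "__main__":
    # Constructed sample data: three defined roles, two users.
    roles = {"Test-1", "Test-2", "Test-3"}
    print(map_roles_by_group_name(["Test-1", "Domain Users"], roles))
    print(map_roles_by_group_name(["Domain Users"], roles))
    for expr, role in generate_role_mapping_rules(roles):
        print(f"{expr:30} -> {role}")
    print(catch_all_expression(roles))
    print(rdp_bookmarks({"rdpdest": ["rdp1.corp.example", "10.1.2.3"]}))
    print(rdp_bookmarks({"rdpdest": []}))
```

The point the model makes explicit is the one Ken raises: the per-group design needs a rule per role (generated or typed), whereas the attribute-driven design needs one role plus one catch-all, with the membership decision moved into directory data rather than into expressions.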
Can also use AD extended attributes. Example follows:
extensionAttribute15
Must define this in the server catalog.