I want this behaviour:
- if my PC is on the right domain and my group is X, then I can reach the role XY
- if my PC is on the right domain and my group is W, then I can reach the role WY
- if my PC is not on the right domain and my group is X, then I can reach the role XZ
- if my PC is not on the right domain and my group is W, then I can reach the role WZ
I can't find the correct way to use role mapping.
Is it right to use the role mapping feature for my goal?
You would need to use a Custom Expression to build the conditions for the role mappings. You can combine different types, such as group lookups and Host Checks, using logical operators, e.g.:
group.GROUPNAME AND hostCheckerPolicy = "HCPolicy"
group.GROUPNAME AND ! hostCheckerPolicy = "HCPolicy"
On the role mapping rule, change "Rules Based on" to "Custom Expression" and click Update; the Expressions button will then be displayed. Click it and you get a box where you can build the required expression.
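The four cases from the question written out as custom expression rules, as an added illustration that is not part of the reply above. The group names X and W and the Host Checker policy name "rightdomain" are placeholders taken from this thread; the operator spelling follows the reply above, so confirm it against the Expressions dialog on your own appliance.

```text
# Four role mapping rules, each with "Rules Based on: Custom Expression".
# Placeholders: AD groups X and W, Host Checker policy "rightdomain".
# The role is chosen in the rule itself; the expression only decides whether the rule matches.

Rule 1  (assign role XY):  group.X AND hostCheckerPolicy = "rightdomain"
Rule 2  (assign role WY):  group.W AND hostCheckerPolicy = "rightdomain"
Rule 3  (assign role XZ):  group.X AND ! hostCheckerPolicy = "rightdomain"
Rule 4  (assign role WZ):  group.W AND ! hostCheckerPolicy = "rightdomain"
```

Each pair tests the same Host Checker policy, once positively and once negated, so a PC in group X that fails the policy falls through rule 1 and matches rule 3. A user in neither group matches none of these rules and gets no role from them, which is the safe default.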
I agree, this is a good solution, thanks.
I created a role with the restriction Host Checker -> rightdomain and another identical role with the restriction Host Checker -> unkdomain. I assigned these two roles to the same AD group in role mapping.
In your solution I must manage double the number of checks for every group; in my solution I must manage double the number of roles for every group.
What, in your opinion, could be the best solution?
Do you think an easier solution could exist?
I can't think of a simpler way.
Both options are valid, so I think it's more down to which one you prefer. For me, a downside of using the restriction on the role is that when looking at the role mappings page you wouldn't know about it unless you drilled down into the role.