Hi all,
I want this behaviour:
- if my PC is on the right domain and my group is X, then I can reach the role XY
- if my PC is on the right domain and my group is W, then I can reach the role WY
- if my PC is not on the right domain and my group is X, then I can reach the role XZ
- if my PC is not on the right domain and my group is W, then I can reach the role WZ
I can't find the way to use the role mapping correctly.
Is it right to use the role mapping feature for my goal?
Thanks,
Lorenzo
You would need to use a Custom Expression to build the conditions for the role mappings. You can combine different types such as group lookups and Host Checks using local operators, e.g.:
group.GROUPNAME AND hostCheckerPolicy = "HCPolicy"
group.GROUPNAME AND ! hostCheckerPolicy = "HCPolicy"
On the role mapping, change Rules Based on to "Custom Expression", click Update, and then the Expressions button will be displayed. Click this and you then get a box where you can build the required expression.
I agree, this is a good solution, thanks.
I made a role with the restriction -> host checker -> rightdomain and another identical role with the restriction -> host checker -> unkdomain. I assigned these two roles to the same AD group in role mapping.
In your solution I must manage a double number of checks for every group; in my solution I must manage a double number of roles for every group.
What, in your opinion, could be the best solution?
Do you think an easier solution can exist?
Thanks,
Lorenzo
I can't think of a simpler way.
Both options are valid, so I think it's more down to which one you prefer. For me, a downside of using the restriction on the role is that when looking at the role mappings page you wouldn't know about it unless you drilled down into the role.