
double condition in order to assign a role: domain membership and group membership

Occasional Contributor

Hi all,

I want this behaviour:

- if my PC is on the right domain and my group is X then I can reach the role XY

- if my PC is on the right domain and my group is W then I can reach the role WY

- if my PC is not on the right domain and my group is X then I can reach the role XZ

- if my PC is not on the right domain and my group is W then I can reach the role WZ

I can't find a way to use role mapping correctly.

Is it right to use the role mapping feature for my goal?

Thanks,

Lorenzo

Regular Contributor

Re: double condition in order to assign a role: domain membership and group membership

You would need to use a Custom Expression to build the conditions for the role mappings. You can combine different types such as group lookups and Host Checks using local operators, e.g.:

group.GROUPNAME AND hostCheckerPolicy = "HCPolicy"

group.GROUPNAME AND ! hostCheckerPolicy = "HCPolicy"

On the role mapping, change Rules Based on to "Custom Expression" and click Update; the Expressions button will then be displayed. Click this and you then get a box where you can build the required expression.

Occasional Contributor

Re: double condition in order to assign a role: domain membership and group membership

I agree, this is a good solution, thanks.

I created a role with the restriction -> host checker -> rightdomain and another identical role with the restriction -> host checker -> unkdomain. I assigned these two roles to the same AD group in role mapping.

In your solution I must manage a double number of checks for every group; in my solution I must manage a double number of roles for every group.

What, in your opinion, could be the best solution?

Do you think an easier solution can exist?

Thanks,

Lorenzo

Regular Contributor

Re: double condition in order to assign a role: domain membership and group membership

I can't think of a simpler way.

Both options are valid, so I think it's more down to which one you prefer. For me, a downside of using the restriction on the role is that when looking at the role mappings page you wouldn't know about it unless you drilled down into the role.
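
Added example, not part of any post in this thread and not the appliance's own evaluation logic: a small Python model of the two designs discussed above (custom expressions in role mapping versus Host Checker restrictions on the roles), checking that both give the four outcomes from the question. Assumptions: the function names, the `on_domain` flag, that `HCPolicy` and `rightdomain` pass only on a domain PC and `unkdomain` only on any other PC, and that every matching rule contributes its role.

```python
# Added model of the thread's two designs; not the appliance's evaluation engine.
GROUPS = ("X", "W")  # AD groups from the question

def passed_policies(on_domain):
    # Assumption: HCPolicy and rightdomain pass on a domain-joined PC,
    # unkdomain passes on any other PC.
    return {"HCPolicy", "rightdomain"} if on_domain else {"unkdomain"}

def design_a(groups, on_domain):
    """Custom expressions: two role-mapping rules per group."""
    hc_ok = "HCPolicy" in passed_policies(on_domain)
    roles = set()
    for g in GROUPS:
        in_group = g in groups
        if in_group and hc_ok:        # group.G AND hostCheckerPolicy = "HCPolicy"
            roles.add(g + "Y")
        if in_group and not hc_ok:    # group.G AND ! hostCheckerPolicy = "HCPolicy"
            roles.add(g + "Z")
    return roles

def design_b(groups, on_domain):
    """Role restrictions: one group rule maps both roles, then each role's
    Host Checker restriction filters out the one that does not apply."""
    passed = passed_policies(on_domain)
    restriction = {}  # role -> policy required by the role restriction
    mapping = {}      # group -> roles assigned by the single group rule
    for g in GROUPS:
        restriction[g + "Y"] = "rightdomain"
        restriction[g + "Z"] = "unkdomain"
        mapping[g] = [g + "Y", g + "Z"]
    candidates = [r for g in groups for r in mapping.get(g, [])]
    return {r for r in candidates if restriction[r] in passed}

def compare():
    """Return {(group, on_domain): role}, checking that both designs agree."""
    table = {}
    for g in GROUPS:
        for on_domain in (True, False):
            a, b = design_a({g}, on_domain), design_b({g}, on_domain)
            assert a == b and len(a) == 1, (g, on_domain, a, b)
            table[(g, on_domain)] = next(iter(a))
    return table

if __name__ == "__main__":
    for key, role in compare().items():
        print(key, "->", role)
```

In this model a user outside both groups gets no role under either design, and a user in both groups gets one role per group.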