Hi Charles,

Rather than export their AD group membership, export their roles. Have identical roles on the IC. When they are imported into the IC they will be given the same roles as on the SA.

Remeber that your enforcers need to be configured to provision the auth table "as required" to support IF-MAP.

Sam.

JNCIS-FWV JNCIS-SSL JNCIS-ER JNCIS-SEC

Thanks for the feedback, Sam.

I guess my only concern with mapping AD group to user role on the IVE is that now we will need to do the role mappings twice. Once on the IVE and then again on the UAC. So now, when there is a need to change role mappings in the future, we'll have to do it twice - on the UAC and the IVE.

It seems it would be easier to have all role mapping done on the UAC only. Or am I missing something?

There is that, or what I do is have a group in AD for each of the roles, and the role mapping rules just map one group to one role.

If a user needs to change roles they just get moved in AD.

This has the added advantage for me that our first line support guys can make such modifications without touching the SA or IC.

Sam.

This is interesting. Juniper's JTAC is telling me that AD group membership info cannot be exported via IF-MAP. I hope this is incorrect.

How exactly would I export that session info? Would I do this with 'IF-MAP Identity'?

Thanks.

In case anyone is interested. JTAC is correct, you cannot export AD group member info via IF-MAP. Kind of disappointing as that functionality would have simplified our design immensely.