12-31-2013 08:38 AM - edited 03-10-2019 09:13 PM
Currently i have group mapping like this
ACS Groups Window Groups
Grp-A-B Grp-1 and Grp-2
Grp-A Grp-1
Grp-B Grp-2
For example currently one user test1 is part of both groups 1 and 2 in windows and is mapped to Grp-A-B in ACS. Is it possible if i delete the Grp-A-B mapping in ACS and can see the user test1 speratley in both groups ( Grp-A and Grp-B) in ACS?
Solved! Go to Solution.
01-02-2014 01:49 AM
Salam Muhammad,
If you have a local user in ACS, that user can not be a member of two groups at the same time.
The same concept applies to the external users. They can not be mapped to two different groups at the same time.
If you remove the Grp-A-B configuration, the user test1 will be mapped to the first group in the list because ACS 4.2 process the goup mapping in order:
'''snip'''
Group Mapping Order
ACS always maps users to a single ACS group; yet a user can belong to more than one group set mapping. For example, a user named John could be a member of the group combination Engineering and California, and at the same time be a member of the group combination Engineering and Managers. If ACS group set mappings exist for both these combinations, ACS has to determine to which group John should be assigned.
ACS prevents conflicting group set mappings by assigning a mapping order to the group set mappings. When a user who is authenticated by an external user database is assigned to an ACS group, ACS starts at the top of the list of group mappings for that database. ACS sequentially checks the user group memberships in the external user database against each group mapping in the list. When finding the first group set mapping that matches the external user database group memberships of the user, ACS assigns the user to the ACS group of that group mapping and terminates the mapping process.
'''snip'''
Reference:http://goo.gl/cvc474
HTH
Amjad
Rating useful replies is more useful than saying "Thank you"
01-02-2014 01:49 AM
Salam Muhammad,
If you have a local user in ACS, that user can not be a member of two groups at the same time.
The same concept applies to the external users. They can not be mapped to two different groups at the same time.
If you remove the Grp-A-B configuration, the user test1 will be mapped to the first group in the list because ACS 4.2 process the goup mapping in order:
'''snip'''
Group Mapping Order
ACS always maps users to a single ACS group; yet a user can belong to more than one group set mapping. For example, a user named John could be a member of the group combination Engineering and California, and at the same time be a member of the group combination Engineering and Managers. If ACS group set mappings exist for both these combinations, ACS has to determine to which group John should be assigned.
ACS prevents conflicting group set mappings by assigning a mapping order to the group set mappings. When a user who is authenticated by an external user database is assigned to an ACS group, ACS starts at the top of the list of group mappings for that database. ACS sequentially checks the user group memberships in the external user database against each group mapping in the list. When finding the first group set mapping that matches the external user database group memberships of the user, ACS assigns the user to the ACS group of that group mapping and terminates the mapping process.
'''snip'''
Reference:http://goo.gl/cvc474
HTH
Amjad
Rating useful replies is more useful than saying "Thank you"
01-05-2014 11:48 PM
Wa Alikum Asalam Amjad,
Yes i agree its not possible do you think its possible in version 5.x because my customer have 100's of groups in AD and users are part of multiple groups so in this case we have to create lot of combinations do you think any other solution is available ?
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: