Thanks Gene - We are fully aware of the multiple LDAP objects including the inability to handle nested groups. Have inquired numerous times with product management about such features and numerous community ideas on the topic.
Here is the scenario from the support case. It is suggested to drop all Liferay tables to fix the "site template" propagation issue, whose root cause could not be determined. As a result, this means having to recreate sites (intent is to export/import) but then having to associate users to each site. Does not look good to be going back to organizational resources to perform first-time authentication just to configure users. Desired authentication method is AD LDAP, not local, as a result of the excessive overhead involved in managing local users for infrastructure teams, which can change resources.
Another method thought of was to create another AD group dedicated to each UMP site to avoid the ACL conflict. Can sync group memberships behind the scenes for the UIM security group. Then would look to associate the UMP group to the Liferay group, which would be associated to the site. Has anyone tried this?
Non-CA content on this topic from other forums.
https://blog.ancud.de/home/-/blogs/creating-sites-and-users-programmatically
RE: Liferay API question Get UserGroup members - Community Forums | Liferay