sesu access policy is not working on a Unix endpoint when the AD authorization group is nested inside of another AD group. Has anyone out there gotten this to work? If so, what did you need to do? I have tried setting this up in the past and never got it to work. I suspect we need to make sure that all groups (both the top-level one and the nested one) are Unix-enabled. We are using Vintela as the AD client, not UNAB. Feedback is appreciated!
As per the documentation:
PIM / PAM SC supports authorization of nested groups to protected resources.
When logged on as that user, please run
$ sewhoami -a
It should reflect all the group memberships of this user.
If, in the case of an AD user via UNAB, this is not the case, please open a support ticket and we will walk you through the various checks.
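The reply above boils down to one check: does the endpoint's own view of the user (what the AD client hands to NSS) contain the nested group before PIM / PAM SC ever evaluates it? The script below is an added example and is not code from the thread, from CA, or from the Vintela/UNAB products; it runs the OS-level half of that check with `id -nG` and `getent group`, which both go through the AD client, and does not parse `sewhoami -a` because its output format is not shown on this page. The user name `jdoe` and the group names `sudo_admins` and `unix_ops` in the usage comment are assumptions for illustration.

```bash
#!/bin/sh
# Added example (not from the thread or from any vendor): report whether the AD
# client, via NSS, exposes each expected AD group as a Unix group of the user.
# If a group is missing here, the PIM / PAM SC policy cannot match it either,
# regardless of what the ACL says, so this is the first thing to verify.
# User and group names used in the usage comment are assumptions.

# Return 0 if group $2 appears in the flattened group list NSS reports for
# user $1 (primary plus supplementary groups), else 1.
user_in_group() {
    _user=$1
    _group=$2
    for g in $(id -nG "$_user" 2>/dev/null); do
        [ "$g" = "$_group" ] && return 0
    done
    return 1
}

# Return 0 if group $1 resolves through NSS and its member field lists user $2,
# else 1. For a nested AD group this only succeeds when the AD client flattens
# membership into the group entry, which is exactly what the thread is asking.
group_lists_user() {
    _group=$1
    _user=$2
    _members=$(getent group "$_group" 2>/dev/null | cut -d: -f4)
    [ -n "$_members" ] || return 1
    printf '%s\n' "$_members" | tr ',' '\n' | grep -qx "$_user"
}

# Check user $1 against every group given as further arguments.
# Prints one line per group; returns 0 only if all groups are present.
# Usage (assumed names): check_nested_auth jdoe sudo_admins unix_ops
check_nested_auth() {
    _u=$1
    shift
    _rc=0
    for grp in "$@"; do
        if user_in_group "$_u" "$grp"; then
            echo "OK   : $_u is in $grp according to id -nG"
        elif group_lists_user "$grp" "$_u"; then
            # Group entry lists the user but id does not: stale cache or the
            # client enumerates members without adding them to the user's list.
            echo "WARN : $grp lists $_u but id -nG omits it; check the AD client cache"
            _rc=1
        else
            echo "MISS : $_u is not in $grp as seen by NSS; the AD client is not exposing it"
            _rc=1
        fi
    done
    return $_rc
}
```

Run it as the user in question, or as root with the user name, for the top-level group and the nested group. Anything reported as MISS is an AD client (Vintela, UNAB, or other) configuration matter to settle first; only once both groups show as OK is it worth comparing against `sewhoami -a` and opening the support case the reply suggests.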
@Andreas Mueller - We are running the 12.8.1 version of the endpoint, not 14.1. Also, we are not using UNAB; we use a competing product as the Unix LDAP client. I am looking to find out whether anyone on 12.8.* has gotten this to work. I will open a case to get better help.