Symantec Access Management


Nested Groups in Response and in Policies

  • 1.  Nested Groups in Response and in Policies

    Posted 08-01-2018 06:48 AM

    Hi.

    We are using SSO 12.7 and have several applications with user store based on Active Directory.

    We would like to achieve these aspects:

    1. We need to send as Response ALL NESTED GROUPS that a user belongs to. We are able to send a response with standard groups, but are not able to collect the Nested Groups of a specific user. How can we do this?

    2. Is it possible, while configuring a Policy/Domain/Realm in Adminui, to see the Nested Groups in the policy configuration? In this case we would like to authorize only users that belong to a specific Nested Group, selecting them as for the standard group that usually appears automatically.

    Any feedback is really appreciated!!



  • 2.  Re: Nested Groups in Response and in Policies
    Best Answer

    Posted 08-01-2018 10:12 AM

    fmoro

    Question: 1. We need to send as Response ALL NESTED GROUPS that a user belongs to. We are able to send a response with standard groups, but are not able to collect the Nested Groups of a specific user. How can we do this?

    Answer: SM_USERNESTEDGROUPS. Refer to https://docops.ca.com/ca-single-sign-on/12-8/en/configuring/policy-server-configuration/responses-and-response-groups/ca-single-sign-on-generated-user-attributes

    Question: 2. Is it possible, while configuring a Policy/Domain/Realm in Adminui, to see the Nested Groups in the policy configuration? In this case we would like to authorize only users that belong to a specific Nested Group, selecting them as for the standard group that usually appears automatically.

    Answer: In the Policy, under the Users tab, we have a checkbox "Allow Nested Groups"; have we tried that?



  • 3.  Re: Nested Groups in Response and in Policies

    Posted 08-02-2018 03:51 AM

    Thanks Dennis: it is very clear.

    We'll use option 1, using SM_USERNESTEDGROUPS.

    In regard to Question 2, can you explain to us how a policy with nested groups works?

    We would like to permit a user to access a resource based on a nested group he belongs to.

    If we enable the flag, in any case we'll not see the nested group in the Adminui. What filter can we insert in the search?

    Thanks



  • 4.  Re: Nested Groups in Response and in Policies

    Posted 08-02-2018 12:35 PM

    fmoro

    In the Policy, under the Users tab, we have three buttons:

    • Add Member.
    • Add Entry.
    • Add All.

    After having selected "Allow Nested Groups", try "Add Entry" and enter the complete DN of the Group. See if this helps / works.



  • 5.  Re: Nested Groups in Response and in Policies

    Posted 08-06-2018 04:16 AM

    Thanks!

    We were able to see the Nested Group by enabling it in the policies!

    Regards
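
Added example, not part of the thread and not CA/Symantec code: a small Python model of what changes when a policy bound to a group DN also honours nested groups, comparing direct membership with the transitive memberOf closure (cycle-safe). The directory contents, DNs and function names are constructed for illustration; `in_chain_filter` uses Active Directory's LDAP_MATCHING_RULE_IN_CHAIN OID so the directory resolves the nesting itself.

```python
from collections import deque

# Constructed sample directory: DN -> groups it is a direct member of
# (the shape of Active Directory's memberOf attribute). All DNs are made up.
MEMBER_OF = {
    "cn=alice,ou=users,dc=example,dc=com": ["cn=app-devs,ou=groups,dc=example,dc=com"],
    "cn=bob,ou=users,dc=example,dc=com": ["cn=contractors,ou=groups,dc=example,dc=com"],
    "cn=app-devs,ou=groups,dc=example,dc=com": ["cn=engineering,ou=groups,dc=example,dc=com"],
    "cn=engineering,ou=groups,dc=example,dc=com": ["cn=app-users,ou=groups,dc=example,dc=com"],
    # Misconfigured cycle: app-users is itself a member of app-devs.
    "cn=app-users,ou=groups,dc=example,dc=com": ["cn=app-devs,ou=groups,dc=example,dc=com"],
}

def norm(dn):
    """AD compares DNs case-insensitively, so lower-case before comparing."""
    return dn.strip().lower()

def direct_groups(dn, member_of=MEMBER_OF):
    return {norm(g) for g in member_of.get(norm(dn), [])}

def nested_groups(dn, member_of=MEMBER_OF):
    """Every group reachable through memberOf, direct or nested (BFS)."""
    seen, queue = set(), deque(direct_groups(dn, member_of))
    while queue:
        group = queue.popleft()
        if group in seen:          # already expanded: stops membership cycles
            continue
        seen.add(group)
        queue.extend(direct_groups(group, member_of) - seen)
    return seen

def is_authorized(user_dn, policy_group_dn, allow_nested, member_of=MEMBER_OF):
    """Policy check against one group DN, with or without nested matching."""
    if allow_nested:
        groups = nested_groups(user_dn, member_of)
    else:
        groups = direct_groups(user_dn, member_of)
    return norm(policy_group_dn) in groups

def in_chain_filter(group_dn):
    """LDAP filter for transitive membership; escapes RFC 4515 special chars."""
    escaped = "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in group_dn)
    return "(memberOf:1.2.840.113556.1.4.1941:=%s)" % escaped
```

With nested matching on, every member of every child group of the policy group is authorized, so the full chain under that DN is worth reviewing before the policy is bound to it.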