We are trying to limit access to a set of roles through the use of the memberof attribute in Active Directory. Support has already told us that "endswith", "beginswith", "contains", ">", "<", etc. are not supported in Active Directory. And wildcards do not appear to work, as PIM encloses the filter string in quotation marks ( "cn=*,ou=group,dc=abc,dc=com" ), thus forcing AD to interpret the "*" literally.
1. We want to set up a rule like:
   allow "ou=group,dc=abc,dc=com"
   allow "memberof endswith ou=group,dc=abc,dc=com"
We are already going to create thousands of groups to be applied in scoping roles across several roles.
We want to create another role that will provide a base set of capabilities to anyone who exists in one of those thousands of groups. Otherwise we have to manage a separate group for end-users who have already been authorized under their own delegated groups. This single group would be extremely large and would not make sense, since they will already be in a group under a common OU structure.
2. Bonus (if possible)
Additionally as a plus (but not required) if the memberof value could be evaluated like a regular expression with a parameter value in the expression extracted into a scoping role, that would also help collapse our scoping rules in our roles.
If a group is structured like above, "cn=XYZ-%DeptNumber%-PIM,ou=group,dc=abc,dc=com", where %DeptNumber% is a variable which can be mapped into a scoping rule such as CUSTOM1_Field=%DeptNumber%, that would enable us to not only have one rule defined for all of our groups, but also reduce manual effort to update these scoping rules whenever a change (such as a re-organization) occurs.
#1 is the main idea we are looking to get limited.
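For readers evaluating this request: memberOf is a DN-syntax attribute, and AD's LDAP server does not perform substring matching on DN-syntax attributes, so an "endswith" or pattern rule on memberOf has to be evaluated by the client (here, PIM) after reading the user's memberOf values. The following is an added example, not code from the original post or from the PIM vendor, showing what such a client-side evaluation looks like: an RDN-wise "under this OU" check (rather than a raw string suffix test, which would wrongly accept ou=subgroup for a suffix of group,...), plus the %DeptNumber% extraction that the bonus item asks to map into CUSTOM1_Field. The function names, the XYZ-<DeptNumber>-PIM pattern handling and the sample memberOf values are all constructed for illustration.

```python
import re

# Constructed sample memberOf values for one user; not taken from any real directory.
SAMPLE_MEMBEROF = [
    "CN=XYZ-0420-PIM,OU=group,DC=abc,DC=com",
    "CN=Domain Users,CN=Users,DC=abc,DC=com",
    "cn=XYZ-1187-PIM, ou=group, dc=abc, dc=com",   # odd casing/spacing, still the same DN
    "CN=Helpdesk,OU=other,DC=abc,DC=com",
]

# Pattern for the hypothetical group naming scheme cn=XYZ-%DeptNumber%-PIM (assumed, per the post).
DEPT_PATTERN = re.compile(r"^cn=xyz-(?P<dept>\d+)-pim$")


def split_dn(dn: str) -> list[str]:
    """Split a DN into normalized RDNs: lower-cased attribute type and value, trimmed.
    Splits only on unescaped commas, so an escaped comma (\\,) inside a value is kept."""
    rdns = re.split(r"(?<!\\),", dn)
    normalized = []
    for rdn in rdns:
        attr, _, value = rdn.strip().partition("=")
        normalized.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return normalized


def dn_endswith(dn: str, suffix: str) -> bool:
    """True if `dn` sits under `suffix`, comparing whole RDNs from the right.
    This is the 'memberof endswith ou=group,dc=abc,dc=com' semantics the post asks for."""
    d, s = split_dn(dn), split_dn(suffix)
    return len(d) >= len(s) and d[-len(s):] == s


def member_of_ou(member_of: list[str], ou_dn: str) -> bool:
    """Base-capability rule: is the user in *any* group under ou_dn?"""
    return any(dn_endswith(group_dn, ou_dn) for group_dn in member_of)


def extract_dept_numbers(member_of: list[str], ou_dn: str) -> list[str]:
    """Bonus rule: for each group under ou_dn whose CN matches XYZ-<DeptNumber>-PIM,
    return the DeptNumber, i.e. the value that would be fed into CUSTOM1_Field."""
    depts = []
    for group_dn in member_of:
        if not dn_endswith(group_dn, ou_dn):
            continue
        match = DEPT_PATTERN.match(split_dn(group_dn)[0])  # first RDN is the CN
        if match:
            depts.append(match.group("dept"))
    return depts


if __name__ == "__main__":
    ou = "ou=group,dc=abc,dc=com"
    print("in scope OU:", member_of_ou(SAMPLE_MEMBEROF, ou))
    print("department numbers:", extract_dept_numbers(SAMPLE_MEMBEROF, ou))
```

The RDN-wise comparison matters because a plain `str.endswith("group,dc=abc,dc=com")` would also match `ou=subgroup,dc=abc,dc=com`; normalizing case and whitespace matters because AD returns DNs in canonical form but rule authors rarely type them that way.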