Idea Details

Support Wildcard filter in PIM Role for Memberof

Last activity 12-17-2016 10:55 AM
TheQuietMan's profile image
07-20-2016 07:44 AM

We are trying to limit access to a set of roles through the use of the memberof attribute in Active Directory. Support has already told us that the "endswith, beginwith, contains, >,<, etc are not supported in Active Directory. And wildcards do not appear to work as PIM uses encloses the filter string in quotations ( "cn=*,ou=group,dc,abc,dc=com" ) thus forcing AD to interpret the "*" literally.

1. We want to set up a rule like allow "ou=group,dc=abc,dc=com""

allow "memberof endwith ou=group,dc=abc,dc=com"

We are already going to create thousands of groups to be applied in scoping roles across several roles.


We want to create another role that will provide a base set of capabilities as to anyone who exists in one those thousands of groups. Otherwise we have to manage a separate group for end-users who have already been authorized under their own delegated groups. This single group will be extremely large and would not make sense since they will already be in a group under a common OU structure.


2. Bonus (if possible)

Additionally as a plus (but not required) if the memberof value could be evaluated like a regular expression with a parameter value in the  expression extracted into a scoping role, that would also help collapse our scoping rules in our roles.

If a group is structured like above "cn=XYZ-%DeptNumber%-PIM,ou=group,dc=abc,dc=com" where  %DeptNumber% is a variable which can be mapped into a scoping rule such as CUSTOM1_Field=%DeptNumber%, that would enable us to no only have one rule defined for all of our groups, but reduce manual effort to update these scoping rules whenever a change (such as a re-organization) occurs.


#1 is the main idea we are looking to get limited.