Group Membership ANDing

We're having difficulty designing a portal where users have
several dimensions (groups):
- User Department (e.g. HR, IT, Finance, Engineering)
- User Type/Role (e.g. contractor, employee, manager, etc)
- User Locations (e.g. Chicago, Seattle, Paris, Berlin, Tokyo)
How do I set it up, so that items can be set along these
dimensions? For example:
DeptGrp RoleGrp LocationGrp
UserA - Dept:HR, Role:Mgr, Location:Seattle
UserB - Dept:IT, Role:Emp, Location:Seattle
UserC - Dept:HR, Role:Emp, Location:Chicago
UserD - Dept:IT, Role:Emp, Location:Paris
So userA would belong to 3 groups: HR, Mgr, and Seattle, etc.
Now there are 3 items to publish:
Item1: For all people in HR dept.
Item2: For HR mgrs only.
Item3: For employees in the US only.
Can publish:
- item1 with group HR. This works!
- item2 with groups ???
***If use HR AND Mgr, then all people in either group can see them.
(Need people in intersection, not union of the groups).
- item3 with groups ???
***If use Employees AND Seattle AND Chicago groups, then all people
in any of the groups can see them (vs the intended audience).
Creating a HR_Mgr, HR_Emp, HR_Cont, etc group will not work,
as there are 15 dep x 8 emp types x 20 locations = 2400 groups!!!!!
How do we design this properly? We were thinking of using
perspectives for the locations. (Category is already used
for DocType).
What is the recommendation on groups and user dept/role/location?

We're facing the same problem and have made similar posts to the forum. I've been told it's a common problem in domain user management as well. If we're dealing with a dynamic page, we've let the page do some dynamic determinations, but with folder items, you're stuck with a group-based permission.
The best we've been able to do was to create a form to make it easier for publishers to make groups from the intersections of existing groups. There is a big drawback in that if a person (in your case) moves from one department to another, the "AND" groups you've created based on who was in the department would not be automatically updated. The best workaround we could develop was to develop another online utility for updating these "AND" groups. We've even gone so far as to consider building some triggers and procedures.
We're interested in a better solution.
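The following is an added example, not code from either post above. It shows the alternative both posters are circling: keep dept, role and location as attributes on the user, attach a rule to each item, and evaluate the rule (AND across dimensions, OR within a dimension) at access time. No composite HR_Mgr-style groups are materialised, so a user who changes department is re-evaluated automatically, which is the staleness problem the reply describes. The users, items and the set of US locations are modelled on the thread; treating "employees" in Item3 as the Emp role and {Seattle, Chicago} as the US locations are assumptions.

```python
"""Intersection ("AND") audience rules versus the portal's union-of-groups behaviour.

Added example for the thread above; not code from the original posts.
Assumptions: users carry exactly three attributes (dept, role, location),
"employees" in Item3 means the Emp role, and US_LOCATIONS is the set of
US offices.  Names are constructed from the thread's sample users.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List

# Constructed sample directory, modelled on UserA..UserD in the thread.
USERS: Dict[str, Dict[str, str]] = {
    "UserA": {"dept": "HR", "role": "Mgr", "location": "Seattle"},
    "UserB": {"dept": "IT", "role": "Emp", "location": "Seattle"},
    "UserC": {"dept": "HR", "role": "Emp", "location": "Chicago"},
    "UserD": {"dept": "IT", "role": "Emp", "location": "Paris"},
}

# Assumed: a "location group" is simply a set of locations, not a new AD/portal group.
US_LOCATIONS: FrozenSet[str] = frozenset({"Seattle", "Chicago"})


@dataclass(frozen=True)
class Rule:
    """One audience rule.  Each field is the set of allowed values for that
    dimension; an empty set means "any value".  The dimensions are ANDed."""
    dept: FrozenSet[str] = frozenset()
    role: FrozenSet[str] = frozenset()
    location: FrozenSet[str] = frozenset()

    def matches(self, user: Dict[str, str]) -> bool:
        # AND across dimensions; within one dimension, membership in the set (OR).
        dims = (("dept", self.dept), ("role", self.role), ("location", self.location))
        return all(not allowed or user[dim] in allowed for dim, allowed in dims)


# The three items from the thread expressed as rules.
ITEMS: Dict[str, Rule] = {
    "Item1": Rule(dept=frozenset({"HR"})),                              # all of HR
    "Item2": Rule(dept=frozenset({"HR"}), role=frozenset({"Mgr"})),     # HR managers only
    "Item3": Rule(role=frozenset({"Emp"}), location=US_LOCATIONS),      # US employees
}


def audience(item: str, users: Dict[str, Dict[str, str]] = USERS) -> List[str]:
    """Users who satisfy the item's rule, computed from current attributes.
    Because nothing is cached, a user who moves department drops out of
    (or into) the audience on the next evaluation."""
    rule = ITEMS[item]
    return sorted(name for name, attrs in users.items() if rule.matches(attrs))


def union_audience(groups: Iterable[str], users: Dict[str, Dict[str, str]] = USERS) -> List[str]:
    """What the portal's plain group list does: anyone in ANY listed group.
    Shown only to make the difference from audience() visible."""
    wanted = set(groups)
    return sorted(name for name, attrs in users.items() if set(attrs.values()) & wanted)


if __name__ == "__main__":
    for item in ITEMS:
        print(item, audience(item))
    print("Item2 as plain groups (HR, Mgr):", union_audience(["HR", "Mgr"]))
```

The union call for Item2 returns UserA and UserC (everyone in HR or Mgr), while the rule returns only UserA; for Item3 the union of Emp, Seattle and Chicago returns all four users, the rule returns UserB and UserC. Where the portal only understands groups, the same `Rule` objects can be used to regenerate the members of a derived group on a schedule from current attributes, which is a cheaper version of the "online utility" the reply mentions.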

Similar Messages

  • Check group membership and export result to file

    Hi everyone,
    Could you please assist?  I need a script that gets a samAccountName from a text or csv file, then checks if the user belongs to Group A or Group B or Group C.  If user belongs to group A, then output "Group A" and so on.  Sample
    output file:
    JDoe Group A
    JSmith Group B
    KSmith  Group C
    DDoe Group A Group B Group C
    Thanks in advance,

    Hi Phathuynh,
    We always recommend that you start your own script, and post the current script and the issue for a better response.
    In addition, you can also refer to the cmdlet "Get-ADGroupMember" to list the members in group, and the script below is for your reference:
    $output = @()
    # samAccountNames to check (in your case, read these from the text/csv file)
    $users = "user1","user2"
    # Direct members only; add -Recursive if nested group membership should count
    $array1 = Get-ADGroupMember Group1 | Select-Object -ExpandProperty samaccountname
    $array2 = Get-ADGroupMember Group2 | Select-Object -ExpandProperty samaccountname
    Foreach ($u in $users) {
        $user = Get-ADUser $u | Select-Object -ExpandProperty samaccountname
        $param = @{"user" = $user; "group A" = ""; "group B" = ""}
        $p = New-Object PSObject -Property $param
        if ($array1 -contains $user) { $p."group A" = "YES" }
        if ($array2 -contains $user) { $p."group B" = "YES" }
        $output += $p
    }
    $output
    The screenshot of result:
    If there is anything else regarding this issue, please feel free to post back.
    Best Regards,
    Anna Wang
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

  • ACS 5.3 Group Mapping based on AD group membership

    Hi,
    I am configuring a new ACS 5.3 system. Part of the rules is that I want to match the user's specific AD group membership, and match appropriately to an identity group.
    What I'm trying to do is say that if the user is a member of the AD Group (G-CRP-SEC-ENG) then associate them with the Identity Group SEC-ENG. Then under the access service, authorization portion, I assign shell profiles and command sets based on Identity Group.
    It seems that the ACS server will not match the AD Group for the user, and it will match the Default of the Group Mapping portion of the policy every time.
    I tried several configuration choices from: AD1:ExternalGroups contains any <string showing in AD>, AD1:memberOf <group>.
    Is there something special I need to do in the Group Mapping Policy to get it to match an Active Directory group and result in assigning the host to an Identity Group?
    Thank you,
    Sami

    Ok, my case is like this.
    I use ACS 5.3 for VPN authentication, using AD and an external RSA for token authentication (2 factor authentication)
    I didn't add all the VPN users in the ACS, because it will be troublesome; the user authentication will be managed by AD and the RSA server.
    In some cases where we need to restrict a group of users to only access certain resources, a downloadable ACL is used.
    Following the Cisco docs, I managed to get the downloadable ACL working when the authorization profile matching criteria is username, but when I change the matching criteria to Identity group, the downloadable ACL won't work.
    I have a case with Cisco engineer now and still in the middle to sort things out.
    The advice from the Cisco engineer is to have the Access Service set to Internal User instead of RSA server, but that will require us(the admin) to import all the VPN users into the ACS database.
    Wondering whether there is a fix for this.
    Thanks.

  • Report of Groups owned along with group memberships for each group, all in a single .csv file

    Hello all,
    What I'm trying to do is generate a report of all groups owned by a specific user, along with the group memberships, and output it all to a single .csv file. In the .csv file, I would like to have the group names as the column headers, and underneath
    the group name, list all the members of the group down through the column. So for example, if User1 owns 3 groups, the output would look like:
    What I'm having trouble with is outputting the objects to the .csv using New-Object psobject, and I'm starting to wonder if there is an easier way to do this and my brain is just fried.
    Any ideas?

    OK so I can try and give some code here, but I'm asking more of a concept question about how PowerShell builds objects so I'm not sure it will help....
    $User = "User1"
    Get-ADGroup -Filter {managedby -eq $User} -Properties member | ForEach-Object {
        $_.Name
        $_.Member
    }
    OK so this is a simple script that outputs a group name followed by the membership, all in a single column. What I would like is for the group names to each be the header of a column, and have the membership listed underneath. For example:
    Is this possible in PowerShell?

  • Get AD group membership doesn't work for global groups

    I want to pull the group membership for OBIEE directly from AD.
    This has been covered in many blogs and forums, no problem, I've found some user created functions - basically all of it uses
    DBMS_LDAP package methods
    with one exception that additionally to it also uses
    DBMS_LDAP_UTL.get_group_membership
    ALL THOSE functions work BUT I've verified it against the actual group membership from AD or the adfind tool (http://www.joeware.net/freetools/tools/adfind/index.htm)
    The list returned by the Oracle packages doesn't match, or to be exact only partially matches, the factual AD list.
    I've done some research and found there are three types used for defining group's scope by AD:
    Domain Local, Global, or Universal
    (http://technet.microsoft.com/en-us/library/cc755692(WS.10).aspx)
    leaving the first one out of the scope as we don't use it
    - I've verified and found ALL missing ONES are defined as GLOBAL
    All the Oracle functions I've found correctly pull only UNIVERSAL group memberships and none of the GLOBAL ones
    Microsoft documentation says that both of them (Universal and Global) have forest-wide visibility....
    and so AdFind can list both..
    so why does Oracle limit the search to UNIVERSAL ones only?
    Maybe it's a matter of initialize those DBMS_LDAP packages differently or passing slightly different parameters??
    I've really tried a lot of this code in different combinations but no joy
    Has anyone got some ideas?

    ...I try to block the usage of the command prompt only on this server.
    I have the same question as jrv: Why? It doesn't increase security. The command prompt is a program, not a security boundary.
    Disabling the command prompt does NOT increase security
    -- Bill Stewart [Bill_Stewart]

  • OIM Group membership rules

    Hi Friends,
    I want to create groups in OIM on the basis of complex rules (it requires some Java coding), but for attaching a group membership rule we use Rule Designer, and in Rule Designer we can't use an adapter, which means no Java code.
    What is the solution for this problem?
    One solution could be create entity adapter for group membership and execute it on pre-update.
    Thanks
    Edited by: user10968321 on Oct 28, 2009 7:06 AM

    The entity adapter on the user form in pre or post update mode is the standard way to solve complex membership rules.
    Works well as long as you can accept a slight performance decrease on user updates (including things like password resets). Make sure your code is decently fast.
    Good luck
    /Martin

  • Getting list of all users and their group memberships from Active Directory

    Hi,
    I want to retrieve a list of all the users and their group memberships through JNDI from Active Directory. I am using the following code to achieve this:
    ==================
    import java.util.Hashtable;
    import javax.naming.*;
    import javax.naming.directory.*;

    public class GetUsersGroups {
        public static void main(String[] args) {
            String[] attributeNames = {"memberOf"};
            // create an initial directory context
            Hashtable<String, String> env = new Hashtable<>();
            env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            env.put(Context.PROVIDER_URL, "ldap://172.19.1.32:389/");
            env.put(Context.SECURITY_AUTHENTICATION, "simple");
            env.put(Context.SECURITY_PRINCIPAL, "[email protected]");
            env.put(Context.SECURITY_CREDENTIALS, "p8admin");
            try {
                // Create the initial directory context (rooted at the server, no base DN in the URL)
                DirContext ctx = new InitialDirContext(env);
                // get all the users list and their group memberships
                NamingEnumeration<NameClassPair> contentsEnum = ctx.list("CN=Users,DC=filenetp8,DC=com");
                while (contentsEnum.hasMore()) {
                    NameClassPair ncp = contentsEnum.next();
                    // ncp.getName() is relative to the listed container (e.g. "CN=Administrator"),
                    // not a full DN, which is what the getAttributes() call below receives
                    String userName = ncp.getName();
                    System.out.println("User: " + userName);
                    try {
                        System.out.println("am here....1");
                        Attributes attrs = ctx.getAttributes(userName, attributeNames); // only asked for one attribute so only one should be returned
                        System.out.println("am here....2");
                        Attribute groupsAttribute = attrs.get(attributeNames[0]); // memberOf
                        if (groupsAttribute != null) {
                            System.out.println("-----" + groupsAttribute.size());
                            // memberOf is a multi valued attribute
                            for (int i = 0; i < groupsAttribute.size(); i++) {
                                // print out each group that user belongs to
                                System.out.println("MemberOf: " + groupsAttribute.get(i));
                            }
                        }
                    } catch (NamingException ne) {
                        // ignore for now
                        System.err.println("Problem encountered....0000:" + ne);
                    }
                }
                //get all the groups list
                ctx.close();
            } catch (NamingException e) {
                System.err.println("Problem encountered 1111:" + e);
            }
        }
    }
    =================
    The following exception gets thrown at every user entry:
    User: CN=Administrator
    am here....1
    Problem encountered....0000:javax.naming.NamingException: [LDAP: error code 1 -
    000020D6: SvcErr: DSID-03100690, problem 5012 (DIR_ERROR), data 0
    ]; remaining name 'CN=Administrator'
    I think it gets thrown at this line in the code:
    Attributes attrs = ctx.getAttributes(userName, attributeNames);
    Any idea how to overcome this and where am I wrong?
    Thanks in advance,
    Regards.

    In this statement:
    Attributes attrs = ctx.getAttributes(userName, attributeNames); // only asked for one attribute so only one should
    It seems OK when I add "CN=Users,DC=filenetp8,DC=com" after userName, as in
    userName + ",CN=Users,DC=filenetp8,DC=com"
    But I still have some problems with it.
    Hope it will be useful for you.

  • Shared Calendars / Room Lists and automatically forcing them to users based on Security Group Membership

    Good morning all,
    I need some help achieving the following in our Exchange 2013 Environment.  First off, we have Exchange 2013, but all our clients have Outlook 2010.
    Here's what I would like to be able to do:
    1) create/manage public calendars / rooms in exchange 2013
    2) force these shared public calendars / rooms to users' calendars who are members of particular security groups
    3) give edit permissions / "booking" permissions for the shared calendars so select users are able to make changes to the shared calendars, as well as accept/deny requests to "book" shared room calendars
    Any one got any resources they can give to point me in the right direction?
    I have already created two mailbox room resources, and have them set up in a room list in AD.  But need to know the above as far as creating a shared calendar for events, and forcing these calendars / room lists out to users based on security group
    membership.
    I don't want my users to have to know how to add a shared calendar...that would be a nightmare explaining.  I just want it to show up.
    Any help on this is greatly appreciated, thank you!

    1) I recommend using Room Mailboxes for resource calendars because it just works better.
    2) This is a standard feature of a Room Mailbox.
    3) You're pretty specific here, but I think this is also more or less available with a Room Mailbox combined with folder rights.
    I don't know any way to just make them "show up".  You'll have to teach them.  Well written instructions can work wonders.
    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."

  • Changed group membership in WGM 10.6.3 from the 10.6 server. The change takes overnight to work. Formerly ran WGM from my 10.6.8 mac (worked perfectly)  but now I am at 10.7.5 and must use WGM on the server. Has anyone else seen this behavior?

    Hi
    "Changed group membership in WGM 10.6.3 from the 10.6 server. The change takes overnight to work"
    If I've understood you correctly I've never known this or anything else to take that long? What were you trying to do exactly?
    "Formerly ran WGM from my 10.6.8 mac (worked perfectly)  but now I am at 10.7.5 and must use WGM on the server. Has anyone else seen this behaviour?"
    http://support.apple.com/kb/HT1822
    HTH?
    Tony

  • Read group membership for a user object and populate every group with matching user from another domain

    I have LON\JSmith in LON domain and DEL\JimSmith in DEL domain
    I would like to extract group memberships of LON\JSmith in LON domain and append matching by email (i.e. DEL\JimSmith) user object in every group in LON domain.
    for instance
    LON\JSmith and DEL\JimSmith is the same person and has same email address [email protected]
    LON\JSmith belongs to 3 groups - LON\localadmingroup;LON\univdesktop;LON\globalsurvey
    The outcome of the script should be
    LON\JSmith; DEL\JimSmith    should be in 3 groups - LON\localadmingroup;LON\univdesktop;LON\globalsurvey.
    How can i do it?
    Navgup

    Hi Navgup,
    Please refer to the script below, to query users in the other domain by specifying the parameter "-Server" in the cmdlet "Get-ADUser", and also note I haven't tested the script below:
    Import-Module ActiveDirectory
    Get-ADGroupMember "group" | ForEach-Object {
        # get the user's email address
        $email = (Get-ADUser $_.samaccountname -Properties EmailAddress).EmailAddress
        # find the matching user by email in the other domain and list its groups
        Get-ADUser -Filter {EmailAddress -eq $email} -Properties memberof -Server DomainB.company.com |
            Select-Object samaccountname, memberof
    }
    To get users across domain, please also refer this blog:
    Adding/removing members from another forest or domain to groups in Active Directory:
    http://blogs.msdn.com/b/adpowershell/archive/2010/01/20/adding-removing-members-from-another-forest-or-domain-to-groups-in-active-directory.aspx?Redirected=true
    I hope this helps.

  • AD Group Membership revoked on adding new group through role and acespolicy

    Hi all,
    When a user is created in OIM, it is provisioned with a default role, say CONTRACTS, which provisions an AD account and a default AD group membership.
    When I assign a new role membership, say BILLING, to assign additional AD group memberships through access policies, it removes the default AD group membership from the user. But the user still has both roles, CONTRACTS and BILLING.
    The OOTB AD task "remove user from group" is triggered.
    The problem is happening only in the Testing environment.
    In the Development environment it is working fine;
    it is not removing the default group memberships.
    any ideas? thoughts? which I need to check.
    my oim server is 11.1.1.3.0, with weblogic setup.
    Edited by: Venu on Dec 2, 2011 1:06 PM

    Do one thing:
    Take New User
    Assign First BILLING
    Assign Second Group
    And then ASSIGN CONTRACT
    Update the results.
    It is happening in one env so you might have done some configuration or it could be env issue as well.

  • Samba winbind and group membership.

    I have a Solaris 10 (update 4) box (x86) that is joined to an active directory via samba/winbind.
    The users are working fine however their group membership is not.
    Users that should be members of certain groups do not seem to be: if I run
    "groups" and check the group membership for myself I am missing entries for some groups, yet I can verify that I should be a member of that group by running getent group "domain\\group name" and seeing my username listed.
    winbind has the following parameters set
    winbind enum users = yes
    winbind enum groups = yes
    winbind nested groups = yes
    I am at a loss as to why it picks up some groups and not others.
    Has anyone come across something similar or know how to solve this issue?
    Regards,
    James

    Hi,
    I know this thread is very old but unfortunately I'm facing exactly the same problem under Solaris 10 Sparc. Any ideas? Maybe this issue was solved?
    Regards,
    Oliver

  • RDBMSRealm and Group membership

    Hello.
    I would like to use an RDBMSRealm implementation behind some form of caching implementation.
    I have looked at and run the RDBMSRealm example that ships with 6.0.
    The major drawback is that I expect to have some groups where the number of members
    can be up to 1 million. The examples for RDBMSRealm and Custom Realm say to use
    a hash table to hold the membership of a group. This seems unrealistic in cases
    where the group membership is this large.
    Has anyone implemented an RDBMSRealm or custom realm that does not use the "hash
    table" approach?
    I am currently using WLS 6.0 sp2 and am connecting to an Oracle 8.1.7 database.
    Thanks for your time,
    Bubba

    This article from Sarge's Blog might help:
    http://www.sargeway.com/blog/index.cfm?mode=entry&entry=30

  • SAML 2.0 and AD Security Group Membership

    In ADFS 2.0, as a part of the token, I can pass the AD
    security groups the user is in. Does SAP SSO have the ability to send and
    receive SAML 2.0 tokens with AD security group membership?

    Hi Jeff,
    The SAP SAML 2.0 Identity Provider is able to include any group (or role) assignment of the user (available in the NetWeaver AS Java UME) as a SAML Attribute in the generated SAML 2.0 Assertion.
    These group assignments of the user can be local (maintained in the local UME database) or remote ones if the UME is configured with another Data Source.
    So in order to be able to send the AD group assignments of the user you need to change the NetWeaver UME Data Source to your AD. More information on how to do that can be found at this page: Identity Management - SAP Library.
    Then in your Identity Provider you can configure the so-called "Authorization-Based Assertion Attributes" in the "Identity Federation" tab of your trusted Service Provider configuration. An example with such attributes is provided at this page: Configuring Identity Federation with Transient Users - Identity Provider for SAP Single Sign-On and SAP Identity Managem… (although the page is for Transient federation these attributes are supported for all supported NameID formats).
    Regarding the receiving part:
    In the SAP SAML 2.0 Service Provider of NetWeaver AS Java, a received SAML 2.0 Attribute can either be assigned to any UME attribute of the authenticated user, or be used in rules that assign specific role(s) or group(s) to the user. For more details see these pages: Configuring Federation Type Persistent Users (Advanced) - User Authentication and Single Sign-On - SAP Library and Configuring Federation Type Virtual Users - User Authentication and Single Sign-On - SAP Library
    Regards,
    Stefan
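The receiving side Stefan describes, group attributes in the assertion being turned into application roles by rules, as an added example that is not SAP, ADFS or any poster's code. The assertion is constructed; the attribute name "http://schemas.xmlsoap.org/claims/Group" is assumed to be the ADFS group-claim name, the CORP\ group names and the ROLE_RULES table are hypothetical. A rule requires all of its listed groups (AND), so one rule can express the "HR managers only" style of audience from the first thread. The assertion's signature (and audience/validity conditions) must be verified before any of this is trusted; that step is deliberately outside this snippet.

```python
"""Extract AD group names from a SAML 2.0 assertion's AttributeStatement and
map them onto application roles with AND-rules.

Added example, not code from the thread.  Assumptions: the group claim is
carried under the ADFS-style attribute name below, group names are in the
DOMAIN\\name form, and ROLE_RULES is a hypothetical rule table.
Signature / Conditions verification of the assertion is NOT done here and
must happen before groups_from_assertion() is called on real input.
"""
import xml.etree.ElementTree as ET
from typing import Dict, FrozenSet, List

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
GROUP_ATTR = "http://schemas.xmlsoap.org/claims/Group"   # assumed claim name

# Constructed sample assertion (already signature-verified in a real flow).
ASSERTION = r"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_example" Version="2.0" IssueInstant="2013-01-01T00:00:00Z">
  <saml:Issuer>http://adfs.example.com/adfs/services/trust</saml:Issuer>
  <saml:Subject><saml:NameID>jeff@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/claims/Group">
      <saml:AttributeValue>CORP\G-CRP-SEC-ENG</saml:AttributeValue>
      <saml:AttributeValue>CORP\Domain Users</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/claims/UPN">
      <saml:AttributeValue>jeff@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Hypothetical rule table: role -> set of groups that must ALL be present.
ROLE_RULES: Dict[str, FrozenSet[str]] = {
    "Everyone": frozenset({r"CORP\Domain Users"}),
    "SEC-ENG": frozenset({r"CORP\G-CRP-SEC-ENG"}),
    "SEC-ENG-ADMIN": frozenset({r"CORP\G-CRP-SEC-ENG", r"CORP\G-CRP-SEC-ADMINS"}),
}


def groups_from_assertion(xml_text: str) -> FrozenSet[str]:
    """Return the group values from the assertion's group attribute only.
    Values under any other attribute name are ignored, so a UPN or e-mail
    attribute can never be mistaken for a group."""
    root = ET.fromstring(xml_text)
    groups = set()
    for attr in root.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") != GROUP_ATTR:
            continue
        for value in attr.iterfind("saml:AttributeValue", NS):
            if value.text and value.text.strip():
                groups.add(value.text.strip())
    return frozenset(groups)


def roles_for(groups: FrozenSet[str]) -> List[str]:
    """Roles whose required group set is a subset of the user's groups (AND).
    An empty group set yields no roles: fail closed."""
    return sorted(role for role, required in ROLE_RULES.items() if required <= groups)


if __name__ == "__main__":
    g = groups_from_assertion(ASSERTION)
    print("groups:", sorted(g))
    print("roles:", roles_for(g))
```

With the sample assertion the user gets Everyone and SEC-ENG but not SEC-ENG-ADMIN, because the second required group is absent. Keep the rule table on the service-provider side rather than sending role names from the IdP, so the IdP only asserts facts (group membership) and the application decides what they mean.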

  • AD - import users and check AD group membership

    Hi, I'm relatively useless with PowerShell and I want to write a script that will do the following, and I am just getting stuck with part B.
    Part A - import a list of users from a CSV
    Part B - check if the users are members of an AD group and if so remove from group A and add to group B
    Can anyone point me in the best direction ? that would be amazing.

    Hi,
    I happen to have something already written that will do what you're after:
    Import-Csv .\userList.csv | ForEach-Object {
        $userDetails = Get-ADUser -Identity $_.Username -Properties memberOf
        # memberOf holds the DNs of the groups the user is a direct member of
        If ($userDetails.memberOf -contains 'CN=Test Group 1,OU=Security Groups,DC=domain,DC=com') {
            Remove-ADGroupMember -Identity 'Group A' -Members $userDetails.SamAccountName -Confirm:$false -WhatIf
            Add-ADGroupMember -Identity 'Group B' -Members $userDetails.SamAccountName -Confirm:$false -WhatIf
        }
    }
    This will require an input CSV file with a header of Username that contains the usernames to test. You'll also need to update the names of the groups for 'Group A' and 'Group B' along with the DN of the group to test against.
    Remove the -WhatIf parameters from the Remove/Add lines if you're happy with what you see in the output.
    Don't retire TechNet! -
    (Don't give up yet - 12,830+ strong and growing)
