Group Membership ANDing
We're having difficulty designing a portal where users have
several dimensions (groups):
- User Department (e.g. HR, IT, Finance, Engineering)
- User Type/Role (e.g. contractor, employee, manager, etc)
- User Locations (e.g. Chicago, Seattle, Paris, Berlin, Tokyo)
How do I set it up, so that items can be set along these
dimensions? For example:
DeptGrp RoleGrp LocationGrp
UserA - Dept:HR, Role:Mgr, Location:Seattle
UserB - Dept:IT, Role:Emp, Location:Seattle
UserC - Dept:HR, Role:Emp, Location:Chicago
UserD - Dept:IT, Role:Emp, Location:Paris
So userA would belong to 3 groups: HR, Mgr, and Seattle, etc.
Now there are 3 items to publish:
Item1: For all people in HR dept.
Item2: For HR mgrs only.
Item3: For employees in the US only.
Can publish:
- item1 with group HR. This works!
- item2 with groups ???
*** If we use HR AND Mgr, then all people in either group can see them.
(We need the people in the intersection, not the union, of the groups.)
- item3 with groups ???
*** If we use the Employees AND Seattle AND Chicago groups, then all people
in any of the groups can see them (vs. the intended audience).
Creating an HR_Mgr, HR_Emp, HR_Cont, etc. group will not work,
as there are 15 depts x 8 emp types x 20 locations = 2400 groups!!!!!
How do we design this properly? We were thinking of using
perspectives for the locations. (Category is already used
for DocType).
What is the recommendation on groups and user dept/role/location?
We're facing the same problem and have made similar posts to the forum. I've been told it's a common problem in domain user management as well. If we're dealing with a dynamic page, we've let the page do some dynamic determinations, but with folder items, you're stuck with group-based permissions.
The best we've been able to do was to create a form to make it easier for publishers to make groups from the intersections of existing groups. There is a big drawback in that if a person (in your case) moves from one department to another, the "AND" groups you've created based on who was in the department would not be automatically updated. The best workaround we could develop was to develop another online utility for updating these "AND" groups. We've even gone so far as to consider building some triggers and procedures.
We're interested in a better solution.
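The intersection the question asks for can be evaluated at access time instead of being materialised as one group per combination. The script below is an added example, not code from the original thread or from any portal product: it keeps one group per value in each dimension and expresses an item's audience as a rule that is ANDed across dimensions and ORed within one. The users, groups and items are constructed sample data taken from the question, and nothing here talks to a directory.

```powershell
# Added example, not code from the original thread: evaluating an item's audience as
# the INTERSECTION of per-dimension group memberships. All users and groups below are
# constructed sample data mirroring the question; nothing here talks to a directory.

$users = @(
    [pscustomobject]@{ Name = 'UserA'; Groups = @('HR', 'Mgr', 'Seattle') }
    [pscustomobject]@{ Name = 'UserB'; Groups = @('IT', 'Emp', 'Seattle') }
    [pscustomobject]@{ Name = 'UserC'; Groups = @('HR', 'Emp', 'Chicago') }
    [pscustomobject]@{ Name = 'UserD'; Groups = @('IT', 'Emp', 'Paris')   }
)

# An audience rule is a list of clauses. The user must satisfy EVERY clause (AND across
# dimensions); a clause is satisfied by ANY of the groups it names, separated by '|'
# (OR within a dimension). Only one group per dimension value is ever created, so the
# group count stays additive (15 + 8 + 20), not multiplicative (15 x 8 x 20).
$items = [ordered]@{
    Item1 = @('HR')                      # everyone in HR
    Item2 = @('HR', 'Mgr')               # HR managers only
    Item3 = @('Emp', 'Seattle|Chicago')  # employees at a US location
}

function Test-Audience {
    # True when the user holds at least one group from each clause of the rule.
    param([string[]]$UserGroups, [string[]]$Rule)
    foreach ($clause in $Rule) {
        $alternatives = $clause -split '\|'
        $hits = @($alternatives | Where-Object { $UserGroups -contains $_ })
        if ($hits.Count -eq 0) { return $false }
    }
    return $true
}

function Get-Audience {
    # Users who pass Test-Audience for the rule: the intended intersection.
    param([object[]]$Users, [string[]]$Rule)
    @($Users | Where-Object { Test-Audience -UserGroups $_.Groups -Rule $Rule } |
        ForEach-Object { $_.Name })
}

function Get-UnionAudience {
    # What publishing the item with every group named in the rule yields today:
    # anyone in ANY of those groups, which is the over-exposure the question describes.
    param([object[]]$Users, [string[]]$Rule)
    $allGroups = @($Rule | ForEach-Object { $_ -split '\|' })
    @($Users | Where-Object {
        $u = $_
        @($allGroups | Where-Object { $u.Groups -contains $_ }).Count -gt 0
    } | ForEach-Object { $_.Name })
}

# Side-by-side comparison of the intended audience and the union the portal grants.
foreach ($item in $items.Keys) {
    $rule = $items[$item]
    [pscustomobject]@{
        Item         = $item
        Rule         = ($rule -join ' AND ')
        Intersection = ((Get-Audience -Users $users -Rule $rule) -join ', ')
        UnionToday   = ((Get-UnionAudience -Users $users -Rule $rule) -join ', ')
    }
}
```

Because the rule is evaluated against the user's current memberships on every request, a user who moves departments is covered as soon as their department group changes; there is no separate "AND" group to rebuild, which is the maintenance problem the reply above describes. To run this against a real directory you would populate `Groups` from the names returned by `Get-ADPrincipalGroupMembership` (this assumes the ActiveDirectory module; the sample data stands in for it here).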
Similar Messages
-
Check group membership and export result to file
Hi everyone,
Could you please assist? I need a script that gets a samAccountName from a text or CSV file, then checks if the user belongs to Group A or Group B or Group C. If the user belongs to group A, then output "Group A" and so on. Sample output file:
JDoe Group A
JSmith Group B
KSmith Group C
DDoe Group A Group B Group C
Thanks in advance,
Hi Phathuynh,
We always recommend you can start your own script, and post the current script and the issue for a better response.
In addition, you can also refer to the cmdlet "Get-ADGroupMember" to list the members in a group, and the script below is for your reference:
$output = @()
$groups = "user1","user2"   # the users to check (variable name kept from the original script)
$array1 = Get-ADGroupMember Group1 | select -ExpandProperty samaccountname   # members of group A
$array2 = Get-ADGroupMember Group2 | select -ExpandProperty samaccountname   # members of group B
Foreach($u in $groups){
    $user = Get-ADUser $u | select -ExpandProperty samaccountname
    $param = @{"user" = $user
               "group A" = ""
               "group B" = ""}
    $p = New-Object Psobject -Property $param
    if ($array1 -contains $user){
        $p."group A" = "YES"
    }
    if ($array2 -contains $user){
        $p."group B" = "YES"
    }
    $output += $p
}
$output
The screenshot of the result:
If there is anything else regarding this issue, please feel free to post back.
Best Regards,
Anna Wang
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected] -
ACS 5.3 Group Mapping based on AD group membership
Hi,
I am configuring a new ACS 5.3 system. Part of the rules is that I want to match the user's specific AD group membership, and map appropriately to an identity group.
What I'm trying to do is say that if the user is a member of the AD Group (G-CRP-SEC-ENG), then associate them with the Identity Group SEC-ENG. Then under the access service, authorization portion, I assign shell profiles and command sets based on Identity Group.
It seems that the ACS server will not match the AD Group for the user, and it will match the Default of the Group Mapping portion of the policy every time.
I tried several configuration choices from : AD1:ExternalGroups contains any <string showing in AD>, AD1:memberOf <group>.
Is there something special I need to do in the Group Mapping Policy to get it to match an Active Directory group and result in assigning the host to an Identity Group?
Thank you,
Sami
Ok, my case is like this.
I use ACS 5.3 for VPN authentication, using AD and an external RSA for token authentication (2 factor authentication)
I didn't add all the VPN users in the ACS, because it will be troublesome, the users authentication will be managed by AD and RSA server.
In some cases where we need to restrict a group of user to only access certain resources, downloadable ACL is used.
Following the Cisco docs, I managed to get the downloadable ACL working when the authorization profile matching criterion is username, but when I change the matching criterion to Identity group, the downloadable ACL won't work.
I have a case with Cisco engineer now and still in the middle to sort things out.
The advice from the Cisco engineer is to have the Access Service set to Internal User instead of RSA server, but that will require us (the admins) to import all the VPN users into the ACS database.
Wondering whether there is a fix for this.
Thanks. -
Hello all,
What I'm trying to do is generate a report of all groups owned by a specific user, along with the group memberships, and output it all to a single .csv file. In the .csv file, I would like to have the group names as the column headers, and underneath
the group name, list all the members of the group down through the column. So for example, if User1 owns 3 groups, the output would look like:
What I'm having trouble with is outputting the objects to the .csv using New-Object psobject, and I'm starting to wonder if there is an easier way to do this and my brain is just fried.
Any ideas?
OK so I can try and give some code here, but I'm asking more of a concept question about how PowerShell builds objects so I'm not sure it will help....
$User = "User1"
get-adgroup -filter {managedby -eq $user} -pr member | %{
    $_.name     # group name
    $_.member   # then its members, one per line
}
OK so this is a simple script that outputs a group name followed by the membership, all in a single column. What I would like is for the group names to each be the header of a column, and have the membership listed underneath. For example:
Is this possible in PowerShell? -
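It is possible, and the trick is that `Export-Csv` writes one object per row, so the objects must be built row-wise: the i-th object carries the i-th member of every group, with an empty string once a shorter group runs out. The function below is an added example, not the poster's code; `$groups` is constructed sample data standing in for the output of `Get-ADGroup -Filter {managedBy -eq $user} -Properties member`, and the live variant in the trailing comment assumes the ActiveDirectory module and has not been run here.

```powershell
# Added example, not the poster's code: pivoting "group -> members" lists into CSV rows
# where each group is a column and its members run down that column. $groups below is
# constructed sample data standing in for the groups a user owns in AD.

function ConvertTo-ColumnTable {
    # Each output object is one ROW: property names are the group names, values are the
    # i-th member of each group, or '' once a shorter group has no more members.
    param([System.Collections.IDictionary]$GroupMembers)
    $names = @($GroupMembers.Keys)
    # the longest member list decides how many rows we need
    $depth = 0
    foreach ($name in $names) {
        $count = @($GroupMembers[$name]).Count
        if ($count -gt $depth) { $depth = $count }
    }
    for ($i = 0; $i -lt $depth; $i++) {
        $row = [ordered]@{}           # ordered, so the CSV columns keep the group order
        foreach ($name in $names) {
            $members = @($GroupMembers[$name])
            $value = if ($i -lt $members.Count) { $members[$i] } else { '' }
            $row[$name] = $value
        }
        [pscustomobject]$row
    }
}

# Constructed sample data: three groups owned by one user, of unequal size.
$groups = [ordered]@{
    'Finance-Readers' = @('alice', 'bob', 'carol')
    'Payroll-Admins'  = @('dave')
    'Audit-Review'    = @('erin', 'frank')
}

$table = ConvertTo-ColumnTable -GroupMembers $groups
$table | Format-Table -AutoSize
$table | Export-Csv -Path .\GroupsOwnedBy-User1.csv -NoTypeInformation

# Live variant (assumes the ActiveDirectory module and a domain; not run here). managedBy
# holds the owner's distinguished name, and member holds the members' DNs, so collect the
# owned groups into the same kind of table and pivot it identically:
#   $owner = (Get-ADUser 'User1').DistinguishedName
#   $live  = [ordered]@{}
#   Get-ADGroup -Filter { managedBy -eq $owner } -Properties member |
#       ForEach-Object { $live[$_.Name] = @($_.member) }
#   ConvertTo-ColumnTable -GroupMembers $live |
#       Export-Csv -Path .\GroupsOwnedBy-User1.csv -NoTypeInformation
```

The function takes any `IDictionary`, so a plain hashtable works too; `[ordered]` is used only so the column order in the CSV is predictable.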
Get AD group membership doesn't work for global groups
I want to pull the group membership for OBIEE directly from AD.
This has been covered in many blogs and forums, no problem, I've found some user created functions - basically all of it uses
DBMS_LDAP package methods
with one exception that additionally to it also uses
DBMS_LDAP_UTL.get_group_membership
ALL THOSE functions work BUT I've verified it with the actual group membership from AD or adfind tool (http://www.joeware.net/freetools/tools/adfind/index.htm)
The list returned by Oracle packages doesn't match, or to be exact only partially matches the factual AD list.
I've done some research and found there are three types used for defining group's scope by AD:
Domain Local, Global, or Universal
(http://technet.microsoft.com/en-us/library/cc755692(WS.10).aspx)
leaving the first one out of the scope as we don't use it
- I've verified and found ALL missing ONES are defined as GLOBAL
All the Oracle functions I've found correctly pull only UNIVERSAL group memberships and none of the GLOBAL ones
Microsoft documentation says that both of them (Universal and Global) have forest-wide visibility....
and so AdFind can list both..
so why Oracle limits the search to UNIVERSAL ones only?
Maybe it's a matter of initializing those DBMS_LDAP packages differently or passing slightly different parameters??
I've really tried a lot of this code in different combinations but no joy
Has anyone got some ideas?... -
"I try to block the usage of the command prompt only on this server."
I have the same question as jrv: Why? It doesn't increase security. The command prompt is a program, not a security boundary.
Disabling the command prompt does NOT increase security
-- Bill Stewart [Bill_Stewart] -
Hi Friends,
I want to create groups in OIM on the basis of complex rules (it requires some Java coding), but for attaching a group membership rule we use Rule Designer, and in Rule Designer we can't use an adapter, which means no Java code.
What is the solution for this problem?
One solution could be to create an entity adapter for group membership and execute it on pre-update.
Thanks
Edited by: user10968321 on Oct 28, 2009 7:06 AM
The entity adapter on the user form in pre or post update mode is the standard way to solve complex membership rules.
Works well as long as you can accept a slight performance decrease on user updates (including things like password resets). Make sure your code is decently fast.
Good luck
/Martin -
Getting list of all users and their group memberships from Active Directory
Hi,
I want to retrieve a list of all the users and their group memberships through JNDI from Active Directory. I am using the following code to achieve this:
==================
import javax.naming.*;
import java.util.Hashtable;
import javax.naming.directory.*;

public class GetUsersGroups {
    public static void main(String[] args) {
        String[] attributeNames = {"memberOf"};
        // create an initial directory context
        Hashtable env = new Hashtable();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldap://172.19.1.32:389/");
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, "[email protected]");
        env.put(Context.SECURITY_CREDENTIALS, "p8admin");
        try {
            // Create the initial directory context
            DirContext ctx = new InitialDirContext(env);
            // get all the users list and their group memberships
            NamingEnumeration contentsEnum = ctx.list("CN=Users,DC=filenetp8,DC=com");
            while (contentsEnum.hasMore()) {
                NameClassPair ncp = (NameClassPair) contentsEnum.next();
                String userName = ncp.getName(); // relative name, e.g. "CN=Administrator"
                System.out.println("User: " + userName);
                try {
                    System.out.println("am here....1");
                    Attributes attrs = ctx.getAttributes(userName, attributeNames); // only asked for one attribute so only one should be returned
                    System.out.println("am here....2");
                    Attribute groupsAttribute = attrs.get(attributeNames[0]); // memberOf
                    if (groupsAttribute != null) {
                        System.out.println("-----" + groupsAttribute.size());
                        // memberOf is a multi valued attribute
                        for (int i = 0; i < groupsAttribute.size(); i++) {
                            // print out each group that user belongs to
                            System.out.println("MemberOf: " + groupsAttribute.get(i));
                        }
                    }
                } catch (NamingException ne) {
                    // ignore for now
                    System.err.println("Problem encountered....0000:" + ne);
                }
            }
            // get all the groups list
        } catch (NamingException e) {
            System.err.println("Problem encountered 1111:" + e);
        }
    }
}
=================
The following exception gets thrown at every user entry:
User: CN=Administrator
am here....1
Problem encountered....0000:javax.naming.NamingException: [LDAP: error code 1 -
000020D6: SvcErr: DSID-03100690, problem 5012 (DIR_ERROR), data 0
]; remaining name 'CN=Administrator'
I think it gets thrown at this line in the code:
Attributes attrs = ctx.getAttributes(userName, attributeNames);
Any idea how to overcome this and where am I wrong?
Thanks in advance,
Regards.
In this sentence:
Attributes attrs = ctx.getAttributes(userName, attributeNames); // only asked for one attribute so only one should
It seems OK when I add "CN=Users,DC=filenetp8,DC=com" after userName, just as
userName + ",CN=Users,DC=filenetp8,DC=com"
But I still have some problem with it.
Hope it will be useful for you. -
Good morning all,
I need some help achieving the following in our Exchange 2013 Environment. First off, we have Exchange 2013, but all our clients have Outlook 2010.
Here's what I would like to be able to do:
1) create/manage public calendars / rooms in exchange 2013
2) force these shared public calendars / rooms to users' calendars who are members of particular security groups
3) give edit permissions / "booking" permissions for the shared calendars so select users are able to make changes to the shared calendars, as well as accept/deny requests to "book" shared room calendars
Any one got any resources they can give to point me in the right direction?
I have already created two mailbox room resources, and have them set up in a room list in AD. But need to know the above as far as creating a shared calendar for events, and forcing these calendars / room lists out to users based on security group
membership.
I don't want my users to have to know how to add a shared calendar...that would be a nightmare explaining. I just want it to show up.
Any help on this is greatly appreciated, thank you!
1) I recommend using Room Mailboxes for resource calendars because it just works better.
2) This is a standard feature of a Room Mailbox.
3) You're pretty specific here, but I think this is also more or less available with a Room Mailbox combined with folder rights.
I don't know any way to just make them "show up". You'll have to teach them. Well written instructions can work wonders.
Ed Crowley MVP "There are seldom good technological solutions to behavioral problems." -
Changed group membership in WGM 10.6.3 from the 10.6 server. The change takes overnight to work. Formerly ran WGM from my 10.6.8 mac (worked perfectly) but now I am at 10.7.5 and must use WGM on the server. Has anyone else seen this behavior?
Hi
"Changed group membership in WGM 10.6.3 from the 10.6 server. The change takes overnight to work"
If I've understood you correctly I've never known this or anything else to take that long? What were you trying to do exactly?
"Formerly ran WGM from my 10.6.8 mac (worked perfectly) but now I am at 10.7.5 and must use WGM on the server. Has anyone else seen this behaviour?"
http://support.apple.com/kb/HT1822
HTH?
Tony -
I have LON\JSmith in LON domain and DEL\JimSmith in DEL domain
I would like to extract group memberships of LON\JSmith in LON domain and append matching by email (i.e. DEL\JimSmith) user object in every group in LON domain.
for instance
LON\JSmith and DEL\JimSmith is the same person and has same email address [email protected]
LON\JSmith belongs to 3 groups - LON\localadmingroup;LON\univdesktop;LON\globalsurvey
The outcome of the script should be
LON\JSmith; DEL\JimSmith should be in 3 groups - LON\localadmingroup;LON\univdesktop;LON\globalsurvey.
How can I do it?
Navgup
Hi Navgup,
Please refer to the script below, to query users in other domain by specifying the parameter "-Server" in the cmdlet "get-aduser", and also note I haven't tested the script below:
import-module activedirectory
get-adgroupmember "group" | foreach {
    $email = (get-aduser $_.samaccountname -properties *).EmailAddress   # get the user email
    # filter user name and group with the email in the other domain
    Get-ADUser -filter {EmailAddress -eq $email} -properties * -server DomainB.company.com | select samaccountname, memberof
}
To get users across domain, please also refer this blog:
Adding/removing members from another forest or domain to groups in Active Directory:
http://blogs.msdn.com/b/adpowershell/archive/2010/01/20/adding-removing-members-from-another-forest-or-domain-to-groups-in-active-directory.aspx?Redirected=true
I hope this helps. -
AD Group Membership revoked on adding new group through role and acespolicy
Hi all,
When a user is created in OIM, it is provisioned with a default role, say CONTRACTS, which will provision an AD account and a default AD group membership.
When I assign a new role membership, say BILLING, to assign additional AD group memberships through access policies, it is removing the default AD group membership from the user. But the user still has both the roles CONTRACTS and BILLING.
The ootb AD task, remove user from group is triggered.
The problem is happening only in Testing environment.
In development envi it is working fine.
it is not removing the default group memberships.
any ideas? thoughts? which I need to check.
my oim server is 11.1.1.3.0, with weblogic setup.
Edited by: Venu on Dec 2, 2011 1:06 PM
Do one thing:
Take New User
Assign First BILLING
Assign Second Group
And then ASSIGN CONTRACT
Update the results.
It is happening in one env so you might have done some configuration or it could be env issue as well. -
Samba winbind and group membership.
I have a Solaris 10 (update 4) box (x86) that is joined to an active directory via samba/winbind.
The users are working fine however their group membership is not.
Users that should be members of certain groups do not seem to be: if I run
"groups" and check the group membership for myself, I am missing entries for some groups, yet I can verify that I should be a member of that group by running getent group "domain\\group name" and seeing my username listed.
winbind has the following parameters set
winbind enum users = yes
winbind enum groups = yes
winbind nested groups = yes
I am at a loss as to why it picks up some groups and not others.
Has anyone come across something similar or know how to solve this issue?
Regards,
James
Hi,
I know this thread is very old but unfortunately I'm facing exactly the same problem under Solaris 10 Sparc. Any ideas? Maybe this issue was solved?
Regards,
Oliver -
RDBMSRealm and Group membership
Hello.
I would like to use an RDBMSRealm implementation behind some form of caching implementation.
I have looked at and run the RDBMSRealm example that ships with 6.0.
The major drawback is that I expect to have some groups where the number of members
can be up to 1 million. The examples for RDBMSRealm and Custom Realm say to use
a hash table to hold the membership of a group. This seems unrealistic in cases
where the group membership is this large.
Has anyone implemented an RDBMSRealm or custom realm that does not use the "hash
table" approach?
I am currently using WLS 6.0 sp2 and am connecting to an Oracle 8.1.7 database.
Thanks for your time,
Bubba
This article from Sarge's Blog might help:
http://www.sargeway.com/blog/index.cfm?mode=entry&entry=30 -
SAML 2.0 and AD Security Group Membership
In ADFS 2.0, as a part of the token, I can pass the AD
security groups the user is in. Does SAP SSO have the ability to send and
receive SAML 2.0 tokens with AD security group membership?
Hi Jeff,
SAP SAML 2.0 Identity Provider is able to include any group (or role) assignment of the user (available in the NetWeaver AS Java UME) as SAML Attribute in the generated SAML 2.0 Assertion.
These group assignments of the user can be local (maintained in local UME database) or remote ones if the UME is configured with other Data Source.
So in order to be able to send the AD group assignments of the user you need to change the NetWeaver UME Data Source to your AD. More information on how to do that you can find at this page: Identity Management - SAP Library.
Then in your Identity Provider you can configure so called "Authorization-Based Assertion Attributes" in the "Identity Federation" tab of your trusted Service Provider configuration. An example with such attributes is provided at this page: Configuring Identity Federation with Transient Users - Identity Provider for SAP Single Sign-On and SAP Identity Managem… (although the page is for Transient federation, these attributes are supported for all supported NameID formats).
Regarding the receiving part:
In the SAP SAML 2.0 Service Provider of NetWeaver AS Java, a received SAML 2.0 Attribute can either be assigned to any UME attribute of the authenticated user, or be used in rules that assign specific role(s) or group(s) to the user. For more details see these pages: Configuring Federation Type Persistent Users (Advanced) - User Authentication and Single Sign-On - SAP Library and Configuring Federation Type Virtual Users - User Authentication and Single Sign-On - SAP Library
Regards,
Stefan -
AD - import users and check AD group membership
Hi I'm relatively useless with PowerShell and I am wanting to write a script that will do the following and am just getting stuck with part B.
Part A- import a list of users from a CSV
Part B- check if the users are members of an ad group and if so remove from group A and add to group B
Can anyone point me in the best direction? That would be amazing.
Hi,
I happen to have something already written that will do what you're after:
Import-Csv .\userList.csv | ForEach {
    $userDetails = Get-ADUser -Identity $_.Username -Properties memberOf
    If ($userDetails.memberOf -contains 'CN=Test Group 1,OU=Security Groups,DC=domain,DC=com') {
        Remove-ADGroupMember -Identity 'Group A' -Members $userDetails.SamAccountName -Confirm:$false -WhatIf
        Add-ADGroupMember -Identity 'Group B' -Members $userDetails.SamAccountName -Confirm:$false -WhatIf
    }
}
This will require in input CSV file with a header of Username that contains the usernames to test. You'll also need to update the names of the groups for 'Group A' and 'Group B' along with the DN of the group to test against.
Remove the -WhatIf parameters from the Remove/Add lines if you're happy with what you see in the output.
Don't retire TechNet! -
(Don't give up yet - 12,830+ strong and growing)