What is group.mapping

Similar Messages

• ACS 5.3 Group Mapping based on AD group membership

  Hi,
  I am configuring a new ACS 5.3 system. Part of the rules is that I want to match the users specific AD group membership, and match appropriatly to an identity group.
  What i'm trying to do is say that if the user is a member of the AD Group (G-CRP-SEC-ENG) then associate them with the Identity Group SEC-ENG. The under the access service, authorization portion, i assign shell profiles and command sets based on Identity Group.
  It seems that the ACS server will not match the AD Group for the user, and it will match the Default of teh Group Mapping portion of the policy every time.
  I tried several configuration choices from : AD1:ExternalGroups contains any <string showing in AD>, AD1:memberOf <group>.
  Is there something special i need to do in the Group Mapping Policy to get it to match and active directory group and result in assigning the host to an Identity Group?
  Thank you,
  Sami

  Ok, my case is like this.
  I use ACS 5.3 for VPN authentication, using AD and an external RSA for token authentication (2 factor authentication)
  I didn't add all the VPN users in the ACS, because it will be troublesome, the users authentication will be managed by AD and RSA server.
  In some cases where we need to restrict a group of user to only access certain resources, downloadable ACL is used.
  Following the Cisco docs, i manage to get downloadable ACL works when the authorization profile matching criteria is username, but when i change the matching criteria to Identity group, the downloadable ACL won't work.
  I have a case with Cisco engineer now and still in the middle to sort things out.
  The advice from the Cisco engineer is to have the Access Service set to Internal User instead of RSA server, but that will require us(the admin) to import all the VPN users into the ACS database.
  Wondering whether there is a fix for this.
  Thanks.

• ACS 3.3 Windows group mapping problem

  Hi,
  I?m running Cisco Secure ACS v.3.3 at Win 2000 server(sp4). ACS server is member of AD domain X. Additional there are two AD forests, so: domains X and Y are in the same forest, but domain Z is member of the second one. Trust relationships between all domains are established (AD Domain Controllers are w2k3 srv). I need to add Windows AD group mapping and that's no problem in domains X & Y. But when I'm trying to map some groups from Z domain, the "Failed to enumerate Windows groups. If you are using Active Directory consult the installation guide for information." error appears. In ACS documentation I have found information "ACS can only perform group mapping by using the local and global groups to which a user belongs in the domain that authenticated the user. You cannot use group membership in domains that the authenticated domain trusts that is for ACS group mapping. This restriction is not removed by adding a remote group to a group that is local to the domain providing the authentication." As I understand it's impossible to add mapping from the second forest? Am I right? If problem is solved in newer versions of ACS (4.0, 4.1)? Are there any fixes that can help?
  Thanks,
  Peter

  You need to set up proxy.
  http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/ed80211.mspx
  Look for "Cross-Forest Authentication" in above link. And you get the Idea of what I mean. Though in above link its depicted with IAS server, but same is possible with ACS, as both can act as Radius server.
  There is a known bug, CSCsi04187
  PEAP MS-CHAP machine authentication will fail with machine not found if host/ format is sent from client. This only happens if the machine is autenticating to a domain forest that the ACS is not a member of.
  Conditions:
  The Machine authenticating to ACS is in a different domain forest then the ACS and the supplicant is using host/ as the machine name format. You also have to be using PEAP MS-CHAPv2.
  Workaround:
  If the supplicant has the option you can send the macine name in hos/ format.
  Many supplicants do not have this option.
  It is to be fixed for ACS 4.2 release.
  Regards,
  ~JG

• ACS Group mapping and restrictions

  hi,
  I would appreciate to receive some configuration steps on ACS to fulfill the following requirement and hope you can help me.
  ACS Groups
  Netadmin - need telnet/ssh/vpn/wireless
  wireless - only wireless authentication
  vpn - only vpn authenticaiton
  I need to map the above ACS groups to one/or many AD groups and restric access as stated above.
  Also please note that one user can be belongs to all three groups in ACS/AD.
  thanks in advance.

  In ACS user can only belong to one group. But in AD we can have one user a part of multiple group.
  In this scenario, it is very important to understand how ACS group mapping works.
  Lets say that you have three different groups on AD for NetworkAdmin, RouterAdmin, Wireless. Go to external user database ==Database Group Mappings==Windows NT/2000==select the domain to which you are authenticating==Add mapping.
  Select the AD group NetworkAdmin and map it to ciscosecure group 1
  select the AD group RouterAdmin and map it to ciscosecure group 2
  select the AD group Wireless and map it to ciscosecure group 3
  Group mappings work in the order in which they are defined, first configured mapping is looked upon first then second, third and so on. If a user is in AD group NetworkAdmin and that is mapped to ACS group 1 and it is first configured mapping it will be looked for FIRST (If a user exists in NetworkAdmin group it will always be mapped to ciscosecure group 1 and NO further Mappings for this user is checked and user is authenticated or rejected)
  Scenario: if you have a user called cisco, in NetworkAdmin group, cisco1 in RouterAdmin group, and cisco2 in Wireless. They will always be dynamically mapped to ACS group 1, 2 and 3 respectively as per above mappings.
  You can check the mappings on the passed authentications for users as to what group are they getting mapped to.
  SCENARIO:
  Now if you want a NetworkAdmin user to authenticate to NetworkAdmin devices and not wireless or RouterAdmin devices you would need to apply NARs to group 1 because NetworkAdmin users are connecting to that group. Which you will permit Access on group basis to a particular NetworkAdmin NDG or individual NetworkAdmin NAS device.
  NOTE:
  If you are applying NARs for Wireless or VPN devices.. you would need to configure both IP based AND CLI/DNIS based together because NARs were originally designed for cisco IOS for
  routers and switches.
  IMPORTANT: If a user successfully authenticates to AD database once, its username is cached on the ACS database (NOT password) the only way to remove the previously cached
  username is to go to usersetup find that user and delete it manually.
  ACS will not support the following configuration:
  *An active directory user that is a member of 3 AD groups (group A, B and C) *Those 3 groups are mapped within ACS as follows Group1->A,Group2->B and Group3->C.
  *The user is in all 3 groups however he will always be authenticated by group 1 because that is the first group he appears in, even if there is a NAR configured assigning specific AAA clients to the group.
  However there if your mappings are in below order...
  NT Groups ACS groups
  A,B,C =============> Group 1
  A =============> Group 2
  B =============> Group 3
  C =============> Group 4.
  You can create a DIFFERENT rule for the users in A,B,C by configuring the NARs in group1.
  This rule WILL apply for the use ONLY if he is present in ALL three groups (A,B and C).
  You can create a rule for users in group A (Group 2)
  You can create a rule for users in group B (Group 3)
  You can create a rule for users in group C (Group 4)
  Regards,
  ~JG
  Do rate helpful posts

• How can I find what scom group a specific server belongs to using powershell?

  Environment:  SCOM 2007 r2
  Server in question:  Running Windows 2003 Std. (yes I know this sounds crazy)
  Why do I need this:  I noticed at the console level we have had server unexpected shutdown events which are not generating email notifications. 
  Source shows: Windows 2003 Server Standard Edition
  Alert Rule:  Windows Shutdown Unexpectedly
  From what I see these are all windows 2003 server Std edition systems.  I did a track and trace using our exchange tracking system which confirmed the alerts were not being emailed. Not sure if there is a better approach for this, but not being a sql
  expert (however I do have someone I can leverage) I am trying to see if I can somehow extract this information using powershell.
  Secondary general question:  How can I find out the current size of our scom 2007 database and the number of objkects\servers being monitored? This is prep work for a migration over to 2012.
  Thanks in advance for the help!

  1. what scom group a specific server belongs to
  function Get-GroupNames {
   [cmdletbinding()]
   param($computerFQDN)
   $containmentRel = Get-RelationshipClass -name:’Microsoft.SystemCenter.InstanceGroupContainsEntities’
  $computerClass = Get-MonitoringClass -name:”Microsoft.Windows.Computer”
  $criteria = [string]::Format(“PrincipalName = ‘{0}’”,$computerFQDN)
   try {
   $computer = Get-MonitoringObject -monitoringClass:$computerClass -criteria:$criteria
   $relatedObjects = $computer.GetMonitoringRelationshipObjectsWhereTarget($containmentRel,[Microsoft.EnterpriseManagement.Configuration.DerivedClassTraversalDepth]::Recursive,[Microsoft.EnterpriseManagement.Common.TraversalDepth]::Recursive)
   catch {
   $_
   write-host “An error occurred while querying groups of $computerFQDN”
  foreach($group in $relatedObjects)
   [array]$Groups = $groups + $group.SourceMonitoringObject.DisplayName
   if($groups) {
   return $groups
   } else {
   write-host “No groups available for $computerFQDN”
  Usage:
   Get-GroupName -ComputerFQDN myserver1
  for detail, pls. refer to
  http://techibee.com/powershell/powershell-get-scom-groups-of-a-computer-account/1129
  Roger

• How Do I determine what AP Group an AP Belongs to with WCS?

  I am running WCS 7.0.164 and I can't seem to find where I can determine what AP Group an AP belongs to. Can anyone point me in the right direction?
  i'd expect it to be a field under Monitor/Access Point but I don't see it and my google-fu is getting me nowhere.
  Thanks!
  Mike

  Hi,
  From the Monitor page of the WCS >> Configure                                     >                                      Access Points  > Click on the AP >> Access Point Detail >> here you can see AP Group Name.
  This will let us know..
  Lemme know if this answered your question.
  Regards
  Surendra
  ====
  Please

• What is M_ACTOR_N_ENDING mapping to the XI 3.1 schema?

  Hi,
  I don't know the M_ACTOR_N_ENDING mapping to the XI 3.1 schema.
  Please can anybody tell me What is M_ACTOR_N_ENDING mapping to the XI 3.1 schema?
  Thanks in advance
  Amol Mali

  BusinessObjects 6.5 schemas do not translate over to XI 3.1 schema.
  Furthermore, unlike 6.5, the XI schemas are not for public use - most relevant non-indexed fields are Blob objects that you'd not be able to parse.
  Sincerely,
  Ted Ueda

• User in a windows group - mapping to acs group appears not be working

  I have a user in a windows group, this windows group is mapped to an ACS group but when the user logs in it appears as default group in ACS.
  Any suggestion?

  Hello, I recently implemented this very thing, actually integrated it with Authentication Proxy. Here are some settings to check:
  1. External User Databases - Database Configuration - Windows Database - Configure
  Make sure your domain is listed on moved to the Domain List section
  2. External User Databases - Database Group Mappings - Windows Database - - Add Manual Mapping
  Make sure you have the right AD group mapped to the internal ACS group, you can even set users* if you want to include all users.
  3. External User Databses - Unknown User Policy
  Check the "Check the following external user databases" radio dial and move Windows Database to Selected Databases
  Check “The database in which the user profile is held” radio dial in the Configure Enable Password Behaviour section
  Hope that helps!

• RSA authentication with LDAP group mapping

  Greetings,
  I'm trying to set up RSA authentication with LDAP group mapping with ACS Release 4.2(1) Build 15 Patch 3.
  The problem I'm having is that my users are in multiple OU's on our AD tree.  When I only put our base DN in for User Directory Subtree on ACS, it fails with a "External DB reports about an error condition" error.  If I add an OU in front of it, then it will work fine.
  As far as I know, you can only use one LDAP configuration with RSA.
  Any thoughts on this?

  @Tarik
  I believe your suggestion is the only way i'm going to get this to work. I ran across a similar method just this week that I have been working on.
  I was hoping for dynamic mapping with the original method, but I haven't found any way to make it happen.  I have resorted to creating a Radius profile on the RSA appliance for each access group I need.  Using the Class attribute, I then pass the desired Group name to the ACS, i.e. OU=Admins, and that seems to work.
  Thankfully, I have a small group of users that I am attempting to map.  I will only map those who need elevated priviliges to narrow down how many profiles I will have to manually create.  Likewise, our Account Admin will have to determine who gets assigned a particular access group.
  I would still prefer to do this dynamically.
  Scott

• What is Multi mapping

  Hi All,
  What is Multi Mapping ??
  How many Types of Multi mappings r there ???
  Please Explain a Little bit
  Regards
  Vamsi

  Multi-Mapping can only be used in ccBPM. It is used to map abstract interfaces. Development is the same as Message Mappings
  n:1 Transformation
  Bundles multiple messages into one message, for example, individual purchase order items into one purchase order.
  1:n Transformation
  Splits a message into multiple messages, for example, a purchase order into the individual purchase order items.
  n:m Transformation
  Converts a message into another message, for example, a message that is defined by interface A is converted to message that is defined by interface B.
  Multi-Mappings reference multiple message structures:-
  a) All source message structures are combined into 1 source structure.
  b) All target message structures are combined into 1 target structure.
  Therefore, there is only one source structure mapped to one target.
  Multi Mapping
  BPM involved:
  /people/sudharshan.aravamudan/blog/2005/12/01/illustration-of-multi-mapping-and-message-split-using-bpm-in-sap-exchange-infrastructure
  /people/narendra.jain/blog/2005/12/30/various-multi-mappings-and-optimizing-their-implementation-in-integration-processes-bpm-in-xi
  Without BPM:
  /people/jin.shin/blog/2006/02/07/multi-mapping-without-bpm--yes-it146s-possible
  Regards,
  Kumar

• AXL SQL Query user-extension- line group-hunt group mapping

  Hi all
  I want to take an export  about user-extension- line group-hunt group mapping
  Can somebody help me about it   I have CUCM 9.1

  There's a lot of table joins in that full mapping! I'll break it down into steps. When you say extension you need to bear in mind that a number and a device are two different things, and a user is associated to these things separately. I'll break it down into chunks.
  User to Device:
  SELECT enduser.userid, device.description FROM enduser, device, enduserdevicemap WHERE enduser.pkid = enduserdevicemap.fkenduser AND enduserdevicemap.fkdevice = device.pkid AND enduser.userid='FOO'
  User to Directory Number:
  SELECT enduser.userid, numplan.dnorpattern FROM enduser, numplan, endusernumplanmap WHERE enduser.pkid = endusernumplanmap.fkenduser AND endusernumplanmap.fknumplan = numplan.pkid AND enduser.userid='FOO'
  Number to Hunt List:
  SELECT numplan.dnorpattern, device.name FROM numplan, device, devicenumplanmap, typeproduct WHERE numplan.pkid = devicenumplanmap.fknumplan AND devicenumplanmap.fkdevice = device.pkid AND device.tkproduct = typeproduct.enum AND typeproduct.name = "Hunt List" AND numplan.dnorpattern='FOO'
  Hunt List to Line Group
  SELECT device.name, linegroup.name FROM device, routelist, linegroup WHERE device.pkid = routelist.fkdevice AND routelist.fklinegroup = linegroup.pkid AND device.name="FOO"
  Line Group to Directory Number
  SELECT linegroup.name, numplan.dnorpattern FROM linegroup, linegroupnumplanmap, numplan WHERE linegroup.pkid = linegroupnumplanmap.fklinegroup AND linegroupnumplanmap.fknumplan = numplan.pkid AND linegroup.name="FOO"
  All of this (and more!) is fully documented in the CUCM Database Data Dictionary.
  GTG
  Please rate helpful posts.

• What will I learn at the Hour of Code lesson next week at Apple retail stores? Also, what age group will be attending?

  What will I learn at the Hour of Code lesson next week at Apple retail stores? Also, what age group will be attending?

  If you had searched for it you would have found  Apple Retail Store - Hour of Code Workshop

• What is Data Mapping

  HI Experts,
  Please explain abt:
  1) What is Data Mapping
  2) Some senarios like, SAP Data map with BW Data
  3) Which case Data mapping Error while load occur & how to rectify it.
  Ponits  awarded. Thanks,
  RR.

  Hi,
  For Mpping pls check the links......
  For Source System Mapping
  Re: Source System Mapping
  Re: Source System Mapping
  For " Settings for BI Statistics"
  http://help.sap.com/saphelp_nw04s/helpdata/en/8c/131e3b9f10b904e10000000a114084/frameset.htm
  https://www.sdn.sap.com/irj/sdn/webinar?rid=/library/uuid/d09864c5-0bb0-2910-8e8a-a306a886dcd9
  http://help.sap.com/saphelp_nw70/helpdata/en/46/f9bd5b0d40537de10000000a1553f6/frameset.htm
  https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/5401ab90-0201-0010-b394-99ffdb15235b
  /message/5117472#5117472 [original link is broken]
  /message/4978537#4978537 [original link is broken]
  Hope it is helps you.
  Thanks & Regards,
  santo

• What is Grouping field for?

  Hello,
  I'm trying to find out what the Grouping field is made for?
  Can someone explain it to me? I have well organized music collection, but not sure what I should do with this field...
  Thanks

  hey
  I use to record the original source of the file. So I have groups for "Own CD", "Own Cassette", "Own MP3", "Downloaded MP3" etc

• What is XSLT mapping ? where it can be carrid out in PI?

  Hi all,
  What is XSLT mapping ?
  Where it can be carrid out in PI?
  How it is useful in excel to RFC scenario ?
  Can some one help on this please?
  Regards
  Venkat

  Hi
  XSLT is one type of mapping that Xi supports. XSLT mapping also do have certain advantages like if you need a formatted output like HTML in XSLT it would be easy to implement... XSLT is a W3C standard so if also works in any other integration s/w other than XI so it is portable.
  Advantage
  the changes to XSD's loses all mappings with graphical mappings but with XSLT's you just add the field changed or added, instead of starting over
  XSLT Mapping:
  Step – By – Step Simple Approach for XSLT Mapping
  File to Multiple IDocs (XSLT Mapping)
  The specified item was not found.
  http://help.sap.com/saphelp_erp2005vp/helpdata/en/43/03fe1bdc7821ade10000000a1553f6/content.htm
  http://help.sap.com/saphelp_nw04/helpdata/en/73/f61eea1741453eb8f794e150067930/content.htm
  https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/30ac53f2-21d7-2a10-afa2-ce1a0577ca18
  https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/01a57f0b-0501-0010-3ca9-d2ea3bb983c1
  Regard's
  Chetan Ahuja