I hope someone can help me with this. I have recently deployed a private cloud on vCloud Director 5.5. We run a Development and Test Lab that has multiple projects running at any given time. We also have several different companies collaborating on different projects. Due to this fact, there are customers that require access to some projects but not others.
I have found that as soon as I complete an AD Query that satisfies a Group membership, APM quits searching and provides the resources allowed in that Resource Assignment. Unfortunately, there may be a project that authenticates to a different group later in the APM Policy. The user never gets to see those resources displayed.
I have devised If/Then logic that searches through each possible combination of AD Groups. We currently have only four different AD groups that a user could authenticate against. This APM Policy is huge to cover all the scenarios. I believe that with further growth this will be unmanageable. Am I just missing something on how to lay out the policy to support this deployment, or does anyone have any suggestions on how to do this differently? Any help would be greatly appreciated.
Did you try to work with the "Nested Groups" option in your AD authentication?
It will help you to avoid this kind of problem, as for each group the APM will check your conditions.
You would have to define only one Resource Assign box with your group membership conditions.
Here is a solution link on using nested groups: http://support.f5.com/kb/en-us/solutions/public/12000/100/sol12193
In your Visual Policy Editor (VPE), when you want to split your configuration depending on group membership, you have to do this:
I hope this is clear enough.
Thank you for your reply. I am tracking and have completed that design, for the most part. I have attached a diagram of the macro I have created, which satisfies all the current possibilities of AD group associations. It just seems as if this will become unmanageable as the infrastructure grows.
Which version are you running?
Also, why do you use the same macro whether the result is "Success" or "Fail"?
I think you can optimize it; the problem is just to understand every scenario you can encounter.
I just wanted to give an update. I ended up configuring an AD Group Resource Assign. This took care of any issues I had with users being part of multiple AD groups.
Thank you again for all the assistance.
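To illustrate the behaviour discussed in this thread, here is an added Python example (not from the thread, and not F5 code) that models the difference between a first-match branch, which stops at the first AD group that matches, and evaluating every group assignment and merging the results, which is what the AD Group Resource Assign approach achieves. The group DNs, resource names and the sample user's memberOf values are constructed sample data.

```python
"""Model of first-match vs. per-group resource assignment for a user in several AD groups."""
from typing import Dict, List

# Constructed mapping: AD group DN -> resources that group's assignment grants.
GROUP_RESOURCES: Dict[str, List[str]] = {
    "CN=ProjectA-Users,OU=Groups,DC=lab,DC=example": ["vApp-ProjectA"],
    "CN=ProjectB-Users,OU=Groups,DC=lab,DC=example": ["vApp-ProjectB"],
    "CN=ProjectC-Users,OU=Groups,DC=lab,DC=example": ["vApp-ProjectC"],
    "CN=Lab-Admins,OU=Groups,DC=lab,DC=example": ["vCD-Admin-Portal"],
}

# Order in which the policy's group checks are evaluated (top to bottom in the VPE).
POLICY_ORDER: List[str] = list(GROUP_RESOURCES)


def _norm(dn: str) -> str:
    """Normalise a DN for comparison; AD returns memberOf DNs with varying case."""
    return dn.strip().lower()


def first_match_assign(member_of: List[str]) -> List[str]:
    """The original if/then macro: return on the first group that matches."""
    member = {_norm(dn) for dn in member_of}
    for group in POLICY_ORDER:
        if _norm(group) in member:
            return list(GROUP_RESOURCES[group])  # later groups are never checked
    return []


def group_resource_assign(member_of: List[str]) -> List[str]:
    """Check every group condition and merge the resources of all matches."""
    member = {_norm(dn) for dn in member_of}
    granted: List[str] = []
    for group in POLICY_ORDER:
        if _norm(group) in member:
            for res in GROUP_RESOURCES[group]:
                if res not in granted:
                    granted.append(res)
    return granted


# Constructed sample: a contractor who works on projects A and C.
SAMPLE_MEMBER_OF = [
    "cn=projectc-users,ou=groups,dc=lab,dc=example",
    "CN=ProjectA-Users,OU=Groups,DC=lab,DC=example",
]

if __name__ == "__main__":
    print("first match :", first_match_assign(SAMPLE_MEMBER_OF))
    print("group assign:", group_resource_assign(SAMPLE_MEMBER_OF))
```

With the sample membership the first-match policy grants only vApp-ProjectA, while the per-group evaluation grants both vApp-ProjectA and vApp-ProjectC.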
You're welcome, it's a pleasure to read that everything goes fine for you!