Support Wildcard filter in PIM Role for Memberof

Idea created by TheQuietMan on Jul 20, 2016

    We are trying to limit access to a set of roles through the use of the memberof attribute in Active Directory. Support has already told us that "endswith", "beginswith", "contains", ">", "<", etc. are not supported in Active Directory. And wildcards do not appear to work, as PIM encloses the filter string in quotation marks ( "cn=*,ou=group,dc=abc,dc=com" ), thus forcing AD to interpret the "*" literally.

    1. We want to set up a rule like allow "ou=group,dc=abc,dc=com"

    allow "memberof endwith ou=group,dc=abc,dc=com"

    We are already going to create thousands of groups to be applied in scoping roles across several roles.


    We want to create another role that will provide a base set of capabilities to anyone who exists in one of those thousands of groups. Otherwise we have to manage a separate group for end-users who have already been authorized under their own delegated groups. This single group would be extremely large and would not make sense, since they will already be in a group under a common OU structure.


    2. Bonus (if possible)

    Additionally, as a plus (but not required), if the memberof value could be evaluated like a regular expression, with a parameter value in the expression extracted into a scoping role, that would also help collapse the scoping rules in our roles.

    If a group is structured like above, "cn=XYZ-%DeptNumber%-PIM,ou=group,dc=abc,dc=com", where %DeptNumber% is a variable which can be mapped into a scoping rule such as CUSTOM1_Field=%DeptNumber%, that would enable us to not only have one rule defined for all of our groups, but also reduce the manual effort to update these scoping rules whenever a change (such as a re-organization) occurs.


    #1 is the main idea we are looking to get limited.
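Added example (not part of the original idea post, and not PIM's or Active Directory's own code): the two rules the post asks for, evaluated client-side in Python. The quoting problem the poster ran into is only half the story. In Active Directory, memberOf is a DN-syntax attribute, and AD does not support substring (wildcard) filters on DN-syntax attributes at all, so a server-side filter such as (memberOf=*,ou=group,dc=abc,dc=com) cannot work however it is quoted. The practical workaround is to read the user's memberOf values and evaluate the "under this OU" and "extract %DeptNumber%" rules in the client, which is what this block does. Two caveats a naive string suffix check would miss are handled here: DN component values are compared case-insensitively (AD returns "OU=Group" while the rule says "ou=group"), and an escaped comma inside a value ("CN=Smith\, John") is kept as one RDN rather than splitting the DN in the wrong place. Multi-valued RDNs joined with "+" are not handled; that is a deliberate simplification. The sample memberOf values, the base DN and the CUSTOM1_Field naming are constructed for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample data: what a user's memberOf might contain in the
# post's scenario (thousands of XYZ-<DeptNumber>-PIM groups under one OU).
SAMPLE_MEMBER_OF = [
    "CN=XYZ-1234-PIM,OU=Group,DC=abc,DC=com",
    "CN=XYZ-5678-PIM,OU=group,DC=abc,DC=com",
    "CN=Domain Users,CN=Users,DC=abc,DC=com",
    "CN=Nested,OU=sub,OU=group,DC=abc,DC=com",
    "CN=Smith\\, John,OU=group,DC=abc,DC=com",  # escaped comma inside the CN value
]
BASE = "ou=group,dc=abc,dc=com"  # the OU the post wants to match (assumed)

# Group naming pattern from the post: cn=XYZ-%DeptNumber%-PIM
DEPT_GROUP_RE = re.compile(r"^XYZ-(?P<dept>[^-]+)-PIM$", re.IGNORECASE)


def split_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (attribute, value) RDN components.

    A backslash escapes the next character, so 'Smith\\, John' stays one
    value. Attribute names are lower-cased; values keep their case so the
    extracted DeptNumber is returned as stored in AD.
    """
    comps: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):
            buf.append(dn[i:i + 2])
            i += 2
            continue
        if c == ",":
            comps.append("".join(buf))
            buf = []
        else:
            buf.append(c)
        i += 1
    comps.append("".join(buf))

    out: List[Tuple[str, str]] = []
    for comp in comps:
        attr, sep, value = comp.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN: {comp!r}")
        out.append((attr.strip().lower(), value.strip()))
    return out


def dn_under(dn: str, base: str, direct_only: bool = True) -> bool:
    """Rule #1 ("memberof endswith <base>") done on RDN components.

    direct_only=True accepts only groups sitting directly in the OU
    (cn=X,<base>); False also accepts groups in sub-OUs of the base.
    """
    d = split_dn(dn)
    b = split_dn(base)
    if len(d) <= len(b):
        return False
    tail = [(a, v.lower()) for a, v in d[len(d) - len(b):]]
    if tail != [(a, v.lower()) for a, v in b]:
        return False
    return len(d) == len(b) + 1 if direct_only else True


def dept_from_group(dn: str, base: str) -> Optional[str]:
    """Rule #2: for cn=XYZ-<DeptNumber>-PIM directly under base, return
    DeptNumber so it can be mapped into a scoping field; otherwise None."""
    if not dn_under(dn, base, direct_only=True):
        return None
    attr, value = split_dn(dn)[0]
    if attr != "cn":
        return None
    m = DEPT_GROUP_RE.match(value)
    return m.group("dept") if m else None


def evaluate_user(member_of: List[str], base: str) -> Dict[str, object]:
    """Apply both rules to one user's memberOf values.

    base_role: the single "base capabilities" role from the post.
    CUSTOM1_Field: the DeptNumber values that would feed the scoping rule.
    """
    base_role = any(dn_under(g, base) for g in member_of)
    depts = sorted({d for d in (dept_from_group(g, base) for g in member_of) if d})
    return {"base_role": base_role, "CUSTOM1_Field": depts}


if __name__ == "__main__":
    print(evaluate_user(SAMPLE_MEMBER_OF, BASE))
```

If the requirement were instead "member of one specific group, including nested membership", AD does support that server-side with the LDAP_MATCHING_RULE_IN_CHAIN rule (memberOf:1.2.840.113556.1.4.1941:=<group DN>), but it still needs an exact group DN, so it does not cover the "any group under this OU" case the post describes.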