Group mapping by group set membership, Group mapping by – Cisco 3.3 User Manual


Chapter 16 User Group Mapping and Specification

Group Mapping by Group Set Membership

16-4

User Guide for Cisco Secure ACS for Windows Server

78-16592-01

Note

For more information about group specification for RADIUS token
servers, see RADIUS-Based Group Specification, page 16-14. For more
information about group specification for ODBC databases, see
Cisco Secure ACS Authentication Process with an ODBC External User
Database, page 13-58.

Group Mapping by Group Set Membership

You can create group mappings for some external user databases based on the
combination of external user database groups to which users belong. The
following are the external user database types for which you can create group
mappings based on group set membership:

Windows domains

Note

Group mapping for Windows authentication supports only those users
who belong to no more than 500 Windows groups.

Novell NDS

Generic LDAP

When you configure a Cisco Secure ACS group mapping based on group set
membership, you can add one or many external user database groups to the set.
For Cisco Secure ACS to map a user to the specified Cisco Secure ACS group, the
user must match all external user database groups in the set.

As an example, you could configure one group mapping for users who belong to
both the Engineering and Tokyo groups and a separate one for users who belong to
both Engineering and London. With separate group mappings for the
Engineering-Tokyo and Engineering-London combinations, you could configure
different access times for the Cisco Secure ACS groups to which they map. You
could also configure a group mapping that includes only the Engineering group,
which would map the other members of the Engineering group who are not members
of Tokyo or London.
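
The all-groups-in-the-set rule and the Engineering/Tokyo/London example above, as an added Python example (not Cisco Secure ACS code). It assumes mappings are evaluated in list order with the first full match winning, which this page does not state; the ACS group names and the error raised above 500 Windows groups are also assumptions.

```python
# Added illustration; not Cisco Secure ACS code.
# External group names follow the page's example; ACS group names are hypothetical.
from typing import Iterable, List, Optional, Tuple

MAX_WINDOWS_GROUPS = 500  # limit stated in the page's note on Windows authentication

Mapping = Tuple[frozenset, str]  # (external group set, ACS group)

# Assumption: evaluated top to bottom, first full match wins.
MAPPINGS: List[Mapping] = [
    (frozenset({"Engineering", "Tokyo"}), "ACS-Eng-Tokyo"),
    (frozenset({"Engineering", "London"}), "ACS-Eng-London"),
    (frozenset({"Engineering"}), "ACS-Eng-Other"),
]

def map_user(user_groups: Iterable[str],
             mappings: List[Mapping] = MAPPINGS,
             windows: bool = False) -> Optional[str]:
    """Return the ACS group of the first mapping whose entire set the user belongs to."""
    groups = frozenset(user_groups)
    if windows and len(groups) > MAX_WINDOWS_GROUPS:
        # The page only says such users are unsupported; raising is this example's choice.
        raise ValueError("user belongs to more than 500 Windows groups")
    for group_set, acs_group in mappings:
        if group_set <= groups:  # the user must match ALL groups in the set
            return acs_group
    return None  # no group set matched

def shadowed(mappings: List[Mapping]) -> List[Tuple[str, str]]:
    """Find mappings that can never apply under first-match ordering.

    A mapping is unreachable when an earlier set is a subset of its own set,
    because every user who satisfies the later set also satisfies the earlier one.
    Returns (unreachable ACS group, ACS group that shadows it) pairs.
    """
    hits = []
    for i, (later_set, later_acs) in enumerate(mappings):
        for earlier_set, earlier_acs in mappings[:i]:
            if earlier_set <= later_set:
                hits.append((later_acs, earlier_acs))
                break
    return hits
```

Running `shadowed()` over a planned mapping list flags the case where the Engineering-only set sits above the Engineering-Tokyo and Engineering-London sets, which would give every engineer the catch-all group's access times.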
