Applies To:
RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.1 SP1 or later

Issue:
It is possible to limit the scope of an external identity source down from the top-level domain that is defined in the Authentication Manager Operations Console to a specific group in Active Directory. Any users that are members of this Active Directory group will show up when searching for users in the identity source via the Security Console. Any users that are removed from the Active Directory group will be removed from the Authentication Manager after running the clean-up process.

Tasks:
The following tasks will be completed when following the steps in this article:
1. Create a universal group in Active Directory.
2. Add Active Directory users to the group.
3. Map this group, by its CN= distinguished name, as the Group Base DN of your identity source, not as the User Base DN.
4. Change the User Search Filter in the external identity source to include the memberof= search filter. Note: the memberof filter only works with Active Directory; the memberof function does not work correctly in a SunONE/Oracle LDAP directory server identity source. For SunONE, place the users into an OU instead of a group, then make that OU part of the User Base DN and User Group Base DN on the Map tab when configuring the identity source (Operations Console > Deployment Configuration > Identity Source > Manage Existing > Map).
There are variations on how this process can be done, so test the configuration options in a development or pre-production environment.
The two users Jo Aaberg and Kvive Aaby from the example above would now be searchable in the Security Console under Identity > Users > Manage Existing under this new identity source:
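As an added example (not code from the RSA article), the following script builds the memberof-based User Search Filter that step 4 describes and dry-runs it against a constructed directory snapshot, showing which accounts the scoped identity source would expose and how a user drops out once removed from the group. The group DN, account names and directory entries are made-up stand-ins; substitute your own domain's values.

```python
"""Scope an RSA Authentication Manager identity source to one AD group:
build the memberOf-based User Search Filter and dry-run it offline."""
from typing import Dict, List

# Hypothetical group DN; substitute the DN of the universal group you created.
GROUP_DN = "CN=SecurID Users,OU=Groups,DC=example,DC=com"

# Constructed snapshot of AD objects (objectCategory shortened to its class name).
SAMPLE_ENTRIES: List[Dict] = [
    {"sAMAccountName": "jaaberg", "cn": "Jo Aaberg", "objectCategory": "person",
     "objectClass": ["user"], "memberOf": [GROUP_DN]},
    {"sAMAccountName": "kaaby", "cn": "Kvive Aaby", "objectCategory": "person",
     "objectClass": ["user"], "memberOf": ["cn=securid users,ou=groups,dc=example,dc=com"]},
    {"sAMAccountName": "svc-backup", "cn": "svc-backup", "objectCategory": "person",
     "objectClass": ["user"], "memberOf": ["CN=Backup Operators,CN=Builtin,DC=example,DC=com"]},
    # A computer account in the group has objectClass user but is not a person.
    {"sAMAccountName": "WS01$", "cn": "WS01", "objectCategory": "computer",
     "objectClass": ["user", "computer"], "memberOf": [GROUP_DN]},
]

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a DN containing '(' ')' '*' or '\\' cannot break the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def build_user_search_filter(group_dn: str) -> str:
    """AD-only filter: person objects that are direct members of group_dn.
    memberOf is maintained by Active Directory; SunONE/Oracle DS lacks it,
    which is why the article scopes by OU in the base DNs there instead."""
    return ("(&(objectCategory=person)(objectClass=user)"
            f"(memberOf={escape_filter_value(group_dn)}))")

def matching_users(entries: List[Dict], group_dn: str) -> List[str]:
    """Dry run of that filter over a snapshot: the sAMAccountNames the identity
    source would expose. DNs compare case-insensitively, as in AD; memberOf holds
    only direct membership, so nested groups and the primary group do not count."""
    wanted = group_dn.lower()
    return sorted(e["sAMAccountName"] for e in entries
                  if e.get("objectCategory") == "person" and "user" in e.get("objectClass", [])
                  and any(dn.lower() == wanted for dn in e.get("memberOf", [])))

def remove_from_group(entries: List[Dict], sam: str, group_dn: str) -> List[Dict]:
    """New snapshot with `sam` taken out of group_dn: the AD change that the
    Authentication Manager clean-up job later reconciles by removing the user."""
    return [dict(e, memberOf=[dn for dn in e["memberOf"] if dn.lower() != group_dn.lower()])
            if e["sAMAccountName"] == sam else e for e in entries]

if __name__ == "__main__":
    print(build_user_search_filter(GROUP_DN))
    print(matching_users(SAMPLE_ENTRIES, GROUP_DN))  # ['jaaberg', 'kaaby']
    print(matching_users(remove_from_group(SAMPLE_ENTRIES, "kaaby", GROUP_DN), GROUP_DN))
```

Paste the printed filter into the User Search Filter field; the dry run is only a model of AD's matching, so confirm the result with a real search from the Security Console before promoting the change out of pre-production.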