Because this is not the typical user group authorization scenario, where an AD user group is used, we use a small workaround that we find is the easiest way to filter out all other users, so that only users in the custom container CANorthRyde appear in the policy configuration.
To achieve this, go to CA EEM Admin Console > Configure > User Store, where you configure the LDAP directory, and include the custom domain path in the Base DN. This ensures that only the users in container CANorthRyde show up in any user search in CA EEM.
Note: You can remove the CN=CANorthRyde value from the Base DN after the Domain Access Policy setup is completed for users in this container, and repeat the same procedure for other custom containers.
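To illustrate why putting the container in the Base DN narrows the user search, the following added example (not CA EEM code and not part of the original article) models an LDAP search over constructed entries. The DC=example,DC=com domain, the user names, the function names and the subtree search scope are all assumptions.

```python
# Added illustration: models LDAP subtree scoping by Base DN.
# DC=example,DC=com and all user names are constructed placeholders.

def split_dn(dn):
    """Split a DN into normalized RDNs, honouring backslash-escaped commas."""
    rdns, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(current))
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current))
    # AD compares DNs case-insensitively; trim whitespace around each RDN.
    return [r.strip().casefold() for r in rdns]

def in_scope(entry_dn, base_dn):
    """True if entry_dn is the base entry or sits anywhere beneath it."""
    entry, base = split_dn(entry_dn), split_dn(base_dn)
    return len(entry) >= len(base) and entry[-len(base):] == base

def visible_users(entries, base_dn):
    """Entries a user search would return for the given Base DN."""
    return [dn for dn in entries if in_scope(dn, base_dn)]

DOMAIN = "DC=example,DC=com"                      # placeholder domain
CONTAINER = "CN=CANorthRyde," + DOMAIN            # Base DN used by the workaround
DIRECTORY = [                                     # constructed sample entries
    "CN=Alice,CN=CANorthRyde," + DOMAIN,
    "cn=Ryde\\, Carol, cn=canorthryde, dc=example, dc=com",
    "CN=Bob,CN=Users," + DOMAIN,
    "CN=CANorthRyde Admin,CN=Users," + DOMAIN,    # name matches, location does not
]

if __name__ == "__main__":
    print("Base DN = container:", visible_users(DIRECTORY, CONTAINER))
    print("Base DN = domain   :", visible_users(DIRECTORY, DOMAIN))
```

With the container in the Base DN only the two entries located under CANorthRyde are returned, regardless of what a user's own name contains. With the Base DN reset to the domain, every entry is returned again.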
Once the user filtering workaround is in place, there are two options for assigning the Domain Access Policy to these users.
Option 1 - Use this option if you want to control domain access of these users directly at the policy level
1. In CA EEM Admin Console, click on Manage Access Policies, and expand the Access Policy node in the policies tree in the bottom left panel.
2. Click on the icon preceding the Domain node to create a New Access Policy.
3. When you search for users, only the users in the CANorthRyde container are shown; select them all and add them to this policy.
4. Once you've added all the users for this policy, scroll down to add the resource.
5. In this case, we want to restrict these users' access to a single domain named "W3_T1Domain". Just type the domain name in the Add Resource field and click the
6. Save the changes. You have now completed the steps required to restrict users in custom container CANorthRyde to have access to only domain W3_T1Domain.
Option 2 - Use this option if you want to control domain access of these users at the User Group level
1. In CA EEM Admin Console, click on Manage Access Policies, and click on the icon preceding the Domain node to create a New Dynamic Group Policy.
2. Add the users from container CANorthRyde to this policy, and use Add Resource to create the Dynamic Group name.
3. Make sure the belong action is checked.
4. Save the changes and this will create an EEM Dynamic Group that includes all the users from AD custom container CANorthRyde.
5. Repeat the steps in Option 1 to assign the Domain Access Policy to this Dynamic Group.
6. A slight variation is to search for Dynamic Group instead of User when adding Identities to the policy.
7. Click Save and the domain access policy will be applied to the dynamic group CANorthRyde AD Group.