One undocumented feature of CloudAccess is support for dynamic groups in policy management. This provides the administrator ability to map policies to essentially any LDAP query. In this example, we will configure a dynamic group and use it to restrict an AppMark to employees located in India.

Creating the dynamic group

Creating dynamic group objects in eDirectory is fairly straightforward. Log into iManager and use the group menu to create a new group. Make sure to use a context in which you are authorized to create and modify objects. One way to do this is to create a new context for CloudAccess groups and give the CloudAccess administrator ownership of the group. Enable the dynamic group option and disable all other options in the group creation dialog.

Once the group is created, modify it to include your search filter. After you apply the settings, you should be able to see the members of the group.

Dynamic Group Configuration

Note for Active Directory - While AD does not inherently support dynamic security groups, it is possible to achieve a similar effect through the query and dmod commands. More information on this can be found at http://social.technet.microsoft.com/Forums/windowsserver/en-US/ea39e821-50ba-494e-b608-df879a0e28ca/access-permission-ad-sites-level?forum=winserverDS.

Mapping the policy

Aside from possibly adding a new search context, the policy mapping should work just as it would with static groups. In our example, we took the India Payroll AppMark and unchecked the public option. After applying the change, we mapped the AppMark to the newly created dynamic group. After this, the AppMark will only be visible to employees located in India.

CloudAccess will query this group for changes every minute, so changes in the group will quickly be reflected in the policy.

Mapping the India Payroll AppMark to the "co-India" Dynamic Group

Viewing the Configured Policy Mapping