Forum Discussion
Constantin123_1
Nimbostratus
May 23, 2013
APM Advanced User Query
Hi Guys,
I am configuring an APM cluster for Citrix access on published desktops and I would like to achieve the following:
- User authenticates and based on his/her AD group membership a ...
Kevin_Stewart
Employee
May 28, 2013
There are probably a few different ways to do this, but here's my interpretation.
1. Create a data group (ex. "citrix_sa_datagroup") that consists of the memberOf value (string trimmed) and the smartaccess filter for that membership.
Ex.
CN=TEST1_GROUP,CN=Users,DC=MYDOMAIN2K3,DC=COM := FOO
CN=TEST2_GROUP,CN=Users,DC=MYDOMAIN2K3,DC=COM := BAR
CN=TEST3_GROUP,CN=Users,DC=MYDOMAIN2K3,DC=COM := TEST
2. Create an Access policy that performs an AD query. If the user is a member of multiple groups it'll show up as a session value (session.ad.last.attr.memberOf) - a list of AD memberships separated by "pipe" delimiters.
Ex.
session.ad.last.attr.memberOf = | CN=TEST3_GROUP,CN=Users,DC=MYDOMAIN2K3,DC=COM | CN=TEST2_GROUP,CN=Users,DC=MYDOMAIN2K3,DC=COM | CN=TEST1_GROUP,CN=Users,DC=MYDOMAIN2K3,DC=COM | CN=Domain Users,CN=Users,DC=MYDOMAIN2K3,DC=COM | CN=Users,CN=Builtin,DC=MYDOMAIN2K3,DC=COM |
3. At the end of the access policy evaluation, in the VPE, and after the AD query, insert an iRule event agent and give it a unique ID (ex. "QUERYPROC").
4. Create an iRule that parses and loops through this list and dynamically creates the smartaccess filter value.
when ACCESS_POLICY_AGENT_EVENT {
    set smartaccess ""
    # Only act for the iRule event agent given the ID "QUERYPROC" (placed after the AD query)
    if { [ACCESS::policy agent_id] equals "QUERYPROC" } {
        # memberOf is a pipe-delimited list; the leading/trailing pipes yield empty
        # elements, which simply never match the data group
        set memberOfList [split [ACCESS::session data get session.ad.last.attr.memberOf] "|"]
        foreach x $memberOfList {
            # Trim surrounding whitespace, then look the group DN up in the data group
            if { [class match [string trim $x] equals citrix_sa_datagroup] } {
                # Append the mapped filter value (values are concatenated in list order, no delimiter)
                append smartaccess [class match -value [string trim $x] equals citrix_sa_datagroup]
            }
        }
        # Only set the session variable when at least one group mapped to a filter
        if { $smartaccess ne "" } {
            ACCESS::session data set session.citrix.smart_access $smartaccess
        }
    }
}
This should produce the same value that the smartaccess agent produces in the VPE. I haven't tested this against a Citrix environment yet, so your mileage may vary. The above also won't work if the user is a member of only one group (the primary group). If that's a possibility in your environment, you can also filter on the session.ad.last.attr.primarygroupID or session.ad.last.attr.primarygroup.dn values.
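To sanity-check the group-to-filter mapping before putting it on the box, here is an added Python re-implementation of the lookup logic described above (this is not Kevin's iRule and not F5 code). It uses the data group and memberOf value from the answer as constructed sample input, drops the empty elements produced by the leading/trailing pipes, and covers the single-group caveat by falling back to a primary-group DN when memberOf is empty; the optional delimiter argument is an assumption, since the iRule itself concatenates the values with no separator.

```python
from typing import Dict, List, Optional

# Constructed copy of the "citrix_sa_datagroup" mapping from the answer:
# group DN (trimmed) -> SmartAccess filter value.
CITRIX_SA_DATAGROUP: Dict[str, str] = {
    "CN=TEST1_GROUP,CN=Users,DC=MYDOMAIN2K3,DC=COM": "FOO",
    "CN=TEST2_GROUP,CN=Users,DC=MYDOMAIN2K3,DC=COM": "BAR",
    "CN=TEST3_GROUP,CN=Users,DC=MYDOMAIN2K3,DC=COM": "TEST",
}

# Constructed sample of session.ad.last.attr.memberOf as shown in the answer.
MEMBER_OF_SAMPLE = (
    "| CN=TEST3_GROUP,CN=Users,DC=MYDOMAIN2K3,DC=COM "
    "| CN=TEST2_GROUP,CN=Users,DC=MYDOMAIN2K3,DC=COM "
    "| CN=TEST1_GROUP,CN=Users,DC=MYDOMAIN2K3,DC=COM "
    "| CN=Domain Users,CN=Users,DC=MYDOMAIN2K3,DC=COM "
    "| CN=Users,CN=Builtin,DC=MYDOMAIN2K3,DC=COM |"
)


def parse_member_of(member_of: str) -> List[str]:
    """Split the pipe-delimited memberOf value into trimmed DNs.
    The leading/trailing pipes produce empty elements; those are dropped."""
    return [dn.strip() for dn in member_of.split("|") if dn.strip()]


def build_smart_access(member_of: Optional[str],
                       primary_group_dn: Optional[str] = None,
                       datagroup: Dict[str, str] = CITRIX_SA_DATAGROUP,
                       sep: str = "") -> str:
    """Map each group DN to its filter value, in list order, exactly as the
    iRule does (exact string match against the data group keys).
    sep="" mirrors the iRule's delimiter-less append; a non-empty sep is an
    assumed option for environments that want delimited filters."""
    groups = parse_member_of(member_of or "")
    # Single-group caveat from the answer: when the user's only group is the
    # primary group, memberOf is empty, so fall back to the primary group DN.
    if not groups and primary_group_dn:
        groups = [primary_group_dn.strip()]
    filters = [datagroup[dn] for dn in groups if dn in datagroup]
    # An empty result means "set nothing", matching the iRule's final check.
    return sep.join(filters)


if __name__ == "__main__":
    print(build_smart_access(MEMBER_OF_SAMPLE))            # TESTBARFOO
    print(build_smart_access(MEMBER_OF_SAMPLE, sep=","))   # TEST,BAR,FOO
    print(build_smart_access("", "CN=TEST2_GROUP,CN=Users,DC=MYDOMAIN2K3,DC=COM"))  # BAR
```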