Forum Discussion

davidfarje's avatar
davidfarje
Icon for Nimbostratus rankNimbostratus

Hi F5_design_engineer,

Resource assignment based on LocalDB group works.  What I want to know is, if I assign a user to multiple LocalDB groups.  Will the resource assigns for each group be cumulative? or mutually exclusive?

Lucas_Thompson's avatar
Lucas_Thompson
Icon for Employee rankEmployee
Jul 08, 2024

The important thing to remember about this part of APM is that *everything* is done using session variables. APM has 2 main agents that operate on the "assigned" session variables, Advanced Resource Assign and AD Group Assign.

Advanced Resource Assign operates like 'Evaluate each rule and run assignments based on first match". So in this regime you have to do tricks like "if a user is a member of A and B, then give them A and B resource", "if a user is a member of A and C, give them A and C resource", etc. This is fine for like up to 3 groups, but the number of rules you must have increase geometrically with the number of groups, so it's not useable for ordinary group-based assignments.

AD Group Assign operates like 'Evaluate each rule and run assignments based on each match'. Its input source is "session.ad.<AD SERVER NAME>.attr.memberOf", which is a pipe-delimited list of AD / LDAP-ish DNs. AD Group Assign runs EACH rule and doesn't stop on the first match. The trouble comes when you want to do this with group data that's not exactly like how AD returns it. It should be possible to transform and load whatever group data you have from other AAAs into the format expected by this agent.

 

You can of course use the "variable assign" agent to put any values you want into any session variable to modify the behavior. All session variables are just text strings, where arrays delimited by pipe characters.