We have two domains in our forest, CORP and PARTNER. CORP-users are allowed to access PARTNER-resources, but PARTNER-users are not allowed to access CORP-resources. Also, most Security Groups in CORP are of scope "Global", so trying to add any PARTNER-users to them would fail.
We are managing Security Groups for both domains in the MIM Portal with full self-service for group owners. But I need to get a fail-safe switch in place to stop any owners/requestors from adding (or requesting to add) PARTNER-users to CORP-groups:
- If the request target is a CORP-group, deny the request if it tries to add PARTNER-members
- If the request target is a PARTNER-group, allow requests for both PARTNER and CORP-members
I guess I should utilize AuthZ somehow, but I'm really not sure how to sort it out. PS: I do have MIMWAL in place.
Any guidance is much appreciated, thanks!