rtruscot wrote:

> Why not add a group entitlement/resource to your role (deploy the edir
> loop back if you don't have it already) and base the auth policy on
> that?
> You could even make the loopback driver create the group for you if it
> doesn't exist.

But then you would still have to create the authorization policies for
those groups. True that it'll save on the roles bit and you only need
to configure one policy rather than two.

If you use this, make sure you configure an attribute set that
forwards the attributes to the ESP so the ESP won't have to query the
IDP for every authorization policy to obtain the right information.