IBM Z Hardware and Operating Systems Ideas Portal



Status Delivered
Created by Guest
Created on Nov 19, 2015

Enhance LDAP Support in HMC

We want to be able to manage HMC users in specific groups and not as single users.
Clarification based on the fact that:
1) Users belonging to a group have the role and authorization defined for this group.
2) If, for example, user "xxxx" belongs to group "ADMIN", user "xxxx" should have the rights given to the group "ADMIN".
3) Belonging to one of the groups defines the needed user role (Admin, Operator, ...).
4) It should work similarly to RACF.
5) We do not want to add an extra attribute to the AD schema either.

Extract from the e-mail exchanges:
The HMC does not know which AD groups a user is in, or which one of a user's groups (possibly many) should control the user's authorities.
No, it is not possible with the current LDAP support in the HMC to do exactly what the customer wants. The approach I described is the best way the HMC has to give many users the same authority based on information in an LDAP directory. I know that it does require an extra step on the LDAP side; the customer must define a new attribute in the AD schema and put the appropriate template name in that attribute for each user.
--> Allowing the customer to do it the way they have suggested would require new functionality in the HMC.

Workaround proposed to the system engineer and not agreed:
"Depending on what support AD provides and how the schema is defined, it is possible to do what the customer wants, but it will require some work in their AD schema, as well as some setup on the HMC. The basic approach is as follows:
1. Create an LDAP Server Definition on the HMC
   - It must point to the AD server
   - Depending on the specific attributes in the AD schema, set the Distinguished Name (DN) Pattern, or the Search DN Tree and Search Filter, so it will locate a user's AD account using the HMC userid (or associated AD account name)
     - The HMC userid (or associated AD account name) is substituted for "{0}" in the DN Pattern or the Search Filter
2. For each AD group, create a User Template on the HMC
   - It must point to the LDAP Server Definition created above
   - Give it the desired task/object permissions
   - For example, create templates named "Oper", "Admin" and "System Programmer"
3. Create a User Pattern
   - The pattern must match all of the HMC userids for the users in all of the AD groups to be included in this plan
     - That might require a glob-like pattern of *
   - It must point to some User Template with very little or no privileges; this will be the default
   - The additional LDAP-based lookup and validation settings must be:
     - The LDAP Server Definition created above
     - The name of an attribute in the AD schema for a user object
     - The value of this attribute will be the name of one of the User Templates created above
     - This is used to name the User Template that contains the appropriate permissions for the users
4. Define an attribute in the AD schema for a user object
   - A good name for this attribute is something like: HMCUserTemplateName
   - For each AD user, set this attribute to the name of the User Template that contains the appropriate permissions for that user
     - For example, "Oper", "Admin", or "System Programmer"

During HMC logon, the processing goes something like this:
1. The user enters his HMC userid (or associated AD user account name) and password on the HMC logon panel
2. The HMC matches that userid/name against all specific HMC userids; no match
3. The HMC matches that userid/name against the User Patterns; it matches the User Pattern created above
4. The HMC contacts the AD server (identified by the LDAP Server Definition identified in the User Pattern)
5. The AD server uses the DN/Subtree/Filter in the LDAP Server Definition to find the AD account
6. The AD server validates the password; if successful, it returns the value of the HMCUserTemplateName attribute for that AD user (for example "Oper")
7. The HMC uses the HMCUserTemplateName value to get the User Template to use for the HMC user permissions (for example, the "Oper" User Template created above)
8. HMC logon completes; the user has the permissions specified in the appropriate User Template (the "Oper" User Template, in this example)."

Idea priority High
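The attribute-based logon flow in the workaround above (User Pattern, "{0}" substitution into the search filter, HMCUserTemplateName lookup, fall-back to the low-privilege default template) is simulated below. This is an added illustration, not HMC or IBM code: the AD entries, passwords, template names and every function name are constructed for the example, a hash comparison stands in for the LDAP bind, and the mock search only understands single-attribute equality filters. It also shows two points a practitioner would check in such a setup: the userid substituted for "{0}" is escaped per RFC 4515 so it can only match literally, and a user whose attribute is missing or names a template the HMC does not know lands on the default template rather than on an arbitrary one.

```python
"""Walk-through of the attribute-based HMC logon flow from the proposed
workaround. Added illustration, not HMC or IBM code: the AD entries,
passwords, template names and all function names are constructed, and
the password check stands in for an LDAP bind."""
import fnmatch
import hashlib
import hmac
import re
from dataclasses import dataclass, field


# ---- constructed stand-in for the AD side --------------------------------
@dataclass
class ADUser:
    dn: str
    sAMAccountName: str
    pw_hash: str                              # constructed; a real AD verifies a bind
    attributes: dict = field(default_factory=dict)


def _h(pw: str) -> str:
    return hashlib.sha256(pw.encode()).hexdigest()


DIRECTORY = [
    ADUser("CN=alice,OU=Ops,DC=example,DC=com", "alice", _h("alice-pw"), {"HMCUserTemplateName": "Oper"}),
    ADUser("CN=bob,OU=Ops,DC=example,DC=com", "bob", _h("bob-pw"), {"HMCUserTemplateName": "Admin"}),
    ADUser("CN=carol,OU=Ops,DC=example,DC=com", "carol", _h("carol-pw"), {}),  # attribute never set
    ADUser("CN=dave,OU=Ops,DC=example,DC=com", "dave", _h("dave-pw"), {"HMCUserTemplateName": "SysAdm"}),  # no such template
]


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for the value substituted for "{0}": '*', '(', ')',
    backslash and NUL become \\xx so the userid is matched literally."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def ldap_search(search_filter: str):
    """Mock of step 5: resolves one-attribute equality filters against DIRECTORY
    and returns the account only if exactly one entry matches."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", search_filter)
    if not m:
        return None
    attr, raw = m.groups()
    value = re.sub(r"\\([0-9a-f]{2})", lambda x: chr(int(x.group(1), 16)), raw)
    hits = [u for u in DIRECTORY
            if (u.sAMAccountName if attr == "sAMAccountName" else u.attributes.get(attr)) == value]
    return hits[0] if len(hits) == 1 else None


# ---- constructed HMC-side objects from steps 1-3 --------------------------
@dataclass
class LDAPServerDefinition:
    host: str
    search_base: str
    search_filter: str                        # "{0}" is replaced by the HMC userid


@dataclass
class UserTemplate:
    name: str
    permissions: frozenset


@dataclass
class UserPattern:
    glob: str
    default_template: str                     # the low- or no-privilege template
    ldap: LDAPServerDefinition
    template_attribute: str                   # AD attribute naming the real template


AD = LDAPServerDefinition("ad.example.com", "OU=Ops,DC=example,DC=com", "(sAMAccountName={0})")
USER_TEMPLATES = {
    "Restricted": UserTemplate("Restricted", frozenset()),
    "Oper": UserTemplate("Oper", frozenset({"view-status", "activate"})),
    "Admin": UserTemplate("Admin", frozenset({"view-status", "activate", "manage-users"})),
}
USER_PATTERNS = [UserPattern("*", "Restricted", AD, "HMCUserTemplateName")]
LOCAL_USERIDS = {"SYSPROG"}                   # step 2: specific HMC userids are tried first


def hmc_logon(userid: str, password: str):
    """Steps 1-8 of the described logon; returns (success, template name, detail)."""
    if userid in LOCAL_USERIDS:                                        # step 2
        return (False, None, "specific HMC userid; LDAP path not modelled here")
    pattern = next((p for p in USER_PATTERNS if fnmatch.fnmatchcase(userid, p.glob)), None)
    if pattern is None:                                                # step 3
        return (False, None, "no User Pattern matches")
    ldap_filter = pattern.ldap.search_filter.replace("{0}", escape_filter_value(userid))  # step 4
    account = ldap_search(ldap_filter)                                 # step 5
    if account is None:
        return (False, None, "no unique AD account for " + ldap_filter)
    if not hmac.compare_digest(account.pw_hash, _h(password)):         # step 6
        return (False, None, "password rejected by AD")
    wanted = account.attributes.get(pattern.template_attribute)
    template = USER_TEMPLATES.get(wanted) if wanted else None          # step 7
    if template is None:
        # attribute missing or naming an unknown template: the default applies
        template = USER_TEMPLATES[pattern.default_template]
    return (True, template.name, "permissions: " + ", ".join(sorted(template.permissions)))  # step 8


if __name__ == "__main__":
    for uid, pw in [("alice", "alice-pw"), ("carol", "carol-pw"), ("dave", "dave-pw"), ("bob", "nope")]:
        print(uid, hmc_logon(uid, pw))
```

Running the block logs alice on as "Oper", while carol (no attribute) and dave (attribute names a template that does not exist on the HMC) both end up on the "Restricted" default, which is why the User Pattern's default template should carry as few privileges as possible.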
  • Guest, Jun 23, 2021

    Delivered with BCPii V2 released in z15 GA 1.5

  • Guest, Mar 16, 2016

    Thanks for submitting this request. We will take it into consideration for the future.

  • Guest, Nov 25, 2015

    Creating a new RFE based on Community RFE #80573 in product z Systems Hardware.