Hello Rafael,
we have four domains, one of them is a subdomain of the other. This subdomain will be the "one domain" some day. However, groups need to be assigned wildly across domains.
I solved it like this in 7.2, should work similar in 8.0. I don't know if I remember it 100% correctly without looking:
- No master priv assign task for any of the domains. I think, you could do it for your primary domain though
- Creation of the user like normal. The only priv of the user's domain is set (no DIRECT_REFERENCE=1) from the request / massimport the user shall be created of. Then the provisioning begins. The groups of the user's domain are assigned after the creation.
- Assignment of the groups in other domains is done with a batch job. This one also sets the Only privs of the other domains with DIRECT_REFERENCE=1. No system priv for these domains though.
- Reconciliation is done in the night and if the user is needed on the same day the AD approver checks the user. They have to do some manual steps anyway like homeshare creation
Best regards
Dominik