Random Entitlements

I just had a thought. You could use the random number generator transform to generate random numbers to randomly split between two WIFI groups in any location. To do this, you would need to create a new identity profile mapping attribute called something like wifiGroup. The source would be your authoritative source that specifies the employee’s location, the attribute will be the location, and the transform will be a custom transform with the following logic.

POST /v3/transforms

Request Body:

{
    "name": "Random WIFI Group",
    "type": "concat",
    "attributes": 
    {
        "values": [
            {
                "type": "accountAttribute",
                "attributes": {
                    "sourceName": "Employees",
                    "attributeName": "location"
                }
            },
            ":",
            {
                "type": "lookup",
                "attributes": {
                    "table": {
                        "0": "1",
                        "1": "1",
                        "2": "1",
                        "3": "1",
                        "4": "1",
                        "5": "2",
                        "6": "2",
                        "7": "2",
                        "8": "2",
                        "9": "2"
                    },
                    "input": {
                        "type": "randomNumeric",
                        "attributes": {
                            "length": 1
                        }
                    }
                }
            }
        ]
    }
}

Once you run the aggregation, all of your identities should now have a new identity attribute called wifiGroup with the name of the location and the random WIFI group number, like London:1 or Dallas:2. Then, you can create roles for each WIFI group that you need to manage, and use the standard criteria builder to automatically assign users to roles based on their wifiGroup.

Each role can grant the appropriate AD group membership via an access profile.

This approach would have the benefit of being easily maintained and certified, since it’s using standard processes and roles to manage the access to WIFI groups, rather than a custom script. It would also make it easier to assign temporary WIFI access to identities that travel between locations, since the roles can be requestable.

However, the caveat here is the randomness, which you don’t really have control over. You can’t control the random number generator, which could produce more users in WIFI group 1 than group 2. Also, as users leave the company, you could see an imbalance if, coincidentally, more users in WIFI group 1 leave than group 2. If you truly need an even split, for reasons like WIFI load balancing, then you may want to look to your WIFI hardware vendor to see if there is a solution within their product that can do this, or at least plan for the event where you need to redistribute users across the two WIFI groups to balance them out. One contingency could be to add a “WIFI Group” account attribute to your authoritative source, and leave it blank. In the event you need to balance WIFI access, you could then manually set the “WIFI Group” attribute in the source for select identities. Just make sure your roles prefer to use the “WIFI Group” account attribute over the calculated identity attribute if it is present.

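To size the imbalance described in the post before creating roles, the transform can be approximated offline. This is an added example, not code from the post or from SailPoint: `evaluate` is a hypothetical local stand-in for the four transform types used, the 200 London accounts are constructed, and the manual "WIFI Group" precedence (which the post places in the roles) is modelled in `wifi_group`.

```python
import random
from collections import Counter

# Transform body from the post; the lookup table is built programmatically
# (digits 0-4 -> "1", digits 5-9 -> "2"), identical to the posted table.
TRANSFORM = {
    "type": "concat",
    "attributes": {"values": [
        {"type": "accountAttribute",
         "attributes": {"sourceName": "Employees", "attributeName": "location"}},
        ":",
        {"type": "lookup", "attributes": {
            "table": {str(d): ("1" if d < 5 else "2") for d in range(10)},
            "input": {"type": "randomNumeric", "attributes": {"length": 1}}}},
    ]},
}

def evaluate(node, account, rng):
    """Approximate local evaluation of the transform types used above (assumption)."""
    if isinstance(node, str):          # static strings such as ":"
        return node
    kind, attrs = node["type"], node["attributes"]
    if kind == "concat":
        return "".join(evaluate(v, account, rng) for v in attrs["values"])
    if kind == "accountAttribute":
        return account[attrs["attributeName"]]
    if kind == "randomNumeric":
        return "".join(rng.choice("0123456789") for _ in range(attrs["length"]))
    if kind == "lookup":
        return attrs["table"][evaluate(attrs["input"], account, rng)]
    raise ValueError(f"unsupported transform type: {kind}")

def wifi_group(account, rng):
    """A manually set 'WIFI Group' account attribute wins over the random value."""
    manual = account.get("WIFI Group")
    if manual:
        return f"{account['location']}:{manual}"
    return evaluate(TRANSFORM, account, rng)

def split_counts(accounts, seed):
    """Count identities per wifiGroup value for one seeded run."""
    rng = random.Random(seed)
    return Counter(wifi_group(a, rng) for a in accounts)

if __name__ == "__main__":
    staff = [{"location": "London"} for _ in range(200)]  # constructed sample
    for seed in range(5):
        c = split_counts(staff, seed)
        print(seed, c["London:1"], c["London:2"], abs(c["London:1"] - c["London:2"]))
```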