Hi,
I believe this can be accomplish by doing the following:
- Set the default role as limited, which it seems you already have.
- Create a new user role with less restriction.
- On the INTERNAL server, create a derivation rule that would place a user in the less restrictive role. You would have to use a common string in each username. Maybe something like "gst-user01". When creating the derivation rule, set the condition to "User-name", Operation "Starts-with", and value "gst-".
I haven't tried this myself but give it a whirl and see if it works. When creating users via the Guest Provisioning Portal, you cannot assign the role, or at least I'm not aware of this. When you create the users from the admin interface, you can assign a specific role.
Hope this helps.
-Mike