HawthorneJ_SCFT
Contributor III

Assigned security roles to an AD group not working

Hi there,

I have assigned security roles of Analytics Admin and Private Content Creator to our admin AD group but the permissions are not working for members of that group. They will only work when I add the roles to their individual user. I'm sure this isn't what's meant to happen so does anyone know what causes this?

Thanks, Julie

6 Replies
Leigh_Kennedy
Employee

Are you sure your tenant is seeing the groups? 

After logging in as one of the users you expect to get the roles, add "/api/v1/diagnose-claims" after your tenant URL. This will show you what is being sent from your IDP and what is mapped, e.g.:

Leigh_Kennedy_0-1720390030711.png

If the groups are missing in both sections, your IDP configuration is incorrect.  If they appear in the "claimsFromIDP" section but not the "mappedClaims" section, your tenant's claims mapping is incorrect.  

Regards.
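The check described in the reply above, as an added example that is not part of the original post and is not Qlik's own code. It applies the "claimsFromIDP" / "mappedClaims" rule to a saved copy of the diagnose-claims output; the `groups` key name, the exact JSON layout and the sample values are assumptions, so adjust `key` to match what your tenant returns.

```python
import json

# Constructed sample of a saved /api/v1/diagnose-claims response. Only the two
# section names come from the thread; the "groups" key and values are assumed.
SAMPLE = json.dumps({
    "claimsFromIDP": {"sub": "user-1", "groups": ["Qlik-Admins", "Finance"]},
    "mappedClaims": {"sub": "user-1", "groups": []},
})


def _groups(section, key="groups"):
    """Return the groups listed in one section as a set of exact names."""
    value = (section or {}).get(key) or []
    if isinstance(value, str):  # a single group may arrive as a bare string
        value = [value]
    return {str(g).strip() for g in value}


def triage(raw_json, expected_group, key="groups"):
    """Report where an expected group is lost, following the rule in the reply."""
    doc = json.loads(raw_json)
    wanted = expected_group.strip()
    from_idp = wanted in _groups(doc.get("claimsFromIDP"), key)
    mapped = wanted in _groups(doc.get("mappedClaims"), key)
    if mapped:
        # The tenant sees the group for this session; look at the role or
        # space rule assigned to the group instead.
        return "group-reaches-tenant"
    if from_idp:
        # Sent by the IdP but dropped before mapping.
        return "tenant-claims-mapping"
    # Absent from both sections.
    return "idp-configuration"


if __name__ == "__main__":
    for group in ("Qlik-Admins", "HR"):
        print(group, "->", triage(SAMPLE, group))
```

The comparison is an exact string match on purpose, so a group that differs only in case or spacing from the name used in the role assignment shows up as missing rather than being silently accepted.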

HawthorneJ_SCFT
Contributor III
Author

Thanks for the response Leigh, the groups seem to be coming through fine:

HawthorneJ_SCFT_1-1720427748691.png

When I add the group to the Analytics Admin in the Permissions section here:

HawthorneJ_SCFT_2-1720428008673.png

It doesn't change the role for those users and I have to add it separately to the users in the All Users Section, which seems to defeat the object of being able to assign roles to AD groups and not have to manage the roles on a completely individual basis. Both these users are in the admin AD group and therefore should have the role assigned but don't.

HawthorneJ_SCFT_3-1720428217229.png

 

Any other ideas what is causing this?



Leigh_Kennedy
Employee

So it won't change what you see assigned to the user. As we have no way of knowing if a user has been added/removed from a group since the last time they logged in, it will not show on the user directly - it's applied at runtime for that session. If you have a rule which says "GROUP A" has "can edit" access to "SPACE B" and you can see using the above method that the user is in "GROUP A" and yet they don't have access, I would raise a support case.

HawthorneJ_SCFT
Contributor III
Author

Hi Leigh, thanks for your response. 

I have assigned an AD group which I am in to the Steward role, I have logged out and back in again and I still cannot see the options related to glossary under the Add new button. If I assign myself as a user (rather than through the group) I then have those options available, so something is not working and I will raise a support case. Thanks for your help anyway.

youngaaron
Partner - Contributor II

Hey @HawthorneJ_SCFT - did you get a resolution for this? We're experiencing the exact same issue. 🙂

HawthorneJ_SCFT
Contributor III
Author

Hi, I'm afraid I didn't raise a case in the end and life took over. Sorry