nrfGroupRoles not listing all groups that cause role assignment

I've run into an issue with the nrfGroupRoles attribute not being populated with all of the groups that cause a role assignment. Here is my setup.

I have a role called:
TestRole

This role has two groups directly assigned to it, called:
TestGroup
TestGroup2

Now, if I add a user to TestGroup, I see the following user attribute values:

groupMembership: cn=TestGroup,ou=Groups,ou=Data,o=Dev
nrfGroupRoles: cn=TestRole,cn=Level10,cn=RoleDefs,cn=RoleConfig,cn=AppConfig,cn=UserApplication,cn=DRIVERSET,o=Dev#0#<assignment><start_tm>20191105210853Z</start_tm><cause><group>cn=TestGroup,ou=Groups,ou=Data,o=Dev</group></cause></assignment>
nrfMemberOf: cn=TestRole,cn=Level10,cn=RoleDefs,cn=RoleConfig,cn=AppConfig,cn=UserApplication,cn=DRIVERSET01,ou=Servers,o=Dev

Looks good so far. I'd expect the #0# value of the nrfGroupRoles entry to mean revoked, but that doesn't seem to be the case. I'm not sure, but anyway, I'll continue.

I add the user to TestGroup2. I see the following:
groupMembership: cn=TestGroup,ou=Groups,ou=Data,o=Dev
groupMembership: cn=TestGroup2,ou=Groups,ou=Data,o=Dev
nrfGroupRoles: cn=TestRole,cn=Level10,cn=RoleDefs,cn=RoleConfig,cn=AppConfig,cn=UserApplication,cn=DRIVERSET,o=Dev#0#<assignment><start_tm>20191105210853Z</start_tm><cause><group>cn=TestGroup,ou=Groups,ou=Data,o=Dev</group></cause></assignment>
nrfMemberOf: cn=TestRole,cn=Level10,cn=RoleDefs,cn=RoleConfig,cn=AppConfig,cn=UserApplication,cn=DRIVERSET,o=Dev

You can see that TestGroup2 was not added to nrfGroupRoles.

The final piece is this. If I remove the user from TestGroup, which is in nrfGroupRoles, I get this:
groupMembership: cn=TestGroup2,ou=Groups,ou=Data,o=Dev
nrfGroupRoles: cn=TestRole,cn=Level10,cn=RoleDefs,cn=RoleConfig,cn=AppConfig,cn=UserApplication,cn=DRIVERSET,o=Dev#0#<assignment><start_tm>20191105211740Z</start_tm><cause><group>cn=TestGroup,ou=Groups,ou=Data,o=Dev</group></cause></assignment>
nrfMemberOf: cn=TestRole,cn=Level10,cn=RoleDefs,cn=RoleConfig,cn=AppConfig,cn=UserApplication,cn=DRIVERSET,o=Dev

You can see the user is still assigned to nrfMemberOf. This is correct. TestGroup is still in nrfGroupRoles, which is incorrect.

I'm seeing this behavior in RRSD 4.7.0.0 and 4.7.3.0. Maybe there are other components involved that I am not aware of? I have browsed the RRSD and iMonitor traces but nothing is jumping out at me.

Any ideas? Do I have some fundamental misunderstanding of these attributes?

  • Sounds like a RRSD bug, there have unfortunately been lots of these in recent years.

    Please raise a SR to get this fixed.

  • Maybe a silly question, but is this incorrect state permanent? I mean, is it still wrong if you restart the RRSD or wait until it recalculates dynamic groups at the rate specified in its configuration? I found this tricky fact recently when roles granted were not provisioned to one system until dynamic groups were recalculated a bit later.

  • I am not using dynamic groups and an RRSD restart does not correct the attribute.

    I opened an SR with Micro Focus and they have acknowledged this issue as a bug (1156142). They did provide workarounds:

    1. Perform a migrate-from on the user on the Role and Resource Service Driver. This is a reactive measure but it works.

    2. Disable the following rule in the "Convert the event into a custom command to send to the driver" policy.

    <do-if>
      <arg-conditions>
        <or>
          <if-op-attr name="Group Membership" op="changing"/>
          <if-op-attr name="nrfDynamicGroupMembership" op="changing"/>
        </or>
      </arg-conditions>
      <arg-actions>
        <do-set-xml-attr expression="../nrf:*" name="changingAttribute">
          <arg-string>
            <token-text xml:space="preserve">Group Membership</token-text>
          </arg-string>
        </do-set-xml-attr>
        <do-append-xml-element expression="../nrf:*" name="driver-operational-data"/>
        <do-clone-xpath dest-expression="../nrf:*/driver-operational-data" src-expression="../modify/modify-attr"/>
      </arg-actions>
      <arg-actions/>
    </do-if>


    The second workaround is proactive. I deployed it to our development environment but I have not tested it yet.
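The three states in the original post (consistent, missing cause group, stale cause group) can be checked mechanically, which is useful for finding every user that needs the migrate-from in workaround 1 rather than waiting for a report. The script below is an added example, not code from the thread or from NetIQ/Micro Focus. It parses nrfGroupRoles values in the `roleDN#status#<assignment>…</assignment>` shape shown above, compares the cited cause groups with groupMembership, and reports two findings: a cause group the user is no longer a member of (the stale state after leaving TestGroup) and a role-granting group the user is in that no nrfGroupRoles entry cites (the state after joining TestGroup2). The group-to-role mapping (`GROUP_ROLES`), the helper names, and the sample entries are all constructed here from the DNs in the post; a real audit would read the entries over LDAP and build the mapping from the role definitions.

```python
"""Audit a user's nrfGroupRoles against groupMembership.

Added example (not from the original post or from NetIQ/Micro Focus). It
models the states described in the thread and flags the inconsistent ones.
Assumptions: attribute values are plain strings as read over LDAP, and the
group-to-role mapping is supplied by the caller (constructed inline below).
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass


def norm_dn(dn: str) -> str:
    """Case-fold a DN and strip whitespace around RDNs for comparison.

    Good enough for the DNs in the thread; does not handle escaped commas.
    """
    return ",".join(part.strip().lower() for part in dn.split(","))


@dataclass(frozen=True)
class GroupRoleEntry:
    role_dn: str
    status: str          # the value between the two '#' separators
    start_tm: str        # <start_tm> from the assignment XML
    cause_groups: tuple  # group DNs cited in <cause><group>


def parse_nrf_group_roles(value: str) -> GroupRoleEntry:
    """Parse one nrfGroupRoles value: '<roleDN>#<status>#<assignment XML>'.

    The role DN contains no '#', so splitting on the first two '#' separates
    the three parts safely even though the XML may contain '#' itself.
    """
    role_dn, status, xml_part = value.split("#", 2)
    root = ET.fromstring(xml_part)
    start = root.findtext("start_tm", default="")
    groups = tuple(g.text.strip() for g in root.findall("./cause/group") if g.text)
    return GroupRoleEntry(role_dn, status, start, groups)


def audit_user(entry: dict, group_roles: dict) -> list:
    """Return a list of (finding, role_dn, group_dn) tuples.

    entry:       {'groupMembership': [...], 'nrfGroupRoles': [...]}
    group_roles: {group DN: [role DNs that group grants]}  (caller-supplied)
    Findings:
      stale_cause   - an nrfGroupRoles entry cites a group the user is not in
      missing_cause - the user is in a role-granting group, but no
                      nrfGroupRoles entry for that role cites the group
    """
    members = {norm_dn(g) for g in entry.get("groupMembership", [])}
    parsed = [parse_nrf_group_roles(v) for v in entry.get("nrfGroupRoles", [])]
    # (role, group) pairs the driver has actually recorded
    recorded = {(norm_dn(e.role_dn), norm_dn(g)) for e in parsed for g in e.cause_groups}

    findings = []
    for e in parsed:
        for g in e.cause_groups:
            if norm_dn(g) not in members:
                findings.append(("stale_cause", e.role_dn, g))
    for g, roles in group_roles.items():
        if norm_dn(g) not in members:
            continue
        for r in roles:
            if (norm_dn(r), norm_dn(g)) not in recorded:
                findings.append(("missing_cause", r, g))
    return findings


# Constructed sample data using the DNs from the post (hypothetical tree).
ROLE = ("cn=TestRole,cn=Level10,cn=RoleDefs,cn=RoleConfig,cn=AppConfig,"
        "cn=UserApplication,cn=DRIVERSET,o=Dev")
G1 = "cn=TestGroup,ou=Groups,ou=Data,o=Dev"
G2 = "cn=TestGroup2,ou=Groups,ou=Data,o=Dev"
GROUP_ROLES = {G1: [ROLE], G2: [ROLE]}  # both groups grant TestRole


def nrf_value(role: str, group: str, ts: str, status: str = "0") -> str:
    """Build an nrfGroupRoles value in the format seen in the thread."""
    return (f"{role}#{status}#<assignment><start_tm>{ts}</start_tm>"
            f"<cause><group>{group}</group></cause></assignment>")


# State 1: user added to TestGroup only -> consistent.
STATE_1 = {"groupMembership": [G1],
           "nrfGroupRoles": [nrf_value(ROLE, G1, "20191105210853Z")]}
# State 2: user also added to TestGroup2, but nrfGroupRoles was not updated.
STATE_2 = {"groupMembership": [G1, G2],
           "nrfGroupRoles": [nrf_value(ROLE, G1, "20191105210853Z")]}
# State 3: user removed from TestGroup; nrfGroupRoles still cites it.
STATE_3 = {"groupMembership": [G2],
           "nrfGroupRoles": [nrf_value(ROLE, G1, "20191105211740Z")]}

if __name__ == "__main__":
    for name, st in (("state 1", STATE_1), ("state 2", STATE_2), ("state 3", STATE_3)):
        print(name, audit_user(st, GROUP_ROLES) or "consistent")
```

The script deliberately does not compare nrfMemberOf, because a role can also be held through a direct or resource-based assignment that nrfGroupRoles never records, and it compares role DNs verbatim, so the DRIVERSET versus DRIVERSET01 difference in the first listing of the post would need normalising before a real run.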