mickers

Roles assignment issue


Hi,
We are finding an intermittent issue that is causing us some concern.

A quick overview of our system.
-Access Manager Appliance (v4.2.0.0.221-FFA243041FA2D86C)
-User Source is an AD (Windows 2012 R2) Global Catalog (:3268) which
contains 2 x Domains.
-IDP has role assignment policy, including multiple roles assigned per
ROLE ASSIGNMENT rule.
-Roles are based on either Group Membership, or OU Subtree
-(Although we can apparently assign multiple ROLES per Rule, the docs
say that we can only assign a single role per rule? Anyone have any
info on this?)

We are finding that in random cases, a user is logging into the system
(Basic Form), and it is being validated OK, but the audit log file is
showing:
"Roles assignment policy evaluaton Assigned Roles: [No Role(s)]"
even though the user is a member of the group. A reboot of the
appliance seems to have rectified the issue, at least temporarily.
The user will remain with 'No Roles' until we bounce the appliance.
Other users will be working fine during this time.

Can anyone offer any insight into this, or point me to where I could
start looking to debug better?

Thanks

--
mickers
------------------------------------------------------------------------
mickers's Profile: https://forums.netiq.com/member.php?userid=1122
View this thread: https://forums.netiq.com/showthread.php?t=55095

Anonymous_User
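A small log-scanning script, added here as an example (it is not from the original post and not NetIQ's own tooling): it reads audit lines that end in the "Assigned Roles: [...]" fragment quoted above and flags users whose evaluation previously returned roles and later returned [No Role(s)], which is the pattern described in the post, while leaving alone users who never had a role in the log. The line prefix (timestamp plus a user= field) and the sample log lines are constructed assumptions; adjust LINE_RE to the real audit format.

```python
import re

# Constructed line layout for this example; real Access Manager audit lines
# carry a different prefix. Only the trailing "Roles assignment policy
# evaluaton Assigned Roles: [...]" fragment is taken from the original post.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) user=(?P<user>\S+) "
    r"Roles assignment policy evaluaton Assigned Roles: \[(?P<roles>[^\]]*)\]$"
)

def parse_events(lines):
    """Return (timestamp, user, frozenset_of_roles) per matching line.
    '[No Role(s)]' becomes an empty set; non-matching lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        raw = m.group("roles")
        roles = frozenset() if raw == "No Role(s)" else frozenset(
            r.strip() for r in raw.split(","))
        events.append((m.group("ts"), m.group("user"), roles))
    return events

def find_role_loss(events):
    """Users who had roles earlier in the log and then got none.
    A user who never had a role is not reported (may be legitimately roleless)."""
    last_good, losses = {}, {}
    for ts, user, roles in events:
        if roles:
            if user in losses and losses[user]["recovered"] is None:
                losses[user]["recovered"] = ts   # roles came back (e.g. after a reboot)
            last_good[user] = (ts, roles)
        elif user in last_good and user not in losses:
            good_ts, good_roles = last_good[user]
            losses[user] = {"last_good": good_ts, "first_empty": ts,
                            "lost_roles": sorted(good_roles), "recovered": None}
    return losses

def degraded_window(events):
    """First and last timestamp at which any evaluation returned no roles."""
    empties = [ts for ts, _, roles in events if not roles]
    return (empties[0], empties[-1]) if empties else None

# Constructed sample log: alice loses her roles at 09:15 and gets them back at 11:00,
# bob keeps working throughout, carol never had a role and is not flagged.
SAMPLE_LOG = [
    "2016-03-01 08:00:05 user=alice Roles assignment policy evaluaton Assigned Roles: [Staff, Finance]",
    "2016-03-01 08:01:10 user=bob Roles assignment policy evaluaton Assigned Roles: [Staff]",
    "2016-03-01 09:15:42 user=alice Roles assignment policy evaluaton Assigned Roles: [No Role(s)]",
    "2016-03-01 09:16:03 user=bob Roles assignment policy evaluaton Assigned Roles: [Staff]",
    "2016-03-01 09:20:00 user=carol Roles assignment policy evaluaton Assigned Roles: [No Role(s)]",
    "2016-03-01 11:00:30 user=alice Roles assignment policy evaluaton Assigned Roles: [Staff, Finance]",
]
```

Running find_role_loss over a real audit file gives a per-user "last good / first empty" pair that can be lined up against appliance events instead of waiting for users to report "No Roles".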

Re: Roles assignment issue

mickers wrote:

>
> Hi,
> We are finding an intermittent issue that is causing us some concern.
>
> A quick overview of our system.
> -Access Manager Appliance (v4.2.0.0.221-FFA243041FA2D86C)
> -User Source is an AD (Windows 2012 R2) Global Catalog (:3268) which
> contains 2 x Domains.
> -IDP has role assignment policy, including multiple roles assigned per
> ROLE ASSIGNMENT rule.
> -Roles are based on either Group Membership, or OU Subtree
> -(Although we can apparently assign multiple ROLES per Rule, the docs
> say that we can only assign a single role per rule? Anyone have any
> info on this?)
>
> We are finding that in random cases, a user is logging into the system
> (Basic Form), and it is being validated OK, but the audit log file is
> showing:
> "Roles assignment policy evaluaton Assigned Roles: [No Role(s)]"
> even though the user is a member of the group. A reboot of the
> appliance seems to have rectified the issue, at least temporarily.
> The user will remain with 'No Roles' until we bounce the appliance.
> Other users will be working fine during this time.
>
> Can anyone offer any insight into this, or point me to where I could
> start looking to debug better?
>
> Thanks


When you enable the web service consumer and provider debug logs you
can see the queries to the user store and the attributes being returned
(not the values though, those are masked). I'd enable those to troubleshoot
this. Just be aware that if you have a very busy IDP your logs will
grow very large with those debug settings enabled.

--
Cheers,
Edward
mickers

Re: Roles assignment issue


Thanks, Edward.


--
mickers
------------------------------------------------------------------------
mickers's Profile: https://forums.netiq.com/member.php?userid=1122
View this thread: https://forums.netiq.com/showthread.php?t=55095
