Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

AD group type

  • 1.  AD group type

    Posted Apr 27, 2015 02:54 PM

    Short version: Does the AD group type (universal, global or domain local) have any bearing on role derivation in CPPM?  User is in a global group "elementary" which is then part of domain local group "Employees".  I keep getting failures to authenticate because CPPM does not indicate the user is in "Employees" but AD clearly shows that it is there.  The user in question does show up in the groups he is directly added to but not the nested group (in CPPM details).  SubTree Search is turned on for the AD authentication source.


    I've done this before at a previous job but I had no access to AD at that location.  I suspect it doesn't matter but I could be wrong.



  • 2.  RE: AD group type

    EMPLOYEE
    Posted Apr 27, 2015 02:56 PM
    Are you using "Groups" or "memberOf" in your authorization?


  • 3.  RE: AD group type

    Posted Apr 27, 2015 02:59 PM

    memberOf CONTAINS

    Learned that the hard way previously.



  • 4.  RE: AD group type

    EMPLOYEE
    Posted Apr 27, 2015 03:02 PM
    Can you try using Group instead? memberOf sometimes has issues with nested groups.



    You should be able to see the contents of Group in Access Tracker under Authorization.


  • 5.  RE: AD group type

    Posted Apr 27, 2015 03:07 PM

    I tried "Groups CONTAINS".

    This was added to "Input" -> "Authorization Attributes" when I used Groups, but I'm still not seeing "Employees" show up:

    Authorization:Active Directory:Groups:   Elementary, Elementary Teachers
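
The behaviour the thread is circling around, as an added example that is not part of the original posts or of ClearPass itself: a user's memberOf attribute in AD only lists the groups the user is a direct member of, so a parent group that contains one of those groups (Employees containing Elementary here) never shows up in a memberOf read, regardless of the group type. Resolving the nested case means walking the member chain upward, either client-side or by asking the domain controller to do it with the LDAP_MATCHING_RULE_IN_CHAIN extensible match. The directory below is constructed for this example; the DNs and the Staff group are assumptions, and the filter shown is the generic AD form, not a claim about the exact filter syntax ClearPass uses for its Groups attribute.

```python
"""Added example (not from the thread): direct memberOf versus transitive
(nested) group membership in Active Directory, and the LDAP filter that
resolves the nested case on the domain controller.

The directory below is constructed for this example; the DNs, user and
group names are assumptions, not taken from any real domain.
"""

from collections import deque

# Constructed AD-like directory. Each group lists its direct members
# (users or other groups) by DN, which is what AD's "member" attribute
# holds; "memberOf" on a user is only the back-link of these entries.
GROUPS = {
    "CN=Elementary,OU=Groups,DC=example,DC=local": {
        "member": ["CN=jdoe,OU=Users,DC=example,DC=local"],
        "groupType": "global",
    },
    "CN=Elementary Teachers,OU=Groups,DC=example,DC=local": {
        "member": ["CN=jdoe,OU=Users,DC=example,DC=local"],
        "groupType": "global",
    },
    "CN=Employees,OU=Groups,DC=example,DC=local": {
        # Employees contains the *group* Elementary, not the user directly.
        "member": ["CN=Elementary,OU=Groups,DC=example,DC=local"],
        "groupType": "domain local",
    },
    "CN=Staff,OU=Groups,DC=example,DC=local": {
        # Assumed extra level of nesting to show the walk goes more than one hop.
        "member": ["CN=Employees,OU=Groups,DC=example,DC=local"],
        "groupType": "universal",
    },
}

# OID of AD's LDAP_MATCHING_RULE_IN_CHAIN extensible-match rule.
LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"


def cn(dn: str) -> str:
    """Return the leading CN value of a DN ('CN=Employees,OU=...' -> 'Employees')."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def direct_member_of(user_dn: str) -> list[str]:
    """Groups that list the user directly: the equivalent of reading the
    user's memberOf attribute. Nested parent groups do not appear here."""
    return sorted(cn(g) for g, attrs in GROUPS.items() if user_dn in attrs["member"])


def transitive_member_of(user_dn: str) -> list[str]:
    """Walk the member chain upward (user -> group -> parent group ...)
    until no new parent is found. The 'seen' set guards against group
    cycles, which AD permits. Group type (global / domain local /
    universal) never enters the computation: it governs where a group can
    be used, not how membership resolves."""
    seen: set[str] = set()
    queue = deque([user_dn])
    while queue:
        dn = queue.popleft()
        for group_dn, attrs in GROUPS.items():
            if dn in attrs["member"] and group_dn not in seen:
                seen.add(group_dn)
                queue.append(group_dn)
    return sorted(cn(g) for g in seen)


def nested_group_filter(user_dn: str) -> str:
    """LDAP filter that asks the DC to do the chain walk itself: it returns
    every group whose member chain reaches user_dn. A plain (member=<dn>)
    filter or a memberOf read only sees one level."""
    return f"(&(objectClass=group)(member:{LDAP_MATCHING_RULE_IN_CHAIN}:={user_dn}))"


if __name__ == "__main__":
    user = "CN=jdoe,OU=Users,DC=example,DC=local"
    print("memberOf (direct):   ", direct_member_of(user))
    print("Groups (transitive): ", transitive_member_of(user))
    print("Nested-group filter: ", nested_group_filter(user))
```

Running this prints the direct list (Elementary, Elementary Teachers), which matches what the Access Tracker output above shows, and the transitive list, which additionally contains Employees and Staff. If the attribute a NAC server derives its role from is populated by a one-level read, a rule such as `Groups CONTAINS Employees` can never match, and no change of group type on the AD side will fix that; the authorization query has to use the chain-matching filter (or an equivalent nested-group option) instead.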



  • 6.  RE: AD group type

    EMPLOYEE
    Posted Apr 27, 2015 03:23 PM
    Remember, when you are testing you must clear the cache if you make a change on the AD side. We only authenticate live each time, but AD groups, etc. are only pulled at the cache intervals.


  • 7.  RE: AD group type

    Posted Apr 28, 2015 07:29 AM

    Still not showing up in CPPM.  I'll work on getting upgraded to the latest CPPM release and see if it corrects the issue.



  • 8.  RE: AD group type

    Posted Aug 13, 2015 04:12 PM

    Did this ever get resolved?  I am seeing similar issues and have tried configuring for nested groups in several ways, but with no success.