
Unable to remove AD group tied with system role from user

Hi,


I have tied AD group with system role in Manager. When I assign system role to user, the corresponding AD group gets assigned to user but now when I try to remove the system role from user, corresponding AD group doesn't get removed. Why is it so? Do we need to modify or configure anything for this scenario?

  • For starters, what version are you using?
  • So you directly assigned the system role to the person and you have seen that the AD user linked to the person got the new AD group membership. Then you directly removed the assignment of the system from the person, but the AD group membership was not revoked for the linked AD user.

    • Is the membership still present in OneIM or has it just not been removed from AD?
    • Did you check the DB queue and the Job Queue for pending jobs?
  • One more thing: when I remove (Delete Membership) the system role assignment from the IT Shop, logging in with Manager (user -> Entitlement -> System Role), the AD group assigned for that user gets removed. But when I do the same thing of removing the system role through the backend, that is through Manager, only the system role gets removed and not the corresponding group.
  • Yes, this is what is happening in the backend through direct removal of the system role from the user.

    Is the membership still present in OneIM or has it just not been removed from AD?
    - Yes, the AD group membership is still present, and it has not been removed from AD either.

    Did you check the DB queue and the Job Queue for pending jobs?
    - When I remove the system role directly, I just get one job deleting the data from the PersonHasESet table, not any other job.
  • I tried to reproduce this in my version 8 environment and it worked.

    • Did you check that for the AD group membership the system role is the only source of the entitlement? You can check the origins of the person using the report "Show entitlement origin". If the system role is not the only source, that would explain why there is no removal triggered.

    In one of your other threads, you wrote about the IT Shop. Just for clarification, did you request the system role assignment for the person, or did you manually assign it in the Manager?
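    The behaviour described in this reply (an AD group membership is only deprovisioned once the system role is its last remaining origin) can be illustrated with a small constructed model. The following Python is an added example and is not One Identity Manager's code; the role name, group DN, origin labels and the `ad_actions` job list are all assumptions made for the illustration, and the "Show entitlement origin" report is approximated by the `entitlement_origin()` method.

```python
"""Constructed model of origin-tracked entitlements (not One Identity Manager code).

A target-system membership (here: an AD group) can have several origins, for
example a system role and a direct assignment.  Revoking one origin must not
deprovision the membership while another origin still grants it; only the
removal of the last origin triggers the REMOVE job.  That is exactly why a
system-role removal appears to "do nothing" when a second origin exists.
"""
from dataclasses import dataclass, field

# Constructed system-role definition: role name -> AD groups it carries.
GROUP = "CN=AppAdmins,OU=Groups,DC=example,DC=com"   # constructed DN
SYSTEM_ROLES = {"AppAdmin": [GROUP]}


@dataclass
class EntitlementStore:
    # (person, group) -> set of origin labels that currently grant it
    origins: dict = field(default_factory=dict)
    # provisioning jobs that would be handed to the target system (AD)
    ad_actions: list = field(default_factory=list)

    def grant(self, person, group, origin):
        """Record an origin; provision to AD only when it is the first one."""
        key = (person, group)
        sources = self.origins.setdefault(key, set())
        if not sources:
            self.ad_actions.append(("ADD", person, group))
        sources.add(origin)

    def revoke(self, person, group, origin):
        """Drop one origin; deprovision only when no origin is left.

        Returns True when the AD membership was actually removed.
        """
        key = (person, group)
        if key not in self.origins:
            return False                      # nothing to revoke
        sources = self.origins[key]
        sources.discard(origin)
        if sources:
            return False                      # still granted by another origin
        del self.origins[key]
        self.ad_actions.append(("REMOVE", person, group))
        return True

    def assign_system_role(self, person, role):
        for group in SYSTEM_ROLES[role]:
            self.grant(person, group, f"SystemRole:{role}")

    def remove_system_role(self, person, role):
        """Returns one flag per group: was the AD membership removed?"""
        return [self.revoke(person, g, f"SystemRole:{role}") for g in SYSTEM_ROLES[role]]

    def entitlement_origin(self, person, group):
        """Rough stand-in for the 'Show entitlement origin' report."""
        return sorted(self.origins.get((person, group), ()))


def scenario_role_is_only_source():
    """System role is the sole origin: removing it deprovisions the group."""
    store = EntitlementStore()
    store.assign_system_role("alice", "AppAdmin")
    store.remove_system_role("alice", "AppAdmin")
    return store.entitlement_origin("alice", GROUP), store.ad_actions


def scenario_extra_direct_assignment():
    """A second origin exists: removing the system role leaves the group in place."""
    store = EntitlementStore()
    store.assign_system_role("alice", "AppAdmin")
    store.grant("alice", GROUP, "Direct")       # constructed extra origin
    store.remove_system_role("alice", "AppAdmin")
    return store.entitlement_origin("alice", GROUP), store.ad_actions


def scenario_remove_other_origins_first():
    """Once the other origin is gone, the system-role removal triggers REMOVE."""
    store = EntitlementStore()
    store.assign_system_role("alice", "AppAdmin")
    store.grant("alice", GROUP, "Direct")
    store.revoke("alice", GROUP, "Direct")
    removed = store.remove_system_role("alice", "AppAdmin")
    return removed, store.entitlement_origin("alice", GROUP), store.ad_actions


if __name__ == "__main__":
    print("only source      :", scenario_role_is_only_source())
    print("extra direct     :", scenario_extra_direct_assignment())
    print("direct gone first:", scenario_remove_other_origins_first())
```

    The useful check when troubleshooting is the second scenario: the origin report still lists a remaining source after the role is removed, and no REMOVE job is generated, which matches the symptom of seeing only the PersonHasESet cleanup job.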

  • I checked "Show entitlement origin" and could see that there was more than one source of origin. When I removed the others and kept only the system role as the source of origin, it started working. Thank you.