Safeguard user from AD belonging to multiple groups

I created two AD groups (Group1 and Group2) and added them as User Groups in Safeguard. I configured different permissions on both groups (Group1 with no permissions, i.e. Standard User; Group2 with Auditor permission).

I added an AD user as member of Group1 in AD, a Safeguard user was created for them with permission of Standard User.

I then added the same AD user as member of Group2 in AD - permissions of the related Safeguard user did not change.

According to the below I was expecting the Auditor permission to be configured for the user.

https://support.oneidentity.com/technical-documents/one-identity-safeguard-for-privileged-passwords/2.11/administration-guide/94#TOPIC-1350409

Users permissions across multiple directory groups

Users have permissions based on the directory user groups to which they are assigned. If a user is removed from a directory user group, the permissions related to that group are removed but the permissions for all other groups the user is assigned to remain in place.

User permissions on import

When a directory user group is imported, newly created Safeguard users are assigned the selected permissions. If the user exists in Safeguard, the selected permissions are added to the existing user permissions.

Please explain the correct behaviour and, should this be necessary, update documentation to reflect it.
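The rule the quoted documentation describes (a user's permissions are the union of the permissions configured on every directory group they belong to, and removal from one group drops only that group's permissions) can be modelled in a few lines. The following is an added example, not Safeguard's code or API: the group names, the permission sets and the `find_stale_users` drift check are constructed for illustration. The drift check compares what AD group membership implies against what Safeguard currently reports for each user, which is exactly the condition a directory sync that has not yet run would leave behind.

```python
# Constructed model of the documented permission rule for directory user groups.
# Nothing here calls Safeguard; group names and permissions are invented.

# A group configured with "no permissions" yields a Standard User, i.e. an empty set.
STANDARD_USER = frozenset()

# Constructed mapping: directory user group -> permissions selected for that group.
GROUP_PERMISSIONS = {
    "Group1": STANDARD_USER,
    "Group2": frozenset({"Auditor"}),
}


def effective_permissions(memberships, group_permissions=GROUP_PERMISSIONS):
    """Union of the permissions of every directory group the user is a member of."""
    perms = set()
    for group in memberships:
        perms |= group_permissions.get(group, frozenset())
    return frozenset(perms)


def sync_user(ad_memberships, current_perms, group_permissions=GROUP_PERMISSIONS):
    """Recompute a user's permissions after a membership change.

    Returns (new_perms, added, removed). Removing the user from one group only
    removes that group's permissions; permissions from other groups remain.
    """
    expected = effective_permissions(ad_memberships, group_permissions)
    return expected, expected - frozenset(current_perms), frozenset(current_perms) - expected


def find_stale_users(ad_memberships_by_user, safeguard_perms_by_user,
                     group_permissions=GROUP_PERMISSIONS):
    """Users whose recorded permissions do not match their AD group membership.

    A non-empty result means the directory sync has not caught up (or failed);
    the value for each user is (expected_from_ad, currently_recorded).
    """
    stale = {}
    for user, groups in ad_memberships_by_user.items():
        expected = effective_permissions(groups, group_permissions)
        actual = frozenset(safeguard_perms_by_user.get(user, frozenset()))
        if expected != actual:
            stale[user] = (expected, actual)
    return stale


if __name__ == "__main__":
    # Scenario from the question: user added to Group1, then also to Group2.
    user_perms = effective_permissions(["Group1"])
    new_perms, added, removed = sync_user(["Group1", "Group2"], user_perms)
    print("after joining Group2:", sorted(new_perms), "added:", sorted(added))

    # Before a sync runs, Safeguard still shows the old (Standard User) permissions.
    stale = find_stale_users({"jdoe": ["Group1", "Group2"]}, {"jdoe": user_perms})
    print("stale users before sync:", stale)
```

Running the drift check against the membership and permission data exported from AD and Safeguard gives a quick way to tell a genuine permission-evaluation problem apart from a sync that simply has not run yet.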

Parents
  • Hi,

    Yes - the expected behavior is that once the user is associated with Group2 in Safeguard, it should inherit the Auditor rather than the Standard permission.

    Directory Sync might not have run yet at the time you checked? If so, you can always force a directory sync now: go to Settings > External Integration > Identity and Authentication, select the AD provider and click the icon with circular arrows, which performs a sync now operation and updates the imported directory groups.

    Once this is completed, go back to the Users pane and click the refresh arrow at the top to refresh the users list, then select the member user in question to verify which permission is assigned to it under the General tab.

    Thanks!
