OnDemand User Group

Support Forums => MP Server => Topic started by: SacramentoUser on October 24, 2019, 04:36:30 PM

Title: CMOD 10.1.0.4 LDAP Synch
Post by: SacramentoUser on October 24, 2019, 04:36:30 PM
Hey all,

We are implementing LDAP synch, ARSLSYNC, that will synch users and groups from Active Directory. We are multi-platform Linux.

So far so good until today; users previously defined in CMOD with individual user query restrictions can now see the entire report versus the pages they are limited to view.

How is that supposed to work?  The group has permissions to view the application group and folder. The queries are at the user level.  My users are seeing the whole report.

If anyone can point me in the right direction to resolve this...I'll bake you cookies!!

Thanks.
Title: Re: CMOD 10.1.0.4 LDAP Synch
Post by: Justin Derrick on October 24, 2019, 05:35:03 PM
I suspect you'll need to create a new group that includes a query restriction under the Application Group Permissions tab, and remove their individual access rights to that App Group.  Otherwise, it does sound like a bug, and should probably be reported to IBM as a PMR.

-JD.
Title: Re: CMOD 10.1.0.4 LDAP Synch
Post by: rjrussel on October 25, 2019, 06:51:51 AM
Sounds like permissions may have changed for the user by some other process. ARSLSYNC doesn't assign permissions; it just creates users and groups and assigns group membership. I would look in the system log for message 36 to see if there are any user updates after the fact.

Thanks,
Rob
Title: Re: CMOD 10.1.0.4 LDAP Synch
Post by: SacramentoUser on October 25, 2019, 01:13:51 PM
Thanks D and R.

R - I checked the 36 message and the only changes were some I had made to accommodate the password case sensitivity. 

It looks to me like the queries at the user level are just being ignored.  We had to cancel our implementation until we can resolve this issue.  :(
Title: Re: CMOD 10.1.0.4 LDAP Synch
Post by: rjrussel on October 25, 2019, 02:26:11 PM
Sorry about that. Sounds like the process of applying the query restrictions/permissions isn't quite correct. ARSLSYNC doesn't do that part.