Symantec IGA

  • 1.  Identity Manager User Console not displaying correct tasks/menu items

    Posted Feb 05, 2020 03:56 PM
    First, I'm new to the communities. I should have cross-posted this between Identity and Access Mgmt, but didn't realize till afterwards, so this is a duplicate of a post I made to the other community.

    CA Identity Manager 12.6.8.0.423

    We have an existing user, kbruzek, who is supposed to be authorized to do a "view user" task. For some reason, it stopped working. Restarted IDM. Still not working. Created new user, kbruzek1, with all correct access/admin roles. Still doesn't work. Need assistance with how to troubleshoot further.

    I have the user's credentials. If I log into the Identity Manager UI, I do not see the expected tasks in the menu. We have another app that does TEWS calls. It is making the calls, and IDM is clearly logging that the user does not have access to the "View User" task. However, looking at the definition of the task and the user's configuration, they should.

    See attached screenshots. Not really sure what to check; this is basic functionality that typically just works. I should call out that other users don't seem to be impacted.

    Attachment: kbruzek1.docx (139 KB)


  • 2.  RE: Identity Manager User Console not displaying correct tasks/menu items

    Broadcom Employee
    Posted Feb 06, 2020 07:51 AM
    Next you will have to add a screenshot of the membership tab for the Master Customer User Manager admin role.

    Usually, admins set that screen to make a modification to the user when they are made a member of a role.

    Even though the screenshot shows the user checked as a member, maybe the actual modification to the user attribute failed?

    Bill Patton

    ------------------------------
    And, as always, perhaps there are others in the communities who have experience in doing this, and we invite them to comment here also.

    Another option may be to reach out to our partner HCL Technologies to see in what way they can assist further. The Enterprise Studio team of HCL can be reached at enterprisestudio@hcl.com. https://www.hcltech.com/enterprise-studio
    ------------------------------



  • 3.  RE: Identity Manager User Console not displaying correct tasks/menu items

    Posted Feb 07, 2020 09:26 AM
    The role membership is defined by having an attribute assigned in LDAP, which this user had. The screenshot I showed with that checkbox set wasn't me setting it; it was from "View User", so IDM was itself recognizing that user as meeting the membership criteria.

    Here's my latest info. I created another really basic user, called test1237; they worked and saw the correct tasks. Then I went through, a couple of items at a time, and removed the "extra" items from kbruzek1 till it had nothing assigned that test1237 didn't. kbruzek1 still doesn't work. test1237 does. Between each incremental test, I'd open a private window, log in, test, log out, and close the window completely to avoid the risk of old cookies or cache.

    At this point the only differences weren't access, but things like name, phone number, etc., as I had just used dummy data when creating the test account. To make sure it wasn't some weird value in one of those fields causing the issue, instead of trying to fix kbruzek1 I started updating test1237's fields to match what was left of kbruzek1 to see where it broke. I went through test1237 and updated everything I could to match kbruzek1. When done, the only remaining LDAP attribute differences are: dn, uid, and iMpasswordData. kbruzek1 still doesn't work. test1237 does.


    So now, the workaround I found, which I can't explain:

    I did an LDAP export of the original kbruzek account. I updated just the uid and dn from "kbruzek" to "kbruzek2" in the LDIF file and re-imported it into LDAP. That successfully created a new user called kbruzek2, and guess what, kbruzek2 gets the appropriate menu items.

    Our support just calls these "corrupt" user IDs. While that's a simple way to define those accounts and allow the end customer to move on, that just doesn't sit well with me. There shouldn't be any such thing as a "corrupt account"; it's either defined in LDAP correctly or it's not. It really seems like one of two things is happening:

    1. IDM looked up the record when it was in a different state and is caching it. I know how to clear an individual user item from cache for the SiteMinder Policy Server. Is there a way to do that in IDM? Is there a way to see what the cache interval is in IDM? (Does IDM even have a cache, or does it check LDAP every time?)
    2. IDM is failing to look up the record correctly. Is there any way to get IDM to log what query it is executing and what results it is getting back when it makes those authorization checks? (Preferably without just making it log everything, in which case we'd never find the needle of info we needed in the haystack.)

    The user is OK with transitioning to the new "kbruzek2" account, but if anyone has thoughts on my two theories above, or a whole new theory, I'm still open to listening for next time. (When you can't explain it, there's always a next time; it just varies how long before it happens again.)

    Thanks for your input.
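The comparison and the export/rename/re-import workaround described in the post above can be scripted so the "corrupt account" question is answered from the LDAP data itself rather than from the console. The following is an added example and is not code from the thread or from the CA/Symantec Identity Manager product; the LDIF sample, the directory layout (ou=people,dc=example,dc=com), and the use of employeeType as the role-membership attribute are constructed for illustration, and iMpasswordData is treated as an opaque per-account value. It parses an LDIF export, reports every attribute that differs between a broken and a working account while ignoring the attributes that are expected to be account-specific, and produces a clone entry under a new uid and dn in the same way the manual workaround did.

```python
import base64
import re

# Constructed sample LDIF export (not real data from the thread): the
# broken account and the working account are attribute-for-attribute
# identical except for uid, dn and the password blob.
SAMPLE_LDIF = """\
dn: uid=kbruzek1,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: kbruzek1
cn: Kevin Bruzek
sn: Bruzek
telephoneNumber: +1 555 0100
employeeType: usermanager
iMpasswordData:: QUJDRA==

dn: uid=test1237,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: test1237
cn: Kevin Bruzek
sn: Bruzek
telephoneNumber: +1 555 0100
employeeType: usermanager
iMpasswordData:: V1hZWg==
"""

# Attributes that legitimately differ per account and must not count as
# a difference when hunting for what makes one entry misbehave.
IGNORED = {"uid", "iMpasswordData"}


def parse_ldif(text):
    """Return {dn: {attr: [values]}} for every entry in an LDIF string.

    Handles folded continuation lines (leading space) and base64 values
    ("attr:: ..."). Bytes that are not valid UTF-8 survive round-trips via
    surrogateescape so binary attributes are re-emitted unchanged."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = []
        for line in block.splitlines():
            if line.startswith(" ") and lines:      # RFC 2849 line folding
                lines[-1] += line[1:]
            elif line and not line.startswith("#"):
                lines.append(line)
        attrs = {}
        for line in lines:
            if ":: " in line:
                name, raw = line.split(":: ", 1)
                val = base64.b64decode(raw).decode("utf-8", "surrogateescape")
            else:
                name, val = line.split(": ", 1)
            attrs.setdefault(name, []).append(val)
        dn = attrs.pop("dn")[0]
        entries[dn] = attrs
    return entries


def diff_entries(a, b, ignore=IGNORED):
    """Attributes whose value sets differ between two parsed entries.

    Returns {attr: (values_in_a, values_in_b)}; an empty dict means the two
    accounts are indistinguishable apart from the ignored attributes."""
    names = (set(a) | set(b)) - set(ignore)
    out = {}
    for name in sorted(names):
        va, vb = sorted(a.get(name, [])), sorted(b.get(name, []))
        if va != vb:
            out[name] = (va, vb)
    return out


def _ldif_line(name, value):
    """Emit one attribute line, base64-encoding values that are not LDIF-safe."""
    safe = (value.isascii() and value != "" and value[0] not in " :<"
            and not re.search(r"[\x00\r\n]", value))
    if safe:
        return f"{name}: {value}"
    enc = base64.b64encode(value.encode("utf-8", "surrogateescape")).decode()
    return f"{name}:: {enc}"


def clone_entry(entries, old_uid, new_uid):
    """Copy the entry whose uid is old_uid under new_uid (and a matching dn),
    returning LDIF text ready for ldapadd; everything else is kept verbatim."""
    old_dn = next(dn for dn in entries if entries[dn].get("uid") == [old_uid])
    new_dn = old_dn.replace(f"uid={old_uid},", f"uid={new_uid},", 1)
    lines = [f"dn: {new_dn}"]
    for name, values in entries[old_dn].items():
        for v in values:
            if name == "uid" and v == old_uid:
                v = new_uid
            lines.append(_ldif_line(name, v))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    broken = entries["uid=kbruzek1,ou=people,dc=example,dc=com"]
    working = entries["uid=test1237,ou=people,dc=example,dc=com"]
    print("differences:", diff_entries(broken, working))
    print(clone_entry(entries, "kbruzek1", "kbruzek2"))
```

Run it against a real `ldapsearch -LLL` export of the two accounts to get a definitive list of what still differs; if `diff_entries` is empty and the clone still behaves differently from the original, the cause is not in the directory data and the caching or lookup theories in the post become the ones to pursue.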




  • 4.  RE: Identity Manager User Console not displaying correct tasks/menu items
    Best Answer

    Posted Feb 10, 2020 03:50 AM
    Hello Amon,

    Can you please try adding the user directly to the admin role, under the Membership tab for the admin role? We also sometimes face this kind of issue, and adding the user directly under the Membership tab resolves it for us.

    I am not sure what the reason behind this is, but see if this works for you.

    Thanks,
    Shashank