Thanks Hubert!
Please see my comments inline:
Configuration
Statement-1 : Authentication Directory = CA Dir and Authorization Directory = AD. So we are using Directory Mapping. My next question is: which Directory Mapping, i.e. the one under Legacy or Identity Mapping?
<Vishal> We have Legacy Auth/AZ directory mapping configured for CA directory and AD on Universal ID. The Universal ID configured for CA Directory is one of the attributes from the user’s CA directory profile, i.e. XID (used as SAMAccountName in AD), and SAMAccountName for AD.
Statement-2 : We only have a GET/POST Rule in the Realm.
<Vishal> In the realm, we have the below 2 rules configured:
- GET/POST
- OnAccessReject
Statement-3 : The Realm has the Directory Mapping selected.
<Vishal> Yes, Active Directory UD is selected under “Legacy Authorization Directory Mapping” in realm.
Statement-4 : In the Users Tab in Policies there is nothing added under CA Directory, but under AD you have users OR groups OR members OR 'All' added. Also there is the GET/POST Rule added to this Policy.
<Vishal> Yes, there is no filter added under CA Directory. For AD, the parent group is added and “Allow Nested Groups” is selected to authorize users from nested groups. Yes, only GET/POST rules are added to this policy.
Statement-5 : When using SM_USERGROUPS only in Response, you are seeing the nested group (i.e. the Group the User is directly mapped to) returned from AD in SM_USERGROUPS.
<Vishal> Yes
Statement-6 : When using SM_USERNESTEDGROUPS only in Response, you are seeing the nested group (i.e. the Group the User is directly mapped to) returned from AD in SM_USERNESTEDGROUPS.
<Vishal> Yes
The issue statement is correct.
Issue Statement
- When using a single directory as Authentication and Authorization directory (i.e. no Directory Mapping), SM_USERNESTEDGROUPS populates Parent Group and Nested Group.
- When using two user directories e.g. CA Directory as Authentication Directory and AD as Authorization Directory (i.e. with Directory Mapping), SM_USERNESTEDGROUPS is populated with only the Nested Group from Authorization Directory (i.e. AD).
Please let me know if you need any further details.
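As an added example that is not part of this thread (and not product code), the following Python computes a user's direct and transitive group sets from a constructed AD-style hierarchy and diffs the transitive set against an observed SM_USERNESTEDGROUPS value, so a missing parent group like the one in the issue statement can be flagged in a test. The group DNs, the user and the '^' delimiter are assumptions.

```python
# Constructed example (not from the thread or the product): compute which groups a
# nested-groups response attribute should list for a user and diff that against
# the value actually returned, so a missing parent group is spotted programmatically.

# Constructed AD-style hierarchy: group DN -> DNs of groups that are members of it.
# app-users is nested in app-parent, which is nested in all-staff.
GROUP_MEMBERS = {
    "CN=all-staff,OU=Groups,DC=example,DC=com": {"CN=app-parent,OU=Groups,DC=example,DC=com"},
    "CN=app-parent,OU=Groups,DC=example,DC=com": {"CN=app-users,OU=Groups,DC=example,DC=com"},
    "CN=app-users,OU=Groups,DC=example,DC=com": set(),
}

# Constructed direct membership: user -> groups listed in the user's memberOf.
USER_MEMBEROF = {"jdoe": {"CN=app-users,OU=Groups,DC=example,DC=com"}}


def direct_groups(user):
    """Direct membership only, which is what the thread says SM_USERGROUPS carried."""
    return set(USER_MEMBEROF.get(user, set()))


def nested_groups(user):
    """Direct groups plus every group that (transitively) contains them.
    This is the set a nested-groups attribute is expected to hold in the
    single-directory case described above. Cycle-safe."""
    resolved = set()
    pending = list(direct_groups(user))
    while pending:
        group = pending.pop()
        if group in resolved:
            continue
        resolved.add(group)
        # Walk upward: any group whose member set contains this group is a parent.
        pending.extend(parent for parent, members in GROUP_MEMBERS.items() if group in members)
    return resolved


def parse_attr(value, delimiter="^"):
    """Split a multi-valued response attribute. The '^' delimiter is an assumption
    about how the header is rendered; adjust to match your deployment."""
    return {part.strip() for part in value.split(delimiter) if part.strip()}


def missing_groups(user, observed_value, delimiter="^"):
    """Groups the nested-groups attribute should contain but does not."""
    return nested_groups(user) - parse_attr(observed_value, delimiter)
```

Feeding the observed header value from a directory-mapping realm into `missing_groups` returns the parent groups that the attribute dropped; an empty set means the response matches the directory.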