Problem:
Active Directory users are added to an Active Directory group, and that AD group is assigned to a role in the Centrify Infrastructure tenant. When one of those users logs into the Infrastructure Portal, the tenant role is not assigned.
For example, the AD user testAdmin is a member of the AD group cfyA_Global_CentrifyAdmins, and that group is assigned to the tenant role System Administrator.
When testAdmin logs into the Infrastructure Portal, the System Administrator role is not assigned.
Cause:
The connector machine reads the AD user's constructed attribute "tokenGroupsGlobalAndUniversal" to determine that user's group membership. This is done for performance: the attribute gives the connector the user's expanded group membership in a single read, so the connector does not have to loop through group memberships itself to locate all the correct members.
If the account the connector runs under does not have "read" access to this constructed attribute, the group membership is not expanded and the connector does not see the user as a member of the group.
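To check whether the connector's account can actually read the attribute, here is an added PowerShell diagnostic (not Centrify's own code). It assumes it is run on the connector host under the same account the connector uses, and it takes the user and group names from the example above as defaults.

```powershell
# Added example: read tokenGroupsGlobalAndUniversal the same way the
# connector relies on it, and report whether the expected group shows up.
# Hypothetical script, not part of the Centrify connector.
param(
    [string]$UserSamAccountName = 'testAdmin',                  # user from the KB example
    [string]$ExpectedGroup      = 'cfyA_Global_CentrifyAdmins'  # group from the KB example
)

# Locate the user object with a plain LDAP search (no AD module needed).
$rootDse  = [ADSI]"LDAP://RootDSE"
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]("LDAP://" + $rootDse.defaultNamingContext)
$searcher.Filter     = "(&(objectCategory=person)(sAMAccountName=$UserSamAccountName))"
[void]$searcher.PropertiesToLoad.Add('distinguishedName')
$result = $searcher.FindOne()
if (-not $result) { throw "User $UserSamAccountName not found" }

# Constructed attributes are only returned when explicitly requested on the
# object itself. If the caller lacks read access, the server returns nothing
# rather than an error, which is exactly the silent failure the KB describes.
$user = $result.GetDirectoryEntry()
$user.RefreshCache(@('tokenGroupsGlobalAndUniversal'))
$sids = $user.Properties['tokenGroupsGlobalAndUniversal']

if ($sids.Count -eq 0) {
    Write-Warning "tokenGroupsGlobalAndUniversal returned no values: this account cannot read the constructed attribute, so group membership will not be expanded."
    return
}

# Each value is a binary SID; translate it to DOMAIN\Group where possible.
$groups = foreach ($raw in $sids) {
    $sid = New-Object System.Security.Principal.SecurityIdentifier($raw, 0)
    try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $sid.Value }   # unresolvable SID: keep the raw S-1-5-... form
}
$groups | Sort-Object

if ($groups -match [regex]::Escape($ExpectedGroup)) {
    "OK: $UserSamAccountName is seen as a member of $ExpectedGroup"
} else {
    Write-Warning "$ExpectedGroup is not present in the expanded token groups"
}
```

Run the same script under your own admin account for comparison: if the group appears there but not under the connector's account, the difference is the read permission on the constructed attribute.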
Workaround:
The tenant administrator can "reload" the user information from AD.
Solution: