Applies to: Centrify DirectControl 5.0.x
When roles are managed through group membership (roles are assigned to AD groups and users are then placed in those groups), it is sometimes observed that after a user is moved from one group to another, dzinfo still reports the user as having the roles of the old group. The user may also be denied access by Centrify because the roles/rights of the new group are not yet in effect. The issue corrects itself over a period of time, or immediately when the cache is cleared manually (adflush -a).
Is there any reason for this?
User role assignments are always computed from local cache lookups. In Centrify 5.0.x and earlier there are two different ways of doing this:
1) By looking up a user, determining the user’s group membership and the roles assigned to those groups
2) By looking up groups with role assignments and seeing if the user is a member.
When users are moved from group to group, Method 1) is the most accurate. However, if the user's cached information is more than an hour old, Method 2) is used instead.
Method 2) relies on the cached group membership lists, which do not yet reflect that the user has been moved to a different group, so it reports the roles of the original group.
A special (one-off) build has been released for this problem; it always uses Method 1).
Note that whenever a user authenticates, the user's group membership is refreshed. The group membership is refreshed periodically after that as well, so the user is eventually shown with the roles of the new group and will not revert to the old roles once that has happened.
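The following is an added illustration, not Centrify code: a small Python model of the two lookup methods described above. The cache layout, the group and role names, and the one-hour threshold are assumptions chosen to reproduce the behaviour the answer describes (user entry refreshed at authentication, group member lists refreshed only periodically or by adflush -a).

```python
"""
Toy model of user-centric (Method 1) versus group-centric (Method 2)
role resolution against a stale local cache.  Constructed for this
article; it is not Centrify code and the data structures are
assumptions, not the real adclient cache format.
"""
from dataclasses import dataclass, field

ONE_HOUR = 3600  # assumed threshold: user entry older than this -> Method 2


@dataclass
class Directory:
    """Authoritative AD state: group -> set of member users (constructed)."""
    members: dict


@dataclass
class Cache:
    """Stand-in for the local adclient cache (assumed layout)."""
    user_groups: dict = field(default_factory=dict)    # user -> (fetched_at, set(groups))
    group_members: dict = field(default_factory=dict)  # group -> set(users), as cached
    group_roles: dict = field(default_factory=dict)    # group -> set(roles) assigned to it

    def refresh_user(self, directory, user, now):
        """What happens at authentication: the user's own group list is re-read."""
        groups = {g for g, m in directory.members.items() if user in m}
        self.user_groups[user] = (now, groups)

    def refresh_groups(self, directory):
        """Periodic group refresh, or `adflush -a`: cached member lists re-read."""
        self.group_members = {g: set(m) for g, m in directory.members.items()}

    def method1(self, user):
        """Method 1: roles of the groups in the user's own cached entry."""
        _, groups = self.user_groups[user]
        return set().union(*(self.group_roles.get(g, set()) for g in groups))

    def method2(self, user):
        """Method 2: walk groups that carry roles, test the cached member lists."""
        roles = set()
        for g, r in self.group_roles.items():
            if user in self.group_members.get(g, set()):
                roles |= r
        return roles

    def resolve_5_0(self, user, now):
        """5.0.x behaviour per the article: Method 1 only while the user entry is fresh."""
        fetched_at, _ = self.user_groups[user]
        if now - fetched_at <= ONE_HOUR:
            return self.method1(user)
        return self.method2(user)

    def resolve_fixed(self, user, now):
        """One-off build / 5.1 behaviour per the article: always Method 1."""
        return self.method1(user)


def scenario():
    """Move a user between two role-bearing groups and resolve at different times."""
    ad = Directory(members={"unix-ops": {"alice"}, "db-admins": set()})
    cache = Cache(group_roles={"unix-ops": {"UNIX Login"}, "db-admins": {"DBA"}})
    t = 0
    cache.refresh_user(ad, "alice", t)
    cache.refresh_groups(ad)

    # An admin moves alice between groups; only AD changes, the cache does not.
    ad.members["unix-ops"].discard("alice")
    ad.members["db-admins"].add("alice")

    t = 60
    cache.refresh_user(ad, "alice", t)  # alice authenticates: her own entry is updated
    fresh = cache.resolve_5_0("alice", now=t + 600)            # Method 1 -> new roles
    stale = cache.resolve_5_0("alice", now=t + ONE_HOUR + 1)   # Method 2 -> old roles
    fixed = cache.resolve_fixed("alice", now=t + ONE_HOUR + 1) # always Method 1

    cache.refresh_groups(ad)  # adflush -a, or the periodic group refresh
    after_flush = cache.resolve_5_0("alice", now=t + ONE_HOUR + 1)
    return {"fresh": fresh, "stale": stale, "fixed": fixed, "after_flush": after_flush}


if __name__ == "__main__":
    for label, roles in scenario().items():
        print(f"{label:12s} {sorted(roles)}")
```

Running the scenario shows the symptom directly: resolving within the hour after login yields the new group's role, resolving after the user entry has aged past the threshold falls back to the cached group member lists and returns the old role, and a group refresh (the periodic one or adflush -a) or the always-Method-1 resolver gives the correct answer.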
Please contact Support for additional information.
The one-off build is for Centrify DirectControl 5.0.2-413. The fix is also included in Centrify DirectControl 5.1.