Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >

KB-2956: Duplicate and incorrect role assignment granted to user.

Authentication Service ,  

12 April,16 at 11:12 AM

Applies to: Centrify DirectControl 5.0.x 
When  attempting to control/manage user roles through group membership: i.e. Assign roles to AD groups and then put users in those groups, it is noticed that if a user is moved from one group to another, dzinfo sometimes reports the user as still having the roles of the old group.  This also results in the user getting denied by Centrify as the roles/rights are in place. The issue auto-corrects over a period of time or by manually clearing cache (adflush -a). 
Is there any reason for this? 
User role assignments are always computed via local cache lookups, and In Centrify 5.0.x and earlier, there are two different ways: 
1) By looking up a user, determining the user’s group membership and the roles assigned to those groups 
2) By looking up groups with role assignments and seeing if the user is a member. 
When users are moved from group to group, Method 1) is the most accurate way. However if the user’s information in the cache is over an hour old, Method 2) is used. 
Method 2) misses the fact that the user has been moved to a different group, and therefore reports the roles for the original group. 
A special build/one-off for this problem has been released, that always uses Method 1). 
Note that whenever a user authenticates, the user’s group membership is always updated. Periodically the group membership is again updated after that, so eventually the user will be shown as having the roles for the new group and will never appear to revert back to the old roles. 
Please contact Support for additional information.
For support, the version is Centrify DirectControl 5.0.2-413. This has been fixed in Centrify DirectControl 5.1 as well.

Related Articles

No related Articles