Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >

KB-6629: If the same role is assigned from multiple role assignments, only the last one is used

Centrify DirectControl ,  

15 April,16 at 06:26 PM

Applies to:
Centrify Suite 2015.1 (5.2.3) and below.


The issue applies to all the releases prior to Centrify Suite 2016. 

If the same role is assigned  from multiple role assignments  only the  settings in the last role are used.


Due to a design limitation, for a given role with multiple role-assignments, it will only recognize the last one, even though it can list all of them. The problem is that later in processing, the role assignments wind up in a map keyed by role name which only has one slot. Therefore the last one wins.


This issue can be reproduced on Fedora Server 22 with cdc build 5.2.3-429

1. Install cdc and join to domain
2. Assign Unix Login role to zone AD user nekou1 then assign same role to nekog1(group of nekou1)
3. Run "adflush -f; dzinfo nekou1"
[root@fcs22v3 523429]# dzinfo nekou1
User: nekou1
Forced into restricted environment: No
Role Name Avail Restricted Env
--------------- ----- --------------
UNIX Login/neko Yes None
UNIX Login/neko No None
>>> Get two same roles here. This is incorrect.
4. Run "dzinfo -f nekou1"
[root@fcs22v3 523429]# dzinfo -A -f nekou1 nekou1:ROLE:Local User:No nekou1:ROLE:Role Name:UNIX Login/neko nekou1:ROLE:Description:Predefined system role for general UNIX login users.
nekou1:ROLE:Restricted Env:None
nekou1:ROLE:Available Hours:Always
nekou1:ROLE:Role Name:UNIX Login/neko
>>> Get two same roles. This is incorrect.


This is fixed in Suite 2016 ( adclient version 5.3.0).

In this version  when same role is assigned to an user through multiple role assignment, 
previously dzinfo incorrectly displayed as there were multiple roles assigned to user 
and the shown-up as multiple role properties and role assignment properties.
This issue has been fixed, and dzinfo will show one role, with one role properties and 
multiple role assignment properties.


Still have questions? Click here to log a technical support case, or collaborate with your peers in Centrify's Online Community.