Support Article

User group provisioning based on SSO URL fails

SA-34811

Summary



The environment has multiple SSO URLs (A, B) and access groups (X, Y). When User1 logs in via URL A, their default access group is assigned as X. When User1 logs in via URL B, their default access group should be assigned as Y instead of X. Currently, when User1 logs in via URL B, their default access group is still set to X.

Error Messages



2017-01-30 11:24:44,960 [ WebContainer : 18] [ STANDARD] [ ] [te_RxEnroll:01.01.01] ( internal.mgmt.Executable) ERROR app domain|127.0.0.1 - Only authenticated client may start this activity: RULE-OBJ-ACTIVITY DATA-ADMIN- LOOKUPLIST #20130919T000420.088 GMT
com.pega.pegarules.pub.PRRuntimeException: Error: You lack access required to execute RULE-OBJ-ACTIVITY DATA-ADMIN- LOOKUPLIST #20130919T000420.088 GMT.


Steps to Reproduce

  1. User logs into application via one SSO URL.
  2. Check access group.
  3. User logs out.
  4. User logs in via second SSO URL.


Root Cause



Whenever a new operator is created or the access group is changed, the list retained in .pyAccessGroupsAdditional must be updated to include the access group. For example, the XML on an operator record will show:

<pyAccessGroup>SRA87935:Administrators</pyAccessGroup>

The same access group will also appear in the list:

<pyAccessGroupsAdditional REPEATINGTYPE="PropertyList">
<rowdata REPEATINGINDEX="1">SRA87935:Administrators</rowdata>
<rowdata REPEATINGINDEX="2">PRPC:Administrators</rowdata>
</pyAccessGroupsAdditional>

Resolution



Added a Property-Set step to update pyAccessGroupsAdditional.
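
An added example, not Pega code and not part of the original article: a Python check over an exported operator record that flags the condition described in the root cause (the default pyAccessGroup missing from pyAccessGroupsAdditional) and mirrors the list update in memory. The <operator> wrapper element and the group name AppY:Users are assumptions constructed for the sample.

```python
import xml.etree.ElementTree as ET

# Constructed sample records. The <operator> wrapper element is an assumption;
# the inner elements follow the fragments shown in the article.
CONSISTENT = """<operator>
<pyAccessGroup>SRA87935:Administrators</pyAccessGroup>
<pyAccessGroupsAdditional REPEATINGTYPE="PropertyList">
<rowdata REPEATINGINDEX="1">SRA87935:Administrators</rowdata>
<rowdata REPEATINGINDEX="2">PRPC:Administrators</rowdata>
</pyAccessGroupsAdditional>
</operator>"""

# Default group was switched, but the list was never updated.
STALE = CONSISTENT.replace(
    "<pyAccessGroup>SRA87935:Administrators</pyAccessGroup>",
    "<pyAccessGroup>AppY:Users</pyAccessGroup>")  # constructed group name


def additional_groups(root):
    """Return the access groups listed in pyAccessGroupsAdditional, in order."""
    plist = root.find("pyAccessGroupsAdditional")
    if plist is None:
        return []
    return [(r.text or "").strip() for r in plist.findall("rowdata")]


def is_consistent(xml_text):
    """True when the default access group also appears in the additional list."""
    root = ET.fromstring(xml_text)
    default = (root.findtext("pyAccessGroup") or "").strip()
    return bool(default) and default in additional_groups(root)


def add_default_to_list(xml_text):
    """Append the default group to the list if missing; return the new XML."""
    root = ET.fromstring(xml_text)
    default = (root.findtext("pyAccessGroup") or "").strip()
    if not default:
        raise ValueError("record has no pyAccessGroup")
    plist = root.find("pyAccessGroupsAdditional")
    if plist is None:
        plist = ET.SubElement(root, "pyAccessGroupsAdditional",
                              {"REPEATINGTYPE": "PropertyList"})
    if default not in additional_groups(root):
        index = str(len(plist.findall("rowdata")) + 1)
        row = ET.SubElement(plist, "rowdata", {"REPEATINGINDEX": index})
        row.text = default
    return ET.tostring(root, encoding="unicode")
```

Running is_consistent over operator records after an SSO login shows whether the default access group and the list have drifted apart.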

Published March 9, 2017 - Updated March 10, 2017

