Support Article
User group provisioning based on SSO URL fails
SA-34811
Summary
The environment has multiple SSO URLs (A, B) and access groups (X, Y). When User1 logs in via URL A, their default access group is assigned as X. When User1 logs in via URL B, their default access group should then be assigned as Y instead of X. Currently, when User1 logs in via URL B, their default access group is still set as X.
Error Messages
2017-01-30 11:24:44,960 [ WebContainer : 18] [ STANDARD] [ ] [te_RxEnroll:01.01.01] ( internal.mgmt.Executable) ERROR app domain|127.0.0.1 - Only authenticated client may start this activity: RULE-OBJ-ACTIVITY DATA-ADMIN- LOOKUPLIST #20130919T000420.088 GMT
com.pega.pegarules.pub.PRRuntimeException: Error: You lack access required to execute RULE-OBJ-ACTIVITY DATA-ADMIN- LOOKUPLIST #20130919T000420.088 GMT.
Steps to Reproduce
- User logs into application via one SSO URL.
- Check access group.
- User logs out.
- User logs in via second SSO URL.
Root Cause
Whenever a new operator is created or the access group is changed, the list retained in .pyAccessGroupsAdditional must be updated to include the access group. For example, the XML on an operator record will show:
<pyAccessGroup>SRA87935:Administrators</pyAccessGroup>
The same access group will also appear in the list:
<pyAccessGroupsAdditional REPEATINGTYPE="PropertyList">
<rowdata REPEATINGINDEX="1">SRA87935:Administrators</rowdata>
<rowdata REPEATINGINDEX="2">PRPC:Administrators</rowdata>
</pyAccessGroupsAdditional>
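One way to audit operator records for the inconsistency described above, as an added example that is not Pega's own code. The element names are the ones shown in the XML above; the `<pagedata>` wrapper, the operator IDs and both sample records are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed operator records. The <pagedata> wrapper is an assumption;
# records are expected to come from a trusted export of operator data.
SAMPLE_OK = """<pagedata>
  <pyAccessGroup>SRA87935:Administrators</pyAccessGroup>
  <pyAccessGroupsAdditional REPEATINGTYPE="PropertyList">
    <rowdata REPEATINGINDEX="1">SRA87935:Administrators</rowdata>
    <rowdata REPEATINGINDEX="2">PRPC:Administrators</rowdata>
  </pyAccessGroupsAdditional>
</pagedata>"""

# Default access group was switched, but the list was never updated.
SAMPLE_STALE = """<pagedata>
  <pyAccessGroup>PRPC:Administrators</pyAccessGroup>
  <pyAccessGroupsAdditional REPEATINGTYPE="PropertyList">
    <rowdata REPEATINGINDEX="1">SRA87935:Administrators</rowdata>
  </pyAccessGroupsAdditional>
</pagedata>"""


def audit_operator(xml_text):
    """Return a list of findings for one operator record (empty = consistent)."""
    root = ET.fromstring(xml_text)
    findings = []
    default = (root.findtext("pyAccessGroup") or "").strip()
    if not default:
        findings.append("no default access group set")
        return findings
    rows = root.findall("pyAccessGroupsAdditional/rowdata")
    listed = [(row.text or "").strip() for row in rows]
    if not listed:
        findings.append("pyAccessGroupsAdditional is missing or empty")
    elif default not in listed:
        findings.append(
            f"default access group {default!r} not in pyAccessGroupsAdditional {listed}"
        )
    return findings


def audit_batch(records):
    """Map operator ID -> findings, keeping only inconsistent operators."""
    results = {op_id: audit_operator(xml) for op_id, xml in records.items()}
    return {op_id: f for op_id, f in results.items() if f}


if __name__ == "__main__":
    # Operator IDs are constructed sample values.
    for op_id, found in audit_batch({"user1": SAMPLE_OK, "user2": SAMPLE_STALE}).items():
        print(op_id, found)
```

Operators reported by `audit_batch` are those whose default access group was changed without the list being updated, which is the condition the Property-Set step in the resolution corrects.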
Resolution
Added a Property-Set step to update pyAccessGroupsAdditional.
Published March 10, 2017 - Updated October 8, 2020