Support Article

User group provisioning based on SSO URL fails



The environment has multiple SSO URLs (A, B) and access groups (X, Y). When User1 logs into URL A, their default access group is assigned as X. When User1 logs in via URL B, their default access group should then be assigned as Y instead of X. Currently, User1 logging in via URL B find that their default access group is still set as X.

Error Messages

2017-01-30 11:24:44,960 [ WebContainer : 18] [ STANDARD] [ ] [te_RxEnroll:01.01.01] ( internal.mgmt.Executable) ERROR app domain| - Only authenticated client may start this activity: RULE-OBJ-ACTIVITY DATA-ADMIN- LOOKUPLIST #20130919T000420.088 GMT Error: You lack access required to execute RULE-OBJ-ACTIVITY DATA-ADMIN- LOOKUPLIST #20130919T000420.088 GMT.

Steps to Reproduce

  1. User logs into application via one SSO URL.
  2. Check access group.
  3. User logs out.
  4. User logs in via second SSO URL.

Root Cause

Whenever a new operator is created or the access group is changed, the list retained in .pyAccessGroupsAdditional must be updated to include the access group. For example, the XML on an operator record will show :


Additionally will show this access group in the list :

<pyAccessGroupsAdditional REPEATINGTYPE="PropertyList">
<rowdata REPEATINGINDEX="1">SRA87935:Administrators</rowdata>
<rowdata REPEATINGINDEX="2">PRPC:Administrators</rowdata>


Added a Property-Set step to update pyAccessGroupsAdditional.

Published March 9, 2017 - Updated March 10, 2017

100% found this useful

Have a question? Get answers now.

Visit the Collaboration Center to ask questions, engage in discussions, share ideas, and help others.