Catalog Security + Security Group

We have a customer that is trying to use security groups to control access to different roles within AppPortal. We can add the security group without issue and I see no clear issues.

The security groups are not granting the access. For example, trying to give Catalog access to a specific group. Adding the group does not allow the users of the group access but adding the user directly allows access. Removing the direct access while the security group still has access does not allow access once again.

Has anyone run into this or have any ideas why this could be happening?

(1) Solution

I can't say that I've done much with SSO other than to configure it.  Certainly no in-depth testing, so I'm not sure how that would affect user group membership enumeration.  One thing you might try is setting the HasUntrustedDomains flag in the WD_AppSettings table to true and see if that makes a difference.

Anything expressed here is my own view and not necessarily that of my employer, Flexera. If my reply answers a question you have raised, please click "ACCEPT AS SOLUTION".

(4) Replies

It's probably worth noting that this implementation is using CAC authentication as well. Not sure that should matter for a security group but just wanted to be transparent.

It looks like that worked. Do you have these WD_AppSettings values documented anywhere that can be shared? This is the 2nd time we've had to go into the database and manipulate the WD_AppSettings table.

We don't have a published list of the settings that can't be configured through the admin UI.  These are generally settings that get added because a specific customer/partner has either requested new functionality or run into an issue that seemed to be unique to them and we implemented it for them as a hotfix.  These are not typically things we expect or want many customers to use, as they don't always go through the same level of testing/validation, but they are needed on occasion.  For the more common ones that we are comfortable with anyone using, these generally get published in the release notes for the release where they are first introduced or are available in KB articles from our Support team.  The two that I commonly see used are the HasUntrustedDomains flag and the ShowFSGEndPoints flag.