The Community is now in read-only mode to prepare for the launch of the new Flexera Community. During this time, you will be unable to register, log in, or access customer resources. Click here for more information.
We have a customer that is trying to use security groups to control access to different role within AppPortal. We can add the security group without issue and I see no clear issues.
The security groups are not granting the access. Example, trying to give Catalog access to a specific group. Adding the group does not allow the users of the group access but adding the user directly allows access. Removing the direct access while the security group still has access does not allow access once again.
Has anyone run into this or have any ideas why this could be happening.
Mar 10, 2020 05:41 PM
I can't say that I've done much with SSO other than to configure it. Certainly no in-depth testing, so I'm not sure how that would affect user group membership enumeration. One thing you might try is setting the HasUntrustedDomains flag in the WD_AppSettings table to true and see if that makes a difference.
Mar 11, 2020 05:46 PM
It's probably worth noting that this implementation is using CAC authentication as well. Not sure that should matter for a security group but just wanted to be transparent.
Mar 11, 2020 07:57 AM
I can't say that I've done much with SSO other than to configure it. Certainly no in-depth testing, so I'm not sure how that would affect user group membership enumeration. One thing you might try is setting the HasUntrustedDomains flag in the WD_AppSettings table to true and see if that makes a difference.
Mar 11, 2020 05:46 PM
It looks like that worked. Do you have these WD_AppSettings values documented anywhere that can be shared? This is the 2nd time we've had to go into the database and manipulate the WD_AppSettings table.
Mar 12, 2020 11:56 AM
We don't have a published list of the settings that can't be configured through the admin UI. These are generally settings that get added because a specific customer/partner has either requested new functionality or run into an issue that seemed to be unique to them and we implemented it for them as a hotfix. These are not typically things we expect or want many customers to use, as they don't always go through the same level of testing/validation, but they are needed on occasion. For the more common ones that we are comfortable with anyone using, these generally get published in the release notes for the release where they are first introduced or are available in KB articles from our Support team. The two that I commonly see used are the HasUntrustedDomains flag and the ShowFSGEndPoints flag.
Mar 12, 2020 01:34 PM