Active Directory Group permissions take long to propagate

Janco (9 posts)
July 20, 2016 05:00 AM
Accepted Answer

We're experiencing some problems with permissions taking a long time to propagate through to individual (dynamic) logins in adTempus. On the dynamic login properties, we can see the correct domain groups for the user, and the last date/time when permissions were copied from the group(s).

We're observing the following:

1. In at least one case, the copying of permissions has not been done in about 2 years now.

2. In all cases, even though appropriate permissions reflect correctly, the user is unable to perform the expected functions. Eventually (anything from 15 minutes to a couple of days) the permissions are copied across.

Is this a bug in 4.1? Do we need to upgrade to get around the problem? Is there any manual way for us to force the permissions to propagate immediately after a change?

Bill Staff (599 posts)
July 20, 2016 06:44 AM
Accepted Answer

Permissions get copied each time the user logs in. There's no way to force a refresh. If they're not getting copied at login, then something is going wrong, or adTempus isn't matching the user to the AD group in the way you expect.

There was a bug related to dynamic logins that was fixed in version 4.2, but I don't think it would be related to what you're seeing--it would cause the login operation to fail with an error message.

You can turn on diagnostic logging for the adTempus service and then have the user log in. Review the debug log and you will see the login operation happening and information about what groups permissions are being copied from.

For help reviewing the logs or figuring out what the problem is, please open a support case and include the debug log.

Janco (9 posts)
July 21, 2016 02:18 AM
Accepted Answer

Thanks for the reply.

The logs indicate that the permissions are being updated for the dynamic login. However, it still seems to take a while before the availability of certain operations changes in the adTempus console.

Example:
Given an AD Group ("MyGroup") with permissions to run jobs, and user "MyUser" being a member of the group,
When removing "MyUser" from "MyGroup" on Active Directory,
Then it takes anything from a few minutes to a couple of days for the "Run..." option on a job to become unavailable for that user.

Note that in the above example, the adTempus console was restarted after making the change to the AD group.

Bill Staff (599 posts)
July 21, 2016 03:28 PM
Accepted Answer

I can't explain your first problem ("copying of permissions has not been done in about 2 years"). That should happen every time the user logs in to adTempus. If you have a user where that is the case, have them log in and then check the debug log to see what's happening.

I did some testing and was able to reproduce your second problem. The issue is that permission lookups for the user are cached on the server but the cache isn't being cleared when the permissions are updated for the user at login. Therefore the user will still have the previous permissions for any object that's in the cache. The new permissions are kicking in the next time the cache gets cleared by another event or by a restart of the adTempus service. So you can work around the problem by restarting the service.

If you open a support case we can get a fix for you next week.
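
The stale-cache behaviour described in this thread, modelled as an added example (not adTempus code and not part of the original posts): a server that caches permission lookups per user and object, run once without and once with cache eviction at login. The class, method names, and the job name "Job1" are hypothetical.

```python
# Added illustration; names are hypothetical, not adTempus APIs.
class PermissionServer:
    def __init__(self, group_perms, invalidate_on_login):
        self.group_perms = group_perms      # group -> set of (object, action)
        self.invalidate_on_login = invalidate_on_login
        self.login_perms = {}               # user -> permissions copied at login
        self.cache = {}                     # (user, object, action) -> bool

    def login(self, user, groups):
        """Copy permissions from the user's current AD groups at login."""
        perms = set()
        for group in groups:
            perms |= self.group_perms.get(group, set())
        self.login_perms[user] = perms
        if self.invalidate_on_login:
            # Fix: evict every cached decision for this user.
            for key in [k for k in self.cache if k[0] == user]:
                del self.cache[key]

    def is_allowed(self, user, obj, action):
        """Answer from the cache when possible, else compute and cache."""
        key = (user, obj, action)
        if key not in self.cache:
            allowed = (obj, action) in self.login_perms.get(user, set())
            self.cache[key] = allowed
        return self.cache[key]

    def restart(self):
        """Service restart (the workaround): clears the whole cache."""
        self.cache.clear()


def scenario(invalidate_on_login):
    """Replay the MyUser/MyGroup example; return the decision at each step."""
    srv = PermissionServer({"MyGroup": {("Job1", "run")}}, invalidate_on_login)
    srv.login("MyUser", ["MyGroup"])
    before = srv.is_allowed("MyUser", "Job1", "run")       # fills the cache
    srv.login("MyUser", [])      # removed from MyGroup in AD, then logs in again
    after_login = srv.is_allowed("MyUser", "Job1", "run")
    srv.restart()
    after_restart = srv.is_allowed("MyUser", "Job1", "run")
    return before, after_login, after_restart


if __name__ == "__main__":
    print("no eviction at login:", scenario(False))
    print("eviction at login:   ", scenario(True))
```

Without eviction, the revoked "run" permission stays effective until the cache is cleared, which is why a service restart works as a stopgap.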
