


KB40723 - Custom expressions using group attribute fails with Standard (AD) Active Directory mode



Last Modified Date: 7/27/2017 3:22 PM
This article describes an issue where role mappings are not applied when custom expressions that use the group attribute fail in Standard (AD) Active Directory mode.
Problem or Goal
After authentication, end users may not be mapped to the correct role because no role mapping rule matches when a custom expression using groups fails.
No match on rule 'groups="XXX/PULSE" '
This issue occurs due to a behavior change between Standard AD and Legacy AD mode. In Standard AD mode, only group names added using the group membership option are cached and used for custom expressions. This change was made to avoid caching all groups returned for every authentication and to cache only the groups configured on the group membership option.

This issue is only applicable to Standard (AD) Active Directory mode and does not apply to Legacy AD mode.
To resolve this issue, add each group name used for role mapping as an available group using the group membership option.
  1. Log in to the admin console
  2. Navigate to Users > User Realms > [REALM NAME] > Role Mapping
  3. Click New Rule
  4. From Rule Based On drop-down, select Group Membership
  5. Click Update
  6. Click Groups...
  7. From the server catalog menu, click Search
  8. From the results, select all group names used in all custom expression rules
  9. Click Add Selected
  10. Click OK
Once the group names are added under Available Groups, please have the end user attempt to authenticate again.
Created By: K. Kitajima


