Users not being removed from groups

Solved87 viewsLDAP synchornization Users/Groups
1
2 Comments

Hi Dojo,

In our set up we have Azure AD groups which enable users to use SSO when connecting to that DM cluster. Once the Azure AD group has been added, we create a new group in Users / Groups with the same name and then through the LDAP settings in System Settings, the users that are part of that group are synced.

I'm carrying out user access reviews and I've removed people from the Azure AD group that should no longer have access, however they still show up in Cube when I look at that same group.

Is there a step I'm missing to keep these in sync?

Thanks!

Carl Stanley [DevOps Advocate] Selected answer as best
Miguel Obregon [SLC] [DevOps Catalyst] commented

Hi Carl,
Can you trigger manually the Windows scheduled task "Skyline DataMiner LDAP Resync" and verify that the groups were updated?
Carl Stanley [DevOps Advocate] commented

HI Miguel,

I found the scheduled task to be disabled, but I enabled it and ran it manually and it reported as completing successfully however the groups didn't update in cube.

1 Answer

2
5.06K 2 Comments

Hi Carl,

You mention that you manually create a group with the same name in DataMiner. This procedure is what is used for automatic creation of users authenticated by Entra ID using SAML, see step 8. In this workflow, users only get added to that group the next time they login (or removed from groups they no longer are a member of).

If you want to import the users beforehand, you need to configure DataMiner to import users and groups from Microsoft Entra ID. By configuring the <AzureAD /> tag in DataMiner.xml, you can import a group from Azure with the "Add existing group..." button. In this workflow, you do not create an empty group with the same name.

Carl Stanley [DevOps Advocate] Selected answer as best
Carl Stanley [DevOps Advocate] commented

HI Bert,

That's right, we're using automatic creation of users using SAML and we have the Dataminer.xml configured correctly with the matching claims. So the users are created correctly when they log in, however when I remove a user from an Azure AD group, they still exist in Dataminer.

Do I have to manually go into Cube and remove them there as well or is there something else I'm missing?

Thanks!
Bert Buysschaert [SLC] [DevOps Advocate] commented

If you want them gone, you will indeed have to remove them manually.
DataMiner only gets updated with group membership at the moment that a user logs in, so if they will never login anymore, the user will remain displayed in that group.