Conflicting roles

Some roles in the Control Room cannot coexist on the same user because of certain restrictions, and assigning them together results in an error.

For example, an error appears if you assign a Control Room user an Admin role along with one of the following roles:
  • AAE_Bot Insight Admin
  • AAE_Bot Insight Consumer
  • AAE_Bot Insight Expert

This validation also applies to the system-scheduled sync process for users and roles. In the above scenario, the role sync for that particular user is skipped, and the process proceeds to the next user.

An audit log is captured in the system logs when:
  • A mapping is created or deleted.
  • A role sync is triggered from either a user login or by the background process.

    All role syncs are audited.

  • There are role conflicts.

Additionally, user roles will not synchronize in the following scenarios, even if the system-scheduled process is triggered:
  • There are role conflicts in the combination of mappings and user-assigned roles, or just in the mapping itself, because mappings are not validated when they are created.
  • A mapping was deleted and the associated users have no other roles assigned.

    A user must have at least one role (no empty roles) for a successful sync.

Note: A user's AD security group cannot be retrieved if no configured URL has the same domain as the user.

For example, assume that the Control Room has the following URLs configured:

  • 'ldap://host.domainA.com'
  • 'ldap://host.domainB.com'

If a user with 'user@domainC.com' tries to log in, no AD security group is returned because there is no URL with the 'domainC.com' domain.
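
The rules above can be checked ahead of a scheduled sync to find users whose roles will silently stop updating. The following is an added example, not Control Room code: the function names, the "Admin" role label, the group names and the mappings are hypothetical, and the suffix match between a user's domain and the LDAP URL host is an assumption.

```python
from urllib.parse import urlparse

# Conflict rule from the page. "Admin" is a placeholder label for the Admin role.
ADMIN = "Admin"
BOT_INSIGHT = {"AAE_Bot Insight Admin", "AAE_Bot Insight Consumer",
               "AAE_Bot Insight Expert"}

# LDAP URLs from the page's example; group names and mappings are constructed.
LDAP_URLS = ["ldap://host.domainA.com", "ldap://host.domainB.com"]
MAPPINGS = {"rpa-admins": ["Admin"], "bi-users": ["AAE_Bot Insight Consumer"]}


def domain_has_url(user, ldap_urls):
    """True if a configured URL's host lies in the user's domain (assumed suffix match)."""
    domain = user.rsplit("@", 1)[-1].lower()
    hosts = [(urlparse(u).hostname or "").lower() for u in ldap_urls]
    return any(h == domain or h.endswith("." + domain) for h in hosts)


def sync_outcome(user, assigned, groups, mappings=MAPPINGS, ldap_urls=LDAP_URLS):
    """Predict the role sync result for one user: (status, combined role set)."""
    # No URL for the user's domain: no AD security group is returned, so
    # (assumption) no mapped roles are added for this user.
    if not domain_has_url(user, ldap_urls):
        groups = []
    roles = set(assigned)
    for group in groups:
        roles |= set(mappings.get(group, ()))  # deleted mapping contributes nothing
    if ADMIN in roles and roles & BOT_INSIGHT:
        return "skipped: role conflict", roles
    if not roles:
        return "skipped: no roles", roles
    return "synced", roles


if __name__ == "__main__":
    # Constructed users: (login, directly assigned roles, AD security groups)
    users = [
        ("alice@domainA.com", [], ["rpa-admins", "bi-users"]),
        ("bob@domainA.com", ["AAE_Bot Insight Expert"], ["rpa-admins"]),
        ("carol@domainB.com", [], ["deleted-group"]),
        ("dave@domainC.com", ["Admin"], ["bi-users"]),
    ]
    for login, assigned, groups in users:
        status, roles = sync_outcome(login, assigned, groups)
        print(f"{login:20} {status:24} {sorted(roles)}")
```

Users reported as skipped keep whatever roles they held before the sync, so these results are worth reconciling against the role-conflict entries in the audit log.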