Community Tip - Did you know you can set a signature that will be added to all your posts? Set it here! X
I cannot verify exactly but have seen enough cases where I thought I might task field. We have some custom apps in Navigate controlled by a group. If your in the group, you get access. Randomly, users report that they cannot see the custom app tiles like they used to. Sure enough, I check and they are not in the group. Simple, you add them to the group and move on.
Except, I've seen a handful of these cases and was almost certain that these folks were there before. Has anyone see this or know the cause? Running 8.5.3. I guess I can make an export of the group and see if it changes in future to prove that they were there before and not now. Very strange.
Do you have SSO configured? If you are using an SSO Authenticator and a mapping of the group attribute.
Like in this example?
If the user doesn't have the appropriate group listed in their group "attribute" (in the SAML assertion) the user will get removed from the appropriate group.
One other idea that might also affect user priviledges and groups is users in ThingWorx are case sensitive.
Depending on your authentication method it could be that a user is authorized correctly even if they sometimes write their name in different captialization (e.g. Username vs. username) - ThingWorx would create two separate users in this case with different access rights.
Not using SSO here. This are local thingworx groups. I've manually added them in Composer. Not an issue with user login though I know that issue well. When I checked group, they were not there.
Thorsten relayed the most common cause of this issue, but it is associated with the ThingworxSSOAuthenticator which is only active when EnableSSO is set to true in platform-settings.json.. ThingworxSSOAuthenticator will reset users group memberships to match those in the LDAP Directory Service if the User Modification Enabled box is checked. That also means that they will be removed from any TWX group that does not also occur in the Directory Service.
What authentication type have you configured? With Navigate, the choices are Fixed Authentication, Windchill Authentication, and PingFederate SSO.
We are using Windchill Authentication. I am aware of the username case issue and that does not seem to be the case. As I mentioned, it was hard for me to determine if the user had been there and suddenly was not part of the group. I have exported copies of the groups to make a snapshot in time. This way I can determine if it occurs again. I do not have these groups links to an LDAP so not sure if the reset you spoke of is correct. These are local Navigate groups. I will close this thread as complete and wait for it to occur again.