"Stream Access" - Active directory groups are used,all users all members of this group
"App Access" - Active directory groups are used here also, and Custom property to filter access.
If a user is a member of an AD group whose name matches the custom property value associated with the app, the user has access to the app.
Changes are made in Active Directory, specifically to the group names related to "App Access".
Changes are made in the QMC, specifically to the custom property values, so that they match the new AD group names.
The user tries to access the Hub, but the app is not visible.
- The Active Directory User Directory Connector always uses an optimized query when pulling data over the LDAP connection.
- This means that in an environment with many users and groups (for example, 13 000 users / 5000 groups) where AD group names have been changed, accessing the Hub from the user side synchronizes the changes for the connected user (see following link)
- Without synchronizing the changes in the QMC, the AD User Directory Connector pulls data at connection time and synchronizes changes for the currently connected user. However, with the optimized query, there is a likelihood that the new group changes are not captured, due to the large number of objects that the User Directory Connector is trying to fetch.
- Generic LDAP has an option to configure an optimized or non-optimized query. In larger environments like this one, it might be a better solution to use Generic LDAP with a non-optimized query, which ensures that all changes are propagated properly, whether the user is logging in to the Hub and/or a sync to AD is occurring.
After synchronizing changes from the AD User Directory Connector, the user is able to see the application again.
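The mismatch described above can be modelled offline to see why the app disappears and what a drift check would report. This is an added example, not Qlik code and not part of the original article. It calls no Qlik or LDAP API, and all user, group and app names are constructed assumptions.

```python
# Constructed model of the scenario: group names held from the last sync
# versus group names currently in the directory. No Qlik/LDAP API is used.

def visible_apps(user_groups, app_properties):
    """Apps whose custom property value equals one of the user's group names."""
    return sorted(app for app, values in app_properties.items()
                  if set(values) & set(user_groups))

def audit_drift(repo_groups, directory_groups, app_properties):
    """Report where synced group data and the live directory disagree.

    repo_groups / directory_groups: {user: set of group names}
    app_properties: {app: set of custom property values}
    """
    known = set().union(*repo_groups.values()) if repo_groups else set()
    # Custom property values that match no group on any synced user.
    orphaned = {app: sorted(vals - known)
                for app, vals in app_properties.items() if vals - known}
    stale = {}
    for user, live in directory_groups.items():
        cached = repo_groups.get(user, set())
        if cached != live:
            stale[user] = {"missing": sorted(live - cached),
                           "obsolete": sorted(cached - live)}
    return {"orphaned_values": orphaned, "stale_users": stale}

# Constructed sample: the group was renamed in AD and the custom property
# was updated in the QMC, but the user's synced groups still hold the old name.
REPO = {"alice": {"Stream_All", "App_Sales"}, "bob": {"Stream_All"}}
DIRECTORY = {"alice": {"Stream_All", "App_Sales_EMEA"}, "bob": {"Stream_All"}}
APPS = {"Sales Dashboard": {"App_Sales_EMEA"}}

def demo():
    before = visible_apps(REPO["alice"], APPS)         # stale groups
    report = audit_drift(REPO, DIRECTORY, APPS)
    synced = {u: set(g) for u, g in DIRECTORY.items()}  # effect of a full sync
    after = visible_apps(synced["alice"], APPS)
    return before, report, after

if __name__ == "__main__":
    print(demo())
```

A custom property value that appears under `orphaned_values` right after a rename is the signal that a directory sync has not yet picked up the new group name.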