Have you tried enabling the plugin log level to debug and see the log whats going on?
Two things to check:
- I've seen this happen when a user was using incorrect capitalization in their username. AREA still authenticated them (case-insensitively), but the user did not have all of the permissions they should. Please make sure they are matching their login name EXACTLY as seen in the User form.
- Try deleting and re-adding their permissions. I've seen cases where, after an upgrade, a user had all appropriate licenses set, but needed to have them reapplied before they would work. This applied to both application permissions and the system write license.
Hope these help! If not, get a copy of the arjavaplugin.log file in Debug mode. Note: in 9.1, you'll find the configuration for that in the Plugin Server Configuration, rather than Server Information page.
If you put a password in the User form for these users and login does it work as expected?
We encountered this defect (have an open issue on it) with our dev environment that was upgraded from 8.1 to 9.1. We don't get our administrator permissions unless we put a password in our User record. We are waiting on a fix.
Interesting, I did not face this when upgraded from 8.1 to 9.0 SP 01 to 9.1. I have a one administrator user who is authenticated from LDAP without any issue.
Yes,its working fine if we put password in user form.
Its not just for admin user, users with floating license and non admin permissions are also facing the same issue.
When I go to license review form,it shows that user has got the correct license as per User form but doesn't have any permission as per the user form.
I have also tried the same in our another environment where we have upgraded from 8.1 SP2 to 9.0 SP1 and then 9.1, but still the same issue.
I dont remember whether I have tried it on 9.0 SP1 or not.
My colleague said its working for him for 9.1 fresh install , so there might be something broken during the upgrades.
Are you on windows or linux?
I will recommend to turned on the logging in debug mode and try to login and see the results.
I am sure, you are aware how to set the log level to DEBUG.
Here is the how to set in case, Login to Remedy as admin user and navigate to Applications -->AR System Administration -->AR System Administration Console --> System --> General click on Centralized Configuration
select the com.bmc.arsys.Pluginsvr --> select the PluginServer_your host name_port (default 9999)_IDxxx
Make sure the pluginSvrLogLevel set to value to DEBUG.
Reset the arjavaplugin.log under <AR System Installed>/db/, Login with user which failed authentication and see the errors.
Note:- Please make sure Plugin Server configuration all the plugins are pointing to right version jar files. ( In my case when i reviewed these files many of the plugins were still pointing to 8.x jar files or 9.0 jar files, which i changed the 9.1 jar files in the same folders.
I have already verified the debug logs but not much to do in arjavaplugin.log as user gets authenticated properly without any error.
After that i have captured API+FLTR+SQL logs to compare with working environment and observed that the GLG(ARGetlistGroup) and GLR(ARGetListRole) API for user are not getting fired after login using AREA hence several service calls in SHR:LandingConsole related to admins are getting failed and hence user looks like normal user without any permissions.
I can feel your pain, I have gone through pains after upgrading to 9.1 rolling into production and still work in progress to stabilize my production environment. I can wish everyone best of luck who is upgrading to 9.1.
2 of 2 people found this helpful
The defect ID we are experiencing is SW00503582 if you want to ask BMC about it.
I think the defect describe the same issue what we have.
earlier we use ldap with group container having group base and was working in8.1
I tried again by removing the group container information and it worked
3 of 3 people found this helpful
That's right, If you are not mapping Ldap group to AR group then no need to enable group membership in version 9.X. However it was working in 8.1 so they have slightly restructured it I guess.
Also if you want to use Ldap to AR group mapping and want to assign administrator permission to user which is not possible from version 9.x.
Below are some notes from BMC docs.
•If the group information is returned through external authentication, you cannot be a part of any administrator group. You can be a part of the administrator group only from the User form
•You can get group information from external authentication only if the Group List is NULL.
At last, what i observed ldap to ar group mapping does not assign computed groups to user like it does when we add it in user form and hence not able to access some parts of application.