5 Replies Latest reply on May 20, 2016 11:31 AM by jest4kicks

    Group membership changes not reflected in Orion

    jest4kicks

      Hey all, I may have found a bit of a bug, but it seems odd that there's no mention of it already.

       

      We have multiple users across multiple teams that access our Solarwinds instance.  To delegate access, we use AD security groups.

       

      Today, I discovered a user accessed Solarwinds, added a custom poller, and created an alert.  The problem is that, months ago, I removed the user from the AD group that is associated with the permissions to perform those actions.

       

      I've also seen this kind of behavior on a test account of mine.  I changed the test account's group membership to a different group, but when I access Solarwinds with that account, the user name in the top right corner still shows it as belonging to its original group.

       

      I did a little digging in the database and found the Accounts table.  In it, I see both the old admin's account, and my test account.  The table contains delegation permission entries, including the group that those permissions are associated with.  In the case of both of the accounts, their respective entries (and the listed group) reflect the information from their previous group membership.

       

      Why isn't Solarwinds checking the user's current group information when they login?  Considering delegating access according through security groups is a best practice, this is a pretty significant flaw.  Is there any way to correct this?  I need to immediately lock-out several admins that previously had permissions.