Problem with Service Catalog user rights
We have two groups of users: all users and staff users. Staff users have some Service Offerings the other users cant see in the self-service portal. We have two end user roles, one for all users and one for staff users , which scope what service offerings and request offerings the groups can see in the self-service portal.
If we add AD users directly to the end user roles the self-service portal shows the right service offerings (and request offerings) to these users. BUT if we add an AD group to the end user role the self-service portal does not show the service offerings to the users who are members of the AD group.
Has anyone else found this problem? What might be the solution?
Comments
I would actually need to have a look at your cachebuilder log files to see what is happening when the cache tries to enumerate these groups and users.
Can you open a ticket and provide this information so I can further investigate?
Merle
I investigated the cachebuilder log file. The groups we use in restricting service catalog end user rights are AD groups, not Service Manager groups (AD connectors do not bring them to SM). The cachebuilder.log shows that Cache Builder uses only Service Manager groups that AD connectors syncronize from AD. The AD groups are quite big - there are about 10 000 merbers in the biggest group.
We can bring the big AD groups to Service Manager using AD connectors that is no problem. BUT how big groups Cache Builder is designed to handle? Can we use groups that have 10 000 or even more members in end user roles? The final question is how well dows the Cache Builder scale when the groups get bigger?
Does anyone have experiences in using big groups with end user roles?
We brougth the big AD groups to Service Manager by AD conntector. This portal user rights worked fine.
So this is not a problem.