Nested group memberships and SSO

We're rolling PDP out across many of our datasets to enable us to use embedded cards throughout our internal systems. We may have just stumbled upon what is either a bug or a use case that wasn't properly expressed during development. It appears that Domo isn't properly decomposing these group relationships and our SSO-authenticated users don't have the permissions to data they should.

 

We make considerable use of nested groups within our AD as it allows us to describe our hierarchical structure in a way that is maintainable.

 

Here's an example.

  - We have 40 stores (Store A, Store B, etc.)

  - The stores are managed in "regions" (Region 1, Region 2, etc.)

  - A regional manager may be in the "Region 1" group which itself may be a member of "Store A", "Store B", "Store C", etc.

 

Currently when this regional manager logs into Domo, he is not able to see data for Store A, B and C even though AD says he should.  Domo ONLY sees the Region 1 membership and no further.

 

 

Has anyone else run into this issue?  Were you able to work around it without abandoning your AD group architecture?

Best Answer

Answers

  • Is anyone able to help out with this request?

  • We solved this ourselves.  It involves writing two custom claims rules and substituting one for the generic "Group" claim included in Domo's documentation.

     

    If anyone would like more detail, please feel free to DM me.
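The gap described in this thread, shown as an added example (not code from the thread, the poster's claim rules, or Domo): it compares the groups a direct-membership-only group claim would carry with the full set reachable through nesting. The directory data, the account names and the "Managers" group are constructed for illustration; the region and store names follow the example in the question.

```python
from collections import deque

# Constructed sample directory: principal -> groups it is a DIRECT member of
# (the shape of a memberOf lookup). "Managers" and the account names are
# assumptions added for illustration.
MEMBER_OF = {
    "regional.manager": ["Region 1"],
    "Region 1": ["Store A", "Store B", "Store C", "Managers"],
    "Managers": ["Region 1"],  # deliberate cycle: circular nesting can exist
    "store.clerk": ["Store B"],
}


def direct_groups(principal, member_of=MEMBER_OF):
    """Groups a claim built only from direct membership would contain."""
    return sorted(member_of.get(principal, []))


def transitive_groups(principal, member_of=MEMBER_OF):
    """Every group reachable through nesting (breadth-first, cycle-safe)."""
    seen = set()
    queue = deque(member_of.get(principal, []))
    while queue:
        group = queue.popleft()
        if group in seen:
            continue  # already expanded; also stops circular nesting
        seen.add(group)
        queue.extend(member_of.get(group, []))
    return sorted(seen)


def missing_from_claim(principal, member_of=MEMBER_OF):
    """Groups the directory grants that a direct-only claim leaves out."""
    granted = set(transitive_groups(principal, member_of))
    return sorted(granted - set(direct_groups(principal, member_of)))


if __name__ == "__main__":
    for user in ("regional.manager", "store.clerk"):
        print(user, "direct:", direct_groups(user),
              "missing:", missing_from_claim(user))
```

A non-empty result from `missing_from_claim` for a user means row-level policies keyed on the nested groups will not match that user until the group claim carries the expanded set.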