Nested group memberships and SSO
We're rolling PDP out across many of our datasets to enable us to use embeded cards throughout our internal systems. We may have just stumbled upon what is either a bug or a use case that wasn't properly expressed during development. It appears that Domo isn't properly decomposing these group relationships and our SSO-authenticated users don't have the permissions to data they should.
We make considerable use of nested groups within our AD as it allows us to describe our hierarchical structure in a way that is maintainable.
Here's an example.
- We have 40 stores (Store A, Store B, etc.)
- The stores are managed in "regions" (Region 1, Region 2, etc.)
- A regional manager may be in the "Region 1" group which itself may be a member of "Store A", "Store B", "Store C", etc.
Currently when this regional manager logs into Domo, he is not able to see data for Store A, B and C even though AD says he should. Domo ONLY sees the Region 1 membership and no further.
Has anyone else run into this issue? Were you able to work around it without abandoning your AD group architecture?