Permissions not being applied to new or existing users by domain


(Jane Hornickel) #1

Hello all,

We use Groups to set permissions for our customers to certain topics. We’ve been utilizing the feature that allows us to grant permissions to users based on their email domain. This should apply the group permissions for new users as well as existing users within the domain.

Unfortunately, we’ve been running into a number of issues with newly onboarded customers. In many cases, even though their domain was added to the approved list, new user accounts aren’t being added to the group or inheriting the correct permissions. We’ve also had this issue with a few existing customers when they bring in new staff.

We’ve had to manually add user accounts to the group, which is defeating the purpose of the approved email domains. It’s also a yucky user experience when they get “Sorry, you don’t have access to that topic!” when going through our onboarding instructions or help links.

Has anyone else experienced this?

Thanks!
Jane


(Jeff Atwood) #2

Can you repro this @jomaxro?


(Joshua Rosenfeld) #4

Hi Jane!

How are your users being added to the site? Are they using a standard Discourse registration modal? Social logins? Invites? SSO?


(Jane Hornickel) #5

Hi Joshua,

Thanks for your quick reply!

Our user accounts are created via SSO from our product app. This feature had been working for us for a long time but we’ve noticed this issue more and more in the last 6 months or so.

Please let me know what other information would be helpful for troubleshooting!


(Jane Hornickel) #6

Hi @jomaxro, thanks for your reply.

As I mentioned, we use SSO from our product app for account creation. This is now failing for almost every new customer domain that we add. Any insight that you have would be great!

Thanks,
Jane


(Simon Cossar) #8

I have tested this with SSO. On my development site, when a user is created through SSO, they are being added to the appropriate group if their email address matches the domain set in the Automatic group rule.

Is there anything unique about the way you are creating or updating users with SSO? Are the email addresses that should be granting group membership the same as the email address that is in the user’s SSO record? You can see the user’s SSO record at the bottom of the Admin/Users page for a particular user.


(Jane Hornickel) #9

Thanks for that tip, Simon. I confirmed that one of the customers recently having trouble has a matching email address and SSO email, and both are in a domain added to our approved group list.

Is there any limit to the number of approved domains we can have per group? As I mentioned, this has happened most recently for our newest customers, who were added last. Or is there a wait period where a domain is added before the permissions could take effect for new users?

Thanks,
Jane


(Simon Cossar) #10

There isn’t a limit on the number of domains you can have per group.

What can prevent a user from being added to a group is if the user is staged, or not active, or if their email address is not confirmed. When Single Sign On is enabled, a user’s email is considered to be confirmed if their email address matches the email address in their Single Sign On record.


(Jane Hornickel) #11

Thanks Simon. My teammate discovered we were running a version of Discourse where this is a known bug. SSO users aren't automatically added to email domain-based groups

We’re working on an upgrade that will resolve the issue.

Thanks!
Jane


(Jeff Atwood) #13