Resolving Authorization Issues with LDAP Authentication When Restoring Backups from Different Deployments
In Core, restoring backups from one deployment to another can cause authorization issues when using LDAP (Lightweight Directory Access Protocol) or SAML authentication with external group mapping.
When restoring a backup from a different deployment, the source group names and memberships in the restored groups may not align with the actual external groups. As a result, users may not be matched to external groups and can lose the access privileges granted through group membership.
Example Scenario:
A customer restores a prod instance to a dev instance. The curators of the dev instance belong to a local Tamr group called "curators". However, as a result of the restore, this local group is now mapped to an external group called "prod_curators", to which these users do not belong. Therefore, when these users log in, they lose the local "curators" group membership and associated privileges.
To effectively resolve any group authorization issues for the affected groups:
- Open the Swagger docs, go to the users page/tab, and use the GET /groups endpoint to review the source group names of all valid groups.
- If any groups are misconfigured, use the PUT /groups/{id}/source-group-names endpoint to set the correct source group names, aligning group memberships with the LDAP configuration.
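The review in the first step can be done offline against the saved GET /groups output, so that every PUT is planned before anything changes. The following is an added example, not Tamr's code: the field names `id`, `groupName` and `sourceGroupNames`, the list-shaped PUT body and all sample data are assumptions, so check the Swagger docs for the actual schema.

```python
# Added example. Assumed, not from the product docs: the field names "id",
# "groupName", "sourceGroupNames" and a PUT body that is a list of names.

def plan_source_group_fixes(groups, expected, directory_groups):
    """Audit restored groups and plan PUT /groups/{id}/source-group-names calls.

    groups           -- parsed GET /groups response (assumed: list of dicts)
    expected         -- {local group name: [external names]} for THIS deployment
    directory_groups -- external group names that exist in this deployment's directory
    Returns (fixes, unresolved).
    """
    directory = set(directory_groups)
    # Refuse to plan a mapping that would itself point at a missing group.
    for name, want in expected.items():
        missing = set(want) - directory
        if missing:
            raise ValueError(f"{name}: not in directory: {sorted(missing)}")

    fixes, unresolved = [], []
    for g in groups:
        current = g.get("sourceGroupNames") or []
        stale = sorted(set(current) - directory)
        want = expected.get(g["groupName"])
        if want is not None and set(want) != set(current):
            fixes.append({"method": "PUT",
                          "path": f"/groups/{g['id']}/source-group-names",
                          "body": sorted(want), "replaces": sorted(current)})
        elif want is None and stale:
            # Mapped to a group this directory lacks, and no intended mapping known.
            unresolved.append({"group": g["groupName"], "stale": stale})
    return fixes, unresolved

# Constructed sample: a prod backup restored onto dev.
RESTORED = [
    {"id": 1, "groupName": "curators", "sourceGroupNames": ["prod_curators"]},
    {"id": 2, "groupName": "reviewers", "sourceGroupNames": ["dev_reviewers"]},
    {"id": 3, "groupName": "auditors", "sourceGroupNames": ["prod_auditors"]},
    {"id": 4, "groupName": "local_only", "sourceGroupNames": []},
]
EXPECTED = {"curators": ["dev_curators"], "reviewers": ["dev_reviewers"]}
DIRECTORY = ["dev_curators", "dev_reviewers"]

if __name__ == "__main__":
    fixes, unresolved = plan_source_group_fixes(RESTORED, EXPECTED, DIRECTORY)
    for f in fixes:
        print(f["method"], f["path"], f["body"], "(was", f["replaces"], ")")
    for u in unresolved:
        print("REVIEW", u["group"], "maps to unknown", u["stale"])
```

Groups reported as unresolved have a restored mapping that this deployment's directory cannot satisfy and no intended mapping on record, so they need a manual decision before any PUT.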
Updated 8 months ago