discord / access

Access, a centralized portal for employees to transparently discover, request, and manage their access for all internal systems needed to do their jobs
Apache License 2.0

Please help troubleshoot issue of user not removed from group in Okta on expire #119

Closed nonefaken closed 2 months ago

nonefaken commented 2 months ago

Hello!

Can you please help troubleshoot the issue of a user not being removed from a group on expiry?

  1. If I add a user to a group in Access Portal, the user is added in Okta;
  2. If a user is removed from a group in Okta, the syncer removes it in Access Portal.

However, if I add a user to a group in Access Portal with an expiry

127.0.0.6 - - [23/Aug/2024:10:48:40 +0000] "PUT /api/groups/--redacted-id---/members HTTP/1.1" 200 117 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36"

..the user is removed in Access Portal after expiry, but not in Okta. After a syncer run, the user is synced back from Okta to Access Portal (re-added back).

In the portal log I see no request to DELETE / etc. the group resource, but GET to site pages and POST /api/bugs/sentry HTTP/1.1.

I would very much appreciate it if you could help troubleshoot the issue 🙇‍♂️

somethingnew2-0 commented 2 months ago

Thanks for trying out Access!

Do you have the --sync-group-memberships-authoritatively flag configured on the flask sync command?

https://github.com/discord/access/blob/main/examples/kubernetes/cron-job-syncer.yaml#L21

We also have a Discord server in case you want to debug in real time https://discord.gg/access-enjoyers

nonefaken commented 2 months ago

I suppose I misunderstood the purpose of --sync-group-memberships-authoritatively and decided not to use it. Thank you for the tip on https://discord.gg/access-enjoyers 🙇‍♂️