I have granted a user that is currently in the “CERN Registered”-Group the “Editor” access by adding her to the corresponding egroup (yesterday), but her role stays “CERN Registered” and she of course can’t access the editor options.
I have tried the same with one of my service accounts, same problem.
This is on a Drupal 8 test site for EN department.
How can I force this roles to get updated?
Hello Catharina and welcome,
Probably there is a misconfiguration somewhere. Some quick debugging questions:
- Have you mapped the Drupal role to the egroup in the setting of SimpleSAML? If not you can find instructions in this link. If yes, are you sure that the mapping of e-groups/roles in SimpleSAML settings is correct? In general a new role should be like:
|<MACHINE_NAME_OF_EGROUP>:egroups,=,<NAME_OF_EGROUP_EXACTLY_AS_IT_IS_WRITTEN_IN_EGROUPS>. If you are not sure about the mapping you post the link of the site or just paste mapping field as an answer.
- Has this user logged out and back in again? (in order to get a role, re-logging in is required)
yes, of course I configured the SimpleSAML, I am far from being new to Drupal.
And yes, we tried to re-log, no change.
The editor access is also successfully used since several months via this egroup by a different user.
On D7 there was an otion to (un)tick of role being sticky. Is there something similar on D8?
Or anything else I missed?
Please feel free to take a look at http://cern.ch/test-en-d8
i had a look in the website and I confirm that the configuration of the SAML is correct since, as you mentioned in your comment too, there are already accounts that have the editor role
As a result the issue is not related to SAML configuration. In that case and if you are sure that the user is already added in the e-group, I believe that the issue is related to browser caching:
- You try to logout, completely close the browser window or application, clear the caches of the browser and then re-login.
- If you are using chrome or Firefox you can also try incognito mode or Private Browsing modes since they do not use caches.
Let me know if one of those solution works.
I had tried all of that already before plus flashing all cashes and the problem persists.
I really have the impression that there is no updating of the permission roles as e.g. mbartolo should also be part of “EN Members” and “EN Staff Members” but is only “CERN Registered” …
Could you please look into that?
Unfortunately there is not much more I can personally do at that point. Apparently it is a synchronisation issue between e-groups and the Drupal infrastructure so I don’t have more access to help. What you can do now is open a Service Now ticket to the Drupal infrastructure team so that they can resolve it.
This line in your configuration administrator:egroups,=,^drupal-admins-en$ breaks all the roles that follow.
It should be administrator:egroups,=,drupal-admins-en
I have updated it for you. Give it a few hours and try again.
thanks for the hint!
There was an additional “s” added to one of the roles too which I corrected as well and now it’s working :-
just a small follow-up on that issue as I encountered the same problem with another site that I migrated from D7 to D8:
It seems that the part with the “^” (e.g. administrator:egroups,=,^drupal-admins-en$) is added during the “automated”(?) procedure of the site migration to the egroup which is the admin egroup of the D7 site …
Could you please open a ticket to Drupal Infrastructure so the admins are aware of that?