
Object_diff for "roles" does not account for team membership mapped via LDAP

Open rezfarsh opened this issue 2 years ago • 4 comments

Running the object_diff role for "roles" objects, I have noticed "admin" and "member" roles are getting set to "absent" for users (System Administrator) that are mapped to teams via LDAP. Is this the expected behavior?

rezfarsh avatar Jan 30 '23 16:01 rezfarsh

Hi @rezfarsh, why would a system administrator need to belong to teams? If it is a system administrator, it will have full access to every component.

adonisgarciac avatar Feb 10 '23 09:02 adonisgarciac

@adonisgarciac this is because of how our AD is set up.

All of our users are members of 140+ groups. One of these groups is for organizational team membership, which we are (re)using for AAP team mappings. We have also created another group called "AAP Administrators" for AAP system administrators. Now, all the users in any team are mapped to the correct team on AAP, but only a few of them may have administrator access.

As you mentioned, system administrators will have access to every component and their RBAC is not affected. But on every login to AAP, their user will be mapped to the team they belong to in the company, and on every object_diff run they will be removed from that team, which is not idempotent behavior.

I am guessing this is going to be the same case for other users who need to use existing AD groups in their environment.

rezfarsh avatar Feb 22 '23 23:02 rezfarsh
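The non-idempotent cycle described in the comment above, modelled as an added example. This is not code from the controller_configuration collection and does not reproduce its object_diff implementation; the grant model, the user and team names, and the `LDAP_MANAGED_TEAMS` guard are constructed assumptions used only to show why a diff that treats every unmanaged membership as "absent" fights the LDAP team map on every run, and what an exclusion for LDAP-owned teams changes.

```python
"""Constructed model of desired-vs-current role diffing with LDAP-mapped teams.

DESIRED is what config-as-code declares. CURRENT is what the controller
reports, which includes team memberships the LDAP team map granted at login.
A naive diff marks every current grant missing from DESIRED as absent, so the
LDAP-granted ones are removed on each run and re-granted at the next login.
A guarded diff skips grants on teams known to be owned by the LDAP mapping.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RoleGrant:
    user: str
    team: str
    role: str  # "member" or "admin", as in the issue report


# Constructed: team memberships the playbook manages in code.
DESIRED = {
    RoleGrant("alice", "platform", "member"),
    RoleGrant("bob", "platform", "member"),
}

# Constructed: what the controller reports. carol and dave were placed on
# "sales" by the LDAP team map at login, not by the playbook.
CURRENT = {
    RoleGrant("alice", "platform", "member"),
    RoleGrant("bob", "platform", "member"),
    RoleGrant("carol", "sales", "member"),
    RoleGrant("dave", "sales", "admin"),
}

# Constructed assumption: teams whose membership the LDAP mapping owns.
LDAP_MANAGED_TEAMS = {"sales"}


def naive_diff(desired, current):
    """Everything in current but not in desired becomes 'absent'."""
    present = desired - current
    absent = current - desired
    return present, absent


def guarded_diff(desired, current, ldap_teams=LDAP_MANAGED_TEAMS):
    """Like naive_diff, but never emits 'absent' for LDAP-managed team grants."""
    present = desired - current
    absent = {g for g in current - desired if g.team not in ldap_teams}
    return present, absent


def simulate_login(state, ldap_grants):
    """The LDAP team map re-adds the user's team membership at login."""
    return state | ldap_grants


def run_cycles(diff_fn, cycles=3):
    """Apply the diff, then a login that re-grants LDAP memberships; repeat.

    Returns the number of 'absent' actions emitted per cycle. A converging
    (idempotent) diff reaches zero; a fighting one never does.
    """
    state = set(CURRENT)
    ldap_grants = {g for g in CURRENT if g.team in LDAP_MANAGED_TEAMS}
    absent_per_cycle = []
    for _ in range(cycles):
        present, absent = diff_fn(DESIRED, state)
        absent_per_cycle.append(len(absent))
        state = (state | present) - absent          # apply the diff's actions
        state = simulate_login(state, ldap_grants)  # users log in again
    return absent_per_cycle


if __name__ == "__main__":
    print("naive  :", run_cycles(naive_diff))    # removes carol and dave every run
    print("guarded:", run_cycles(guarded_diff))  # nothing to remove, stays stable
```

The guard here is a hard-coded set of team names, which is only a stand-in: in a real deployment the exclusion would have to come from the same source of truth as the LDAP team map, otherwise the two drift apart in the same way the issue describes.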

@rezfarsh would it be possible to post an example code snippet and the actual and expected output, please?

Tompage1994 avatar Mar 15 '23 16:03 Tompage1994

@Tompage1994 we have done some more tests with object_diff for "roles" and opened #552.

I think we should focus on #552 for now as it may resolve the issue mentioned above.

rezfarsh avatar Mar 26 '23 22:03 rezfarsh