I’m tempted to post this one as a bug; however, I believe it’s currently functioning as designed… so here we are.
In the User Account Review module, when using the LDAP connector, it can result in a poor user experience due to how the review is shown to the reviewer.
To review the current steps -
0. Assume that the company uses LDAP heavily for access to all of its applications and many users can have 50-100+ different roles associated with their accounts to grant access to various systems and permission levels. This could also be true if you’re hooking up Okta via its LDAP interface.
1. Add an Account Feed using an LDAP Group connector and in that process, select one or more LDAP groups that represent access to whatever is being reviewed (i.e. Application A has 2 roles - Admin and User that are tied to two specific LDAP groups).
2. When the Account Pull happens and the reviewer is presented with a list of users, what ends up happening is say there is 1 admin and 3 users to the app - it will correctly display the 4 users to the reviewer, however, in the Roles column, it will list every single LDAP group that the member is a part of, even though they have nothing to do with granting access to whatever happens to be reviewed. In the cases I’ve seen over the past week, this means a single user takes up more than a screen of real estate due to the sheer number of groups and the reviewer has to manually search for the group names in question to see exactly what roles are present for them.
Suggested Improvement → When returning the list of Roles for an access review, only return it if it matches the list of roles configured for the account feed. Thus, in the case above, each user should only show 1 or 2 roles (Admin, User or Admin + User) on the reviewer pane.
From a prioritization perspective, I have at least two clients that are running into issues related to this using the LDAP connector so I’d imagine anyone else using it will likely have similar issues.
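One way to express the suggested filter, as an added example that is not the product's own code: each account's `memberOf` list is intersected with the groups configured on the feed, comparing DNs case-insensitively because directories often return them in a different case than the configuration. The group DNs, role labels, account data, and function names are constructed for illustration, and the DN normalization is simplified (multi-valued RDNs are not handled).

```python
import re

# Constructed feed configuration: in-scope group DN -> role label shown to the reviewer.
FEED_GROUPS = {
    "cn=app-a-admin,ou=groups,dc=example,dc=com": "Admin",
    "cn=app-a-user,ou=groups,dc=example,dc=com": "User",
}

def _noise(n):
    # Constructed unrelated memberships, standing in for the 50-100+ other groups.
    return [f"CN=other-{i},OU=Groups,DC=example,DC=com" for i in range(n)]

# Constructed account pull: 1 admin and 3 users, with directory-style DN casing.
ACCOUNTS = [
    {"uid": "alice", "memberOf": ["CN=App-A-Admin, OU=Groups, DC=example, DC=com"] + _noise(60)},
    {"uid": "bob", "memberOf": _noise(75) + ["CN=App-A-User,OU=Groups,DC=Example,DC=Com"]},
    {"uid": "carol", "memberOf": ["cn=app-a-user,ou=groups,dc=example,dc=com"] + _noise(50)},
    {"uid": "dan", "memberOf": ["CN=APP-A-USER,OU=GROUPS,DC=EXAMPLE,DC=COM"] + _noise(90)},
]

def normalize_dn(dn):
    """Case-fold and trim each RDN; split only on commas that are not escaped."""
    parts = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, _, value = rdn.partition("=")
        parts.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return ",".join(parts)

def scope_roles(accounts, feed_groups):
    """Return one reviewer row per account, listing only roles configured on the feed."""
    wanted = {normalize_dn(dn): label for dn, label in feed_groups.items()}
    rows = []
    for acct in accounts:
        normalized = [normalize_dn(dn) for dn in acct["memberOf"]]
        roles = sorted({wanted[dn] for dn in normalized if dn in wanted})
        hidden = sum(1 for dn in normalized if dn not in wanted)
        if roles:  # accounts with no in-scope group are not part of this review
            rows.append({"uid": acct["uid"], "roles": roles, "hidden_groups": hidden})
    return rows

if __name__ == "__main__":
    for row in scope_roles(ACCOUNTS, FEED_GROUPS):
        print(row)
```

The `hidden_groups` count keeps the out-of-scope memberships visible as a number, so the reviewer can tell that the row was filtered without having to scroll through them.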