User criteria is not working as expected.

saibharath · ‎10-10-2024

Hi!

I have a question about Can View/Cannot View User Criterias, and adding them to groups from Can View and Cannot View, both.

Consider there are two groups, groupA and groupB, and we add groupA in Can View User Criteria and groupB in Cannot View User Criteria. User A who is in groupA will have access to page/widget and user B who is in groupB will not. Now, add user A in group B and user B in group A

According to the documentations, Cannot View holds more precedence. So, the user A who is in group B should not be able to access the page/widget. But he is able to access the page

I tried clearing cache, in cache.do which worked. I want to understand why this happens. And if we will have to clear cache every time a user is added to a group/added a role? Anyone who know why this happens? Or if there's an alternate approach?

Thank you

Brad Bowman · ‎10-10-2024

You definitely need to sign out / end impersonation after changing user criteria or role access. Clearing the cache depends on where you are using/testing this. It shouldn't be necessary in the native UI for Catalog Items or Knowledge articles.

Mark Manders · ‎10-10-2024

If the user is logged in and you change something about their access (group member ship/roles), you need to either have them login again, or let them do a hard refresh of the browser, otherwise it remembers the old access privileges.

So if you do anything with group membership (adding/removing roles should always be done by updating group memberships), just tell them to log out and back in again. If they aren't logged in, the system login will do the same, so no cache clearing necessary.

When in doubt if something works related to user criteria: use the 'user criteria diagnostics' where you can easily check on a user's access.

Please mark any helpful or correct solutions as such. That helps others find their solutions.
Mark