Hello! We are seeing issues with overall policies ...
# troubleshoot
a
Hello! We are seeing issues with overall policies since upgrading to the latest version. Even though we have policies created and connected to groups, users in that group cannot perform basic actions (e.g. adding owners to datasets (metadata policy) or adding users to groups (platform policy)). Even when activating 'All Users - All Platform Policies' we receive the error message as per below. However, when we use GraphQL through postgres and add a header 'X-Datahub-actor' as datahub we are able to add users programmatically. Is there any option to roll back to version 8.0.26 or bypass the GraphQL work-around?
b
Hi @adventurous-dream-16099 - Can you detail which metadata policies are failing for users in groups? This is definitely not expected. I'd like to try to reproduce this locally
Hi there, any word?
Hi @adventurous-dream-16099 I spent some time today trying to reproduce this, no luck yet. It'd be great to get some more details / steps to repro!
a
Hi @big-carpet-38439 - Mainly the issue is the default policy "All Users - All Platform Privileges" which should provide "MANAGE_USERS_AND_GROUPS" to all users. Our understanding is that if this policy is activated any logged-in user would be able to create groups and add members to those groups, but in our case we are only able to create groups; the "add members" operation fails with an unauthorized exception. Our DataHub frontend app authenticates users against LDAP with the following config:

```
WHZ-Authentication {
  com.sun.security.auth.module.LdapLoginModule sufficient
    debug="true"
    userProvider="{LDAP_PROVIDER}"
    userFilter="(&(objectClass=person)(sAMAccountName={USERNAME}))"
    java.naming.security.authentication="simple"
    java.naming.security.principal="{LDAP_USER}"
    java.naming.security.credentials="{LDAP_USER_PW}"
    useSSL="false";
};
```

We have ingested users from the LDAP server with the following source recipe:

```yaml
source:
  type: "ldap"
  config:
    ldap_server: {LDAP_SERVER}
    ldap_user: "{LDAP_USER}"
    ldap_password: "{LDAP_USER_PW}"
    base_dn: "dc=tcad,dc=telia,dc=se"
    filter: "(objectClass=person)"
```

In addition we have tested e.g. adding an owner to a dataset when having all metadata editing access to Datasets and have received the same error. We can however create and add members to groups from the backend. Worth mentioning, some of the users, when they click on their profile, don't see their details fetched from LDAP (email, name etc.) while others can see their details. Grateful for any help and input!
b
On managing group editing
• To create groups + view the tab, you currently need MANAGE_USERS_AND_GROUPS
• To edit Groups (add / remove members, change description), you need a separate Metadata Policy for the Groups Entity (you can use all groups)

On users not seeing their info
• You need to make sure that the user's urn (urn:li:corpuser:x) that was created at login time is exactly the same as what was ingested -- my hunch is that in some cases this is not happening and therefore part of your team isn't correctly associating with the information you've ingested from the LDAP source
• If this is the case, you'll likely be able to search for the user, and find them, but it won't be the same profile as the person who is logged in.

On adding owners to a Dataset
• I'm assuming this is also related to the above. If the urns created at login do not match the urn on the policy itself, then you can have an issue where the user is unable to make a change.

First step would be to get a hold of a user for whom this is happening. Confirm that #2 and #3 are happening at the same time. Then we can triage by comparing what's in the DB (what's been ingested) to the URN being resolved at login time!
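The triage step above (compare the URN resolved at login with what the LDAP source ingested) can be done offline; the following is an added example, not code from the thread or from the DataHub project. It assumes the frontend builds `urn:li:corpuser:<username>` from the authenticated username, and the ingested URNs are constructed sample data standing in for what you would export from the metadata DB.

```python
# Added example: check whether the login-time corpuser URN exactly matches an
# ingested URN, and surface near misses (case or e-mail/domain differences)
# that would make a policy or profile lookup fail even though the user "exists".
from dataclasses import dataclass

CORPUSER_PREFIX = "urn:li:corpuser:"

# Constructed sample: URNs as the LDAP ingestion source might have written them.
INGESTED_URNS = {
    "urn:li:corpuser:jdoe",
    "urn:li:corpuser:Anna.Svensson",
    "urn:li:corpuser:bob@tcad.telia.se",
}


@dataclass(frozen=True)
class UrnCheck:
    login_urn: str
    exact_match: bool
    near_misses: tuple  # ingested URNs differing only by case or an '@domain' suffix


def login_urn(username: str) -> str:
    """URN the frontend derives from the authenticated username (assumption:
    the sAMAccountName matched by the JAAS userFilter is used verbatim)."""
    return CORPUSER_PREFIX + username


def _local_part(urn: str) -> str:
    """Strip the prefix and anything after '@', lower-cased, for fuzzy comparison."""
    return urn[len(CORPUSER_PREFIX):].split("@", 1)[0].lower()


def check_login_urn(username: str, ingested: set) -> UrnCheck:
    """Exact match is what policies and profiles need; near misses explain why a
    user can be found in search yet sees an empty profile or gets unauthorized."""
    urn = login_urn(username)
    if urn in ingested:
        return UrnCheck(urn, True, ())
    local = _local_part(urn)
    near = tuple(sorted(u for u in ingested if _local_part(u) == local))
    return UrnCheck(urn, False, near)


if __name__ == "__main__":
    for user in ("jdoe", "anna.svensson", "bob", "nobody"):
        print(check_login_urn(user, INGESTED_URNS))
```

Users who come back with `exact_match=False` but a non-empty `near_misses` are the ones whose login URN and ingested URN disagree in case or suffix; an empty tuple means the user was never ingested at all.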
a
@big-carpet-38439 Big thanks for this! Adding group members works after adding the new Metadata privilege. When it comes to the two other issues, we have triaged and, like you say, it seems to be an LDAP issue and we will investigate using OIDC instead. Thanks again!
b
Amazing.. Glad we can help get things working - but totally hear you that this is non-intuitive. I'm sure others will also trip up 😞