Anyone having any issues with DaaS admin RBAC after the latest Cloud Connector (6.138.0.11493 / 4.416.0)? After our CC's auto-updated last Friday, SAML auth'd admins, using AD based RBAC role assignment is failing for our service desk, preventing access to Monitor. FWIW, if I create an explicit Citrix Login with mirrored permissions, that works.

Im not sure i understand what you mean. If you are using EntraID to logon to the cloud console then your admin permission to get to monitor would need to be applied as a custom role based on an EntraID group. How do AD permissions factor in?

Yeah, this threw me for a loop as well Rob. Okta -> Cloud Console via SAML admin login, I was told by support that the group membership validation for RBAC occurs at the Cloud Connector doing an ldap lookup. Authentication happens at Okta, attribs are passed to saml.cloud.com/acs, prelim access is granted, call is made to cloud connector to do ldap lookup for for group membership to allow access to IAM \ Admins \ RBAC permissions based on AD groups (second screenshot). This worked flawlessly up until this weekend... in the "what changed" conversation, the only thing was the Cloud Connector update this weekend.

Ok I see it now for SAML two group membership is from a synced AD group https://docs.citrix.com/en-us/citrix-cloud/citrix-cloud-management/identity-access-management/administrator-groups I can say i cant really find any support cases on this as an issue. Have you tried rebooting the cloud connectors one at a time

Yeah, first thing I tried was "turning them off and on again".