NERM:: Users cannot be provisioned the sponsor role without APIs

Hi, we have noticed an issue with our NERM tenant.
We can add users in NERM but we cannot add the role to them when we create them.
We do have a connection to Azure, but NERM won't allow anyone to log in without a role.
When we try to provision the SSO group for sponsor, nothing reflects on the NERM side.
We asked support and their suggestion was to log in on the first try using incognito, as this refreshes the session and NERM uses that refresh to sync with Azure.

It is of course not a great user experience to have.
Has anyone else experienced this issue when trying to onboard new users onto NERM?
How did you go about fixing it?
I have a workflow in ISC as a workaround.
I figured out that you can assign roles via the APIs, so when the SSO group gets assigned to the user via ISC it will add the sponsor role to their account.
I have done this manually in the past and it always works.

So roles are not applied until the user logs in. At the time they log in, the connection is made with your IDP and the information is then populated in NERM. And you should not have to add a sponsor directly in NERM; just add them to the group that is assigning the role.

To add to the previous response, regarding “when you try to provision the SSO group for the sponsor, nothing is reflected on the NERM side”: have you checked the SAML response to see if the group name or ID is being included? If the group name or ID is present in the SAML response, check under which attribute it is being sent. As far as I know, NERM expects the groups or roles from Azure to come under the “group” claim attribute. Reviewing the SAML response should provide more clarity. Another question to consider: has this setup ever worked before?
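A quick way to run the check suggested above, as an added example that is not part of the original thread or SailPoint's code: it decodes a captured base64 SAMLResponse and reports which attribute carries a given group value. The sample response and group ID are constructed, and the expected attribute name "group" is taken from the post above as an assumption.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Default claim name Azure AD (Entra ID) uses for group object IDs.
AZURE_GROUPS = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

def saml_attributes(b64_response):
    """Decode a base64 SAMLResponse (HTTP-POST binding) into {name: [values]}.

    Diagnostic only: it does not verify the signature, so use it on a
    response captured from your own IdP, not as an authentication check.
    """
    root = ET.fromstring(base64.b64decode(b64_response))
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip()
                  for v in attr.findall("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs

def locate_group(attrs, wanted, expected_attr="group"):
    """Say whether `wanted` is in the response and under which attribute(s)."""
    found_under = [name for name, vals in attrs.items() if wanted in vals]
    return {"present": bool(found_under),
            "found_under": found_under,
            "under_expected": expected_attr in found_under}

# Constructed sample: the group ID is sent, but under Azure's default claim
# name rather than "group" (the name the post above says NERM expects).
SAMPLE_GROUP = "00000000-0000-0000-0000-000000000001"  # placeholder object ID
SAMPLE_XML = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion><saml:AttributeStatement>
    <saml:Attribute Name="email">
      <saml:AttributeValue>sponsor@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="{AZURE_GROUPS}">
      <saml:AttributeValue>{SAMPLE_GROUP}</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement></saml:Assertion>
</samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()

if __name__ == "__main__":
    attrs = saml_attributes(SAMPLE_B64)
    for name, values in attrs.items():
        print(f"{name}: {values}")
    print(locate_group(attrs, SAMPLE_GROUP))
```

To use it on a real login, copy the SAMLResponse form field from the browser's network tab (URL-decode it first if needed) and pass it to `saml_attributes`.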

I addressed this with a NERM Users source in ISC. It allows you to assign roles directly in NERM. This will get managers in place as potential Sponsors before they log in on their own. You’ll want to also ensure you assign the associated AD groups.

NERM Users Source.json (25.8 KB)


Kevin, I believe the reason it’s working for you is that you’re doing SSO to NERM through ISC.

No, the reason it is working for me is that I am making the API calls to provision users into NERM and assign them the appropriate role. I’m just showing an alternative way that I did it. @Yaseenl indicated they made these calls via workflow. I am making them via a WebService source.

@Yaseen: Did you try using the step called “Auto assign” in the create workflow? This automatically assigns the role in NERM to contributors.

Another option would be to use a REST API action, where you can call the POST method for the API “https:///api/user_role”; this should assign the role to the user. You need to pass the proper payload.
