First, enable DEBUG level logging in the AMS server, as discussed in KB article
000045262. Then consider the following possible causes and related AMS log entries that identify each cause.
In this case, the AMS log will typically contain a message like the following:
2021-10-01 08:56:34.819 DEBUG (qtp1571125860-53) com.tibco.ep.ams.auth.AMSActiveDirectoryRealm:252 -
Roles for user 'user1@example.com' from group entries: []
The role list for the user is empty ([]), which means the user's AMS roles could not be mapped to any LDAP groups. This is a symptom of one of the following causes:
- The group name(s) specified in the RoleToPrivilegeMappings do not exist in the LDAP system.
- The selected principalRoot attribute is incorrect.
- The selected principalSearch attribute is incorrect.
- The selected roleRoot attribute is incorrect.
- The selected roleAttribute attribute is incorrect.
- The roleAttribute value has a typo.
Consult your LDAP administrator to obtain the correct group names and values for these AMS configuration options. Also refer to KB article
000045254 for guidance on running LDAP searches from the command line, which can help identify the correct values for the configuration options listed above.
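As an added example (not part of this KB article or the AMS product), the following script scans AMS DEBUG log text for the AMSActiveDirectoryRealm message shown above and reports users whose role list came back empty. It assumes only the message format visible in the log excerpt; the non-empty list format ([role1, role2]) and the sample log lines are constructed.

```python
import re
from typing import Dict, List

# Matches the AMSActiveDirectoryRealm DEBUG message shown in the article.
# \s+ after the trailing '-' also spans a line wrap, so the message can sit on
# the line following the timestamp/thread/logger prefix, as in the excerpt.
ROLE_LINE = re.compile(
    r"AMSActiveDirectoryRealm:\d+ -\s+Roles for user '(?P<user>[^']+)' "
    r"from group entries: \[(?P<roles>[^\]]*)\]"
)


def parse_role_entries(log_text: str) -> Dict[str, List[str]]:
    """Return {user: [roles]} for every role-mapping message in the log text.

    A non-empty list is assumed to be comma-separated, e.g. [ams_admin, ams_operator]
    (assumption: this format is not shown in the article).
    """
    result: Dict[str, List[str]] = {}
    for m in ROLE_LINE.finditer(log_text):
        roles = [r.strip() for r in m.group("roles").split(",") if r.strip()]
        result[m.group("user")] = roles
    return result


def users_without_roles(log_text: str) -> List[str]:
    """Users whose AMS role list is empty, i.e. no LDAP group could be mapped."""
    return [user for user, roles in parse_role_entries(log_text).items() if not roles]


# Constructed sample log: one failed mapping (as in the article) and one that worked.
SAMPLE_LOG = """\
2021-10-01 08:56:34.819 DEBUG (qtp1571125860-53) com.tibco.ep.ams.auth.AMSActiveDirectoryRealm:252 -
Roles for user 'user1@example.com' from group entries: []
2021-10-01 08:57:01.102 DEBUG (qtp1571125860-54) com.tibco.ep.ams.auth.AMSActiveDirectoryRealm:252 - Roles for user 'admin1@example.com' from group entries: [ams_admin, ams_operator]
"""

if __name__ == "__main__":
    for user in users_without_roles(SAMPLE_LOG):
        print(f"{user}: no AMS role mapped; verify RoleToPrivilegeMappings, "
              f"principalRoot, principalSearch, roleRoot and roleAttribute")
```

Run it against a saved AMS log file by replacing SAMPLE_LOG with the file's contents; every user it lists should be checked against the cause list above.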