After our weekly LDAP synchronization last Friday, project managers are reporting that Gantt charts in the Program Management module won’t load. Users get a ‘403 Forbidden’ error when trying to access project timelines.
The browser console shows:
GET /enovia/resources/v1/modeler/projects/{id}/gantt
Status: 403 Forbidden
Response: {"error":"Insufficient privileges for resource access"}
This affects about 40 users who had working access before the sync. We suspect the LDAP group-to-role mapping got disrupted somehow, but we’re not sure where to start troubleshooting. The LDAP sync logs show successful completion with no errors. However, when we check individual user roles in ENOVIA, they still appear to have ‘Project Manager’ and ‘Project Lead’ roles assigned correctly. The REST endpoint access policy might have changed, but we haven’t modified any security configurations manually. Has anyone dealt with Gantt chart access issues after LDAP integration updates?
We encountered this exact issue in our R2021x environment. The problem was that our LDAP sync process was updating the ‘memberOf’ attributes for users, but ENOVIA’s role assignment automation wasn’t picking up the changes correctly. The roles appeared correct in the UI because the UI checks direct role assignments, but the REST API access policy was checking group-based role derivation which wasn’t being updated. We had to modify our LDAP sync job to explicitly trigger role re-evaluation after each sync cycle. Also check if your LDAP groups are mapped to ENOVIA roles using the correct distinguished name format - if the DN format changed in your LDAP directory, the mapping breaks silently.
Check if the LDAP sync modified the role assignment source. Sometimes when roles are re-synchronized, they get marked as ‘LDAP-managed’ which can affect how access policies evaluate them. Verify the role assignment origin in the database.
I bet the LDAP sync changed the group membership timestamps or attributes that ENOVIA uses for access caching. Try forcing a role cache refresh for affected users.
We saw similar behavior when our LDAP group names changed. Even though users had roles, the REST endpoint couldn’t validate them because the group mapping was stale. Clear the authentication cache and restart the REST services.
The 403 error on the REST endpoint is the key symptom here. ENOVIA R2021x has specific access policies for REST API endpoints that are separate from UI access. Even if users have the correct roles, they need explicit REST API access grants. Check your REST service security configuration - navigate to the security context for the ‘modeler’ service and verify that ‘Project Manager’ role has GET access to the /gantt endpoint. Also review if your LDAP sync process is updating role attributes that affect API access rights.