We’re experiencing a critical issue with user role assignments in the asset lifecycle module after our recent LDAP integration. The LDAP sync job completes successfully without errors in the logs, but user roles aren’t being updated in NetSuite.
The problem manifests when employees initiate asset transfers - the approval workflow fails for certain users who should have the Asset Manager role based on their AD group membership. The sync dashboard shows ‘Success’ status and user accounts are created properly, but the role mapping simply doesn’t apply.
What’s particularly puzzling is that manual role assignment through the UI works perfectly fine for the same users. We’ve verified the LDAP attribute mapping configuration multiple times and it matches our documentation. This is becoming a serious bottleneck as we can’t scale our asset management process when every role assignment requires manual intervention.
Has anyone encountered similar LDAP sync behavior where the job completes but role assignments don’t propagate? We’re on 2023.1 and this started after a recent security patch.
I’ve seen this before. Check your LDAP mapping configuration - specifically the Group DN field. Even though the sync shows success, if the group distinguished name doesn’t exactly match what’s in Active Directory, roles won’t map. Also verify that the LDAP attribute you’re using for role mapping (usually memberOf) is actually being returned in the sync query.
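An added diagnostic, not code from this thread or from NetSuite, that shows the Group DN exact-match point in plain JavaScript (no NetSuite modules): it compares the memberOf values a sync returns against a group-to-role mapping table and flags groups that only match after case and whitespace normalization. The mapping table, DNs and role names are constructed sample data.

```javascript
// Added example (not from the thread or from NetSuite). Plain JavaScript only;
// the mapping table and memberOf values below are constructed sample data.

// Lenient DN normalization: split on unescaped commas, trim whitespace around
// each RDN, lower-case attribute types and values. Used only to detect
// "same group, different spelling" mismatches that an exact-match sync skips.
function normalizeDn(dn) {
  return dn
    .split(/(?<!\\),/)
    .map(rdn => rdn.trim())
    .map(rdn => {
      const i = rdn.indexOf('=');
      if (i < 0) return rdn.toLowerCase();
      return rdn.slice(0, i).trim().toLowerCase() + '=' +
             rdn.slice(i + 1).trim().toLowerCase();
    })
    .join(',');
}

// memberOf: DN strings returned by the sync; mapping: [{ groupDn, role }].
// Returns the roles that would apply on exact match, plus the groups that
// match only leniently (configured DN differs from what AD returns) and
// the groups with no mapping entry at all.
function diagnoseRoleMapping(memberOf, mapping) {
  const result = { roles: [], exact: [], nearMiss: [], unmapped: [] };
  const normMap = mapping.map(m => ({ ...m, norm: normalizeDn(m.groupDn) }));
  for (const dn of memberOf) {
    const exactHit = normMap.find(m => m.groupDn === dn);
    if (exactHit) { result.exact.push(dn); result.roles.push(exactHit.role); continue; }
    const lenientHit = normMap.find(m => m.norm === normalizeDn(dn));
    if (lenientHit) {
      result.nearMiss.push({ returned: dn, configured: lenientHit.groupDn, role: lenientHit.role });
    } else {
      result.unmapped.push(dn);
    }
  }
  result.roles = [...new Set(result.roles)];
  return result;
}

// Constructed sample: the second mapping entry has a stray space and "ou=" in
// lower case, so it never matches the DN that AD actually returns.
const SAMPLE_MAPPING = [
  { groupDn: 'CN=Asset Managers,OU=Groups,DC=example,DC=com', role: 'Asset Manager' },
  { groupDn: 'CN=Finance Approvers, ou=Groups,DC=example,DC=com', role: 'Finance Approver' },
];
const SAMPLE_MEMBER_OF = [
  'CN=Asset Managers,OU=Groups,DC=example,DC=com',
  'CN=Finance Approvers,OU=Groups,DC=example,DC=com',
  'CN=All Staff,OU=Groups,DC=example,DC=com',
];

function runSample() { return diagnoseRoleMapping(SAMPLE_MEMBER_OF, SAMPLE_MAPPING); }
```

Running `runSample()` reports Asset Manager as the only role that applies, Finance Approver as a near-miss caused by the mapping entry's spelling, and All Staff as unmapped.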
This sounds like a timing issue with the role provisioning service. After LDAP sync creates or updates users, there’s a separate background process that applies roles based on group membership. If that service is overloaded or has errors, you’ll see exactly this behavior - successful sync but no role updates.
Navigate to Setup > Users/Roles > Manage Authentication and check the ‘Role Provisioning Status’ section. Look for any failed provisioning jobs that correspond to your sync times. You might also want to check if there are any custom SuiteScripts that are interfering with the standard role assignment process. We had a similar issue where a beforeSubmit script on the Employee record was preventing role updates from the LDAP sync.
Thanks for the suggestions. I checked the role provisioning status and found several ‘Pending’ entries that never completed. The LDAP group DN mappings look correct, and the memberOf attribute is definitely being returned - I can see it in the sync logs. The interesting thing is that when I manually trigger a role update for a specific user, it works immediately, which suggests the mapping configuration itself is valid but something in the automated process is broken.
Have you verified the LDAP group-to-NetSuite role mapping table? Sometimes the mappings get cleared during updates. Also check if the users are in multiple AD groups that might have conflicting role assignments.
Check your LDAP Connection Settings under Setup > Company > Setup Tasks > LDAP Authentication. There’s a setting called ‘Auto-Assign Roles’ that needs to be enabled for automatic role provisioning. Also verify that the ‘Role Mapping Enabled’ checkbox is checked for each specific role you’re trying to assign.
Another thing - in 2023.1, there was a known issue where role provisioning would fail silently if the user record had certain custom fields that weren’t properly initialized during LDAP sync. The workaround was to add a saved search that identifies users with incomplete profiles and a scheduled script to fix them before role assignment runs.