Identities in multiple roles (AD based claims)

I am currently using role based access via local AD groups to authenticate users.

The issue I am running into is I have a role called boarding which can view specific dashboards but I also want to give those users in the boarding role read only access. If I put that user in both AD groups it doesn’t work as expected.

How would we be able to have a single identity/user be able to view dashboards and have read-only access to the platform to be able to view scripts/jobs?

I could just throw them in the reader role and allow reader to view the dashboard but that doesn’t make much sense as far as hardening the platform.

Thanks in advance.

```powershell
New-PSURole -Name "Boarding" -Description "Boarding have access to read-only access to UA and view dashboards." -Policy {
    param(
        $User
    )
    # AD group SID for the Boarding group; granted when the group SID claim is present
    $SID = 'S-1-5-21-113319999-185123456-185123456-123456'
    If ($User.HasClaim("http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", $SID)) {
        $true
    }
    else {
        $false
    }
}
New-PSURole -Name "Reader" -Description "Readers have read-only access to UA. They cannot make changes to any entity within the system." -Policy {
    param(
        $User
    )
    # AD group SID for the Reader group; granted when the group SID claim is present
    $SID = 'S-1-5-21-113319999-185123456-185123456-123457'
    If ($User.HasClaim("http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", $SID)) {
        $true
    }
    else {
        $false
    }
}
```
Product: PowerShell Universal
Version: 1.5.14
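As an added example (not from the original post or from PowerShell Universal itself), the two role policies above can be evaluated offline against a constructed ClaimsPrincipal, which is the object type that exposes `HasClaim`. This checks that each policy grants independently for a user carrying both group SID claims and denies for a user carrying neither, so a failure seen in the product can be separated from a defect in the policy logic. The `New-TestPrincipal` and `Test-RolePolicy` helpers are assumptions; the claim type and SIDs are taken from the post.

```powershell
# Added example: evaluate PSU-style role policies outside PSU against a
# constructed System.Security.Claims.ClaimsPrincipal (helpers are assumptions).
$GroupSidClaim = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid'
$BoardingSid   = 'S-1-5-21-113319999-185123456-185123456-123456'   # from the post
$ReaderSid     = 'S-1-5-21-113319999-185123456-185123456-123457'   # from the post

# The same logic as the two -Policy script blocks above, keyed by role name.
# Each policy grants only on its own group SID claim and denies otherwise.
$RolePolicies = @{
    Boarding = { param($User) [bool]$User.HasClaim($GroupSidClaim, $BoardingSid) }
    Reader   = { param($User) [bool]$User.HasClaim($GroupSidClaim, $ReaderSid) }
}

function New-TestPrincipal {
    # Build a principal carrying one groupsid claim per SID supplied (constructed test data).
    param([string[]]$GroupSids = @())
    $claims = @(foreach ($sid in $GroupSids) {
        [System.Security.Claims.Claim]::new($GroupSidClaim, $sid)
    })
    $identity = [System.Security.Claims.ClaimsIdentity]::new(
        [System.Security.Claims.Claim[]]$claims, 'Windows')
    [System.Security.Claims.ClaimsPrincipal]::new($identity)
}

function Test-RolePolicy {
    # Run every role policy against $User and report which roles would be granted.
    param($User)
    $granted = @{}
    foreach ($role in $RolePolicies.Keys) {
        $granted[$role] = & $RolePolicies[$role] $User
    }
    $granted
}

# A user in both AD groups: both policies should return True.
$bothGroups = New-TestPrincipal -GroupSids $BoardingSid, $ReaderSid
"User in both groups:"
Test-RolePolicy $bothGroups | Format-Table -AutoSize

# A user in only the Boarding group: Boarding True, Reader False.
"User in Boarding only:"
Test-RolePolicy (New-TestPrincipal -GroupSids $BoardingSid) | Format-Table -AutoSize

# A user with no group SID claims: deny by default, both False.
"User with no group claims:"
Test-RolePolicy (New-TestPrincipal) | Format-Table -AutoSize
```

If the offline evaluation grants both roles but the deployed server still prompts or denies, the cause lies outside the policy script blocks (for example a stale cached identity, as the later reply in this thread found), not in the claim checks.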

Is the admin console not visible in this case? What you’ve configured should work so if you can’t access the console with this setup, I think it’s a bug.

When the user is in both of those AD groups with this configured, I cannot access the /admin URL or the dashboard. I get the Windows security authentication prompt.

@adam - After further testing I think I got it working. I had to do the following.

  • Add the user to the two AD groups
  • Delete any existing identity for the user on the PSU platform
  • Restart IIS instance