We had linked Idash to EEM and EEM is integrated with AD and in EEM we are using Dynamic User Groups (DUG) 




Only people who are part of Default policy are able to generate the reports and when a access policy is searching for identities in DUG, it is not allowing.

Reviewed Debug_EEM.log file and found that non admin user has is getting access denied 

Normal user activity:

No matching Explicit Deny policies returned
No matching Explicit Grant policies returned
No explicit deny/grant - checking delegations for resource create/idash-report/*D12*. Delegator Level: 1.
No deny delegation policies match.
No delegation policies match.
Checking for obligations for resource [create/idash-report/*D12*] and action [FulfillOnDeny].




admin user activity:

No matching Explicit Deny policies returned
Matching Explicit Grant Policy "Default Report Name Policy" has no filters - access granted.
Access was explicitly granted - exiting.
Checking for obligations for resource [create/idash-report/*D12*] and action [FulfillOnGrant].

You would need to add the domain to user in the Identity field within EEM, to get the permission checked to work.

Follow these steps:
In CA EEM, click the Manage Access Policies tab.
Select Dynamic User Group Policies from the policies column on the left side of the window.
In the policy table, click the Add icon to create a new DUG, or click an existing DUG name to edit the group details.
Under Identities, enter the identity of the user being added to the DUG in the Identity field -add the domain to user-, or click Search Identities to search for the user.
Click the arrow icon to add the user to the DUG.
The user now appears in the Selected Identities section.
Click Save.

Add Users to EEM Dynamic User Groups (DUG)