This is not a 403 error: users successfully get through to Automation after authentication, but then see incorrect services or no services at all.
Users may also see unfamiliar services, or receive the error "An Error Occurred" "Please try again later" and see no services in the VMware Aria Automation Cloud Services Console.
An Error Occurred
Please try again later... [OK]
The identity-service-app log displays the error below.
Path: /services-logs/prelude/identity-service-app/file-logs/identity-service-app.log
"GET /csp/gateway/am/api/userinfo HTTP/1.1" 500 169 8080 161 ms
Date_Time INFO identity-service [host='identity-service-app-123456789' thread='reactor-http-epoll-2' user='username (11111-2222-3333-4444-5555555555)' org='11111-2222-3333-4444-5555555555' trace='11111-2222-3333-4444-5555555555' parent='123456789' span='123456789'] com.vmware.identity.rest.RestClient.lambda$logRequest$1:86 - GET https://FQDN/SAAS/jersey/manager/api/scim/Users?filter=(userName%)
Date_Time ERROR identity-service [host='identity-service-app-123456789' thread='reactor-http-epoll-2' user='username (11111-2222-3333-4444-5555555555)' org='11111-2222-3333-4444-5555555555' trace='11111-2222-3333-4444-5555555555' parent='123456789123456789' span='123456789123456789'] c.v.i.c.RestResponseEntityExceptionHandler.logError:225 - Handling generic exception: There is more than 1 user found.
java.lang.IllegalStateException: There is more than 1 user found.
at com.vmware.identity.common.util.IdmUserUtil.getUserResource(IdmUserUtil.java:33) ~[classes!/:na]
Suppressed: reactor.core.publisher.FluxOnAssembly$OnAssemblyException:
This issue occurs when the same Directory Search Attribute, such as SAMAccountName, is used in multiple domains in VMware Identity Manager.
If this is the case, the attribute must be unique across all domains available to Aria Automation from Identity Manager.
For now, this is working as designed: because Automation uses this Search Attribute to distinguish between accounts, these users are getting mixed up.
Please see this docs page for some discussion:
https://docs.vmware.com/en/VMware-Aria-Automation/8.16/Administering-VMware-Aria-Automation/GUID-77BF8FFD-8A09-42CC-A2D3-DB0E92F00CD7.html
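To see which accounts are hitting the ambiguous lookup, the log can be scanned for the error shown above. This is an added example, not VMware code: the function names and the sample lines (modelled on the excerpt in this article, with made-up users and IDs) are assumptions.

```python
import re
from collections import Counter

# Message this article shows in identity-service-app.log for an ambiguous lookup.
AMBIGUOUS = "There is more than 1 user found."
# Matches the key='value' pairs inside the bracketed context block of a log line.
FIELD = re.compile(r"(\w+)='([^']*)'")

def ambiguous_lookups(lines):
    """Return one {user, org, trace} dict per ERROR line reporting the ambiguous lookup."""
    hits = []
    for line in lines:
        # Stack-trace lines repeat the message but carry no context block; skip them.
        if " ERROR " not in line or AMBIGUOUS not in line:
            continue
        start, end = line.find("["), line.find("]")
        if start == -1 or end < start:
            continue
        fields = dict(FIELD.findall(line[start:end]))
        # The user field is logged as "name (id)"; keep only the name.
        user = fields.get("user", "").split(" (")[0]
        hits.append({"user": user, "org": fields.get("org", ""),
                     "trace": fields.get("trace", "")})
    return hits

def affected_users(lines):
    """Count ambiguous lookups per user name (lower-cased, as AD names ignore case)."""
    return Counter(h["user"].lower() for h in ambiguous_lookups(lines))

# Constructed sample lines in the format of the excerpt above.
CTX = "[host='identity-service-app-1' thread='reactor-http-epoll-2' user='{u}' org='org-1' trace='{t}' parent='p1' span='s1']"
ERR = " c.v.i.c.RestResponseEntityExceptionHandler.logError:225 - Handling generic exception: " + AMBIGUOUS
SAMPLE = [
    "2024-01-01T10:00:00Z INFO identity-service " + CTX.format(u="jdoe (aaaa-1111)", t="tr-1")
    + " com.vmware.identity.rest.RestClient.lambda$logRequest$1:86 - GET https://FQDN/SAAS/jersey/manager/api/scim/Users?filter=(userName%)",
    "2024-01-01T10:00:00Z ERROR identity-service " + CTX.format(u="jdoe (aaaa-1111)", t="tr-1") + ERR,
    "java.lang.IllegalStateException: " + AMBIGUOUS,
    "2024-01-01T10:05:00Z ERROR identity-service " + CTX.format(u="JDoe (aaaa-1111)", t="tr-2") + ERR,
    "2024-01-01T10:07:00Z ERROR identity-service " + CTX.format(u="asmith (bbbb-2222)", t="tr-3") + ERR,
]

if __name__ == "__main__":
    for user, count in affected_users(SAMPLE).most_common():
        print(f"{user}: {count} ambiguous lookup(s)")
```

Each name it reports is a candidate for a Search Attribute value that exists in more than one domain in Identity Manager.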
The workaround will cause a break in assigned roles on the removed domain.
These will need to be reassigned to users in Automation.