Symptoms
URM Service Returning Incorrect User Accounts
Diagnoses
After upgrade encountering similar issue to what is described here: http://community.k2.com/t5/K2-blackpearl/URM-Service-Issue/td-p/79935
Different accounts are being returned from the GetRolesUsers method compared to what is shown in K2 workspace regardless of running the role cache expiring SQL script.
Happening in at least DEV, QA, and UAT environments.
Resolution
It was determined that some of the users specified in the role were disabled in Active Directory (and as such will also be disabled in the K2 Identity Service) this resulted in the differences that we see when executing the "UMUser > Get Role Users" method vs K2 Workspace > Management > [Server:Port] > Roles. As such, these disabled users were removed from the role.
Additionally if a user belongs to an AD group role item that was included in the role if an explicit role item entry for this user also exists but is excluded the explicit exclusion will take precedence over the group membership inclusion.
To refresh a non-dynamic role's membership right away, you can use the ForceIdentityServiceRefreshV2 tool to first expire the role membership specify the role name, matching type dropdown of 'Role' and check the 'Membership' property. Then to force the resolving of the Role membership execute the Smartobject Service Tester Tool > All Smartobject > UmUser > Get Role Users method against the role (twice).
