

Inconsistency between runtime Access Policy and People Picker Behavior (CQ 134290)

An inconsistency occurs between an access policy and the people picker when CA SiteMinder Forms protection is configured for a SharePoint web application or zone.

User access to a SharePoint site is governed first by the CA SiteMinder user policy and then by the SharePoint permissions.

The behavior changes when SharePoint permissions are configured through the People and Groups dialog (people picker) and CA SiteMinder protection is configured using ASP.NET Forms authentication. In that configuration, the list of users and groups that the people picker returns is governed only by the CA SiteMinder user directory connection object; the CA SiteMinder user access policy does not affect the results.

This behavior means that while a SharePoint site administrator can select users using the People and Groups dialog (people picker) and grant them access to a SharePoint resource, CA SiteMinder denies those users access to the resource at runtime if the user policy does not include them.

As a workaround, do the following steps:

  1. Create CA SiteMinder user directory connection objects that are restricted to the set of users contained in the CA SiteMinder user policy associated with the SharePoint sites.
  2. Include the directory object in the policy and select all users from this directory object in the user policy.
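The following script is an added example, not part of the CA documentation, that models the two-stage check described above (the CA SiteMinder user policy is evaluated first, SharePoint permissions second) and reconciles people-picker grants against the policy's user set. The directory, policy and grant data are constructed sample values, and the function names are the example's own; in practice the two inputs would be exported from the SharePoint site permissions and from the CA SiteMinder policy's user membership.

```python
"""Reconcile SharePoint people-picker grants with the CA SiteMinder user policy.

Added example with constructed data; not CA SiteMinder or SharePoint code.
"""
from typing import Iterable, List, Optional, Set, Tuple

Grant = Tuple[str, str]  # (site, user)

# Constructed sample: every user the directory connection object can return.
# In the scenario this page describes, the people picker is scoped by this
# object, not by the user policy, so all of these users are selectable.
DIRECTORY_USERS: Set[str] = {"alice", "bob", "carol", "dave", "erin"}

# Constructed sample: users the CA SiteMinder user policy for hr-site allows.
POLICY_USERS: Set[str] = {"alice", "bob", "carol"}

# Constructed sample: grants a site administrator made through the people picker.
# "dave" and "erin" are selectable in the picker but absent from the policy.
SHAREPOINT_GRANTS: List[Grant] = [
    ("hr-site", "alice"),
    ("hr-site", "dave"),
    ("hr-site", "erin"),
    ("hr-site", "bob"),
]


def picker_candidates(directory_users: Iterable[str],
                      restricted_to: Optional[Iterable[str]] = None) -> Set[str]:
    """Model the people picker's candidate list.

    Without a restriction this is the whole directory connection object (the
    behavior the page describes). With the workaround applied, the directory
    object is restricted to the policy's users, so only those are returned.
    """
    candidates = set(directory_users)
    if restricted_to is not None:
        candidates &= set(restricted_to)
    return candidates


def runtime_access(user: str, site: str, policy_users: Iterable[str],
                   grants: Iterable[Grant]) -> bool:
    """Evaluate access in the order the page states: policy first, then SharePoint."""
    if user not in set(policy_users):
        return False  # CA SiteMinder denies before SharePoint is consulted
    return (site, user) in set(grants)


def find_mismatches(grants: Iterable[Grant],
                    policy_users: Iterable[str]) -> List[Grant]:
    """Return grants that SharePoint accepts but CA SiteMinder will deny at runtime."""
    allowed = set(policy_users)
    return sorted((site, user) for site, user in grants if user not in allowed)


def main() -> None:
    print("People picker returns:", sorted(picker_candidates(DIRECTORY_USERS)))
    for site, user in find_mismatches(SHAREPOINT_GRANTS, POLICY_USERS):
        print(f"MISMATCH: {user} granted on {site} but not in the user policy")
    restricted = picker_candidates(DIRECTORY_USERS, restricted_to=POLICY_USERS)
    print("After workaround, picker returns:", sorted(restricted))


if __name__ == "__main__":
    main()
```

Running the reconciliation on a real export turns the silent runtime denial into an explicit list of grants to clean up, and the `restricted_to` path shows why the workaround removes the mismatch: once the directory connection object only contains the policy's users, every selectable user is also an allowed user.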