Group membership mechanism

Hi,
We have a user ‘AdminTest’ on Tacacs server , it’s group is operator .Then a same username ‘AdminTest’ also on local db,it’s group is admin.

When we login AdminTest via Tacacs , the expected role is operator,but the result is assigned to groups : admin, operator.
I find that the user is assigned to groups by consulting data under /nacm/groups in confd user guide.

So I want to know if there is a way that will not consult the data under /nacm/groups when login user via tacacs server.

refer ro the topic ’ TACACs and local users with the same user name but different permissions

You are providing the group(s) that the user belongs to from the external tacacs or local authentication. That group assignment is then used by NACM for authorization.
Check your /confdConfig/aaa/authOrder setting in confd.conf, see the confd.conf(5) man page for details, and that the correct groups are returned by the external authentication executable configured in configured in /confdConfig/aaa/externalAuthentication/executable.
See also ConfD UG chapter “External authentication”.