---++ Description of problem

unable to use PAM groups to define Access Control Lists in pacemaker

---++ Version-Release number of selected component (if applicable)

pacemaker-cli-1.1.12-22.el7_1.2.x86_64
pacemaker-1.1.12-22.el7_1.2.x86_64

---++ How reproducible

always.

---++ Steps to Reproduce

1. create a group
   groupadd rogrou
2. create a user
   useradd -G haclient,rogroup rouser
3. verify
   id rouser
4. uid=4101(rouser) gid=4101(rouser)
5. groups=4101(rouser),189(haclient),10001(rogroup)

1. enable acl
   pcs acl enable
2. define role
   pcs acl role create readonly read xpath /cib
3. add group
   pcs acl group create rogroup readonly
4. verify
   pcs acl

1. ACLs are enabled
   #
2. Group: rogroup
3. Roles: readonly
4. Role: readonly
5. Permission: read xpath /cib (readonly-read)

---++ Actual results

[rouser@nodea ~]$ pcs resource
Error: unable to get resource list from crm_resource
Error performing operation: Permission denied

---++ Expected results

resource status shown.

---++ Notes

Directly assigning roles to the user works (pcs acl user create rouser readonly), but groups should be used as multiple users need the same permissions.