Folder Delete permission through Monitored Employee Group assignment does not revoke properly when an individual is removed from the AD Group.

Article: TECH190311  |  Created: 2012-06-04  |  Updated: 2013-07-31  |  Article URL: http://www.symantec.com/docs/TECH190311
Article Type
Technical Solution


Environment

Issue



When a user is added to a group in Compliance Accelerator (CA) that has "custom roles" assigned to it and is later removed from that group, the user still has rights to perform actions as if no removal had taken place. Only when the permission cache is off or updated are the permissions corrected and/or access denied.

This does not appear to happen on the predefined roles.

 


Cause



The permissions cache does not appear to be fully updated when the user is removed from a group. Only when the user executes a function for which access has been revoked does the cache get corrected, and in that case the system first performs the action of the function and then updates the permissions, so the action has already been allowed.

Workaround:

Change the "Permissions Cache option" to "0". The issue exists if this setting value is "2" (the default).

  1. From the CA Client, select the Configuration tab, then the Settings sub-tab.
  2. Hold CTRL key and click on Configuration Settings in the heading banner to display the hidden settings.
  3. Expand the Security section to display the Permission Cache Option setting.
  4. Click the Value column.
  5. Change the entry from "2" (default value) to "0" (zero).
  6. Click the Save button to save the change.
  7. Restart the Enterprise Vault Accelerator Manager Service (EVAMS) on the CA server to put the changes into effect.

Note:  A slight client access performance degradation may occur with the "Permissions Cache option" set to 0.
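
The ordering described under Cause, and the effect of the workaround, as a simplified Python model. This is an added example, not Compliance Accelerator code; the class names, the `folder_delete` action and the `use_cache` flag (False standing for the permissions cache being off) are assumptions made for illustration.

```python
class Directory:
    """Source of truth for group membership (stands in for AD group lookups)."""
    def __init__(self):
        self.members = {}                      # group -> set of users

    def add(self, group, user):
        self.members.setdefault(group, set()).add(user)

    def remove(self, group, user):
        self.members.get(group, set()).discard(user)

    def groups_of(self, user):
        return {g for g, users in self.members.items() if user in users}


class Authorizer:
    """Hypothetical authorizer with the act-then-refresh ordering from Cause."""
    def __init__(self, directory, role_grants, use_cache):
        self.directory = directory
        self.role_grants = role_grants         # group -> actions its custom role grants
        self.use_cache = use_cache             # False models the cache being off
        self.cache = {}                        # user -> cached set of actions

    def _resolve(self, user):
        perms = set()
        for group in self.directory.groups_of(user):
            perms |= self.role_grants.get(group, set())
        return perms

    def perform(self, user, action):
        """Return True if the action was allowed to run."""
        if not self.use_cache:
            return action in self._resolve(user)    # always checks current membership
        if user not in self.cache:
            self.cache[user] = self._resolve(user)
        allowed = action in self.cache[user]        # decision made on cached data
        self.cache[user] = self._resolve(user)      # cache corrected only afterwards
        return allowed


def demo(use_cache):
    """Constructed scenario: grant, remove from group, then try the action twice."""
    group, user = "Monitored Employee Group", "alice"   # sample names
    directory = Directory()
    directory.add(group, user)
    auth = Authorizer(directory, {group: {"folder_delete"}}, use_cache)
    results = [auth.perform(user, "folder_delete")]        # still a member
    directory.remove(group, user)
    results.append(auth.perform(user, "folder_delete"))    # first call after removal
    results.append(auth.perform(user, "folder_delete"))    # second call after removal
    return results
```

With the cache on, the model allows the first action after removal and denies only the second; with the cache off, the first action after removal is already denied.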


Solution



This issue has been addressed in the following releases:


Enterprise Vault 10.0.2 cumulative Hotfix 2 Release
http://www.symantec.com/docs/TECH201383

Enterprise Vault 10.0.3 - Release Details
http://www.symantec.com/docs/TECH193300


Supplemental Materials

Source: ETrack
Value: 2736708
Description:

Permissions Cache causes Folder Delete permission through Monitored Employee Group assignment to not revoke properly when an individual is removed from the AD Group.


