Folder Delete permission through Monitored Employee Group assignment do not revoke properly when an individual is removed from the AD Group.
|Article:TECH190311|||||Created: 2012-06-04|||||Updated: 2013-01-23|||||Article URL http://www.symantec.com/docs/TECH190311|
When a user is added to a group in Compliance Accelerator(CA) that has "custom roles" assigned to it and then later removed from said group, the user still have rights to perform actions as if no removal action had been taken. Only when the permission cache is off or updated are the permissions corrected and/or access denied.
This does not appear to happen on the predefined roles.
The permissions cache does not appear to be fully updated when the user is removed from a group. Only when the user executes a function where access has been revoked will the system first perform the action of the function and then update the permissions, even though it the action has already been allowed.
Change the "Permissions Cache option" to "0". The issue exist if this setting value is "2" (the default).
- From the CA Client, select the Configuration tab, then the Settings sub-tab.
- Hold CTRL key and click on Configuration Settings in the heading banner to display the hidden settings.
- Expand the Security section to display the Permission Cache Option setting.
- Click the Value column.
- Change the entry from "2" (default value) to "0" (zero).
- Click the Save button to save the change.
- Restart the Enterprise Vault Accelerator Manager Service (EVAMS) on the CA server to put the changes into effect.
Note: A slight client access performance degradation may occur with the "Permissions Cache option" set to 0.
Permissions Cache causes Folder Delete permission through Monitored Employee Group assignment to not revoke properly when an individual is removed from the AD Group.
Article URL http://www.symantec.com/docs/TECH190311