Important Update: Cohesity Products Knowledge Base Articles
All Cohesity Knowledge Base Articles are now managed via the Cohesity Support Portal: https://support.cohesity.com/. The Knowledge Base articles available here will not reflect the latest information or may no longer be accessible.
Problem
Attempting to access the Archives tab under Application in the Enterprise Vault Compliance Accelerator/Surveillance (CA) thin client/web UI as any user that is not the Vault Service Account (VSA) returns the user to the login page, even when the user is assigned to an Application Role with the Modify System Configuration Permission selected. Only the VSA can access the Application Archives tab in the web UI.
Error Message
There is no error message displayed in the web UI. A DTrace on the W3WP process may list entries similar to the following (formatted with line breaks for easier reading):
[1234] (w3wp) <567> EV-H {RBO_Archives} {C2} Application level permission demand failed; User='...' Context='GetVaults': Stacktrace:
| at KVS.Accelerator.RBO.RBO_Base.LogDemandFailure(String type, Nullable`1 CaseID, Object Context)
| at KVS.Accelerator.RBO.RBO_Base.DemandAppLevelPermission(Object Context)
| at KVS.Accelerator.RBO.RBO_Base.DemandCaseLevelPermission(Int32 CaseID, Object Context)
| at KVS.Accelerator.RBO.RBO_Archives.GetArchivesForSelectedVaultStore(Int32 caseID, ArchivesEntity filterApplied)
|(truncated to 4 frames)
[1234] (w3wp) <567> EV-H {-} Exception: You no longer have the necessary permissions to perform the requested operation.
Info:{RBO_ArchivesWrapper} {C2}
Diag:
Type:KVS.Accelerator.Common.AccUserNotPermittedException
ST: at KVS.Accelerator.RBO.RBO_Base.DemandAppLevelPermission(Object Context)
| at KVS.Accelerator.RBO.RBO_Base.DemandCaseLevelPermission(Int32 CaseID, Object Context)
| at KVS.Accelerator.RBO.RBO_Archives.GetArchivesForSelectedVaultStore(Int32 caseID, ArchivesEntity filterApplied)
| at Veritas.Supervision.ApiEndpoint.Infrastructure.RBOWrappers.RBO_ArchivesWrapper.GetArchivesForSelectedVaultStore(Int32 deptId, Archives filter) Inner:None
[1234] (w3wp) <567> EV-H {-} {SupervisonExceptionFilter} {C2} An unhandled exception was thrown by Supervision REST API - You no longer have the necessary permissions to perform the requested operation., at Veritas.Supervision.ApiEndpoint.Infrastructure.RBOWrappers.RBO_ArchivesWrapper.GetArchivesForSelectedVaultStore(Int32 deptId, Archives filter)
| at Veritas.Supervision.ApiEndpoint.Infrastructure.Services.ArchiveService.GetArchivesForSelectedVaultStore(Int32 deptId, Archives filter)
...
| at System.Web.Http.Controllers.ExceptionFilterResult.<ExecuteAsync>d__6.MoveNext()
[1234] (w3wp) <567> EV-H {-} {SupervisonExceptionFilter} {C2} Caught an exception in global exception filter for REST API - KVS.Accelerator.Common.AccUserNotPermittedException: You no longer have the necessary permissions to perform the requested operation.
| at Veritas.Supervision.ApiEndpoint.Infrastructure.RBOWrappers.RBO_ArchivesWrapper.GetArchivesForSelectedVaultStore(Int32 deptId, Archives filter)
| at Veritas.Supervision.ApiEndpoint.Infrastructure.Services.ArchiveService.GetArchivesForSelectedVaultStore(Int32 deptId, Archives filter)
| at lambda_method(Closure , Object , Object[] )
...
| at System.Web.Http.Controllers.ReflectedHttpActionDescriptor.ExecuteAsync(
[1234] (w3wp) <567> EV-H {-} {SupervisonExceptionFilter} {C2} Caught an exception in global exception filter for REST API request - 1234ABCD-12AB-34CD-56EF-123456ABCDEF accountId - X. Exception details - KVS.Accelerator.Common.AccUserNotPermittedException: You no longer have the necessary permissions to perform the requested operation.
| at Veritas.Supervision.ApiEndpoint.Infrastructure.RBOWrappers.RBO_ArchivesWrapper.GetArchivesForSelectedVaultStore(Int32 deptId, Archives filter)
| at Veritas.Supervision.ApiEndpoint.Infrastructure.Services.ArchiveService.GetArchivesForSelectedVaultStore(Int32 deptId, Archives filter)
...
| at System.Web.Http.Controllers.ExceptionFilterResult.<ExecuteAsync>d__6.MoveNext()
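Because the web UI shows no error, a saved DTrace is the only place this failure is visible. The following PowerShell is an added example, not Veritas or Cohesity code: it pairs each "permission demand failed" entry with the AccUserNotPermittedException that follows it. The function name is hypothetical and the sample lines are constructed from the entries above.

```powershell
# Constructed sample, abbreviated from the DTrace entries on this page.
# For a real trace use: $lines = Get-Content -Path <saved DTrace log>
$lines = @'
[1234] (w3wp) <567> EV-H {RBO_Archives} {C2} Application level permission demand failed; User='...' Context='GetVaults': Stacktrace:
| at KVS.Accelerator.RBO.RBO_Base.DemandAppLevelPermission(Object Context)
[1234] (w3wp) <567> EV-H {-} Exception: You no longer have the necessary permissions to perform the requested operation.
Type:KVS.Accelerator.Common.AccUserNotPermittedException
[1234] (w3wp) <890> EV-M {-} Constructed unrelated entry
'@ -split "`r?`n"

function Find-PermissionDemandFailure {   # hypothetical helper name
    param([string[]]$Lines)
    # Header layout as shown on this page: [pid] (process) <thread> level {component} ...
    $demand = "^\[(?<procid>\d+)\] \((?<proc>[^)]+)\) <(?<tid>\d+)> .*\{(?<comp>RBO_\w+)\}.*" +
              "permission demand failed; User='(?<user>[^']*)' Context='(?<ctx>[^']*)'"
    $results = @()
    $pending = $null
    foreach ($line in $Lines) {
        if ($line -match $demand) {
            if ($pending) { $results += $pending }
            $pending = [pscustomobject]@{
                ProcessId = $Matches.procid; Process = $Matches.proc; ThreadId = $Matches.tid
                Component = $Matches.comp;   User    = $Matches.user; Context  = $Matches.ctx
                NotPermittedException = $false
            }
        }
        elseif ($pending -and $line -match 'AccUserNotPermittedException') {
            # The exception entry that follows the failed demand confirms the denial.
            $pending.NotPermittedException = $true
        }
    }
    if ($pending) { $results += $pending }
    $results
}

Find-PermissionDemandFailure -Lines $lines | Format-Table -AutoSize
```

A row with Component RBO_Archives, Context GetVaults and NotPermittedException True matches the entries shown above.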
Cause
The check to determine the required permissions when accessing the Application | Archives tab fails when the user is not the VSA or is not listed in the Administrator User or Group field in the Customer Properties in the EVBAAdmin administration web site. This check failure causes the web UI to revert to the login page.
Solution
A workaround is to add users needing access to Application | Archives to an Active Directory (AD) Group which is then listed in the Administrator User or Group field in the Customer Properties in EVBAAdmin. This allows access to Application | Archives as long as those users are assigned to an Application Role with the Modify System Configuration Permission.
Here are the steps:
1. Create a new Active Directory Global Security Group to contain the users needing access to the Application | Archives tab and add the required users to the new Group. Alternatively, if a Group is already listed in the Administrator User or Group field in the CA Customer Properties in EVBAAdmin, the users can be added to this Group.
2. Add the new Group to the Administrator User or Group field in the CA Customer Properties in EVBAAdmin.
2.1. Open the EVBAAdmin administration web site on the CA server at http://localhost/evbaadmin.
2.2. Right-click the CA Customer | Properties.
2.3. Enter the new Group in the format <domain>\<Group Name>.
If a Group already exists, do not add the new Group - only one entry is permitted in this field. Instead, either add the new Group to the existing Group in Active Directory, or, alternatively, add the required users to the existing Group in the Administrator User or Group field.
Note - From the EVBAAdmin Help, adding a Group to the Administrator User or Group field will allow all members of the Group to have full administrative permissions in the Customer database and typically assigns application-wide roles to other users.
2.4. Click OK to save the change.
3. Restart the services on the CA server.
3.1. Stop the Enterprise Vault Accelerator Manager Service.
3.2. Restart the IIS Admin Service.
3.3. Start the Enterprise Vault Accelerator Manager Service.
4. Confirm the users are assigned an Application Scope Role under Application | Role Assignment that includes the Modify System Configuration Permission. If not, create a new Application Scope Role under Application | Roles with the Modify System Configuration Permission selected and add the required users to this Role under Application | Role Assignment.
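Steps 1 and 3 can be scripted; the PowerShell below is an added example, not Veritas or Cohesity code, and steps 2 and 4 remain manual in EVBAAdmin and the CA web UI. The group name, OU path and user names are placeholders, and it assumes the ActiveDirectory (RSAT) module is available. Since group members receive full administrative permissions in the Customer database, it also lists the effective membership for review.

```powershell
Import-Module ActiveDirectory

$groupName = 'CA-Archives-Admins'            # placeholder group name
$groupPath = 'OU=Groups,DC=example,DC=com'   # placeholder OU
$users     = 'jdoe', 'asmith'                # placeholder sAMAccountNames

# Step 1: create the Global Security Group if it does not exist, then add the users.
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security -Path $groupPath
}
Add-ADGroupMember -Identity $groupName -Members $users

# Everyone in this group, nested groups included, gets full administrative
# permissions in the Customer database, so review the effective membership.
Get-ADGroupMember -Identity $groupName -Recursive |
    Select-Object SamAccountName, objectClass, distinguishedName

# Step 2 is manual: enter <domain>\<Group Name> in EVBAAdmin before continuing.

# Step 3: run on the CA server, in the order given in the steps above.
# The display name is taken from this page; the wildcard tolerates a trailing "Service".
$eam = Get-Service -DisplayName 'Enterprise Vault Accelerator Manager*'
if (-not $eam) { throw 'Enterprise Vault Accelerator Manager service not found on this server.' }

Stop-Service    -InputObject $eam
Restart-Service -Name IISADMIN -Force        # IIS Admin Service; -Force is needed if other services depend on it
Start-Service   -InputObject $eam
```

Run the Active Directory part wherever the RSAT module is installed and the service part on the CA server itself.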
There are currently no plans to address this issue through a patch or hotfix in the current or previous versions of the software. However, it is scheduled to be resolved in the next major product revision. Please note that the product engineering team reserves the right to remove any fix from the targeted release if it does not pass quality assurance tests. Our plans are subject to change, and any actions you take based on this information, or your reliance on it, are at your own risk.