Monitored Employee Group permissions are not revoked when an Employee is removed from the Group

Problem

When a user becomes a Monitored Employee through membership of an Active Directory (AD) group that is listed as a Monitored Employee Group in Compliance Accelerator (CA), and that Monitored Employee Group has custom Roles assigned, removing the user from the AD group does not revoke the permissions. Even after Monitored Employee synchronization has completed, the user can still perform every action granted by the custom Roles. The permissions are corrected only when the permission cache is updated or disabled.

Note: This only seems to affect custom Roles and does not affect the pre-defined Roles.

 

Cause

CA uses a permissions cache to check permissions quickly, without fully refreshing the applicable permissions each time an action is performed. In some cases, the permissions cache is not fully updated after the user is removed from an AD Group and Monitored Employee synchronization has completed. When the user then executes a function within CA for which access has been revoked, CA first performs the action and only afterwards confirms it against the current cached permissions, by which point the action has already been allowed.

Solution

Workaround:

The issue occurs when the Permissions Cache option is set to cache permissions (the default setting of 2). Setting the value to 0 disables the Permissions Cache option and works around the issue, because it forces CA to validate all permissions before performing an action. To disable the Permissions Cache option:

  1. From the CA Client, select the Configuration tab, then the Settings sub-tab.
  2. Hold the CTRL key and click Configuration Settings in the heading banner to display the hidden settings.
  3. Expand the Security section to display the Permission Cache Option setting.
  4. Click the Value column.
  5. Change the entry from "2" (default value) to "0" (zero).
  6. Click the Save button to save the change.
  7. Restart the Enterprise Vault Accelerator Manager Service (EVAMS) on the CA server to put the changes into effect.

Note: A slight client access performance degradation may occur with the Permissions Cache option set to 0.
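The following is an added illustration, not Compliance Accelerator code: a simplified Python model of the stale permission cache described under Cause, comparing option value 2 with option value 0 and counting the extra lookups that value 0 costs. The class names, group name, user name and the `invalidate_on_sync` flag are hypothetical; dropping the cached entry on synchronization is shown as one general remedy and is an assumption, not a description of the vendor's hotfix.

```python
# Simplified model of a stale permission cache; not Compliance Accelerator code.
CACHE_ENABLED, CACHE_DISABLED = 2, 0   # Permissions Cache option values named in the article


class RoleStore:
    """Stands in for synchronized Monitored Employee Group data (constructed)."""
    def __init__(self, group_roles):
        self.group_roles = group_roles   # group -> permissions granted by custom Roles
        self.members = {}                # group -> set of users
        self.lookups = 0                 # number of full permission resolutions

    def resolve(self, user):
        self.lookups += 1
        perms = set()
        for group, users in self.members.items():
            if user in users:
                perms |= self.group_roles[group]
        return perms


class PermissionChecker:
    def __init__(self, store, cache_option, invalidate_on_sync=False):
        self.store, self.cache_option = store, cache_option
        self.invalidate_on_sync = invalidate_on_sync   # hypothetical remedy (assumption)
        self.cache = {}

    def on_sync(self, user):
        # Called when group synchronization completes; optionally drop the cached entry.
        if self.invalidate_on_sync:
            self.cache.pop(user, None)

    def is_allowed(self, user, permission):
        if self.cache_option == CACHE_DISABLED:
            return permission in self.store.resolve(user)   # validate on every action
        if user not in self.cache:
            self.cache[user] = self.store.resolve(user)
        return permission in self.cache[user]               # may be stale


def revoke_scenario(cache_option, invalidate_on_sync=False, checks=3):
    """Grant via group, check once, remove the user, sync, then check again."""
    store = RoleStore({"Reviewers-AD": {"review_items"}})
    store.members["Reviewers-AD"] = {"alice"}
    checker = PermissionChecker(store, cache_option, invalidate_on_sync)
    before = checker.is_allowed("alice", "review_items")
    store.members["Reviewers-AD"].discard("alice")   # removed from the AD group
    checker.on_sync("alice")                         # synchronization completes
    after = [checker.is_allowed("alice", "review_items") for _ in range(checks)]
    return before, after, store.lookups
```

Calling `revoke_scenario(CACHE_ENABLED)` returns the revoked permission as still allowed after synchronization, while `revoke_scenario(CACHE_DISABLED)` denies it at the cost of one full lookup per check.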


This issue has been addressed in the following releases:

Enterprise Vault 10.0.2 cumulative Hotfix 2 Release
http://www.symantec.com/docs/TECH201383

Enterprise Vault 10.0.3 - Release Details
http://www.symantec.com/docs/TECH193300

 

 
