User migrated to a new domain has lost access to cases and research folders.

book

Article ID: 100010258

calendar_today

Updated On:

Description

Error Message

Unable to connect

You do not have permission to access the instance 'DACustomer1'  (where DACustomer1 is the name of the actual DA Customer)

 

Cause

Access to CA/VAS departments, DA cases and Research Folders is granted through Role Assignments to users in the AD or Lotus Domino domain.  The role assignments are granted on an individual user or group membership basis based on the AD or Domino domain in which the user account resides.  When any user account that has any Role Assignment is moved from one AD or Domino domain to another, that user's account in the new AD or Domino domain will not automatically have any Role Assignment to any CA/VAS department, DA case or Research Folder.

The error noted in the Error section above will be thrown anytime the new account is used to attempt to access any CA/VAS department, DA case or Research Folder in the Accelerator Customer, as the account has not been granted any Role Assignment.  After the appropriate Role Assignment has been granted to the new domain account, the user will be able to access the CA/VAS department, DA Case or Research Folder to which the Role Assignment has been granted.

Note: A trust relationship is required between the domain in which CA/VAS or DA is located and the domain in which the user account is located.  A two-way trust is preferred, but a one-way trust may also work as long as:

  1. the domain in which CA/VAS or DA is located trusts the domain in which the user account is located, and
  2. an account in the user's domain that is configured within CA/VAS or DA that can access the account properties of the user account.

 

Resolution

The user's account in the new domain will not have the ability to access any CA/VAS department, DA case or Research Folder until after their account has been granted the appropriate Role Assignment(s).

To grant the appropriate Role Assignments to a CA/VAS department, DA case or Research Folder, an account with the proper permissions must be used.  Those permissions are:

  • Department level User Admin role within each CA/VAS department to be accessed
  • Case level Admin role within each DA case to be accessed
  • Research Folder level Full Control for CA/VAS or Folder Full Control for DA.

The Department, Case, folder owner has the appropriate Role assigned by default, but these Roles can be granted to other users by the owners.

The user with the appropriate Role must:

  1. Access the Role Assignment tab for the department, case or Research Folder.
  2. Note the Role(s) assigned to the user's previous domain account.
    1. Click on the user's previous domain account in the Role Assignment tab.
    2. Take note of the Roles assigned to that user account in the Assigned Roles panel.  Note: Be aware of any Role that is grayed out as such role assignments indicate the user is the department, case or Research Folder owner and those assignments cannot be removed until after the ownership has changed to the user's new domain account.  If the user's old account is the owner of a Department, Case or Research Folder, that ownership will need to be changed to the user's new account using the user's old account.
  3. Remove the Role(s) assigned to the user's previous domain account.
    1. Click on the user's previous domain account in the Users and Groups panel if that user is not already selected from Step 2 above.
    2. For each Role assigned -
      1. Click on the Role in the Assigned Roles panel.
      2. Click the Remove button in the bottom right of the Assigned Roles panel.
    3. An alternate method to remove role assignments is to click on one role to select it, then hold the Ctrl key down while clicking on additional role assignments to add them to the selection, then click on the Remove button.
  4. Add the user's new domain account and assign the Roles their previous domain's account had.
    1. Click the Add User... option above the Users and Groups panel.
    2. In the Select Users pane that will open in DA -
      1. Change the Windows Domain if the option is available: selection to the new Active Directory or Lotus Domino domain, if that domain is not already selected.
        1. Click the drop down arrow to the right of the Windows Domain: selection line.
        2. Scroll up or down through the list of available domains to locate the new AD or Domino domain.
        3. Click on the new AD or Domino domain name.
      2. If the new AD or Domino domain contains more than 1000 user accounts, the browser pane will only show the first 1000 accounts.
        1. If the user to be added is listed within those 1000 accounts, scroll through the accounts to locate and select the user's account.
        2. If the user to be added is not listed within those 1000 accounts, or if scrolling through the first 1000 accounts is considered too time-consuming -
          1. Enter some or all of the user's Display Name into the Enter User dialog line
          2. Click the Search button.
        3. Click on the user's account to select it.
      3. Click the OK button to complete the user selection process.  This will cause the Select User pane to be replaced by the Roles pane.
    3. In the Roles pane -
      1. Click on the appropriate Role to be assigned to the user's new domain account.
      2. If the user is to have multiple Role assignments with the CA department DA case or Research Folder, hold the Ctrl key and click on the additional Roles to which the user's account will be assigned.
      3. Click the OK button to complete the Role Assignment selection process and allow the Roles pane to disappear. 
  5. Click the Save button in the Assigned Roles panel to complete the Role Assignment process.

Note: Once an account has been added to a CA department, DA case or Research Folder, even if no Role has been assigned, that account is available for Role Assignment in all CA departments, DA cases and Research Folders.  This is by design to allow for quicker adding of Role Assignments where access by the account user is required for multiple CA departments, DA cases and / or Research Folders.

If the CA department, DA case or Research Folder is owned by the user's previous domain account and the user can still log onto the previous domain, the user should:

  1. Log onto the previous domain.
  2. Launch the CA or DA Client.
  3. Add the user's new domain account to the Role Assignment tab of any Case or Research Folder to which they are owner.
  4. Assign the appropriate Roles to the new domain account to match the old domain account.
  5. Change the owner to the new domain account.
  6. Repeat the above Steps 3 through 5 for each Case or Research Folder they own.

If the CA department, DA case or Research Folder is owned by the user's previous domain account and that domain is no longer available for login validation, contact Technical Support for assistance to remove and replace the ownership and Role Assignments.

 

Here are some data-gathering scripts that Technical Support may ask to be run. All scripts are to be run against the Customer database with output to spreadsheet (Right-click in the results | Select All | Right-click in the results again | Copy With Headers | Paste into a new spreadsheet in Excel).

1. List all non-deleted Cases/Departments/Research Folders:

SELECT DISTINCT 
[Query] = '1'
, [CustomerDatabase] = db_name()
, tc.CaseID
, [Folder_Type] = CASE
WHEN (tc.FolderType = 330 AND tc.Type = 101) THEN 'Case'
WHEN (tc.FolderType = 330 AND tc.Type = 102) THEN 'Department'
WHEN (tc.FolderType = 331 AND tc.Type = 101) THEN 'DA Folder'
WHEN (tc.FolderType = 332 AND tc.Type = 101) THEN 'DA Hidden Folder'
WHEN (tc.FolderType = 331 AND tc.Type = 102) THEN 'CA Folder'
WHEN (tc.FolderType = 332 AND tc.Type = 102) THEN 'CA Hidden Folder'
ELSE 'FolderType ' + CONVERT(nvarchar(10), tc.FolderType) + ' Type ' + CONVERT(nvarchar(10), tc.Type) END
, [Folder_Name] = tc.Name
, [Folder_Owner_PrincipalID] = tp1.PrincipalID
, [Folder_Owner] = tp1.PrincipalName
, tc.StatusID
, [Folder_Status] = ts2.Name
, [Parent_CaseID] = tcParent.CaseID
, [Parent_Case/Department_Name] = tcParent.Name
, [Parent_Case/Department_Owner] = tp2.PrincipalName
, [NumSearches] = COUNT(tis.SearchID) OVER(PARTITION BY tis.CaseID)
FROM tblCase AS tc (NOLOCK)
JOIN tblStatus AS ts2 ON ts2.StatusID = tc.StatusID
JOIN tblPrincipal AS tp1 ON tc.OwnerPrincipalID = tp1.PrincipalID
LEFT JOIN tblCase AS tcParent (NOLOCK) ON tc.ParentCaseID = tcParent.CaseID
LEFT JOIN tblPrincipal AS tp2 ON tcParent.OwnerPrincipalID = tp2.PrincipalID
LEFT JOIN tblIntSearches AS tis ON tc.CaseiD = tis.CaseID
WHERE tc.MarkedForDeletion = 0 AND (tc.DeletedByPrincipalID IS NULL OR tc.DeletedByPrincipalID = NULL)
ORDER BY tc.CaseID, tc.Name;

2. Find the PrincipalID for the new Owner/user. Edit the following query as indicated and run against the Customer database:

DECLARE @NewOwner nvarchar(100) = 'smith'; -- Edit new Owner's name here
SELECT
[Query] = '2'
, [CustomerDatabase] = db_name()
, PrincipalID, PrincipalName, PrincipalLogin
FROM tblPrincipal
WHERE PrincipalName LIKE '%' + @NewOwner + '%'
OR PrincipalLogin LIKE '%' + @NewOwner + '%'
ORDER BY PrincipalID;

3. List the current Roles and Permissions assigned to all users. Run the following query against the Customer database:

SELECT DISTINCT [Query] = '3',
tisc.*,
tc.Name 'Case/Dept/Folder Name',
CASE
WHEN (tc.FolderType = 330 AND tc.Type = 101) THEN 'Case'
WHEN (tc.FolderType = 330 AND tc.Type = 102) THEN 'Department'
WHEN (tc.FolderType = 331 AND tc.Type = 101) THEN 'DA Folder'
WHEN (tc.FolderType = 332 AND tc.Type = 101) THEN 'DA Hidden Folder'
WHEN (tc.FolderType = 331 AND tc.Type = 102) THEN 'CA Folder'
WHEN (tc.FolderType = 332 AND tc.Type = 102) THEN 'CA Hidden Folder'
ELSE 'Other' END AS 'FolderType', 
tpl.PrincipalName, tpl.PrincipalLogin, tpl.PrincipalID, tpl.AddressOwnerID,
tr.RoleName, ts2.Name AS 'Role Scope', 
tp.PermissionID, tp.Name AS 'Permission Name',
thcp.StartDate, thcp.EndDate, 
tp.ScopeID, ts1.Name AS 'Permission Scope'
, [RoleType] = ts3.Name
FROM tblIntSecurity AS tisc
JOIN tblCase AS tc ON tisc.CaseID = tc.CaseID
JOIN tblPrincipal AS tpl ON tisc.PrincipalID = tpl.PrincipalID
JOIN tblRole AS tr ON tisc.RoleID = tr.RoleID
JOIN tblIntRolePermission AS tirp ON tisc.RoleID = tirp.RoleID
JOIN tblPermission AS tp ON tirp.PermissionID = tp.PermissionID
JOIN tblStatus AS ts1 ON tp.ScopeID = ts1.StatusID
JOIN tblStatus AS ts2 ON tr.ScopeID = ts2.StatusID
JOIN tblHistCasePermission AS thcp ON tp.PermissionID = thcp.PermissionID
JOIN tblStatus AS ts3 ON tisc.RoleTypeID = ts3.StatusID
WHERE tisc.PrincipalID = thcp.PrincipalID AND tisc.CaseID = thcp.CaseID
ORDER BY tisc.CaseID, tisc.PrincipalID, tr.RoleName, tp.Name;

-- 4. List the tblIntSecurity information:

SELECT [Query] = '4', *
FROM tblIntSecurity
ORDER BY CaseID, PrincipalID, RoleID;

-- 5. Determine if Chinese Wall Security is enabled:

DECLARE @DepartmentUserRoleID int = (SELECT RoleID FROM tblRole WHERE ResourceID = 'tblRole_DepartmentUser');
IF EXISTS (SELECT 1 FROM tblIntSecurity WHERE RoleID = @DepartmentUserRoleID)
SELECT [Query] = '5'
, [ChineseWallSecurity] = 'Enabled', *
FROM tblIntSecurity
WHERE RoleID = @DepartmentUserRoleID 
ORDER BY CaseID, PrincipalID, RoleID;
ELSE SELECT [Query] = '5'
, [ChineseWallSecurity] = 'Disabled or no Department Users';

 

 


Applies To

 Any version of Enterprise Vault (EV) Discovery Accelerator (DA).

Any version of Enterprise Vault (EV) Compliance Accelerator (CA).

Issue/Introduction

After an Active Directory (AD) user has been migrated to a new domain, they are not able to see their previous Compliance Accelerator (CA) / Advanced Surveillance (VAS) departments, Discovery Accelerator (DA) cases or Research Folders.
Powered by Wolken Software