Privileged Delete fails with error advising insufficient permissions to delete items from the archive

Article ID: 100049934

Description

Error Message

Error seen in the DA Review Set History tab for the item being Privileged Deleted:

Failed to delete the item from the archive.
Failure reason: Enterprise Vault Accelerator Service account has insufficient permissions to delete items from the archive.


DTrace of the StorageOnlineOpns process on the EV Storage server:

[12345]    (StorageOnlineOpns)    <1234>    EV:L    {CSecurityWrapper::HasServerClientGotPermission:#x} Checking role access for admin operation [2022]...
[12345]    (StorageOnlineOpns)    <1234>    EV:L    {CSecurityWrapper::HasServerClientGotPermission:#x} Caller [doesn't have] role [2022]. Permission [denied].
[12345]    (StorageOnlineOpns)    <1234>    EV:M    {CSecurityWrapper::ServerClientCheckPermissions:#x} Operation [{STO} Can perform compliance delete of items in any archive (2022)] has been denied.
[12345]    (StorageOnlineOpns)    <1234>    EV:H    {CSimpleStore::DeleteItem3:#x} _com_error exception: [Access is denied.  (0x80070005)]
[12345]    (StorageOnlineOpns)    <1234>    EV:H    {CSimpleStore::DeleteItem3} (Exit) Status: [Access is denied.  (0x80070005)]


DTrace of the AcceleratorService process on the DA server:

[56789]    (AcceleratorService)        EV-H    {ArchiveditemDeletor} Exception: Access denied. Insufficient permissions to access the requested object(s). Info:{Cx} Error deleting item from archive in attempt :1, DiscoveredItemId: X Diag:HRESULT: 80040303 Type:System.Runtime.InteropServices.COMException ST:   at KVS.EnterpriseVault.Interop.IItem4.Delete()|   at KVS.Accelerator.PrivilegedDeleteItems.ArchiveditemDeletor.KVS.Accelerator.PrivilegedDeleteItems.IArchiveItemDeleter.DeleteItem(DeleteItemRecord itemToDelete) Inner:None
[56789]    (AcceleratorService)        EV-L    {TraceTimer} {Cx} [  81ms] Time taken deleting item from archive . SavesetId:
[56789]    (AcceleratorService)        EV-H    {QueuePrivilegedDeleteItems} Exception: Access denied. Insufficient permissions to access the requested object(s). Info:{Cx} Error deleting item from archive , DiscoveredItemId: x. Updating item deletionStatus as failure. Diag:HRESULT: 80040303 Type:System.Runtime.InteropServices.COMException ST:   at KVS.EnterpriseVault.Interop.IItem4.Delete()|   at KVS.Accelerator.PrivilegedDeleteItems.ArchiveditemDeletor.KVS.Accelerator.PrivilegedDeleteItems.IArchiveItemDeleter.DeleteItem(DeleteItemRecord itemToDelete)|   at KVS.Accelerator.PrivilegedDeleteItems.QueuePrivilegedDeleteItems.PrivilegeDeleteProcessWork(ThreadSafeQueue& theQueue, Object queuedItem) Inner:None


Cause

The cause is identified in the DA Review Set History tab error and in the DTrace entries: the account used by the Enterprise Vault Accelerator Manager Service (EVAMS) on the DA server does not have the rights or permissions needed to delete items from the archives. The StorageOnlineOpns DTrace shows the check for the RBA role 2022, "Can perform compliance delete of items in any archive", being denied for that account, and the delete then fails with Access is denied (0x80070005).

This issue should not normally occur because the DA EVAMS should use the same account as the EV services, typically the Vault Service Account (VSA). It occurs when the EVAMS is configured with an account that is neither the VSA nor the account used by the EV services. Confirm this by comparing the log-on accounts of the EVAMS on the DA server and of the EV services on the EV server in the Services control panel:

On the DA server:

- Right-click the Start button | Run | services.msc | OK.
- Double-click the Enterprise Vault Accelerator Manager Service, or right-click the Enterprise Vault Accelerator Manager Service | Properties.
- Review the account listed in the Log On tab.

On the EV Storage server(s):

- Right-click the Start button | Run | services.msc | OK.
- Double-click the Enterprise Vault services, or right-click the Enterprise Vault services | Properties. The EV services are:
    Enterprise Vault Admin Service
    Enterprise Vault Directory Service
    Enterprise Vault Indexing Service
    Enterprise Vault Shopping Service
    Enterprise Vault SMTP Service (optional)
    Enterprise Vault Storage Service
    Enterprise Vault Task Controller Service
- Review the account listed in the Log On tab for each EV service.
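The same comparison can be scripted. The following PowerShell is an added example, not part of the Veritas article; it assumes WinRM access to the named servers (the server names are placeholders) and reads each service's Log On account from Win32_Service so a mismatch between the EVAMS account and the EV service accounts stands out:

```powershell
# Added example (not from the article): compare the log-on account of the
# Enterprise Vault Accelerator Manager Service on the DA server with the
# log-on accounts of the EV services on each EV Storage server.
# Placeholder server names; replace them with your own.
$DaServer  = 'DA-SERVER'
$EvServers = @('EV-STORAGE-01')     # add every EV Storage server here

# Display names exactly as they appear in services.msc (from the article's list).
$EvamsName = 'Enterprise Vault Accelerator Manager Service'
$EvNames   = @(
    'Enterprise Vault Admin Service',
    'Enterprise Vault Directory Service',
    'Enterprise Vault Indexing Service',
    'Enterprise Vault Shopping Service',
    'Enterprise Vault SMTP Service',        # optional; simply absent if not installed
    'Enterprise Vault Storage Service',
    'Enterprise Vault Task Controller Service'
)

function Get-ServiceLogon {
    param([string]$Computer, [string[]]$DisplayNames)
    # Win32_Service exposes the Log On account as StartName (domain\username).
    Get-CimInstance -ClassName Win32_Service -ComputerName $Computer |
        Where-Object { $DisplayNames -contains $_.DisplayName } |
        Select-Object @{ n = 'Computer'; e = { $Computer } }, DisplayName, StartName
}

$evams = Get-ServiceLogon -Computer $DaServer -DisplayNames $EvamsName
if (-not $evams) { throw "EVAMS not found on $DaServer" }
$evamsAccount = $evams.StartName
"EVAMS on $DaServer logs on as: $evamsAccount"

# -ne is case-insensitive in PowerShell, so DOMAIN\vsa and domain\VSA compare equal.
$mismatch = foreach ($server in $EvServers) {
    Get-ServiceLogon -Computer $server -DisplayNames $EvNames |
        Where-Object { $_.StartName -ne $evamsAccount }
}

if ($mismatch) {
    "EV services not using the EVAMS account (expected the VSA on both sides):"
    $mismatch | Format-Table -AutoSize
} else {
    "All EV services use the same account as EVAMS; the cause lies elsewhere."
}
```

Any service listed in the mismatch table is the configuration the Cause section describes, and the Resolution steps apply.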


Resolution

The recommended solution is to change the EVAMS on the DA server to log on as the VSA. Before starting, close all DA clients on all computers. Log on to the DA server with an administrative account and perform the following steps:

1. Right-click the Start button | Run | services.msc | OK.
2. Double-click the Enterprise Vault Accelerator Manager Service, or right-click the Enterprise Vault Accelerator Manager Service | Properties.
3. Click on the Log On tab.
4. Click Browse and select the VSA.
5. Enter the password for the VSA.
6. Click OK and acknowledge any prompts advising the new logon name will not take effect until the service is stopped and restarted.
7. Either Restart or Stop and Start the EVAMS.

An alternative solution is to grant the EVAMS account the required permissions on the archive(s). This is not the preferred solution, because the recommended configuration is for all EV and DA services to use the same VSA. Log on to the EV Directory server as the VSA and perform the following steps:

1. Provide the EVAMS account permissions to the Archive(s) storing the items to be Privileged Deleted:
1.1. Open the Enterprise Vault Administration Console (VAC).
1.2. Expand the Directory | Site | Archives.
1.3. Find and right-click on the Archive | Properties | Permissions.
1.4. Add the EVAMS account.
1.5. Select the EVAMS account and then select all Grant permissions under Manually set.
1.6. Click OK.
1.7. Repeat to add the EVAMS account with all Grant permissions for all required Archives.

2. Add the DA EVAMS account to the Roles-Based Administration (RBA) Role Compliance Delete Application:
2.1. Determine the DA EVAMS account login name in the format domain\username per the steps in the Cause section.
2.2. Open the Enterprise Vault Management Shell.
2.3. Edit the following PowerShell command to replace domain\username with the EVAMS account login name, then execute it. The account must be given in the format domain\username.

Add-EVRBARoleMember -Identity "Compliance Delete Application" -Members "domain\username"

2.4. Run the following PowerShell command to confirm the EVAMS account has been correctly added to the Compliance Delete Application RBA Role:

Get-EVRBARoleMember -Identity "Compliance Delete Application"

If the EVAMS account is not listed, review the above steps to verify nothing was missed and re-run them. If an incorrect account was added, edit the following PowerShell command to replace domain\username with the account that was entered incorrectly, execute it, then repeat the above steps to add the correct EVAMS account:

Remove-EVRBARoleMember -Identity "Compliance Delete Application" -Members "domain\username"


Issue/Introduction

Enterprise Vault (EV) Discovery Accelerator (DA) provides the ability to delete items from the Review Set starting from version 12.3. This function is called Privileged Delete. Attempting to use the Privileged Delete function may fail with the error below. Running a DTrace of the StorageOnlineOpns process on the EV Storage server and of the AcceleratorService process on the DA server may also show entries as below.