Security Roles disappeared and can no longer be seen in the console

Article ID: 152267

Products

IT Management Suite

Issue/Introduction

None of the security roles normally found in the Console under Settings > Security > Roles can be seen any longer. Only the "Security Roles" folder is visible, and nothing shows up underneath it.

Environment

ITMS 8.x

Cause

The problem appears to be caused by the original account used as the logon account (Application Identity) having been replaced by another account and then deleted from the domain.

When the tree is rendered, starting at the 'Security Roles' folder, the builder seems to try to validate the owner of the folder. In this case the OwnerGuid of the folder could no longer be found in the "SecurityTrustee" table. As a result, the attempt to render the security role tree is abandoned.

To check whether this might be the problem, the following query can be run against the database.

SELECT *
FROM SecurityEntity
WHERE guid = '9C5D33FA-AB95-4D57-851D-1B43902CDCE5'
 and OwnerGuid in (select guid from SecurityTrustee)

If the query returns no result, then this may be the root of the problem.

Resolution

If the previous query returned no results, then perform the following steps:

1. It would first be helpful to know what the SID of the current Application Identity user is. The user's SID can usually be found in the registry of any computer that it has logged onto.

HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList

The identity of the account associated with each SID listed in the registry can be found in the "ProfileImagePath" string.

2. Once the SID has been identified, run the following query to find the GUID associated with the SID.

SELECT guid, Trustee
FROM SecurityTrustee
ORDER BY Trustee

3. Copy the GUID associated with the Application Identity account's SID and plug it into the following SQL modify script:

UPDATE SecurityEntity
SET OwnerGuid = '<guid>' -- Guid of Application Identity account Trustee
WHERE Guid = '9C5D33FA-AB95-4D57-851D-1B43902CDCE5'

Also, if this condition exists in the database, then it is likely that there are many objects whose OwnerGuid cannot be resolved to a valid trustee. The following query can be used to identify what those objects are, and how many there are.

SELECT i.Name, i.Guid
FROM vItem i
 join SecurityEntity se on se.guid = i.guid
WHERE se.OwnerGuid NOT IN (select guid from SecurityTrustee)
ORDER by i.Name

At this point it may not be a bad idea to assign the current Application Identity account as the owner of all objects that have no owner.

UPDATE SecurityEntity
SET OwnerGuid = '<guid>' -- Guid of Application Identity account Trustee
WHERE OwnerGuid NOT IN (select guid from SecurityTrustee)

NOTE: As with any scripts that modify the database, it is highly recommended that a current backup of the database exist prior to running the scripts.
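
The resolution steps above combined into one guarded T-SQL batch, as an added example that is not part of the original article and is not a vendor script. It assumes the Trustee column of SecurityTrustee stores the SID string, uses `<sid>` as a placeholder for the value found in step 1, and uses NOT EXISTS, which unlike the article's NOT IN also matches rows whose OwnerGuid is NULL.

```sql
-- Added example, not vendor code. Take a database backup first.
SET XACT_ABORT ON;
SET NOCOUNT ON;

DECLARE @Sid nvarchar(256) = N'<sid>';  -- placeholder: Application Identity SID from step 1
DECLARE @RolesFolder uniqueidentifier = '9C5D33FA-AB95-4D57-851D-1B43902CDCE5';
DECLARE @OwnerGuid uniqueidentifier;

-- Assumption: SecurityTrustee.Trustee stores the SID string (implied by step 2).
SELECT @OwnerGuid = guid FROM SecurityTrustee WHERE Trustee = @Sid;

IF @OwnerGuid IS NULL
BEGIN
    RAISERROR('No SecurityTrustee row matches the supplied SID; nothing was changed.', 16, 1);
    RETURN;
END;

BEGIN TRANSACTION;

-- Record every entity whose owner does not resolve, with its old value,
-- so the change can be reviewed or reverted later.
-- NOT EXISTS also matches a NULL OwnerGuid, which NOT IN would skip.
SELECT se.Guid, se.OwnerGuid AS OldOwnerGuid
INTO   #OwnerFixAudit
FROM   SecurityEntity se
WHERE  NOT EXISTS (SELECT 1 FROM SecurityTrustee st WHERE st.guid = se.OwnerGuid);

UPDATE se
SET    se.OwnerGuid = @OwnerGuid
FROM   SecurityEntity se
JOIN   #OwnerFixAudit a ON a.Guid = se.Guid;

-- Post-condition: the Security Roles folder passes the article's diagnostic
-- query and no unresolvable owners remain.
IF NOT EXISTS (SELECT 1 FROM SecurityEntity se
               JOIN SecurityTrustee st ON st.guid = se.OwnerGuid
               WHERE se.Guid = @RolesFolder)
   OR EXISTS (SELECT 1 FROM SecurityEntity se
              WHERE NOT EXISTS (SELECT 1 FROM SecurityTrustee st WHERE st.guid = se.OwnerGuid))
BEGIN
    ROLLBACK TRANSACTION;
    RAISERROR('Post-check failed; all changes were rolled back.', 16, 1);
END
ELSE
BEGIN
    COMMIT TRANSACTION;
    SELECT Guid, OldOwnerGuid FROM #OwnerFixAudit ORDER BY Guid;  -- keep this output
END;
```

Save the final result set with the change record: it lists each object whose ownership was reassigned and the owner GUID it held before.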