ITMS 7.6.x.
Users who are members of exactly the same security roles may have different permissions when accessing the default IT Analytics reports.
Steps to reproduce.
0. Create a new user in Active Directory.
1. Create a new account in Symantec Management Console and link it to the user from (0) via Account Management -> Accounts.
2. Make the user a member of "IT Analytics Users" role.
3. "Run now" from Settings -> Notification Server -> IT Analytics Settings -> Cubes -> Security.
4. Now delete the user from Active Directory.
5. Run the same rule again.
6. Error(s) will appear in the log.
Update 12.04.2016.
Another similar scenario was recently reported to Symantec Support; see error III below. However, this time the error does not explicitly mention the affected user's name.
I.
=====
Error Synchronizing Security Roles. Object reference not set to an instance of an object. [System.NullReferenceException @ System.Xml] at System.Xml.XmlNode.RemoveChild(XmlNode oldChild) at Altiris.ITAnalytics.ASDatabase.RemoveRoleMemberByName(String roleID, String roleName, StringCollection strRemoveRoles, Guid parentPid) at Altiris.ITAnalytics.ASDatabase.SynchronizeRole(Guid SyncRoleGuid, Guid parentPid) at Altiris.ITAnalytics.Tasks.ITAnalyticsSyncSecurityRolesTask.ProcessTasks()
=====
II.
=====
Error Synchronizing Security Roles. Add role member failed. Invalid member domain\user [System.Exception @ Altiris.ITAnalytics] at Altiris.ITAnalytics.ASDatabase.AddRoleMemberByName(String roleID, String roleName, String name, Guid parentPid) at Altiris.ITAnalytics.ASDatabase.SynchronizeRole(Guid SyncRoleGuid, Guid parentPid) at Altiris.ITAnalytics.Tasks.ITAnalyticsSyncSecurityRolesTask.ProcessTasks()
=====
III.
=====
Error Synchronizing Security Roles. Object reference not set to an instance of an object. [System.NullReferenceException @ Altiris.ITAnalytics] at Altiris.ITAnalytics.DisposableASDB.ExecXmla(String xmla) at Altiris.ITAnalytics.ASDatabase.ExecXmla(String xmla) at Altiris.ITAnalytics.ASDatabase.AddRoleMemberByName(String roleID, String roleName, String name, Guid parentPid) at Altiris.ITAnalytics.ASDatabase.SynchronizeRole(Guid SyncRoleGuid, Guid parentPid) at Altiris.ITAnalytics.Tasks.ITAnalyticsSyncSecurityRolesTask.ProcessTasks()
=====
This is a known defect that can be caused by:
a. A user that has been removed from Active Directory still exists in Symantec Management Console under Account Management -> Accounts;
b. An AD user imported to Symantec Management Console does not have associated credentials.
Symantec has introduced some changes into IT Analytics 8.0 to improve handling of Active Directory imported users in scope of the synchronization task.
However, you may still encounter the same or similar errors.
WORKAROUND.
It is easy to work around the issue if the affected user's name is explicitly given in the log. Otherwise, the task is a bit more complicated, and SQL Profiler can be used to discover the problematic user or role (https://msdn.microsoft.com/en-us/library/ms181091%28v=sql.110%29.aspx). Below is an example of SQL Profiler usage.
The error in the screenshot does not provide the user's name, but using the name of the role from the description, it was possible to analyze its membership and find the 'corrupt' users.
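The triage rule from the workaround (name given in the log versus SQL Profiler), as an added Python example that is not Symantec's code: it splits log text on the task's error marker, reports the failing call, and extracts the member name when error II provides one. The sample log is constructed from the traces in this article, shortened, with EXAMPLE\jdoe as a placeholder account name.

```python
import re

SYNC_ERROR = "Error Synchronizing Security Roles."
# Error II names the rejected account: "Invalid member <name> [System.Exception ..."
INVALID_MEMBER = re.compile(r"Invalid member\s+(.+?)\s*\[")
# Stack frames read "at Namespace.Class.Method(args)"; capture Class.Method.
FRAME = re.compile(r"\bat\s+(?:[\w.]+\.)?(\w+\.\w+)\(")
ROLE_CALLS = ("ASDatabase.AddRoleMemberByName", "ASDatabase.RemoveRoleMemberByName")


def triage(log_text):
    """Return one finding per role synchronization error in log_text."""
    findings = []
    for chunk in log_text.split(SYNC_ERROR)[1:]:
        frames = FRAME.findall(chunk)
        member = INVALID_MEMBER.search(chunk)
        findings.append({
            # Innermost frame: where the exception was raised.
            "failed_in": frames[0] if frames else None,
            # Whether the task was adding or removing a role member.
            "role_call": next((f for f in frames if f in ROLE_CALLS), None),
            "member": member.group(1) if member else None,
            "next_step": ("review this account under Account Management -> Accounts"
                          if member else "member not logged; trace the task with SQL Profiler"),
        })
    return findings


# Constructed sample: the three traces from this article, shortened,
# with EXAMPLE\jdoe standing in for the real account name.
SAMPLE_LOG = r"""
Error Synchronizing Security Roles. Object reference not set to an instance of an object. [System.NullReferenceException @ System.Xml] at System.Xml.XmlNode.RemoveChild(XmlNode oldChild) at Altiris.ITAnalytics.ASDatabase.RemoveRoleMemberByName(String roleID, String roleName, StringCollection strRemoveRoles, Guid parentPid) at Altiris.ITAnalytics.ASDatabase.SynchronizeRole(Guid SyncRoleGuid, Guid parentPid)
Error Synchronizing Security Roles. Add role member failed. Invalid member EXAMPLE\jdoe [System.Exception @ Altiris.ITAnalytics] at Altiris.ITAnalytics.ASDatabase.AddRoleMemberByName(String roleID, String roleName, String name, Guid parentPid) at Altiris.ITAnalytics.ASDatabase.SynchronizeRole(Guid SyncRoleGuid, Guid parentPid)
Error Synchronizing Security Roles. Object reference not set to an instance of an object. [System.NullReferenceException @ Altiris.ITAnalytics] at Altiris.ITAnalytics.DisposableASDB.ExecXmla(String xmla) at Altiris.ITAnalytics.ASDatabase.ExecXmla(String xmla) at Altiris.ITAnalytics.ASDatabase.AddRoleMemberByName(String roleID, String roleName, String name, Guid parentPid)
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```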