search cancel

Automation Policies fail to execute when the account used to create the Automation Policy is modified to have restricted security

book

Article ID: 163115

calendar_today

Updated On:

Products

IT Management Suite

Issue/Introduction

After moving a user from the "Symantec Administrators" group to one with less permissions the 'Send automation policy e-mail' task fails to run with the newly restricted permissions of that group.

User '<USER>' doesn't have permission to run this task 'Send automation policy e-mail'

Cause

There is a schedule trigger associated to an account. This is a hidden Item and may need to be changed by making modifications within SQL if updating the policy schedule does not update this attribute. The fact that this does not change the owner when the schedule is changed is resolved in version 8.0. The current workaround is to change the owner in 'SecurityEntity' via SQL script.

Resolution

There are two workarounds to address this issue:

  1. Modify the schedule of the Automation Policy with a member of the "Symantec Administrators" group; then 'Save changes'.
  2. Perform a backup of the Symantec_CMDB and run the following SQL query with AppID, Class, and broken user GUIDs inserted:
    1. ‚Äč
      update SecurityEntity
      set OwnerGuid = '<GUID>'--AppID Guid
      where Guid - '<CLASS GUID>'
      and OwnerGuid = '<Broken User GUID>'

Attachments