The following issues are observed with NCM policy manager:

1. When customer creates a policy as user A, they cannot see it under the list of NCM policies. But when they login as user B, they can see the policy
   
   
2. When they look at the NCM policies on the explorer pane, they see a certain number of policies, say, 19. On the right list pane though, they can only see 18 (with one policy  right on top showing up as null). 
   
   
3. Sometimes, when they try to assign a policy to a global collection or device family, it wont let them.

DX NetOps Spectrum 20.2.x and later

Since these user models exist on the non MLS SpectroSERVER, they take some time to sync user model attributes with the MLS.  To resolve this, the user models need to have ADMIN,0 Legacy security string. You may need to do an SS restart if this string is not properly updated/sync'd.

After updating the attribute, wait for around 5min and refresh the subview and see if the string is properly updated (not over-written with old string).

1. There is a group legacy snmp community string and a user legacy snmp community string. Which one should be updated?
   
   You can update group legacy snmp community string, which also updates user legacy snmp community strings under it.
   
   
2. Does this need to be done on all users manually?
   
   You can do this at Group level, so that user models also get updated.
   
   
3. Why do I need to do this? What went wrong?
   
   There was one added feature in 10.2.0, where we track all the user actions. As part of this feature we added a permissions check which enables the need of “ADMIN,0” for creating duplicate models in DSS environment. So need to add “ADMIN,0” for all the users in DSS environment.
   
   
4. Will it happen for future users we create?
   
   Any new user without group will have default “ADMIN,0” legacy snmp community string. User created under User Group will have derived legacy snmp community from its group.
   
   
5. Will updating the legacy snmp community string to ADMIN,0 change the users permissions (and give them access to functions they should not have access to)?
   
   User access permission will not be affected with this.

As a test, do a Policy test this with one user. Then you can update for all user groups/independent users. Also, you can test on user access restriction with two users in which one has restricted access to some functions and other has no restriction. It should behave same before and after updating the legacy snmp comm string with "ADMIN,0".