Application Control policy update errors

Problem

The Agent requests a policy/filter update but is denied by the Server.

In the Server Logs (viewed from the Altiris Log Viewer or found in C:\ProgramData\Symantec\SMP\Logs), the following error appears:

Process: w3wp (6028)
Thread ID: 188
Module: w3wp.exe
Source: Arellia.SMP.Common.ClientItemManagerWS.GetClientItems
Description: ClientItemManagerWS.GetClientItemDigestsByType() failed.



( Exception Details: Altiris.NS.Exceptions.AeXUnauthorizedAccessException: The current user does not have required permission 'read' to load item '36abf24e-e3e7-4d12-86a7-bd61be9f204e'.
at Altiris.NS.ItemManagement.Item.RaiseItemLoadFlagsSecurityException(String message)
at Altiris.NS.ItemManagement.Item.CheckCanGetItem(IItem item, IEnumerable`1 accessPermissions, ItemLoadFlags itemLoadFlags)
at Altiris.NS.ItemManagement.Item.GetItemInternal(Guid itemGuid, IEnumerable`1 accessPermissions, ItemLoadFlags itemLoadFlags)
at Altiris.NS.ItemManagement.Item.GetItem[T](Guid itemGuid, IEnumerable`1 accessPermissions, ItemLoadFlags itemLoadFlags)
at Altiris.NS.ItemManagement.Item.GetItem[T](Guid itemGuid)
at Altiris.NS.ItemManagement.Item.GetItem(Guid itemGuid)
at Arellia.SMP.Common.ContextManagement.ItemContext.??(Guid itemGuid)
at Arellia.SMP.Common.ClientItemManager.GetClientItems(GuidCollection gcClientItems, Guid PlatformGuid, Guid ResourceGuid)
at Arellia.SMP.Common.ClientItemManagerWS.GetClientItems(StringCollection ClientItems) )

The error message states: "The current user does not have required permission 'read' to load..."

Solution

To resolve this issue, perform the following steps:

  1. Right-click a policy that is not being received by the agents and then click "Security."
  2. Change the role to "Symantec Administrators."
  3. Select the Read permission check box, either inherited or non-inherited. If it is checked, then the error is in IIS; if it is not checked, continue with the following steps.
  4. Close out of the Security Manager.

If you are unable to set permissions using the Security Manager, perform the following steps:

  1. From the console, right-click the policy that is not being updated and click "Export."
  2. Edit the .xml policy using Notepad and delete everything between and including the <security> tags.
  3. Delete the policy from the Console.
  4. Right-click and select Import and import the saved .xml policy.
  5. Right-click the newly imported policy and select "Security" and verify that the read permissions have been added.
  6. Repeat the above steps for all policies/filters and folders that do not have the read permission.

After doing the above steps, verify that the agent is able to receive the updated policies and filters. The error in the logs should disappear.
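
To list every item that needs the fix (step 6) and to confirm afterwards that the denials have stopped, the item GUIDs can be pulled from the log text. The following Python script is an added example, not part of the original article or the product; it assumes the log has been saved as plain text containing the exception message in the form shown above, and the sample lines and the second GUID are constructed.

```python
import re
from collections import Counter

# Matches the exception message in the form shown in the log excerpt above.
DENIED_RE = re.compile(
    r"AeXUnauthorizedAccessException: The current user does not have required "
    r"permission '(?P<perm>[^']+)' to load item "
    r"'(?P<guid>[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})'"
)


def denied_items(log_text):
    """Return {(item_guid, permission): count} for every denied item load."""
    hits = Counter()
    for m in DENIED_RE.finditer(log_text):
        # GUIDs are case-insensitive; normalise so repeats of one item collapse.
        hits[(m.group("guid").lower(), m.group("perm"))] += 1
    return dict(hits)


def report(log_text):
    """One line per denied item, most frequently denied first."""
    rows = sorted(denied_items(log_text).items(), key=lambda kv: (-kv[1], kv[0]))
    return [f"{guid}  missing '{perm}'  x{count}" for (guid, perm), count in rows]


# Constructed sample input. The first GUID is the one from the excerpt above;
# the 11111111-... GUID and the unrelated entry are made up for illustration.
SAMPLE_LOG = """\
Description: ClientItemManagerWS.GetClientItemDigestsByType() failed.
( Exception Details: Altiris.NS.Exceptions.AeXUnauthorizedAccessException: The current user does not have required permission 'read' to load item '36abf24e-e3e7-4d12-86a7-bd61be9f204e'.
at Altiris.NS.ItemManagement.Item.GetItem(Guid itemGuid)
( Exception Details: Altiris.NS.Exceptions.AeXUnauthorizedAccessException: The current user does not have required permission 'read' to load item '36ABF24E-E3E7-4D12-86A7-BD61BE9F204E'.
( Exception Details: Altiris.NS.Exceptions.AeXUnauthorizedAccessException: The current user does not have required permission 'read' to load item '11111111-2222-3333-4444-555555555555'.
Description: Some unrelated informational entry.
"""

if __name__ == "__main__":
    # Each reported GUID is a policy, filter or folder to check in "Security".
    for line in report(SAMPLE_LOG) or ["no permission denials found"]:
        print(line)
```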

Additional information

The issue is caused by policy permissions on the Server.