I wonder if anyone can help with some CSR behaviour that we have seen.
We have just upgraded an installation of ePO 4.5 patch 3 to 4.6.4 in order to install Content Security Reporter. CSR users are being created to use Windows authentication. ePO and CSR servers are all in the same Windows domain.
Seems to work fine, except when we change a user's AD group membership, this is not reflected to the user's ePO session. For example.
1) We have two AD groups: CSR_View (maps to a permission set that allows report / querying viewing) and CSR_Admin (maps to permission set that allows report / query editting). User is a member of CSR_View.
2) User logs in. CSR Report / Query viewing. OK.
3) Move user from CSR_View to CSR_Admin AD group
4) Restart ePO browser session for CSR View user. User still have View permissions only.
5) Restart the McAFee ePO 4.6.4 Application Server service
6) Restart ePO browser session for CSR View user. User now has edit permissions.
Is this expected behaviour? It looks like ePO is caching the group membership for a user.
How frequently does ePO refresh its cache? Do we need to set up an AD sync task? There is nothing in the manual to indicate that we should.
ePO does cache AD details - I believe the cache is 30 minutes. As a test, if you leave longer than this after changing the group membership (but don't restart the service) does it behave correctly?