Epicor Service Account - Folder Permissions

Hello EpiGurus,

I’m trying to get an old BPM to work again. Something happened during our move to .600, and it no longer works.

The BPM sends an email notification and an attachment. The attachment is created, saved, and pulled from a folder in the shared “EpicorData” folder on our Epicor server (on-prem). The attachment is created using a template .txt file in a folder in that EpicorData folder.

For some reason, Epicor cannot access this shared folder or write to it, and I’m not sure why. When I look at the permissions on the share, the Epicor service account that we have set up in EAC has full permissions for it.

Here’s the error we get in the event viewer:

Ice.Common.EpicorServerException: BPM runtime caught an unexpected exception of 'UnauthorizedAccessException' type.
See more info in the Inner Exception section of Exception Details. ---> System.UnauthorizedAccessException: Access to the path '\\EPICOR-SRV600V\EpicorData\Companies\93546\Shortcuts\CorrectiveAction\CorrectiveAction.sysconfig' is denied.
at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)
at System.IO.FileStream.Init(String path, FileMode mode, FileAccess access, Int32 rights, Boolean useRights, FileShare share, Int32 bufferSize, FileOptions options, SECURITY_ATTRIBUTES secAttrs, String msgPath, Boolean bFromProxy, Boolean useLongPath, Boolean checkHost)
at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access, FileShare share, Int32 bufferSize, FileOptions options, String msgPath, Boolean bFromProxy, Boolean useLongPath, Boolean checkHost)
at System.IO.StreamWriter.CreateFile(String path, Boolean append, Boolean checkHost)
at System.IO.StreamWriter..ctor(String path, Boolean append, Encoding encoding, Int32 bufferSize, Boolean checkHost)
at System.IO.File.InternalWriteAllText(String path, String contents, Encoding encoding, Boolean checkHost)
at Epicor.Customization.Bpm.DBEDF708DC2FE7435DBF83F2FFF5B4BF4A.PostTranDirective_EmailAssigneeWLink_AF57C75AF4174E81B4961346C00E6F0C.A002_CustomCodeAction()
at Epicor.Customization.Bpm.DBEDF708DC2FE7435DBF83F2FFF5B4BF4A.PostTranDirective_EmailAssigneeWLink_AF57C75AF4174E81B4961346C00E6F0C.ExecuteCore()
at Epicor.Customization.Bpm.DirectiveBase`3.Execute(TParam parameters) in C:\_Releases\ICE\RL10.2.600.0FW\Source\Server\Internal\Lib\Epicor.Customization.Bpm\DirectiveBase.Generic.cs:line 146
--- End of inner exception stack trace ---
at Epicor.Customization.Bpm.DirectiveBase`3.Execute(TParam parameters) in C:\_Releases\ICE\RL10.2.600.0FW\Source\Server\Internal\Lib\Epicor.Customization.Bpm\DirectiveBase.Generic.cs:line 162
at System.Linq.Enumerable.All[TSource](IEnumerable`1 source, Func`2 predicate)
at Epicor.Customization.Bpm.CustomizationBase2`3.Execute(TParam parameters) in C:\_Releases\ICE\RL10.2.600.0FW\Source\Server\Internal\Lib\Epicor.Customization.Bpm\CustomizationBase2.cs:line 87
at Epicor.Customization.Bpm.Standard.MonitoringSessionManager.ProcessCollectedData(IceDataContext db, IRowChangesCollection data, IDirectiveEnabler enabler) in C:\_Releases\ICE\RL10.2.600.0FW\Source\Server\Internal\Lib\Epicor.Customization.Bpm\Standard\MonitoringSessionManager.cs:line 145
at Epicor.Customization.Bpm.Standard.MonitoringSessionManager.FinalizeSession(String sessionId, IceDataContext db) in C:\_Releases\ICE\RL10.2.600.0FW\Source\Server\Internal\Lib\Epicor.Customization.Bpm\Standard\MonitoringSessionManager.cs:line 102
at Epicor.Customization.Bpm.SvcFacadeBase`3.Epicor.Hosting.IBpmReadyService.FinalizeCall(Object state, Boolean fail) in C:\_Releases\ICE\RL10.2.600.0FW\Source\Server\Internal\Lib\Epicor.Customization.Bpm\SvcFacadeBase.Generic.cs:line 227
at Epicor.Hosting.OperationBoundInvoker.Invoke(Object instance, Func`2 func) in C:\_Releases\ICE\UD10.2.600.12FW\Source\Framework\Epicor.System\Hosting\OperationBoundInvoker.cs:line 32

I’m just using System.IO’s File.ReadAllText and File.WriteAllText to access/create the files.

Any input is much appreciated!

@Asz0ka Is that service account a local administrator on the app server?

1 Like

No, it’s not, but I can make it one if needed. Do you think that’s the only way it will work? Strange, it seems like it’s ignoring the share permissions…

What’s this sysconfig file it’s trying to look at? Could that be where it’s getting tripped up?

@Asz0ka,

If you want to avoid the sysconfig file in a future version of Kinetic, vote for Deep Linking:

Provide URI to ERP object instances, i.e. Deep Linking

It’s already considered for future but every vote helps…

1 Like

Hey Tom,

So that sysconfig file IS the attachment, and it gets modified slightly by File.WriteAllText. The attachment (sysconfig file) will open up a module in Epicor with a specific record when opened with Epicor. There are a few more details on the BPM here:

I’m going to try adding the svc account to local admin and see if that gets it working again.

So adding the account to the local admin group didn’t immediately change anything, but I’m not sure if something needs to be restarted for the change to take effect (I did restart the app pool at least).

Can you confirm I’m pulling the service account from the correct place in EAC?

Thanks for the input everyone, it’s officially working again. Apparently I needed to go to the “Advanced Sharing” settings on the folder and modify the permissions there.

1 Like
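
The fix in the last post reflects how Windows evaluates a UNC path: the share permissions (the "Advanced Sharing" dialog) and the NTFS ACL (the "Security" tab) are checked separately, and the more restrictive of the two decides the outcome. The PowerShell below is an added example, not code from the thread, that lists both layers side by side; the share name and subfolder come from the path in the error, and `DOMAIN\svc-epicor` is a placeholder for the real service account.

```powershell
# Added example: show both permission layers that apply to a UNC write.
# Run in an elevated session on the server that hosts the share.
param(
    [string]$ShareName    = 'EpicorData',                                  # from the error path
    [string]$RelativePath = 'Companies\93546\Shortcuts\CorrectiveAction',  # from the error path
    [string]$Account      = 'DOMAIN\svc-epicor'                            # placeholder account
)

$share  = Get-SmbShare -Name $ShareName -ErrorAction Stop
$folder = Join-Path -Path $share.Path -ChildPath $RelativePath

# Layer 1: share permissions ("Advanced Sharing"). These apply only to
# access that arrives over the network path \\server\share.
Write-Host "Share permissions on \\$env:COMPUTERNAME\$ShareName"
Get-SmbShareAccess -Name $ShareName |
    Select-Object AccountName, AccessControlType, AccessRight,
        @{ Name = 'IsAccount'; Expression = { $_.AccountName -eq $Account } } |
    Format-Table -AutoSize

# Layer 2: NTFS permissions ("Security" tab) on the folder the BPM writes to.
Write-Host "NTFS permissions on $folder"
(Get-Acl -Path $folder).Access |
    Select-Object IdentityReference, AccessControlType, FileSystemRights, IsInherited,
        @{ Name = 'IsAccount'; Expression = { $_.IdentityReference.Value -eq $Account } } |
    Format-Table -AutoSize

# Reading the output:
# - Entries for groups the account belongs to (for example Everyone or
#   Authenticated Users) apply to it as well; IsAccount only flags exact matches.
# - A Deny entry in either layer overrides an Allow in that layer.
# - Read-only at the share level blocks File.WriteAllText over the UNC path
#   even when the NTFS ACL grants Full Control.
#
# Least-privilege correction at the share level: Change covers read, write
# and delete. Uncomment after reviewing the tables above.
# Grant-SmbShareAccess -Name $ShareName -AccountName $Account -AccessRight Change -Force
```

The identity that matters is the one the Epicor application pool actually runs as, so check that account in both tables before changing group memberships.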