Issue
When the using OAuth authentication on your instance Email Accounts, the job Refresh Email Access Token is associated to the "admin" user to have the admin role associated to work correctly.
You will identify this problem because:
- When the OAuth SMTP/IMAP/POP3 connection expires, the mail reader/sender connection is invalid:
e.g. OAuth access token is not present or has expired. Email account=xxxxxx - Instance node logs might show errors like
worker.0 worker.0 txid=20038682db9b Name: Refresh Email Access Token
worker.0 worker.0 txid=20038682db9b 6816f79cc0a8016401c5a33be04be441 can't read table oauth_credential - Renewing the tokens manually with an admin account, it works correctly.
- Your "admin" user does not have the admin role
- Your Refresh Email Access Token jobs is associated to Run As: System Administrator (admin user)
Cause
The scheduled job "Refresh Email Access Token" is configured to run as administrator (admin user).
- If you have installed the OAuth Email plugin, the job is located here: <instance>/sysauto_script_list.do?sysparm_query=name%3DRefresh%20Email%20Access%20Token%5Eactive%3Dtrue&sysparm_first_row=1&sysparm_view=
The admin user would normally have access to the oauth_credential table via the admin role.
In this instance the admin role has been removed from the admin user
Resolution
There are several recommended solutions:
- Restore the admin role to the admin user
- Customise the Refresh Email Access Token job to run with a user with the admin role
- Create relevant ACLs on oauth_credential table specifically granting access to a user, which you can use on the "Refresh Email Access Token" job
