goatboy
Level 6
12 years ago
Solved

EV read only role - lets me create and delete archives

Hi


EV 9.0.2

I've followed https://www-secure.symantec.com/connect/forums/read-only-role to create a read only role in EV.

However, that role lets me create and delete archives, not exactly read only.

Any way to prevent this without removing all access to archives? I want read only access to archives in the VAC as well.

thanks

  • So do you just want to be able to search the archives? If yes, you would want to use EVPM to give your account permissions on the archive.

  • Have you tried to actually create an archive? For instance, if you open the VAC using a user assigned to the read-only role and you try to create a journal archive, can you go through the wizard until the end without getting an exception or access denied error? I am asking because I just tried it in my lab, and even though I have access to the options, I got an access denied error message when I try to create/delete an archive or modify archive permissions:

    1. For archive deletion: (screenshot: Capture_3.JPG)

    2. For archive permissions update: (screenshot: Capture_4.JPG)

  • Interesting, I can create and delete archives. Here's my custom role:

    (screenshots: 2.JPG, 1.JPG, 3.JPG, 4.JPG)

  • And this shows the role when I am logged on as that restricted user:

    Your Enterprise Vault role is: Read Only

    Entitlements associated with this role:
    =======================
    Can administer Enterprise Vault targets
    Can administer all Enterprise Vault targets
    Can administer Enterprise Vault Exchange targets
    Can administer Retention Categories
    Can administer Enterprise Vault archives
    Can administer Enterprise Vault Vault Stores
    Can administer Enterprise Vault policies
    Can administer all Enterprise Vault policies
    Can administer Enterprise Vault Exchange policies
    Can administer Enterprise Vault Exchange mailbox policies
    Can administer Enterprise Vault Exchange Journaling policies
    Can view Site General property page
    Can view Site Archiving Defaults property page
    Can view Site Shortcut Deletion property page
    Can view Site Schedule property page
    Can view Site Storage Expiry property page
    Can view Site Archiving Usage Limit property page
    Can view Site Monitoring property page
    Can administer Enterprise Vault servers
    Can manage Enterprise Vault Exchange Journaling tasks
    Can manage Enterprise Vault Exchange Mailbox tasks
    Can manage Enterprise Vault tasks
    Can manage Enterprise Vault services
    Can use ServerManager
    Can manage Exchange Journal Archives
    Can manage Exchange Mailbox Archives

    Using Authorization Store version number: 8

  • I just tried to change a permission on an existing archive and got the same error that you posted - Access Denied.

    However, I don't get this error when deleting an existing archive - it says "marked for deletion" and then deletes.

  • I went through the operations list and I think that you don't need "{STO} Can administer archives" for this role since you already have "Can administer Enterprise Vault archives". Give it a try and let me know if that works for you.

  • Thanks, looks like that has done the trick! Now I can't create or delete archives with my custom role, but can still view properties.

    Thanks again!