Solved: I went through the operations

goatboy · ‎08-30-2013

Hi

EV 9.0.2

I've followed https://www-secure.symantec.com/connect/forums/read-only-role to create a read only role in EV.

However, that role lets me create and delete archives, not exactly read only.

Anyway to prevent this without removing all access to archives? I want read only access to archives in the VAC as well.

thanks

GabeV · ‎08-30-2013

I went through the operations list and I think that you don't need "{STO} Can administer archives" for this role since you already have "Can administer Enterprise Vault archives". Give it a try and let me know if that works for you.

View solution in original post

TonySterling · ‎08-30-2013

So do you just want to be able to search the archives? If yes you would want to use EVPM to give your account permissions on the archive.

GabeV · ‎08-30-2013

Have you tried to actually create an archive? For instance, if you open the VAC using a user assigned to the read-only role and you try to create a journal archive, can you go through the wizard until the end without getting an exception or access denied error? I am asking because I just tried it in my lab, and even though I have access to the options, I got an access denied error message when I try to create/delete or modify an archive permissions:

1. For Archive deletion:

2. For archive permissions update:

goatboy · ‎08-30-2013

Interesting, i can create and delete archives. Here's my custom role:

:

goatboy · ‎08-30-2013

And this shows the role when I am logged on as that restricted user:

Your Enterprise Vault role is: Read Only

Entitlements associated with this role:

=======================

Can administer Enterprise Vault targets

Can administer all Enterprise Vault targets

Can administer Enterprise Vault Exchange targets

Can administer Retention Categories

Can administer Enterprise Vault archives

Can administer Enterprise Vault Vault Stores

Can administer Enterprise Vault policies

Can administer all Enterprise Vault policies

Can administer Enterprise Vault Exchange policies

Can administer Enterprise Vault Exchange mailbox policies

Can administer Enterprise Vault Exchange Journaling policies

Can view Site General property page

Can view Site Archiving Defaults property page

Can view Site Shortcut Deletion property page

Can view Site Schedule property page

Can view Site Storage Expiry property page

Can view Site Archiving Usage Limit property page

Can view Site Monitoring property page

Can administer Enterprise Vault servers

Can manage Enterprise Vault Exchange Journaling tasks

Can manage Enterprise Vault Exchange Mailbox tasks

Can manage Enterprise Vault tasks

Can manage Enterprise Vault services

Can use ServerManager

Can manage Exchange Journal Archives

Can manage Exchange Mailbox Archives

Using Authorization Store version number: 8

goatboy · ‎08-30-2013

I just tried to change a permission on an existing archive and got the same error that you posted - Access Denied.

However, I don't get this error when deleting an existing archive - it says "marked for deletion" and then deletes.

GabeV · ‎08-30-2013

I went through the operations list and I think that you don't need "{STO} Can administer archives" for this role since you already have "Can administer Enterprise Vault archives". Give it a try and let me know if that works for you.

goatboy · ‎09-02-2013

Thanks, looks like that has done the trick! Now I can't create or delete archives with my custom role, but can still view properties.

Thanks again!

VOX

EV read only role - lets me create and delete archives