08-30-2013 08:51 AM
Hi
EV 9.0.2
I've followed https://www-secure.symantec.com/connect/forums/read-only-role to create a read only role in EV.
However, that role lets me create and delete archives, not exactly read only.
Anyway to prevent this without removing all access to archives? I want read only access to archives in the VAC as well.
thanks
Solved! Go to Solution.
08-30-2013 01:09 PM
I went through the operations list and I think that you don't need "{STO} Can administer archives" for this role since you already have "Can administer Enterprise Vault archives". Give it a try and let me know if that works for you.
08-30-2013 09:18 AM
So do you just want to be able to search the archives? If yes you would want to use EVPM to give your account permissions on the archive.
08-30-2013 09:49 AM
Have you tried to actually create an archive? For instance, if you open the VAC using a user assigned to the read-only role and you try to create a journal archive, can you go through the wizard until the end without getting an exception or access denied error? I am asking because I just tried it in my lab, and even though I have access to the options, I got an access denied error message when I try to create/delete or modify an archive permissions:
1. For Archive deletion:
2. For archive permissions update:
08-30-2013 11:03 AM
Interesting, i can create and delete archives. Here's my custom role:
:
08-30-2013 11:06 AM
And this shows the role when I am logged on as that restricted user:
Your Enterprise Vault role is: Read Only
Entitlements associated with this role:
=======================
Can administer Enterprise Vault targets
Can administer all Enterprise Vault targets
Can administer Enterprise Vault Exchange targets
Can administer Retention Categories
Can administer Enterprise Vault archives
Can administer Enterprise Vault Vault Stores
Can administer Enterprise Vault policies
Can administer all Enterprise Vault policies
Can administer Enterprise Vault Exchange policies
Can administer Enterprise Vault Exchange mailbox policies
Can administer Enterprise Vault Exchange Journaling policies
Can view Site General property page
Can view Site Archiving Defaults property page
Can view Site Shortcut Deletion property page
Can view Site Schedule property page
Can view Site Storage Expiry property page
Can view Site Archiving Usage Limit property page
Can view Site Monitoring property page
Can administer Enterprise Vault servers
Can manage Enterprise Vault Exchange Journaling tasks
Can manage Enterprise Vault Exchange Mailbox tasks
Can manage Enterprise Vault tasks
Can manage Enterprise Vault services
Can use ServerManager
Can manage Exchange Journal Archives
Can manage Exchange Mailbox Archives
Using Authorization Store version number: 8
08-30-2013 11:08 AM
I just tried to change a permission on an existing archive and got the same error that you posted - Access Denied.
However, I don't get this error when deleting an existing archive - it says "marked for deletion" and then deletes.
08-30-2013 01:09 PM
I went through the operations list and I think that you don't need "{STO} Can administer archives" for this role since you already have "Can administer Enterprise Vault archives". Give it a try and let me know if that works for you.
09-02-2013 11:30 AM
Thanks, looks like that has done the trick! Now I can't create or delete archives with my custom role, but can still view properties.
Thanks again!