User-directed archiving defaults to wrong retentio...

Ryan_the_Red · ‎03-14-2008

This may be a bug.

Enterprise Vault 2007 SP2.

Background:

We've set up Several custom retention categories. Many of these are hidden from users and are assigned in a provisioning group. Some Users are in provisioning group are assigned a policy which locks them into using the policy settings. Others are able to change the target archive and retention category, but only using a constrained list of retention categories.

We've done this by using visible and hidden retention categories. We expect to be able to apply a hidden retention category to users in their provisioning group. As a side note, the lack of a method to constrain the list of retention categories per provisioning group (i.e. a custom list per group) is a problem too, but that's certainly more of a feaure request.

When a user in a provisioning group with such a "locked" policy, and the user clicks on the "Store in Archive" button, they receive the dialog box, which of course is all greyed out. However, the user does not receive the retention category that is set in the provisioning group. For example the combo box on the store in archive dialog is set to an incorrect value. And this is true regardless of whether the retention category set in the provisioning group is visible to users or not.

Instead, the combo box on that dialog shows only the alphabetically first retention category which is visible to users. And, if we proceed with the archiving after this point, the incorrect retention category (the one showing up grayed out on the dialog) is actually applied during user-directed archiving.

Users with an "unlocked" policy, of course, are unaffected.

In effect, this eliminates the ability for me to configure proactive archiving for users who I must lock to a specific retention category. If the store in vault screen applied the retention category from the provisioning group by default, this would be satisfactory for now.

As a workaround we've had to disable the store in vault button for these users altogether in their policy. My current customer is rather displeased about this.

Anyone have any ideas about how to Let users proactively archive and if they are "locked" to a retention category apply the retention category from their provisioning group.

Since I may be thinking about this wrong I need the mass of users to be able to choose between one of two values (such as 1year or 2year retention) when performing a directed archive, while not allowing them to see or even use the values that other groups, such as Legal, would use (such as 5year retention). I still want to let all users perform directed archiving, however.

Ryan_the_Red · ‎03-14-2008

More detail,

The behavior in the "store in vault" dialog happens when the user's provisioning group sets a retention category that is hidden and a policy that uses "overall lock". In this case, Enterprise Vault automatically assigns the first visible retention category (alphabetically), and of course the user can't change it by design.

But basically you can't lock a user to a hidden retention category and also allow manual archiving for users in that provisioning group, you'd better disable the store in vault button in that case.

Let you know more as things develop.

Michael_Bilsbor · ‎03-16-2008

Hi,

I think EV is getting confused because you are using a hidden retention category to archive to. The intended purpose of being able to hide a retention category is for retention categories no longer in 'active' use. So for example if you goto search page you'll see them as being available so users can search against them.

So I feel that the bug is that provisioning appears to be letting you select a hidden retention category. After that it sounds like what you really want is retention categories associated with provisioning groups, agreed?

Ryan_the_Red · ‎03-17-2008

Well I disagree and here's why.

The client does want certain groups to be able to use retention of 5 years, but most users should not have that option. Essentially, if a lawyer wants to he should be able to proactively archive an item to a five year retention, but an operations person should not be able to see that option.

The fear is that many users will just select the maximum retention in terms of years regardless of its label, just to retain more email.

I know that's different than what I've brought up here, but that's the reason for using hidden retention categories in the first place, not because they are no longer in use. So the lawyers have been provisioned with a hidden retention category to make automatic archiving fit the need, but the preferred solution would be that lawyers get to choose a five year retention during manual archiving but are defaulted to 2 years, while operations personnel can only choose 2 years or 1 year.

It's a common scenario, really.

The problem is that using hidden retention categories breaks manual archiving, at least from this client's perspective, so the only workaround is to take away manual archiving from the lawyers.

I would add the ability to choose a discrete list of retention categories in the provisioning group, sort of like an ACL for the retention categories, if there are any product changes.

John_Chisari · ‎03-17-2008

Ryan

When you hide a retention category - it explicitly warns you that the category will be hidden from the users desktop and can't be selected or used - so at the moment I would say this is by design - but again choosing the retention category based on alphabetical is not a good choice by EV either.

Have you looked at EV User Classification Engine? This may be what you are looking for - this is from the main page - maybe speak to your Account rep at Symantec to get more info on it.

Enterprise Vault User Classification Engine extends the email classification, capture and retention capabilities of Symantec Enterprise Vault to every user desktop. By providing a comprehensive, policy-based email capture process, it enables all business-critical and regulated emails to be classified as each item is created or read by the user. This helps enforce user retention policies more effectively by taking control of records where they are most vulnerable—under the control of employees on personal workstations.

Ryan_the_Red · ‎03-17-2008

John

Thank you for your reply. I do know about the warning. And I appreciate the information about the classification engine.

Yes, I understand why it's happening. What I don't understand is how to give the customer (1600 seats, global rollout) what they desire with the current product. We've gone through all this on the phone with support to make sure I'm not an idiot, by the way. One can fulfill pieces of these requirements but not the entirety.

The hidden retention groups scenario is the agreed "best case" for the client using the current toolset, but the "ideal case" would have been for each provisioning group to have an administrator selectable subset of retention categories available (i.e. to each provisioning group). So a group named "Everyone Else" could have either 1 year or 2 year retention, while Legal could choose from a much larger list, to include up to a 5 year retention.

Tack onto that, of course, that the User-Directed archiving piece would always choose the default retention category as set in the provisioning group (including for hidden retention categories), as originally stated.

The current functionality assigns a default category but does not control the available categories, the only way to do that is not allow user-directed archiving at all and/or hide the offending retention categories. And currently user-directed archiving cannot assign a default retention category as set in the provisioning group IF the retention category is hidden.

I have of course floated the idea to constrain all of the lowest level of users to one and only one retention category and take away the ability to manually archive items. That would elegantly solve the current problem of not trusting most users to make a decision and providing trusted users a decision. No go. They want specific retention category choices for specific groups, and at minimum they want manual archiving to set the retention category from the provisioning group.

Basically in this deployment the large mass of users are not trusted to make valid decisions about which retention category to place an email in, as it is suspected every user will always choose the longest retention period, and there's no real way to audit/enforce appropriate choices.

I will investigate the classification engine, however, as I've not ever deployed that.

Ryan

Message Edited by Ryan the Red on 03-17-2008 07:55 PM

John_Chisari · ‎03-17-2008

Wish there was more we could do for your requirement - but unfortunately as you know we are limited here - I would suggest and yes these things do get looked at - is to post an enhancement on

http://enhancement.veritas.com - stating the business case etc.

Michael_Bilsbor · ‎03-18-2008

Hi,

Do you have a case logged with Symantec for this? Can you give me the case reference number.

Ryan_the_Red · ‎03-18-2008

I was looking for a way to write you offline, but I can't seem to find your address on your profile...

I guess it won't harm anything to post the case number in the clear...

230-511-339

VOX

User-directed archiving defaults to wrong retention category