How to give permissions to an archive using Enterprise Vault Policy Manager (EVPM)

Article:TECH69114  |  Created: 2009-01-25  |  Updated: 2013-11-15  |  Article URL http://www.symantec.com/docs/TECH69114
Article Type
Technical Solution

Product(s)

Environment

Issue



How to give permissions to an archive using Enterprise Vault Policy Manager (EVPM)


Solution



The EVPM utility is designed to allow granular and custom changes to mailboxes and archives.  By default an archive will have permissions assigned to it based on inherited permissions.  At times it is necessary to add custom permissions to one or more archives.

This can be achieved by creating an EVPM script, specifying the particular details and running it against the affected archive.

a. Modify the script below to match the particular DirectoryComputerName, SiteName and ArchiveName values for your environment.
b. Save the file with an .ini extension in UNICODE format.

---------------------------Copy below---------------------------------------

[Directory]
DirectoryComputerName=kvsvault
SiteName=archivesite

[ArchivePermissions]
ArchiveName = john doe
GrantAccess = read write delete, ourdomain\smith

---------------------------Copy above---------------------------------------

Descriptions:

 
ArchiveName
 
Mandatory. Identifies the archive to which the permission settings are applied.
 
If there are multiple folders with the same name and you specify a name, Policy Manager modifies only the first one that it finds. In this case, you must use archive Ids to specify the archives.
 

 
Possible values:
 
The name of an archive
 
An archive ID
 
ALL (permissions are applied to all journal, shared, and mailbox archives in the specified vault site)
 
ALL_JOURNAL (permissions are applied to all journal archives)
 
ALL_SHARED (permissions are applied to all shared archives)
 
ALL_MAILBOX (permissions are applied to all mailbox archives)
 

 
GrantAccess
 
Optional. Grants to the specified Windows accounts the specified access to the archive.
 
The granted rights supplement any existing access rights.
 
You can have many occurrences of GrantAccess within the same [ArchivePermissions] section.
 

 
Possible values:
 
A list of permissions, followed by a comma and then a comma-delimited list of groups or accounts that are granted the specified permissions. Permissions can be any of read, write, and delete, followed by a comma.
 

 
Examples:
 
To grant read and write access to user Smith:
 
GrantAccess = read write, domain\smith
 
To grant read and write access to users Smith and Jones:
 
GrantAccess = read write, domain\smith, domain\jones
 
To grant read and write access to user Smith but only read access to user Jones:
 
GrantAccess = read write, domain\smith
GrantAccess = read, domain\jones

 

Multiple Archives

While you can have multiple occurrences of the GrantAccess parameter within a given [ArchivePermissions] section, the ArchiveName parameter does not work the same way. For instance, you might expect the following to grant read permissions to Alice for Bob's archive and read permissions to Carol for Dan's archive:

[ArchivePermissions]

ArchiveName = Bob
GrantAccess = read, Alice

ArchiveName = Dan
GrantAccess = read, Carol

However, this is not the case. The above example will grant all the permissions named to all the archives named. Thus both Alice and Carol end up with read permissions to both Bob's and Dan's archives.

To assign disparate permissions to multiple archives properly, you must use multiple [ArchivePermissions] sections. For example, the below actually does grant read permissions to Alice for Bob's archive and read permissions to Carol for Dan's archive:

[ArchivePermissions]

ArchiveName = Bob
GrantAccess = read, Alice
 

[ArchivePermissions]

ArchiveName = Dan
GrantAccess = read, Carol


Note: For further details and assistance in running EVPM, please see the Utilities guide under Documentation in the installation of EV.
 


Legacy ID



321592


Article URL http://www.symantec.com/docs/TECH69114


Terms of use for this information are found in Legal Notices