Video Screencast Help

EV read only role - lets me create and delete archives

Created: 30 Aug 2013 • Updated: 02 Sep 2013 | 7 comments
This issue has been solved. See solution.

Hi

EV 9.0.2

I've followed https://www-secure.symantec.com/connect/forums/read-only-role to create a read only role in EV.

However, that role lets me create and delete archives, not exactly read only.

Anyway to prevent this without removing all access to archives? I want read only access to archives in the VAC as well.

thanks

Operating Systems:

Comments 7 CommentsJump to latest comment

TonySterling's picture

So do you just want to be able to search the archives?  If yes you would want to use EVPM to give your account permissions on the archive. 

 

GabeV's picture

Have you tried to actually create an archive? For instance, if you open the VAC using a user assigned to the read-only role and you try to create a journal archive, can you go through the wizard until the end without getting an exception or access denied error? I am asking because I just tried it in my lab, and even though I have access to the options, I got an access denied error message when I try to create/delete or modify an archive permissions:

1. For Archive deletion:

Capture_3.JPG

2. For archive permissions update:

   Capture_4.JPG

“Success is not final, failure is not fatal: it is the courage to continue that counts.”–Winston Churchill

goatboy's picture

Interesting, i can create and delete archives. Here's my custom role:

 

2.JPG

:1.JPG

3.JPG

4.JPG
goatboy's picture

And this shows the role when I am logged on as that restricted user:

 

Your Enterprise Vault role is: Read Only

 

Entitlements associated with this role:

=======================

Can administer Enterprise Vault targets

Can administer all Enterprise Vault targets

Can administer Enterprise Vault Exchange targets

Can administer Retention Categories

Can administer Enterprise Vault archives

Can administer Enterprise Vault Vault Stores

Can administer Enterprise Vault policies

Can administer all Enterprise Vault policies

Can administer Enterprise Vault Exchange policies

Can administer Enterprise Vault Exchange mailbox policies

Can administer Enterprise Vault Exchange Journaling policies

Can view Site General property page

Can view Site Archiving Defaults property page

Can view Site Shortcut Deletion property page

Can view Site Schedule property page

Can view Site Storage Expiry property page

Can view Site Archiving Usage Limit property page

Can view Site Monitoring property page

Can administer Enterprise Vault servers

Can manage Enterprise Vault Exchange Journaling tasks

Can manage Enterprise Vault Exchange Mailbox tasks

Can manage Enterprise Vault tasks

Can manage Enterprise Vault services

Can use ServerManager

Can manage Exchange Journal Archives

Can manage Exchange Mailbox Archives

 

Using Authorization Store version number: 8

goatboy's picture

I just tried to change a permission on an existing archive and got the same error that you posted - Access Denied.

However, I don't get this error when deleting an existing archive - it says "marked for deletion" and then deletes.

GabeV's picture

I went through the operations list and I think that you don't need "{STO} Can administer archives" for this role since you already have "Can administer Enterprise Vault archives". Give it a try and let me know if that works for you.

“Success is not final, failure is not fatal: it is the courage to continue that counts.”–Winston Churchill

SOLUTION
goatboy's picture

Thanks, looks like that has done the trick! Now I can't create or delete archives with my custom role, but can still view properties.

Thanks again!