
Control automatically set Permissions on the archive

Created: 17 Jun 2013 • Updated: 17 Jun 2013 | 2 comments
kirankumarkapse

Hi,

Of late I have been asked to control who can see the archives and who can do what on the archives when Archive explorer UI is used.

Currently the control seems to be coming from the folder or share permissions.

What would be of great assistance to admins would be to allow us to change the permission at the archive on the Admin console of evault, reason being I do not want to touch the file server permissions as it might break an already set environment.

Currently we can only manage manually set permissions on the archive, but anything set automatically cannot be managed unless managed by folder or share permissions.

It would be good if we can remove the automatically set permissions on the archive and manage permissions manually, giving us a great ability of security and control. If this control is played back to clients they would be satisfied with the product much more than it is today.

Kiran Kumar

Comments (2)

Ben Watts

Hi Kiran,

To be honest the only real reason you would want to remove the automatic permissions is if you didn't want someone to access the files within the Archive, in which case surely you would want to remove the permissions on the Fileserver level too considering these files are 'effectively' in the same location?

Altering the Manual permissions on the Archive has the exact same effect as altering the Automatic permissions on the archive so what you are asking for, from what I can see, is already possible.

If you wanted to stop someone accessing files within the Archive simply add a manual Deny permission for them which will stop them accessing anything within that Archive, including searching within the Archive.

Please correct me if I am barking up the wrong tree and have misunderstood you.

Tgotschall

Ben, I believe Kiran is right. We need to be able to break the inherited automatic permissions via the GUI in certain situations.

This needs to be changed because it is a global setting and only has two options.

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KVS\Enterprise Vault\SynchroniseFSASharePermissions

DWORD

0= Sync with NTFS permissions of the folder being archived (This is the desired behavior for most instances for us)

1= Inherit the Share permissions of the Share on the FSA Entry point (Default)

We want the users to see the permissions of the original folder and not the share permissions of the Entry point for active Data. This works great until you need to delete the original data/folder. The Event log fills up with errors because it is trying to synch with a folder that is no longer there.

An example:

A user retires, we move his user drive to a folder that is set to archive all files and delete the shortcuts. Afterwards, we want to delete the original folder. Now we have errors generated in the event log. We need to be able to set the properties of the archive in the GUI to inactive or something similar so that it will quit trying to synch and we need to be able to assign permissions appropriately. You can't remove the automatic perms without using the ZAPFSAPerms script. This is not convenient for a large number of users and is a cumbersome process.

Tech support's answer was to change the setting to "1". Well that stops the errors but now it puts the root share permissions on all the archives. This is not convenient because you don't want this in all cases either. You want the active archive folders to get NTFS permissions. Accepted procedure in an AD environment is to assign Everyone Full Control to the share and use NTFS perms to control access.

Instead of this setting being global, it needs to be able to be set on the FSA folder level or archive level to use either share perms or NTFS perms and we need to be able to remove any automatic perms with a simple checkbox override.

We have actually stopped the FSA archiving progress because of this flaw and the "all or nothing" implications of this setting.

You said "Altering the Manual permissions on the Archive has the exact same effect as altering the Automatic permissions on the archive so what you are asking for, from what I can see, is already possible.

If you wanted to stop someone accessing files within the Archive simply add a manual Deny permission for them which will stop them accessing anything within that Archive, including searching within the Archive."

This is not entirely true. Consider this. Everyone inherits Full Control. You don't want Everyone to see all Archives. You go in and manually Deny Full Control to Everyone. Now nobody can see the archive, even if you explicitly grant rights to a user. Everyone Denies their ability to see the archive... so no, it is not the same.

We have spent days on this issue so I know this to be the case.

It would be a great help to the FSA process to have these changes implemented in a future release.

I know I am not alone in this because I have researched and seen many people with issues related to the way this presently works. Obviously Kiran is fighting this problem as well.

Regards,

Troy. (tgotschall@cfindustries.com)

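The difference the second comment describes, between adding a manual Deny and actually removing the automatic entry, shown as an added example that is not part of the thread and is not Enterprise Vault code. It assumes a simplified deny-overrides-allow evaluation in which every user is a member of Everyone; the user names and the `Entry` structure are constructed for illustration.

```python
from dataclasses import dataclass

EVERYONE = "Everyone"


@dataclass(frozen=True)
class Entry:
    trustee: str   # user or group the entry applies to
    allow: bool    # True = Allow, False = Deny
    origin: str    # "automatic" (synchronised from the file server) or "manual"


def trustees_for(user, groups):
    # Assumption: every user is implicitly a member of Everyone.
    return {user, EVERYONE} | set(groups.get(user, ()))


def can_access(user, acl, groups=None):
    """Deny-overrides-allow: any matching Deny wins over any matching Allow."""
    who = trustees_for(user, groups or {})
    matching = [e for e in acl if e.trustee in who]
    if any(not e.allow for e in matching):
        return False
    return any(e.allow for e in matching)  # no matching entry means no access


def scenario_results():
    # 1. Only the automatic entry: Everyone inherits Full Control.
    automatic_only = [Entry(EVERYONE, True, "automatic")]
    # 2. The suggested workaround: manual Deny for Everyone plus an explicit grant.
    deny_plus_grant = automatic_only + [
        Entry(EVERYONE, False, "manual"),
        Entry("alice", True, "manual"),
    ]
    # 3. What the posters ask for: automatic entry removed, manual grant only.
    automatic_removed = [Entry("alice", True, "manual")]

    users = ("alice", "bob")  # constructed sample users
    scenarios = (
        ("automatic_only", automatic_only),
        ("deny_plus_grant", deny_plus_grant),
        ("automatic_removed", automatic_removed),
    )
    return {name: {u: can_access(u, acl) for u in users} for name, acl in scenarios}


if __name__ == "__main__":
    for name, result in scenario_results().items():
        print(f"{name:18} {result}")
```

Only the third scenario gives the least-privilege result (alice in, bob out); in the second, the Deny on Everyone also locks out the user who was explicitly granted access.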