1. Support
  2. Knowledge base
  3. 100020573

How to give permissions to an archive using Enterprise Vault Policy Manager (EVPM)

Article: 100020573
Last Published: 2014-08-05
Ratings: 0 0
Product(s): Enterprise Vault

Problem

The EVPM utility is designed to allow granular and custom changes to mailboxes and archives.  By default an archive will have permissions assigned to it based on inherited permissions.  At times it is necessary to add custom permissions, for a group or a user, to one or more archives.

Solution

This can be achieved by creating an EVPM script, specifying the particular details and running it against the affected archive.

a. Modify the script below to match the particular DirectoryComputerName, SiteName and ArchiveName values for the environment.
b. Save the file with an .ini extension in UNICODE format.

---------------------------Copy below---------------------------------------

[Directory]
DirectoryComputerName=kvsvault
SiteName=archivesite

[ArchivePermissions]
ArchiveName = john doe
GrantAccess = read write delete, ourdomain\smith

---------------------------Copy above---------------------------------------

Descriptions:

 
ArchiveName
 
Mandatory. Identifies the archive to which the permission settings are applied.
 
If there are multiple folders with the same name and you specify a name, Policy Manager modifies only the first one that it finds. In this case, you must use archive Ids to specify the archives.
 

 
Possible values:
 
The name of an archive
 
An archive ID
 
ALL (permissions are applied to all journal, shared, and mailbox archives in the specified vault site)
 
ALL_JOURNAL (permissions are applied to all journal archives)
 
ALL_SHARED (permissions are applied to all shared archives)
 
ALL_MAILBOX (permissions are applied to all mailbox archives)
 

 
GrantAccess
 
Optional. Grants to the specified Windows accounts the specified access to the archive.
 
The granted rights supplement any existing access rights.
 
There can be many occurrences of GrantAccess within the same [ ArchivePermissions] section.
 

 
Possible values:
 
A list of permissions, followed by a comma and then a comma-delimited list of groups or accounts that are granted the specified permissions. Permissions can be any of read, write, and  delete, followed by a comma.
 

 
Examples:
 
To grant read and write access to user Smith:
 
GrantAccess = read write, domain\smith
 
To grant read and write access to users Smith and Jones:
 
GrantAccess = read write, domain\smith, domain\jones
 
To grant read and write access to user Smith but only read access to user Jones:
 
GrantAccess = read write, domain\smith
GrantAccess = read, domain\jones

 

Multiple Archives

While there can be multiple occurrences of the GrantAccess parameter within a given [ArchivePermissions] section, the ArchiveName parameter does not work the same way. It may see that the following will grant read permissions to Alice for Bob's archive and read permissions to Carol for Dan's archive:

[ArchivePermissions]

ArchiveName = Bob
GrantAccess = read, Alice

ArchiveName = Dan
GrantAccess = read, Carol

However, this is not the case. The above example will grant all the permissions named to all the archives named. Thus both Alice and Carol end up with read permissions to both Bob's and Dan's archives.

To assign disparate permissions to multiple archives properly, multiple [ArchivePermissions] sections must be used. For example, the below actually does grant read permissions to Alice for Bob's archive and read permissions to Carol for Dan's archive:

[ArchivePermissions]

ArchiveName = Bob
GrantAccess = read, Alice
 

[ArchivePermissions]

ArchiveName = Dan
GrantAccess = read, Carol


Note: For further details and assistance in running EVPM, please see the Utilities guide under Documentation in the installation of EV.
 
 

 

Was this content helpful?

Article Languages