Enterprise Vault Permissions

Detailed Description

In order to bind to Enterprise Vault Archives, the Simply Migrate Management Shell requires permissions to be set.

In addition to needing read access to all of the Enterprise Vault SQL databases, there are Enterprise Vault specific permissions that need to be set.

The following article explains how to configure the various types of permissions that can be used within the Enterprise Vault product.

Set Archive Rights Using EVPM

The EVPM utility is designed to allow granular and custom changes to mailboxes and archives and is included with Enterprise Vault.

By default an archive will have permissions assigned to it based on inherited permissions. At times it is necessary to add custom permissions to one or more archives.

This can be achieved by creating an EVPM script, specifying the particular details and running it against the archive(s) you wish to apply the changes to.

STEP 1 – Modify the script below to match the particular DirectoryComputerName, SiteName and ArchiveName values for your environment.

STEP 2 – Save the file with an .ini extension in UNICODE format.

---------------------------Copy below---------------------------------------

[Directory]
DirectoryComputerName=YOUR_EV_DIRECTORY_SERVER
SiteName=YOUR_VAULT_SITE_NAME

[ArchivePermissions]
ArchiveName = Fred Flintstone
GrantAccess = read write delete, DOMAIN\NEW_ACCOUNT

---------------------------Copy above---------------------------------------

Script Details

ArchiveName

Mandatory. Identifies the archive to which the permission settings are to be applied. If there are multiple archives with the same name and you specify a name, Policy Manager modifies only the first one that it finds. In this case, you must use archive IDs to specify the archives.

Possible Values

  • The name of an archive
  • An archive ID
  • ALL (permissions are applied to all journal, shared, and mailbox archives in the specified vault site)
  • ALL_JOURNAL (permissions are applied to all journal archives)
  • ALL_SHARED (permissions are applied to all shared archives)
  • ALL_MAILBOX (permissions are applied to all mailbox archives)

GrantAccess

Optional. Grants to the specified Windows accounts the specified access to the archive.
NOTE: The granted rights supplement any existing access rights.
You can have many occurrences of GrantAccess within the same [ArchivePermissions] section.

Possible Values

A space-separated list of permissions, followed by a comma and then a comma-delimited list of groups or accounts that are granted the specified permissions. The permission list can contain any of read, write, and delete.

Examples

  • To grant read and write access to user Smith:
    GrantAccess = read write, domain\smith
  • To grant read and write access to users Smith and Jones:
    GrantAccess = read write, domain\smith, domain\jones
  • To grant read and write access to user Smith but only read access to user Jones:
    GrantAccess = read write, domain\smith
    GrantAccess = read, domain\jones

Multiple Archives

While you can have multiple occurrences of the GrantAccess parameter within a given [ArchivePermissions] section, the ArchiveName parameter does not work the same way. For instance, you might expect the following to grant read permissions to Alice for Bob’s archive and read permissions to Carol for Dan’s archive:

[ArchivePermissions]

ArchiveName = Bob
GrantAccess = read, Alice

ArchiveName = Dan
GrantAccess = read, Carol

However, this is not the case. The above example will grant all the permissions named to all the archives named. Thus both Alice and Carol end up with read permissions to both Bob’s and Dan’s archives. To assign disparate permissions to multiple archives properly, you must use multiple [ArchivePermissions] sections. For example, the below actually does grant read permissions to Alice for Bob’s archive and read permissions to Carol for Dan’s archive:

[ArchivePermissions]

ArchiveName = Bob
GrantAccess = read, Alice

[ArchivePermissions]

ArchiveName = Dan
GrantAccess = read, Carol
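Because the cross-product behaviour above is easy to miss in a long script, it helps to preview what an EVPM file will actually grant before running it. The following Python linter is an added example written for this article, not part of Enterprise Vault or the Simply Migrate Management Shell; it parses the [ArchivePermissions] sections as described here (every GrantAccess in a section applies to every ArchiveName in that section, rights are additive), reports the effective per-archive, per-account rights, and warns on sections that list more than one ArchiveName. The embedded script is a constructed sample that reproduces the Bob/Dan pitfall.

```python
"""Lint an EVPM script and show the archive permissions it will actually apply."""
from collections import defaultdict

VALID_RIGHTS = {"read", "write", "delete"}

# Constructed sample: the "looks right but isn't" single-section form,
# followed by a correctly separated section for Dan's archive.
SAMPLE_SCRIPT = """[Directory]
DirectoryComputerName=YOUR_EV_DIRECTORY_SERVER
SiteName=YOUR_VAULT_SITE_NAME

[ArchivePermissions]
ArchiveName = Bob
GrantAccess = read, Alice
ArchiveName = Dan
GrantAccess = read, Carol

[ArchivePermissions]
ArchiveName = Dan
GrantAccess = read write, Carol, Erin
"""

def parse_sections(text):
    """Split INI text into (section_name, [(key, value), ...]); repeated keys are kept."""
    sections, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = (line[1:-1], [])
            sections.append(current)
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[1].append((key.strip(), value.strip()))
    return sections

def effective_grants(text):
    """Return ({(archive, account): set_of_rights}, [warnings]) for an EVPM script.

    Within one [ArchivePermissions] section every GrantAccess applies to every
    ArchiveName, so the result is the cross product. Rights only ever accumulate,
    matching EVPM's 'granted rights supplement existing rights' rule."""
    grants, warnings = defaultdict(set), []
    for idx, (name, items) in enumerate(parse_sections(text)):
        if name != "ArchivePermissions":
            continue
        archives = [v for k, v in items if k == "ArchiveName"]
        if len(archives) > 1:
            warnings.append(f"section {idx}: {len(archives)} ArchiveName keys, "
                            f"all grants apply to every one of {archives}")
        for key, value in items:
            if key != "GrantAccess":
                continue
            rights_part, _, accounts_part = value.partition(",")
            rights = set(rights_part.split())
            if rights - VALID_RIGHTS:
                warnings.append(f"section {idx}: unknown rights {rights - VALID_RIGHTS}")
            accounts = [a.strip() for a in accounts_part.split(",") if a.strip()]
            for archive in archives:
                for account in accounts:
                    grants[(archive, account)] |= rights & VALID_RIGHTS
    return dict(grants), warnings
```

Run effective_grants() over the script text before applying it; any warning about multiple ArchiveName keys means the section should be split as shown above.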