Roles-based administration

Article:HOWTO37150  |  Created: 2010-12-24  |  Updated: 2012-06-27  |  Article URL http://www.symantec.com/docs/HOWTO37150
Article Type
How To

Product(s)

Subject

Languages

Roles-based administration

Use Windows Authorization Manager to configure roles for Enterprise Vault roles-based administration. All such configuration is performed using the Vault Service account.

See Installing and Configuring for details of the prerequisite software that is needed to run Authorization Manager.

For an introduction to using Authorization Manager, see the following article:

http://msdn.microsoft.com/en-us/library/bb897401.aspx

Within Authorization Manager, roles are built up using operations and tasks, as follows:

  • An operation is a low-level permission that represents a privileged action or capability. When the Administration Console determines whether a role has access to perform a task, it is the operations associated with the role that are checked.

    Operations with names prefixed by "{STO}" or "{DIR}" are internal operations that do not affect the Administration Console display. Other, external operations control the view of the Administration Console that an administrator sees.

  • A task is a group of operations that collectively provide sufficient permissions to do a particular job.

A role is a collection of tasks and, possibly, operations and other roles.

Enterprise Vault supplies the following predefined administrator roles:

Messaging Administrator

Responsible for the day-to-day administration of Exchange Server and Lotus Domino archiving. This administrator does not have access to other parts of the product, such as File Server archiving or SharePoint archiving.

Domino Administrator

Responsible for the day-to-day administration of Lotus Domino archiving, including NSF migration. This administrator does not have access to other parts of the product, such as File Server archiving or SharePoint archiving.

In Enterprise Vault Operations Manager, can view Domino information and parameters.

Exchange Administrator

Responsible for the day-to-day administration of Exchange Server archiving. This administrator does not have access to other parts of the product, such as File Server archiving or SharePoint archiving.

In Enterprise Vault Operations Manager, can view Exchange Server information and parameters.

File Server Administrator

Responsible for the day-to-day administration of File Server archiving. This administrator does not have access to other parts of the product, such as Exchange Server archiving or SharePoint archiving.

PST Administrator

Has a view of the Administration Console that concentrates on those components that are required to manage personal stores.

In Enterprise Vault Operations Manager, can view Exchange Server information and parameters.

NSF Administrator

Has a view of the Administration Console that concentrates on those components that are required to manage NSF files.

In Enterprise Vault Operations Manager, can view Domino information and parameters.

SharePoint Administrator

Has a view of the Administration Console that concentrates on those components that are required to manage SharePoint archiving.

Storage Administrator

Has a view of the Administration Console interface that concentrates mainly on those components that are required to keep storage running properly. This administrator does not have access to archiving policy settings for the various targets.

Indexing Administrator

Has a view of the Administration Console interface that concentrates mainly on those components that are required to keep indexing running properly. This administrator does not have access to archiving policy settings for the various targets.

Power Administrator

Can perform all the tasks in the other predefined administrator roles.

Cannot perform reconfiguration tasks such as changing the Vault Service account or Directory SQL server.

Enterprise Vault provides one predefined task role:

Task Applications

This role provides access to archives to allow an account other than the Vault Service account to run Exchange Server tasks. Enterprise Vault grants this role automatically when you configure an Exchange Server task to run under an account other than the Vault Service account.

Enterprise Vault provides one predefined application role:

Placeholder Application

Able to run the FSAUndelete utility. This role enables the undeletion of items from archives.

You can use the predefined roles as supplied, customize them, or create new roles, as required.

By assigning roles you can adjust the permissions of individual administrators to match their job responsibilities. The mechanism is flexible enough for you to be able to modify an individual's role to cope with any change in responsibility.

You can assign roles to the following:

  • Windows Users and Groups.

  • The results of an LDAP query.

  • Application-specific groups. These are specific to Authorization Manager and can contain a mixture of users and groups. They can also be based on an LDAP query. The main benefit of using application groups is that there is no need to create new groups within Active Directory to support Enterprise Vault.

Enterprise Vault auditing does not log changes to role membership within Authorization Manager. If you require auditing of changes within Authorization Manager, assign Enterprise Vault roles to Windows security groups and enable Windows auditing of changes to those groups.

Note:

The predefined Placeholder Application role does not allow access to the Administration Console.

Table: Administration Console features and actions shows the Administration Console features and actions that are available to the supplied administrator roles.

Table: Administration Console features and actions

Role

Administration Console containers available

Administration Console actions available

Messaging Admin

  • Targets: Exchange; Domino

  • Policies: Exchange; Domino Journaling; Retention Categories

  • Services: Task Controller

  • Tasks: Mailbox Archiving; Public Folder; Exchange Journaling; Exchange Provisioning; Domino Mailbox Archiving; Domino Journaling; Domino Provisioning

  • Archives: Journal; Mailbox; Public Folder; Shared

  • Enable Mailbox

  • Disable Mailbox

  • Site Property tabs: General; Archiving Settings; Site Schedule

  • Import NSF

  • Advanced Features

  • Exchange Message Classes

  • Domino forms

Domino Admin

  • Targets: Domino

  • Policies: Domino; Retention Categories

  • Services: Task Controller

  • Tasks: Domino Mailbox Archiving; Domino Journaling; Domino Provisioning

  • Archives: Domino Mailbox; Domino Journal

  • Enable Mailbox

  • Disable Mailbox

  • Site Property tabs: General; Archiving Settings; Site Schedule

  • Advanced Features

  • Domino forms

Exchange Admin

  • Targets: Exchange

  • Policies: Exchange; Retention Categories

  • Services: Task Controller

  • Tasks: Mailbox Archiving; Public Folder; Exchange Journaling; Exchange Provisioning

  • Archives: Exchange Journal; Exchange Mailbox; Public Folder; Shared

  • Enable Mailbox

  • Disable Mailbox

  • Site Property tabs: General; Archiving Settings; Site Schedule

  • Advanced Features

  • Exchange Message Classes

PST Admin

  • Policies: PST Migration; Retention Categories

  • Services: Task Controller

  • Tasks: Mailbox Archiving; PST Locator; PST Collector; PST Migrator

  • Personal Store Management: All functions

  • Site Property tabs: General; Site Schedule

  • Import Archive

  • Export Archive

  • Advanced Features

NSF Admin

  • Policies: Domino Mailbox; Domino Desktop; Retention Categories

  • Archives: Import NSF

  • Import NSF

  • Domino forms

File Server Admin

  • Targets: File Server

  • Policies: File Archiving; Retention Categories

  • Services: Task Controller

  • Tasks: File Server Archiving

  • Archives: File System; Shared

  • Site Property tabs: General; Archiving Settings; Site Schedule

  • Advanced Features

SharePoint Admin

  • Targets: SharePoint

  • Policies: SharePoint; Retention Categories

  • Services: Task Controller

  • Tasks: SharePoint

  • Archives: SharePoint; Shared

  • Enable Workspace

  • Disable Workspace

  • Site Property tabs: General; Archiving Settings; Site Schedule

  • Advanced Features

Storage Admin

  • Services: Storage; Indexing

  • Archives: All types of archive

  • Vault stores: All vault stores

  • Site Property tabs: General; Archiving Settings; Site Schedule; Storage Expiry

  • Import Archive

  • Export Archive

  • Advanced Features

Power Admin

  • Targets: All targets

  • Policies: All policies

  • Services: All services

  • Tasks: All tasks

  • Archives: All types of archive

  • Vault stores: All vault stores

  • Indexing: All Index Servers

  • Personal Store Management: All functions

  • Enable Mailbox

  • Disable Mailbox

  • Enable Workspace

  • Disable Workspace

  • Site Property tabs: All tabs

  • Import Archive

  • Export Archive

  • Import NSF

  • Advanced Features

  • Exchange Message Classes

  • Domino forms

See About administrator security

See Roles and Enterprise Vault Operations Manager

Legacy ID



v11738033_v34981136


Article URL http://www.symantec.com/docs/HOWTO37150


Terms of use for this information are found in Legal Notices

Please Sign In

Login using SymAccount.

Knowledge Base Search

Knowledge Base Search

Rate this Article

Help us improve your support experience.

MySymantec

MySymantec

Contacting Support

Contacting Support