Roles-based administration

Article:HOWTO56620  |  Created: 2011-08-01  |  Updated: 2013-07-12  |  Article URL http://www.symantec.com/docs/HOWTO56620
Article Type: How To



Use Windows Authorization Manager to configure roles for Enterprise Vault roles-based administration. All such configuration is performed using the Vault Service account.

See Installing and Configuring for details of the prerequisite software that is needed to run Authorization Manager.

For an introduction to using Authorization Manager, see the following article:

http://msdn.microsoft.com/en-us/library/bb897401.aspx

Within Authorization Manager, roles are built up using operations and tasks, as follows:

  • An operation is a low-level permission that represents a privileged action or capability. When the Administration Console determines whether a role has access to perform a task, it is the operations associated with the role that are checked.

    Operations with names prefixed by "{STO}" or "{DIR}" are internal operations that do not affect the Administration Console display. Other, external operations control the view of the Administration Console that an administrator sees.

  • A task is a group of operations that collectively provide sufficient permissions to do a particular job.

A role is a collection of tasks and, possibly, operations and other roles.
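The following added example (not Symantec's code) flattens a role into the set of operations that an access check evaluates, separates the internal "{STO}"/"{DIR}" operations from the ones that shape the console view, and diffs two roles for a least-privilege review. The dictionary layout and every role, task and operation name in it are hypothetical; only the two prefixes come from this article.

```python
# Constructed Authorization Manager-style definitions. All role, task and
# operation names are hypothetical, not Enterprise Vault's real ones.
TASKS = {
    "Manage Exchange Targets": {"View Exchange Targets", "{DIR}UpdateTarget"},
    "Manage Retention": {"View Retention Categories", "{DIR}UpdateRetention"},
    "Manage Vault Stores": {"View Vault Stores", "{STO}UpdatePartition"},
}
ROLES = {
    "Custom Exchange Admin": {
        "tasks": ["Manage Exchange Targets", "Manage Retention"],
        "operations": [], "roles": []},
    "Custom Storage Admin": {
        "tasks": ["Manage Vault Stores"],
        "operations": ["View Archives"], "roles": []},
    "Custom Power Admin": {
        "tasks": [], "operations": [],
        "roles": ["Custom Exchange Admin", "Custom Storage Admin"]},
}

INTERNAL_PREFIXES = ("{STO}", "{DIR}")  # internal operations, per the article


def effective_operations(role, roles=ROLES, tasks=TASKS, _seen=None):
    """Flatten a role into the operations its tasks and nested roles grant."""
    seen = set() if _seen is None else _seen
    if role in seen:  # guard against roles that include each other
        return set()
    seen.add(role)
    definition = roles[role]
    ops = set(definition["operations"])
    for task in definition["tasks"]:
        ops |= tasks[task]
    for child in definition["roles"]:
        ops |= effective_operations(child, roles, tasks, seen)
    return ops


def split_operations(ops):
    """Separate internal ({STO}/{DIR}) operations from console-view ones."""
    internal = {o for o in ops if o.startswith(INTERNAL_PREFIXES)}
    return internal, ops - internal


def excess_operations(role, baseline):
    """Operations that `role` holds and `baseline` does not."""
    return effective_operations(role) - effective_operations(baseline)
```
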

Enterprise Vault supplies the following predefined administrator roles:

Messaging Administrator

Responsible for the day-to-day administration of Exchange Server and Lotus Domino archiving. This administrator does not have access to other parts of the product, such as File System Archiving or SharePoint archiving.

Domino Administrator

Responsible for the day-to-day administration of Lotus Domino archiving, including NSF migration. This administrator does not have access to other parts of the product, such as File System Archiving or SharePoint archiving.

In Enterprise Vault Operations Manager, can view Domino information and parameters.

Exchange Administrator

Responsible for the day-to-day administration of Exchange Server archiving. This administrator does not have access to other parts of the product, such as File System Archiving or SharePoint archiving.

In Enterprise Vault Operations Manager, can view Exchange Server information and parameters.

File Server Administrator

Responsible for the day-to-day administration of File System Archiving. This administrator does not have access to other parts of the product, such as Exchange Server archiving or SharePoint archiving.

PST Administrator

Has a view of the Administration Console interface that concentrates on those components that are required to manage personal stores.

In Enterprise Vault Operations Manager, can view Exchange Server information and parameters.

NSF Administrator

Has a view of the Administration Console interface that concentrates on those components that are required to manage NSF files.

In Enterprise Vault Operations Manager, can view Domino information and parameters.

SharePoint Administrator

Has a view of the Administration Console interface that concentrates on those components that are required to manage SharePoint archiving.

Storage Administrator

Has a view of the Administration Console interface that concentrates mainly on those components that are required to keep storage running properly. This administrator does not have access to archiving policy settings for the various targets.

Indexing Administrator

Has a view of the Administration Console interface that concentrates mainly on those components that are required to keep indexing running properly. This administrator does not have access to archiving policy settings for the various targets.

Power Administrator

Can perform all the tasks in the other predefined administrator roles.

Cannot perform reconfiguration tasks such as changing the Vault Service account or Directory SQL server.

Extension Content Provider Administrator

Has a view of the Administration Console interface that concentrates on those components that are required for the day-to-day administration of extension content providers. This administrator does not have access to other parts of the product, such as File System Archiving or SharePoint archiving.

Enterprise Vault provides one predefined task role:

Task Applications

This role provides access to archives to allow an account other than the Vault Service account to run Exchange Server tasks. Enterprise Vault grants this role automatically when you configure an Exchange Server task to run under an account other than the Vault Service account.

Enterprise Vault provides the following predefined application roles:

Placeholder Application

Able to run the FSAUndelete utility. This role enables the undeletion of items from archives.

Monitoring Application

Able to query the state of Enterprise Vault tasks.

Extension Content Provider Application

This role allows a third party application to act as an extension content provider. The role allows the application to create, delete, read, and update extension content provider entries and to store items into any archive.

In Enterprise Vault Operations Manager, can view all information and parameters.

This role does not enable full update access to all extension content provider properties. For example, an extension content provider application cannot enable or disable itself and cannot modify or override its own schedule.

This role does not allow access to the Administration Console. The role is intended for an extension content provider application, not for an administrator.

You can use the predefined roles as supplied, customize them, or create new roles, as required.

By assigning roles you can adjust the permissions of individual administrators to match their job responsibilities. The mechanism is flexible enough for you to be able to modify an individual's role to cope with any change in responsibility.

You can assign roles to the following:

  • Windows Users and Groups.

  • The results of an LDAP query.

  • Application-specific groups. These are specific to Authorization Manager and can contain a mixture of users and groups. They can also be based on an LDAP query. The main benefit of using application groups is that there is no need to create new groups within Active Directory to support Enterprise Vault.

Enterprise Vault auditing does not log changes to role membership within Authorization Manager. If you require auditing of changes within Authorization Manager, assign Enterprise Vault roles to Windows security groups and enable Windows auditing of changes to those groups.
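Once roles are assigned to Windows security groups and group auditing is enabled, role changes appear in the Security log as group membership events. The following added example (not Symantec's code) filters exported event XML for those events on role-bearing groups; the group names, the group-to-role mapping and the sample records are constructed assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Windows Security event IDs for security-group membership changes
# (global, local and universal groups respectively).
CHANGE_IDS = {"4728": "added", "4732": "added", "4756": "added",
              "4729": "removed", "4733": "removed", "4757": "removed"}

# Assumption: the security group each Enterprise Vault role is assigned to.
# Group names are hypothetical; role names are the article's.
ROLE_GROUPS = {"EV-PowerAdmins": "Power Administrator",
               "EV-StorageAdmins": "Storage Administrator"}


def make_event(event_id, group, member, actor, when):
    """Build one constructed sample record in the Windows event XML schema."""
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'<TimeCreated SystemTime="{when}"/></System><EventData>'
            f'<Data Name="MemberName">{member}</Data>'
            f'<Data Name="TargetUserName">{group}</Data>'
            f'<Data Name="SubjectUserName">{actor}</Data>'
            f'</EventData></Event>')


# Constructed sample log: two role-group membership changes, one unrelated
# group, and one group-attribute change (4737) that is not a membership event.
SAMPLE_LOG = "<Events>" + "".join([
    make_event(4728, "EV-PowerAdmins", "CN=jdoe,DC=example,DC=com",
               "svc-helpdesk", "2013-07-12T09:15:02Z"),
    make_event(4732, "Print Operators", "CN=asmith,DC=example,DC=com",
               "admin1", "2013-07-12T09:20:44Z"),
    make_event(4757, "ev-storageadmins", "CN=blee,DC=example,DC=com",
               "admin1", "2013-07-12T10:01:10Z"),
    make_event(4737, "EV-PowerAdmins", "-", "admin1", "2013-07-12T10:05:00Z"),
]) + "</Events>"


def role_membership_changes(xml_text, role_groups=ROLE_GROUPS):
    """Return membership changes to groups that carry Enterprise Vault roles."""
    by_group = {g.lower(): r for g, r in role_groups.items()}  # case-insensitive
    findings = []
    for ev in ET.fromstring(xml_text).iterfind("e:Event", NS):
        action = CHANGE_IDS.get(ev.findtext("e:System/e:EventID", namespaces=NS))
        data = {d.get("Name"): d.text for d in ev.iterfind("e:EventData/e:Data", NS)}
        role = by_group.get((data.get("TargetUserName") or "").lower())
        if action and role:
            when = ev.find("e:System/e:TimeCreated", NS).get("SystemTime")
            findings.append({"time": when, "role": role, "action": action,
                             "member": data.get("MemberName"),
                             "changed_by": data.get("SubjectUserName")})
    return findings
```
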

Note:

The predefined Placeholder Application role does not allow access to the Administration Console.

The table "Administration Console features and actions" shows the Administration Console features and actions that are available to the supplied administrator roles.

Table: Administration Console features and actions

Role | Administration Console containers available | Administration Console actions available

Messaging Admin

  • Targets: Exchange; Domino

  • Policies: Exchange; Domino Journaling; Retention Categories

  • Services: Task Controller

  • Tasks: Mailbox Archiving; Public Folder; Exchange Journaling; Exchange Provisioning; Domino Mailbox Archiving; Domino Journaling; Domino Provisioning

  • Archives: Journal; Mailbox; Public Folder; Shared

  • Enable Mailbox

  • Disable Mailbox

  • Site Property tabs: General; Archiving Settings; Site Schedule

  • Import NSF

  • Advanced Features

  • Exchange Message Classes

  • Domino forms

Domino Admin

  • Targets: Domino

  • Policies: Domino; Retention Categories

  • Services: Task Controller

  • Tasks: Domino Mailbox Archiving; Domino Journaling; Domino Provisioning

  • Archives: Domino Mailbox; Domino Journal

  • Enable Mailbox

  • Disable Mailbox

  • Site Property tabs: General; Archiving Settings; Site Schedule

  • Advanced Features

  • Domino forms

Exchange Admin

  • Targets: Exchange

  • Policies: Exchange; Retention Categories

  • Services: Task Controller

  • Tasks: Mailbox Archiving; Public Folder; Exchange Journaling; Exchange Provisioning

  • Archives: Exchange Journal; Exchange Mailbox; Public Folder; Shared

  • Enable Mailbox

  • Disable Mailbox

  • Site Property tabs: General; Archiving Settings; Site Schedule

  • Advanced Features

  • Exchange Message Classes

PST Admin

  • Policies: PST Migration; Retention Categories

  • Services: Task Controller

  • Tasks: Mailbox Archiving; PST Locator; PST Collector; PST Migrator

  • Personal Store Management: All functions

  • Site Property tabs: General; Site Schedule

  • Import Archive

  • Export Archive

  • Advanced Features

NSF Admin

  • Policies: Domino Mailbox; Domino Desktop; Retention Categories

  • Archives: Import NSF

  • Import NSF

  • Domino forms

File Server Admin

  • Targets: File Server

  • Policies: File Archiving; Retention Categories

  • Services: Task Controller

  • Tasks: File Server Archiving

  • Archives: File System; Shared

  • Site Property tabs: General; Archiving Settings; Site Schedule

  • Advanced Features

SharePoint Admin

  • Targets: SharePoint

  • Policies: SharePoint; Retention Categories

  • Services: Task Controller

  • Tasks: SharePoint

  • Archives: SharePoint; Shared

  • Enable Workspace

  • Disable Workspace

  • Site Property tabs: General; Archiving Settings; Site Schedule

  • Advanced Features

Storage Admin

  • Tasks: Indexing

  • Services: Storage; Indexing; Task Controller

  • Archives: All types of archive

  • Vault stores: All vault stores

  • Indexing: All Index servers and Index Server groups

  • Site Property tabs: General; Archiving Settings; Site Schedule; Storage Expiry

  • Import Archive

  • Export Archive

  • Advanced Features

Indexing Admin

  • Services: Indexing; Task Controller; Storage

  • Tasks: Indexing

  • Archives: All types of archive

  • Indexing: All Index Servers

  • Site Property tabs: Indexing; Advanced

  • Advanced Features

  • Manage indexes

Power Admin

  • Targets: All targets

  • Policies: All policies

  • Services: All services

  • Tasks: All tasks

  • Archives: All types of archive

  • Vault stores: All vault stores

  • Indexing: All Index Servers and Index Server groups

  • Personal Store Management: All functions

  • Enable Mailbox

  • Disable Mailbox

  • Enable Workspace

  • Disable Workspace

  • Site Property tabs: All tabs

  • Manage Indexes

  • Import Archive

  • Export Archive

  • Import NSF

  • Advanced Features

  • Exchange Message Classes

  • Domino forms

Extension Content Provider Admin

  • Extensions: All extensions operations except for creation.

  • Archives: Shared archives and custom archives

  • Policies: Retention Categories

  • In Site properties: Site Schedule

  • Manage Extension Content Providers

  • Manage Shared Archives

See About administrator security

See Roles and Enterprise Vault Operations Manager

