Upgrade with Power Administrator Role
Hello,
As I read at the Enterprise Vault Upgrade articles we need to use VSA accounts for upgrade purposes. I couldn't find any information about Power Administrator able to do it. So it is clear we need to do it with VSA account. Just to be clearfly I need to ask.
I am asking this because my customer wants to use Power Admin role for administration of Enterprise Vault. They are going to change password of VSA an put it into safe-deposit.
Thanks
Vaultlearner.
Hello, apologies for the confusion.
The article I linked to is defining how to limit permissions for the Vault Service Account in SQL, and on the EV SQL databases. If you follow this, daily operation will still be working as normal, only when you perform an upgrade you will need to change the role.
An upgrade can only be performed while being logged in with the Vault Service Account. There is no way to assign permissions to an account which then has equal permissions as the VSA does. One of the things which is required (for instance) is adding the account again to the EV services, setting proper permissions for DCOM, and in and on IIS (as example). There is no other option.
EV roles are different from AD roles. They only live in EV, and are not added to AD. The EV roles are described in the EV Admin guide. Pre EV12, you can rightclick the Directory in the EV Console, select authorization Manager, then see the roles and who has them (and add/delete accounts to the roles ofcourse). EV12 requires you to assign EV roles using the EV Powershell.
As example, if you add an AD group (EVadmins) to the EV Power Administrator group, anyone in that AD group can open the EV Console and perform actions. Anyone NOT in that AD group, but with permission to logon to the EV server CANNOT open the EV Console. (a 'not authorized' message will be shown). Such a user can probably do some damage (i.e. stop services, delete files), but that is out of EV hands.
As for DA/CA, changing the password on the service is sufficient. No need to open the admin page to do something.
Better?
GJ