Knowledge Base Article

Roles Based Administration with Enterprise Vault 8

 
I wanted to correlate all the various information about Roles Based Administration that is in the Admin Guide and technotes into an article that will make it easier for you to take advantage of this great feature.  I hope you find it useful.

With Enterprise Vault Roles Based Administration it is possible to:
  • Define which operations an administrator is entitled to perform
  • Define which EV objects an administrator has access to
  • Allow administrators to manage EV without having equivalent privileges to the Vault Service Account (VSA).
 
Additionally, the Vault Admin Console may be running remotely on a Windows XP desktop. The Windows Server 2003 Administration Tools Pack is required, which can be downloaded from Microsoft.
With this the Windows Server 2003 management tools (including Authorization Manager) can be installed on a machine running Windows XP Professional so it is not even necessary for the lower level Admin’s to log into the Enterprise Vault server.
 
 
 
In EV 8.0 there are nine pre-defined roles have been pre-built and available to choose from:
 
  1. File Server Administrator
  2. Messaging Administrator
  3. Power Administrator
  4. PST Administrator
  5. SharePoint Administrator
  6. Storage Administrator
  7. Exchange Administrator
  8. Domino Administrator
  9. NSF Administrator
 
These roles are customizable and new roles can be created. The existing roles are customizable, but it is not recommended to add individual operations to a role. The best practice is that you use tasks to create custom roles if needed. The tasks contain the correct combination of internal and external operations.  We will also talk later about creating groups and managing roles that way.
 
A Role is a set of permissions that an administrator must have to do a job. A well-designed role will correspond to a job category or responsibility (for example, ‘receptionist’, ‘hiring manager’ or ‘Messaging Administrator’) and be named accordingly. With Authorization Manager, you simply add users or groups to a role, to authorize them for the job.
 
A Task is a collection of operations, and sometimes other tasks. Tasks are a useful mechanism to simplify the grouping and assignment of operations to a role.
 
An Operation is a low-level permission that represents a privileged action or capability of an application like ‘‘Can manage Enterprise Vault tasks’.
 
Operations are used as building blocks for tasks and roles. They are usually meaningful only to the application developer and are used to secure particular parts of the product. Role access checks are based on operations.
Roles support inheritance from other roles. To define a role, you specify a name, a friendly description, and some lower-level tasks, roles, and operations that are part of it. This provides a mechanism for role inheritance. For example, a ‘Helpdesk’ role might include both a ‘Messaging Administrator’ role and a ‘File Server Administrator’ role.
Roles may be assigned to:
•           Windows Users and Groups
•           Application-specific groups
 
When assigning roles via groups it is a best practice to use Window Active Directory groups, as these have the added benefit of automatically auditing who has been given what level of access.
Only the VSA can create and assign roles in the EV Authorization Store. You can assign an AD group to each role and then you would not need to log in as VSA to manage roles as you could add/subtract users via AD. It is important to note the only the VSA can Update Service Locations, Run Configuration Wizard (Second server), Change Directory SQL Server, Change Service Account, or Change Vault Store SQL Server. For more information please refer to the tables in the Appendix.
 
  1. Right-click the Directory container and, on the shortcut menu, click Authorization Manager.
imagebrowser image


  1. In the Authorization Manager window, under Enterprise Vault, click Role Assignments.
  2. If role you want to use is not listed, right-click Role Assignments and, on the shortcut menu, click Assign Roles. The Add Role listing shows the roles you can select. Select the required role and click OK.
  3. Right-click the role to which you want assign users and, on the shortcut menu, click Assign Application Groups or Assign Windows Users and Groups.
  4. If chose Assign Application Groups, select the check boxes next to the users or groups you want to add to the role and then click OK.
  5. If you chose Assign Windows Users and Groups, the standard Windows Select Users, Computers or Groups dialog appears. Select the required users or groups and then click OK to close the dialog.
  6. In the Authorization Manager File menu, click Exit. There is a prompt, asking whether you want to save your changes. Click Yes.
The changes will take approximately one minute to be replicated to all Enterprise Vault servers. The Administration Console will show the changes the next time it is started.
 
For more information of assignment of Application Groups please visit Microsoft’s TechNet website under Authorization Manager Concepts, Using Authorization manager.
 
 
 
As mentioned earlier you can customize the default roles and even create new ones to meet your specific needs.
  1. Using Vault Service account, start the Administration Console.
  2. Right-click the Directory container and, on the shortcut menu, click Authorization Manager.
  3. In the Authorization Manager window, under Enterprise Vault, expand Definitions.
  4. Click Role Definitions.
  5. In the list of role definitions, double-click the name of the role you want to modify.
  6. In the role properties, click the Definition tab. The list shows the tasks and roles that comprise this role definition.
  7. To remove a task or role from the definition, click the task or role and then click Remove. The task is removed immediately. There is no confirmation prompt.
  8. To add a task or role to the definition:
    1. Click Add. The Add Definition window appears.
    2. To add a roles to the definition, select the check box next to each role you want to add.
    3. To add tasks to the definition, click the Task tab and then select the check box next to each task you want to add.
    4. To add operations, click the Operations tab and then select the check box next to each operation you want to add.
    6. Note   It is not advisable to add individual operations to a role. We recommend that you use tasks to create custom roles. The tasks contain the correct combination of internal and external operations.
    8. Click OK to close the Add Definition window.
  1. Click OK to close the definition properties window.
  2. On the File menu, click Exit. There is a prompt, asking whether you want to save your changes. Click Yes.
 
You can create new roles, adding other roles, tasks, and operations, as required. You can create roles from a combination of existing roles and tasks.
 Note   It is not advisable to add individual operations to a role. We recommend that you use tasks to create custom roles. The tasks contain the correct combination of internal and external operations. Adding unnecessary internal operations to a role reduces the security of that role.
To create a new role
  1. Using Vault Service account, start the Administration Console.
  2. Right-click the Directory container and, on the shortcut menu, click Authorization Manager.
  3. In the Authorization Manager window, under Enterprise Vault, expand Definitions.
  4. Right-click Role Definitions and, on the shortcut menu, click New Role Definition.
  5. In the Role Definition window, enter a Name and Description for the new role.
  6. Click Add to add roles, tasks, or operations to the role that you are creating.
As mentioned above, the changes will take approximately one minute to be replicated to all Enterprise Vault servers. The Administration Console will show the changes the next time it is started.
Note   The Administration Console will not show the changes until it has been restarted. However, the changes will have been replicated to Enterprise Vault servers. This may result in that person receiving unexpected error messages.
 
 
To view your current role
If you need to find out what your current role is, and which tasks you can perform, you can list the role entitlements.
  1. In the Administration Console, right-click the Directory container and, on the shortcut menu, click Show Roles.
  2. If you want to keep a copy of the list, click Copy to clipboard. You can then paste the text into a document or mail message as required.
  3. Click OK.
Resetting all roles and assignments
In the event that your roles and customizations become confusing or you inherit an EV system from an admin that is no longer accessible it is possible for you to use a registry value to reset all the roles and role assignments so that they are the same as they were when installed.
To do so, change the following registry value:
HKEY_LOCAL_MACHINE\SOFTWARE\KVS\Enterprise Vault\Admin\ResetAuthorizationStore
This is a String value - Set to “1”
Enables the “Reset Authorization Store” command on the Directory container in the VAC
 imagebrowser image
 
As previously outlined the following sections show the functionality available to Administrators in each of the pre-defined roles. The specific roles will only see their applicable options in the Vault Admin Console. Note that administrator roles are also required for access to Enterprise Vault Operations Manager and Enterprise Vault Reporting.
 
For demonstrative purposes I have included screenshots for Messaging Administrator and File Server Administrator.
A Messaging Administrator is responsible for the day-to-day administration of Exchange and Lotus Domino archiving. They do not have access to other parts of the product, such as File Server archiving and SharePoint archiving:
 
imagebrowser image 
Messaging Administrator view of the VAC
A File Server Administrator is responsible for the day-to-day administration of only File Server archiving. They do not have access to other parts of the product, such as Exchange archiving and SharePoint archiving:
imagebrowser image
File Server Administrator view of the VAC
 
Note that there is no Personal Store Management available and the Enable/Disable mailbox buttons are disabled.
Responsible for the day-to-day administration of Lotus Domino archiving, including NSF migration. This administrator does not have access to other parts of the product, such as File Server archiving or SharePoint archiving.
In Enterprise Vault Operations Manager, can view Domino information and parameters.
 
NSF Administrator
Has a view of the Administration Console that concentrates on those components that are required to manage NSF files.
In Enterprise Vault Operations Manager, can view Domino information and parameters.
 
Exchange Administrator
Responsible for the day-to-day administration of Exchange Server archiving. This administrator does not have access to other parts of the product, such as File Server archiving or SharePoint archiving.
In Enterprise Vault Operations Manager, can view Exchange Server information and parameters.
PST Administrator
PST Administrator has limited view of the VAC concentrating on those components required to manage personal stores:
The SharePoint Administrator has limited view of the VAC concentrating on those components required to manage SharePoint archiving:
Storage Administrator
The Storage Administrator has a VAC display that concentrates mainly on those components needed to keep storage running properly. There is no access to archiving policy settings for the various targets:
The Power Administrator has only slightly less permission than the VSA and can access all areas of the VAC. It is a best practice to only grant this role to those Administrators that are fully trained and responsible for over seeing EV. Power Administrators cannot perform tasks such as Configuration, USL or create an Auditing database:
 
Admin Permissions Property Page
Each of the Enterprise Vault objects listed above will carry an ‘Admin Permissions’ property page. This can be used to grant users and groups administration access to this object:

imagebrowser image
 
 
In this example, the group ‘Domain Admins’ is explicitly granted administration permissions on Exchange Server K2K3. Similarly, a user or group can be explicitly prevented from managing an object by setting the ‘Deny’ flag in the security descriptor for that object. Above you see both users and groups in the permissions section, as a best practice it would be best to use only groups, that way you can just modify the group in AD and not have to continually update the property pages whenever a change is necessary. This will also keep orphaned entries from being present in the event a user leaves and their account is disabled.
 
 
Important Note: Until a security descriptor is set on an EV managed object, every administrator in an appropriate role will be able to access that object. Once a security descriptor has been explicitly created for that object, only those users and groups in the access control list of that security descriptor will be granted and denied access. To return to the situation where ‘everyone’ has access, all the subscribers must be removed from the access control list.
 
 
Roles and Enterprise Vault Operations Manager
Any user other than the Vault Service account must be assigned to a suitable administrator role to access the Enterprise Vault Operations Manager Web application. Users can view only the tabs and tables in Operations Manager that is applicable to the role to which they are assigned. The tabs and tables that are available for a role are consistent with the containers that are available to that role in the Administration Console. The Power Administrator role is able to see all the tabs and tables in Operations Manager.
 
Roles and Enterprise Vault Reporting
Any user other than the Vault Service account must be assigned to a suitable administrator role to access Enterprise Vault Reporting's reports.
 
The following roles do not have access to any reports:
SharePoint Administrator
NSF Administrator
PST Administrator
 
 
 
Creating a Custom Role
Here is an example of how to create a custom role that enables a Helpdesk user to Enable and Disable mailboxes only. The steps are also available here:
 
 
1. Open the Authorization Manager from the Vault Administration console logged in as the Vault Service Account (VSA). Right-click on the Directory and click 'Authorization Manager'. (Figure 1)

imagebrowser image
Figure 1
 
 
2. Select 'Enterprise Vault', 'Definition' and 'Role Definition' and right-click on 'Role Definition' --> 'New Role Definition'. (Figure 2)
imagebrowser image
Figure 2
 
 
3. Name the new role as 'Enable-Disable Only' and put a description to it. (Figure 3)
imagebrowser image
Figure 3
 
 
4. Click the Add button, and select the Operations tab, select the operation definitions and click 'OK' twice. (Figure 4)
 
    * {DIR} Can administer Enterprise Vault
    * Can enable and disable Exchange mailboxes
    * Can manage Enterprise Vault Exchange Mailbox tasks
 
imagebrowser image

imagebrowser image

imagebrowser image
Figure 4
 
5. Enable the new defined role in the 'Role Assignments'. (Figure 5)
a. Right-click on the Role Assignments
b. Assign roles...
c. Check the 'Enable-Disable Only' definition and click OK.
 
Note: This will add the definition in the Role Assignments

imagebrowser image
Figure 5
 
 
6. Add the desired Windows User or Group to the newly created role. (Figure 6)
a. Right-click on the 'Enable-Disable Only' (Enterprise Vault, Role Assignments) group and select 'Assign Windows users and groups'
b. Add the desired user or group and click OK. I would recommend creating an AD group as mentioned above. Therefore when you need to add people to the role you can just add them to the AD Group.

imagebrowser image
Figure 6
 
 
7. Close the 'Authorization Manager' answering yes to the question 'Do you want to save the Authorization Store to the directory database?'
 
8. Test the new user by using the 'run as...' function on the EV Administration Console.
 
 
 
Container
Messaging Admin
Domino Admin
Exchange Admin
PST Admin
NSF Admin
File Server Admin
SharePoint Admin
Storage Admin
Power Admin
 
Targets
Exchange
Domino
Domino
Exchange
None
None
File Server
SharePoint
None
All targets
 
Policies
Exchange
Domino Journaling
Retention Categories
Domino
Retention Categories
Exchange
Retention Categories
PST Migration
Retention Categories
Domino Mailbox
Domino Desktop
Retention Categories
File Archiving
Retention Categories
SharePoint
Retention Categories
None
All policies
 
Services
Task Controller
Task Controller
Task Controller
Task Controller
None
Task Controller
Task Controller
Storage
All services
 
Tasks
Mailbox Archiving
Public Folder
Exchange Journaling
Exchange Provision-ing
Domino Journaling
Domino Mailbox Archiving
Domino Journaling
Mailbox Archiving
Public Folder
Exchange Journaling
Exchange Provision-ing
Mailbox Archiving
PST Locator
PST Collector
PST Migrator
None
File Server Archiving
SharePoint
None
All tasks
 
Archives
Journal
Mailbox
Public Folder
Shared
Domino Mailbox
Domino Journal
Exchange Journal
Exchange Mailbox
Public Folder
Shared
None
Import NSF
File System
Shared
Shared
SharePoint
All types of archive
All types of archive
 
Vault Stores
None
None
None
None
None
None
None
All vault stores
All vault stores
 
Personal Store Manage-ment
None
None
None
None
None
None
None
None
All functions
 
Table: Administration Console commands available to the default roles
 
Container
Messaging Admin
Domino Admin
Exchange Admin
PST Admin
NSF Admin
File Server Admin
SharePoint Admin
Storage Admin
Power Admin
 
Enable Mailbox
Available
Available
Available
Not available
Not available
Not available
Not available
Not available
Available
 
Disable Mailbox
Available
Available
Available
Not available
Not available
Not available
Not available
Not available
Available
 
Enable Workspace
Not available
Not available
Not available
Not available
Not available
Not available
Available
Not available
Available
 
Disable Workspace
Not available
Not available
Not available
Not available
Not available
Not available
Available
Not available
Available
 
New Vault Store
Not available
Not available
Not available
Not available
Not available
Not available
Not available
Available
Available
 
Site Property Pages
General
Archiving Settings
Site Schedule
General
Archiving Settings
Site Schedule
General
Archiving Settings
Site Schedule
General
Site Schedule
Not available
General
Archiving Settings
Site Schedule
General
Archiving Settings
Site Schedule
General
Archiving Settings
Site Schedule
Storage Expiry
All pages
 
Import Archive
Not available
Not available
Not available
Available
Not available
Not available
Not available
Available
Available
 
Export Archive
Not available
Not available
Not available
Available
Not available
Not available
Not available
Available
Available
 
Import NSF
Available
Available
Not available
Not available
Available
Not available
Not available
Not available
Available
 
Update Service Locations
Not available
Not available
Not available
Not available
Not available
Not available
Not available
Not available
Not available
 
Run Config-uration Wizard (Second server)
Not available
Not available
Not available
Not available
Not available
Not available
Not available
Not available
Not available
 
Change Directory SQL Server
Not available
Not available
Not available
Not available
Not available
Not available
Not available
Not available
Not available
 
Change Service Account
Not available
Not available
Not available
Not available
Not available
Not available
Not available
Not available
Not available
 
Change Vault Store SQL Server
Not available
Not available
Not available
Not available
Not available
Not available
Not available
Not available
Not available
 
Advanced Features
Available
Available
Available
Available
Not available
Available
Available
Available
Available
 
Exchange Message Classes
Available
Not available
Available
Not available
Not available
Not available
Not available
Not available
Available
 
Domino forms
Available
Available
Not available
Not available
Available
Not available
Not available
Not available
Available
 
 
Published 16 years ago
Version 1.0
Best Practice
Configuring
Enterprise Vault
Information Governance
Tip-How to

Was this article helpful?