How to block admins from other sites?

Aaron_Cuoio
Level 3
We are beginning to implement the Vault with multiple sites. Each agency at the State of Washington is being placed within their own site. We want to limit who has access to the sites. For example, the administrator from agency XYZ cannot see or interact with the site for agency ABC.
 
Is there any way to assign permissions or configure the administrator's console to limit what a person has access to or can see at the Site level?
 
Thanks,
Aaron
9 REPLIES 9

sleddog
Level 5
Partner
Just to make sure I understand, you have multiple sites that correspond to directory databases. If this is the case, there should be a VSA for each site that does not have access to any other site.

Aaron_Cuoio
Level 3
I'll try to explain it better. We have multiple sites within the same Org. I create a service account for myself in the domain, and then inside the RBAC, I assign that account the Messaging Administrator role and set of permissions.
 
From my client workstation, I log onto the Admin Console. From this point, I can see every site and can monkey around in each site. What I need to be able to do is grant my service account permissions in only one site. As it stands now, that account has access to everything within the Org. because I can't find a way to assign individual accounts to sites. Meaning, permissions for Admin Console are assigned at the Root level, not the Site level.
 
I need to work this like I would in an Exchange org where I can delegate rights at the OU level, not the Root level.
 
[edit] The only other way I've seen permissions that can be directly assigned within the Console is directly to the Exchange server under Targets. At this time, we don't have any Exchange servers in the system. These will come next week. There is the possibility that I can assign the Messaging Administrator permissions directly to that Exchange server and then permissions will build upwards. Long shot though.


Message Edited by Aaron Cuoio on 04-11-2008 10:14 AM

sleddog
Level 5
Partner
 
 
You can also go to EV server(s) in the admin console and grant or deny access at that level. Will that help you?

Aaron_Cuoio
Level 3
I don't think I'm seeing what you are seeing.
 
This is the tree:
 
Directory on "XXXX"
-DISEVSITE
---Targets
---Policies
---Enterprise Vault Servers
-------DISEV01(waxapolyevdis01) <---vault server
---Archives
 
If I right-click on DISEV01, I don't have any security options. Can you lay out some mouseclicks for me to follow?
 
Thanks for the help.

sleddog
Level 5
Partner
If you right-click on the EV server and go to properties, you should see an admin permissions tab. (EV 2007 SP2)

Aaron_Cuoio
Level 3
Ah, wasn't logged in as the vault admin at the time. I'm on hold with Business Critical. We'll work through this tip. Thanks!

Aaron_Cuoio
Level 3
Okay, apparently this isn't possible per the 3 advanced engineers that helped me. I can block access to the Vault servers, which is definitely one step closer. But an admin in one site can still change policies, affect archives, add/delete users, etc. in a different site.
 
Major bummer. Thanks for the help bud.

Michael_Bilsbor
Level 6
Accredited
Hi,
 
So if you don't want other admins making changes to your site, why have you got 1 directory database and multiple sites rather than just separate systems entirely?

Aaron_Cuoio
Level 3
This is how Symantec designed the system for us. I don't know enough to answer your question, but I can pose your suggestion to the designing engineer and our onsite consultant.