Upgrade with Power Administrator Role

vaultlearner
Level 4
Partner Accredited

Hello,

As I read in the Enterprise Vault upgrade articles, we need to use VSA accounts for upgrade purposes. I couldn't find any information about a Power Administrator being able to do it. So it is clear we need to do it with the VSA account. Just to be clear, I need to ask.

I am asking this because my customer wants to use the Power Admin role for administration of Enterprise Vault. They are going to change the password of the VSA and put it into a safe deposit.

 

Thanks

Vaultlearner.

1 ACCEPTED SOLUTION

Accepted Solutions

GertjanA
Moderator
Partner    VIP    Accredited Certified

Hello, apologies for the confusion.

The article I linked to is defining how to limit permissions for the Vault Service Account in SQL, and on the EV SQL databases. If you follow this, daily operation will still be working as normal, only when you perform an upgrade you will need to change the role.

An upgrade can only be performed while being logged in with the Vault Service Account. There is no way to assign permissions to an account which then has equal permissions as the VSA does. One of the things which is required (for instance) is adding the account again to the EV services, setting proper permissions for DCOM, and in and on IIS (as example). There is no other option.

EV roles are different from AD roles. They only live in EV, and are not added to AD. The EV roles are described in the EV Admin guide. Pre EV12, you can right-click the Directory in the EV Console, select Authorization Manager, then see the roles and who has them (and add/delete accounts to the roles, of course). EV12 requires you to assign EV roles using the EV PowerShell.

As an example, if you add an AD group (EVadmins) to the EV Power Administrator group, anyone in that AD group can open the EV Console and perform actions. Anyone NOT in that AD group, but with permission to log on to the EV server, CANNOT open the EV Console (a 'not authorized' message will be shown). Such a user can probably do some damage (i.e. stop services, delete files), but that is out of EV hands.

As for DA/CA, changing the password on the service is sufficient. No need to open the admin page to do something.

Better?

GJ

Regards. Gertjan


5 REPLIES 5

GertjanA
Moderator
Partner    VIP    Accredited Certified

Hello,

The upgrade indeed needs to be done using the VSA.

Make sure that if the password is changed, you also change it following the proper procedure for EV. (I assume you know, but: log in with the VSA account, open the EV Console, right-click "Directory on <name>", Properties, System Account tab, change password, Apply, OK, restart EV services on all EV servers.) Don't forget to change the password on the DA/CA service if you have that.

Administering EV using the PA role is indeed a way to prevent usage of the VSA. You might even want to look at the more specific roles (like Exchange Admin), to narrow it down even further. See THIS document for information/configuring. Do take note that an upgrade will then require temporarily changing the roles.

GJ

Regards. Gertjan
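
To go with the password-change procedure in the reply above, here is a check for services that still log on as the VSA on each EV or DA/CA server. This is an added example, not part of the original thread or of Enterprise Vault; the server names and account name are placeholders, and it uses only standard Windows PowerShell CIM cmdlets, not EV cmdlets.

```powershell
# Added example: list Windows services that log on as the Vault Service Account
# on each EV / DA / CA server, so none is missed after a VSA password change.
# Server names and the account name below are placeholders (assumptions).
$VsaAccount = 'LAB\labvaultadmin'
$Servers    = @('EVSERVER01', 'DASERVER01')

function Get-VsaService {
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,
        [Parameter(Mandatory)] [string]   $Account
    )
    foreach ($computer in $ComputerName) {
        try {
            # Win32_Service.StartName holds the logon account of each service.
            Get-CimInstance -ClassName Win32_Service -ComputerName $computer -ErrorAction Stop |
                Where-Object { $_.StartName -eq $Account } |
                Select-Object @{n='Server'; e={$computer}},
                              Name, DisplayName, StartMode, State, StartName
        } catch {
            Write-Warning "Could not query ${computer}: $($_.Exception.Message)"
        }
    }
}

$found = Get-VsaService -ComputerName $Servers -Account $VsaAccount
$found | Sort-Object Server, Name | Format-Table -AutoSize

# After the service restart, an automatic-start service that is not running is
# the first place to look for a stored logon password that was not updated.
$found | Where-Object { $_.StartMode -eq 'Auto' -and $_.State -ne 'Running' }
```

Running it before and after the rotation also gives a record of every place the VSA credential is stored as a service logon.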

vaultlearner
Level 4
Partner Accredited

Hello Gertjan

Thank you for the reply.

I am a little bit confused about the article that you linked. So the article is about, when we do a fresh install of EV with the VSA (let's say: lab\labvaultadmin), you can revoke some roles from Labvaultadmin, and when the time comes for the upgrade, assign the roles back to Labvaultadmin. (I edited the post for this question; I read the article again after coffee. As I understand it, I can both revoke and assign roles for the VSA or a privileged account for normal operations and elevated privileges.)

Actually I am looking for a way to give all permissions to the Power Administrator role, or from Active Directory (for example: Lab\VaultPowerAdmins, which I assume is assigned the Power Administrator role from EV), to be able to upgrade. Is this possible?

Last question: after changing the password of the VSA, for DA/CA I basically need to change the service password from Windows\Services, right? No further configuration needed from the DaAdmin page?

 

Thanks

Can

 

 

 


vaultlearner
Level 4
Partner Accredited

Hello GertjanA,

 

Thank you for the full explanation. Apologies from my side for causing a lot of work.

 

Thanks again

Vaultlearner

GertjanA
Moderator
Partner    VIP    Accredited Certified

No problem, trust me. I'm here to help (if I can).

Regards. Gertjan