
What are the minimum permissions to access EV Operation Manager

ElGringo
Level 6
Partner Accredited

Hi,

EV M

Does anyone know what the minimum permissions (in EV Authorization) are that a user needs to access EV Operation Manager?

 

Many thanks !

Accepted Solutions

GertjanA
Moderator
Partner    VIP    Accredited Certified

Create a new Role in the console, following:  http://www.symantec.com/docs/TECH76981
I use:

The following "Operations" will need to have a check next to them

Can administer Enterprise Vault
Can manage Enterprise Vault Exchange Journaling tasks
Can manage Enterprise Vault Exchange Mailbox tasks
Can Administer Archives
Can administer all Enterprise Vault policies
Can administer all Enterprise vault targets
Can administer Enterprise Vault archives
Can administer Enterprise Vault Exchange Journaling policies
Can administer Enterprise Vault Exchange mailbox policies
Can administer Enterprise Vault Exchange policies
Can administer Enterprise Vault Exchange targets
Can administer Enterprise Vault policies
Can administer Enterprise Vault servers
Can administer Enterprise Vault targets
Can administer Enterprise Vault Vault Stores
Can administer Retention Categories
Can manage Enterprise Vault Exchange Journaling tasks
Can manage Enterprise Vault Exchange Mailbox tasks
Can manage Enterprise Vault services
Can manage Enterprise Vault tasks
Can manage Exchange Journal Archives
Can manage Exchange Mailbox Archives
Can use Server Manager
Can View Site Archiving Defaults property page
Can view Site Archiving Usage Limit property page
Can view Site General property page
Can Site monitoring property page
Can view Site Schedule property page
Can view Site Shortcut Deletion property page
Can view Site Storage Expiry property page 

Don't get fooled by the 'can manage', because in the monitoring they cannot. It is needed to SEE certain things.

You can secure the monitoring page itself as follows:

On the machine where the monitoring webapp is running, go to c:\program files\enterprise vault\monitoringwebapp

Open the web.config file (using Notepad).

Under the line <authentication mode="windows"/> add the following:

<authorization>
    <allow roles="domain\AD-groupname" />
    <allow users="domain\useraccount" />
    <deny users="*" />
</authorization>

Save the file. You might have to restart IIS, not sure anymore.

When opening the webpage you now get a login prompt. Log in with domain\useraccount + password, and it'll open the webpage. People not in the group, or not listed with their account, get an 'access denied' after 3 times clicking OK.

I then also limited access further to the configuration page by right-clicking the specific aspx file (monitoringconfig), Properties, tab ASP.NET, Edit Configuration, tab Authorization, then denied access for the group that is supposed to only check monitoring.

 

This better?

Regards. Gertjan
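
Added example (not part of the post above and not vendor code): a small Python model of ASP.NET's first-match URL authorization, run against a constructed web.config, to check who ends up allowed on the monitoring pages and why the final deny line matters. The `<location>` override as the file form of the per-page restriction, the page names `monitoringconfig.aspx` and `default.aspx`, and the sample accounts are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the <authorization> block from the post plus a
# <location> override for the configuration page. Group, account and page
# names are placeholders, not values from a real Enterprise Vault server.
WEB_CONFIG = r"""
<configuration>
  <system.web>
    <authentication mode="Windows"/>
    <authorization>
      <allow roles="domain\AD-groupname"/>
      <allow users="domain\useraccount"/>
      <deny users="*"/>
    </authorization>
  </system.web>
  <location path="monitoringconfig.aspx">
    <system.web>
      <authorization>
        <deny roles="domain\AD-groupname"/>
      </authorization>
    </system.web>
  </location>
</configuration>
"""

def _names(rule, attr):
    """Comma-separated attribute value as a lower-cased set."""
    return {v.strip().lower() for v in rule.get(attr, "").split(",") if v.strip()}

def _rules(node):
    """[(action, users, roles)] in document order for one config scope."""
    return [(r.tag, _names(r, "users"), _names(r, "roles"))
            for r in node.findall("system.web/authorization/*")]

def is_allowed(config_xml, user, groups, page):
    """Simplified first-match model; verbs and anonymous '?' are ignored."""
    root = ET.fromstring(config_xml)
    rules = []
    for loc in root.findall("location"):
        if loc.get("path", "").lower() == page.lower():
            rules += _rules(loc)      # page-level rules are evaluated first
    rules += _rules(root)             # then the application-level rules
    groups = {g.lower() for g in groups}
    for action, users, roles in rules:
        if "*" in users or user.lower() in users or roles & groups:
            return action == "allow"
    return True  # nothing matched: ASP.NET's machine-level default allows all
```

Removing the `<deny users="*"/>` line from the sample makes every authenticated user fall through to the default allow, which is the case the last line of `is_allowed` models.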


4 REPLIES

GertjanA
Moderator
Partner    VIP    Accredited Certified

Administrators guide page 25 and further

Exchange admin for instance

In Enterprise Vault Operations Manager, can view Exchange Server information and parameters.

Regards. Gertjan

ElGringo
Level 6
Partner Accredited

Like you, I found this. But I would like to have fewer privileges in EV: I mean members of Exchange Administrator are able to modify EV ... And that is specifically what I do not want

ElGringo
Level 6
Partner Accredited

Thanks GertjanA !