02-08-2011 06:27 AM
Hi,
EV M
Does anyone know what are minimum permissions (in EV Authorization) that a user need to access to EV Operation Manager ?
Many thanks !
Solved! Go to Solution.
02-08-2011 11:24 AM
Create a new Role in the console, following: http://www.symantec.com/docs/TECH76981
I use:
The following "Operations" will need to have a check next to them
Can administer Enterprise Vault
Can manage Enterprise Vault Exchange Journaling tasks
Can manage Enterprise Vault Exchange Mailbox tasks
Can Administer Archives
Can administer all Enterprise Vault policies
Can administer all Enterprise vault targets
Can administer Enterprise Vault archives
Can administer Enterprise Vault Exchange Journaling policies
Can administer Enterprise Vault Exchange mailbox policies
Can administer Enterprise Vault Exchange policies
Can administer Enterprise Vault Exchange targets
Can administer Enterprise Vault policies
Can administer Enterprise Vault servers
Can administer Enterprise Vault targets
Can administer Enterprise Vault Vault Stores
Can administer Retention Categories
Can manage Enterprise Vault Exchange Journaling tasks
Can manage Enterprise Vault Exchange Mailbox tasks
Can manage Enterprise Vault services
Can manage Enterprise Vault tasks
Can manage Exchange Journal Archives
Can manage Exchange Mailbox Archives
Can use Server Manager
Can View Site Archiving Defaults property page
Can view Site Archiving Usage Limit property page
Can view Site General property page
Can Site monitoring property page
Can view Site Schedule property page
Can view Site Shortcut Deletion property page
Can view Site Storage Expiry property page
Don't get fooled by the 'can manage', because in the monitoring they cannot. It is needed to SEE certain things.
You can secure the monitoring page itself as follows:
On the machine where the monitoring webapp is running, go to c:\program files\enterprise vault\monitoringwebapp
open web.config file (using notepad)
under the line <authentication mode="windows"/> add the following:
<authorization>
<allow roles="domain\AD-groupname" />
<allow users="domain\useraccount" />
<deny users="*" />
</authorization>
Save file. You might have to restart IIS, not sure anymore.
when opening the webpage you now get a login prompt. Login with domain\useraccount + password, and it'll open the webpage. People not in the group, or not listed with their account get an 'access denied' after 3 times clicking ok.
I then also limited access further to the configuration-page, using rightclicking the specific aspx file (monitoringconfig), properties, tab asp.net, edit configuration, tab authorization, the denied access for the group who is supposed to only check monitoring.
This better?
02-08-2011 06:36 AM
Administrators guide page 25 and further
Exchange admin for instance
In Enterprise Vault Operations Manager, can view Exchange Server information and parameters.
02-08-2011 07:00 AM
As you, I found this. But I would like to have less privileges in EV : I mean member of Exchanger Administrator are able to modify EV ... And that is speciffically what I do not want
02-08-2011 11:24 AM
Create a new Role in the console, following: http://www.symantec.com/docs/TECH76981
I use:
The following "Operations" will need to have a check next to them
Can administer Enterprise Vault
Can manage Enterprise Vault Exchange Journaling tasks
Can manage Enterprise Vault Exchange Mailbox tasks
Can Administer Archives
Can administer all Enterprise Vault policies
Can administer all Enterprise vault targets
Can administer Enterprise Vault archives
Can administer Enterprise Vault Exchange Journaling policies
Can administer Enterprise Vault Exchange mailbox policies
Can administer Enterprise Vault Exchange policies
Can administer Enterprise Vault Exchange targets
Can administer Enterprise Vault policies
Can administer Enterprise Vault servers
Can administer Enterprise Vault targets
Can administer Enterprise Vault Vault Stores
Can administer Retention Categories
Can manage Enterprise Vault Exchange Journaling tasks
Can manage Enterprise Vault Exchange Mailbox tasks
Can manage Enterprise Vault services
Can manage Enterprise Vault tasks
Can manage Exchange Journal Archives
Can manage Exchange Mailbox Archives
Can use Server Manager
Can View Site Archiving Defaults property page
Can view Site Archiving Usage Limit property page
Can view Site General property page
Can Site monitoring property page
Can view Site Schedule property page
Can view Site Shortcut Deletion property page
Can view Site Storage Expiry property page
Don't get fooled by the 'can manage', because in the monitoring they cannot. It is needed to SEE certain things.
You can secure the monitoring page itself as follows:
On the machine where the monitoring webapp is running, go to c:\program files\enterprise vault\monitoringwebapp
open web.config file (using notepad)
under the line <authentication mode="windows"/> add the following:
<authorization>
<allow roles="domain\AD-groupname" />
<allow users="domain\useraccount" />
<deny users="*" />
</authorization>
Save file. You might have to restart IIS, not sure anymore.
when opening the webpage you now get a login prompt. Login with domain\useraccount + password, and it'll open the webpage. People not in the group, or not listed with their account get an 'access denied' after 3 times clicking ok.
I then also limited access further to the configuration-page, using rightclicking the specific aspx file (monitoringconfig), properties, tab asp.net, edit configuration, tab authorization, the denied access for the group who is supposed to only check monitoring.
This better?
02-09-2011 10:16 AM
Thanks GertjanA !