Roles-based administration

Roles-based administration enables you to use Microsoft Authorization Manager to configure the various administrator roles. All such configuration is performed using the Vault Service account.

See Installing and Configuring for details of the prerequisite software that is needed to run Authorization Manager. When you configure roles, you must use an Administration Console running on Windows XP/2003/2008.

Within Authorization Manager, administrator roles are built up using operations and tasks, as follows:

An operation is a low-level permission that represents a privileged action or capability. When the Administration Console determines whether a role has access to perform a task, it is the operations associated with the role that are checked.

Operations with names prefixed by "{STO}" or "{DIR}" are internal operations that do not affect the Administration Console display. Other, external operations control the view of the Administration Console that an administrator sees.
A task is a group of operations that collectively provide sufficient permissions to do a particular job.

An administrator role is a collection of tasks and, possibly, operations and other roles.

Enterprise Vault supplies the following predefined roles:

Messaging Administrator	Responsible for the day-to-day administration of Exchange Server and Lotus Domino archiving. This administrator does not have access to other parts of the product, such as File Server archiving or SharePoint archiving.
Domino Administrator	Responsible for the day-to-day administration of Lotus Domino archiving, including NSF migration. This administrator does not have access to other parts of the product, such as File Server archiving or SharePoint archiving. In Enterprise Vault Operations Manager, can view Domino information and parameters.
Exchange Administrator	Responsible for the day-to-day administration of Exchange Server archiving. This administrator does not have access to other parts of the product, such as File Server archiving or SharePoint archiving. In Enterprise Vault Operations Manager, can view Exchange Server information and parameters.
File Server Administrator	Responsible for the day-to-day administration of File Server archiving. This administrator does not have access to other parts of the product, such as Exchange Server archiving or SharePoint archiving.
PST Administrator	Has a view of the Administration Console that concentrates on those components that are required to manage personal stores. In Enterprise Vault Operations Manager, can view Exchange Server information and parameters.
NSF Administrator	Has a view of the Administration Console that concentrates on those components that are required to manage NSF files. In Enterprise Vault Operations Manager, can view Domino information and parameters.
SharePoint Administrator	Has a view of the Administration Console that concentrates on those components that are required to manage SharePoint archiving.
Storage Administrator	Has a view of the Administration Console interface that concentrates mainly on those components that are required to keep storage running properly. This administrator does not have access to archiving policy settings for the various targets.
Power Administrator	Can perform all the tasks in the other predefined roles. Cannot perform reconfiguration tasks such as changing the Vault Service account or Directory SQL server.

You can use the predefined roles as supplied, customize them, or create new roles, as required.

By assigning administrator roles you can adjust the permissions of individual administrators to match their job responsibilities. The mechanism is flexible enough for you to be able to modify an individual's role to cope with any change in responsibility.

You can assign administrator roles to the following:

Windows Users and Groups.
The results of an LDAP query.
Application-specific groups. These are specific to Authorization Manager and can contain a mixture of users and groups. They can also be based on an LDAP query. The main benefit of using application groups is that there is no need to create new groups within Active Directory to support Enterprise Vault.

Enterprise Vault auditing does not log changes to role membership within Authorization Manager. If you require auditing of changes within Authorization Manager, assign Enterprise Vault administrator roles to Windows security groups and enable Windows auditing of changes to those groups.

Table: Administration Console containers available to the default roles shows the tasks that an administrator in each of the supplied roles can perform and the access that is allowed in the Administration Console.

Table: Administration Console commands available to the default roles shows the Administration Console commands available to the default roles.

Note that adminstrator roles are also required for access to Enterprise Vault Operations Manager and Enterprise Vault Reporting.

For an introduction to using Microsoft Authorization Manager, see the following article:

http://technet2.microsoft.com/WindowsServer/en/Library/72b55950-86cc-4c7f-8fbf-3063276cd0b61033.mspx

Table: Administration Console containers available to the default roles

Container	Messaging Admin	Domino Admin	Exchange Admin	PST Admin	NSF Admin	File Server Admin	SharePoint Admin	Storage Admin	Power Admin
Targets	Exchange Domino	Domino	Exchange	None	None	File Server	SharePoint	None	All targets
Policies	Exchange Domino Journaling Retention Categories	Domino Retention Categories	Exchange Retention Categories	PST Migration Retention Categories	Domino Mailbox Domino Desktop Retention Categories	File Archiving Retention Categories	SharePoint Retention Categories	None	All policies
Services	Task Controller	Task Controller	Task Controller	Task Controller	None	Task Controller	Task Controller	Storage	All services
Tasks	Mailbox Archiving Public Folder Exchange Journaling Exchange Provision-ing Domino Journaling	Domino Mailbox Archiving Domino Journaling	Mailbox Archiving Public Folder Exchange Journaling Exchange Provision-ing	Mailbox Archiving PST Locator PST Collector PST Migrator	None	File Server Archiving	SharePoint	None	All tasks
Archives	Journal Mailbox Public Folder Shared	Domino Mailbox Domino Journal	Exchange Journal Exchange Mailbox Public Folder Shared	None	Import NSF	File System Shared	Shared SharePoint	All types of archive	All types of archive
Vault Stores	None	None	None	None	None	None	None	All vault stores	All vault stores
Personal Store Manage-ment	None	None	None	None	None	None	None	None	All functions

Table: Administration Console commands available to the default roles

Container	Messaging Admin	Domino Admin	Exchange Admin	PST Admin	NSF Admin	File Server Admin	SharePoint Admin	Storage Admin	Power Admin
Enable Mailbox	Available	Available	Available	Not available	Not available	Not available	Not available	Not available	Available
Disable Mailbox	Available	Available	Available	Not available	Not available	Not available	Not available	Not available	Available
Enable Workspace	Not available	Not available	Not available	Not available	Not available	Not available	Available	Not available	Available
Disable Workspace	Not available	Not available	Not available	Not available	Not available	Not available	Available	Not available	Available
New Vault Store	Not available	Not available	Not available	Not available	Not available	Not available	Not available	Available	Available
Site Property Pages	General Archiving Settings Site Schedule	General Archiving Settings Site Schedule	General Archiving Settings Site Schedule	General Site Schedule	Not available	General Archiving Settings Site Schedule	General Archiving Settings Site Schedule	General Archiving Settings Site Schedule Storage Expiry	All pages
Import Archive	Not available	Not available	Not available	Available	Not available	Not available	Not available	Available	Available
Export Archive	Not available	Not available	Not available	Available	Not available	Not available	Not available	Available	Available
Import NSF	Available	Available	Not available	Not available	Available	Not available	Not available	Not available	Available
Update Service Locations	Not available	Not available	Not available	Not available	Not available	Not available	Not available	Not available	Not available
Run Config-uration Wizard (Second server)	Not available	Not available	Not available	Not available	Not available	Not available	Not available	Not available	Not available
Change Directory SQL Server	Not available	Not available	Not available	Not available	Not available	Not available	Not available	Not available	Not available
Change Service Account	Not available	Not available	Not available	Not available	Not available	Not available	Not available	Not available	Not available
Change Vault Store SQL Server	Not available	Not available	Not available	Not available	Not available	Not available	Not available	Not available	Not available
Advanced Features	Available	Available	Available	Available	Not available	Available	Available	Available	Available
Exchange Message Classes	Available	Not available	Available	Not available	Not available	Not available	Not available	Not available	Available
Domino forms	Available	Available	Not available	Not available	Available	Not available	Not available	Not available	Available