Roles-based administration

Roles-based administration enables you to use Microsoft Authorization Manager to configure the various administrator roles. All such configuration is performed using the Vault Service account.

See Installing and Configuring for details of the prerequisite software that is needed to run Authorization Manager. When you configure roles, you must use an Administration Console running on Windows XP/2003/2008.

Within Authorization Manager, administrator roles are built up using operations and tasks, as follows:
- An operation is a low-level permission that represents a privileged action or capability. When the Administration Console determines whether a role has access to perform a task, it is the operations associated with the role that are checked.

  Operations with names prefixed by "{STO}" or "{DIR}" are internal operations that do not affect the Administration Console display. Other, external operations control the view of the Administration Console that an administrator sees.
- A task is a group of operations that collectively provide sufficient permissions to do a particular job.

An administrator role is a collection of tasks and, possibly, operations and other roles.
Enterprise Vault supplies the following predefined roles:

You can use the predefined roles as supplied, customize them, or create new roles, as required.

By assigning administrator roles you can adjust the permissions of individual administrators to match their job responsibilities. The mechanism is flexible enough for you to be able to modify an individual's role to cope with any change in responsibility.

You can assign administrator roles to the following:

- Windows Users and Groups.
- The results of an LDAP query.
- Application-specific groups. These are specific to Authorization Manager and can contain a mixture of users and groups. They can also be based on an LDAP query. The main benefit of using application groups is that there is no need to create new groups within Active Directory to support Enterprise Vault.

Enterprise Vault auditing does not log changes to role membership within Authorization Manager. If you require auditing of changes within Authorization Manager, assign Enterprise Vault administrator roles to Windows security groups and enable Windows auditing of changes to those groups.
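
One way to close the auditing gap described above with native Windows auditing. This is an added example, not part of the original Enterprise Vault documentation; the group names are hypothetical placeholders, and it assumes Windows Server 2008 or later, where these event IDs apply.

```powershell
# Added example. The group names are hypothetical placeholders: substitute the
# Windows security groups to which you assigned Enterprise Vault roles.
$evRoleGroups = @('EV-PowerAdmins', 'EV-StorageAdmins', 'EV-ExchangeAdmins')

# Turn on auditing of security group changes. For domain groups, apply this on
# the domain controllers (or set the equivalent policy through Group Policy).
auditpol /set /subcategory:"Security Group Management" /success:enable /failure:enable

# Member added / removed events for security-enabled groups:
#   global 4728/4729, local 4732/4733, universal 4756/4757.
$addedIds   = @(4728, 4732, 4756)
$removedIds = @(4729, 4733, 4757)

$filter = @{
    LogName   = 'Security'
    Id        = $addedIds + $removedIds
    StartTime = (Get-Date).AddDays(-7)   # review window: last 7 days
}

# Reading the Security log requires an elevated session.
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        $evt  = $_
        $data = @{}
        # Flatten the named EventData fields of the event into a hashtable.
        foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }
        New-Object PSObject -Property @{
            Time      = $evt.TimeCreated
            Action    = $(if ($addedIds -contains $evt.Id) { 'Added' } else { 'Removed' })
            Group     = $data['TargetUserName']    # group that was changed
            Member    = $data['MemberName']        # account added or removed
            MemberSid = $data['MemberSid']
            ChangedBy = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        }
    } |
    # Keep only changes to the groups that carry Enterprise Vault roles.
    Where-Object { $evRoleGroups -contains $_.Group } |
    Sort-Object Time |
    Format-Table Time, Action, Group, Member, ChangedBy -AutoSize
```

Roles assigned directly to users, LDAP queries or application-specific groups inside Authorization Manager do not produce these events, which is why the role assignment has to go through Windows security groups for this to work.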
Table: Administration Console containers available to the default roles shows the tasks that an administrator in each of the supplied roles can perform and the access that is allowed in the Administration Console.

Table: Administration Console commands available to the default roles shows the Administration Console commands available to the default roles.

Note that administrator roles are also required for access to Enterprise Vault Operations Manager and Enterprise Vault Reporting.

For an introduction to using Microsoft Authorization Manager, see the following article:

http://technet2.microsoft.com/WindowsServer/en/Library/72b55950-86cc-4c7f-8fbf-3063276cd0b61033.mspx

Table: Administration Console containers available to the default roles

| Container | Messaging Admin | Domino Admin | Exchange Admin | PST Admin | NSF Admin | File Server Admin | SharePoint Admin | Storage Admin | Power Admin |
|---|---|---|---|---|---|---|---|---|---|
| Targets | Exchange, Domino | Domino | Exchange | None | None | File Server | SharePoint | None | All targets |
| Policies | Exchange, Domino Journaling, Retention Categories | Domino, Retention Categories | Exchange, Retention Categories | PST Migration, Retention Categories | Domino Mailbox, Domino Desktop, Retention Categories | File Archiving, Retention Categories | SharePoint, Retention Categories | None | All policies |
| Services | Task Controller | Task Controller | Task Controller | Task Controller | None | Task Controller | Task Controller | Storage | All services |
| Tasks | Mailbox Archiving, Public Folder, Exchange Journaling, Exchange Provisioning, Domino Journaling | Domino Mailbox Archiving, Domino Journaling | Mailbox Archiving, Public Folder, Exchange Journaling, Exchange Provisioning | Mailbox Archiving, PST Locator, PST Collector, PST Migrator | None | File Server Archiving | SharePoint | None | All tasks |
| Archives | Journal, Mailbox, Public Folder, Shared | Domino Mailbox, Domino Journal | Exchange Journal, Exchange Mailbox, Public Folder, Shared | None | Import NSF | File System, Shared | Shared, SharePoint | All types of archive | All types of archive |
| Vault Stores | None | None | None | None | None | None | None | All vault stores | All vault stores |
| Personal Store Management | None | None | None | None | None | None | None | None | All functions |

Table: Administration Console commands available to the default roles

| Container | Messaging Admin | Domino Admin | Exchange Admin | PST Admin | NSF Admin | File Server Admin | SharePoint Admin | Storage Admin | Power Admin |
|---|---|---|---|---|---|---|---|---|---|
| Enable Mailbox | Available | Available | Available | Not available | Not available | Not available | Not available | Not available | Available |
| Disable Mailbox | Available | Available | Available | Not available | Not available | Not available | Not available | Not available | Available |
| Enable Workspace | Not available | Not available | Not available | Not available | Not available | Not available | Available | Not available | Available |
| Disable Workspace | Not available | Not available | Not available | Not available | Not available | Not available | Available | Not available | Available |
| New Vault Store | Not available | Not available | Not available | Not available | Not available | Not available | Not available | Available | Available |
| Site Property Pages | General, Archiving Settings, Site Schedule | General, Archiving Settings, Site Schedule | General, Archiving Settings, Site Schedule | General, Site Schedule | Not available | General, Archiving Settings, Site Schedule | General, Archiving Settings, Site Schedule | General, Archiving Settings, Site Schedule, Storage Expiry | All pages |
| Import Archive | Not available | Not available | Not available | Available | Not available | Not available | Not available | Available | Available |
| Export Archive | Not available | Not available | Not available | Available | Not available | Not available | Not available | Available | Available |
| Import NSF | Available | Available | Not available | Not available | Available | Not available | Not available | Not available | Available |
| Update Service Locations | Not available | Not available | Not available | Not available | Not available | Not available | Not available | Not available | Not available |
| Run Configuration Wizard (Second server) | Not available | Not available | Not available | Not available | Not available | Not available | Not available | Not available | Not available |
| Change Directory SQL Server | Not available | Not available | Not available | Not available | Not available | Not available | Not available | Not available | Not available |
| Change Service Account | Not available | Not available | Not available | Not available | Not available | Not available | Not available | Not available | Not available |
| Change Vault Store SQL Server | Not available | Not available | Not available | Not available | Not available | Not available | Not available | Not available | Not available |
| Advanced Features | Available | Available | Available | Available | Not available | Available | Available | Available | Available |
| Exchange Message Classes | Available | Not available | Available | Not available | Not available | Not available | Not available | Not available | Available |
| Domino forms | Available | Available | Not available | Not available | Available | Not available | Not available | Not available | Available |