Description

In order to access Enterprise Vault (EV) Compliance Accelerator (CA) or be monitored by CA, users must be added as Employees in CA first. This allows CA to recognize the users as CA users, after which they can be assigned to Roles as needed, and/or be added to Departments as Monitored Employees.

Note: Some or all of the following steps may also be performed in Veritas Advanced Supervision (VAS), depending on the VAS version. The steps below reference the CA Client.

Adding Employees

The first step is to add users as Employees. All Employees require a CA profile. Each Employee profile comprises a number of properties, some of which correspond to Active Directory (AD) or Domino directory attributes. When configuring an Employee profile, you can choose whether CA should automatically synchronize these properties with the corresponding directory account information. You must have the Manage Employees Permission to set up an Employee profile. By default, users with the Application Role of App User Admin have this Permission.

Users can be added individually as Employees, as follows:

1. Click the Employees tab in the Compliance Accelerator Client.

2. Click New Employee at the top of the window.

3. In the right pane, click on Browse under Windows account or under Domino account as applicable, select the applicable AD Domain or Domino LDAP Server, then find the user and click OK. Verify the Automatically synchronize option is selected if you want CA to regularly synchronize the Employee profile properties with values in the associated AD or Domino user account. By default, CA synchronizes Employees and Groups every four hours and every time that the Enterprise Vault Accelerator Manager Service starts. However, you can change this setting.

4. Click Save.

5. After all Employees have been added, click Synchronize Employees.

Note

To add a user that is not in AD or Domino, the user's details must be manually entered. The Display Name and Email addresses are mandatory fields. If the Employee has multiple addresses, type each one on a line of its own. Note that you must only specify one instance of each email address across all the active addresses in the Customer database. Duplicate addresses can cause Sampling errors. If you search for the items that were sent to or from this Employee, CA includes all the listed addresses in the search. To ensure that you capture all the relevant items, remember to add old email addresses.

Verify the Automatically synchronize option is not selected for manually added Employees that are not in AD or Domino. If set to Automatically synchronize, you must clear this option if you want to edit the profile manually after synchronization.

Other fields can also be manually entered, such as First Name, Initials and Last Name. Here are some of the available fields that can be populated when manually entering in an Employee's profile information:

- Title: Specifies the Employee's job title.

- Department: Identifies the Employee's department within the organization. This department is not the Compliance Accelerator Department to which the Employee is to belong (as applicable).

- Start date: Your company policy should specify how this box is used. For example, the start date can indicate when the Employee joined the company or when the Employee was first monitored. By default, today's date appears in the box. To change this date, click the down arrow at the right of the box and then select the required date.

- End date: As with the start date, your company policy should specify how this box is used. For example, the end date can indicate when the Employee left the company. This date is important for preserving accurate system information.

- Employee ID: If your company's administration or finance department issues each Employee with a unique company ID, you can enter it here. If you update employee data using an XML file, the Employee ID box must have a unique value. This value is used to identify the Employee profile to update.

The quickest way to add a large number of Employee profiles to CA is to create an Employee Group. Then you can synchronize this Group with the user account information held in Active Directory or a Domino directory, or a Windows or Domino group.

You must have the Manage Employees Permission to set up an Employee Group. By default, users with the Role of App User Admin have this Permission.

To create an Employee Group:

1. Click the Employees tab in the CA client, then click New Employee Group at the top of the window.

2. Type the name of the Group and a brief description (optional).

3. If you want to synchronize the Group with the user account information held in an external source like Active Directory, select Automatically synchronize and enter the required details. By default, CA synchronizes Employees and Groups every four hours and every time that the Enterprise Vault Accelerator Manager Service starts. However, you can change this setting. The options are as follows:

3.1. Active Directory search, or Domino LDAP search

Lets you specify the appropriate search filter and search root. If the target employees are in various parts of your organization, their user accounts may be in different areas of the directory. By using a search with one or more search filters, you can find and automatically add these users.

An LDAP search filter can be based on any number of custom or standard attributes, but it must target user objects. You can combine multiple filters to find the members for a department. For example, you can enter the following to find all users whose department attribute is set to UK Equities:

(&(objectCategory=person)(department=UK Equities))

In the Search Root box, type the Distinguished Name for the search root. This name identifies where in the directory hierarchy to start the search. For example, if your directory spans multiple countries, you can set the root to the UK organizational unit by entering the following:

LDAP://OU=UK, DC=MyCompany, DC=com

Select Search whole tree to include the members of nested groups.

3.2. Active Directory container

Lets you type the name of the Active Directory container.

In the ADsPath box, type the Distinguished Name of the Active Directory container that holds the users to add to the employee group. For example, suppose that the UK Equities department points to this organizational unit container:

CN=Equities, OU=UK, DC=MyCompany, DC=com

You can enter the following to add all the employees in the department to the group:

LDAP://CN=Equities, OU=UK, DC=MyCompany, DC=com

Select Search nested containers to include the members of nested containers.

3.3. Windows group or distribution list, or Domino group or distribution list

Lets you type the name of a group in the form domain_name\group_name. The group may or may not be held in your directory. If you do not use Active Directory or a Domino directory, you can only update the display name of employee profiles by synchronizing. You need to enter additional employee information manually.

If you want to synchronize the Employee Group with a Domino group or distribution list, you must enable the following Domino LDAP attributes for anonymous access in Domino Administrator:

- cn
- dominocertificate
- mail
- maildomain
- member
- objectclass

See the Domino documentation for instructions on how to do this.

4. If you want to add Employees to the Group manually, click the Members tab and then click Add. Then select the Employees from the list. You can select multiple adjacent Employees by holding down the Shift key while clicking the first and last Employee in the range. To select multiple nonadjacent Employees, hold down the Ctrl key while clicking the required Employees. Click OK when you have finished.

5. Click Save.

Assigning Roles to Employees

A Role is a collection of Permissions that allow certain functions within CA. You assign Roles to Employees or Employee Groups to determine what they can access and the tasks that they can perform in CA. For example, you can assign the Role of Department Reviewer to an Employee who needs to Review and Mark items in a Department. Some Roles are effective at the Application level, across the entire CA system, whereas others apply at the Department level or Research Folder level only.

The predefined CA Roles are listed under the Application tab | Roles tab and fall into the following categories:

- Application Roles, which apply at the CA system level.
- Department Roles, which apply to individual Department(s) only.
- Folder Roles, which apply to individual Research Folder(s) only.

Please see the CA Help under About the predefined Compliance Accelerator roles and under About the Compliance Accelerator permissions for more information.

If a predefined Role does not meet your business needs, a custom Role can be created. It is a best practice to not edit any predefined Roles and to create custom Roles if a predefined Role does not meet business needs. Please see the CA Help under Creating Compliance Accelerator roles for more information on creating custom Roles.

You must have the Grant Users Access Permission to assign a Role to an Employee or Group. By default, users with the Application Role of App User Admin have the Permission required to assign Application level roles. Users with the Department Role of User Admin have the Permission to assign Department level roles.

As well as possessing the Roles that you have explicitly assigned to them, Employees can inherit Roles from the Groups to which they belong.

For Parent/Child Departments, a Child Department will inherit Permissions from Roles assigned in its Parent Department. In other words, an Employee or Employee Group assigned to a Role in a Parent Department will have that Role's Permissions in all Child Departments under the Parent Department. Note these inherited Employees/Employee Groups/Roles will not be listed in the Role Assignment tab in the Child Departments - it will be required to review the Role Assignment Tab of the Parent Department to review any existing Department Role Assignments.

To assign a Role to an Employee or Group:

1. First determine where the Role will be assigned, i.e., determine the Role Scope:

1.1. To assign an Application Role, click the Application tab in the CA Client, then click the Role Assignment tab.

1.2. To assign a Department role, click the Departments tab, click the required Department in the left pane, then click the Role Assignment tab.

2. Click the name of the Employee or Group to whom you want to Assign a Role. If the Employee or Group does not appear in the list, click Add User at the top of the pane. Then select the Employee or Group to add to the list.

3. In the right pane, click Add Role to assign a new role and select the applicable Role(s).

4. Click Save.

Adding Monitored Employees and/or Groups to Departments

An important activity in CA is to add Employees and Employee Groups to the Departments in which you want to monitor them. If you have not already created the profiles for these Employees and Groups, you must do so before you can add them to a Department.

You must have the Add Monitored Employees and Grant Users Access Permissions to add Employees and Groups to a Department. By default, users with the Department Role of User Admin have these

Permissions.

To add Monitored Employees and Groups to a Department:

1. Click the Departments tab in the CA client.

2. In the Departments pane at the left, do one of the following:

2.1. Click the Department to which you want to add Employees or Groups, click the Monitored Employees tab, then click Add employees at the top of the window.

2.2. Right-click the Department to which you want to add Employees or Groups, and then click Add Monitored Employees.

3. Select the Employees and/or Groups that you want to monitor. You can select multiple adjacent names by holding down the Shift key and clicking the first and last names in the range. To select multiple, nonadjacent names, hold down the Ctrl key and click the required names.

4. Click OK.