Vault allows you to schedule data export jobs on the Admin > Operations > Job Definitions page. The Scheduled Data Exports job exports data on a daily basis at 12:00AM in the Vault time zone and can be configured to export object records, audit history, and document metadata directly to your Vault File Staging Server or Amazon S3 Bucket. Vault exports extracted data to a CSV file.
Note: In 24R3, Vaults will have a 30 object limit by default. Any existing Vaults that have used or configured Scheduled Data Exports before this release will not have this limit.
Configuring Scheduled Data Exports
If you are a Vault Owner, you can configure the job definition on the Job Definitions > Scheduled Data Exports page. Configuring the job definition grants you the role of Job Owner for the Scheduled Data Exports job.
The Scheduled Data Exports job is inactive by default. To activate the job:
- Click Edit.
- Under Status, select Active.
- Click Save.
Admins can edit the Scheduled Data Exports job start time.
Selecting Entities to Export
On the Scheduled Data Exports page, you can select which entities Vault exports under Export Configuration. Entities include object records, audit history, and document metadata. Exporting audit history data requires additional permissions.
The following audit history data is available for export:
- System Audit
- Login Audit
- Document Audit
- Object Record Audit
- Domain Audit
To add entities to the export:
- Click Edit.
- Enter the name of the Entities to Export or select an entity from the list.
- Use the arrow buttons to move the entity to Selected Entities.
- Click Save.
Accessing Exported Data
By default, Vault exports CSV files from the Scheduled Data Exports job to a File Staging Server. Vault uploads files to different locations depending on your security profile. For Vault Owners, Vault uploads files to the root file staging server folder.
You can configure Vault to export data to a custom Amazon S3 Bucket in addition to a file staging server. Before Vault can export data, you must set up your Amazon S3 Bucket with the appropriate permissions to allow Vault to read and write to the bucket. Vault supports the use of bucket policies and access control lists (ACLs) to configure permissions to manage bucket and object access. See the AWS S3 documentation for more information on bucket ownership.
Setting Up Amazon S3 Buckets with Bucket Policies
To set up an S3 Bucket with bucket policies:
- Create a new S3 bucket. The bucket name does not impact functionality but needs to be distinct.
- Ensure that ACLs are disabled.
- Edit the bucket policy by adding a statement with the following settings:
- Effect: Allow
- Principal:
"CanonicalUser": "6aa09b8b08a72fa7c87711134cbbdca1a855f619b5679ad7a90b9d947420928f"
- Action: DeleteObject, GetObject, PutObject
- Resource:
arn:aws:s3:::${BucketName}/*
- Validate the S3 Bucket you wish to use with Vault Scheduled Data Exports using a verification file. To download the verification file from Vault, navigate to Admin > Settings > Scheduled Data Export Settings and click Edit.
- Upload the verification file to the root folder of your S3 bucket, ensuring that the Read object and Read and Write Object ACL permissions checkboxes are selected and the Server-side encryption type is set to Server-side encryption with Amazon S3 managed keys (SSE-S3).
Setting Up Amazon S3 Buckets with Access Control Lists
Note: Amazon recommends disabling ACLs. By default, disabling ACLs assigns the bucket owner ownership of all objects within the bucket and the ability to define bucket policies to manage access.
To set up an S3 Bucket with ACLs:
- Create a new S3 bucket. The bucket name does not impact functionality but needs to be distinct.
- Grant Read objects, Write objects, and Read bucket permissions on the bucket to the following canonical ID:
6aa09b8b08a72fa7c87711134cbbdca1a855f619b5679ad7a90b9d947420928f
. - Select the Read object and Read and Write Object ACL permissions checkboxes.
- Validate the S3 Bucket you wish to use with Vault Scheduled Data Exports using a verification file. To download the verification file from Vault, navigate to Admin > Settings > Scheduled Data Export Settings and click Edit.
- Upload the verification file to the root folder of your S3 bucket, ensuring that the Read object and Read and Write Object ACL permissions checkboxes are selected and the Server-side encryption type is set to Server-side encryption with Amazon S3 managed keys (SSE-S3).
Setting Up Vault for S3 Bucket Access
To add your S3 Bucket details to Vault:
- Navigate to Admin > Settings > Scheduled Data Export Settings and click Edit.
- Enter your S3 Endpoint.
- Enter the S3 Bucket Name.
- Click Validate.
- Click Save.
- Navigate to Operations > Job Definitions > Scheduled Data Exports.
- Click Edit.
- Under Data Storage Option, select your Amazon S3 Bucket.
- Click Save.
Vault uploads data to S3 Endpoints over HTTPS.
You can reset the S3 Bucket configuration by navigating to Settings > Scheduled Data Export Settings and clicking Edit. Click Reset, then click Confirm in the dialog. You cannot reset S3 Bucket configuration if the bucket is selected as the data storage option on the scheduled data export job.
Data Export Options
The first time you configure an entity for export, Vault exports the entity’s full data. The subsequent daily export contains data from the previous successful Entity Run Date for the initial full data export to the current execution time. Vault does not automatically export an entity’s full data if a Scheduled Data Exports job previously exported the entity. However, if the initial export for the entity failed, the next job will attempt a full export of that entity.
Scheduled Data Exports only include the most recent changes for a record. For example, the export only includes a record’s deletion if it was updated and subsequently deleted since the last successful job run.
To override the Scheduled Data Exports job and force Vault to complete a full data export, select the Enable full data export option under Data Export Options when configuring the job.
You can only execute a full data export once every 30 days. Vault does not export audit history for initial or full data exports.
Notifications
When the export is complete, you’ll receive an email and a Vault notification. The notifications include a link to the search results for Scheduled Data Exports filtered by the applicable Job ID and the filepath of the export folder. You can also access all Scheduled Data Exports from Business Admin > Objects. Vault also notifies you upon partial completion or failure of the Scheduled Data Exports job.
If a job run is unsuccessful, the next job will process the data to a maximum of 14 days.
Formatting in Exported Data
Vault formats exported data as follows:
- Exported document metadata includes inactive document fields.
- Unique, empty value fields on multi-value objects, displayed as “,,” in files extracted from Vault Loader, are empty in Scheduled Data Exports files.
- When escaping characters, Vault does not add backslash (\) characters to field values with an existing backslash.
- When escaping characters, Vault adds two pairs of double quotes for multi-value fields with commas. For example, Vault escapes
"ab,c"
or"ab,c,def"
as"""ab,c"""
and"""ab,c"",def"
. - Currency fields in Vault objects export with an extra decimal place. For example, 1.0 exports as 1.00.
- DateTime fields on Document and Document Version exports include seconds in the timestamp.
- Column headers in Document and Document Version exports are in alphabetical order by field name.
- Picklist fields in Vault object, Document, and Document Version exports include both the picklist name and label.
Limitations
- After the initial export, Vault only exports data updated since the last successful job run.
- All columns are exported, including inactive fields.
- Vault excludes document formula fields from scheduled data exports.
- Available and selected entities are limited to data that the Job Owner can view.
- Exporting platform objects and document relationships is not supported.
- Job schedule frequency cannot be modified.
- Vault removes files placed on the Vault File Staging Server after the FTP File Staging Retention time expires.
- Vault does not export deleted records in initial or full data exports. Daily data exports contain deleted records.
Related Permissions
You can complete all steps in this article with the standard Vault Owner security profile. If your Vault uses custom security profiles, your profile must grant the following permissions:
Security Profile
- Admin: Operations: Jobs: Read
- Grants read-only access to Operations > Job Definitions.
- Admin: Operations: Jobs: Edit
- Grants ability to edit existing job definitions.
- Admin: Operations: Jobs: Interact
- Grants ability to manage scheduled job instances (start, stop, cancel, among others).
- Application: File Staging: Access
- Grants ability to connect to the file staging server and download files extracted using Vault Loader (document source files and renditions).
- Objects: Scheduled Data Export: Read
- Grants ability to view records for the Scheduled Data Export object.
- Admin: Logs
- Grants ability to view and export log data for System Audit, Login Audit, Document Audit, Object Record Audit, and Domain Audit in scheduled exports.