# Scheduled Data Exports

Vault allows you to schedule data export jobs on the **Admin > Operations > Job Definitions** page. The _Scheduled Data Exports_ job exports data once a day at 12:00AM by default in the <a href="/en/gr/13309/#vault_time_zone">Vault time zone</a>
 or other time configured by an Admin. The job can be configured to export object records, audit history, and document metadata directly to your Vault's file staging or Amazon S3 Bucket. Vault exports extracted data to a CSV file.

<div class="note-border alert-info">
  <div class="alert alert-info" role="alert">
    <div><i class="far fa-info-circle"></i></div>
    <div class="alert-text">
      <p><strong>Note</strong>: Vaults have a 30 object limit by default.</p>
    </div>
  </div>
</div>



## Configuring Scheduled Data Exports

If you are a Vault Owner, you can configure the job definition on the **Job Definitions** > **Scheduled Data Exports** page. Configuring the job definition grants you the role of _Job Owner_ for the _Scheduled Data Exports_ job.

The _Scheduled Data Exports_ job is inactive by default. To activate the job:

1. Click **Edit**.
2. Under _Status_, select **Active**.
3. Click **Save**.

Admins can edit the _Scheduled Data Exports_ job start time.

### Selecting Entities to Export

On the **Scheduled Data Exports** page, you can select which entities Vault exports under _Export Configuration_. Entities include object records, audit history, and document metadata. Exporting audit history data requires additional [permissions][2].

The following audit history data is available for export:
* System Audit
* Login Audit
* Document Audit
* Object Record Audit
* Domain Audit

To add entities to the export:

1. Click **Edit**.
2. Enter the name of the **Entities to Export** or select an entity from the list.
3. Use the arrow buttons to move the entity to **Selected Entities**.
4. Click **Save**.

### Accessing Exported Data

By default, Vault exports CSV files from the _Scheduled Data Exports_ job to <a href="/en/gr/38653/">file staging</a>
. Vault uploads files to different locations depending on your security profile. For Vault Owners, Vault uploads files to the root file staging folder.

You can configure Vault to export data to a custom Amazon S3 Bucket in addition to file staging. Before Vault can export data, you must set up your Amazon S3 Bucket with the appropriate permissions to allow Vault to read and write to the bucket. Vault supports the use of bucket policies and access control lists (ACLs) to configure permissions to manage bucket and object access. See the <a class="external-link " href="https://docs.aws.amazon.com/AmazonS3/latest/userguide/about-object-ownership.html" target="_blank" rel="noopener">AWS S3 documentation<i class="fa fa-external-link" aria-hidden="true"></i></a> for more information on bucket ownership.

#### Setting Up Amazon S3 Buckets with Bucket Policies

To set up an S3 Bucket with bucket policies:

1. Create a new S3 bucket. The bucket name does not impact functionality but needs to be distinct.
2. Ensure that ACLs are disabled.
3. Edit the bucket policy by adding a statement with the following settings:
  * **Effect**: Allow
  * **Principal**: `"CanonicalUser": "6aa09b8b08a72fa7c87711134cbbdca1a855f619b5679ad7a90b9d947420928f"`
  * **Action**: DeleteObject, GetObject, PutObject
  * **Resource**: `arn:aws:s3:::${BucketName}/*`
4. Validate the S3 Bucket you wish to use with Vault _Scheduled Data Exports_ using a verification file. To download the verification file from Vault, navigate to **Admin > Settings > Scheduled Data Export Settings** and click **Edit**.
5. Upload the verification file to the root folder of your S3 bucket, ensuring that the **Read object** and **Read and Write Object ACL** permissions checkboxes are selected and the **Server-side encryption type** is set to **Server-side encryption with Amazon S3 managed keys (SSE-S3)**.

#### Setting Up Amazon S3 Buckets with Access Control Lists

<div class="note-border alert-info">
  <div class="alert alert-info" role="alert">
    <div><i class="far fa-info-circle"></i></div>
    <div class="alert-text">
      <p><strong>Note</strong>: Amazon recommends disabling ACLs. By default, disabling ACLs assigns the bucket owner ownership of all objects within the bucket and the ability to define bucket policies to manage access.</p>
    </div>
  </div>
</div>



To set up an S3 Bucket with ACLs:

1. Create a new S3 bucket. The bucket name does not impact functionality but needs to be distinct.
2. Grant _Read objects_, _Write objects_, and _Read bucket_ permissions on the bucket to the following canonical ID: `6aa09b8b08a72fa7c87711134cbbdca1a855f619b5679ad7a90b9d947420928f`.
3. Select the **Read object** and **Read and Write Object ACL** permissions checkboxes.
4. Validate the S3 Bucket you wish to use with Vault _Scheduled Data Exports_ using a verification file. To download the verification file from Vault, navigate to **Admin > Settings > Scheduled Data Export Settings** and click **Edit**.
5. Upload the verification file to the root folder of your S3 bucket, ensuring that the **Read object** and **Read and Write Object ACL** permissions checkboxes are selected and the **Server-side encryption type** is set to **Server-side encryption with Amazon S3 managed keys (SSE-S3)**.

#### Setting Up Vault for S3 Bucket Access

To add your S3 Bucket details to Vault:

1. Navigate to **Admin > Settings > Scheduled Data Export Settings** and click **Edit**.
2. Enter your <a class="external-link " href="https://docs.aws.amazon.com/general/latest/gr/s3.html" target="_blank" rel="noopener">**S3 Endpoint**<i class="fa fa-external-link" aria-hidden="true"></i></a>.
3. Enter the **S3 Bucket Name**.
4. Click **Validate**.
5. Click **Save**.
6. Navigate to **Operations** > **Job Definitions** \> **Scheduled Data Exports**.
7. Click **Edit**.
8. Under _Data Storage Option_, select your Amazon S3 Bucket.
9. Click **Save**.

Vault uploads data to S3 Endpoints over HTTPS.

You can reset the S3 Bucket configuration by navigating to **Settings > Scheduled Data Export Settings** and clicking **Edit**. Click **Reset**, then click **Confirm** in the dialog. You cannot reset S3 Bucket configuration if the bucket is selected as the data storage option on the _Scheduled Data Export_ job.

### Data Export Options

The first time you configure an entity for export, Vault exports the entity's full data. The subsequent daily export contains data from the previous successful _Entity Run Date_ for the initial full data export to the current execution time. Vault does not automatically export an entity's full data if a _Scheduled Data Exports_ job previously exported the entity. However, if the initial export for the entity failed, the next job will attempt a full export of that entity.

_Scheduled Data Exports_ only include the most recent changes for a record. For example, the export only includes a record's deletion if it was updated and subsequently deleted since the last successful job run.

To override the _Scheduled Data Exports_ job and force Vault to complete a full data export, select the **Enable full data export** option under _Data Export Options_ when configuring the job.

You can only execute a full data export once every 30 days. Vault does not export audit history for initial or full data exports.

## Notifications

When the export is complete, you'll receive an email and a Vault notification. The notifications include a link to the search results for _Scheduled Data Exports_ filtered by the applicable Job ID and the filepath of the export folder. You can also access all _Scheduled Data Export_ records from **Business Admin > Objects**. Vault also notifies you upon partial completion or failure of the _Scheduled Data Exports_ job.

If a job run is unsuccessful, the next job will process the data to a maximum of 14 days.

## Formatting in Exported Data

Vault formats exported data as follows:

* Exported document metadata includes inactive document fields.
* Unique, empty value fields on multi-value objects, displayed as ",," in files extracted from Vault Loader, are empty in _Scheduled Data Exports_ files.
* When escaping characters, Vault does not add backslash (\\) characters to field values with an existing backslash.
* When escaping characters, Vault adds two pairs of double quotes for multi-value fields with commas. For example, Vault escapes `"ab,c"` or `"ab,c,def"` as `"""ab,c"""` and `"""ab,c"",def"`.
* Currency fields in Vault objects export with an extra decimal place. For example, 1.0 exports as 1.00.
* DateTime fields on _Document_ and _Document Version_ exports include seconds in the timestamp.
* Column headers in _Document_ and _Document Version_ exports are in alphabetical order by field name.
* Picklist fields in Vault object, _Document_, and _Document Version_ exports include both the picklist name and label.
* Unique fields on referenced objects are included in _Scheduled Data Export_ files with a column for each unique field.

## Limitations

* _Scheduled Data Export_ jobs are limited to 30 objects.
* _Scheduled Data Export_ jobs cannot be run more than once every 24-hour period.
* After the initial export, Vault only exports data updated since the last successful job run.
* All columns are exported, including inactive fields.
* Vault excludes document formula fields from _Scheduled Data Exports_.
* Available and selected entities are limited to data that the Job Owner can view.
* Exporting platform objects and document relationships is not supported.
* Job schedule frequency cannot be modified.
* Vault removes files placed on Vault file staging after the _FTP File Staging Retention_ time expires.
* Vault does not export deleted records in initial or full data exports. Daily data exports contain deleted records.
* When reactivating an inactive _Scheduled Data Exports_ job, Vault provides 14 days of data at most.
* The _Scheduled Data Exports_ job currently does not support AWS China.
* AWS Key Management Service (KMS) is not supported as the server-side encryption for the verification.jwt file.

### Audit History Export Limitations

In addition to the applicable limitations above, the following apply for audit history exports:

  * Vault does not export audit history for initial or full data exports.
  * Vault exports all system audit records from the previous 24 hours from the job run date when the job is exporting system audit data for the first time. For subsequent job runs, Vault exports system audit records since the last successful run date.
  * Vault exports a maximum of five days of audit history data, in the event that the job fails to run and is restarted.

## Related Permissions {#permissions}

You can complete all steps in this article with the standard _Vault Owner_ security profile. If your Vault uses custom security profiles, your profile must grant the following <a href="/en/gr/22824/">permissions</a>
:

### Security Profile

Admin: Operations: Jobs: Read
: Grants read-only access to **Operations > Job Definitions**.

Admin: Operations: Jobs: Edit
: Grants ability to edit existing job definitions.

Admin: Operations: Jobs: Interact
: Grants ability to manage scheduled job instances (start, stop, cancel, among others).

Application: File Staging: Access
: Grants ability to connect to file staging and download files extracted using Vault Loader (document source files and renditions).

Objects: Scheduled Data Export: Read
: Grants ability to view records for the **Scheduled Data Export** object.

Admin: Logs
: Grants ability to view and export log data for System Audit, Login Audit, Document Audit, Object Record Audit, and Domain Audit in scheduled exports.

 [2]: #permissions