>> … For databases controlled by templates, if the users are defined in the template ACL as default
>> users, they get added back into the .nsf database ACL when Design Refresh runs overnight
This is not correct. ACLs do not get changed as part of the nightly design refresh. That only happens when the NSF is created.
Do you have full admin access to the server? If so, you should be able to use the Admin client, use the menu command to turn on full-admin level access and change the ACLs of any database.
Other than cluttering up the ACLs, the obsolete names should not be a problem. The presence of a name in an ACL does not grant them any access. Presumably your server document denies access to the deny-access group. If necessary, contact your server admin to grant you full access. If that is you, edit the server document (see the security tab).
You can write an agent to process ACLs (many examples exist). They will still be subject to ACL rules.
Individual names in an ACL are not a problem. The AdminP process can deal with that. Groups are a better practice in most cases.
If your server security is set up appropriately, you should never have to put a deny-access group name in an ACL. Those people should be denied access to the server. Period.
Previously posted answer from Tpinky has nothing to do with this problem, so I have deleted it. I welcome other suggestions.
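As an added illustration of the "write an agent to process ACLs" suggestion (this is example code, not from anyone in the thread or from HCL/IBM), the LotusScript agent below walks every database on one server, reports ACL entries whose name is in a constructed list of terminated users, and only removes them when the dry-run flag is switched off. The server name and the two user names are placeholders, and the agent assumes its signer has Manager (or full-access administrator) rights on each database; databases it cannot open are skipped.

```lotusscript
%INCLUDE "lsconst.lss"

' Added example, not from the thread. TARGET_SERVER and the names in
' obsolete() are placeholders; replace them with your own values.
Const DRY_RUN = True                           ' set to False to actually remove entries
Const TARGET_SERVER = "CN=AppServer/O=Example" ' placeholder server name

Sub Initialize
    Dim session As New NotesSession
    Dim dir As New NotesDbDirectory(TARGET_SERVER)
    Dim db As NotesDatabase
    Dim acl As NotesACL
    Dim entry As NotesACLEntry
    Dim nextEntry As NotesACLEntry
    Dim obsolete(1) As String                  ' constructed sample list of terminated users
    obsolete(0) = "CN=Jane Doe/O=Example"
    obsolete(1) = "CN=John Smith/O=Example"
    Dim i As Integer
    Dim changed As Boolean

    Set db = dir.GetFirstDatabase(DATABASE)
    Do While Not db Is Nothing
        ' Open returns False where the signer has no access; those databases are skipped
        If db.Open("", "") Then
            Set acl = db.ACL
            changed = False
            Set entry = acl.GetFirstEntry
            Do While Not entry Is Nothing
                Set nextEntry = acl.GetNextEntry(entry) ' fetch before a possible Remove
                ' Match on the canonical name; user type is deliberately not checked,
                ' because entries with an unspecified type would otherwise be missed
                For i = 0 To UBound(obsolete)
                    If LCase(entry.Name) = LCase(obsolete(i)) Then
                        Print db.FilePath & ": " & entry.Name & " (level " & entry.Level & ")"
                        If Not DRY_RUN Then
                            Call entry.Remove
                            changed = True
                        End If
                    End If
                Next
                Set entry = nextEntry
            Loop
            If changed Then Call acl.Save
        End If
        Set db = dir.GetNextDatabase
    Loop
End Sub
```

Run it once with DRY_RUN left at True and review the agent log before allowing it to modify anything; the report is also a usable audit record for the kind of review the question mentions.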
Posting from Broxy, below. (Note: This is irrelevant to the question. It doesn’t matter how I got in this state, unless one of the reasons that it is a Best Practice to only put groups in ACLs is because Adminp is unreliable. Is that why? Also, auditors don’t really get Terminations groups. They want to know why the processes don’t work to clean the ACLs. So I need to clean them some other way. I considered posting all of these points as background to prevent people from responding with explanations on the correct way to do things, but I opted not to do so. Apparently, that is a mistake. If anyone has any ideas how to do what I have asked, I welcome the suggestions.)
Why have you got individual usernames in database ACLs anyway? Database ACLs should only use groups, which means that you won't have to worry about scheduled agents updating ACLs as they never change. It's a bit of a hit to move from individual usernames to groups in the ACL, but not that bad, as you can create the groups in the Domino Directory and put them in the database ACLs as you get time, then work your way through the ACLs and move users into the relevant groups. If you do a few at a time, then you can also cut down on the number of calls, as you know on a day-to-day basis who you are switching.
If you put the terminated users group as a deny access list for the database, then this will remove access as soon as the named entry is taken out of the ACL. It is worth noting that access is the sum of group access, so if a user is in more than one group, their access is calculated by working out the highest level of access, unless one is a deny access group, in which case access is denied no matter what the other group allows.
An individual named entry takes precedence over access via a group; I can't remember if named access will override an entry in a deny access group.