Deleting Terminated Users from ACLs

Access Control List
Domino 6.5
We have databases that include the names of terminated users in their ACLs. We think this happened because we had the wrong server identified as the admin server on these databases, or on templates that control them. For databases controlled by templates, if the users are defined in the template ACL as default users, they get added back into the .nsf database ACL when Design Refresh runs overnight. The name of the server is in these ACLs with Manager access as well. I have logged in using the, but Notes knows that the server is not a client and will not allow me to change ACLs using those rights. Does anyone have an idea how to deal with this problem? I'm thinking I might be able to create a LotusScript agent to walk through all databases and remove the name of anyone in our Terminations Deny Access Group. Maybe if I signed it with the, the server would allow the scheduled agent to run and make the changes. I would appreciate any advice you have on this cleanup effort. We are using Lotus Domino 6.5.

Answer Wiki


>> … For databases controlled by templates, if the users are defined in the template ACL as default
>> users, they get added back into the .nsf database ACL when Design Refresh runs overnight

This is not correct. ACLs do not get changed as part of the nightly design refresh. That only happens when the NSF is created.

Do you have full admin access to the server? If so, you should be able to use the Admin client, use the menu command to turn on full-admin level access and change the ACLs of any database.

Other than cluttering up the ACLs, the obsolete names should not be a problem. The presence of a name in an ACL does not grant them any access. Presumably your server document denies access to the deny-access group. If necessary, contact your server admin to grant you full access. If that is you, edit the server document (see the security tab).

You can write an agent to process ACLs (many examples exist). They will still be subject to ACL rules.

Individual names in an ACL are not a problem. The AdminP process can deal with that. Groups are a better practice in most cases.

If your server security is set up appropriately, you should never have to put a deny-access group name in an ACL. Those people should be denied access to the server. Period.

Previously posted answer from Tpinky has nothing to do with this problem, so I have deleted it. I welcome other suggestions.

Posting from Broxy, below. (Note: This is irrelevant to the question. It doesn’t matter how I got in this state, unless one of the reasons that it is a Best Practice to only put groups in ACLs is because Adminp is unreliable. Is that why? Also, auditors don’t really get Terminations groups. They want to know why the processes don’t work to clean the ACLs. So I need to clean them some other way. I considered posting all of these points as background to prevent people from responding with explanations on the correct way to do things, but I opted not to do so. Apparently, that is a mistake. If anyone has any ideas how to do what I have asked, I welcome the suggestions.)

Why have you got individual usernames in database ACLs anyway? Database ACLs should only use groups, which means that you won't have to worry about scheduled agents updating ACLs, as they never change. It's a bit of a hit to move from individual usernames to groups in the ACL, but not that bad: you can create the groups in the Domino Directory and put them in the database ACLs as you get time, then work your way through the ACLs and move users into the relevant groups as you get time. If you do a few at a time, you can also cut down on the number of calls, as you know on a day-to-day basis who you are switching.

If you put the terminated users group as a deny access list for the database, then this will remove access as soon as the named entry is taken out of the ACL. It's worth noting that access is the sum of group access, so if a user is in more than one group, their access is calculated by working out the highest level of access, unless one is a deny access group, in which case access is denied no matter what the other group allows.

An individual named entry takes precedence over access via a group; I can't remember if named access will override an entry in a deny access group.
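The question proposes a LotusScript agent that walks every database and strips members of the Terminations group from each ACL, and the answer above notes that such agents exist but remain subject to ACL rules. The following is an added example, not code from the original thread or from anyone posting in it. It assumes a deny-access group named "Terminations" in the server's Domino Directory (names.nsf), looks the group up through the directory's hidden ($VIMGroups) view, and must run as a scheduled agent signed with an ID that has Manager access on each database (or with Full Access Administration turned on for the server); acl.Save fails for a signer without Manager rights. It starts in dry-run mode and only logs what it would remove; nested groups are not expanded.

```lotusscript
Option Declare

' Added example (not from the original thread): a scheduled server agent that
' removes every direct member of a deny-access group from the ACL of each
' database and template on the server it runs on.
' Assumptions not stated in the thread: the group is named "Terminations",
' the Domino Directory is names.nsf on the same server, and the agent signer
' has Manager access to every ACL (or Full Access Administration is enabled).
Const DENY_GROUP = "Terminations"
Const DRY_RUN = True          ' set to False to actually remove entries

' Fill members() with the canonical names of the group's direct members.
' Nested groups are not expanded; add recursion here if your deny group nests.
Sub LoadGroupMembers(session As NotesSession, server As String, groupName As String, members List As String)
	Dim dir As NotesDatabase
	Dim view As NotesView
	Dim doc As NotesDocument
	Dim nn As NotesName

	Set dir = session.GetDatabase(server, "names.nsf", False)
	Set view = dir.GetView("($VIMGroups)")        ' hidden directory view keyed on group name
	Set doc = view.GetDocumentByKey(groupName, True)
	If doc Is Nothing Then Error 1000, "Group '" & groupName & "' not found in names.nsf on " & server
	ForAll m In doc.GetItemValue("Members")
		If m <> "" Then
			Set nn = New NotesName(m)
			members(UCase(nn.Canonical)) = nn.Canonical   ' ACL names are case-insensitive
		End If
	End ForAll
End Sub

' Remove matching entries from one database's ACL. Returns the number matched.
Function CleanACL(db As NotesDatabase, members List As String) As Long
	Dim acl As NotesACL
	Dim entry As NotesACLEntry
	Dim nn As NotesName
	Dim hits List As String
	Dim count As Long

	Set acl = db.ACL
	' First pass: collect names so the ACL is never modified while being walked.
	Set entry = acl.GetFirstEntry
	Do Until entry Is Nothing
		Set nn = New NotesName(entry.Name)
		If IsElement(members(UCase(nn.Canonical))) Then hits(entry.Name) = entry.Name
		Set entry = acl.GetNextEntry(entry)
	Loop
	' Second pass: remove the collected names and save the ACL once.
	ForAll h In hits
		Print "  " & db.FilePath & ": " & h
		If Not DRY_RUN Then Call acl.RemoveACLEntry(h)
		count = count + 1
	End ForAll
	If count > 0 And Not DRY_RUN Then Call acl.Save
	CleanACL = count
End Function

Sub Initialize
	Dim session As New NotesSession
	Dim dbdir As NotesDbDirectory
	Dim db As NotesDatabase
	Dim members List As String
	Dim server As String
	Dim kinds(1) As Integer
	Dim total As Long
	Dim k As Integer

	server = session.CurrentDatabase.Server
	Call LoadGroupMembers(session, server, DENY_GROUP, members)

	Set dbdir = New NotesDbDirectory(server)
	kinds(0) = DATABASE
	kinds(1) = TEMPLATE           ' .nsf databases first, then .ntf templates
	For k = 0 To 1
		Set db = dbdir.GetFirstDatabase(kinds(k))
		Do Until db Is Nothing
			On Error Resume Next    ' a database we cannot open or save must not stop the run
			If db.Open("", "") Then total = total + CleanACL(db, members)
			If Err <> 0 Then
				Print "  skipped " & db.FilePath & ": " & Error$
				Err = 0
			End If
			On Error GoTo 0
			Set db = dbdir.GetNextDatabase
		Loop
	Next
	If DRY_RUN Then
		Print "Dry run: " & CStr(total) & " ACL entries would be removed"
	Else
		Print "Removed " & CStr(total) & " ACL entries"
	End If
End Sub
```

Print output from a scheduled agent goes to the server console and the agent log, so run it once with DRY_RUN = True and review the list before switching it off. Matching is done on canonical names, so "CN=Jane Doe/O=Acme" in a group document and the same entry in an ACL compare equal regardless of case; the server's own Manager entry is never touched because it is not a group member.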

Discuss This Question: 3  Replies

  • Brooklynegg
    Update: One of our servers is on 8.0.1. The other is 6.5.6 FP3, but will be upgraded in one month. I don't think this is important to the question, but just wanted to add this detail.
  • GailVan
    I don't understand why you can't remove them from the ACL. Are you in an Admin group with manager and delete access? The users shouldn't be in the template ACL. Change the database so it's not a template, remove them, then make it a template again. Once you delete their person doc in the Domino directory, adminp will go through and delete them. Also, is the 'deny access' group defined in your server doc? You can add these people to this group and they won't be able to access the databases.
  • Broxy
    Sorry, thought my original post would help, but having read your response I have some further thoughts. It is best practice, by the way, to use groups in ACLs rather than named users, and I wouldn't do it any other way, but your problem is that you have templates with ACLs, which I would never do. To fix this, make a copy of the templates using File > Database > Copy and select "don't copy ACL". Once you have created the new copy, set default access to Manager and set the template name, remove the template name from the original and do a one-off design replace. You could also do a file copy from the production app if you're worried about the integrity of the template. Once you have the new empty database (make sure it has a .ntf extension), set the template name and you should be OK; you can do one application at a time to minimise risk. I would move the original templates out of the server data directory to a directory that Notes can't get to, in case you want to look at them in the future. I'm also of the opinion that you shouldn't necessarily need to refresh database designs from templates every night; this shouldn't really be necessary.
