Q

Trusting system admin staff

In a recent question from a searchDomino member, I addressed the issue of system administration people being able to read users' email messages. I said that, to some extent, you just had to trust system admin people.

Member Douglas Butler responded with some helpful information about how his company handles this situation. Here is what he wrote:

I have worked for two different companies as the Domino Administrator. In both cases, we turned on mail encryption on the server (in NOTES.INI in R4 and in the server configuration document in R5). In addition, we add an entry for "[Notes Administrators]" to the ACL of the mail template (e.g., MAIL50.NTF) as a "Person Group" with "Manager" access, but (to prevent mistakes) no delete privileges.

The square brackets around the template ACL entry ensure that Notes Administrators will, by default, have manager access to all newly created mail files (existing mail files can easily be updated by mailing a button-based script to all users). When new users are created, either the user types in their password directly, or an administrative clerk enters a temporary one of her choosing. The clerk does not get access to the ID file, and the Administrator does not know the password. Finally, we tell all users that there is absolutely no reason to give out their Notes password.

So, now we have the following: Notes Administrators have full manager access to all user mail files, but (because of forced mail encryption) cannot read the mail; any activity we do perform is recorded in the logs under the name of the administrator actually performing the work, not under some ID that they also know the password to; maintenance is much easier, because we are always working under our own IDs.

(Thanks for helping, Doug!)

Chuck Connell

This was first published in September 2001
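
The response above mentions updating existing mail files by mailing a button-based script to users. The following LotusScript is an added sketch of such a button, not code from the article or from Douglas Butler. It assumes R5 or later (for the `UserType` property), that the user clicks the button inside their own mail file and has Manager access to it, and that the group is named "Notes Administrators".

```lotusscript
' Added example, not from the original article.
' Assumptions: runs from a button in a memo opened in the user's own mail file;
' the group name below matches the one used in the mail template ACL.
Sub Click(Source As Button)
    Const ADMIN_GROUP = "Notes Administrators"

    Dim session As New NotesSession
    Dim db As NotesDatabase
    Dim acl As NotesACL
    Dim entry As NotesACLEntry

    ' In a mailed button, CurrentDatabase is the mail file holding the memo
    Set db = session.CurrentDatabase

    ' Only a Manager can change the ACL; stop cleanly otherwise
    If db.CurrentAccessLevel < ACLLEVEL_MANAGER Then
        Messagebox "Manager access to your mail file is required.", 48, "ACL update"
        Exit Sub
    End If

    Set acl = db.ACL
    Set entry = acl.GetEntry(ADMIN_GROUP)

    If entry Is Nothing Then
        ' Group is not listed yet: add it as Manager
        Set entry = acl.CreateACLEntry(ADMIN_GROUP, ACLLEVEL_MANAGER)
    Else
        ' Group already listed: bring it to the same level as the template
        entry.Level = ACLLEVEL_MANAGER
    End If

    ' Match the template entry: "Person Group", Manager, no delete privileges
    entry.UserType = ACLTYPE_PERSON_GROUP
    entry.CanDeleteDocuments = False

    ' ACL changes are not written until Save is called
    Call acl.Save

    Messagebox ADMIN_GROUP & " now has Manager access (no delete).", 64, "ACL update"
End Sub
```

The script changes only the ACL; mail that the server encrypted for the user stays unreadable to administrators.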
