Detect and fix 'Manager' access control list settings in Lotus Notes Domino


Andy Pedisich
08.23.2007
Rating: 2.92 (out of 5)




You may be surprised to know that many Lotus Notes database access control list (ACL) settings are configured to a default level of "Manager." Learn how to detect inappropriate ACL levels in your Lotus Notes Domino environment and find out how to fix this security and permissions issue using the Lotus Notes Database Catalog.
Granting someone Manager access to a Lotus Notes Domino database is serious stuff. It's the kind of thing you don't want to do without putting some thought into it, since it obviously gives a Lotus Notes user the ultimate power to mess with documents, change an access control list (ACL), and even delete the Domino database itself.

What would you think about setting up a Lotus Notes database with an ACL whose default setting is set to Manager access? That would be terrible, right? It's literally akin to hanging the keys to your house on your front door, inviting someone to come right in and make breakfast in your kitchen.



Based on what I have seen in doing Domino domain audits, I can almost guarantee that you have Lotus Notes databases in your domain right now that have the Default access level set to Manager.

You might not realize it, but there's a built-in Lotus Notes database that will help you find out if you have this issue and help you fix it too. It's called the Lotus Notes Database Catalog.

Many Lotus Notes Domino domains have the catalog configured so that one replica of the catalog contains a list of databases from all the Domino servers (see the Notes Administrator's Help for how to set this up). It's best to use a catalog of this type, since it has records for all Lotus Notes databases on all servers in the domain.

In other domains, every server's catalog contains the contents of all other catalogs.

If you don't have a master catalog, use the catalog on each Lotus Domino server.

After opening the catalog of your choosing, go to the view called Access Control Lists / By Level.

The top part of this view will show you which Lotus Notes databases have their Default access level set to Manager. What you find there might be a little disturbing.

My business partner, Rob Axelrod, also likes another view called Access Control Lists / By Name, where you can easily see how the Default entry has been set across Lotus Notes databases.

But wait, there's more! Domino users and developers who have Manager access to Lotus Notes databases can decide they don't want their databases listed in the catalog at all. They can uncheck the "List in Database Catalog" checkbox in the properties for a database. In these cases, the Lotus Notes databases will not be listed in the Access Control Lists / By Level or By Name views in the catalog.

That doesn't mean the database records aren't in the catalog; it just means that they're not listed. Each record for one of these Lotus Notes databases has a field called DbListInCatalog set to a "0."

Almost all mail files are configured in this way, and each Lotus Notes view in the catalog has a selection formula that tells the view to only show Lotus Notes documents that do not have that field set to a "0."

If you want to see all of the Lotus Notes database records, including mail file records, make a copy of the Access Control Lists / By Level or By Name view, take it into the Notes Designer client and remove the last part of the selection formula that says: & !(DBListInCatalog = "0").

This view will show you all applications in the catalog -- including the ones where DBListInCatalog is set to a "0" -- that have their Default access level set to Manager access. You might find some real shockers here, so be prepared!

You can easily use the "Open" button in the action bar at the top of the Lotus Notes database entry in the catalog to open the database and fix these access control lists. After all, you do have Manager access.

And while you're in the catalog, check the list of Lotus Notes databases whose Default entry is set to Designer or Editor. Those levels are also far too powerful to be granted to -Default-.
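To make the effect of that trailing `& !(DBListInCatalog = "0")` clause concrete, here is an added audit script (not part of the original tip, and not a Domino API) that runs over constructed catalog records. Only DbListInCatalog is a field the tip names; the `default_access` key is an assumed name for however you export each database's -Default- entry from the catalog.

```python
"""Audit constructed Database Catalog records for over-permissive -Default-
ACL levels. The records are constructed sample data, not real catalog.nsf
documents; 'default_access' is an assumed export field name."""
from collections import defaultdict

# Notes ACL levels from weakest to strongest.
ACL_LEVELS = ["No Access", "Depositor", "Reader", "Author",
              "Editor", "Designer", "Manager"]
# Levels the tip says are too powerful to be granted to -Default-.
TOO_POWERFUL = {"Manager", "Designer", "Editor"}

# Constructed catalog records (the mail file is hidden from the stock views).
CATALOG = [
    {"title": "Sales Tracking", "path": "apps/sales.nsf", "server": "HUB01/ACME",
     "default_access": "Manager", "DbListInCatalog": "1"},
    {"title": "Help Desk", "path": "apps/helpdesk.nsf", "server": "HUB01/ACME",
     "default_access": "Editor", "DbListInCatalog": "1"},
    {"title": "Jane Doe", "path": "mail/jdoe.nsf", "server": "MAIL01/ACME",
     "default_access": "Manager", "DbListInCatalog": "0"},
    {"title": "Intranet", "path": "web/intranet.nsf", "server": "WEB01/ACME",
     "default_access": "Reader", "DbListInCatalog": "1"},
]

def visible_in_catalog_views(rec):
    """Mirror the stock view's trailing clause `& !(DBListInCatalog = "0")`."""
    return rec.get("DbListInCatalog") != "0"

def audit(records, include_hidden):
    """Return {level: [server!!path, ...]} for records whose -Default- is too
    powerful. include_hidden=False reproduces what the stock views list;
    include_hidden=True is what the copied view shows once the clause is removed."""
    findings = defaultdict(list)
    for rec in records:
        if not include_hidden and not visible_in_catalog_views(rec):
            continue  # the stock views silently skip these records
        level = rec["default_access"]
        if level in TOO_POWERFUL:
            findings[level].append(f'{rec["server"]}!!{rec["path"]}')
    # Most powerful level first, matching the top of the By Level view.
    return {lvl: sorted(findings[lvl]) for lvl in reversed(ACL_LEVELS) if lvl in findings}

if __name__ == "__main__":
    for lvl, dbs in audit(CATALOG, include_hidden=True).items():
        print(lvl, dbs)
```

With include_hidden=False the mail file's Manager default never appears, which is exactly the blind spot the copied view closes.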

Feel free to write to me at Andyp@Technotics.com and tell me what you found.

About the author: Andy Pedisich is President of Technotics, Inc. He has been working with Lotus Notes and Domino since Release 2. Technotics provides strategic consulting and training on collaborative infrastructure projects for customers throughout the world. You can contact Technotics through their Web site at www.technotics.com.

MEMBER FEEDBACK TO THIS TIP

Opening Lotus Notes databases from the Lotus Notes Database Catalog is not needed. If you use the Domino Administrator found in the Files tab, the Database Catalog is available with all the tools you need. By doing this, you can select several different Lotus Notes databases, while simultaneously managing ACLs (access control lists).
—Felipo M.

******************************************

This is a useful discussion and one that some less-experienced Domino administrators may have overlooked.

The article has prompted me to perform an ad hoc audit, as I understand and agree that it is amazing how many of these will slip through the net over time, even though we operate clear standards to prevent it from happening.

One small comment that you may like to build into future discussions is the flag: DBListInCatalog = "0". I do have Lotus Notes views where this flag has been removed, but I have added some security to the view to restrict it to our Lotus Notes Domino administration team. One level of security that someone may use in an organization is to make the Lotus Notes database listed in the catalog invisible from public view. This makes it more secure than the one that is visibly listed for public view.
—Pete S.

All Rights Reserved, Copyright 1999 - 2009, TechTarget | Read our Privacy Policy