Granting someone Manager access to a Lotus Notes Domino database is serious stuff. It's the kind of thing you don't want to do without putting some thought into it, since it obviously gives a Lotus Notes user the ultimate power to mess with documents, change an access control list (ACL), and even delete the Domino database itself.
What would you think about setting up a Lotus Notes database with an ACL whose -Default- entry is set to Manager access? That would be terrible, right? It's like hanging the keys to your house on your front door, inviting anyone to come right in and make breakfast in your kitchen.
Based on what I have seen in doing Domino domain audits, I can almost guarantee that you have Lotus Notes databases in your domain right now that have the Default access level set to Manager.
You might not realize it, but there's a built-in Lotus Notes database that will help you find out if you have this issue and help you fix it too. It's called the Lotus Notes Database Catalog.
Many Lotus Notes Domino domains have the catalog configured so that one replica of the catalog contains records for the databases on all the Domino servers (see the Domino Administrator Help for how to set this up). It's best to use a catalog of this type, since it has records for all Lotus Notes databases from all servers in the domain.
In other domains, every server's catalog contains the contents of all other catalogs.
After opening the catalog of your choosing, go to the view called Access Control Lists / By Level.
The top part of this view will show you which Lotus Notes databases have their Default access level set to Manager. What you find might be a little disturbing.
My business partner, Rob Axelrod, also likes another view called Access Control Lists / By Name, where you can see at a glance what Default access level has been applied to each Lotus Notes database.
But wait, there's more! Domino users and developers who have Manager access to Lotus Notes databases can decide they don't want their databases listed in the catalog at all. They can uncheck the "List in Database Catalog" checkbox in the properties for a database. In these cases, the Lotus Notes databases will not be listed in the Access Control Lists / By Level or By Name views in the catalog.
That doesn't mean the database records aren't in the catalog; it just means that they're not shown in the views. The record for each of these Lotus Notes databases has a field called DbListInCatalog set to "0."
Almost all mail files are configured this way, and each view in the catalog has a selection formula that tells the view to show only documents that do not have that field set to "0."
If you want to see all of the Lotus Notes database records, including mail file records, make a copy of the Access Control Lists / By Level or By Name view (leave the original view alone), open the copy in Domino Designer and remove the last part of the selection formula, the clause that reads: & !(DBListInCatalog = "0").
This view will show you all applications in the catalog -- including the ones where DBListInCatalog is set to a "0" -- that have their Default access level set to Manager access. You might find some real shockers here, so be prepared!
You can easily use the "Open" button in the action bar at the top of the Lotus Notes database entry in the catalog to open the database and fix these access control lists. After all, with -Default- set to Manager, you have Manager access just like everyone else.
And while you're in the catalog, check the list of Lotus Notes databases that have -Default- set to Designer or Editor. Those levels are also far too much privilege to hand out as -Default-.
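The same audit can be run outside the Notes client against an export of the catalog records, which is handy when you want to check every server at once or keep a record of what you found. The script below is an added example and is not code from the tip or from IBM/Lotus. It assumes the catalog view has been exported to CSV; the DbListInCatalog field is the real one discussed above, but the other column names (Title, Server, Pathname, DefaultAccess) and the sample rows are constructed for this example and should be mapped to whatever your export actually contains. It reproduces the stock views' filtering (records with DbListInCatalog = "0" are dropped) and the modified view (nothing is dropped), and flags -Default- at Editor, Designer or Manager.

```python
import csv
import io

# Domino ACL access levels, weakest to strongest.
ACL_LEVELS = ["No Access", "Depositor", "Reader", "Author",
              "Editor", "Designer", "Manager"]

# Constructed sample of a CSV export of catalog records. Only DbListInCatalog
# is a field name taken from the catalog; the other column names are
# assumptions for this example.
SAMPLE_CATALOG_CSV = r"""Title,Server,Pathname,DefaultAccess,DbListInCatalog
Sales Tracking,HUB01/Acme,apps\sales.nsf,Manager,1
Discussion,HUB01/Acme,discuss.nsf,Reader,1
Project Docs,HUB02/Acme,projects\docs.nsf,Designer,1
J Doe Mail,MAIL01/Acme,mail\jdoe.nsf,Manager,0
Team Room,HUB02/Acme,teamroom.nsf,Editor,0
Public Forms,HUB01/Acme,forms.nsf,Author,1
"""


def level_rank(level):
    """Numeric rank of an ACL level so that levels can be compared."""
    try:
        return ACL_LEVELS.index(level)
    except ValueError:
        raise ValueError(f"unknown ACL level: {level!r}")


def stock_view_shows(record):
    """The catalog's stock views end their selection formula with
    & !(DBListInCatalog = "0"), so a record flagged "0" is never shown."""
    return record["DbListInCatalog"] != "0"


def audit_default_access(csv_text, minimum="Editor", include_hidden=True):
    """Return (server, pathname, default_level, hidden) for every record whose
    -Default- entry is at or above `minimum`, worst offenders first.
    With include_hidden=False the result matches the unmodified catalog views;
    with include_hidden=True it matches the copied view with the
    DBListInCatalog clause removed."""
    findings = []
    for rec in csv.DictReader(io.StringIO(csv_text)):
        hidden = not stock_view_shows(rec)
        if hidden and not include_hidden:
            continue
        if level_rank(rec["DefaultAccess"]) >= level_rank(minimum):
            findings.append(
                (rec["Server"], rec["Pathname"], rec["DefaultAccess"], hidden))
    findings.sort(key=lambda f: (-level_rank(f[2]), f[0], f[1]))
    return findings


if __name__ == "__main__":
    for server, path, level, hidden in audit_default_access(SAMPLE_CATALOG_CSV):
        flag = "  (not listed in catalog)" if hidden else ""
        print(f"{level:8} {server:12} {path}{flag}")
```

Run with the stock-view behaviour (include_hidden=False) first and then with the hidden records included; the difference between the two lists is exactly the set of databases, mail files above all, that the unmodified catalog views would never have shown you.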
Feel free to write to me at Andyp@Technotics.com and tell me what you found.
About the author: Andy Pedisich is President of Technotics, Inc. He has been working with Lotus Notes and Domino since Release 2. Technotics provides strategic consulting and training on collaborative infrastructure projects for customers throughout the world. You can contact Technotics through their Web site at www.technotics.com.
Opening Lotus Notes databases from the Lotus Notes Database Catalog is not needed. If you use the Files tab in the Domino Administrator, the Database Catalog is available with all the tools you need. By doing this, you can select several different Lotus Notes databases and manage their ACLs (access control lists) at the same time.
This is a useful discussion and one that some less-experienced Domino administrators may have overlooked.
The article has prompted me to perform an ad hoc audit, as I understand and agree that it is amazing how many of these will slip through the net over time, even though we operate clear standards to prevent it from happening.
One small comment that you may like to build into future discussions is the flag: DBListInCatalog = "0". I do have Lotus Notes views where this flag has been removed, but I have added some security to the view to restrict it to our Lotus Notes Domino administration team. One level of security that someone may use in an organization is to make the Lotus Notes database listed in the catalog invisible from public view. This makes it more secure than the one that is visibly listed for public view.