Avoid Lotus Notes Domino email archiving ACL issues with AdminP
Create a custom AdminP handler to fix mail file delegation and ACL problems caused by third-party email-archiving software for Lotus Notes Domino.
Recently, my company began evaluating third-party email-archiving solutions for Lotus Notes Domino. The product we were looking at stored email messages together with a snapshot of the access control list. I found this to be a clever solution, because it maintains Lotus Notes security configurations on archived documents (both on the client and on the Web). Unfortunately, the "ACL snapshot" feature causes some trouble when delegating mail files -- mostly because of a missing "RemoveGroupMembers" method that occurs with this software.
The email-archiving dilemma
Imagine a scenario, where User A delegates his mail file to User B. (User B has author access -- this will also includes "READER" access.) When the email archive process starts, it will save the ACL together with the Lotus Notes document. So if User B retrieves the document from the archive, there won't be a problem.
 |
||||
|
|
|||
|
||||
Now let's say User B quits the company and is replaced by User C. From there, User A would modify the delegation profile according to the new situation. But what happens when User C wants to access the Lotus Notes documents that were archived before he was given access to the mail file?
To solve this issue, we put a group into each mail file ACL in the following format: #ARC-<FirstName><LastName>-READER. As the name implies, the access level for this group is "READER." When we send a mail document to the archive, this group is now archived as well.
We put User C into this group and he immediately had access to all archived email of User A. Bear in mind that regardless of which access level is given to a user by delegation, he needs at least READER privileges to access documents from within the archive. Manually adding members to a group or deleting them is not a good idea, because you'd have to do all the work yourself -- which is never a good thing.
Solution 1
The email-archiving vendor proposed a modification of the delegation process in Lotus Notes to solve the problem. This is not a good idea at all, because you would have to write a completely new CalendarProfile to achieve this.
|
||||
|
|
|||
|
||||
Solution 2
The simplest answer is to have the abovementioned group in the ACL (and names.nsf ) and add code to the CalendarProfile to add/remove members to/from the group. This keeps the code provided by IBM intact. In addition, you can update to a higher version of Lotus Notes and Domino and easily add your modifications to the new template.
The basic algorithm we're going to custom create will add all mail delegates to the group, and remove a name from this group when the mail file owner revokes access to his Lotus Notes Domino database.
Creating a custom AdminP handler
AdminP is a server task for automating administrative tasks in the background on a schedule. The Domino administration process (AdminP) is a server-side mechanism for automating administrative tasks in the background on a specified schedule. Lotus Notes Domino's AdminP supports everything from user renames to file replications. Starting with version 6 of Lotus Notes and Domino, you can use the NotesAdministrationProcess class to create AdminP requests programmatically with LotusScript.
One of the methods of the NotesAdministrationProcess class is AddGroupMembers. This method adds members (passed as a parameter in the method call) to an existing group; or creates the group when it does not exist and then adds the members to the newly created group. This is a great feature if you want to enable Lotus Notes users in your organization to maintain groups in names.nsf without giving them Author or Editor rights.
But how can you delete users from existing groups using AdminP? Methods like "RemoveGroupMembers" don't exist in the NotesAdministrationProcess class. Since IBM does not provide such a function, I had to create my own.
Bob Balfe of IBM published an article back in 2003 on the IBM developerworks page: Creating a Custom Administration Process Request Handler. This is a great starting point for writing your own AdminP request handlers using the Notes C API.
Following the instructions in the article, I created a new form in admin4.nsf to contain all the fields needed for the new AdminP request:
I saved the compiled nadminplus.exe to the Domino executable directory and started it by typing "load nadminplus" at the Domino server console:
I then created new RemoveGroupMembers requests directly in the admin4.nsf.
You can also use the following LotusScript to create the requests programmatically. This code is not meant to be a solution that can be copied and pasted. You will not find any source code here. This is only a code snippet to help you get started.
'/* Put the following code into the declaration section of an action */ '/* or create a new script library to contain the code */ Const DB_ADMIN4 = "admin4.nsf" Const FLD_FORM = "CustomRequest" Const FLD_PROXYACTION = "5005" ' RemoveGroupMembers | 5001 Class NotesAdministrationProcessPlus Private szServer As String Public Sub new (szServerName As String) Dim s As New NotesSession Dim nn As NotesName Set nn = s.CreateName (szServerName) szServer = nn.Canonical End Sub Public Function RemoveGroupMembers (ListName As String, Members As Variant) As String RemoveGroupMembers = "" If (Ubound (members) = 1 And members(0) ="") Or Trim(ListName) = "" Then Exit Function Else Dim s As New NotesSession Dim db As New NotesDatabase ( szServer, DB_ADMIN4 ) Dim doc As NotesDocument If db.IsOpen Then Set doc = db.CreateDocument doc.Form = FLD_FORM doc.ProxyAction = FLD_PROXYACTION doc.ProxyServer = szServer doc.ListName = ListName doc.Members = Members Call doc.ComputeWithForm(False, False) Call doc.Sign Call doc.Save(False, True) RemoveGroupMembers = doc.NoteID Else End If End If End Function End Class
To create the request documents, use the following code:
Sub Click(Source As Button)
Dim noteid As Variant
Dim members(1) As String
members(0) = "Hein Bloed/Maus/de"
' ...
Dim AdminPP As New
NotesAdministrationProcessPlus
("<YourServer>")
noteid = AdminPP.RemoveGroupMembers
("<YourGroup>", members)
' ...
End Sub
About the author: Ulrich Krause a.k.a eknori has been working as administrator and developer with Lotus Notes and Domino since Release 4. Ulrich is the project chief of OpenNTF's project !!HELP!!, an open source helpdesk system for Lotus Notes and Domino. You can contact Ulrich through his blog at http://www.eknori.de.
Do you have comments on this tip? Let us know.
Please let others know how useful it is via the rating scale below. Do you have a useful Lotus Notes, Domino, Workplace or WebSphere tip or code snippet to share? Submit it to our monthly tip contest and you could win a prize.
