Avoid Lotus Notes Domino email archiving ACL issues with AdminP

Recently, my company began evaluating third-party email-archiving solutions for Lotus Notes Domino. The product we were looking at stored email messages together with a snapshot of the access control list. I found this to be a clever solution, because it maintains Lotus Notes security configurations on archived documents (both on the client and on the Web). Unfortunately, the "ACL snapshot" feature causes some trouble when delegating mail files -- mostly because of a missing "RemoveGroupMembers" method that occurs with this software.

The email-archiving dilemma

Imagine a scenario, where User A delegates his mail file to User B. (User B has author access -- this will also includes "READER" access.) When the email archive process starts, it will save the ACL together with the Lotus Notes document. So if User B retrieves the document from the archive, there won't be a problem.

Free Archiving Seminar Get independent expert advice on designing and deploying an email and file archiving strategy - register today!

Now let's say User B quits the company and is replaced by User C. From there, User A would modify the delegation profile according to the new situation. But what happens when User C wants to access the Lotus Notes documents that were archived before he was given access to the mail file?

To solve this issue, we put a group into each mail file ACL in the following format: #ARC-<FirstName><LastName>-READER. As the name implies, the access level for this group is "READER." When we send a mail document to the archive, this group is now archived as well.

We put User C into this group and he immediately had access to all archived email of User A. Bear in mind that regardless of which access level is given to a user by delegation, he needs at least READER privileges to access documents from within the archive. Manually adding members to a group or deleting them is not a good idea, because you'd have to do all the work yourself -- which is never a good thing.

Solution 1

The email-archiving vendor proposed a modification of the delegation process in Lotus Notes to solve the problem. This is not a good idea at all, because you would have to write a completely new CalendarProfile to achieve this.

Related resources from SearchDomino.com: An Administration Process (AdminP) crash course Lotus Notes Domino AdminP Reference Center Lotus Notes Domino Archiving Reference Center

Solution 2

The simplest answer is to have the abovementioned group in the ACL (and names.nsf ) and add code to the CalendarProfile to add/remove members to/from the group. This keeps the code provided by IBM intact. In addition, you can update to a higher version of Lotus Notes and Domino and easily add your modifications to the new template.

The basic algorithm we're going to custom create will add all mail delegates to the group, and remove a name from this group when the mail file owner revokes access to his Lotus Notes Domino database.

Creating a custom AdminP handler

AdminP is a server task for automating administrative tasks in the background on a schedule. The Domino administration process (AdminP) is a server-side mechanism for automating administrative tasks in the background on a specified schedule. Lotus Notes Domino's AdminP supports everything from user renames to file replications. Starting with version 6 of Lotus Notes and Domino, you can use the NotesAdministrationProcess class to create AdminP requests programmatically with LotusScript.

One of the methods of the NotesAdministrationProcess class is AddGroupMembers. This method adds members (passed as a parameter in the method call) to an existing group; or creates the group when it does not exist and then adds the members to the newly created group. This is a great feature if you want to enable Lotus Notes users in your organization to maintain groups in names.nsf without giving them Author or Editor rights.

But how can you delete users from existing groups using AdminP? Methods like "RemoveGroupMembers" don't exist in the NotesAdministrationProcess class. Since IBM does not provide such a function, I had to create my own.

Bob Balfe of IBM published an article back in 2003 on the IBM developerworks page: Creating a Custom Administration Process Request Handler. This is a great starting point for writing your own AdminP request handlers using the Notes C API.

Following the instructions in the article, I created a new form in admin4.nsf to contain all the fields needed for the new AdminP request:

I saved the compiled nadminplus.exe to the Domino executable directory and started it by typing "load nadminplus" at the Domino server console:

I then created new RemoveGroupMembers requests directly in the admin4.nsf.

You can also use the following LotusScript to create the requests programmatically. This code is not meant to be a solution that can be copied and pasted. You will not find any source code here. This is only a code snippet to help you get started.

'/* Put the following code into the 
declaration section of an action */
'/* or create a new script 
library to contain the code */
Const DB_ADMIN4 = "admin4.nsf"
Const FLD_FORM = "CustomRequest"
Const FLD_PROXYACTION = "5005" 
' RemoveGroupMembers | 5001

Class NotesAdministrationProcessPlus
 
Private szServer As String

Public Sub new (szServerName As String)
Dim s As New NotesSession
Dim nn As NotesName
Set nn = s.CreateName (szServerName)
szServer = nn.Canonical
End Sub

Public Function 
 RemoveGroupMembers 
(ListName As String, Members As Variant) 
As String
RemoveGroupMembers = ""
If  (Ubound (members) = 1 
And members(0) ="") Or Trim(ListName) = 
""  Then
Exit Function
Else
Dim s As New NotesSession
Dim db As New NotesDatabase
( szServer, DB_ADMIN4 )
Dim doc As NotesDocument
 
If db.IsOpen Then
Set doc = db.CreateDocument
doc.Form = FLD_FORM
doc.ProxyAction = FLD_PROXYACTION
doc.ProxyServer = szServer
doc.ListName = ListName
doc.Members = Members
Call doc.ComputeWithForm(False, False)  
Call doc.Sign
Call doc.Save(False, True)
RemoveGroupMembers = doc.NoteID
Else
   
End If
 End If
  
 End Function
End Class

To create the request documents, use the following code:

Sub Click(Source As Button)
Dim noteid As Variant 
Dim members(1) As String 
members(0) = "Hein Bloed/Maus/de"
' ... 

Dim AdminPP As New 
NotesAdministrationProcessPlus 
("<YourServer>")
noteid = AdminPP.RemoveGroupMembers 
("<YourGroup>", members)
' ... 
 
End Sub

Do you have comments on this tip? Let us know.

Please let others know how useful it is via the rating scale below. Do you have a useful Lotus Notes, Domino, Workplace or WebSphere tip or code snippet to share? Submit it to our monthly tip contest and you could win a prize.