Have you ever had a user with a serious paranoia problem and a gift for writing simple agents that had deadly consequences? I think you know the type -- smart enough to have Manager Access, paranoid enough to Deny Access to LocalDomainAdmins, and dumb enough to write a simple agent that tries to forward all e-mail to a Yahoo account.
E-mail is forwarded to Yahoo until the mailbox fills up, then Yahoo starts sending messages to the person telling him that his mailbox is full. Those messages are also forwarded to Yahoo, where they are responded to and forwarded again in a merry game of "How Fast Can We Crash the Server." It's a fun game to watch, if it's not my domain or my mail server!
When people used to ask me what I wanted for Christmas, I always said, "Please give me a way I can get into an evil user's mail file without sparking up the client on the server or mapping a drive to the server." Santa gave me what I wanted in Release 6 -- the wonderful functionality called Full Access Administrator.
The feature is activated using the Notes Administrator Client.
Having Full Access Administrator privileges means you can get into almost any file or document, provided you're in a group that's in the right field in the server document. You can't open stuff that's encrypted for someone else though. Full Access Administrator doesn't break all the security rules -- it just bends most of them.
Like the pop-up help on the field says: "The people listed here get the same rights as Administrators as well as Manager access to ALL databases on this server, regardless of the ACL on the databases. They have Manager Access, with all roles enabled, to the Web Administrator database (WEBADMIN.NSF)."
Wow! That is so cool I can hardly stand it! Nobody locks me out anymore!
But the pop-up goes on to give us this dire warning: "This access level should only be given to trustworthy people who truly need access to all databases on this server."
So who do you give this monstrous amount of power to, and how do you track when they use it? I'll leave that part up to you. Every domain has rules about who gets the power. I assume that you'll take the necessary precautions given the potential for abuse of this privilege.
But let's establish two rules for using this power I think make sense in any enterprise:
- Administrators should turn it on when they encounter a problem that requires that amount of strength, and then turn it off when they are done.
Once switched on, Full Access Administrator power will continue when you move to other servers. This can be dangerous. Documents and files can be deleted quickly by mistake.
- Full Access Administrator functionality should not be used in place of a good security architecture.
No day-to-day processes should require that Full Access Administration be used by an administrator. This is especially true when controlling access to the address book. In my opinion, it should never be necessary to use Full Access Administrator to change an Address Book Design or to monkey with a Notes Address Book access control list (ACL).
You even might consider giving trusted admins special IDs that can have this functionality. Administrators would have to switch IDs before they could use the privilege. This further limits the scope of how this power can be used and who can use it.
Lastly, you should always know when someone turns on Full Access Administrator. The simplest way to be notified is to create an event in the Monitoring Configuration Database (Events4.nsf). Every time someone accesses a server with Full Access Administrator enabled, the event is logged on the console and in the log. It looks like this:
01/27/2006 11:29:18 AM Andrew M Pedisich/Technotics was granted full administrator access.
To capture that someone turned it on, create an event that looks like this. Make sure you are monitoring every Domino server.
Then have it look for the words "was granted full administrator access."
Make two of these events. Create one that logs to a statrep.nsf on your admin server.
Then make another that pages your top-level Domino administrators.
It might turn out that you need to adjust security to make it easier for your Notes/Domino administrators to do what they do without using this special power. Then again, you might end up slapping a few wrists.
Ask for an explanation every time the power of Full Access Administrator is used. This will help decrease the risk of it being abused by some monster of an administrator. Also, remind your administrators that disabling the alert that notifies you when "The Power" is turned on is a "career-shortening event" they might watch out for.
About the author: Andy Pedisich is President of Technotics, Inc. He has been working with Lotus Notes and Domino since Release 2. Technotics provides strategic consulting and training on collaborative infrastructure projects for customers throughout the world. You can contact Technotics through their Web site at www.technotics.com.
I have found that the Full Access Administrator only works if you have a direct connection to the server. If you are coming in through a pass-through server, it will not work!
Using the xACL further restricts the use of this function. For example, we use the xACL to hide the contents of the field and also use it to ensure that only a select group of admins can actually edit the field.
Do you have comments on this tip? Let us know.
Please let others know how useful this tip is via the rating scale below. Do you have a useful Lotus Notes, Domino, Workplace or WebSphere tip or code snippet to share? Submit it to our tip contest and you could win a prize.