This forum is closed to new posts and responses. Individual names altered for privacy purposes. The information contained in this website is provided for informational purposes only and should not be construed as a forum for customer support requests. Any customer support requests should be directed to the official HCL customer support channels below:

HCL Software Customer Support Portal for U.S. Federal Government clients
HCL Software Customer Support Portal


Jul 18, 2013, 12:16 PM
20 Posts

Administrator role to change Internet Password?

  • Category: Administration
  • Platform: Windows
  • Release: 9.0
  • Role: Administrator
  • Tags: Administrator
  • Replies: 4
I am wondering if/what Administrator role I would give my Helpdesk to change someone's Internet Password or would I just give them Editor access with the User Modifier Role in the Addressbook ACL?


Thanks
Jul 18, 2013, 1:22 PM
107 Posts
You could give them Author access plus the UserModifier role.
Note, however, that this will enable them to modify person documents in general, not just Internet passwords, since the standard Person form in the public NAB template does not allow you to differentiate what fields on the form are editable depending on a role. If that is an essential requirement, one would have to create a custom form and a view that selects only Person documents, with a form formula that instructs Notes to open documents using the custom form. And you'd have to restrict access to all standard views that display Person documents. Alternatively, one could create a dialog that allows Helpdesk staff to choose a user and assign a new Internet password to that user, plus an agent running on behalf of someone who has administrative privileges that writes the new password to the person document. The second solution is more secure, because it can be implemented without the need to give Helpdesk staff the UserModifier role (which is needed for the first solution, so a knowledgeable Helpdesk user could still access person documents through a search or a private view and open them with the standard form.)

In short, it would require a few non-trivial changes to the design of your NAB if you wish to restrict Helpdesk staff to only change Internet passwords of users, but nothing else.
Jul 18, 2013, 3:05 PM
6 Posts
Use additional application

I recommend developing an additional application where the helpdesk can select the user, then enter and save the new password. The request will be queued and a scheduled agent (running with the server ID) sets the password field in the person document accordingly. So you do not need to modify the design of the Domino Directory, can use a history for the requests (preventing misuse of this function) and keep your help desk staff from accessing the Domino Directory directly. We developed such an application for some of our customers and it is used not only for the internet password but also for address data, mail forwarding, e.g.

Regards,

Thorsten

Jul 19, 2013, 7:10 AM
107 Posts
You are raising a valid point.
In fact, modifying the NAB design can cause headaches when the Domino server is upgraded to a newer version -- especially if best practices of how to handle customized features were ignored.
I agree with you that a separate application is the best solution.
Jul 26, 2013, 2:21 PM
1 Posts
Why not use an external DB

Hi,

Modifying the NAB design is not recommended at all. Instead of giving your people author access to these docs, I would advise using an external DB. Usually it's best to let your users handle and reset their passwords if needed; this can be done with a single form that identifies the user (@Username) and an agent that has the proper rights to edit person docs in your NAB, and write the hashed password into the HTTPPassword field. This way you don't have to grant access to the documents, plus it's pretty simple to create some logs so your helpdesk people can keep track and/or initiate these password changes.
By the way, I've had to assign new HTTP passwords to all users in our NAB once, and found Ytria's scanEZ tool extremely useful - it would let you make changes (like assign hashed values to the HTTPPassword items) without having to do any coding - cool stuff.

 

Cheers

 

Wade
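
The scheduled agent that the "additional application" and "external DB" posts above describe, written out as an added example; it is not code from the thread or from any poster's application. The request database layout (view `PendingRequests` selecting unprocessed requests, fields `TargetUser`, `NewPassword`, `Status`, `ProcessedAt`) is hypothetical, and the directory is assumed to be `names.nsf` on the same server.

```lotusscript
' Added example. Runs on schedule in the separate request database,
' signed by an ID that is allowed to edit person documents.
' View and field names in the request database are hypothetical.
Option Public
Option Declare

Sub Initialize
    Dim session As New NotesSession
    Dim reqDb As NotesDatabase, nab As NotesDatabase
    Dim pending As NotesView, users As NotesView
    Dim req As NotesDocument, nextReq As NotesDocument
    Dim person As NotesDocument

    Set reqDb = session.CurrentDatabase
    Set nab = session.GetDatabase(reqDb.Server, "names.nsf", False)
    If nab Is Nothing Then Exit Sub
    If Not nab.IsOpen Then Exit Sub

    Set pending = reqDb.GetView("PendingRequests")
    pending.AutoUpdate = False          ' keep iteration stable while saving
    Set users = nab.GetView("($Users)")

    Set req = pending.GetFirstDocument
    Do Until req Is Nothing
        Set nextReq = pending.GetNextDocument(req)

        ' Exact-match lookup of the person document by the requested name
        Set person = users.GetDocumentByKey(req.GetItemValue("TargetUser")(0), True)
        If person Is Nothing Then
            Call req.ReplaceItemValue("Status", "Failed: user not found")
        Else
            ' Store only the hashed value, never the clear text
            Call person.ReplaceItemValue("HTTPPassword", _
                session.HashPassword(req.GetItemValue("NewPassword")(0)))
            Call person.Save(True, False)
            Call req.ReplaceItemValue("Status", "Done")
        End If

        ' Remove the clear-text password; keep the rest as the request history
        Call req.RemoveItem("NewPassword")
        Call req.ReplaceItemValue("ProcessedAt", Now)
        Call req.Save(True, False)

        Set req = nextReq
    Loop
End Sub
```

The new password is readable in the request document until the agent runs, so restrict who can read those documents (for example with a Readers field) and keep the schedule interval short. Helpdesk staff need access only to the request database, not to the directory.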

