The Catalog will not generate a report but it will collect the ACL details when it adds the database information.  You can either export the data or write an agent to extract the data for yourself.

Hi Manjula,

you can do what you are asking for with aclEZ, which is a tools specifically made to analyze, report and mass modify ACLs. (see screenshot)

Let me know if you need further info or help.

Disclaimer: I work for Ytria

reenshot)

Thank you very much for your reply Andre. For now, we would like to see what can be achieved within Domino itself. Then, we will consider other options.

Thank you for your reply D Porter. It is absolutely fine to display the info in the catalog.nsf. I can export it then. But how do I do that? How do I insert the database in catalog.nsf so that I can audit the ACL?

Databases are added to the database catalog when the database property "List in Database Catalog" is set.  This can be found in the design tab of the database properties.

You may also wish to add a category such as Mail  and this will be added to the entry when added to the catalog.  There is a view in the catalog which allows you to view databases by category so it will save you some time looking for the databases you want.

The catalog task will run by default at 1am but if you want to run it adhoc you can use the command "load catalog" on the console.

Take a look here too: https://www.ibm.com/support/knowledgecenter/SSKTMJ_8.5.3/com.ibm.help.domino.admin85.doc/H_MANAGING_THE_DATABASE_CATALOG_OVERVIEW.html

Exporting the data is done by going to the view of choice and going to the File menu and selecting "Export...".  I would suggest you try the .csv option as you can manipulate the data in Excel later.  The view which you will want to export is Access Control Lists\By Application which has all the databases by file name.

If you need a "user-to-DB" map, that's more complicated than most people are talking about here.

With small usership though, it's not hard to produce. The API has NotesDatabase.QueryAccess, and you can build a list of people, then check on their accesses to each DB.

The bigger it gets, the more you'll need to cut into the number of people to check. There, you'll probably need to check -Default- & Anonymous settings to represent "everybody else".

And then you'd need to look up group entries from each DB's acl.

Groups are hard to expand-out, because there's not an API to expand them. However, you can do pretty well with one of the hidden "(LDAP)" views in the Address Book. Keep in mind, groups may not grant users access if you use "mail-only" and "deny-access" settings.

Thank you for your reply, D Porter.

Your post was extremely helpful.

We just have to run the cataloger task because the data in catalog.nsf is not up to date. For example, it says a secretary has delete rights in the database of her boss when in fact she doesn't.

Thank you for your reply, Mike.

For now, we are able to manage with the data in the catalog.nsf. When it gets updated of course.

The IBM Notes ACL tool below will allow you to audit all your Notes mailboxes and DBs in your Domino environment.  It will export all the ACLs including nested groups to Excel.   And that's just a one of the many security reporting features as seen below.

IBM Notes administration reporting and management security tool | ACL Dominator

Manage all ACLs, DB properties and mailbox preference properties on your Domino servers. Prevent security breaches, optimize server performance, assist with message migrations, reduce risk exposure to cyber-attacks and improve Domino administrator productivity. Export nested groups to Excel. User activity and DAOS reports.

http://www.notesmail.com/ACLdominator

Fix Security Holes, Optimize Server Performance and Prepare for Message Migration

 Reports can assist a Domino Administrator to fix security holes, optimize server performance and prepare for a messaging migration (i.e. IBM SmartCloud Notes Hybrid).

• Report, manage, analyze, audit, export, update all Access Control Lists - (useful to fix security holes)
• Advanced database properties report - (useful to verify DBs are using latest Domino compression / optimization)
• Mailbox/DB document count report - (useful to identify mailbox/DBs which require archiving)
• Full Text Index reports - (useful to optimize server performance by identifying non-critical mailbox/DBs using "Immediate" frequency which should ideally be changed to "Hourly" or "Daily)
• Mailbox delegation - (useful for messaging migrations)
• Mailbox user activity reports - (useful to identify mailboxes which can be retired)
• Group troubleshooting - (useful to identify mailbox/DB access issues using heavily nested groups)
• Mailbox owner reports including changing owner ACL - (useful to force mailbox access of all mailbox users to Editor)i.e. Specify "$$MailOwner" in tool when performing ACL updates
• DAOS reports including Logical, Physical and DAOS size - (useful to identify attachment consolidation disk space savings)

tags: lotus notes acl tool, lotus notes acl manager, lotus notes group explorer, expander, lotus notes acl report, lotus notes database properties, lotus notes user activity, domino admin export files tab, explode

Crucial tools for IBM Lotus Notes and Domino administration and development...

Find the "crucial tools you need to succeed" including product descriptions, downloads, demos and testimonials.
Speed up IBM Lotus Notes and Domino administration and development with these crucial software tools.
Better, stronger, faster productivity for administrators and developers.
Download and try the lite (free) version