This forum is closed to new posts and responses. Individual names altered for privacy purposes. The information contained in this website is provided for informational purposes only and should not be construed as a forum for customer support requests. Any customer support requests should be directed to the official HCL customer support channels below:

HCL Software Customer Support Portal for U.S. Federal Government clients
HCL Software Customer Support Portal


Oct 9, 2018, 3:18 PM
1 Posts

how to prevent access to local replicas once employee leaves organization

  • Category: Replication
  • Platform: Windows
  • Release: 9.0.1
  • Role: Administrator,End User
  • Tags: replica,acceess,termination,exit,deny access
  • Replies: 2

Users of Lotus Notes Databases create replicas on their local machines. Encryption of databases created on local PCs is enforced.

My question is: when a particular employee leaves the organization and they have the local replica and their ID file, WHAT is the best way to prevent the terminated user from accessing the local replica?

What all steps can we take as Admins?

Thanks

Oct 9, 2018, 3:14 PM
328 Posts
Personal 'Local Machine'?

Normally when a user leaves the company, you're going to delete the user's Person document from the NAB, add their user name to the Terminations group, and admin process will update all files that they may have had access to to remove them. Depending on how your server security is set, adding them to the Terminations group and removing them from the NAB will prevent them from contacting the server and/or replicating and/or sending mail and/or signing onto Traveler or iNotes.

However, if the local machine in question is a user's personal machine, then there is not a lot you can do, because, unless the machine again contacts the server, it will remain in the state it was when they left; so they'll be able to open their mail file until their user.id expires.

So, one thought in this scenario - when creating user IDs, set them to expire in a short amount of time. It will cause you more work as an admin to update expiration dates much more frequently, but if you can expire a user's ID after say, 3 months, that will limit the time they can access it.

If there is a possibility that the user's PC will connect back to the server 'one last time', you can remove them from the ACL of their mail file, or better yet, set their ID to 'No Access'. But I think that will only work if you have 'Enforce a consistent Access Control List across all replicas'.

Oct 10, 2018, 8:36 PM
323 Posts
You can block or empty them before the employee leaves.

Keep in mind, once you've granted a workstation access to the data, it can be exported and downloaded or copied to another database. So there's no real security here. Once someone has a copy, they have a copy.

That said, there are a number of things you can do. It's possible to set up replicas so that you can replicate-out the lack of access to the documents in the DB. Then the replication event will remove all the documents from the DB.

But it is always a good idea to experiment on a copy before you set this up. Removals of this type are forever -- if you inadvertently turned this capability loose on the server replica -- they'll all go away.

It's also possible to set up selective replication on a database, and it'll serve the same purpose.

So just take some care when you're experimenting, and don't do it in production until you're familiar with the gotchas.

