This forum is closed to new posts and responses. Individual names altered for privacy purposes. The information contained in this website is provided for informational purposes only and should not be construed as a forum for customer support requests. Any customer support requests should be directed to the official HCL customer support channels below:

HCL Software Customer Support Portal for U.S. Federal Government clients
HCL Software Customer Support Portal


Dec 14, 2015, 7:29 AM
19 Posts

Junior Administrators in Domino

  • Category: Domino Administrator
  • Platform: Windows
  • Release: 9.0.1
  • Role: Administrator
  • Tags:
  • Replies: 3

Dear All,

We are required to have junior Domino Administrators to carry out certain tasks such as registering new users, recertifying certificates, setting quotas, compacting databases, etc.

Based on documentation, this is what I have done:

  • Junior Admin listed as Administrators in the Security Tab of server document;
  • Junior Admin added as Author in the domino directory with Create Documents and roles Group Creator/Modifier, PolicyCreator/Modifier/Reader, UserCreator/Modifier;
  • Junior Admin listed in the certlog as Author with Create Documents;

The Junior Admin is able to register New users without any problem. But then the Junior Admin is listed as manager in the ACL of the mail database of that user. 


A junior Admin should be able to only register new users but not gain access to their mail database.

Can you advise how to prevent the name of the junior admin from appearing as manager in the mail databases he creates?

Thank you for your help.

Manjula

Dec 14, 2015, 4:30 PM
212 Posts
Manager Access to created mail files

By default, all mail files that are created list the person who created the file as manager.

This is a safety factor to ensure that someone has manager access to the file. You will need to remove the user name and replace it with a different administrator, if you do not want his name in that file.

Dec 15, 2015, 7:05 AM
19 Posts
Manager Access to created mailfiles

Hello Bradley,

Thank you for taking the time to respond to the post.

This is tricky as the junior admin may create the mail database for a new manager but he does not need to access that database afterwards.

When a new user is registered using Full Access Admin, the generic admin account, Notes/Admin is listed as manager instead of the user who switched to Full Access Admin mode.

Can't this be achieved when an admin with restricted access registers a new user, that is, Notes/Admin listed as manager for the database instead of the name of the junior admin who registers the database?

Jan 7, 2016, 6:25 PM
21 Posts
set acl on template

If your jr admins are in a group, set in the default mail9.ntf ACL an entry of [GroupName] to no access (yes, with brackets).
When a new mail database is created, the GroupName will appear in the ACL and any member in the group will be denied access.
- Make sure you set the GroupName document ACL (in Domino directory) to only allow FullAdmins and LocalDomainServer to access to stop Jr Admins from elevating their privileges by removing themselves from the group on the fly as well as edit FullAdmins or LocalDomainServers group documents to stop them from elevating themselves. (It's easy to lock yourself out, so pay attention. Make a backup before you start.)

If he/she uses the Adminp process to create the accounts, he/she will not be in the ACL at all in either case.
If you manually create a new db from the template, then the creator is the manager of the DB. (Sounds like this is what's happening.)

The Jr admin will have to run everything from the console for db maintenance and cannot access the mail file directly.
If the end user has a particular problem with an email and Admin eyeballs need to see it, the Jr Admin cannot help (unless the end user grants the Jr explicitly, from their mail preferences).


 

