ACLs for the Domino® Change Control database
There are four ACL roles created specifically for those who are working with the resource-balancing plan. However, users or groups can also have standard Domino® ACL roles, such as Author or Reader. The roles specific to resource balancing are: Change Admin, System Admin, Plan Creator, and Plan Reader.
Change Admin
A Change Administrator has the authority to change the settings in any plan or plan element, such as a constraint or variable. In addition, a Change Administrator can alter and add some elements used to create a plan. Specifically, a Change Administrator can edit, create, and delete constraints and constraint sets, approval profiles, keywords, and resources.
A plan must be committed by a Change Administrator before it can be executed. All plans (including move requests created in the Administration Process database) execute with the authority of the Change Administrator who committed the plan. For that reason, the Change Administrator must also have Create Replica access on each destination server. A Change Administrator automatically has the Plan Reader role.
System Admin
The System Admin role is distinct from the Change Admin role: having the Change Admin role does not automatically include the System Admin role. The two roles are independent but not mutually exclusive in terms of the access that each grants. As with a Change Administrator, a System Administrator can edit, create, and delete keywords, resources, interfaces, functions, domain configurations, and plug-ins. Because users with the System Admin role can make powerful and potentially catastrophic changes, assign the role only to users or groups of users who have an in-depth understanding of the Domino® Change Manager. In addition, all control documents (Interface and Function Definitions, Domain Configurations, and Plug-ins) must be signed by either the Change Manager server or a user who has the System Admin role. When the database is first created, all control documents are signed by the server. The signing requirement is to ensure the security of the Change Manager system and the Domino® Server.
Plan Creator
This role designates users and groups of users who can create plans.
Plan Reader
This role allows users and groups of users to read all plans. By default, a Change Administrator can read all plans and does not explicitly need this role. Authors and Requesters of plans do not need this role to read their own plans.