Setting up ACLs for the Administration Process
Each administrator who uses the Administration Process to perform tasks must have the appropriate access rights and roles in the Domino® Directory (NAMES.NSF), in any secondary directories (if applicable), in the Administration Requests database (ADMIN4.NSF), and in the Certification Log database (CERTLOG.NSF).
The quickest way to provide administrators with the access they need is to give them the minimum levels of access:
- For the Domino® Directory, create an administrator group of type Person Group with Editor access, and list the administrators in the group.
- For the Administration Requests database, give administrators Author access. If an administrator will be approving requests, give Editor access.
- For the Certification Log database, give administrators Author with Create documents access.
The following table describes access needed for specific tasks. If an error occurs during any administrative task, the administrator must have Editor access in the ACL of the Administration Requests database to perform the task again.
Task | Administrator needs this access in the Domino® Directory | Administrator needs this access in ADMIN4.NSF | Administrator needs this access in other databases
---|---|---|---
Add a resource to or delete a resource from the Resource Reservations database | None. However, the Administration Process updates the Domino® Directory to reflect the change | Author with Create documents access | CreateResource role in the Resource Reservations database
Add group | Author with Create documents and the ServerModifier role | Author with Create documents access and GroupModifier role |
Add users to group | Author with GroupModifier role. If the administrator has access greater than Author, that access is sufficient | |
Add servers to and remove servers from a cluster | One of these: | Author with Create documents access | None
Approve a request to move a user name to another hierarchy | One of these: | Editor access | Author with Create documents access to the Certification Log
Approve the deletion of a resource from the Resource Reservations database | Delete documents access | Editor access | None
Create mail files automatically during user registration | Author access and the UserCreator role | Author with Create documents access | Create new database access on the registration server
Create replicas of databases | No requirement | Author with Create documents access | All of these:
Delete group | One of these: | Author with Create documents access | None
Delete servers | One of these: | Author with Create documents access | None
Delete users* | One of these: | Author with Create documents access | None
Delete users and their mail files; delete users and their private design elements. Note: To delete a user from an Active Directory, when deleting a user, the Delete Person request must be made from a computer running Active Directory, and the initiator must be an Active Directory administrator with rights to delete user accounts. | One of these: | Editor | None
Enable password-checking during authentication | Editor access | Author with Create documents access | None
Find name | Editor access with UserModifier role | None | None
Move replicas from a cluster server | None | Author with Create documents access | Both of these:
Move replicas from a non-clustered server | None | Editor | Both of these:
Move user to another server | One of these: | Editor | Create replica access on the new mail server. In addition, the old mail server must have Create replica access to the new mail server, and the person whose mail file is being moved must be running a Notes® Release 5 or higher client.
Recertify user IDs and server IDs | One of these: | Author with Create documents access | Author with Create documents access to the Certification Log
Register user | Author with Create documents access and UserCreator role | Author with Create documents access if using the Administration Process for background processing | If creating mail files/roaming files, Create database access on the mail server and/or roaming server, accordingly. If creating replicas, Create Replica access on the replica servers. If CERTLOG.NSF resides on the registration server, Create document access to CERTLOG.NSF is required.
Remove all replicas of a database | None | None | None
Rename users and convert users and servers to hierarchical naming | One of these: | Author with Create documents access | Author with Create documents access to the Certification Log
Sign database | None | None | None
Specify the Master Address Book name in Server documents | One of these: | Author with Create documents access | None
Add Internet certificate | Editor | Author with Create documents access | None
Update client information in Person record | None | None | None
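The minimum-access guidance and the task table above both reduce to the same check: does an administrator's effective ACL entry in each database reach the required level, hold the required privilege (Create documents or Delete documents), and carry the required roles? The following Python model, an added example that is not HCL code and does not use the Notes API, encodes a few rows of the table as requirements and evaluates constructed sample ACLs against them. The access-level ordering and the rule that Editor and above always hold Create documents are Domino behaviour; the entry-resolution order used here (an explicit name entry wins, then the matching group entry with the highest level, then -Default-) and all names, groups and ACL contents are assumptions of the example.

```python
"""Check whether an administrator's effective ACL entry meets what a task needs.

Added example, not HCL code. Models Domino access levels, the Create documents
and Delete documents privileges, and roles. All ACLs, users and groups below
are constructed sample data; the entry-resolution order is an assumption of
this example, not a statement of Domino's exact algorithm.
"""
from dataclasses import dataclass

# Domino access levels, lowest to highest.
LEVELS = ["No Access", "Depositor", "Reader", "Author", "Editor", "Designer", "Manager"]


def rank(level):
    return LEVELS.index(level)


@dataclass(frozen=True)
class AclEntry:
    name: str
    level: str
    create_documents: bool = False   # checkbox that matters for Author entries
    delete_documents: bool = False   # checkbox for entries below Manager
    roles: frozenset = frozenset()

    def can_create_documents(self):
        # Editor and above always hold the privilege; for Author it is optional.
        return rank(self.level) >= rank("Editor") or self.create_documents

    def can_delete_documents(self):
        # Manager always holds the privilege; below that it is optional.
        return self.level == "Manager" or self.delete_documents


@dataclass(frozen=True)
class Requirement:
    min_level: str = "No Access"
    create_documents: bool = False
    delete_documents: bool = False
    roles: frozenset = frozenset()


# A subset of the task table above, expressed as per-database requirements.
TASK_REQUIREMENTS = {
    "Register user": {
        "NAMES.NSF": Requirement("Author", create_documents=True, roles=frozenset({"UserCreator"})),
        "ADMIN4.NSF": Requirement("Author", create_documents=True),
    },
    "Approve the deletion of a resource from the Resource Reservations database": {
        "NAMES.NSF": Requirement(delete_documents=True),
        "ADMIN4.NSF": Requirement("Editor"),
    },
    "Add users to group": {
        "NAMES.NSF": Requirement("Author", roles=frozenset({"GroupModifier"})),
    },
}


def effective_entry(acl, user, groups):
    """Assumed resolution: explicit name, then highest-level matching group, then -Default-."""
    by_name = {e.name: e for e in acl}
    if user in by_name:
        return by_name[user]
    matched = [by_name[g] for g in groups if g in by_name]
    if matched:
        return max(matched, key=lambda e: rank(e.level))
    return by_name["-Default-"]


def shortfalls(entry, req):
    """Return the reasons entry fails req; an empty list means the requirement is met."""
    problems = []
    if rank(entry.level) < rank(req.min_level):
        problems.append(f"level {entry.level} is below {req.min_level}")
    if req.create_documents and not entry.can_create_documents():
        problems.append("missing Create documents privilege")
    if req.delete_documents and not entry.can_delete_documents():
        problems.append("missing Delete documents privilege")
    for role in sorted(req.roles - entry.roles):
        problems.append(f"missing role {role}")
    return problems


def check_task(task, user, groups, acls):
    """Map each database the task touches to the shortfalls of user's effective entry."""
    return {db: shortfalls(effective_entry(acls[db], user, groups), req)
            for db, req in TASK_REQUIREMENTS[task].items()}


# Constructed sample ACLs that follow the minimum-access guidance above:
# an Editor group in the directory, Author with Create documents in ADMIN4.NSF.
SAMPLE_ACLS = {
    "NAMES.NSF": [
        AclEntry("-Default-", "Reader"),
        AclEntry("DominoAdmins", "Editor", delete_documents=True,
                 roles=frozenset({"UserCreator", "GroupModifier", "ServerModifier"})),
        AclEntry("HelpDesk", "Author", create_documents=True, roles=frozenset({"GroupModifier"})),
    ],
    "ADMIN4.NSF": [
        AclEntry("-Default-", "No Access"),
        AclEntry("DominoAdmins", "Editor"),
        AclEntry("HelpDesk", "Author", create_documents=True),
    ],
}

if __name__ == "__main__":
    for who, groups in (("Alice Admin", ["DominoAdmins"]), ("Bob Helpdesk", ["HelpDesk"])):
        for task in TASK_REQUIREMENTS:
            print(who, "|", task, "|", check_task(task, who, groups, SAMPLE_ACLS))
```

Running the block shows that the HelpDesk entry is enough to add users to a group but fails registration on the missing UserCreator role, and that approving a resource deletion needs Delete documents in the directory and Editor in ADMIN4.NSF, which the Author-level help-desk entry does not provide.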