Setting up ACLs for the Administration Process

Each administrator who uses the Administration Process to perform tasks must have the appropriate access rights and roles in the Domino® Directory (NAMES.NSF), secondary directories -- if applicable, Administration Requests database (ADMIN4.NSF), and the Certification Log database (CERTLOG.NSF).

The quickest way to provide administrators with the access they need is to give them the minimum levels of access:

For the Domino® Directory, create an administrator group of type Person Group with Editor access, and list the administrators in the group.
For the Administration Requests database, give administrators Author access. If an administrator will be approving requests, give Editor access.
For the Certification Log database, give administrators Author with Create documents access.

The following table describes access needed for specific tasks. If an error occurs during any administrative task, the administrator must have Editor access in the ACL of the Administration Requests database to perform the task again.

Note: If extended ACLs are enabled and you have specified who can modify documents for an organization, administration requests will fail if they are initiated by anyone not specified in the extended ACL.

Table 1. Access for administrators to run Administration Process tasks
Task	Administrator needs this access in the Domino® Directory	Administrator needs this access in ADMIN4.NSF	Administrator needs this access in other databases
Add a resource to or delete a resource from the Resource Reservations database	None. However, the Administration Process updates the Domino® Directory to reflect the change	Author with Create documents access	CreateResource role in the Resource Reservations database
Add group	Author with Create documents and the ServerModifier role	Author with Create documents access and GroupModifier role
Add users to group	Author with GroupModifier role. If administrator has access greater than Author, that access is sufficient
Add servers to and remove servers from a cluster	One of these: Author access and ServerModifier role Editor access	Author with Create documents access	None
Approve a request to move a user name to another hierarchy	One of these: Author with Create documents access and UserModifier/Server Modifier role Editor access	Editor access	Author with Create documents access to the Certification Log
Approve the deletion of a resource from the Resource Reservations database	Delete documents access	Editor access	None
Create mail files automatically during user registration	Author access and the UserCreator role	Author with Create documents access	Create new database access on the registration server
Create replicas of databases	No requirement	Author with Create documents access	All of these: Create replica access to the destination server Reader access to the database on the source server In addition, the source server must have Create replica access to the destination server, and the destination server must have Reader access to one replica of the database.
Delete group	One of these: Author with Delete documents access and the GroupModifier role Editor access	Author with Create documents access	None
Delete servers	One of these: Author with Delete documents and the ServerModifier role Editor access	Author with Create documents access	None
Delete users*	One of these: Author with Delete documents access and the UserModifier role Editor access	Author with Create documents access	None
Delete users and their mail files Delete users and their private design elements Note: To delete a user from an Active Directory, when deleting a user, the Delete Person request must be made from a computer running Active Directory, and the initiator must be an Active Directory administrator with rights to delete user accounts.	One of these: Author with Delete documents and the UserModifier role Editor with Delete documents access	Editor	None
Enable password-checking during authentication	Editor access	Author with Create documents access	None
Find name	Editor access with UserModifier role	None	None
Move replicas from a cluster server	None	Author with Create documents access	Both of these: Same access as Create replicas of databases Manager access to the original database
Move replicas from a non-clustered server	None	Editor	Both of these: Same access as Create replicas of databases Manager access to the original database
Move user to another server	One of these: Author access and UserModifier role Editor access	Editor	Create replica access on the new mail server In addition, the old mail server must have Create replica access to the new mail server, and the person whose mail file is being moved must be running a Notes® Release 5 or higher client.
Recertify user IDs and server IDs	One of these: Author with Create documents access and UserModifier/Server Modifier role Editor access	Author with Create documents access	Author with Create documents access to the Certification Log
Register user	Author with Create documents access and User/Creater role	Author with Create documents access if using Administration Process for background processing	If creating mail files/roaming files, Create database access on the mail server and/or roaming server, accordingly. If creating replicas, Create Replica access on the replica servers. If CERTLOG.NSF resides on the registration server, Create document access to CERTLOG.NSF is required.
Remove all replicas of a database	None	None	None
Rename users and convert users and servers to hierarchical naming	One of these: Author with Create documents access and UserModifier/Server Modifier role Editor access	Author with Create documents access	Author with Create documents access to the Certification Log
Sign database	None	None	None
Specify the Master Address Book name in Server documents	One of these: Author access with ServerModifier role Editor access	Author with Create documents access	None
Add Internet certificate	Editor	Author with Create documents access	None
Update client information in Person record	None	None	None