Entitlement tracking
As of Domino 12.0, a new internal mechanism is provided for collecting the highest entitlement that individual users have across a Domino domain. When a user appears in the ACL of a database with Reader access or above and that person has the right to access the server, the user is said to be an entitled user.
For example, Dana Smith/Renovations has Author access to an expense reporting application, expenses.nsf. The server's Allow Access security setting permits */Renovations to access the server. Therefore Dana Smith/Renovations is considered an entitled user with Author access.
- Dana Smith/Renovations has: Author access to expenses.nsf, Reader access to AcmeSales.nsf, and Editor access to her mail file, DanaSmith.nsf.
- Richard Smith/Renovations has: Author access to expenses.nsf and Designer access to AcmeSales.nsf.
- Gary Smith/GS Consulting has Reader access to AcmeSales.nsf.
- Dana Smith/Renovations is an entitled user with Editor as her highest level of access.
- Richard Smith/Renovations is an entitled user with Designer as his highest level of access.
- Gary Smith/GS Consulting is not an entitled user because, though he appears in a database ACL with Reader access, he does not have access to the server.
How servers track entitlement
The Domino installer installs the template: entitlementtrack.ntf. The Domino server update task works with the server to create and manage a hidden system database entitlementtrack.ncf on the server. entitlementtrack.ncf has a document for every user in the server's Domino directory to track each user's highest entitled access level. In addition to a user's highest entitled access level, each document contains corroborating facts such as the first database in which this user was found and how a user is granted the highest entitled access level. For example: "User Dana Smith/Renovations has Editor access in the database DanaSmith.nsf because she is explicitly named in the ACL." Or: "User Richard Smith/Renovations has Designer access in database AcmeSales.nsf because he is a member of the AppDesigners group which has Designer access to this database." As of 12.0.2, the database also tracks the last date/time that a user authenticated with a tracked server and what protocol that user connected to the server with, as shown in the following example.
Name | Highest Access | Granted in Database | Granted by ACL Entry | Last Access | Type |
---|---|---|---|---|---|
Aaliyah Click/Guitars | Editor | mail3/aclick.nsf (MusicMan) | Aaliyah Click/Guitars (Explicit) | 8/10/2022 16:14 | HTTP |
Alexander School/Guitars | Manager | cscancfg.nsf (Gibson) | LocalDomainAdmins (Group) | 7/28/2022 9:03 | HTTP |
Alexis Rose/Guitars | Editor | mail2/arose.nsf (MusicMan) | Alexis Rose/Guitars (Explicit) | 8/10/2022 8:54 | NRPC |
Amy Andrews/Guitars | Manager | specs/NewFeatures.nsf (Fender) | LocalDomainAdmins (Group) | 7/24/2022 0:00 | NRPC |
Autumn Blakely/Guitars | Editor | mail4/arose.nsf (Gibson) | Autumn Blakely/Guitars (Explicit) | 8/4/2022 19:39 | LDAP |
Barack Wall/Guitars | Editor | mail1/bwall.nsf (Gibson) | Barack Wall/Guitars (Explicit) | 7/24/2022 0:00 | NRPC |
Boyd Webber/Guitars | Editor | mail1/bwebber.nsf (Fender) | Boyd Webber/Guitars (Explicit) | 8/10/2022 8:54 | NRPC |
Who is tracked
- Authenticated users in a directory. Every user in every directory trusted for authentication is tracked. This may be as simple as all of the users in the Domino directory, users defined in an LDAP directory, or a combination of both. Since each server can have a unique directory configuration, each server might have a unique set of users.
- Authenticated users that are not in a directory. If a user who is not in the directory has successfully connected to the server and accessed a database, they are added to the list of tracked users. An example of this is a cross-certified user who accesses the server over HTTP.
- Users in the ACL that are not in the directory. If the server's security setting is unrestrictive (for example "Allow anyone to access this server") then any user with a qualifying access level in a database is considered an entitled user and tracked accordingly.
Who is not tracked
- Servers.
- Users who cannot access the server because they are not included in an "allowed to access the server" list or because they are explicitly denied access in the "not allowed to access the server" list.
- Person documents that are for routing purposes only, for example, ones with no Notes certificate and no HTTP password.
When are users tracked
Although the server scans for entitled users every day, user tracking documents are only updated in the tracking database when their entitlements change. For example, if Dana Smith/Renovations's access to her mail file changes from Editor to Manager, then her tracking document is updated on the next scan to reflect the change in entitlement.
Groups, wildcards and -Default- access
Entitlements are tracked at the individual user level but Domino administrators typically use Domino or LDAP groups and wildcards to control user access to servers and databases. The entitlements collector recursively expands "groups of groups" and/or "wildcards matching users" to project the entitlements for the group or wildcard on to a set of individual users. Using groups and wildcards explicitly entitles a set of users.
The use of -Default- access, on the other hand, can implicitly entitle many users because the -Default- access setting projects to "everyone else." For example, if the group RenovationsManagers with five members has Manager access to a database, the user Richard Smith/Renovations has explicit Editor access, and the -Default- access is Reader, then everyone with access to the server other than these six users is entitled with Reader access. If the server allows anyone with */Renovations to access the server and the configured directory has 1,705 Renovations users, then this ACL default entitles 1,700 users with Reader access. In general, -Default- access should be used with great care.
Summarizing entitlements at the Domain level
How the entitlement information is used
Entitlement Summary for 3/10/2010

Highest Access | Users |
---|---|
Manager | 13 |
Designer | 7 |
Editor | 234 |
Author | 1200 |
Reader | 2400 |
Total | 3834 |
How you can use this information
- Do not delete the entitlement collector databases or the collector summary database unless instructed to do so by HCL Support.
- Do not modify the design or alter the template in any way.
- The database and collection services are offered "as is" and the structure of the database and the data collection process can be changed by HCL in subsequent releases of the product.
ACL Scanner agent
An agent named ACL Scanner is provided "as is," without support, as a tool that might be useful to administrators to get immediate reports that summarize who has access to various databases. You can use the tool to help "harden" security by further limiting who has access to those databases. A benefit of using the tool is that you can make ACL changes and rerun the tool for immediate feedback on the effects of your changes, rather than waiting for the next cycle of the entitlement tracker.
- Select a server to scan.
- Specify whether you want to scan databases, templates, or both.
- Specify a user or group to search for, or the special name -Default- for default ACL access.
- Specify an ACL level to search for; the scan matches that level or higher access.
- Optionally specify a list of folders to skip.
For example, you might search a server for databases whose -Default- ACL entry is Editor or higher access.
The tool will scan the ACL of all the selected databases on the server and generate a report that lists all matching databases. In this example, you might choose to modify the ACL of some of those databases and reduce the access level of the -Default- entry. You could then immediately rerun the report to see the effects of your changes.
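The following is an added example, not HCL's code and not the entitlementtrack.ntf design: a small Python model of the two processes this page describes, the entitlement collector (server access lists, groups of groups, wildcards such as */Renovations, and -Default-, reduced to each user's highest entitled access together with the database and ACL entry that grant it) and an ACL Scanner-style query for databases whose ACL grants a given entry a given level or higher. All users, groups and databases are constructed, loosely following the Renovations example earlier on this page; the ACL precedence rule applied (explicit name beats group or wildcard entries, the best group or wildcard wins, else -Default-) is an assumption of the model, and `No Access` entries are treated as not entitling.

```python
# Added example, not HCL's code: a toy model of how an entitlement collector derives
# each user's highest entitled access from database ACLs, the server access lists,
# groups of groups, wildcards and -Default-. All names and data are constructed.
from dataclasses import dataclass

LEVELS = ["No Access", "Depositor", "Reader", "Author", "Editor", "Designer", "Manager"]
RANK = {lvl: i for i, lvl in enumerate(LEVELS)}

@dataclass
class Database:
    path: str
    acl: dict  # ACL entry name -> access level

def wildcard_match(pattern, name):
    # '*' matches anyone; '*/Renovations' matches any name ending in '/Renovations'
    return pattern == "*" or (pattern.startswith("*/") and name.endswith(pattern[1:]))

def expand_group(group, groups, seen=None):
    # Recursively expand groups of groups into user names; 'seen' guards against cycles.
    seen = set() if seen is None else seen
    if group in seen:
        return set()
    seen.add(group)
    members = set()
    for m in groups.get(group, []):
        members |= expand_group(m, groups, seen) if m in groups else {m}
    return members

def classify_entry(entry, groups, population):
    # Classify an ACL or server-access entry and return the users in 'population' it covers.
    if entry in groups:
        return "Group", expand_group(entry, groups) & population
    if entry.startswith("*"):
        return "Wildcard", {u for u in population if wildcard_match(entry, u)}
    return "Explicit", {entry} & population

def can_access_server(user, allow, deny, groups):
    # The deny list wins; an empty allow list means "Allow anyone to access this server".
    def covered(entries):
        return any(classify_entry(e, groups, {user})[1] for e in entries)
    return not covered(deny) and (not allow or covered(allow))

def effective_access(user, db, groups):
    # Returns (level, entry, kind). Precedence modelled here (an assumption of this example):
    # an explicit name beats groups/wildcards, the best group/wildcard wins, else -Default-.
    best = None
    for entry, level in db.acl.items():
        if entry == "-Default-":
            continue
        kind, members = classify_entry(entry, groups, {user})
        if not members:
            continue
        if kind == "Explicit":
            return level, entry, kind
        if best is None or RANK[level] > RANK[best[0]]:
            best = (level, entry, kind)
    if best is None and "-Default-" in db.acl:
        best = (db.acl["-Default-"], "-Default-", "Default")
    return best

def tracked_population(directory, databases, groups):
    # Directory users plus names listed explicitly in some ACL (they may be outside the directory).
    pop = set(directory)
    for db in databases:
        pop |= {e for e in db.acl if e != "-Default-" and e not in groups and not e.startswith("*")}
    return pop

def collect_entitlements(directory, databases, groups, allow, deny):
    # Highest entitlement (Reader or above) per user who can access the server, plus the
    # first database and the ACL entry that grant it: the "corroborating facts".
    report = {}
    for user in sorted(tracked_population(directory, databases, groups)):
        if not can_access_server(user, allow, deny, groups):
            continue  # in an ACL but not entitled, like Gary Smith/GS Consulting on this page
        best = None
        for db in databases:
            acc = effective_access(user, db, groups)
            if acc and RANK[acc[0]] >= RANK["Reader"] and (best is None or RANK[acc[0]] > RANK[best[0]]):
                best = (acc[0], db.path, acc[1], acc[2])
        if best:
            report[user] = dict(zip(("highest", "database", "entry", "kind"), best))
    return report

def scan_acls(databases, entry, min_level):
    # ACL Scanner-style query: databases whose ACL grants 'entry' min_level or higher.
    return [db.path for db in databases if entry in db.acl and RANK[db.acl[entry]] >= RANK[min_level]]

# Constructed sample data modelled on the document's Renovations example.
GROUPS = {"RenovationsManagers": ["Pat Lee/Renovations", "SalesLeads"],  # a group of groups
          "SalesLeads": ["Lee Chen/Renovations"],
          "AppDesigners": ["Richard Smith/Renovations"]}
DIRECTORY = ["Dana Smith/Renovations", "Richard Smith/Renovations", "Pat Lee/Renovations",
             "Lee Chen/Renovations", "Sam Jones/Renovations", "Gary Smith/GS Consulting"]
DATABASES = [
    Database("expenses.nsf", {"Dana Smith/Renovations": "Author", "Richard Smith/Renovations": "Author",
                              "-Default-": "No Access"}),
    Database("AcmeSales.nsf", {"Dana Smith/Renovations": "Reader", "Gary Smith/GS Consulting": "Reader",
                               "AppDesigners": "Designer", "RenovationsManagers": "Manager",
                               "-Default-": "Reader"}),
    Database("mail/DanaSmith.nsf", {"Dana Smith/Renovations": "Editor", "-Default-": "No Access"}),
]
ALLOW, DENY = ["*/Renovations"], []  # the server's "Allow access" and "Not allowed" lists

if __name__ == "__main__":
    for user, rec in collect_entitlements(DIRECTORY, DATABASES, GROUPS, ALLOW, DENY).items():
        print(f"{user}: {rec['highest']} in {rec['database']} via {rec['entry']} ({rec['kind']})")
    print("-Default- is Reader or higher in:", scan_acls(DATABASES, "-Default-", "Reader"))
```

Run as written, the report shows Dana Smith/Renovations at Editor (her mail file, explicit entry), Richard Smith/Renovations at Designer (AcmeSales.nsf, via the AppDesigners group), Lee Chen/Renovations at Manager through the nested SalesLeads group, Sam Jones/Renovations at Reader purely through -Default- (the implicit entitlement the page warns about), and no document at all for Gary Smith/GS Consulting, who is in an ACL but is not allowed onto the server. The `scan_acls` call is the page's own worked case: find the databases whose -Default- entry is at or above a given level, adjust those ACLs, and rerun to confirm the change without waiting for the next collector cycle.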