FORUM PLAN UPDATE
Date revision: This forum will remain open to new posts and responses until December 1, 2018. (After that date, you will still be able to view and search the forum.) Also, we're taking a second look at the best place to host future conversation. For now, keep using this forum, and stay tuned for more news.


May 30, 2017, 1:35 AM
18 Posts

ACL Audit on mail databases

  • Category: Domino Administrator
  • Platform: Windows
  • Release: 9.0.1
  • Role: Administrator
  • Tags:
  • Replies: 7

Dear All,

We are required to do yearly audits on mail database ACLs, that is, list the persons who can access a mail database, and their level of access and/or roles.

In one of the IBM forums, it is mentioned that the report can be obtained by querying the catalog.nsf, but it does not mention how. It says, "Set all databases for being inserted in the catalog.nsf and run the task catalog on the server to get information required."

Any help on how to achieve this will be greatly appreciated.

Thank you.

Manjula

 

 

May 30, 2017, 10:08 AM
105 Posts
Not a report per se

The Catalog will not generate a report but it will collect the ACL details when it adds the database information.  You can either export the data or write an agent to extract the data for yourself.

May 30, 2017, 1:33 PM
1 Posts
Ytria aclEZ

Hi Manjula,

You can do what you are asking for with aclEZ, which is a tool specifically made to analyze, report and mass modify ACLs. (see screenshot)

Let me know if you need further info or help.

Disclaimer: I work for Ytria


May 31, 2017, 2:11 AM
18 Posts
ACL Audit on mail databases

Thank you very much for your reply Andre. For now, we would like to see what can be achieved within Domino itself. Then, we will consider other options.

Thank you for your reply D Porter. It is absolutely fine to display the info in the catalog.nsf. I can export it then. But how do I do that? How do I insert the database in catalog.nsf so that I can audit the ACL?

 

Jun 1, 2017, 2:46 AM
105 Posts
DB Properties

Databases are added to the database catalog when the database property "List in Database Catalog" is set.  This can be found in the design tab of the database properties.

You may also wish to add a category such as Mail, and this will be added to the entry when added to the catalog. There is a view in the catalog which allows you to view databases by category, so it will save you some time looking for the databases you want.

The catalog task will run by default at 1am, but if you want to run it ad hoc you can use the command "load catalog" on the console.

Take a look here too: https://www.ibm.com/support/knowledgecenter/SSKTMJ_8.5.3/com.ibm.help.domino.admin85.doc/H_MANAGING_THE_DATABASE_CATALOG_OVERVIEW.html

 

Exporting the data is done by going to the view of choice and going to the File menu and selecting "Export...".  I would suggest you try the .csv option as you can manipulate the data in Excel later.  The view which you will want to export is Access Control Lists\By Application which has all the databases by file name.

Jun 1, 2017, 9:54 AM
362 Posts
How thorough do you need to be? & how big an installation?

If you need a "user-to-DB" map, that's more complicated than most people are talking about here.

With small usership though, it's not hard to produce. The API has NotesDatabase.QueryAccess, and you can build a list of people, then check on their accesses to each DB.

The bigger it gets, the more you'll need to cut into the number of people to check. There, you'll probably need to check -Default- & Anonymous settings to represent "everybody else".

And then you'd need to look up group entries from each DB's ACL.

Groups are hard to expand-out, because there's not an API to expand them. However, you can do pretty well with one of the hidden "(LDAP)" views in the Address Book. Keep in mind, groups may not grant users access if you use "mail-only" and "deny-access" settings.
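The user-to-DB mapping described in the post above can be sketched offline once ACL entries and group memberships have been exported; this is an added example, not part of the original post or of any Domino API. It models the standard Domino rules (an individual entry overrides group entries, the highest group level wins, unlisted people fall to -Default-); all names and data are constructed, and skipping "Mail only" and "Deny List only" groups at every nesting level is an assumption.

```python
from collections import namedtuple

# Domino ACL levels, lowest to highest; the index is the numeric level.
LEVELS = ["No Access", "Depositor", "Reader", "Author", "Editor", "Designer", "Manager"]
# Group types honoured for ACLs. Assumption: nested groups are filtered too.
ACL_GROUP_TYPES = {"Multi-purpose", "Access Control List only"}
Group = namedtuple("Group", "gtype members")

def expand_group(name, groups, seen=None):
    """People in a group, following nested groups and surviving cycles."""
    seen = set() if seen is None else seen
    if name in seen or groups[name].gtype not in ACL_GROUP_TYPES:
        return set()
    seen.add(name)
    people = set()
    for member in groups[name].members:
        if member in groups:
            people |= expand_group(member, groups, seen)
        else:
            people.add(member)
    return people

def effective_access(acl, groups):
    """Map person -> (level, source entry) for one database ACL."""
    explicit, via_group = {}, {}
    for entry, level in acl.items():
        if entry in ("-Default-", "Anonymous"):
            continue                      # report these separately
        if entry in groups:
            for person in expand_group(entry, groups):
                if person not in via_group or level > via_group[person][0]:
                    via_group[person] = (level, entry)   # highest group wins
        else:
            explicit[entry] = (level, entry)
    return {**via_group, **explicit}      # an individual entry overrides groups

# Constructed sample data (not from the thread).
GROUPS = {
    "Secretaries": Group("Access Control List only", ["Sec/Acme", "Deputies"]),
    "Deputies": Group("Multi-purpose", ["Dep/Acme", "Secretaries"]),  # cycle
    "AllStaff": Group("Multi-purpose", ["Sec/Acme", "Temp/Acme", "Boss/Acme"]),
    "Newsletter": Group("Mail only", ["Ext/Acme"]),
}
ACL = {"-Default-": 0, "Boss/Acme": 6, "Secretaries": 4, "AllStaff": 2,
       "Temp/Acme": 1, "Newsletter": 4}

if __name__ == "__main__":
    for person, (level, source) in sorted(effective_access(ACL, GROUPS).items()):
        print(f"{person:12} {LEVELS[level]:10} via {source}")
```

Anyone absent from the result, such as the member of the mail-only group, gets whatever -Default- grants in that database.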

Jun 2, 2017, 6:54 AM
18 Posts
ACL Audit on mail databases

Thank you for your reply, D Porter.

Your post was extremely helpful.

We just have to run the cataloger task because the data in catalog.nsf is not up to date. For example, it says a secretary has delete rights in the database of her boss when in fact she doesn't.

Thank you for your reply, Mike.

For now, we are able to manage with the data in the catalog.nsf. When it gets updated of course.

Oct 3, 2018, 1:31 AM
8 Posts
Download IBM Notes ACL tool... Export ACLs including nested groups to Excel

The IBM Notes ACL tool below will allow you to audit all your Notes mailboxes and DBs in your Domino environment. It will export all the ACLs including nested groups to Excel. And that's just one of the many security reporting features as seen below.

IBM Notes administration reporting and management security tool | ACL Dominator

Manage all ACLs, DB properties and mailbox preference properties on your Domino servers. Prevent security breaches, optimize server performance, assist with message migrations, reduce risk exposure to cyber-attacks and improve Domino administrator productivity. Export nested groups to Excel. User activity and DAOS reports.

http://www.notesmail.com/ACLdominator

Fix Security Holes, Optimize Server Performance and Prepare for Message Migration

 Reports can assist a Domino Administrator to fix security holes, optimize server performance and prepare for a messaging migration (i.e. IBM SmartCloud Notes Hybrid).

  • Report, manage, analyze, audit, export, update all Access Control Lists - (useful to fix security holes)
  • Advanced database properties report - (useful to verify DBs are using latest Domino compression / optimization)
  • Mailbox/DB document count report - (useful to identify mailbox/DBs which require archiving)
  • Full Text Index reports - (useful to optimize server performance by identifying non-critical mailbox/DBs using "Immediate" frequency which should ideally be changed to "Hourly" or "Daily")
  • Mailbox delegation - (useful for messaging migrations)
  • Mailbox user activity reports - (useful to identify mailboxes which can be retired)
  • Group troubleshooting - (useful to identify mailbox/DB access issues using heavily nested groups)
  • Mailbox owner reports including changing owner ACL - (useful to force mailbox access of all mailbox users to Editor), i.e. specify "$$MailOwner" in tool when performing ACL updates
  • DAOS reports including Logical, Physical and DAOS size - (useful to identify attachment consolidation disk space savings)

tags: lotus notes acl tool, lotus notes acl manager, lotus notes group explorer, expander, lotus notes acl report, lotus notes database properties, lotus notes user activity, domino admin export files tab, explode


Crucial tools for IBM Lotus Notes and Domino administration and development...

Find the "crucial tools you need to succeed" including product descriptions, downloads, demos and testimonials.
Speed up IBM Lotus Notes and Domino administration and development with these crucial software tools.
Better, stronger, faster productivity for administrators and developers.
Download and try the lite (free) version

