May 30, 2017, 1:35 AM
18 Posts

ACL Audit on mail databases

  • Category: Domino Administrator
  • Platform: Windows
  • Release: 9.0.1
  • Role: Administrator
  • Tags:
  • Replies: 6

Dear All,

We are required to do yearly audits on mail database ACLs, that is, list the persons who can access a mail database, their level of access and/or roles.

In one of the IBM forums, it is mentioned that the report can be obtained by querying the catalog.nsf, but it does not mention how. It says, "Set all databases for being inserted in the catalog.nsf and run the task catalog on the server to get information required."

Any help on how to achieve this will be greatly appreciated.

Thank you.

Manjula


May 30, 2017, 10:08 AM
105 Posts
Not a report per se

The Catalog will not generate a report, but it will collect the ACL details when it adds the database information. You can either export the data or write an agent to extract the data for yourself.

May 30, 2017, 1:33 PM
1 Posts
Ytria aclEZ

Hi Manjula,

You can do what you are asking for with aclEZ, which is a tool specifically made to analyze, report on and mass-modify ACLs (see screenshot).

Let me know if you need further info or help.

Disclaimer: I work for Ytria

[Screenshot: aclEZ ytria - report]

May 31, 2017, 2:11 AM
18 Posts
ACL Audit on mail databases

Thank you very much for your reply, Andre. For now, we would like to see what can be achieved within Domino itself. Then we will consider other options.

Thank you for your reply D Porter. It is absolutely fine to display the info in the catalog.nsf. I can export it then. But how do I do that? How do I insert the database in catalog.nsf so that I can audit the ACL?


Jun 1, 2017, 2:46 AM
105 Posts
DB Properties

Databases are added to the database catalog when the database property "List in Database Catalog" is set. This can be found on the Design tab of the database properties.

You may also wish to add a category such as Mail, and this will be added to the entry when it is added to the catalog. There is a view in the catalog which allows you to view databases by category, so it will save you some time looking for the databases you want.

The catalog task will run by default at 1 AM, but if you want to run it ad hoc you can use the command "load catalog" on the console.

Take a look here too: https://www.ibm.com/support/knowledgecenter/SSKTMJ_8.5.3/com.ibm.help.domino.admin85.doc/H_MANAGING_THE_DATABASE_CATALOG_OVERVIEW.html

Exporting the data is done by opening the view of choice, going to the File menu and selecting "Export...". I would suggest you try the .csv option, as you can manipulate the data in Excel later. The view which you will want to export is Access Control Lists\By Application, which lists all the databases by file name.

Jun 1, 2017, 9:54 AM
331 Posts
How thorough do you need to be? & how big an installation?

If you need a "user-to-DB" map, that's more complicated than most people are talking about here.

With small usership though, it's not hard to produce. The API has NotesDatabase.QueryAccess, and you can build a list of people, then check on their accesses to each DB.

The bigger it gets, the more you'll need to cut into the number of people to check. There, you'll probably need to check -Default- & Anonymous settings to represent "everybody else".

And then you'd need to look up group entries from each DB's acl.

Groups are hard to expand-out, because there's not an API to expand them. However, you can do pretty well with one of the hidden "(LDAP)" views in the Address Book. Keep in mind, groups may not grant users access if you use "mail-only" and "deny-access" settings.

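D Porter's suggestion (write an agent instead of relying on the catalog) and Mike's suggestion (NotesDatabase.QueryAccess for a user-to-DB map) can be combined in one server agent. The LotusScript below is an added example written for this thread; it is not code from any of the posters or from IBM. It assumes it runs on the server as a "Run on server" or scheduled agent under an identity that can open every mail file (normally the server itself, which is Manager on mail files), that mail files sit under data\mail\, that the output path is writable by the server, and that the three names in the people list are placeholders you replace. It writes one CSV row per explicit ACL entry (name, group flag, level, delete right, roles) and one row per person of interest with the effective level and delete privilege as the server resolves them.

```lotusscript
' ACL audit agent (added example, not code from this thread or from IBM).
' Assumptions: runs as a "Run on server"/scheduled agent under an identity that can
' open every mail file (normally the server, which is Manager on mail files); mail
' files live under data\mail\; OUT_PATH is writable by the server process.
Option Public
Option Declare

Const OUT_PATH = "C:\temp\acl_audit.csv"   ' assumed output location (Windows server)

' Translate the numeric level to the label used in the ACL dialog
Function LevelName(lvl As Integer) As String
    Select Case lvl
    Case ACLLEVEL_NOACCESS
        LevelName = "No Access"
    Case ACLLEVEL_DEPOSITOR
        LevelName = "Depositor"
    Case ACLLEVEL_READER
        LevelName = "Reader"
    Case ACLLEVEL_AUTHOR
        LevelName = "Author"
    Case ACLLEVEL_EDITOR
        LevelName = "Editor"
    Case ACLLEVEL_DESIGNER
        LevelName = "Designer"
    Case ACLLEVEL_MANAGER
        LevelName = "Manager"
    Case Else
        LevelName = "Unknown(" & CStr(lvl) & ")"
    End Select
End Function

' Quote one CSV field; names like "CN=Jane Doe/O=Acme" may contain commas or quotes
Function Csv(s As String) As String
    Csv = """" & Replace(s, """", """""") & """"
End Function

Sub Initialize
    Dim session As New NotesSession
    Dim dir As NotesDbDirectory
    Dim db As NotesDatabase
    Dim acl As NotesACL
    Dim entry As NotesACLEntry
    Dim roles As String
    Dim privs As Long
    Dim i As Integer

    ' Constructed sample list of names to map against every mail file; replace with
    ' the real people (or -Default-/Anonymous) you need to report on.
    Dim people(2) As String
    people(0) = "CN=Jane Secretary/O=Acme"
    people(1) = "CN=Help Desk/O=Acme"
    people(2) = "Anonymous"

    Open OUT_PATH For Output As #1
    Print #1, "file,kind,name,is_group,level,can_delete,roles"

    Set dir = session.GetDbDirectory("")       ' "" = the server the agent runs on
    Set db = dir.GetFirstDatabase(DATABASE)
    While Not (db Is Nothing)
        ' Only mail files: FilePath is relative to the data directory
        If LCase$(Left$(db.FilePath, 5)) = "mail\" Then
            If Not db.IsOpen Then Call db.Open("", "")
            If db.IsOpen Then
                ' 1. Every explicit ACL entry, read live from the database (no catalog lag)
                Set acl = db.ACL
                Set entry = acl.GetFirstEntry
                While Not (entry Is Nothing)
                    roles = ""
                    ForAll r In entry.Roles
                        If r <> "" Then roles = roles & r & ";"
                    End ForAll
                    Print #1, Csv(db.FilePath) & ",entry," & Csv(entry.Name) & "," & _
                    CStr(entry.IsGroup) & "," & LevelName(entry.Level) & "," & _
                    CStr(entry.CanDeleteDocuments) & "," & Csv(roles)
                    Set entry = acl.GetNextEntry(entry)
                Wend
                ' 2. Effective access per person as the server resolves it (groups included)
                For i = 0 To UBound(people)
                    privs = db.QueryAccessPrivileges(people(i))
                    Print #1, Csv(db.FilePath) & ",effective," & Csv(people(i)) & ",," & _
                    LevelName(db.QueryAccess(people(i))) & "," & _
                    CStr((privs And DBACL_DELETE_DOCS) <> 0) & ","
                Next
            Else
                Print #1, Csv(db.FilePath) & ",error,could not open,,,,"
            End If
        End If
        Set db = dir.GetNextDatabase
    Wend
    Close #1
End Sub
```

Because the agent reads each ACL directly, the report reflects the current state rather than whatever the catalog task last collected; the "effective" rows are where a name's access through a group (or through -Default-/Anonymous) shows up, and the delete flag is taken from QueryAccessPrivileges, since the level alone does not tell you whether "Delete documents" is granted. Run it as the server so that every mail file can be opened; if it runs under an administrator's ID, files that ID cannot open appear as error rows rather than being silently skipped.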
Jun 2, 2017, 6:54 AM
18 Posts
ACL Audit on mail databases

Thank you for your reply, D Porter.

Your post was extremely helpful.

We just have to run the cataloger task because the data in catalog.nsf is not up to date. For example, it says a secretary has delete rights in the database of her boss when in fact she doesn't.

Thank you for your reply, Mike.

For now, we are able to manage with the data in the catalog.nsf. When it gets updated of course.