Lotus Domino Administrator 8.5 Help - Collecting information for a new administration ECL

SECURITY

Collecting information for a new administration ECL
Before you can create an Admin ECL to distribute, identify the individual people and/or organizations that you can trust to create and sign active content. Identify a few users who use a broad range of typical Lotus Notes applications, then ask them to complete these steps.

1. Remove all entries from the workstation ECL except the following:

All entries in the form */org, where org is a local domain/organization
-Default-
-No signature-
Lotus Notes Template Development/Lotus Notes

To do this, highlight the item to remove under "When signed by," then click Remove.

Note If any of these entries are not listed in the ECL, it means that those entries are not needed.

2. Make a list of the entries you remove so that if those entries were, in fact, not needed, they can later be added with "No access" in the administration ECL.

3. Make these changes to the remaining entries in the ECL:

For "When signed by" For "Allowed"

*/org, where org is a local domain/organization Deselect all selected items.

-Default- Deselect all selected items. "Default" should have no permissions.

-No signature- Deselect all selected items.

Lotus Notes Template Development/Lotus Notes Select all items. This signer should have all permissions.

4. For a designated time period (a week should be sufficient), when the Execution Security Alert dialog box appears, click "Trust signer," with the following exceptions:

Do not trust any actions with "-No Signature-".
Check with the administrator before trusting odd or unfamiliar signatures or before clicking "Execute once" for templates and applications signed with odd or unfamiliar signatures.

The resulting ECLs for these users should contain more signers than what the ECL originally contained, unless your organization has managed the signing process up front and only uses objects signed by a small number of known trustworthy signers.

After the designated time period is complete, the administrator should combine the signatures in the users' ECLs to create an updated administration ECL.

The workstation ECL log

The IBM® Lotus® Lotus® Notes® client logs ECL-related operations in the Client log (LOG.NSF) in Miscellaneous Events. This includes:

Results of Execution Security Alert (ESA) dialogs, as well as additional ESA details. These details include information about the code that caused the ESA, such as the design type, design title, NoteID, database title, and path.
Any ECL modifications. This includes information on which ECL was modified; the ECL entries that were changed, added or deleted; and the rights that were granted or revoked. It also includes all ECL modifications resulting from such operations as dynamic ECL update, programmatic ECL refresh (@ECLRefresh function), setup ECL refresh/creation and manual ECL changes made in the ECL Editor or through the User Security Panel.

It is possible to write an agent to run on Lotus Notes clients and parse the ECL logging data to provide administrators with specific information on how users are managing their workstation ECLs, as well as current information about applications or other code that should be added to Admin ECLs.

Related topics

Administration ECLs

Glossary

Feedback on Help or Product Usability?

Help on Help

All Help Contents

Glossary

For "When signed by"	For "Allowed"
*/org, where org is a local domain/organization	Deselect all selected items.
-Default-	Deselect all selected items. "Default" should have no permissions.
-No signature-	Deselect all selected items.
Lotus Notes Template Development/Lotus Notes	Select all items. This signer should have all permissions.