Lotus Domino Administrator 8.5 Help - Restricting administrator access

SECURITY

Restricting administrator access
You can specify various access levels for different types of administrators in your organization. For example, you may want to give only a few people 'system administrator' access, while all of the administrators on your team are designated as database administrators.

Administrator access rights are granted hierarchically. The privilege hierarchy looks like this:

Full access administrator -- gets all rights and privileges of all administration access levels listed.
Administrator -- gets all rights and privileges of database administrator and full-console administrator (but not system administrator).
Full console administrator -- gets rights and privileges of view-only console administrator (but not system administrator)
System administrator -- gets rights and privileges of restricted system administrator

You do not need to list a user individually in each field. Adding a user to the highest level of administrator access automatically grants that user all privileges listed for more restricted access levels below in the hierarchy.

To restrict administrator access

1. From the IBM® Lotus® Domino® Administrator, click the Configuration tab, and open the Server document.

2. Click the Security tab.

3. In the Administrators section, complete one or more of these fields, and then save the document.

For all of these fields, you can specify individual hierarchical names, groups, and wildcards (for example, */Sales/Acme). Separate multiple entries with commas.

Note With the exception of the Administrators field, all of these fields are blank by default, meaning that no one has these access rights.

Field Action

Full access administrators Enter the names of administrators who have full access to administer the server. This is the highest level of administrative privilege. For more information, see below.

Administrators Enter the names of administrators who can administer the server. The default value for this field is the name of the administrator who initially set up the server. Administrators listed here have the following rights:

Manager access to the Web Administrator database (WEBADMIN.NSF).
Create, update, and delete folder and database links
Create, update, and delete directory link ACLs
Compact and delete databases
Create, update, and delete full text indexes
Create databases, replicas, and Master Templates
Get and set certain database options (for example, in/out of service, database quotas, and so on)
Use message tracking and track subjects
Use the console to remotely administer UNIX servers
Issue any remote console command
Note If you are using the (Java) Server Controller and you enter a group name in this field, the group must have a group type of "Multi-purpose" to allow the administrator names to appear in the Administrators field.
Note For Domino 6.0 and subsequent releases, if the Notes.ini variable Server_Restricted is used to restrict server access, administrators can still open databases on the server.

Database administrators Enter the names of administrators who will be responsible for administering databases on the server. Note that database administrators are not automatically granted Manager access to databases on the server, nor do they have any access to the Web Administrator database. Users listed here have the following rights only:

Create, update, and delete Folder and Database links
Create, update, and delete directory link ACLs
Compact and delete databases
Create, update, and delete full text indexes
Create databases, replicas, and Master Templates
Get and set certain database options (e.g., in/out of service, database quotas, etc.)

Full remote console administrators Enter the names of administrators who can use the remote console to issue commands to this server.

View-only administrators Enter the names of administrators who can use the remote console to issue only those commands that provide system status information, such as SHOW TASKS and SHOW SERVER.
View-only administrators cannot issue commands that affect the server's operation.

System administrator Enter the names of administrators who are allowed to issue a full range of operating system commands to the server.
The type and range of commands depends on the server operating system. For example, administrators for a Linux® server would only be able to issue Linux commands.
Note This feature requires that you run the Domino server controller on the server machine.

Restricted system administrator Enter the names of administrators who are allowed to issue only the operating system commands that are listed in the Restricted System Commands field (see below).
Note This feature requires that you run the Domino server controller on the server machine.

Restricted system commands Enter the subset of operating system commands that Restricted System Administrators can issue. The type and range of commands depends on the server operating system and the tasks that restricted system administrators need to do.
For example, you may want to have a restricted system administrator for managing UNIX print queues. Enter the UNIX commands for managing print queues in this field. Any names you enter in the "Restricted system administrators" field will then have access to these commands only.

Administer the server from a browser (Obsolete as of Domino 6) This setting applies only to pre-Domino 6 servers for the purposes of backwards compatibility. The Domino Web Administrator client will only work with Domino 6 and later servers. In the case where an existing domain's Domino Directory is upgraded from Domino 5 to a later release, those servers that have not been upgraded will still need to have this setting in their Server documents so they can use earlier versions of the Web Administrator.

Caution Administrators who are listed in the Full Access Administrators, Administrators, and Database Administrators fields on the Security tab of a server document are allowed to delete any database on that server, even if they are not listed as managers in the database ACL.

Full access administrators

Full access administrator is the highest level of administrative access to the server. The full access administrator feature replaces the need to run a Notes client locally on a server. It resolves access control problems -- for example, such as those caused when the only managers of a database ACL have left an organization.

Full access administrators have the following rights:

All the rights as listed for all administrator access levels (see above).
Manager access, with all access privileges enabled, to all databases on the server, regardless of the database ACL settings.
Note ACL roles must still be enabled manually for full access administrators.
Manager access, with all roles and access privileges enabled, to the Web Administrator database (WEBADMIN.NSF).
Access to all documents in all databases, regardless of Reader names fields.
The ability to create agents that run in unrestricted mode with full administration rights.
Access to any unencrypted data on the server.
Note Full access administrator does not allow access to encrypted data. The use of the specified user's private key is required to decrypt documents that are encrypted with public keys. Similarly, a secret key is required to decrypt documents encrypted with secret keys.

Enabling full access administrator mode

In order to work in full access administrator mode, an administrator must:

Be using the Administrator Client.
Be listed in the Full Access Administrators field in the Administrators section of the Security tab in the Server document. By default, this field is empty.
Enable "Full Access Administration" mode in the Administrator client by selecting Administration - Full Access Administration. If this mode is not enabled, then users will not have full administrator access to the server, even if they are listed as a full access administrator in the Server document. They will instead be granted Administrator rights.

When full access administrator mode is enabled, the client's window title, tab title, and status bar indicate this. This is to remind users that they are accessing the server with the highest level of privilege and should therefore proceed with caution.

If an administrator enables full administration mode in the Administration client, this mode is also enabled for the IBM® Lotus® Domino® Designer and for the Lotus Notes clients. Full administrator access is also reflected in their window titles, tab titles, and status bars.

If a user attempts to switch to full access administrator mode, but is not listed as one in the Server document, the user is denied full access and a message appears in the status bar and on the server console. The client will be in full access mode, but that user will not have full administrator access to that particular server. If the user attempts to switch servers, that person's access is checked against the server document of the new server.

Disabling the full access administrator feature

You can disable the Full Access Administrators field by setting SECURE_DISABLE_FULLADMIN = 1 in the NOTES.INI file. This setting disables full access adminstrator privilege and overrides any names listed in that field in the Server document. This NOTES.INI parameter can only be set by a user with physical access to the server who can edit the NOTES.INI file for the server. This parameter cannot be set using the server console, the remote console, or set in the Server document.

Options for managing the full access administrator feature

There are several ways to grant full access administrator

Create a special Full Admin ID file -- for example, "Full Admin/Sales/Acme" -- and only put that name in the Full Admin field. You must then either log in with or switch to this user ID in order to gain this level of access. Optionally, you could set up this ID file to require multiple passwords.
Create an OU-level certifier for granting full administrator access, and issue additional IDs to trusted administrators -- for example, Jane Admin/Full Admin/Acme.
Leave the Full Access Administrator field empty. Add the name of a trusted individual for emergency situations, and remove it when the situation has been resolved.
Populate the Full Access Administrator field with a limited set of trusted administrators.

You can also track how this feature is used:

Configure the Event Handler to send notification through EVENTS4.NSF when full access administration privileges are invoked.
Any database activity done using full access administrator access is recorded in the database activity log, under Database Properties.
Use of the feature is logged by the server.

Related topics

Server_Restricted

The Server Controller and the Domino Console

Giving additional administrators access to the Web Administrator

Glossary

Feedback on Help or Product Usability?

Help on Help

All Help Contents

Glossary

Field	Action
Full access administrators	Enter the names of administrators who have full access to administer the server. This is the highest level of administrative privilege. For more information, see below.
Administrators	Enter the names of administrators who can administer the server. The default value for this field is the name of the administrator who initially set up the server. Administrators listed here have the following rights: Manager access to the Web Administrator database (WEBADMIN.NSF). Create, update, and delete folder and database links Create, update, and delete directory link ACLs Compact and delete databases Create, update, and delete full text indexes Create databases, replicas, and Master Templates Get and set certain database options (for example, in/out of service, database quotas, and so on) Use message tracking and track subjects Use the console to remotely administer UNIX servers Issue any remote console command Note If you are using the (Java) Server Controller and you enter a group name in this field, the group must have a group type of "Multi-purpose" to allow the administrator names to appear in the Administrators field. Note For Domino 6.0 and subsequent releases, if the Notes.ini variable Server_Restricted is used to restrict server access, administrators can still open databases on the server.
Database administrators	Enter the names of administrators who will be responsible for administering databases on the server. Note that database administrators are not automatically granted Manager access to databases on the server, nor do they have any access to the Web Administrator database. Users listed here have the following rights only: Create, update, and delete Folder and Database links Create, update, and delete directory link ACLs Compact and delete databases Create, update, and delete full text indexes Create databases, replicas, and Master Templates Get and set certain database options (e.g., in/out of service, database quotas, etc.)
Full remote console administrators	Enter the names of administrators who can use the remote console to issue commands to this server.
View-only administrators	Enter the names of administrators who can use the remote console to issue only those commands that provide system status information, such as SHOW TASKS and SHOW SERVER. View-only administrators cannot issue commands that affect the server's operation.
System administrator	Enter the names of administrators who are allowed to issue a full range of operating system commands to the server. The type and range of commands depends on the server operating system. For example, administrators for a Linux® server would only be able to issue Linux commands. Note This feature requires that you run the Domino server controller on the server machine.
Restricted system administrator	Enter the names of administrators who are allowed to issue only the operating system commands that are listed in the Restricted System Commands field (see below). Note This feature requires that you run the Domino server controller on the server machine.
Restricted system commands	Enter the subset of operating system commands that Restricted System Administrators can issue. The type and range of commands depends on the server operating system and the tasks that restricted system administrators need to do. For example, you may want to have a restricted system administrator for managing UNIX print queues. Enter the UNIX commands for managing print queues in this field. Any names you enter in the "Restricted system administrators" field will then have access to these commands only.
Administer the server from a browser (Obsolete as of Domino 6)	This setting applies only to pre-Domino 6 servers for the purposes of backwards compatibility. The Domino Web Administrator client will only work with Domino 6 and later servers. In the case where an existing domain's Domino Directory is upgraded from Domino 5 to a later release, those servers that have not been upgraded will still need to have this setting in their Server documents so they can use earlier versions of the Web Administrator.