SECURITY
Administrator access rights are granted hierarchically. The privilege hierarchy looks like this:
To restrict administrator access
1. From the IBM® Lotus® Domino® Administrator, click the Configuration tab, and open the Server document.
2. Click the Security tab.
3. In the Administrators section, complete one or more of these fields, and then save the document.
Note With the exception of the Administrators field, all of these fields are blank by default, meaning that no one has these access rights.
Note For Domino 6.0 and subsequent releases, if the Notes.ini variable Server_Restricted is used to restrict server access, administrators can still open databases on the server.
View-only administrators cannot issue commands that affect the server's operation.
The type and range of commands depends on the server operating system. For example, administrators for a Linux® server would only be able to issue Linux commands.
Note This feature requires that you run the Domino server controller on the server machine.
For example, you may want to have a restricted system administrator for managing UNIX print queues. Enter the UNIX commands for managing print queues in this field. Any names you enter in the "Restricted system administrators" field will then have access to these commands only.
Full access administrators
Full access administrator is the highest level of administrative access to the server. The full access administrator feature replaces the need to run a Notes client locally on a server. It resolves access control problems -- for example, such as those caused when the only managers of a database ACL have left an organization.
Full access administrators have the following rights:
Note ACL roles must still be enabled manually for full access administrators.
Note Full access administrator does not allow access to encrypted data. The use of the specified user's private key is required to decrypt documents that are encrypted with public keys. Similarly, a secret key is required to decrypt documents encrypted with secret keys.
In order to work in full access administrator mode, an administrator must:
If an administrator enables full administration mode in the Administration client, this mode is also enabled for the IBM® Lotus® Domino® Designer and for the Lotus Notes clients. Full administrator access is also reflected in their window titles, tab titles, and status bars.
If a user attempts to switch to full access administrator mode, but is not listed as one in the Server document, the user is denied full access and a message appears in the status bar and on the server console. The client will be in full access mode, but that user will not have full administrator access to that particular server. If the user attempts to switch servers, that person's access is checked against the server document of the new server.
Disabling the full access administrator feature
You can disable the Full Access Administrators field by setting SECURE_DISABLE_FULLADMIN = 1 in the NOTES.INI file. This setting disables full access adminstrator privilege and overrides any names listed in that field in the Server document. This NOTES.INI parameter can only be set by a user with physical access to the server who can edit the NOTES.INI file for the server. This parameter cannot be set using the server console, the remote console, or set in the Server document.
Options for managing the full access administrator feature
There are several ways to grant full access administrator