SECURITY
If users in your environment are certified under different organizations or organizational units, you will need to decide how to implement vault trust. For example, if you have an organizational certifier and multiple organizational unit certifiers below it, decide which of those certifiers should issue Vault Trust Certificates.
For example, assume the Acme company uses the organization certifier /Acme and three organizational unit certifiers /Dallas/Acme, /NewYork/Acme, and /Shanghai/Acme. All the users are registered in one Domino Domain and will use the same vault. In this case, the /Acme certifier could issue one Vault Trust Certificate. However, perhaps /Acme doesn't want to store the IDs of /Shanghai/Acme users in the vault because those users are registered in a different Domino Domain and will use a different vault. The /Dallas/Acme and /NewYork/Acme certifiers, rather than the /Acme certifier, could each issue a Vault Trust Certificate, preventing IDs certified under /Shanghai/Acme (as well as under /Acme) from using the vault.
Note: Vault Trust Certificates determine which IDs are allowed in a vault; policy configuration determines which IDs are actually stored there.
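The Acme scenario above can be checked before any certificates are issued. The following is an added planning sketch, not Domino code or part of the original documentation: it models the rule as this page describes it (an ID is allowed in the vault when the certifier that issued a Vault Trust Certificate is at or above the ID in the name hierarchy), assumes abbreviated hierarchical names, and uses constructed user names. It answers only the "allowed" question; what is actually stored still depends on policy configuration.

```python
# Added illustration of the vault-trust rule described on this page.
# Function names and sample users are constructed for the example.

def components(name):
    """Split 'Ann Lee/Dallas/Acme' or '/Dallas/Acme' into lowercase parts."""
    return [p.strip().lower() for p in name.split("/") if p.strip()]

def certified_under(user, certifier):
    """True if the user's ID sits below the certifier in the hierarchy.

    Comparison is per component, so '/Acme' never matches '/NotAcme'.
    The user's first component is the common name, so the user name must
    be longer than the certifier name.
    """
    u, c = components(user), components(certifier)
    return bool(c) and len(u) > len(c) and u[-len(c):] == c

def allowed_in_vault(user, issuers):
    """True if any certifier that issued a Vault Trust Certificate covers the ID."""
    return any(certified_under(user, c) for c in issuers)

def plan(users, issuers):
    """Return (allowed, excluded) user lists for a proposed set of issuers."""
    allowed = sorted(u for u in users if allowed_in_vault(u, issuers))
    excluded = sorted(u for u in users if not allowed_in_vault(u, issuers))
    return allowed, excluded

# Constructed sample users for the Acme example.
USERS = [
    "Ann Lee/Dallas/Acme",
    "Raj Patel/NewYork/Acme",
    "Li Wei/Shanghai/Acme",
    "Pat Root/Acme",          # certified directly by /Acme
]

if __name__ == "__main__":
    for issuers in (["/Acme"], ["/Dallas/Acme", "/NewYork/Acme"]):
        allowed, excluded = plan(USERS, issuers)
        print("Issuers:", ", ".join(issuers))
        print("  allowed :", allowed)
        print("  excluded:", excluded)
```

Running the plan against the real user list for each candidate set of issuing certifiers shows which IDs would be excluded before the trust decision is made.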