HCL Domino Ideas Portal

Welcome to the #dominoforever Product Ideas Forum! The place where you can submit product ideas and enhancement requests. We encourage you to participate by voting on, commenting on, and creating new ideas. All new ideas will be evaluated by HCL Product Management & Engineering teams, and the next steps will be communicated. While not all submitted ideas will be executed upon, community feedback will play a key role in influencing which ideas are implemented and when.

For more information and upcoming events around #dominoforever, please visit our Destination Domino Page

Status Needs Clarification
Workspace Domino
Categories Security
Created by Guest
Created on Nov 7, 2019

Find a way to prevent ACL changes even with Full Access Admin invoked.

Find a way to prevent ACL changes even with Full Access Admin invoked.
OR
Find a way of not allowing changes made to the ACL on a spoke server to replicate out to all the other servers.

  • Guest
    Jan 8, 2020

    My guess for why scenario is something like:

    If you are an admin/editor of the directory with the server modify role, you can edit the server doc and add yourself to full access. This is how we get that wonderful "sudo" root type access I love for those frustrating moments.

    I have been at businesses who, for very knowledgeable regulatory auditors who don't know technology but can spin the English language, have forced the admins to add the SECURE_DISABLE_FULLADMIN=1 notes.ini to block this wonderful feature. When the Domino environment logs that I have sudo, it seems to me, we have the needed legal discovery and audit history. However, auditors and lawyers know what's most efficient for the human race. <sarc> Besides, why fix an ACL the 15 second way, when you can spend a massive amount of effort and time to take it off site, to a "secure recovery firm" to put it on their Domino server for 15 seconds, use this "sudo" feature, add the entry, and send it back to you --- saving you from that terrible mistake for a very reasonable $5,000.00 fee. Or, they can pretend they cannot do that, and instead export the data to flat-files for much more, and let you think they saved you for less than $50,000.

    INI from the Domino documentation:

    You can disable the Full Access Administrators field by setting SECURE_DISABLE_FULLADMIN = 1 in the NOTES.INI file. This setting disables full access administrator privilege and overrides any names listed in that field in the Server document. This NOTES.INI parameter can only be set by a user with physical access to the server who can edit the ...

  • Admin
    Thomas Hampel
    Jan 7, 2020

    What type of problem are you trying to solve?

  • Guest
    Nov 15, 2019

    And/or provide better logging of the use of Full Access Admin and which changes were made to the ACL.

    And improve the tools for setting up alarms for ACL changes.

  • Guest
    Nov 7, 2019

    Or: just use the existing restriction to WHO is able to use full access administration ;-)