Setting up ACLs for the Administration Process

Each administrator who uses the Administration Process to perform tasks must have the appropriate access levels and roles in the Domino® Directory (NAMES.NSF), in any secondary directories, in the Administration Requests database (ADMIN4.NSF), and in the Certification Log database (CERTLOG.NSF).

The simplest way to give administrators the access they need, without granting more than the Administration Process requires, is to assign these minimum levels:

  • For the Domino® Directory, create an administrator group of type Person Group with Editor access, and list the administrators in the group.
  • For the Administration Requests database, give administrators Author access. If an administrator will be approving requests, give Editor access.
  • For the Certification Log database, give administrators Author with Create documents access.
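The following LotusScript agent is an added example, not code from this page or from HCL: it audits the three databases above for the minimum access just listed and reports any shortfall, and also any entry above Editor, which the Administration Process never needs. It uses NotesDatabase.QueryAccess, QueryAccessPrivileges and QueryAccessRoles, which resolve group membership through the server's directory, so the name checked can be the administrator group itself or a user who appears only as a group member. The server name CN=Hub01/O=Acme, the group LocalDomainAdmins and the user CN=Jane Doe/O=Acme are hypothetical placeholders.

```lotusscript
Option Public
Option Declare
%Include "lsconst.lss"   ' ACLLEVEL_* and DBACL_* constants

' Hypothetical names for this example; substitute your own server and group.
Const ADMIN_SERVER = "CN=Hub01/O=Acme"
Const ADMIN_GROUP = "LocalDomainAdmins"

' ACLLEVEL_NOACCESS .. ACLLEVEL_MANAGER are 0 .. 6 in this order.
Function LevelName(lvl As Integer) As String
	Dim names As Variant
	names = Split("No Access,Depositor,Reader,Author,Editor,Designer,Manager", ",")
	If lvl >= 0 And lvl <= 6 Then LevelName = names(lvl) Else LevelName = "Unknown"
End Function

' True when the wanted role is in the role list; brackets are ignored so
' "UserModifier" and "[UserModifier]" compare equal.
Function HasRole(roles As Variant, wanted As String) As Boolean
	Dim w As String
	w = LCase(Replace(Replace(wanted, "[", ""), "]", ""))
	HasRole = False
	ForAll r In roles
		If LCase(Replace(Replace(CStr(r), "[", ""), "]", "")) = w Then HasRole = True
	End ForAll
End Function

' Compares one name's effective access to a database with a requirement
' written the way the table below expresses them: a minimum level, whether
' Delete documents must be enabled, and a role that is required only when the
' level is exactly Author (Editor access on its own satisfies those rows).
' Editor and above always carry Create documents, so that option is checked
' only at Author level; Delete documents is a separate option at every level
' from Author to Manager, so it is checked whenever the task needs it.
Function CheckAccess(session As NotesSession, path As String, who As String, _
	minLevel As Integer, needDelete As Boolean, authorRole As String) As String
	Dim db As NotesDatabase
	Dim lvl As Integer, privs As Long, roles As Variant, problems As String
	Set db = session.GetDatabase(ADMIN_SERVER, path)
	If Not db.IsOpen Then
		CheckAccess = path & ": cannot open on " & ADMIN_SERVER
		Exit Function
	End If
	' These three methods resolve group membership on a server replica, so
	' "who" may be a user who is only listed in the ACL through a group.
	lvl = db.QueryAccess(who)
	privs = db.QueryAccessPrivileges(who)
	roles = db.QueryAccessRoles(who)
	problems = ""
	If lvl < minLevel Then problems = problems & " level is " & LevelName(lvl) & ", need " & LevelName(minLevel) & ";"
	If lvl = ACLLEVEL_AUTHOR Then
		If (privs And DBACL_CREATE_DOCS) = 0 Then problems = problems & " Create documents not enabled;"
		If authorRole <> "" And Not HasRole(roles, authorRole) Then problems = problems & " role " & authorRole & " not enabled;"
	End If
	If needDelete And ((privs And DBACL_DELETE_DOCS) = 0) Then problems = problems & " Delete documents not enabled;"
	' Designer or Manager for a day-to-day administrator exceeds what the
	' Administration Process needs; report it so it can be reviewed.
	If lvl > ACLLEVEL_EDITOR Then problems = problems & " exceeds Editor (" & LevelName(lvl) & ");"
	If problems = "" Then
		CheckAccess = path & " for " & who & ": OK (" & LevelName(lvl) & ")"
	Else
		CheckAccess = path & " for " & who & ": REVIEW -" & problems
	End If
End Function

Sub Initialize
	Dim session As New NotesSession
	' The minimum set from the list above: Editor in the Domino Directory,
	' Author with Create documents in ADMIN4.NSF (Editor for approvers and for
	' re-running a failed request), Author with Create documents in CERTLOG.NSF.
	Print CheckAccess(session, "names.nsf", ADMIN_GROUP, ACLLEVEL_EDITOR, False, "")
	Print CheckAccess(session, "admin4.nsf", ADMIN_GROUP, ACLLEVEL_AUTHOR, False, "")
	Print CheckAccess(session, "certlog.nsf", ADMIN_GROUP, ACLLEVEL_AUTHOR, False, "")
	' A task-specific check: deleting a user needs Author with Delete documents
	' and the UserModifier role, or Editor with Delete documents. The name is a
	' hypothetical administrator who may be present only through the group.
	Print CheckAccess(session, "names.nsf", "CN=Jane Doe/O=Acme", ACLLEVEL_AUTHOR, True, "UserModifier")
End Sub
```

Run the agent on the administration server rather than against local replicas: QueryAccess and its companions consult the server's directory to expand groups, so against a local replica a user listed only via a group is reported as -Default- access. The Delete documents check is deliberate: an administrator at Editor level without that option can edit Person documents but cannot delete them, so the Delete users tasks in the table fail even though the level looks sufficient.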

The following table lists the access each task requires. If a request fails, the administrator must have Editor access in the ACL of the Administration Requests database to reissue it.

Note: If extended ACLs are enabled and you have restricted who can modify documents for an organization, an administration request initiated by anyone not named in the extended ACL fails, even when the database ACL alone would allow it.
Table 1. Access for administrators to run Administration Process tasks

Each task below lists the access the administrator needs in the Domino® Directory, in the Administration Requests database (ADMIN4.NSF), and in any other databases involved.

Add a resource to or delete a resource from the Resource Reservations database
  Domino® Directory: None. However, the Administration Process updates the Domino® Directory to reflect the change.
  ADMIN4.NSF: Author with Create documents access
  Other databases: CreateResource role in the Resource Reservations database

Add group
  Domino® Directory: Author with Create documents access and the GroupModifier role
  ADMIN4.NSF: Author with Create documents access

Add users to group
  Domino® Directory: Author access with the GroupModifier role. If the administrator has access greater than Author, that access is sufficient.

Add servers to and remove servers from a cluster
  Domino® Directory: one of these:
    • Author access and the ServerModifier role
    • Editor access
  ADMIN4.NSF: Author with Create documents access
  Other databases: None

Approve a request to move a user name to another hierarchy
  Domino® Directory: one of these:
    • Author with Create documents access and the UserModifier or ServerModifier role
    • Editor access
  ADMIN4.NSF: Editor access
  Other databases: Author with Create documents access to the Certification Log

Approve the deletion of a resource from the Resource Reservations database
  Domino® Directory: Delete documents access
  ADMIN4.NSF: Editor access
  Other databases: None

Create mail files automatically during user registration
  Domino® Directory: Author access and the UserCreator role
  ADMIN4.NSF: Author with Create documents access
  Other databases: Create new database access on the registration server

Create replicas of databases
  Domino® Directory: No requirement
  ADMIN4.NSF: Author with Create documents access
  Other databases: all of these:
    • Create replica access to the destination server
    • Reader access to the database on the source server
    • In addition, the source server must have Create replica access to the destination server, and the destination server must have Reader access to one replica of the database.

Delete group
  Domino® Directory: one of these:
    • Author with Delete documents access and the GroupModifier role
    • Editor access
  ADMIN4.NSF: Author with Create documents access
  Other databases: None

Delete servers
  Domino® Directory: one of these:
    • Author with Delete documents access and the ServerModifier role
    • Editor access
  ADMIN4.NSF: Author with Create documents access
  Other databases: None

Delete users*
  Domino® Directory: one of these:
    • Author with Delete documents access and the UserModifier role
    • Editor access
  ADMIN4.NSF: Author with Create documents access
  Other databases: None

Delete users and their mail files; delete users and their private design elements
  Note: To delete the user from Active Directory as well, the Delete Person request must be made from a computer running Active Directory, and the initiator must be an Active Directory administrator with rights to delete user accounts.
  Domino® Directory: one of these:
    • Author with Delete documents access and the UserModifier role
    • Editor with Delete documents access
  ADMIN4.NSF: Editor access
  Other databases: None

Enable password-checking during authentication
  Domino® Directory: Editor access
  ADMIN4.NSF: Author with Create documents access
  Other databases: None

Find name
  Domino® Directory: Editor access with the UserModifier role
  ADMIN4.NSF: None
  Other databases: None

Move replicas from a cluster server
  Domino® Directory: None
  ADMIN4.NSF: Author with Create documents access
  Other databases: both of these:
    • The same access as for Create replicas of databases
    • Manager access to the original database

Move replicas from a non-clustered server
  Domino® Directory: None
  ADMIN4.NSF: Editor access
  Other databases: both of these:
    • The same access as for Create replicas of databases
    • Manager access to the original database

Move user to another server
  Domino® Directory: one of these:
    • Author access and the UserModifier role
    • Editor access
  ADMIN4.NSF: Editor access
  Other databases: Create replica access on the new mail server. In addition, the old mail server must have Create replica access to the new mail server, and the person whose mail file is being moved must be running a Notes® Release 5 or later client.

Recertify user IDs and server IDs
  Domino® Directory: one of these:
    • Author with Create documents access and the UserModifier or ServerModifier role
    • Editor access
  ADMIN4.NSF: Author with Create documents access
  Other databases: Author with Create documents access to the Certification Log

Register user
  Domino® Directory: Author with Create documents access and the UserCreator role
  ADMIN4.NSF: Author with Create documents access, if the Administration Process is used for background processing
  Other databases:
    • If creating mail files or roaming files, Create database access on the mail server and/or roaming server, accordingly.
    • If creating replicas, Create replica access on the replica servers.
    • If CERTLOG.NSF resides on the registration server, Create documents access to CERTLOG.NSF.

Remove all replicas of a database
  Domino® Directory: None
  ADMIN4.NSF: None
  Other databases: None

Rename users and convert users and servers to hierarchical naming
  Domino® Directory: one of these:
    • Author with Create documents access and the UserModifier or ServerModifier role
    • Editor access
  ADMIN4.NSF: Author with Create documents access
  Other databases: Author with Create documents access to the Certification Log

Sign database
  Domino® Directory: None
  ADMIN4.NSF: None
  Other databases: None

Specify the Master Address Book name in Server documents
  Domino® Directory: one of these:
    • Author access with the ServerModifier role
    • Editor access
  ADMIN4.NSF: Author with Create documents access
  Other databases: None

Add Internet certificate
  Domino® Directory: Editor access
  ADMIN4.NSF: Author with Create documents access
  Other databases: None

Update client information in Person record
  Domino® Directory: None
  ADMIN4.NSF: None
  Other databases: None