Extracting an ID file from a vault

A vault administrator assigned to the Auditor role in the vault database ACL can extract an ID from a vault to gain access to a user's encrypted data. A copy of the ID remains in the vault after extraction.

Procedure

  1. Open the People & Groups tab of the Domino® Administrator, and select the Person document of the user whose ID will be extracted. If the ID is for an inactive user, select any Person document.
  2. Click Tools > ID Vaults > Extract ID From Vault.
  3. If the ID is for an inactive user, type the hierarchical name of the user.
  4. If the name of the vault that holds the user ID is not filled in for you, type in the vault name. The name of the vault is filled in if the user's effective policy refers to it.
  5. Click OK.
  6. Specify a local file location for the copy of the ID file.
  7. Provide a new password when prompted.

Results

An auditor can use the extracted ID file to access a user's applications on a server if the security setting Check passwords on Notes IDs is disabled. If this setting is enabled, audits should be done on local, client-based copies of applications instead because the password for the extracted ID does not match the password on the user's copy.

You can disable the Auditor role capability using the NOTES.INI setting SECURE_DISABLE_AUDITOR=1. You must edit the NOTES.INI file directly on the server.
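
To verify the setting on a server, the following added example (not HCL code) classifies the text of a NOTES.INI file by its SECURE_DISABLE_AUDITOR entries. It assumes the setting name is matched case-insensitively, that only the value 1 disables the capability, and that a missing entry means the capability is not disabled. The function name and sample file contents are constructed for illustration.

```python
SETTING = "SECURE_DISABLE_AUDITOR"  # setting name as given on this page


def auditor_extraction_state(ini_text):
    """Classify NOTES.INI text by its SECURE_DISABLE_AUDITOR entries.

    Returns (state, values), where state is one of:
      "disabled"  - every occurrence has the value 1
      "enabled"   - setting absent, or no occurrence has the value 1
      "ambiguous" - duplicate entries disagree; clean up the file by hand
    """
    values = []
    for raw in ini_text.lstrip("\ufeff").splitlines():  # tolerate a BOM
        line = raw.strip()
        if not line or line.startswith("[") or "=" not in line:
            continue  # blank line, section header, or malformed line
        key, _, value = line.partition("=")
        # Assumption: compare the name case-insensitively, ignoring padding.
        if key.strip().upper() == SETTING:
            values.append(value.strip())
    hits = [v == "1" for v in values]
    if values and all(hits):
        return "disabled", values
    if not any(hits):
        return "enabled", values
    return "ambiguous", values


# Constructed sample contents, not taken from a real server.
SAMPLE_HARDENED = "[Notes]\nDirectory=/local/notesdata\nSECURE_DISABLE_AUDITOR=1\n"
SAMPLE_DEFAULT = "[Notes]\nDirectory=/local/notesdata\n"
SAMPLE_CONFLICT = SAMPLE_HARDENED + "secure_disable_auditor=0\n"

if __name__ == "__main__":
    for name, text in [("hardened", SAMPLE_HARDENED),
                       ("default", SAMPLE_DEFAULT),
                       ("conflict", SAMPLE_CONFLICT)]:
        state, found = auditor_extraction_state(text)
        print(f"{name}: {state} (values found: {found})")
```

Run it against a copy of the server's NOTES.INI by passing the file's text to auditor_extraction_state; an "ambiguous" result means the file contains conflicting entries and should be reviewed manually.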