Entitlement tracking

As of Domino 12.0, a new internal mechanism is provided for collecting the highest entitlement that individual users have across a Domino domain. When a user appears in the ACL of a database with Reader access or above and that person has the right to access the server, the user is said to be an entitled user.

For example, Dana Smith/Renovations has Author access to an expense reporting application, expenses.nsf. The server's Allow Access security setting allows */Renovations permission to access the server. Therefore Dana Smith/Renovations is considered an entitled user with Author access.

Approximately once day, each Domino 12 server scans every database on the server and collects the highest level of access for each entitled user. For example, on Server A:
  • Dana Smith/Renovations has: Author access to expenses.nsf, Reader access to AcmeSales.nsf, and Editor access to her mail file, DanaSmith.nsf.
  • Richard Smith/Renovations has: Author access to expenses.nsf and Designer access to AcmeSales.nsf.
  • Gary Smith/GS Consulting has Reader access to AcmeSales.nsf.
After completing its scan, Server A tracks that:
  • Dana Smith/Renovations is an entitled user with Editor as her highest level of access.
  • Richard Smith/Renovations is an entitled user with Designer as his highest level of access.
  • Gary Smith/GS Consulting is not an entitled user because, though he appears in a database ACL with Reader access, he does not have access to the server.

How servers track entitlement

The Domino installer installs the template: entitlementtrack.ntf. The Domino server update task works with the server to create and manage a hidden system database entitlementtrack.ncf on the server. entitlementtrack.ncf has a document for every user in the server's Domino directory to track each user's highest entitled access level. In addition to a user's highest entitled access level, each document contains corroborating facts such as the first database in which this user was found and how a user is granted the highest entitled access level. For example: "User Dana Smith/Renovations has Editor access in the database DanaSmith.nsf because she is explicitly named in the ACL." Or: "User Richard Smith/Renovations has Designer access in database AcmeSales.nsf because he is a member of the AppDesigners group which has Designer access to this database".

Who is tracked

The following users are tracked:
  • Authenticated users in a directory. Every user in all directories trusted for authentication are tracked. This may be as simple as all of the users in the Domino directory, users defined in an LDAP directory, or a combination of both. Since each server can have a unique directory configuration, each server might have a unique set of users.
  • Authenticated users that are not in a directory. If a user who is not in the directory has successfully connected to the server and accessed a database, they are added to the list of tracked users. An example of this is a cross-certified user who accesses the server over HTTP.
  • Users in the ACL that are not in the directory. If the server's security setting is unrestrictive (for example "Allow anyone to access this server") then any user with a qualifying access level in a database is considered an entitled user and tracked accordingly.

Who is not tracked

The following entities are not tracked:
  • Servers.
  • Users who cannot access the server because they are not included in a "allowed to access the server" list or because they're explicitly denied access in the "not allowed to access the server."
  • Person documents that are for routing purposes only, for example, ones with no Notes certificate and no HTTP password.

When are users tracked

Although the server scans for entitled users every day, user tracking documents are only updated in the tracking database when their entitlements change. For example, if Dana Smith/Renovations's access to her mail file changes from Editor to Manager, then her tracking document is updated on the next scan to reflect the change in entitlement. Tracking documents are also refreshed every 45 days regardless of entitlement changes to prevent data from becoming stale.

Groups, wildcards and -Default- access

Entitlements are tracked at the individual user level but Domino administrators typically use Domino groups and wildcards to control user access to servers and databases. The entitlements collector recursively expands "groups of groups" and/or "wildcards matching users" to project the entitlements for the group or wildcard on to a set of individual users. Using groups and wildcards explicitly entitles a set of users.

The use of -Default- access on the other hand can implicitly entitle many users because the -Default- access setting projects to "everyone else." For example, if the group RenovationsManagers with five members has Manager access to a database, the user Richard Smith/Renovations has explicit Editor access, and the -Default- access is Reader, then everyone with access to the server other than these six users are entitled with Reader access. If the server allows anyone with */Renovations to access the server and the configured directory has 1,705 Renovations users, then this ACL default entitles 1,700 users with Reader access. In general, -Default- access should be used with great care.

Summarizing entitlements at the Domain level

The entitlement data collected daily by each Domino server in a domain is also aggregated for the entire domain on the domain administration server. The directory catalog task manages the synchronization process and the combined entitlement tracking data from each server is aggregated into an entitlements.nsf database on the administration server. The administration server has both its own entitlement tracking database (entitlementtrack.ncf) and the aggregate tracking information for all of the servers in the domain (entitlements.nsf). The administration server identifies the highest level of access for each user in the domain and stores which server has the highest access level for a particular user as well as the other corroborating information like which database and how the user is entitled.

How the entitlement information is used

The entitlement information is collected to help Domino customers monitor their environments. This data is not collected by HCL in any way nor is it used to control server access in any way. The only information you may be asked by HCL to provide is the "entitlement report" which contains the total number of entitlements by access level, for example:
Entitlement Summary for 3/10/2010
	Manager         13
	Designer         7
	Editor         234
	Author        1200
	Reader        2400
	==================
	Total	    3834

How you can use this information

The information in the entitlement summary can be extremely useful in understanding how many users you have with different access levels and which servers, databases, ACLs and permissions are contributing to these numbers. By default, these databases have access restricted to LocalDomainAdmins but since this is your data you can manage access to it in any way you see fit with the following caveats:
  • Do not delete the entitlement collector databases or the collector summary database unless instructed to do so by HCL Support.
  • Do not modify the design or alter the template in any way.
  • The database and collection services are offered "as is" and the structure of the database and the data collection process can be changed by HCL in subsequent releases of the product.