Entitlement tracking

As of Domino 12.0, a new internal mechanism is provided for collecting the highest entitlement that individual users have across a Domino domain. When a user appears in the ACL of a database with Reader access or above and that person has the right to access the server, the user is said to be an entitled user.

For example, Dana Smith/Renovations has Author access to an expense reporting application, expenses.nsf. The server's Allow Access security setting allows */Renovations permission to access the server. Therefore Dana Smith/Renovations is considered an entitled user with Author access.

Approximately once a day, each Domino 12 server scans every database on the server and collects the highest level of access for each entitled user. For example, on Server A:
  • Dana Smith/Renovations has: Author access to expenses.nsf, Reader access to AcmeSales.nsf, and Editor access to her mail file, DanaSmith.nsf.
  • Richard Smith/Renovations has: Author access to expenses.nsf and Designer access to AcmeSales.nsf.
  • Gary Smith/GS Consulting has Reader access to AcmeSales.nsf.
After completing its scan, Server A tracks that:
  • Dana Smith/Renovations is an entitled user with Editor as her highest level of access.
  • Richard Smith/Renovations is an entitled user with Designer as his highest level of access.
  • Gary Smith/GS Consulting is not an entitled user because, though he appears in a database ACL with Reader access, he does not have access to the server.

How servers track entitlement

The Domino installer installs the template entitlementtrack.ntf. The Domino server update task works with the server to create and manage a hidden system database, entitlementtrack.ncf, on the server. entitlementtrack.ncf has a document for every tracked user that records the user's highest entitled access level. Each document also contains corroborating facts: the first database in which the user was found with that level, and how the user is granted it. For example: "User Dana Smith/Renovations has Editor access in the database DanaSmith.nsf because she is explicitly named in the ACL." Or: "User Richard Smith/Renovations has Designer access in database AcmeSales.nsf because he is a member of the AppDesigners group, which has Designer access to this database." As of 12.0.2, each document also records the last date/time that the user authenticated with a tracked server and the protocol used for that connection, as shown in the following example.

Table 1. Sample entitlement tracker data

Name                     | Highest Access | Granted in Database (Server)   | Granted by ACL Entry              | Last Access     | Type
Aaliyah Click/Guitars    | Editor         | mail3/aclick.nsf (MusicMan)    | Aaliyah Click/Guitars (Explicit)  | 8/10/2022 16:14 | HTTP
Alexander School/Guitars | Manager        | cscancfg.nsf (Gibson)          | LocalDomainAdmins (Group)         | 7/28/2022 9:03  | HTTP
Alexis Rose/Guitars      | Editor         | mail2/arose.nsf (MusicMan)     | Alexis Rose/Guitars (Explicit)    | 8/10/2022 8:54  | NRPC
Amy Andrews/Guitars      | Manager        | specs/NewFeatures.nsf (Fender) | LocalDomainAdmins (Group)         | 7/24/2022 0:00  | NRPC
Autumn Blakely/Guitars   | Editor         | mail4/arose.nsf (Gibson)       | Autumn Blakely/Guitars (Explicit) | 8/4/2022 19:39  | LDAP
Barack Wall/Guitars      | Editor         | mail1/bwall.nsf (Gibson)       | Barack Wall/Guitars (Explicit)    | 7/24/2022 0:00  | NRPC
Boyd Webber/Guitars      | Editor         | mail1/bwebber.nsf (Fender)     | Boyd Webber/Guitars (Explicit)    | 8/10/2022 8:54  | NRPC

Who is tracked

The following users are tracked:
  • Authenticated users in a directory. Every user in every directory trusted for authentication is tracked. This may be as simple as all of the users in the Domino directory, users defined in an LDAP directory, or a combination of both. Since each server can have a unique directory configuration, each server might have a unique set of users.
  • Authenticated users that are not in a directory. If a user who is not in the directory has successfully connected to the server and accessed a database, they are added to the list of tracked users. An example of this is a cross-certified user who accesses the server over HTTP.
  • Users in the ACL that are not in the directory. If the server's security setting is unrestrictive (for example "Allow anyone to access this server") then any user with a qualifying access level in a database is considered an entitled user and tracked accordingly.

Who is not tracked

The following entities are not tracked:
  • Servers.
  • Users who cannot access the server because they are not included in the "allowed to access the server" list or because they are explicitly named in the "not allowed to access the server" list.
  • Person documents that are for routing purposes only, for example, ones with no Notes certificate and no HTTP password.

When are users tracked

Although the server scans for entitled users every day, user tracking documents are only updated in the tracking database when their entitlements change. For example, if Dana Smith/Renovations's access to her mail file changes from Editor to Manager, then her tracking document is updated on the next scan to reflect the change in entitlement.

Groups, wildcards and -Default- access

Entitlements are tracked at the individual user level but Domino administrators typically use Domino or LDAP groups and wildcards to control user access to servers and databases. The entitlements collector recursively expands "groups of groups" and/or "wildcards matching users" to project the entitlements for the group or wildcard on to a set of individual users. Using groups and wildcards explicitly entitles a set of users.

The use of -Default- access, on the other hand, can implicitly entitle many users because the -Default- setting applies to "everyone else." For example, if the group RenovationsManagers with five members has Manager access to a database, the user Richard Smith/Renovations has explicit Editor access, and the -Default- access is Reader, then everyone with access to the server other than these six users is entitled with Reader access. If the server allows anyone with */Renovations to access the server and the configured directory has 1,705 Renovations users, then this -Default- entry entitles the remaining 1,699 users with Reader access. In general, -Default- access should be used with great care.

Note: If the -Default- ACL entry that ships with a Domino system database allows access, that entry is not considered an entitlement and is excluded from processing. For example, Domino help databases ship with -Default- ACL entries that allow Reader access and therefore those -Default- ACL entries are excluded from processing.
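The scan described above (the Server A example, the projection of groups, wildcards and -Default- onto individual users, and the rule that a tracking document is rewritten only when an entitlement changes) as an added Python model. This is illustrative code written for this page, not HCL's implementation and not the Notes/Domino API: servers, groups and ACLs are plain dictionaries holding constructed sample data, and the precedence rules (an explicit ACL entry wins over group and wildcard entries, "not allowed" wins over "allowed", a blank "allowed" list means anyone can access the server) are the standard Domino rules in simplified form. It also goes beyond the page's example by tolerating cycles in groups of groups.

```python
from fnmatch import fnmatchcase

# Domino ACL levels, lowest to highest; Reader or above counts as an entitlement.
LEVELS = ["No Access", "Depositor", "Reader", "Author", "Editor", "Designer", "Manager"]
RANK = {level: i for i, level in enumerate(LEVELS)}

def matches(entry, user, groups, _seen=None):
    """True if an ACL or access-list entry names the user explicitly, by a
    wildcard such as */Renovations, or through (nested) group membership.
    Groups of groups are expanded recursively; cycles are tolerated."""
    if entry == user:
        return True
    if "*" in entry:
        return fnmatchcase(user, entry)
    if entry in groups:
        seen = _seen if _seen is not None else set()
        if entry in seen:
            return False
        seen.add(entry)
        return any(matches(m, user, groups, seen) for m in groups[entry])
    return False

def can_access_server(user, server, groups):
    """'Not allowed' wins over 'allowed'; an empty allowed list means anyone
    may access the server (simplified model of the Server document settings)."""
    if any(matches(e, user, groups) for e in server["deny"]):
        return False
    return not server["allow"] or any(matches(e, user, groups) for e in server["allow"])

def access_in_db(user, acl, groups):
    """Highest level the user holds in one ACL, and the entry granting it.
    An explicit entry wins over group/wildcard entries; -Default- applies
    only to users matched by no other entry."""
    if user in acl:
        return acl[user], f"{user} (Explicit)"
    best = None
    for entry, level in acl.items():
        if entry == "-Default-" or not matches(entry, user, groups):
            continue
        if best is None or RANK[level] > RANK[best[0]]:
            best = (level, f"{entry} ({'Wildcard' if '*' in entry else 'Group'})")
    return best or (acl.get("-Default-", "No Access"), "-Default-")

def scan_server(server, groups, directory_users):
    """Return {user: (highest level, database, granted by)} for entitled users.
    Candidates are directory users plus individual names found in ACLs (these
    matter when the server's allowed list is unrestricted)."""
    candidates = set(directory_users)
    for acl in server["databases"].values():
        candidates.update(e for e in acl
                          if "*" not in e and e != "-Default-" and e not in groups)
    result = {}
    for user in sorted(candidates):
        if not can_access_server(user, server, groups):
            continue
        best = None
        for db, acl in server["databases"].items():
            level, how = access_in_db(user, acl, groups)
            # Strict '>' keeps the first database that grants the highest level.
            if RANK[level] >= RANK["Reader"] and (best is None or RANK[level] > RANK[best[0]]):
                best = (level, db, how)
        if best:
            result[user] = best
    return result

def changed_entitlements(previous, current):
    """Users whose tracking document needs rewriting after a scan: new,
    changed, or no longer entitled. Everyone else is left untouched."""
    return {u for u in set(previous) | set(current) if previous.get(u) != current.get(u)}

# Constructed sample data for the Server A example above.
GROUPS = {"AppDesigners": ["Richard Smith/Renovations"]}
DIRECTORY = ["Dana Smith/Renovations", "Richard Smith/Renovations"]
SERVER_A = {
    "allow": ["*/Renovations"], "deny": [],
    "databases": {
        "expenses.nsf": {"Dana Smith/Renovations": "Author",
                         "Richard Smith/Renovations": "Author", "-Default-": "No Access"},
        "AcmeSales.nsf": {"Dana Smith/Renovations": "Reader", "AppDesigners": "Designer",
                          "Gary Smith/GS Consulting": "Reader", "-Default-": "No Access"},
        "DanaSmith.nsf": {"Dana Smith/Renovations": "Editor", "-Default-": "No Access"},
    },
}

def default_access_example(n_users=1705):
    """The -Default- scenario: RenovationsManagers (5 members) as Manager, Richard
    Smith as explicit Editor, -Default- Reader, server open to */Renovations.
    User names and the database name projects.nsf are constructed."""
    users = ["Richard Smith/Renovations"] + [f"User{i}/Renovations" for i in range(n_users - 1)]
    groups = {"RenovationsManagers": users[1:6]}
    server = {"allow": ["*/Renovations"], "deny": [], "databases": {"projects.nsf": {
        "RenovationsManagers": "Manager", "Richard Smith/Renovations": "Editor",
        "-Default-": "Reader"}}}
    return scan_server(server, groups, users)
```

Running scan_server on SERVER_A reproduces the tracked results above: Dana is Editor via DanaSmith.nsf, Richard is Designer via the AppDesigners group, and Gary is absent because the allowed list */Renovations does not match him. default_access_example() shows why -Default- needs care: of 1,705 users, 5 are Manager, 1 is Editor and the other 1,699 are Reader entitlements created by a single ACL entry.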

Summarizing entitlements at the Domain level

The entitlement data collected daily by each Domino server in a domain is also aggregated for the entire domain on the domain administration server. The directory catalog task manages the synchronization process and the combined entitlement tracking data from each server is aggregated into an entitlements.nsf database on the administration server. The administration server has both its own entitlement tracking database (entitlementtrack.ncf) and the aggregate tracking information for all of the servers in the domain (entitlements.nsf). The administration server identifies the highest level of access for each user in the domain and stores which server has the highest access level for a particular user as well as the other corroborating information like which database and how the user is entitled.
Note: The History view in entitlements.nsf includes a Snapshot button. Click this button to generate a document that summarizes the current total number of entitlements by access level, based on current data. Domino runs this same action automatically once per week so that there is a historical record of changes to entitlement.

How the entitlement information is used

The entitlement information is collected to help Domino customers monitor their environments. This data is not collected by HCL in any way nor is it used to control server access in any way. The only information you may be asked by HCL to provide is the "entitlement report" which contains the total number of entitlements by access level, for example:
Entitlement Summary for 3/10/2010
	Manager         13
	Designer         7
	Editor         234
	Author        1200
	Reader        2400
	==================
	Total         3854
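The domain-level roll-up and the entitlement report described above, as an added Python model. This is illustrative code written for this page, not HCL's implementation: its input is the per-server result shape {server: {user: (level, database, granted by)}} that a per-server scan would produce, and the server names, databases and counts are constructed sample data.

```python
LEVELS = ["No Access", "Depositor", "Reader", "Author", "Editor", "Designer", "Manager"]
RANK = {level: i for i, level in enumerate(LEVELS)}
# Levels that count as entitlements, in the order the report lists them.
ENTITLED = ["Manager", "Designer", "Editor", "Author", "Reader"]

def aggregate_domain(per_server):
    """Highest access per user across the domain, remembering which server,
    database and ACL entry grant it. Ties keep the first server in sorted order."""
    domain = {}
    for server in sorted(per_server):
        for user, (level, database, granted_by) in per_server[server].items():
            current = domain.get(user)
            if current is None or RANK[level] > RANK[current["level"]]:
                domain[user] = {"level": level, "server": server,
                                "database": database, "granted_by": granted_by}
    return domain

def snapshot(domain, date):
    """Totals by access level: the content of a weekly snapshot document."""
    counts = {level: 0 for level in ENTITLED}
    for entry in domain.values():
        counts[entry["level"]] += 1
    return {"date": date, "counts": counts, "total": sum(counts.values())}

def format_report(snap):
    """Render a snapshot in the layout of the entitlement report above."""
    lines = [f"Entitlement Summary for {snap['date']}"]
    lines += [f"\t{level:<10}{n:>8}" for level, n in snap["counts"].items()]
    lines += ["\t" + "=" * 18, f"\t{'Total':<10}{snap['total']:>8}"]
    return "\n".join(lines)

# Constructed sample: the same user may be entitled on several servers.
PER_SERVER = {
    "ServerA/Renovations": {
        "Dana Smith/Renovations": ("Editor", "DanaSmith.nsf", "Dana Smith/Renovations (Explicit)"),
        "Richard Smith/Renovations": ("Designer", "AcmeSales.nsf", "AppDesigners (Group)"),
    },
    "ServerB/Renovations": {
        "Dana Smith/Renovations": ("Manager", "projects.nsf", "ProjectAdmins (Group)"),
        "Richard Smith/Renovations": ("Reader", "projects.nsf", "-Default-"),
        "Lee Chan/Renovations": ("Author", "expenses.nsf", "*/Renovations (Wildcard)"),
    },
}

if __name__ == "__main__":
    print(format_report(snapshot(aggregate_domain(PER_SERVER), "3/10/2010")))
```

Each user is counted once at the domain level, at the highest level held on any server, so a Manager entitlement on ServerB supersedes the Editor entitlement the same user has on ServerA, and the report totals never exceed the number of distinct entitled users.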

How you can use this information

The information in the entitlement summary can be extremely useful in understanding how many users you have with different access levels and which servers, databases, ACLs and permissions are contributing to these numbers. By default, these databases have access restricted to LocalDomainAdmins but since this is your data you can manage access to it in any way you see fit with the following caveats:
  • Do not delete the entitlement collector databases or the collector summary database unless instructed to do so by HCL Support.
  • Do not modify the design or alter the template in any way.
  • The database and collection services are offered "as is" and the structure of the database and the data collection process can be changed by HCL in subsequent releases of the product.

ACL Scanner agent

An agent named ACL Scanner is provided "as is," without support, as a tool that might be useful to administrators to get immediate reports that summarize who has access to various databases. You can use the tool to help "harden" security by further limiting who has access to those databases. A benefit of using the tool is that you can make ACL changes and rerun the tool for immediate feedback on the effects of your changes, rather than waiting for the next cycle of the entitlement tracker.

To run the agent, open entitlementtrack.ncf and select Actions - ACL Scanner. A dialog box appears that offers you the following options:
  • Select a server to scan.
  • Specify whether you want to scan databases, templates, or both.
  • Specify a user or group to search for, or the special name -Default- for default ACL access.
  • Specify an ACL level to search for -- it will search for that level or higher access.
  • Optionally specify a list of folders to skip.

For example, you might search a server for databases whose -Default- ACL entry is Editor or higher access.

The tool will scan the ACL of all the selected databases on the server and generate a report that lists all matching databases. In this example, you might choose to modify the ACL of some of those databases and reduce the access level of the -Default- entry. You could then immediately rerun the report to see the effects of your changes.
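The scan-and-harden loop described above, as an added Python model of the ACL Scanner report. This is illustrative code written for this page, not the agent shipped in entitlementtrack.ncf and not the Domino API: the database inventory is a constructed dictionary keyed by file path relative to the data directory, and the dialog's options (databases or templates, entry, minimum level, folders to skip) are plain function parameters. The lower_entry helper is added so that the "change the ACL and rerun" step can be shown without touching the original inventory.

```python
LEVELS = ["No Access", "Depositor", "Reader", "Author", "Editor", "Designer", "Manager"]
RANK = {level: i for i, level in enumerate(LEVELS)}

def scan_acls(databases, entry, min_level, kind="both", skip_folders=()):
    """Return [(path, level)] for databases whose ACL grants `entry` (a user,
    a group, or -Default-) min_level or higher.
    kind: "databases" (.nsf only), "templates" (.ntf only) or "both".
    skip_folders: folders under the data directory to leave out of the scan."""
    hits = []
    for path, acl in sorted(databases.items()):
        folder, _, filename = path.rpartition("/")
        if any(folder == f or folder.startswith(f + "/") for f in skip_folders):
            continue
        ext = filename.rsplit(".", 1)[-1].lower()
        if (kind == "databases" and ext != "nsf") or (kind == "templates" and ext != "ntf"):
            continue
        level = acl.get(entry)
        if level is not None and RANK[level] >= RANK[min_level]:
            hits.append((path, level))
    return hits

def lower_entry(databases, paths, entry, new_level):
    """Copy of the inventory with `entry` set to new_level in the given
    databases. The input is not modified, so the scan can be rerun on both."""
    hardened = {p: dict(acl) for p, acl in databases.items()}
    for p in paths:
        hardened[p][entry] = new_level
    return hardened

# Constructed sample inventory (paths, names and levels are made up).
INVENTORY = {
    "expenses.nsf": {"-Default-": "Editor", "LocalDomainAdmins": "Manager"},
    "AcmeSales.nsf": {"-Default-": "Reader", "AppDesigners": "Designer"},
    "specs/NewFeatures.nsf": {"-Default-": "Designer", "LocalDomainAdmins": "Manager"},
    "mail/dsmith.nsf": {"-Default-": "No Access", "Dana Smith/Renovations": "Editor"},
    "help/admin.nsf": {"-Default-": "Reader"},
    "discussion.ntf": {"-Default-": "Editor", "LocalDomainAdmins": "Manager"},
}

if __name__ == "__main__":
    # First report: every database or template whose -Default- is Editor or higher.
    before = scan_acls(INVENTORY, "-Default-", "Editor")
    print("before:", before)
    # Reduce -Default- in those databases and rerun for immediate feedback.
    fixed = lower_entry(INVENTORY, [p for p, _ in before], "-Default-", "Reader")
    print("after:", scan_acls(fixed, "-Default-", "Editor"))
```

Searching for an entry at "that level or higher" is what makes the report useful for hardening: specs/NewFeatures.nsf is reported for an Editor search even though its -Default- is Designer, and the template discussion.ntf appears only when templates are included in the scan.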