Restricting administrator access

You can specify various access levels for different types of administrators in your organization. For example, you may want to give only a few people 'system administrator' access, while all of the administrators on your team are designated as database administrators.

About this task

Administrator access rights are granted hierarchically. The privilege hierarchy looks like this:

  • Full access administrator -- gets all rights and privileges of all administration access levels listed.
  • Administrator -- gets all rights and privileges of database administrator and full-console administrator (but not system administrator).
  • Full console administrator -- gets rights and privileges of view-only console administrator (but not system administrator).
  • System administrator -- gets rights and privileges of restricted system administrator.

You do not need to list a user individually in each field. Adding a user to the topmost level of administrator access automatically grants that user all privileges listed for subordinate levels in the hierarchy.

To restrict administrator access

Procedure

  1. From the Domino® Administrator, click the Configuration tab, and open the Server document.
  2. Click the Security tab.
  3. In the Administrators section, complete one or more of these fields, and then save the document. For all of these fields, you can specify individual hierarchical names, groups, and wildcards (for example, */Sales/Renovations). Separate multiple entries with commas.
    Note: With the exception of the Administrators field, all of these fields are blank by default, meaning that no one has these access rights.
    Table 1. Administrator Access descriptions. Each entry below gives the field name, followed by the action that field controls.

    Full access administrators

    Enter the names of administrators who have full access to administer the server. This is the highest level of administrative privilege.

    Administrators

    Enter the names of administrators who can administer the server. The default value for this field is the name of the administrator who initially set up the server. Administrators listed here have the following rights:

    • Create, update, and delete folder and database links
    • Create, update, and delete directory link ACLs
    • Compact and delete databases
    • Create, update, and delete full text indexes
    • Create databases, replicas, and Master Templates
    • Get and set certain database options (for example, in/out of service, database quotas, and so on)
    • Use message tracking and track subjects
    • Use the console to remotely administer UNIX servers
    • Issue any remote console command
    Note: If you are using the (Java) Server Controller and you enter a group name in this field, the group must have a group type of Multi-purpose to allow the administrator names to appear in the Administrators field.
    Note: For Domino® 6.0 and subsequent releases, if the NOTES.INI variable Server_Restricted is used to restrict server access, administrators can still open databases on the server.

    Database administrators

    Enter the names of administrators who will be responsible for administering databases on the server. Note that database administrators are not automatically granted Manager access to databases on the server. Users listed here have the following rights only:

    • Create, update, and delete folder and database links
    • Create, update, and delete directory link ACLs
    • Compact and delete databases
    • Create, update, and delete full text indexes
    • Create databases, replicas, and Master Templates
    • Get and set certain database options (for example, in/out of service, database quotas, and so on)

    Full remote console administrators

    Enter the names of administrators who can use the remote console to issue commands to this server.

    View-only administrators

    Enter the names of administrators who can use the remote console to issue only those commands that provide system status information, such as SHOW TASKS and SHOW SERVER.

    View-only administrators cannot issue commands that affect the server's operation.

    System administrator

    Enter the names of administrators who are allowed to issue a full range of operating system commands to the server.

    The type and range of commands depends on the server operating system. For example, administrators for a Linux server would only be able to issue Linux commands.

    Note: This feature requires that you run the Domino® server controller on the server machine.

    Restricted system administrator

    Enter the names of administrators who are allowed to issue only the operating system commands that are listed in the Restricted System Commands field.

    Note: This feature requires that you run the Domino® server controller on the server machine.

    Restricted system commands

    Enter the subset of operating system commands that Restricted System Administrators can issue. The type and range of commands depends on the server operating system and the tasks that restricted system administrators need to do.

    For example, you may want to have a restricted system administrator for managing UNIX print queues. Enter the UNIX commands for managing print queues in this field. Any names you enter in the Restricted system administrator field will then have access to these commands only.

Results

CAUTION: Administrators who are listed in the Full Access Administrators, Administrators, and Database Administrators fields on the Security tab of a server document are allowed to delete any database on that server, even if they are not listed as managers in the database ACL.

Full access administrators

About this task

A full access administrator has the greatest level of administrative access to the server. The full access administrator feature replaces the need to run a Notes® client locally on a server. Establishing a full access administrator resolves access control problems that can result when the only managers of a database ACL depart from an organization.

Full access administrators have the following rights:

  • All of the rights granted to administrators at every access level (refer to Table 1).
  • Manager access, with all access privileges enabled, to all databases on the server, regardless of the database ACL settings.
    Note: ACL roles must still be enabled manually for full access administrators.
  • Access to all documents in all databases, regardless of Reader names fields.
  • The ability to create agents that run in unrestricted mode with full administration rights.
  • Access to any unencrypted data on the server.
    Note: Full access administrator does not allow access to encrypted data. The use of the specified user's private key is required to decrypt documents that are encrypted with public keys. Similarly, a secret key is required to decrypt documents encrypted with secret keys.

Enabling full access administrator mode

About this task

In order to work in full access administrator mode, an administrator must:

  • Be using the Administrator Client.
  • Be listed in the Full Access Administrators field in the Administrators section of the Security tab in the Server document. By default, this field is empty.
  • Enable Full Access Administration mode in the Administrator client by selecting Administration > Full Access Administration. If this mode is not enabled, then users will not have full administrator access to the server, even if they are listed as a full access administrator in the Server document. They will instead be granted Administrator rights.

When full access administrator mode is enabled, the client's window title, tab title, and status bar indicate this. This is to remind users that they are accessing the server with the highest level of privilege and should therefore proceed with caution.

If an administrator enables full administration mode in the Administration client, this mode is also enabled for the Domino® Designer and for the Notes® clients. Full administrator access is also reflected in their window titles, tab titles, and status bars.

If a user attempts to switch to full access administrator mode, but is not listed as one in the Server document, the user is denied full access and a message appears in the status bar and on the server console. The client will be in full access mode, but that user will not have full administrator access to that particular server. If the user attempts to switch servers, that person's access is checked against the server document of the new server.

Disabling the full access administrator feature

You can disable the Full Access Administrators field by setting SECURE_DISABLE_FULLADMIN = 1 in the NOTES.INI file. This setting disables full access administrator privilege and overrides any names listed in that field in the Server document. Only a user who has physical access to the server and who can edit the NOTES.INI file for the server can set this NOTES.INI parameter. This parameter cannot be set from the server console or the remote console, and it cannot be set in the Server document.
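The rules above (the privilege hierarchy under About this task, the Full Access Administration mode requirement, and the SECURE_DISABLE_FULLADMIN override) as an added Python model for auditing a Server document's Administrators fields; this is not HCL/IBM Domino code. Group expansion and */OU wildcard matching are simplified assumptions, and the sample fields and groups are constructed.

```python
# Added example, not HCL/IBM Domino code: models how the Server document's
# Administrators fields combine into effective rights under the hierarchy and
# Full Access Administration rules this page describes (name matching simplified).

# Rights each field implies, per the page's hierarchy (already transitive).
FULL = {"Administrators", "Database administrators", "Full remote console administrators",
        "View-only administrators", "System administrator", "Restricted system administrator"}
IMPLIES = {
    "Full access administrators": FULL,
    "Administrators": {"Database administrators", "Full remote console administrators",
                       "View-only administrators"},
    "Full remote console administrators": {"View-only administrators"},
    "System administrator": {"Restricted system administrator"},
}

def matches(entry, user, groups, seen=()):
    """Does one entry (hierarchical name, group, or */OU wildcard) cover user?"""
    if entry.startswith("*/"):   # wildcard, assumed to mean "any name in that OU"
        return user.lower().endswith(entry[1:].lower())
    if entry in groups and entry not in seen:   # group: expand members, cycle-safe
        return any(matches(m, user, groups, seen + (entry,)) for m in groups[entry])
    return entry.lower() == user.lower()   # Notes names compare case-insensitively

def effective_rights(user, fields, groups, full_access_mode=False,
                     secure_disable_fulladmin=False):
    """fields: field name -> comma-separated entries as typed in the Server document."""
    granted = {name for name, value in fields.items()
               if any(matches(e.strip(), user, groups)
                      for e in value.split(",") if e.strip())}
    if secure_disable_fulladmin:           # NOTES.INI override beats the field
        granted.discard("Full access administrators")
    if "Full access administrators" in granted and not full_access_mode:
        # Client not in Full Access Administration mode: Administrator rights instead
        granted.discard("Full access administrators")
        granted.add("Administrators")
    rights = set(granted)
    for level in granted:                   # expand down the hierarchy
        rights |= IMPLIES.get(level, set())
    return rights

# Constructed sample Server document fields and group membership (not real data).
SAMPLE_FIELDS = {
    "Full access administrators": "Full Admin/Sales/Renovations",
    "Administrators": "LocalDomainAdmins",
    "Database administrators": "*/Sales/Renovations",
    "View-only administrators": "Helpdesk",
    "Restricted system administrator": "Print Ops/IT/Renovations",
}
SAMPLE_GROUPS = {"LocalDomainAdmins": ["Jane Admin/IT/Renovations"],
                 "Helpdesk": ["Sam Desk/IT/Renovations"]}
```

Fields left blank in the Server document are simply omitted from the dictionary, which matches the page's default of "no one has these access rights".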

Options for managing the full access administrator feature

About this task

There are several ways to grant full access administrator privileges:

  • Create a special Full Admin ID file -- for example, Full Admin/Sales/Renovations -- and put only that name in the Full Access Administrators field. You must then either log in with or switch to this user ID in order to gain this level of access. Optionally, you could set up this ID file to require multiple passwords.
  • Create an OU-level certifier for granting full administrator access, and issue additional IDs to trusted administrators -- for example, Jane Admin/Full Admin/Acme.
  • Leave the Full Access Administrator field empty. Add the name of a trusted individual for emergency situations, and remove it when the situation has been resolved.
  • Populate the Full Access Administrator field with a limited set of trusted administrators.

You can also track how this feature is used:

  • Configure the Event Handler to send notification through EVENTS4.NSF when full access administration privileges are invoked.
  • Any database activity done using full access administrator access is recorded in the database activity log, under Database Properties.
  • Use of the feature is logged by the server.