Delegation support

HCL Traveler can allow delegates to access mail files owned by other users.

Delegation is when a mail file owner grants access to another user, known as the delegate, to read, create, update, and delete documents in the mail file owner’s database (as if the actions were being performed by the mail file owner). The delegate does not need to know the mail file owner's password - the delegate uses his own password to authenticate to Domino, and the Access Control List (ACL) of the mail file gives the delegate the access to the owner’s mail file.

HCL Traveler delegation support allows a mobile user to authenticate as itself but access a different user’s mail file. To accomplish that, the delegate uses a special notation using two exclamation points (!!) to separate the delegate’s own internet address or HCL Domino® canonical name from the mail file owner’s internet address or canonical name. See the following example:
CN=Delegate Name/O=OrgName!!CN=Mailfile Owner/O=OrgName

Addresses using this !! notation identify this as a delegate user. Traveler considers that a different user than either the delegate or mail file owner when they are accessing their own mail files. For each delegate user, Traveler tracks its own set of devices that have been registered for syncing the mail file owner’s data.

Delegate addresses appear in the output of tell Traveler commands, in Traveler log files and dumps, and in the HCL Traveler administration database, where a user’s canonical name would normally appear. Similarly, delegate addresses can be used on tell Traveler commands where a user name is allowed.

For example, the following is allowed:
tell traveler dump CN=Delegate Name/O=OrgName!!CN=Mailfile Owner/O=OrgName
This example produces different output than tell traveler dump Delegate Name because they are syncing different data – the Delegate Name user dump has information about that user’s mail file, but the user dump taken using the delegate address has information about the mail file owner’s mail file.

In addition, when you take a user dump of a non-delegate address, it now includes information about every delegate user that has registered a device with Traveler in which the user being dumped is one of the users identified in the delegate address. So, the user dump identifies all the mail files which this user is accessing as a delegate, as well as all delegates that are accessing this user’s mail file. The Traveler admin can take user dumps of those delegate users if needed, to help investigate issues with syncing of data to the delegate’s device.

Delegation is enabled by default, but can be disabled in the Traveler server by setting NTS_IMSMO_ALLOW_DELEGATION_ENABLED=false in the notes.ini file.

There are some limitations with Traveler delegation support:

  • You cannot login to the /traveler home page using a delegate address.
  • A delegate cannot read encrypted mail in owner’s mail file, or validate the signature of signed emails there. Similarly, a delegate cannot send encrypted or signed emails on behalf of the mail file owner.
  • Partial delegation (for example, granting a delegate access to calendar but not email, or granting read-only access) is not supported. Delegates must have Editor access to the owner’s mail file.
  • Delegation is only supported for the HTMO client. For more information, see HTMO delegation in the HTMO documentation.