Wednesday, 14 November 2018

Consequences Administration Server Action Field Settings in the Access Control List Dialog Box

In my journey as Domino Administrator I performed a deep dive into the AdminP process during the past period especially for renaming and deleting users. One of the most important coherent settings that I encountered here are the Administration Server settings in the Access Control List of the databases especially the value in the action field. These setting can be set or modified using the Domino Administrator Client. From the Domino Administrator open the domain containing the server with the database for which an administration server must be added or changed. Next select the Files tab and select the database to which an administration server has to be assigned. From the Tools pane select Tools - Database - Manage ACL and select Advanced. In the Action field the values can be selected as described in the table below.

Field Value
Administration Server Choose one of these:
None -- If you do not want an administration server assigned for the database.
Server -- Select a server from the list.
Action Choose one of these according to whether you want modifications to the indicated fields to occur during a rename group, rename user, or rename server action; or during a delete server, delete group, or delete user action:

Do not modify Names fields
Names fields are not updated during any of the above rename and delete actions.

Modify all Readers and Authors fields
Reader and Author fields are updated during the rename and delete actions listed above. Any item of type Item_Readers or Item_ReadWriters is modified.

Modify all Names fields
All names fields are updated during any of the rename or delete actions listed above. Any item of type "Item_Names" is modified, for example, a list of users or groups would be modified. Item_Names includes Item_Readers and Item_ReadWriters making it a super-set of modifications that include Readers and Authors fields.

For more information see also the IBM Support documents Specifying an administration server for databases and Modifying the Action field in the Access Control List (ACL).

In a number of custom Notes applications, including the mail databases, the value in the Action Field is set to Modify All Names Fields in our Notes environment. Further in several custom Notes applications the user names are stored in Readers fields, Authors fields or Names fields.
When it comes to renaming a user in the Domino Administrator Client the value Modify all Names fields in the Action field in the Administration Server settings in the ACL in these databases means that the AdminP process will update the user's name in all Readers Fields, Authors fields and Names fields in accordance with a name change performed in the Domino Administration client. So far so good since this is what we want to accomplish with the setting in the Action field.
But here is the problem when it comes to deleting a user. When a user has been deleted in the Domino Administration client AdminP removes the user's name from all Readers fields, Authors fields and Names fields. In the Administration Request database there is an Delete in Readers/Authors Field entry. For specific custom Notes applications this means that important workflow information will be deleted. In mail files this means that anywhere the user's name appears the name will be removed. This includes also the information about who created a document and the information about who sent mail.

However, regarding the settings in the mail databases IBM recommends that for heavy users of Calendar and Scheduling specific to recurring meetings the Action field for the user's mail database should be set to Modify All Names fields. For users who are not frequently involved in the use of Calendar and Scheduling the Action field for the user's mail database should be set to Do not modify Names fields.
For more information see the IBM document Modifying the Action field in the ACL dialog box.
I specific tested the AdminP process for removing a user and for mail databases en workflow applications this is a major problem. Critical information is deleted when the Action field is set to Modify all Names Fields. We use the setting Modify all Names Fields in our mail databases because of the Calendar and Scheduling and recurring meetings.

The above situation yields a dilemma regarding which setting is best used in which database in the situation where use is made of the AdminP process when a user is renamed and when deleting a user.
In my humble opinion it can not be the intention to redesign existing Notes applications so that they can work the one-sides way that AdminP processes deletion requests. I would like to hear any solutions by Domino Administrators regarding the AdminP process for deleting users when in the ACL the value Modify all Names Fields is selected.
Below the recommendations for the names.nsf and admin4.nsf databases by IBM.

NAMES.NSF - Domino Directory
By default, the Action field for the administration server for the Domino Directory is set to "Do not modify names fields." Do not change the Action setting for the administration server for the Domino Directory. The purpose of this setting is to allow the Administration Process to update names (people, group, or server names) in critical areas of a database. The Administration Process automatically manages the names in the Domino Directory. Changing the Advanced ACL setting for this database causes the removal of names which are critical to other Domino features, for example, mail routing and calendaring and scheduling.

ADMIN4.NSF - Administration Requests database
The Administration Requests database (ADMIN4.NSF) is a log database from which documents are routinely purged. If you set the Action field on the ACL dialog box to anything other than "Do not modify names fields," you may cause performance problems when the Administration Process (adminp) processes requests. This does not apply to cross-domain administration requests.

In any case the above is certainly something to think about when selecting a value in the Action Field in the Administration Server settings in the Access Control List of a Notes database. I hope to receive some solutions from other Domino Administrators how this can best be solved without redesign existing Notes applications.

No comments:

Post a Comment