ADMINISTERING


Setting up ACLs for the Administration Process

Each administrator who uses the Administration Process to perform tasks must have the appropriate access rights and roles in the Domino® Directory (NAMES.NSF), in secondary directories if applicable, in the Administration Requests database (ADMIN4.NSF), and in the Certification Log database (CERTLOG.NSF).

The quickest way to provide administrators with the access they need is to give them the minimum levels of access:


The following table describes access needed for specific tasks. If an error occurs during any administrative task, the administrator must have Editor access in the ACL of the Administration Requests database to perform the task again.

Note: If extended ACLs are enabled and you have specified who can modify documents for an organization, administration requests will fail if they are initiated by anyone not specified in the extended ACL.

Table 1. Access for administrators to run Administration Process tasks

Each task lists the access the administrator needs in three places: the Domino Directory, ADMIN4.NSF, and other databases.

Task: Add a resource to or delete a resource from the Resource Reservations database
  Domino Directory: None. However, the Administration Process updates the Domino Directory to reflect the change.
  ADMIN4.NSF: Author with Create documents access
  Other databases: CreateResource role in the Resource Reservations database

Task: Add group
  Domino Directory: Author with Create documents and the ServerModifier role
  ADMIN4.NSF: Author with Create documents access and GroupModifier role

Task: Add users to group
  Domino Directory: Author with GroupModifier role. If the administrator has access greater than Author, that access is sufficient.

Task: Add servers to and remove servers from a cluster
  Domino Directory: One of these:
  • Author access and ServerModifier role
  • Editor access
  ADMIN4.NSF: Author with Create documents access
  Other databases: None

Task: Approve a request to move a user name to another hierarchy
  Domino Directory: One of these:
  • Author with Create documents access and UserModifier/ServerModifier role
  • Editor access
  ADMIN4.NSF: Editor access
  Other databases: Author with Create documents access to the Certification Log

Task: Approve the deletion of a resource from the Resource Reservations database
  Domino Directory: Delete documents access
  ADMIN4.NSF: Editor access
  Other databases: None

Task: Create mail files automatically during user registration
  Domino Directory: Author access and the UserCreator role
  ADMIN4.NSF: Author with Create documents access
  Other databases: Create new database access on the registration server

Task: Create replicas of databases
  Domino Directory: No requirement
  ADMIN4.NSF: Author with Create documents access
  Other databases: All of these:
  • Create replica access to the destination server
  • Reader access to the database on the source server
  • In addition, the source server must have Create replica access to the destination server, and the destination server must have Reader access to one replica of the database.

Task: Delete group
  Domino Directory: One of these:
  • Author with Delete documents access and the GroupModifier role
  • Editor access
  ADMIN4.NSF: Author with Create documents access
  Other databases: None

Task: Delete servers
  Domino Directory: One of these:
  • Author with Delete documents access and the ServerModifier role
  • Editor access
  ADMIN4.NSF: Author with Create documents access
  Other databases: None

Task: Delete users*
  Domino Directory: One of these:
  • Author with Delete documents access and the UserModifier role
  • Editor access
  ADMIN4.NSF: Author with Create documents access
  Other databases: None

Task: Delete users and their mail files; delete users and their private design elements
  Note: To delete a user from an Active Directory, the Delete Person request must be made from a computer running Active Directory, and the initiator must be an Active Directory administrator with rights to delete user accounts.
  Domino Directory: One of these:
  • Author with Delete documents access and the UserModifier role
  • Editor with Delete documents access
  ADMIN4.NSF: Editor
  Other databases: None

Task: Enable password-checking during authentication
  Domino Directory: Editor access
  ADMIN4.NSF: Author with Create documents access
  Other databases: None

Task: Find name
  Domino Directory: Editor access with UserModifier role
  ADMIN4.NSF: None
  Other databases: None

Task: Move replicas from a cluster server
  Domino Directory: None
  ADMIN4.NSF: Author with Create documents access
  Other databases: Both of these:
  • Same access as for Create replicas of databases
  • Manager access to the original database

Task: Move replicas from a non-clustered server
  Domino Directory: None
  ADMIN4.NSF: Editor
  Other databases: Both of these:
  • Same access as for Create replicas of databases
  • Manager access to the original database

Task: Move user to another server
  Domino Directory: One of these:
  • Author access and UserModifier role
  • Editor access
  ADMIN4.NSF: Editor
  Other databases: Create replica access on the new mail server. In addition, the old mail server must have Create replica access to the new mail server, and the person whose mail file is being moved must be running a Notes® Release 5 or higher client.

Task: Recertify user IDs and server IDs
  Domino Directory: One of these:
  • Author with Create documents access and UserModifier/ServerModifier role
  • Editor access
  ADMIN4.NSF: Author with Create documents access
  Other databases: Author with Create documents access to the Certification Log

Task: Register user
  Domino Directory: Author with Create documents access and the UserCreator role
  ADMIN4.NSF: Author with Create documents access, if the Administration Process is used for background processing
  Other databases: If creating mail files or roaming files, Create database access on the mail server and/or roaming server, accordingly. If creating replicas, Create replica access on the replica servers. If CERTLOG.NSF resides on the registration server, Create documents access to CERTLOG.NSF is required.

Task: Remove all replicas of a database
  Domino Directory: None
  ADMIN4.NSF: None
  Other databases: None

Task: Rename users and convert users and servers to hierarchical naming
  Domino Directory: One of these:
  • Author with Create documents access and UserModifier/ServerModifier role
  • Editor access
  ADMIN4.NSF: Author with Create documents access
  Other databases: Author with Create documents access to the Certification Log

Task: Sign database
  Domino Directory: None
  ADMIN4.NSF: None
  Other databases: None

Task: Specify the Master Address Book name in Server documents
  Domino Directory: One of these:
  • Author access with ServerModifier role
  • Editor access
  ADMIN4.NSF: Author with Create documents access
  Other databases: None

Task: Add Internet certificate
  Domino Directory: Editor
  ADMIN4.NSF: Author with Create documents access
  Other databases: None

Task: Update client information in Person record
  Domino Directory: None
  ADMIN4.NSF: None
  Other databases: None
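The table is a least-privilege specification: for each task, an administrator's ACL entry in each database must meet at least one of the listed alternatives, and the text above also requires Editor access in ADMIN4.NSF to re-run a request that failed. The following script is an added example, not part of the Domino documentation or product, that encodes three rows of the table as data and checks an administrator's entries against them before granting or auditing access. The ordering of ACL levels (No Access through Manager), the treatment of the Create documents option as implied at Editor and above, and the treatment of Delete documents as a separate option at every level are assumptions about the Domino ACL model, marked as such in the comments; the row contents are taken from the table.

```python
"""Least-privilege check for Administration Process ACL requirements.

Added example, not part of the Domino documentation. The level ordering and
the privilege model are assumptions stated in the comments; the task rows are
taken from the access table above.
"""
from __future__ import annotations

from dataclasses import dataclass

# Assumption: Domino ACL access levels in increasing order of privilege.
LEVELS = ("No Access", "Depositor", "Reader", "Author", "Editor", "Designer", "Manager")


def rank(level: str) -> int:
    return LEVELS.index(level)


@dataclass(frozen=True)
class AclEntry:
    """The entry granted to the administrator in one database."""
    level: str
    create_documents: bool = False   # "Create documents" option (an Author-level option)
    delete_documents: bool = False   # "Delete documents" option (separate at every level)
    roles: frozenset = frozenset()   # roles such as GroupModifier, UserModifier, UserCreator

    def can_create(self) -> bool:
        # Assumption: Editor and above always create documents; Author needs the option.
        return rank(self.level) >= rank("Editor") or (
            self.level == "Author" and self.create_documents)

    def can_delete(self) -> bool:
        # Assumption: the Delete documents option is needed even at Editor, matching
        # the table's "Editor with Delete documents access" alternative.
        return rank(self.level) >= rank("Author") and self.delete_documents


@dataclass(frozen=True)
class Requirement:
    """One alternative from a table cell, e.g. Author with Delete documents and GroupModifier."""
    level: str
    create: bool = False
    delete: bool = False
    roles: frozenset = frozenset()


def satisfies(entry: AclEntry, req: Requirement) -> bool:
    """True if the entry meets or exceeds the alternative; a higher level also counts."""
    if rank(entry.level) < rank(req.level):
        return False
    if req.create and not entry.can_create():
        return False
    if req.delete and not entry.can_delete():
        return False
    return req.roles <= entry.roles


# Three rows of the table. Each cell is a list of alternatives ("One of these").
# Requirements on databases other than NAMES.NSF and ADMIN4.NSF are not modelled here.
TASKS = {
    "Delete group": {
        "NAMES.NSF": [Requirement("Author", delete=True, roles=frozenset({"GroupModifier"})),
                      Requirement("Editor")],
        "ADMIN4.NSF": [Requirement("Author", create=True)],
    },
    "Delete users and their mail files": {
        "NAMES.NSF": [Requirement("Author", delete=True, roles=frozenset({"UserModifier"})),
                      Requirement("Editor", delete=True)],
        "ADMIN4.NSF": [Requirement("Editor")],
    },
    "Register user": {
        "NAMES.NSF": [Requirement("Author", create=True, roles=frozenset({"UserCreator"}))],
        "ADMIN4.NSF": [Requirement("Author", create=True)],
    },
}


def missing_access(task: str, entries: dict[str, AclEntry]) -> list[str]:
    """Databases in which the administrator satisfies none of the alternatives for the task."""
    gaps = []
    for database, alternatives in TASKS[task].items():
        entry = entries.get(database, AclEntry("No Access"))
        if not any(satisfies(entry, req) for req in alternatives):
            gaps.append(database)
    return gaps


def can_retry_failed_request(entries: dict[str, AclEntry]) -> bool:
    """Editor access in ADMIN4.NSF is required to run a failed request again."""
    admin4 = entries.get("ADMIN4.NSF", AclEntry("No Access"))
    return rank(admin4.level) >= rank("Editor")


if __name__ == "__main__":
    # Constructed sample administrator: Author with both options and the
    # GroupModifier role in the directory, Author with Create documents in ADMIN4.NSF.
    admin = {
        "NAMES.NSF": AclEntry("Author", create_documents=True, delete_documents=True,
                              roles=frozenset({"GroupModifier"})),
        "ADMIN4.NSF": AclEntry("Author", create_documents=True),
    }
    for task in TASKS:
        print(f"{task}: missing in {missing_access(task, admin) or 'nothing'}")
    print("can retry failed requests:", can_retry_failed_request(admin))
```

Running the sample shows the point of the table: the constructed Author-level administrator can delete groups but cannot delete users or register them (missing roles), and cannot re-run a failed request because ADMIN4.NSF access stops at Author. Extending TASKS to the remaining rows is a matter of transcribing the cells; the check logic does not change.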

Related tasks
Setting up the Administration Process
Configuring a database ACL
Managing database ACLs