SECURING
You can specify various access levels for different types of administrators in your organization. For example, you may want to give only a few people 'system administrator' access, while all of the administrators on your team are designated as database administrators.
About this task
Administrator access rights are granted hierarchically. The privilege hierarchy looks like this:
Parent topic: Customizing access to a Domino server
To restrict administrator access
Procedure
1. From the Domino Administrator, click the Configuration tab, and open the Server document.
2. Click the Security tab.
3. In the Administrators section, complete one or more of these fields, and then save the document. For all of these fields, you can specify individual hierarchical names, groups, and wildcards (for example, */Sales/Renovations). Separate multiple entries with commas.
Table 1. Administrator Access descriptions
Note: For Domino 6.0 and subsequent releases, if the NOTES.INI variable Server_Restricted is used to restrict server access, administrators can still open databases on the server.
View-only administrators cannot issue commands that affect the server's operation.
The type and range of commands depends on the server operating system. For example, administrators for a Linux™ server would only be able to issue Linux commands.
Note: This feature requires that you run the Domino server controller on the server machine.
For example, you may want to have a restricted system administrator for managing UNIX print queues. Enter the UNIX commands for managing print queues in this field. Any names you enter in the Restricted system administrators field will then have access to these commands only.
CAUTION: Administrators who are listed in the Full Access Administrators, Administrators, and Database Administrators fields on the Security tab of a server document are allowed to delete any database on that server, even if they are not listed as managers in the database ACL.
Full access administrators
A full access administrator has the greatest level of administrative access to the server. The full access administrator feature replaces the need to run a Notes client locally on a server. Establishing a full access administrator resolves access control problems that can result when the only managers of a database ACL depart from an organization.
Full access administrators have the following rights:
Note: ACL roles must still be enabled manually for full access administrators.
Note: Full access administrator does not allow access to encrypted data. The use of the specified user's private key is required to decrypt documents that are encrypted with public keys. Similarly, a secret key is required to decrypt documents encrypted with secret keys.
In order to work in full access administrator mode, an administrator must:
If an administrator enables full administration mode in the Administration client, this mode is also enabled for the Domino Designer and for the Notes clients. Full administrator access is also reflected in their window titles, tab titles, and status bars.
If a user attempts to switch to full access administrator mode, but is not listed as one in the Server document, the user is denied full access and a message appears in the status bar and on the server console. The client will be in full access mode, but that user will not have full administrator access to that particular server. If the user attempts to switch servers, that person's access is checked against the server document of the new server.
Disabling the full access administrator feature
You can disable the Full Access Administrators field by setting SECURE_DISABLE_FULLADMIN = 1 in the NOTES.INI file. This setting disables full access administrator privilege and overrides any names listed in that field in the Server document. Only a user who has physical access to the server and who can edit the NOTES.INI file for the server can set this NOTES.INI parameter. This parameter cannot be set using the server console, the remote console, or set in the Server document.
Options for managing the full access administrator feature
There are several ways to grant full access administrator
Related reference Server_Restricted