SmartCloud Tip #03: Important Details to Setting the ACL on your Mail Files
David Hablewitz    

When you move to SmartCloud Notes, you get many great benefits, but of course there are a few tradeoffs. One of those is giving up Manager access to the mail files. Whether you're the mail file owner or the system administrator, the best access you'll ever have is Editor. And unless you explicitly configure it otherwise, by default only the mail file owner will have any access at all. This is actually great for enforcing best practices. Users should never have more than Editor access anyway, and in countries like France, the law prohibits administrators from accessing a user's mail without their permission. Yes, the owner can always use delegation to grant others access to their mail file, but that only works if they are available to give that access. That doesn't help for employees who are out sick or no longer employed at your company.

If you want anything other than the default, you need to plan ahead because once the mail file has been migrated, you can’t change the ACL. This means adding certain groups and roles to the ACL of the existing mail files as well as to the template for any future mail files.

There are typically 3 groups you will want to add to the ACL. The first is your administrator group. Without this, administrators can’t perform some basic administrator tasks, like opening the mail file to do troubleshooting.

The second group is support personnel who may need access to the mail files but should not be included in your administrator group. For example, these may be regional administrators, designated people on the help desk, HR, or the legal department. How you organize these groups will vary depending on the organization and size of your company. Note that you need a different mail template in SmartCloud for each different ACL. For example, you will need a different template for each region if each region will have a different group of regional administrators.

The third consideration is providing access for your application servers in the event you have applications that run agents that directly touch the mail files. Keep in mind that no agents can run directly on the SmartCloud mail servers, so any agents will need to be run on a server you maintain on site. Typically databases use mail routing to get things into your mail file, but I have encountered a few applications that add entries directly to the calendar. The process of assigning access to these groups is simple, but it must be done in advance of migrating the mail files into SmartCloud. It also requires modifying the ACL of the mail template that will be posted in SmartCloud, so that future accounts created in the cloud will have these entries.

First, create a role called ExcludeDelegate in the ACL of the mail files, then create the three groups mentioned above as you need and apply that role to them. (More on exactly how to do this later.) The following screen shot was taken from the database catalog and shows these ACL entries framed in red boxes.  Note that regardless of what level of access you give these groups in the mail file on site, it will not have more than Editor when it is moved to the cloud. But if those entries do not have the ExcludeDelegate role applied, they will be removed entirely from the ACL upon migration.

Entries needed in SmartCloud ACL

So how do you get these settings applied to all of your mail files in advance? You could add the entries using the administrator client. On the Files tab, select a set of databases, then right click and choose Access Control – Manage. A dialog box displays that allows adding, modifying, or deleting ACL entries. It also allows creating roles. But the ability to actually apply those roles to ACL entries is missing. (I say BUG, IBM says “functioning as designed”) So the only way to assign a role to an ACL entry via the Administrator UI is to manually open each database one at a time and add the role to the entry. Not exactly convenient when trying to assign the [ExcludeDelegate] role to entries in hundreds or thousands of mail files before migrating them to SmartCloud.

Footnote: SPR# GPKS6TNBN4 is a request to fix the admin client so it can mass-update roles in ACLs. Read this article for more details:
http://www-01.ibm.com/support/docview.wss?uid=swg21264880
Please take a moment to open a ticket with IBM technical support and request that your company be added to this  SPR. The more companies that request an enhancement, the more urgent they consider it.

Meanwhile, you can accomplish this using third party tools, such as the Ytria EZ ACL tool, a module in their suite of useful admin tools (contact me for a discount code), or you can write an agent to accomplish this task.
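
One way to write such an agent, as an added LotusScript sketch that is not code from the original post: it walks the mail files on an on-site server, creates the ExcludeDelegate role if it is missing, makes sure each group has an ACL entry, and enables the role on it. The server name, group names and the `mail\` directory are placeholders, and the signer of the agent needs Manager access to the on-site mail files.

```lotusscript
Option Public
Option Declare

Const ROLE_NAME = "ExcludeDelegate"        ' role named in the article
Const MAIL_DIR = "mail\"                   ' assumption: mail files live under mail\ (Windows path style)
Const MAIL_SERVER = "MailServer01/Acme"    ' placeholder server name

Sub Initialize
	Dim session As New NotesSession
	Dim dbdir As NotesDbDirectory
	Dim db As NotesDatabase
	Dim groups(2) As String
	' Hypothetical group names: administrators, support staff, application servers
	groups(0) = "MailAdmins"
	groups(1) = "MailSupport"
	groups(2) = "AppServers"
	Set dbdir = session.GetDbDirectory(MAIL_SERVER)
	Set db = dbdir.GetFirstDatabase(DATABASE)
	Do Until db Is Nothing
		If LCase(Left(db.FilePath, Len(MAIL_DIR))) = MAIL_DIR Then
			On Error Resume Next           ' skip files the signer cannot open
			Call db.Open("", "")
			On Error GoTo 0
			If db.IsOpen Then Call ApplyRole(db, groups)
		End If
		Set db = dbdir.GetNextDatabase
	Loop
End Sub

Sub ApplyRole(db As NotesDatabase, groups() As String)
	Dim acl As NotesACL
	Dim entry As NotesACLEntry
	Dim i As Integer
	Set acl = db.ACL
	' NotesACL.Roles returns role names with brackets, e.g. "[ExcludeDelegate]"
	If IsNull(ArrayGetIndex(acl.Roles, "[" & ROLE_NAME & "]")) Then
		Call acl.AddRole(ROLE_NAME)
		Call acl.Save                      ' persist the role before enabling it on entries
	End If
	For i = LBound(groups) To UBound(groups)
		Set entry = acl.GetEntry(groups(i))
		If entry Is Nothing Then
			' Editor is the most these entries keep after migration
			Set entry = acl.CreateACLEntry(groups(i), ACLLEVEL_EDITOR)
			entry.UserType = ACLTYPE_MIXED_GROUP
		End If
		If Not entry.IsRoleEnabled(ROLE_NAME) Then Call entry.EnableRole(ROLE_NAME)
	Next
	Call acl.Save
	Print "ACL updated: " & db.FilePath
End Sub
```

Run it against a handful of test mail files first and review the resulting ACLs before pointing it at the whole mail directory; the mail template still needs the same entries and role added separately.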

Prepare your environment with these steps well in advance of migrating and things will be much less complicated at the time of migration.

If you found this tip helpful, you might also be interested in my other tips:
SmartCloud Tip #01 Using the Notes admin client to compliment the SmartCloud web admin screens
SmartCloud Tip #02: Best Practices to get mail files ready to move to SmartCloud




---------------------
http://thenotesguyinseattle.com/2014/03/03/smartcloudtip03aclsettings/
Mar 04, 2014