Ytria Tech Lab
Articles, Tips, and Code for IBM Notes and Domino Administrators & Developers

ACL inconsistencies giving you headaches? Here’s how to find and fix missing ACL entries on a Domino server using aclEZ

on 3/11/10

Domino security is something of a mosaic, built upon, among other things, the many individual entries found in all the Notes database ACLs on a server. This system works great—it’s extremely flexible and it gives admins the control they need to make their servers impregnable fortresses. But there is one problem associated with this approach to security: things can get unmanageably complex over time. Before you know it, the total quantity of ACL entries for all the databases on a server can easily grow to number in the thousands.

Moreover, it’s impossible to get a bird’s-eye view of this ACL security mesh with the native Domino toolkit. Ytria aclEZ, however, includes a grid that gives you a spreadsheet-like view of all the ACL entries (and their attributes) for all the databases on a server. This grid makes it very easy to quickly check an entire server’s ACL security makeup.

A very practical application of this functionality would be to use aclEZ to find out if an important ACL entry (e.g. the Administrators group) that should be used server-wide is missing in any databases. If you do find an important ACL entry is not present where it ought to be, aclEZ also lets you copy-and-paste entries to fill in the ‘holes.’

Here’s how it works:

1) Launch aclEZ and choose the Domino server you’d like to look at.

2) Go to the Database panel and choose which databases you’d like to look at (or tick the top-level checkbox to select them all). You will also need to click the ‘Apply’ button if you have the ‘Read databases only after ‘Apply’ button is clicked’ option enabled.

This panel lists all the databases on a Domino server; use the checkboxes to load ACLs

3) As soon as the databases are loaded, the ACL Entries panel should be populated. Each line in the grid represents an ACL entry.

Now select an ACL entry from this panel (we’ll use the OtherDomainServers group for this example); right-click it and choose Copy Selected ACL Entries to… from the resulting contextual menu.

The aclEZ grid: a flat view of all the ACL entries on your server

4) The Copy Elements dialog should be open. Now, to quickly determine which databases have the selected ACL entry, simply drag the Presence column header to the ‘grouping area’ as shown in the images below:

Using drag-and-drop grouping to see missing ACL entries

aclEZ: seeing missing ACL entries

5) Next you’ll want to expand the ‘Presence : Unchecked’ grouping by clicking the [+] icon. All of these databases where ‘Presence is unchecked’ are missing the selected ACL entry. If you’d like them to have this entry, simply tick the checkboxes under the Copy To column then click OK.

Click the checkboxes for the databases where you'd like to paste the missing ACL entry

6) At this point we’ve already made the changes in the ACL grid, but if you want the modification to go ‘live’ just choose Apply Changes in aclEZ’s File menu or press Ctrl + S. That’s it—the ACL entry is now present in all the databases on our server.

"Apply changes" will enact the ACL changes that you have made

Note 1: If you select more than one entry in the ACL Entries grid, you may see “Presence : Indeterminate” in the Copy To dialog. This means that, for a given database, one or more of the selected ACL entries is present and one or more is not.

Note 2: In many instances you may want to enable Full Access Administration (Options > Full Access Administration) when using aclEZ to copy missing ACL entries. Like all Ytria tools, aclEZ complies with Lotus Notes security, so you must be listed as a Full Access Administrator in the server document of the server NAB in order to use the tool in Full Access mode.
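For admins who want the same presence check from an agent rather than from the aclEZ grid, here is an added LotusScript example (not code from the article or from aclEZ) that walks every database on a server and classifies each one as Checked, Unchecked or Indeterminate for a set of ACL entry names, mirroring the grouping shown in steps 4 and 5 and in Note 1. It only reports and does not modify any ACL; the server name and the second entry name are placeholders, and it assumes the agent runs with enough access (for example Full Access Administration, as in Note 2) to open each database.

```lotusscript
' Added example: audit which databases on a server lack a given set of ACL entries.
Option Declare

Function ClassifyPresence(db As NotesDatabase, names() As String) As String
    ' Same split as the Copy Elements dialog: all present / none present / mixed
    Dim acl As NotesACL, i As Integer, found As Integer
    Set acl = db.ACL
    found = 0
    For i = LBound(names) To UBound(names)
        ' NotesACL.GetEntry returns Nothing when the entry is not in the ACL
        If Not (acl.GetEntry(names(i)) Is Nothing) Then found = found + 1
    Next
    If found = 0 Then
        ClassifyPresence = "Unchecked"
    ElseIf found = UBound(names) - LBound(names) + 1 Then
        ClassifyPresence = "Checked"
    Else
        ClassifyPresence = "Indeterminate"
    End If
End Function

Function TryOpen(db As NotesDatabase) As Boolean
    ' Opening a database you lack access to raises an error; treat it as "not opened"
    On Error GoTo fail
    TryOpen = db.Open("", "")
    Exit Function
fail:
    TryOpen = False
    Exit Function
End Function

Sub Initialize
    Dim session As New NotesSession
    Dim dir As NotesDbDirectory, db As NotesDatabase
    Dim serverName As String, names(1) As String
    serverName = "Server1/Acme"          ' placeholder: your Domino server
    names(0) = "OtherDomainServers"      ' the entry used in the article's example
    names(1) = "LocalDomainAdmins"       ' placeholder second entry to check
    Set dir = session.GetDbDirectory(serverName)
    Set db = dir.GetFirstDatabase(DATABASE)
    Do Until db Is Nothing
        ' Databases returned by the directory are not open yet
        If TryOpen(db) Then
            Print db.FilePath & " -> Presence : " & ClassifyPresence(db, names)
        Else
            Print db.FilePath & " -> could not open (check your access)"
        End If
        Set db = dir.GetNextDatabase
    Loop
End Sub
```

Databases reported as Unchecked are the ones you would tick under Copy To in step 5; Indeterminate ones deserve a closer look before pasting, since only some of the selected entries are missing there.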
