logo: Ytria - Essential Tools for IBM Notes and Domino (Lotus)
Ytria Tech Lab
Articles, Tips, and Code for IBM Notes and Domino Administrators & Developers

A quick way to uncover (and fill) security holes on Domino servers using aclEZ

on 6/22/10

One of the nicest things about aclEZ‘s grouping grid interface is that is that it allows you sort and filter live information on all the Lotus Notes database ACLs on a server (even for databases that aren’t included in the catalog.nsf file). Here’s a simple-yet-practical application of this feature:

Using aclEZ’s Grouping Grid to Spot Inappropriate Access Settings

To start you need to load all your ACL entries in aclEZ’s grid:

aclEZ: Load all Domino ACL Entries in grid

Then you drag the ‘Access’ column header to the ‘grouping area’ –this will re-group the grid by levels of access
(i.e. No Access; Depositor; Reader; Author; Editor; or Manager)

aclEZ Group by ACL Entries' access level

Next, drag the Name’ column header to the grouping area as well…

aclEZ: Group Domino ACL entries by Access and Name

Now you can expand or collapse the groupings with the [+] and [-] buttons to quickly see precisely who has what access.

In the example below, you can see that the default access was set to manager for a number of databases on the server–a potential security hole that’s certainly worth looking into further!

aclEZ: Spotting default manager access

Access denied! Plug those Domino security holes in a few clicks

If you want to fix any questionable ACL settings, here’s a quick way to do it:

  1. Select the names in question aclEZ: Select ACL entries
  2. Update the settings in attributes panel aclEZ: Mass-edit attributes for a selection of ACL names
  3. The entries that you’ve changed will be marked with an icon in the Status column of the grid. aclEZ: Modified ACL entry settingThe changes won’t go live until you…
  4. …click Ctrl+S (or File>Apply Changes) to apply the changes to the server.

That’s all there is to it.

Tip: aclEZ supports Full Access Administration. If you are listed as a full access administrator, it’s often helpful to enable this feature by clicking Options>Full Access Administration when following the steps listed in this post.

So… How can I do this *without* aclEZ?

Finding and fixing ACL security holes with only the Lotus Notes client and the Domino Administrator can often take a great deal of time and effort.

You could start by looking at the catalog.nsf, but the catalog will fall short in a number of ways. For instance, it won’t supply you with live data; it won’t allow you to group or organize the ACL entry settings in any meaningful way;  it’s won’t allow you to directly edit entries; and perhaps most importantly, it won’t contain every database on your server.

This means that without aclEZ, you’d likely have to spend a lot of time going though the ACLs one-by-one in the Domino Administrator client.  And yes, that means dealing with the modal Access Control dialog. And in the event you want to modify entries for several ACLs at once, the Manage Multiple ACLs dialog gives you no indication of the current status of your selection and forces you to ‘go blind.’

Print Friendly, PDF & Email

1 Comment


  1. Tweets that mention A quick way to uncover (and fill) security holes on Domino servers using aclEZ | Ytria Tech Lab -- Topsy.com

Leave a Comment

To diplay code in your comment, put the code between these brackets: [cc]your code[/cc]. You can also put inline code by using these: [cci]your inline code[/cci]