Solved

Access Control List

Posted on 2001-09-03
Last Modified: 2013-12-18
Hi all,

Is there any way to tell which databases have a particular group in the ACL? I can open each one and have a look, but I want to make sure none are overlooked before I delete unwanted groups.

I was hoping there was some kind of analysis tool to help.

Thanks,
Andrew.
0
Question by: ANDREAG
14 Comments
 
LVL 10

Accepted Solution

by:
zvonko earned 50 total points
ID: 6451254
Hello Andrew,

this one is easy :-))

Look into catalog.nsf on the server. Therein is a view "AccessControlList\ByName". Therein you can find all databases where your GroupName is entered on all servers (and which access level).

Is this what you are searching for?

Regards,
zvonko

PS: If this catalog.nsf is not present on the server, then run this command on the server's console:
LOAD CATALOG
0
 
LVL 18

Expert Comment

by:marilyng
ID: 6451263
Team Studio does this rather well, along with the database analyzer from easy access software. Team Studio is a touch pricy.

www.easyaccess-software.com
www.teamstudio.com

I have a quick and dirty analyzer that I built that collects the ACL via script, and Notes Net, I believe has one that does it via the API.

The only way I know to collect it and show it is via some script that you attach to either a copy of the database catalogue, or via an agent that collects the database entries into a "administration" database that you can use to maintain all your databases.

Marilyng
0
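
An added example, not part of any post in this thread: a LotusScript agent that walks every database on one server and reports those whose ACL contains a given entry, as a cross-check for databases the catalog does not list. The group name, the server name and the output wording are placeholders.

```lotusscript
Option Declare

' Placeholders (assumptions, not values from the thread)
Const GROUP_NAME = "ObsoleteGroup"   ' ACL entry to look for
Const SERVER_NAME = ""               ' "" = the machine the agent runs on

Sub Initialize
    Dim session As New NotesSession
    Dim dbdir As NotesDbDirectory
    Dim db As NotesDatabase
    Dim acl As NotesACL
    Dim entry As NotesACLEntry
    Dim found As Integer
    Dim skipped As Integer

    Set dbdir = session.GetDbDirectory(SERVER_NAME)
    Set db = dbdir.GetFirstDatabase(DATABASE)

    Do Until db Is Nothing
        On Error Goto CannotRead
        ' Databases returned by NotesDbDirectory must be opened explicitly
        If Not db.IsOpen Then Call db.Open("", "")
        Set acl = db.ACL
        ' GetEntry returns Nothing when the name is not in this ACL
        Set entry = acl.GetEntry(GROUP_NAME)
        If Not (entry Is Nothing) Then
            found = found + 1
            ' Level: 0 = No Access ... 6 = Manager
            Print db.FilePath & " -> access level " & Cstr(entry.Level)
        End If
NextDb:
        On Error Goto 0
        Set db = dbdir.GetNextDatabase()
    Loop

    Print Cstr(found) & " database(s) list " & GROUP_NAME & ", " & Cstr(skipped) & " skipped"
    Exit Sub

CannotRead:
    ' Report unreadable databases instead of silently passing over them
    skipped = skipped + 1
    Print "SKIPPED " & db.FilePath & ": " & Error$
    Resume NextDb
End Sub
```

GetEntry matches the literal entry name only, so a group nested inside another group that is listed in the ACL is not reported. Any database shown as skipped still has to be checked by someone with access to it before the group is deleted.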
 
LVL 10

Expert Comment

by:zvonko
ID: 6451286
Have a look at these two:
http://www.notes.net/sandbox.nsf/e7425656e0c80508852567540065d7f9/11f736c9d472b15885256996006d7458?OpenDocument
http://www.notes.net/sandbox.nsf/e7425656e0c80508852567540065d7f9/81deffed8f49e561852568d4006c98e4?OpenDocument

The last one is my posting to SandBox, less for auditing, but for easy text editing of ACL and mainly to restore a former saved (and/or modified ACL) state.

But to find db's with particular ACL group name look simply into catalog.nsf ....
0
 
LVL 18

Expert Comment

by:marilyng
ID: 6451303
zvonko,

cool.. these look good and simple..and free!!

Marilyng

0
 
LVL 10

Expert Comment

by:zvonko
ID: 6451367
Thanks for the feedback <|;-)

May I add only this: the first link is a very beautiful HTML generator with a very nice user interface.
My tool is more for looking at LotusScript techniques for accessing ACLs, with a too simple user interface.
0
 

Author Comment

by:ANDREAG
ID: 6452405
Thanks zvonko,

since it was so easy, can I reduce the points? ;-)
0
 
LVL 10

Expert Comment

by:zvonko
ID: 6452983
:-))

I think you have checked the radio button:
 () This question is easy (50 points)
...and for this it was 50 pennies.

But primarily I would be interested in whether my hint was the solution for you. As you see most comments are from one high-end expert to another <|;-) and less between question asker and helper...

And for my points; please give me: A+

Regards,
zvonko
0
 

Author Comment

by:ANDREAG
ID: 6453089
well, your hint was a 90% solution - I have 7 servers to check, so it makes the job MUCH easier.

>As you see most comments are from high-end expert to another

!! But high-end experts shouldn't need to ask any questions!! :-))
0
 
LVL 10

Expert Comment

by:zvonko
ID: 6453478
Thank you Andrew for the points and for the feedback <|;-)

but let me give you one more comment (for the last 10%)...

If your CATALOG task is running on all seven servers and your catalog.nsf is a correct replica on all seven servers, then you can look in one db for all servers. Or have I misunderstood something?
0
 

Author Comment

by:ANDREAG
ID: 6453569
yes, well, you see, catalog.nsf isn't being replicated (I didn't even know it existed, remember?).

Should it usually be set up the way you describe? If so, how would I go about setting it up? Do I just delete the files from 6 servers and replicate the last one?

Also, why did you change your name?

Andrew.
0
 
LVL 18

Expert Comment

by:marilyng
ID: 6453975
Andreag,
zvonko and I are two different people.  I am more a programmer rather than administrator, so my experience with catalog.nsf is of two different varieties:  One is that it is configured to catalog only the current server's files, or that it is configured to catalog all domain databases.  You'll need to see which yours is doing.  If you didn't set them up to be one big repository, then they each contain ONLY the current server's published databases.

On the program management side, we tend to spawn a different database to manage ACL's, permissions, size, groups, etc., because catalog.nsf is not always set to collect and publish all the databases, and there are some that are "support" databases that we don't want to appear in the public catalog, but want to manage.

This is why I didn't suggest using the catalog.nsf to check for ACL's, but rather a third database that can not only check the ACL's, but maintain them with a variety of agents and code buttons that can do this automatically.

Also, I've noticed a variety of different ways that administrators use the "administration" server.  So, for instance, if you rename a group from the NAB, the "administration" server should update and remove the group from all affected "databases" - but, only if the database has assigned an "administration" server.


Catalog.nsf is kinda like the server log.nsf, it normally only applies to the current server's adminp and event process.  I believe it would be a mistake to "delete" all the other catalog.nsf files, and replace them with a replica of the hub's catalog.nsf.

But, since you awarded the points to Zvonko, perhaps he should be answering your latest question.

smiles,
marlyng
0
 
LVL 18

Expert Comment

by:marilyng
ID: 6453998
Another thought..
if your database isn't configured to "maintain a consistent ACL across all replicas" then changing the ACL on one replica might not change it in the other.

If your database is replicated across all your servers, then you need to only deal with one database's ACL and replicate that to the other replicas.

Therefore, you'd only need to open the catalog.nsf on the server where you intend to make the changes.

marilyng
0
 

Author Comment

by:ANDREAG
ID: 6456079
:-))

>>zvonko and I are two different people.

thanks for the clarification marilyng!! what I meant was: why did "stamp" change his name to "zvonko".

thanks for the info though.

I can see I'll have to do a bit of research on setting up the catalog.nsf properly...

Andrew
0
 
LVL 10

Expert Comment

by:zvonko
ID: 6461955
(stamp is stamped <|;-))

For ACL problems with catalog.nsf look for Technote#177274 here:
http://support.lotus.com/sims2.nsf/802ee480bdd32d0b852566fa005acf8d/b5b9051b08d8abc585256856004aecae?OpenDocument

About deleting all catalog.nsf files except the last one and replicating, that I do not know. I always supposed that the catalog task does this all right. But your idea with replication should always work.

To the question of why I changed my EE logon: when I wanted to register with EE for the first time in 1998, my first name was already in use. Three years later, after asking EE community support, they told me that there is no problem: when Zvonko is in use, zvonko is not in use :-))
But they could not refund my expert points, so I am now begging for any single point I can get (to catch this beggar Arun :-))

...but mainly I am doing this for fun (not for t-****s).
0
