Solved

ECL without creators ID and/or privs

Posted on 2002-04-04
Last Modified: 2013-12-18
I want to change the ECL on our domain but keep running into ECL security issues. The alleged person who created the domain as it is has left the organisation and has been deleted from the NAB. How can I change the permissions on running the ECL agent without his ID (which is rendered useless because it has expired as well)?

Our domain consists of over 2000 Notes users and over 40 servers, so installing a new NAB and creating a new domain are out of the question.
Question by:EricMD

Expert Comment

by:HemanthaKumar
Switch to the current admin ID, open the agent in Designer, then resave it. This should incorporate the current admin access and signatures.

~Hemanth

Expert Comment

by:zvonko
I do not understand your problem.

Either this general ExecutionControlList allows agents signed by this "security hole" user to run :-) and you are too lazy to change this fact,
or you do not know how to distribute your CommonName as signer for agents and other design elements to all workstation ECLs.

At our installation we do not use person IDs for application signing. We have special application signing IDs for every block of applications which we release for production. One such signer CommonName could be:
BulletinBoard/App/CompanyOrg

So your ECL can allow execution of all */App/CompanyOrg signed designs.

If you like to live with the security hole, then recreate the same CommonName as the deleted one, for application signing purposes. Public keys are not compared at ECL level.

Good luck,
zvonko



Expert Comment

by:zvonko
Eric, one more thing about the questions...

I saw you have created your account today. I am happy we have you among us as an expert. But please keep in mind what the biggest problem in our EE community is: abandoned questions.
And you have to know, as soon as a question is answered, none of the other experts have much interest in getting involved until the "wrong" answer is rejected by the questioner. Most of the questioners sit there and wait until the right answer comes along. They do not get much involved in their own questions :-)

You have also answered a question on your first day. At first glance this is an enthusiastic manner. But please keep this abandoned question problem in mind.

Thank you,
zvonko

Expert Comment

by:CRAK
Hi Eric, welcome!
I told you this would have a better response than notes.net!?

Zvonko,
Eric is a colleague of mine: he's one of the administrators, I'm one of the developers. He's not any lazier than any of us here!

I don't fully understand the problem. I only saw the symptoms briefly. Even though he owns admin IDs etc., the ECL checkboxes remain greyed out... and something needs to be altered badly!

Expert Comment

by:zvonko
I am lazy :-)

OK, where do you see this disabled (grayed) ECL checkbox?

Are you sure you are not talking about the ACL :-)

Or are you talking about the names.nsf action "EditAdministrationECL" in your domain's names.nsf?

If you are really talking about your domain's ECL, then make a local copy of your names.nsf and try to modify this ECL there. Stop the server and bring the names.nsf back to the server (and hope that this will replicate to the other servers' names.nsf, I don't know :-)

If this AdministrationECL is really not titled: ECLforAdministrator
but something like: ECLforJohnDoe/OU/Org
then create this damned JohnDoe within the same hierarchy and use this as I proposed in my first comment.


Accepted Solution

by:zvonko (earned 50 total points)
My assumption that AdministrationECL is not replicating seems to be a known problem to Lotus:
http://www.notes.net/46dom.nsf/55c38d716d632d9b8525689b005ba1c0/1b88da8dfbffb24085256ae9004c1e9c?OpenDocument

Anyway, the best solution is to set it manually at every server (when not greyed :-)

Another idea would be to create a new AdministrationECL with this command:
http://doc.notes.net/domino_notes/5.0.3/help5_designer.nsf/078c27b23262ffff852566dd0029426a/7f1a8981105618608525687e00586688?OpenDocument&AutoFramed

and afterwards distribute a mail with a button updating the users' workstation ECL as described here:
http://doc.notes.net/domino_notes/5.0.3/help5_designer.nsf/f4b82fbb75e942a6852566ac0037f284/7a1f88fe766885d48525687e00586d90?OpenDocument&AutoFramed




Expert Comment

by:Arunkumar
Hey Eric!
Welcome to the Forum.
:-)

Author Comment

by:EricMD
Okay guys, here's the answer. I got it from another Notes admin who I happened to run into. It worked like a charm:

Create a new location document and remove the home server name from it.
Switch to that location and go to the ECL. Press refresh. Since there is no server against which the ECL is able to verify, it will give you local control, which is full. Now go to the address book and run the agent.

I tried it and it worked. Is this a security bug in Notes or just an undocumented feature :-)

Thanks for all the help.

Eric

Expert Comment

by:zvonko
I still do not know exactly what you are talking about.

Whether it is a security hole to change the local ECL I also will never know, because in our installations we do not forbid changing private ECLs.

Anyway, the good ending is that you found your solution.

You have now two options: accept any comment as answer to keep your solution as a foundation for the next questioner,
or delete this question because of all these misunderstandings and reward your question points.

In any case thank you for the feedback :-) EE is full of abandoned questions where questioners found their solutions in some way and were too frustrated to close their questions.

Regards,
zvonko


Author Comment

by:EricMD
Although it was not the answer to the problem, it did contain a link for creating the mail towards our users.

Expert Comment

by:zvonko
Thanks for the feedback and for the points :-)

Did you know that this B grading is not a school grading? It is an Expert points multiplier.

Only for the future... <|:-)

So long,
zvonko


