As of Domino 12.0, a new internal mechanism is provided for collecting the highest entitlement that individual users have across a Domino domain. When a user appears in the ACL of a database with Reader access or above and that person has the right to access the server, the user is said to be an entitled user.
For example, Dana Smith/Renovations has Author access to an expense reporting application, expenses.nsf. The server's Allow Access security setting allows */Renovations permission to access the server. Therefore Dana Smith/Renovations is considered an entitled user with Author access.
Approximately once a day, each Domino 12 server scans every database on the server and collects the highest level of access for each entitled user. For example, on Server A:
The Domino installer installs the template entitlementtrack.ntf. The Domino server update task works with the server to create and manage a hidden system database, entitlementtrack.ncf, on the server. entitlementtrack.ncf has a document for every user in the server's Domino directory to track each user's highest entitled access level. In addition to a user's highest entitled access level, each document contains corroborating facts such as the first database in which this user was found and how a user is granted the highest entitled access level. For example: "User Dana Smith/Renovations has Editor access in the database DanaSmith.nsf because she is explicitly named in the ACL." Or: "User Richard Smith/Renovations has Designer access in database AcmeSales.nsf because he is a member of the AppDesigners group which has Designer access to this database." As of 12.0.2, the database also tracks the last date/time that a user authenticated with a tracked server and what protocol that user connected to the server with, as shown in the following example.
Table 1. Sample data in entitlement tracker data
Who is tracked
The following users are tracked:
The following entities are not tracked:
Although the server scans for entitled users every day, user tracking documents are only updated in the tracking database when their entitlements change. For example, if Dana Smith/Renovations's access to her mail file changes from Editor to Manager, then her tracking document is updated on the next scan to reflect the change in entitlement.
Groups, wildcards and -Default- access
Entitlements are tracked at the individual user level but Domino administrators typically use Domino or LDAP groups and wildcards to control user access to servers and databases. The entitlements collector recursively expands "groups of groups" and/or "wildcards matching users" to project the entitlements for the group or wildcard on to a set of individual users. Using groups and wildcards explicitly entitles a set of users.
The use of -Default- access, on the other hand, can implicitly entitle many users because the -Default- access setting projects to "everyone else." For example, if the group RenovationsManagers with five members has Manager access to a database, the user Richard Smith/Renovations has explicit Editor access, and the -Default- access is Reader, then everyone with access to the server other than these six users is entitled with Reader access. If the server allows anyone with */Renovations to access the server and the configured directory has 1,705 Renovations users, then this ACL default entitles 1,700 users with Reader access. In general, -Default- access should be used with great care.
Note: If the -Default- ACL entry that ships with a Domino system database allows access, that entry is not considered an entitlement and is excluded from processing. For example, Domino help databases ship with -Default- ACL entries that allow Reader access and therefore those -Default- ACL entries are excluded from processing.
Summarizing entitlements at the Domain level
The entitlement data collected daily by each Domino server in a domain is also aggregated for the entire domain on the domain administration server. The directory catalog task manages the synchronization process, and the combined entitlement tracking data from each server is aggregated into an entitlements.nsf database on the administration server. The administration server has both its own entitlement tracking database (entitlementtrack.ncf) and the aggregate tracking information for all of the servers in the domain (entitlements.nsf). The administration server identifies the highest level of access for each user in the domain and stores which server has the highest access level for a particular user, as well as the other corroborating information such as which database and how the user is entitled.
Note: The History view in entitlements.nsf includes a Snapshot button. Click this button to generate a document that summarizes the current total number of entitlements by access level, based on current data. Domino runs this same action automatically once per week so that there is a historical record of changes to entitlement.
How the entitlement information is used
The entitlement information is collected to help Domino customers monitor their environments. HCL does not collect this data, and it is not used to control server access. The only information HCL may ask you to provide is the "entitlement report," which contains the total number of entitlements by access level, for example:
Entitlement Summary for 3/10/2010
Manager 13
Designer 7
Editor 234
Author 1200
Reader 2400
==================
Total 3834
How you can use this information
The information in the entitlement summary can be extremely useful in understanding how many users you have with different access levels and which servers, databases, ACLs and permissions are contributing to these numbers. By default, these databases have access restricted to LocalDomainAdmins but since this is your data you can manage access to it in any way you see fit with the following caveats: