SECURING


Restricting administrator access
You can specify various access levels for different types of administrators in your organization. For example, you may want to give only a few people 'system administrator' access, while all of the administrators on your team are designated as database administrators.

About this task

Administrator access rights are granted hierarchically. The privilege hierarchy looks like this:


You do not need to list a user individually in each field. Adding a user to the topmost level of administrator access automatically grants that user all privileges listed for subordinate levels in the hierarchy.

To restrict administrator access

Procedure

1. From the Domino® Administrator, click the Configuration tab, and open the Server document.

2. Click the Security tab.

3. In the Administrators section, complete one or more of these fields, and then save the document. For all of these fields, you can specify individual hierarchical names, groups, and wildcards (for example, */Sales/Renovations). Separate multiple entries with commas.


Results

CAUTION: Administrators who are listed in the Full Access Administrators, Administrators, and Database Administrators fields on the Security tab of a server document are allowed to delete any database on that server, even if they are not listed as managers in the database ACL.

Full access administrators

About this task

A full access administrator has the greatest level of administrative access to the server. The full access administrator feature replaces the need to run a Notes® client locally on a server. Establishing a full access administrator resolves access control problems that can result when the only managers of a database ACL depart from an organization.

Full access administrators have the following rights:


Enabling full access administrator mode

About this task

In order to work in full access administrator mode, an administrator must:


When full access administrator mode is enabled, the client's window title, tab title, and status bar indicate this. This is to remind users that they are accessing the server with the highest level of privilege and should therefore proceed with caution.

If an administrator enables full administration mode in the Administration client, this mode is also enabled for the Domino Designer and for the Notes clients. Full administrator access is also reflected in their window titles, tab titles, and status bars.

If a user attempts to switch to full access administrator mode, but is not listed as one in the Server document, the user is denied full access and a message appears in the status bar and on the server console. The client will be in full access mode, but that user will not have full administrator access to that particular server. If the user attempts to switch servers, that person's access is checked against the server document of the new server.

Disabling the full access administrator feature

You can disable the Full Access Administrators field by setting SECURE_DISABLE_FULLADMIN = 1 in the NOTES.INI file. This setting disables full access administrator privilege and overrides any names listed in that field in the Server document. Only a user who has physical access to the server and who can edit the NOTES.INI file for the server can set this NOTES.INI parameter. This parameter cannot be set using the server console, the remote console, or set in the Server document.

Options for managing the full access administrator feature

About this task

There are several ways to grant full access administrator


You can also track how this feature is used:
Related concepts
The Server Controller and the Domino Console

Related tasks
Giving additional administrators access to the Web Administrator

Related reference
Server_Restricted