
Minimum privileges needed to register a new user


I recently had to delegate the creation of Lotus Notes user accounts to several of our helpdesk staff, so that I could be freed up to work on other project based activities. In order to give the helpdesk staff just enough rights to perform this function, here's what I did.
  • So as to avoid any confusion, and so that the same staff could also perform Lotus Notes password recovery at a later date, I registered a new user ID for them called User Registration. I then set up a location document for them to switch to when registering new users.
  • Since we are using the CA Process to register new users, I added the User Registration account to the list of Registration Authorities within the certifier(s) that we use. I did this via the Modify Certifier tool within the Domino Administrator client, so that the necessary changes were made to the ICL database for the certifier(s) via the Administration Process.
  • I added the User Registration account to the ACL of the Domino Directory as a Person with Author access and the Create documents privilege. I also gave the account the User Creator, User Modifier and Group Modifier roles. These are required so that person documents can be added to the Domino Directory during user registration and can also be edited afterwards (handy for when mistakes are made). The Group Modifier role is only required if you are adding users to groups during registration.
  • The User Registration account was also added to the ACL of the server's Certification Log database (certlog.nsf), again as a Person with Author access and the Create documents privilege.
  • I also added the User Registration account to the "Create new databases" field in the Security section of the server's Server document. I then added the User Registration account to the ACL of the Administration Process requests database (admin4.nsf) as a Person with Author access and the Create documents privilege.

    I think the default ACL level of admin4.nsf already gives this level of access, but we have our ACLs locked down so tightly, it would have prevented us from dropping the "Create mail file in background" requests to the Administration Process. Hence the ACL change.

    NOTE: You will only need to do this if you are creating mail files for newly registered users during the registration process.
That's about it.

The above configuration allowed our helpdesk staff to register new users for us, whilst not being able to do very much else, i.e. -- not f**k up the server or the Domino directory!
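Once a delegated account like this exists, the thing that drifts over time is its ACL entries: someone bumps it to Editor "just to fix one document", or adds a role it never needed. The following Notes Java API program is an added example (not part of the original post) that audits the User Registration entry in the three databases listed above and reports anything missing or anything granted beyond Author access plus Create documents. It assumes Notes.jar is on the classpath, a local Notes or Domino runtime, a hypothetical server name `CN=MyServer/O=MyOrg`, and the bracketed role spellings `[UserCreator]`, `[UserModifier]` and `[GroupModifier]` as they appear in the Domino Directory ACL.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Vector;

import lotus.domino.ACL;
import lotus.domino.ACLEntry;
import lotus.domino.Database;
import lotus.domino.NotesException;
import lotus.domino.NotesFactory;
import lotus.domino.NotesThread;
import lotus.domino.Session;

/**
 * Least-privilege audit for a delegated user-registration account.
 * Checks names.nsf, certlog.nsf and admin4.nsf for exactly the access the
 * post describes: Person entry, Author level, Create documents, and (for the
 * Domino Directory only) the three registration roles.
 */
public class RegistrationAclAudit {

    // Hypothetical values: replace with your own server and the delegated account name.
    static final String SERVER = "CN=MyServer/O=MyOrg";
    static final String ACCOUNT = "User Registration";

    // Roles the Domino Directory ACL exposes for person/group maintenance (assumed spelling).
    static final List<String> DIRECTORY_ROLES =
        Arrays.asList("[UserCreator]", "[UserModifier]", "[GroupModifier]");

    /** Audits one database and returns human-readable findings; an empty list means the entry is as expected. */
    static List<String> auditDatabase(Session session, String path, List<String> requiredRoles)
            throws NotesException {
        List<String> findings = new ArrayList<>();
        Database db = session.getDatabase(SERVER, path);
        if (db == null || !db.isOpen()) {
            findings.add(path + ": cannot open database on " + SERVER);
            return findings;
        }
        ACL acl = db.getACL();
        ACLEntry entry = acl.getEntry(ACCOUNT);
        if (entry == null) {
            findings.add(path + ": no ACL entry for '" + ACCOUNT + "'");
            acl.recycle();
            db.recycle();
            return findings;
        }
        if (entry.getUserType() != ACLEntry.TYPE_PERSON) {
            findings.add(path + ": entry should be of type Person");
        }
        int level = entry.getLevel();
        if (level < ACL.LEVEL_AUTHOR) {
            findings.add(path + ": access below Author; registration will not be able to add documents");
        } else if (level > ACL.LEVEL_AUTHOR) {
            findings.add(path + ": access above Author; more than registration requires");
        }
        if (!entry.isCanCreateDocuments()) {
            findings.add(path + ": 'Create documents' privilege not granted");
        }
        Vector<?> roles = entry.getRoles();
        for (String role : requiredRoles) {
            if (!roles.contains(role)) {
                findings.add(path + ": missing role " + role);
            }
        }
        // Any role beyond the required set is privilege the account does not need.
        for (Object granted : roles) {
            if (!requiredRoles.contains(granted.toString())) {
                findings.add(path + ": unexpected role " + granted);
            }
        }
        entry.recycle();
        acl.recycle();
        db.recycle();
        return findings;
    }

    public static void main(String[] args) {
        NotesThread.sinitThread();
        Session session = null;
        try {
            session = NotesFactory.createSession();
            List<String> findings = new ArrayList<>();
            findings.addAll(auditDatabase(session, "names.nsf", DIRECTORY_ROLES));
            findings.addAll(auditDatabase(session, "certlog.nsf", Collections.<String>emptyList()));
            findings.addAll(auditDatabase(session, "admin4.nsf", Collections.<String>emptyList()));
            if (findings.isEmpty()) {
                System.out.println("OK: '" + ACCOUNT + "' has exactly the expected registration rights");
            } else {
                for (String f : findings) {
                    System.out.println("FINDING: " + f);
                }
            }
        } catch (NotesException e) {
            System.err.println("Notes error " + e.id + ": " + e.text);
        } finally {
            try {
                if (session != null) session.recycle();
            } catch (NotesException ignored) {
            }
            NotesThread.stermThread();
        }
    }
}
```

Run it under an ID with at least Reader access to the three databases; the checks on `certlog.nsf` and `admin4.nsf` pass an empty role list because neither database defines registration roles, so any role found there is reported as unexpected.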
