Use this task to obtain an overview of the most important information about a group.
To obtain an overview of a group
-
In the Manager, select the HCL Domino > Groups category.
-
Select the group in the result list.
-
Select the Notes group overview task.
A user is considered to be locked in Domino if it is no longer possible for the user to log on to a server in the domain with this user account. The user loses access to the mailbox file through this. Access to a server can be prevented if the user account has the Not access server permissions type for the corresponding server document. This is very complicated in environments with several servers because a user account, which is going to be locked, must be given this permissions type for every server document.
For this reason, denied access groups are used. Each denied access group initially gets the Not access server permissions type for each server document. A user that is going to be locked becomes a member of the denied access group and therefore is automatically prevented from accessing the domain servers.
Immediately after a user account has been locked in One Identity Manager, a denied access group is found for the user. If a denied access group of the right type is not found, the One Identity Manager Service creates a new group, Deny list only, and automatically stores it on each server with Not access server. The group name is made up of a prefix and a sequential index (for example viDenyAccess0001). Furthermore, this group is labeled with Denied access group>.
To change the prefix of an denied access group.
-
In the Designer, edit the value in the TargetSystem | NDO | DenyAccessGroups | Prefix configuration parameter.
-
Enter the prefix when a denied access group is initially created.
- Save the changes.
It is also possible to specify the maximum number of user accounts in a denied access group. This is necessary in an environment with a large number of user accounts to prevent the maximum number of user names in one group being exceeded. If this limit is reached, a new denied access group is created with an index value incremented by 1 and added with the permissions type Not access server on all domain servers.
To change the number of user accounts permitted in a denied access group
TIP: The denied access groups are found using the VI_Notes_GetOrCreateRestrictGroup script and then added. If denied access groups already exist in Domino, they are handled like normal groups.
To use these groups for the locking process in One Identity Manager
-
In the Manager, set the Locking group option for this group.
-
In the Designer, modify the prefix in TargetSystem | NDO | DenyAccessGroups | Prefix if necessary.
-
Modify the NDO_Notes_GetOrCreateRestrictGroup script according to your requirements.
Since Domino version 8.5, it is possible to assign user accounts to groups by certain selection criteria. A criteria is, for example, the user account's mail server. Furthermore, members can be explicitly excluded or additionally added to the group. A group is mapped as a dynamic group in One Identity Manager, if Home server is selected in Load dynamic member (column AutoPopulateInput = '1'). Members cannot be assigned directly to these groups.
Dynamic groups are excluded from inheritance through hierarchical roles. This means that system roles, business roles, and organizations cannot be assigned to dynamic groups. Inheritance exclusion cannot be defined and dynamic groups cannot be requested in the IT Shop.
Detailed information about this topic
If the maximum number of members in a group has been reached, Domino adds so called extension groups. These extension groups are imported into the One Identity Manager database by synchronization and cannot be edited. The connection to the dynamic group is created using the Parent Notes group property (UID_NotesGroupParent column). Excluded and additional lists are maintained exclusively for parent dynamic groups. Extension groups are only shown on the overview form.