Extended properties are meta objects, such as operating codes, cost codes, or cost accounting areas that cannot be mapped directly in One Identity Manager.
To specify extended properties for a group
-
In the Manager, select the IBM Notes | Groups category.
-
Select the group in the result list.
-
Select the Assign extended properties task.
-
In the Add assignments pane, assign extended properties.
TIP: In the Remove assignments pane, you can remove assigned extended properties.
To remove an assignment
- Select the extended property and double-click
.
- Save the changes.
For more detailed information about setting up extended properties, see the One Identity Manager Identity Management Base Module Administration Guide.
Table 51: Configuration parameter for setting up denied access groups
| TargetSystem | NDO | DenyAccessGroups |
Denied access groups are used when a Notes user account is disabled. |
| TargetSystem | NDO | DenyAccessGroups | Memberlimit |
This configuration parameter contains the maximum number of members per denied access group. When this limit is reached, another denied access group is created automatically. |
| TargetSystem | NDO | DenyAccessGroups | Prefix |
This configuration parameter contains the prefix used for formatting the name of a denied access group. |
A user is considered to be locked in IBM Notes if it is no longer possible for the user to log on to a server in the domain with this user account. The user loses access to the mailbox file through this. Access to a server can be prevented if the user account has the "Not access server" permissions type for the corresponding server document. This is very complicated in environments with several servers because a user account, which is going to be locked, must be given this permissions type for every server document.
For this reason, denied access groups are used. Each denied access group initially gets the "Not access server" permissions type for each server document. A user that is going to be locked becomes a member of the denied access group and therefore is automatically prevented from accessing the domain servers.
Immediately after a user account has been locked in One Identity Manager, a denied access group is found for the user. If a denied access group of the right type is not found, the One Identity Manager Service creates a new group,"Deny list only", and automatically stores it on each server with "Not access server". The group name is made up of a prefix and a sequential index (for example "viDenyAccess0001"). Furthermore, this group is labeled with Denied access group>.
To change the prefix of an denied access group.
- In the Designer, edit "TargetSystem | NDO | DenyAccessGroups | Prefix".
- Enter the prefix when a denied access group is initially created.
- Save the changes.
It is also possible to specify the maximum number of user accounts in a denied access group. This is necessary in an environment with a large number of user accounts to prevent the maximum number of user names in one group being exceeded. If this limit is reached, a new denied access group is created with an index value incremented by "1" and added with the permissions type "Not access server" on all domain servers.
To change the number of user accounts permitted in a denied access group
- In the Designer, edit the value of "TargetSystem | NDO | DenyAccessGroups | Memberlimit".
TIP: The denied access groups are found using the VI_Notes_GetOrCreateRestrictGroup script and then added. If denied access groups already exist in IBM Notes, they are handled like normal groups.
To use these groups for the locking process in One Identity Manager
- Set Denied access group for this group.
- Modify the prefix in "TargetSystem | NDO | DenyAccessGroups | Prefix" if necessary.
- Modify the VI_Notes_GetOrCreateRestrictGroup script according to your requirements.
Since IBM Domino version 8.5, it is possible to assign user accounts to groups by certain selection criteria. A criteria is, for example, the user account's mail server. Furthermore, members can be explicitly excluded or additionally added to the group. A group is mapped as a dynamic group in One Identity Manager, if "Home server" is selected in "Load dynamic member" (column AutoPopulateInput = '1'). Members cannot be assigned directly to these groups.
Dynamic groups are excluded from inheritance through hierarchical roles. This means that system roles, business roles, and organizations cannot be assigned to dynamic groups. Inheritance exclusion cannot be defined and dynamic groups cannot be requested in the IT Shop.
If the maximum number of members in a group has been reached, IBM Notes adds so called extension groups. These extension groups are imported into the One Identity Manager database by synchronization and cannot be edited. The connection to the dynamic group is created using the Parent Notes group property (UID_NotesGroupParent column). Excluded and additional lists are maintained exclusively for parent dynamic groups. Extension groups are only shown on the overview form.
