
Identity Manager 8.0 - Administration Guide for Connecting to IBM Notes


ID vault

The ID Vault is an IBM Domino database that stores copies of user ID files. It allows IBM Notes to restore user ID files and to reset user account passwords. One Identity Manager provides a process for resetting passwords in the ID vault.

Prerequisites
  • The Domino server, which communicates with the gateway server, is also the ID vault server.
  • There are executing permissions defined for agents for the synchronization user account. For more information, see Running Restricted LotusScript/Java Agents.
  • ID vault database permissions for the synchronization user account are set: access function "Manager" and role "Auditor". For more detailed information, see your IBM Notes documentation.
  • Permissions for restoring passwords of the synchronization administrative user account and the ID vault server are set. For more detailed information, see your IBM Notes documentation.

To use the ID vault

  1. Select the category IBM Notes | Domains.
  2. Select the domain you want to use for the ID vault in the result list and run Change master data in the task view.
  3. Set the option ID vault enabled.

    This setting affects all user accounts in the domain.

  4. Save the changes.

NOTE: If certain user accounts are excluded from the ID vault by the ID vault policy in IBM Notes, the password cannot be reset by One Identity Manager.

To ensure that the passwords of all user accounts in a domain can be reset, assign an ID vault policy that covers the whole organization.

When a new user account is published in the IBM Notes environment, One Identity Manager saves the initial password in the One Identity Manager database (NotesUser.PasswordInitial). This initial password is used whenever the user account password needs to be reset. Passwords are saved automatically for user accounts that are initially set up in One Identity Manager. For all other user accounts, the initial password has to be transferred to the One Identity Manager database with a customized process.

To reset a user account password

  1. Select the category IBM Notes | User accounts.
  2. Select the user account in the result list.
  3. Select ID restore in the task view.

This task starts the process NDO_NDOUser_PWReset_from_Vault. The process replaces the password of the user ID file saved in the ID Vault with the initial password from the One Identity Manager database. If the user is logged into the IBM Notes client at this point, the user's local ID file is replaced with the updated copy from the ID Vault, and the user has to log in with the initial password the next time the IBM Notes client is started. If the user is not logged into the IBM Notes client when the password is reset, the updated ID file must be provided separately.

Once the password has been successfully reset, the user must be provided with the initial password and, if necessary, the ID file. This process has to be customized to meet your needs.

ID restore

ID restore is a One Identity Manager mechanism that can be used when a user has forgotten their password or the ID file itself has been lost. When a user ID file is restored with the ID restore procedure, the full name and the display name of the user account are determined from the user account name, the organizational unit, and the certificate.

The following information is required to run an ID restore:

  • An ID file that is initially imported into the database including the associated password (NotesUser.NotesID, NotesUser.PasswordInitial)
  • The certifier that the initial ID file was created with (NotesUser.UID_NotesCertifierInitial)
  • A copy of the initially loaded or added employee document in the gateway server’s archive database archiv.nsf
  • The GUID of the document copy in the archive database (NotesUser.ObjectGUID_Archiv)

This data is generated and saved automatically for user accounts that were added in One Identity Manager. For all other user accounts, a one-off custom import of the files listed above has to be run.
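Before relying on ID restore for accounts that were not created in One Identity Manager, it is worth auditing which accounts still lack any of the four artifacts listed above. The following query is an added example, not part of the guide; it assumes a SQL Server One Identity Manager database in which the columns named above live in a table called NotesUser with a key column UID_NotesUser (both names are assumptions; adjust them to your schema).

```sql
-- Readiness check (added example): list user accounts that are missing
-- at least one artifact required by the ID restore procedure.
-- Assumed: table NotesUser, key column UID_NotesUser.
SELECT
    u.UID_NotesUser,                                                     -- assumed key column
    CONCAT(
        CASE WHEN u.NotesID                   IS NULL THEN 'NotesID ' ELSE '' END,
        CASE WHEN u.PasswordInitial           IS NULL THEN 'PasswordInitial ' ELSE '' END,
        CASE WHEN u.UID_NotesCertifierInitial IS NULL THEN 'UID_NotesCertifierInitial ' ELSE '' END,
        CASE WHEN u.ObjectGUID_Archiv         IS NULL THEN 'ObjectGUID_Archiv' ELSE '' END
    ) AS MissingForIdRestore                     -- space-separated list of missing artifacts
FROM NotesUser AS u
WHERE u.NotesID IS NULL
   OR u.PasswordInitial IS NULL
   OR u.UID_NotesCertifierInitial IS NULL
   OR u.ObjectGUID_Archiv IS NULL
ORDER BY u.UID_NotesUser;
```

Every row returned is an account for which ID restore would fail until the custom import described above has supplied the missing data.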

To restore the user ID file

  1. Select the category IBM Notes | User accounts.
  2. Select the user account in the result list.
  3. Select ID restore in the task view.

    The ID restore process carries out the following steps:

    • Deletes all current employee documents from the Domino directory.
    • Copies initial employee documents from archive database to the Domino directory.
    • Exports the initially saved ID files to the gateway server.
    • Starts the AdminP request to track the changes made to the original ID up until now. This includes changes to the components of the user’s name, changes to the ID expiry date and exchanging certifiers.
    • Updates the restored employee documents with known values.
  4. If the ID file is restored, provide the user with the ID file and the initial password.

Locking and Unlocking Notes User Accounts

Table 47: Configuration Parameters for Locking/Unlocking User Accounts

  Configuration parameter             Meaning
  TargetSystem\NDO\MailBoxAnonymPre   Prefix for user account anonymity.
  QER\Person\TemporaryDeactivation    Specifies whether an employee's user accounts are locked when the employee is temporarily or permanently disabled.

A user account is considered locked in IBM Notes if the user can no longer log on to any server in the domain with that account; the user thereby loses access to the mailbox file. Access to a server can be prevented by giving the user account the permissions type "Not access server" in the corresponding server document. In environments with several servers this is very laborious, because a user account that is going to be locked must be given this permissions type in every server document.

For this reason, denied access groups are used. Each denied access group is given the permissions type "Not access server" in every server document once. A user account that is going to be locked is made a member of the denied access group and is therefore automatically prevented from accessing the domain servers.

The way you lock user accounts depends on how they are managed.

Scenario:
  • The user account is linked to employees and is managed through account definitions.

User accounts managed through account definitions are locked when the employee is temporarily or permanently disabled. The behavior depends on the user account's manage level. User accounts with the manage level "Full managed" are disabled according to the account definition settings. For user accounts with another manage level, modify the column template NDOUser.AccountDisabled accordingly.

Scenario:
  • The user accounts are linked to employees. No account definition is applied.

In this scenario, the user accounts are locked when the employee is temporarily or permanently disabled. The behavior depends on the configuration parameter "QER\Person\TemporaryDeactivation".

  • If the configuration parameter is set, the employee’s user accounts are locked if the employee is permanently or temporarily disabled.
  • If the configuration parameter is not set, the employee’s properties do not have any effect on the associated user accounts.

To lock a user account when the configuration parameter is disabled

  1. Select the category IBM Notes | User accounts.
  2. Select the user account in the result list.
  3. Select Change master data in the task view.
  4. Set the option Account is disabled on the General tab.
  5. Save the changes.

Scenario:
  • User accounts not linked to employees.

To lock a user account, which is not linked to an employee

  1. Select the category IBM Notes | User accounts.
  2. Select the user account in the result list.
  3. Select Change master data in the task view.
  4. Set the option Account is disabled on the General tab.
  5. Save the changes.

When the user account is locked, it is made anonymous and is no longer shown in address books, and its access to Notes servers is removed. The configuration parameter "TargetSystem\NDO\MailBoxAnonymPre" is evaluated when the user account is made anonymous.

To unlock a user account

  1. Select the category IBM Notes | User accounts.
  2. Select the user account in the result list.
  3. Select Change master data in the task view.
  4. Disable the option Account is disabled on the General tab.
  5. Save the changes.

    Anonymity is rescinded and the user account removed from denied access groups.


Deleting Notes User Accounts

If a user account is deleted in One Identity Manager, it is initially marked for deletion and is therefore locked. Depending on the deferred deletion setting, the user account is deleted from the address books and the One Identity Manager database either immediately or at a later date.

NOTE: As long as an account definition for an employee is valid, the employee retains the user account that was created by it. If the account definition assignment is removed, the user account created through this account definition is deleted.

To delete a user account

  1. Select the category IBM Notes | User accounts.
  2. Select the user account in the result list.
  3. Click to delete the user account.
  4. Confirm the security prompt with Yes.

To restore user account

  1. Select the category IBM Notes | User accounts.
  2. Select the user account in the result list.
  3. Click in the result list toolbar.

Configuring Deferred Deletion

By default, user accounts are finally deleted from the database after 30 days. The user accounts are initially disabled, and you can re-enable them until deferred deletion is run. After deferred deletion has run, the user accounts are deleted from the database and cannot be restored anymore. You can configure an alternative deletion delay on the table NDOUser in the Designer.
