Configuration parameter | Meaning |
---|---|
TargetSystem\NDO\DenyAccessGroups | Denied access groups are used when a Notes user account is disabled. |
TargetSystem\NDO\DenyAccessGroups\Memberlimit | This configuration parameter contains the maximum number of members per denied access group. When this limit is reached, another denied access group is created automatically. |
TargetSystem\NDO\DenyAccessGroups\Prefix | This configuration parameter contains the prefix used for formatting the name of a denied access group. |
A user is considered to be locked in IBM Notes if it is no longer possible to log on to any server in the domain with this user account. The user thereby loses access to the mailbox file. Access to a server can be prevented by giving the user account the permissions type "Not access server" in the corresponding server document. In environments with several servers this is laborious, because a user account that is to be locked must be entered with this permissions type in every server document.
For this reason, denied access groups are used. Each denied access group initially gets the permissions type "Not access server" for each server document. A user that is going to be locked becomes a member of the denied access group and therefore is automatically prevented from accessing the domain servers.
Immediately after a user account has been locked in One Identity Manager, a denied access group is found for the user. If a denied access group of the right type is not found, the One Identity Manager Service creates a new group with the group type "Deny list only" and automatically enters it in each server document with the permissions type "Not access server". The group name is made up of a prefix and a sequential index (for example "viDenyAccess0001"). Furthermore, the option Denied access group is set for this group.
To change the prefix of a denied access group
It is also possible to specify the maximum number of user accounts in a denied access group. This is necessary in an environment with a large number of user accounts, to prevent the maximum number of user names in one group being exceeded. If this limit is reached, a new denied access group is created with an index value incremented by "1" and added with the permissions type "Not access server" on all domain servers.
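The following Python model, added here as an illustration and not taken from One Identity Manager or its VI_Notes_GetOrCreateRestrictGroup script, shows the allocation logic described above: a locked user goes into the first denied access group that still has room; when all groups with the configured prefix are full, a new group with the next index is created and entered in every server document with "Not access server". The four-digit index follows the page's example name; the member limit, server names and the rule that a group with free capacity is reused are assumptions.

```python
import re
from dataclasses import dataclass, field


@dataclass
class Directory:
    """Constructed stand-in for the Domino directory (not the real API)."""
    servers: list                                   # server document names
    groups: dict = field(default_factory=dict)      # group name -> list of members
    not_access_server: dict = field(default_factory=dict)  # server -> set of denied groups


def deny_group_name(prefix, index):
    """Format prefix + four-digit index, e.g. viDenyAccess0001 (padding assumed)."""
    return f"{prefix}{index:04d}"


def get_or_create_deny_group(d, user, prefix="viDenyAccess", limit=3):
    """Return the denied access group the user ends up in; create the next one if all are full."""
    pattern = re.compile(rf"^{re.escape(prefix)}(\d+)$")
    indexed = []
    for name in d.groups:
        m = pattern.match(name)
        if m:
            indexed.append((int(m.group(1)), name))
    indexed.sort()
    for _, name in indexed:                         # already locked: nothing to do
        if user in d.groups[name]:
            return name
    for _, name in indexed:                         # first group below the member limit
        if len(d.groups[name]) < limit:
            d.groups[name].append(user)
            return name
    index = indexed[-1][0] + 1 if indexed else 1    # all full (or none): index + 1
    name = deny_group_name(prefix, index)
    d.groups[name] = [user]
    for server in d.servers:                        # "Not access server" on every server document
        d.not_access_server.setdefault(server, set()).add(name)
    return name


def is_locked(d, user):
    """A user is locked when every server document denies a group the user belongs to."""
    user_groups = {n for n, members in d.groups.items() if user in members}
    return all(user_groups & d.not_access_server.get(s, set()) for s in d.servers)
```

`is_locked` is the check a defender would run to confirm a lock actually covers all servers in the domain, which is the failure mode the per-server approach invites.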
To change the number of user accounts permitted in a denied access group
TIP: The denied access groups are found, and the user added, by the script VI_Notes_GetOrCreateRestrictGroup. If denied access groups already exist in IBM Notes, they are handled like normal groups. To use these groups for the locking process in One Identity Manager
Since IBM Domino version 8.5, it is possible to assign user accounts to groups by certain selection criteria. One such criterion is the user account's mail server. Furthermore, members can be explicitly excluded from or additionally added to the group. A group is mapped as a dynamic group in One Identity Manager if the method "Home server" is selected in the property "Load dynamic member" (column AutoPopulateInput = '1'). Members cannot be assigned directly to these groups.
Dynamic groups are excluded from inheritance through hierarchical roles. This means that system roles, business roles and organizations cannot be assigned to dynamic groups. Inheritance exclusion cannot be specified. Dynamic groups cannot be requested in the IT Shop.
IBM Notes adds so-called extension groups if the maximum number of members in a group has been reached. These extension groups are loaded into the One Identity Manager database by synchronization and cannot be edited. The connection to the dynamic group is created using the property Parent Notes groups (column UID_NotesGroupParent). Excluded and additional lists are maintained exclusively for the parent dynamic groups. Extension groups are only shown on the overview form.
You cannot assign members directly to dynamic groups. Members are determined from the home servers assigned to the group: all user accounts that have one of these servers as their mail server are automatically members of the dynamic group. In addition, memberships can be edited through an excluded list and an additional list. User accounts that appear on both the excluded and the additional list are not members of the dynamic group. Both user accounts and groups can be added to the excluded and additional lists.
When IBM Notes calculates effective members, it finds all the user accounts that:
Effective memberships in dynamic groups (table NDOUserInGroup) are not maintained in One Identity Manager but only loaded into it by synchronization. Excluded and additional lists can be edited in the Manager. Changes are immediately provisioned in the target system, where the membership lists are recalculated. After resynchronization, the changes to the effective memberships are visible in One Identity Manager and can be taken into account by, for example, compliance checking.
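The following Python model, added here as an illustration and not code from IBM Domino or One Identity Manager, reproduces the effective membership rules for a dynamic group with the "Home server" method as described above: members by mail server, plus the additional list, minus the excluded list, with a name on both lists ending up excluded. Group names on the two lists are resolved to their members here, which is an assumption, as are all user, server and group names.

```python
from dataclasses import dataclass, field


@dataclass
class NotesUser:
    name: str
    mail_server: str                    # the user's home/mail server document


@dataclass
class NotesGroup:
    name: str
    members: set = field(default_factory=set)   # user or group names (static group)


@dataclass
class DynamicGroup:
    name: str
    home_servers: set                           # "Home server" selection criterion
    additional: set = field(default_factory=set)   # additional list: users or groups
    excluded: set = field(default_factory=set)     # excluded list: users or groups


def expand(names, groups):
    """Resolve group names on a list to user names, following nested groups once each."""
    users, todo, seen = set(), list(names), set()
    while todo:
        n = todo.pop()
        if n in seen:
            continue
        seen.add(n)
        if n in groups:
            todo.extend(groups[n].members)
        else:
            users.add(n)
    return users


def effective_members(dg, users, groups):
    """Users whose mail server is a home server, plus additional list, minus excluded list."""
    by_home_server = {u.name for u in users if u.mail_server in dg.home_servers}
    added = expand(dg.additional, groups)
    removed = expand(dg.excluded, groups)
    # A user on both lists is excluded, as the page states
    return (by_home_server | added) - removed
```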
If you use One Identity Manager's identity audit functionality and also check memberships in dynamic Notes groups in compliance rules, note the following:
NOTE: Changes to the excluded and additional lists in the Manager cannot be acted upon immediately, because effective memberships in dynamic groups are not updated until after resynchronization. Customize the synchronization schedule for your IBM Notes environment so that changes to effective memberships are promptly transferred to the One Identity Manager database. For more detailed information about editing synchronization schedules, see the One Identity Manager Target System