A user is considered to be locked in Domino if it is no longer possible for the user to log on to a server in the domain with this user account. The user loses access to the mailbox file through this. Access to a server can be prevented if the user account has the Not access server permissions type for the corresponding server document. This is very complicated in environments with several servers because a user account, which is going to be locked, must be given this permissions type for every server document.
For this reason, denied access groups are used. Each denied access group initially gets the Not access server permissions type for each server document. A user that is going to be locked becomes a member of the denied access group and therefore is automatically prevented from accessing the domain servers.
Immediately after a user account has been locked in One Identity Manager, a denied access group is found for the user. If a denied access group of the right type is not found, the One Identity Manager Service creates a new group, Deny list only, and automatically stores it on each server with Not access server. The group name is made up of a prefix and a sequential index (for example viDenyAccess0001). Furthermore, this group is labeled with Denied access group>.
To change the prefix of an denied access group.
-
In the Designer, edit the value in the TargetSystem | NDO | DenyAccessGroups | Prefix configuration parameter.
-
Enter the prefix when a denied access group is initially created.
- Save the changes.
It is also possible to specify the maximum number of user accounts in a denied access group. This is necessary in an environment with a large number of user accounts to prevent the maximum number of user names in one group being exceeded. If this limit is reached, a new denied access group is created with an index value incremented by 1 and added with the permissions type Not access server on all domain servers.
To change the number of user accounts permitted in a denied access group
TIP: The denied access groups are found using the VI_Notes_GetOrCreateRestrictGroup script and then added. If denied access groups already exist in Domino, they are handled like normal groups.
To use these groups for the locking process in One Identity Manager
-
In the Manager, set the Locking group option for this group.
-
In the Designer, modify the prefix in TargetSystem | NDO | DenyAccessGroups | Prefix if necessary.
-
Modify the NDO_Notes_GetOrCreateRestrictGroup script according to your requirements.
Since Domino version 8.5, it is possible to assign user accounts to groups by certain selection criteria. A criteria is, for example, the user account's mail server. Furthermore, members can be explicitly excluded or additionally added to the group. A group is mapped as a dynamic group in One Identity Manager, if Home server is selected in Load dynamic member (column AutoPopulateInput = '1'). Members cannot be assigned directly to these groups.
Dynamic groups are excluded from inheritance through hierarchical roles. This means that system roles, business roles, and organizations cannot be assigned to dynamic groups. Inheritance exclusion cannot be defined and dynamic groups cannot be requested in the IT Shop.
Detailed information about this topic
If the maximum number of members in a group has been reached, Domino adds so called extension groups. These extension groups are imported into the One Identity Manager database by synchronization and cannot be edited. The connection to the dynamic group is created using the Parent Notes group property (UID_NotesGroupParent column). Excluded and additional lists are maintained exclusively for parent dynamic groups. Extension groups are only shown on the overview form.
You cannot assign members directly to dynamic groups. Members are determined over the home servers assigned to the group. All user accounts that are assigned as mail server to this server are automatically members of the dynamic group. In addition, memberships can be edited through an excluded and additional list. At the same time, user accounts that are assigned to both the excluded and additional lists cannot be members of the dynamic group. User accounts and groups can both be added to the excluded and additional lists.
When Domino is calculating effective members, it finds all the user accounts that:
-
The home server is assigned to as mail server
-
Are directly assigned to an additional list
-
Are assigned to an additional list as a member of a Notes group
-
Are assigned to an excluded list
-
Are assigned to an excluded list as a member of a Notes group.
Effective memberships in dynamic groups (table NDOUserInGroup) are not maintained in One Identity Manager, but only loaded in the One Identity Manager by synchronization. Excluded and additional lists can be edited in the Manager. Changes are immediately provisioned in the target system. Membership lists are recalculated there. After resynchronizing, the changes to the effective memberships are visible in One Identity Manager and can be taken into account by, for example, compliance checking.
If you use One Identity Manager's identity audit functionality and also check memberships in dynamic Notes groups in compliance rules, note the following:
NOTE: Changes to the excluded and additional lists in the Manager, cannot be immediately acted upon as effective memberships in dynamic groups are not updated until after resynchronization. Customize the synchronization schedule for your Domino environment such that changes to effective memberships are promptly transferred to the One Identity Manager database.
For more information about editing synchronization schedules, see the One Identity Manager Target System Synchronization Reference Guide.