立即与支持人员聊天
与支持团队交流

Identity Manager 9.1.1 - Administration Guide for Connecting to HCL Domino

Managing HCL Domino environments Synchronizing a Domino environment
Setting up initial synchronization of a Domino environment Domino server configuration Setting up a gateway server Creating a synchronization project for initial synchronization of a Notes domain Adjusting the synchronization configuration for Domino environments Running synchronization Tasks following synchronization Troubleshooting Ignoring data error in synchronization Pausing handling of target system specific processes (Offline mode)
Managing Notes user accounts and employees Managing memberships in Notes groups Login information for Notes user accounts Using AdminP requests for handling Domino processes Mapping of Notes objects in One Identity Manager
Notes domains Notes user accounts Notes groups Notes certificates Notes templates Notes policies Notes mail-in databases Notes server Reports about Notes objects
Handling of Notes objects in the Web Portal Basic data for managing a Domino environment Configuration parameters for managing a Domino environment Default project template for Domino Processing methods of Domino system objects Domino connector settings

Displaying the Notes group overview

Use this task to obtain an overview of the most important information about a group.

To obtain an overview of a group

  1. In the Manager, select the HCL Domino > Groups category.

  2. Select the group in the result list.

  3. Select the Notes group overview task.

Locking groups

A user is considered to be locked in Domino if it is no longer possible for the user to log on to a server in the domain with this user account. The user loses access to the mailbox file through this. Access to a server can be prevented if the user account has the Not access server permissions type for the corresponding server document. This is very complicated in environments with several servers because a user account, which is going to be locked, must be given this permissions type for every server document.

For this reason, denied access groups are used. Each denied access group initially gets the Not access server permissions type for each server document. A user that is going to be locked becomes a member of the denied access group and therefore is automatically prevented from accessing the domain servers.

Immediately after a user account has been locked in One Identity Manager, a denied access group is found for the user. If a denied access group of the right type is not found, the One Identity Manager Service creates a new group, Deny list only, and automatically stores it on each server with Not access server. The group name is made up of a prefix and a sequential index (for example viDenyAccess0001). Furthermore, this group is labeled with Denied access group>.

To change the prefix of an denied access group.

  1. In the Designer, edit the value in the TargetSystem | NDO | DenyAccessGroups | Prefix configuration parameter.

  2. Enter the prefix when a denied access group is initially created.

  3. Save the changes.

It is also possible to specify the maximum number of user accounts in a denied access group. This is necessary in an environment with a large number of user accounts to prevent the maximum number of user names in one group being exceeded. If this limit is reached, a new denied access group is created with an index value incremented by 1 and added with the permissions type Not access server on all domain servers.

To change the number of user accounts permitted in a denied access group

  • In the Designer, edit the value in the TargetSystem | NDO | DenyAccessGroups | Memberlimit configuration parameter.

TIP: The denied access groups are found using the VI_Notes_GetOrCreateRestrictGroup script and then added. If denied access groups already exist in Domino, they are handled like normal groups.

To use these groups for the locking process in One Identity Manager

  1. In the Manager, set the Locking group option for this group.

  2. In the Designer, modify the prefix in TargetSystem | NDO | DenyAccessGroups | Prefix if necessary.

  3. Modify the NDO_Notes_GetOrCreateRestrictGroup script according to your requirements.

Dynamic groups

Since Domino version 8.5, it is possible to assign user accounts to groups by certain selection criteria. A criteria is, for example, the user account's mail server. Furthermore, members can be explicitly excluded or additionally added to the group. A group is mapped as a dynamic group in One Identity Manager, if Home server is selected in Load dynamic member (column AutoPopulateInput = '1'). Members cannot be assigned directly to these groups.

Dynamic groups are excluded from inheritance through hierarchical roles. This means that system roles, business roles, and organizations cannot be assigned to dynamic groups. Inheritance exclusion cannot be defined and dynamic groups cannot be requested in the IT Shop.

Detailed information about this topic

Extension groups

If the maximum number of members in a group has been reached, Domino adds so called extension groups. These extension groups are imported into the One Identity Manager database by synchronization and cannot be edited. The connection to the dynamic group is created using the Parent Notes group property (UID_NotesGroupParent column). Excluded and additional lists are maintained exclusively for parent dynamic groups. Extension groups are only shown on the overview form.

相关文档

The document was helpful.

选择评级

I easily found the information I needed.

选择评级