Lotus Domino Security: Tips for System Administrator
Eugene Polyakov

Alba Spectrum Technologies
1-866-528-0577, 1-630-961-5918
help@albaspectrum.com
A Domino server has multilevel security. The highest level of protection is available when you work with the Domino server through the Lotus Notes ("thick") client. IBM describes the following seven security levels:
- Network - controls access at the network layer, i.e. whether a client can reach the server at all (which ports and protocols the server listens on, and from where);
- Authentication - the process by which the server and the client establish a trust relationship;
- Domino Server Security - access rights defined in the Server document (who may access the server, and with what privileges);
- Database Access (ACL) - controls which users have access to a specific database, and at what level;
- Design Element Security - access restrictions set on individual design elements, e.g. who may create documents with a given form or who may run a given agent;
- Document Security - access rights expressed through Readers and Authors fields;
- Field Security - encryption of individual fields for which the "Enable encryption" property is set.
Leaving aside the Network level, Authentication between a Notes client and a Domino server is a standard certificate check: both sides hold Notes certificates, and trust is established when they share a certificate in common (the same certifier or a common ancestor certifier). At the Domino Server Security level, the Server document holds a long list of security parameters, from the groups of users who are or are not allowed to access the server, to the Full Access administrators who may work with the server's databases while bypassing the next four security levels. The Database Access control list (ACL) is set independently for each Lotus Domino database and has seven access levels:
- Manager - a user or group allowed to change everything in the database, including its ACL, replication settings and local encryption settings, and to delete the database;
- Designer - a user or group allowed to change all design elements and all data documents, but not the ACL;
- Editor - a user or group allowed to create documents and to change all data documents, but not design elements;
- Author - a user or group allowed to create new documents and to change only the documents in which they are named in an Authors field;
- Reader - a user or group allowed only to read the database documents;
- Depositor - a user or group allowed to create documents but not to view them afterwards (except, possibly, Public documents);
- No Access - a user or group with no access to the database (except, possibly, Public documents and design elements).
At each of these levels additional access options exist, such as "Create documents", "Delete documents", "Create personal agents", "Create personal folders/views", "Read public documents" and "Write public documents", which refine what the level allows.
At the Document Security level two field types are used:
- Authors. These restrict who may edit the documents that contain such a field, and they work together with the database ACL. The field may contain user names, group names, server names and roles defined in the ACL of the database. An Authors field affects only users who have Author access in the ACL: users with Editor access or higher may edit any document they are able to read, and Reader access or lower gives no editing rights whatever the field contains. If a user has Author access and a document contains no Authors field, that user cannot edit even the documents they created themselves. If the document does contain an Authors field, an Author-level user may modify it only when included in that field, either by name, through a group, or through an assigned role;
- Readers. These restrict who may read the documents that contain such a field, and they also work together with the database ACL. A document with a non-empty Readers field is not visible to users who do not appear (directly, through a group or through a role) in its Readers or Authors fields, or in the "Default read access for documents created with this form" setting on the Security tab of the form's properties (that setting populates a $Readers field when the document is created). Two caveats a practitioner should keep in mind: a Readers field restricts even Managers of the database, and an empty Readers field imposes no restriction at all, so a document whose Readers field is accidentally left blank is readable by everyone with at least Reader access.
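To make the interplay of the ACL levels listed above and the Readers/Authors fields described in this section concrete, here is an added example (not code from the original article, and not Domino's own implementation) that models the decision Domino makes when a user opens or edits a document. The directory groups, the ACL entries, the user names and the documents are all constructed for the illustration; the resolution rule for a user who appears only in groups (highest level wins, roles from all matching groups) is the one Domino documents, but it is reproduced here as a simplified model.

```python
from dataclasses import dataclass, field

# ACL levels in ascending order of privilege, as listed in the article.
LEVELS = ["No Access", "Depositor", "Reader", "Author", "Editor", "Designer", "Manager"]
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass
class AclEntry:
    name: str                       # user name, group name, or "-Default-"
    level: str                      # one of LEVELS
    roles: set = field(default_factory=set)


@dataclass
class Acl:
    entries: list                   # AclEntry objects
    groups: dict                    # group name -> set of members (stand-in for the Domino Directory)

    def resolve(self, user):
        """Return (level, roles) for a user. Modelled rule: an explicit entry wins outright;
        otherwise the highest-level matching group entry gives the level and every matching
        group contributes its roles; otherwise -Default- applies."""
        by_name = {e.name: e for e in self.entries}
        if user in by_name:
            return by_name[user].level, set(by_name[user].roles)
        matched = [e for e in self.entries
                   if e.name in self.groups and user in self.groups[e.name]]
        if matched:
            best = max(matched, key=lambda e: RANK[e.level])
            return best.level, set().union(*(e.roles for e in matched))
        default = by_name["-Default-"]
        return default.level, set(default.roles)

    def identities(self, user, roles):
        """Every name an entry in a Readers/Authors field can match for this user:
        the user name, each group the user belongs to, and roles written as [Role]."""
        ids = {user}
        ids |= {g for g, members in self.groups.items() if user in members}
        ids |= {"[%s]" % r for r in roles}
        return ids


@dataclass
class Doc:
    items: dict                                          # field name -> list of names
    readers_fields: set = field(default_factory=set)     # names of the Readers-type fields
    authors_fields: set = field(default_factory=set)     # names of the Authors-type fields

    def names_in(self, fieldnames):
        out = set()
        for f in fieldnames:
            out |= set(self.items.get(f, []))
        return out


def can_read(acl, user, doc):
    level, roles = acl.resolve(user)
    if RANK[level] < RANK["Reader"]:          # Depositor and No Access cannot read
        return False
    readers = doc.names_in(doc.readers_fields)
    if not readers:                            # no Readers field, or an empty one: no restriction
        return True
    # Names in Authors fields get read access too; the check applies even to Managers.
    allowed = readers | doc.names_in(doc.authors_fields)
    return bool(acl.identities(user, roles) & allowed)


def can_edit(acl, user, doc):
    if not can_read(acl, user, doc):
        return False
    level, roles = acl.resolve(user)
    if RANK[level] >= RANK["Editor"]:          # Editor and above edit regardless of Authors fields
        return True
    if level != "Author":                      # Reader and below never edit
        return False
    # Author access: editable only when named in an Authors field; a document
    # without any Authors field cannot be edited even by its creator.
    return bool(acl.identities(user, roles) & doc.names_in(doc.authors_fields))


# Constructed sample directory, ACL and documents (not taken from a real server).
ANN, RITA, ED, MIKE, OSCAR = ("CN=Ann Author/O=Acme", "CN=Rita Rep/O=Acme",
                              "CN=Ed Editor/O=Acme", "CN=Mike Manager/O=Acme",
                              "CN=Oscar Outsider/O=Acme")
ACL = Acl(
    entries=[
        AclEntry("-Default-", "No Access"),
        AclEntry(ANN, "Author"),                       # explicit entry, no roles
        AclEntry("Sales", "Author", {"SalesRole"}),    # Rita gets Author + [SalesRole] via the group
        AclEntry(ED, "Editor"),
        AclEntry(MIKE, "Manager"),
    ],
    groups={"Sales": {ANN, RITA}},
)
DOC_PLAIN = Doc({"Subject": ["no Readers or Authors field at all"]})
DOC_OWNED = Doc({"DocAuthors": [ANN]}, authors_fields={"DocAuthors"})
DOC_ROLE = Doc({"DocAuthors": ["[SalesRole]"]}, authors_fields={"DocAuthors"})
DOC_SECRET = Doc({"DocReaders": ["Sales"], "DocAuthors": [ED]},
                 readers_fields={"DocReaders"}, authors_fields={"DocAuthors"})
DOC_EMPTY_READERS = Doc({"DocReaders": []}, readers_fields={"DocReaders"})

if __name__ == "__main__":
    for label, doc in [("plain", DOC_PLAIN), ("owned", DOC_OWNED), ("role", DOC_ROLE),
                       ("secret", DOC_SECRET), ("empty-readers", DOC_EMPTY_READERS)]:
        for user in (ANN, RITA, ED, MIKE, OSCAR):
            print("%-13s %-26s read=%-5s edit=%s" % (label, user,
                  can_read(ACL, user, doc), can_edit(ACL, user, doc)))
```

Running the block prints an access matrix; the cases worth noticing are that Ann, an Author, cannot edit DOC_PLAIN even though she has the right level, that Mike, the Manager, cannot read DOC_SECRET because he is not named in its Readers field, and that DOC_EMPTY_READERS is readable by everyone with Reader access or better. Because Authors fields restrict only Author-level users, the model also shows why granting Editor access "to be safe" silently defeats per-document edit restrictions.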
At the Field Security level the contents of individual fields can be encrypted with either symmetric or asymmetric algorithms: with a secret encryption key, which must be distributed to every user who needs to read the field, or with the public keys of the named recipients, taken from the Domino Directory. Besides the security levels mentioned above, Lotus Domino supports electronic signatures and local encryption of an entire database. Local encryption deserves attention in particular: the ACL and Readers fields are enforced by the server, so a local replica on a workstation is protected from anyone with access to the file only if it is encrypted with the owner's ID.
When the Domino server is accessed from a browser, authentication works differently than with the Lotus Notes client. Web authentication can use a name and password, or an X.509 client certificate. In the latter case the security level is higher, and the Domino server must be running HTTP over SSL; note that name-and-password login should also be restricted to SSL, since over plain HTTP the password travels in the clear. In Domino web applications Field Security and electronic signatures are not supported by default, because both mechanisms require the user's Notes ID file, which is held by the Notes client and not by the browser.
Besides Lotus Notes and a web browser, a Domino server can also be used by:
- mail clients over the SMTP, POP3 and IMAP protocols;
- newsgroup clients over the NNTP protocol;
- directory service clients over the LDAP protocol;
- applications that use OLE and COM technology.
Unfortunately those topics are out of the scope of this article.
Good luck setting up your system, and contact us for any help in the
USA: 1-866-528-0577!
help@albaspectrum.com
Eugene Polyakov is a
technical writer in Alba Spectrum Technologies (
http://www.albaspectrum.com
), IBM and Microsoft Business Solutions Partner, serving clients in Chicago, Los
Angeles, San Francisco, Denver, Phoenix, Houston, Miami,
New York, Boston, Atlanta, Seattle,
Canada, Australia, UK, Moscow,
Germany.