IBM Support

LO70994: UNABLE TO REGISTER USER WITH XACL WHEN THE ADMIN HAS DESIGNER ACCESS AND DENY WRITE ACCESS IN FIELD HTTP PASSWORD


APAR status

  • Closed as fixed if next.

Error description

  • Unable to register a user with xACL when the admin has Designer
    access and deny Write access on the HTTP Password field.
    
    The customer is trying to achieve a setup in which administrators
    are able to register users but are not able to change the HTTP
    password for those users.
    
    - L2 reproduced the issue that the customer is experiencing.
    
    To reproduce the issue, L2 used the sample names.nsf provided by
    the customer, in which extended ACL is enabled and the
    Administrator Group has Designer access in the ACL of names.nsf.
    
    Steps to reproduce:
    
    For simplicity of the reproducible scenario, the environment
    contains only one server (Domino 853).
    
    1. Register a second administrator, for example: Second
    Admin/ACME
    
    Make sure that Second Admin/ACME is included in the Server
    document, on the Security tab, in the "Administrators" field.
    Also make sure that it is listed in the Server document >
    Security tab > Server Access, in the fields Create databases &
    templates, Create New Replicas and Create Master Templates.
    
    Also make sure that Second Admin/ACME is included in the ACL
    of the certlog.nsf database with Manager access.
    
    2. Add Second Admin/ACME to the ACL of the Domino Directory
    with the following access:
    
    User type = Person
    Access = Designer
    Make sure that all the roles are marked (even though only the
    UserCreator role is the minimum required)
    
    3. Enable xACL
    
    In the Extended Access dialog, use the following settings:
    
    Target --> select the top root of the containers "/"
    Access list --> add Second Admin/ACME
    Click the Form and Field Access button
    On Forms --> select "Person"
    On Fields --> select "HTTP Password" and, to the right of the
    fields, in Access select:
    
    Read = allow
    Write = deny
    
    Click OK to save the xACL changes.
    
    4. Switch the ID to Second Admin/ACME and try to register a
    user. The registration fails; the Person document never gets
    created.
    
    
    
    5. If you change the access to allow Write on the form field
    "HTTP Password" for Second Admin/ACME, then the administrator
    is able to register users correctly.
    
    For example:
    
    In the Extended Access dialog, use the following settings:
    
    Target --> select the top root of the containers "/"
    Access list --> add Second Admin/ACME
    Click the Form and Field Access button
    On Forms --> select "Person"
    On Fields --> select "HTTP Password" and, to the right of the
    fields, in Access select:
    
    Read = allow
    Write = allow
    
    
    6. If you disable xACL and give the administrator "Second
    Admin/ACME" Designer access in the ACL of the Domino Directory,
    the admin is able to register users correctly.
    
    
    
    According to the Administration Help Manual, these are the
    minimum requirements to be able to register a user: Editor
    access or Author access with Create Documents, and the
    UserCreator role in the Domino Directory on the registration
    server.
    
    The exact access levels are documented in the Infocenter
    document "Using Basic Notes user registration with the Domino
    Administrator":
    
    http://publib.boulder.ibm.com/infocenter/domhelp/v8r0/index.jsp?topic=%2Fcom.ibm.help.domino.admin.doc%2FDOC%2FH_BASIC_USER_REGISTRATION_STEPS.html
    
    
    
    Conclusion: Designer access in the ACL should allow users to be
    registered (as the HTTP password is not set when a user is being
    registered), but when xACL is enabled with the conditions
    described, it is not possible to register users.
    

Local fix

  • The workaround is to configure xACL with the settings below, or
    to disable xACL altogether.
    
    However, this workaround does not achieve what the customer
    wants, which is for the administrator account involved to be
    able to register users but not to modify the HTTP password of
    users.
    
    
    In the Extended Access dialog, use the following settings:
    
    
    Target --> select the top root of the containers "/"
    Access list --> add Second Admin/ACME
    Click the Form and Field Access button
    On Forms --> select "Person"
    On Fields --> select "HTTP Password" and, to the right of the
    fields, in Access select:
    
    Read = allow
    Write = allow
    

Problem summary

  • This APAR is closed as FIN. We have deferred the fix to a
    future release.
    

Problem conclusion

Temporary fix

Comments

  • This APAR is associated with SPR# BBSZ8WYJDR.
    This APAR is closed as FIN. We have deferred the fix to a
    future release.
    

APAR Information

  • APAR number

    LO70994

  • Reported component name

    DOMINO SERVER

  • Reported component ID

    5724E6200

  • Reported release

    852

  • Status

    CLOSED FIN

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2012-08-08

  • Closed date

    2012-08-17

  • Last modified date

    2012-08-17

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

Applicable component levels

  • R852 PSN UP


Document Information

Modified date:
17 August 2012