Disabling Full Access Administrator Rights
Tags: Technical
Why would you want to do something so crazy as that? Disable a new feature that gives the administrator logged, yet practically unlimited, access to a Domino server? Well, to restrict what the heck they can still see. Sure, Extended ACLs (xACL) cover certain things, but that much power is scary. And as much as I don't like to say it, a lot of admins aren't sure exactly what access this gives them.
Let's visit technote #7003449:

What Rights Do Full Access Administrators Have?

This is the highest level of administrative access to the server. Administrators who have full administrator access to the server have the following rights:
- All the rights granted to "Administrators", plus
- Manager access, with all roles and access privileges enabled, to all databases on the server, regardless of the database ACL settings
- Manager access, with all roles and access privileges enabled, to the Web Administrator database (WEBADMIN.NSF)
- Access to all documents within databases on the server, regardless of reader name field controls
- Unrestricted agent rights
- Overrides "Enforce a consistent ACL across all replicas" setting
- Supersedes directory link ACLs and .ACL files
Note: Full Access Admin does not allow access to read encrypted fields. In the case of mail encryption (and other documents encrypted using public keys), the specified user's private key is required to decrypt. In the case of document encryption using secret keys, the secret key is required to decrypt.
Disabling the feature via the Notes.ini
Customers can disable this feature by setting SECURE_DISABLE_FULLADMIN=1 in Notes.ini. When this value is set, the server ignores any names listed in the Full Access Administrators field of the server document. This parameter cannot be changed via a remote or local console, nor via the server configuration document; it can only be changed by editing the server's notes.ini file directly. It is built this way so that a site that wishes to disable the feature in a way that cannot be re-enabled without direct access to the server's file system can do so.
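Because the switch lives only in notes.ini, auditing it means reading the file, not the server document. The following is an added example (not code from the original post, and not IBM's) that parses a notes.ini as plain KEY=VALUE lines, reports whether SECURE_DISABLE_FULLADMIN=1 is set, sets it idempotently, and models the precedence the technote describes: once the setting is present, whatever the server document's Full Access Administrators field says is ignored. The sample notes.ini and the administrator names are constructed, and case-insensitive key matching is an assumption of this example.

```python
"""Audit and set SECURE_DISABLE_FULLADMIN in a Domino notes.ini.

Added example; not from the original post or from IBM. notes.ini is treated
as simple KEY=VALUE lines, and keys are compared case-insensitively (an
assumption of this example, not something the technote states).
"""
from typing import Dict, List

KEY = "SECURE_DISABLE_FULLADMIN"


def parse_notes_ini(text: str) -> Dict[str, str]:
    """Return {UPPERCASE_KEY: value} for every KEY=VALUE line.

    Lines without '=' (section headers, blank lines) are skipped. If a key
    appears more than once, the last occurrence wins.
    """
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip().upper()] = value.strip()
    return settings


def full_admin_disabled(text: str) -> bool:
    """True only when SECURE_DISABLE_FULLADMIN=1 is present in notes.ini."""
    return parse_notes_ini(text).get(KEY) == "1"


def set_disable_full_admin(text: str, enable_setting: bool = True) -> str:
    """Return notes.ini text with SECURE_DISABLE_FULLADMIN=1 set (or removed).

    Idempotent: an existing line for the key is rewritten in place, duplicate
    lines for the key are dropped, and every other line is kept verbatim.
    With enable_setting=False the key is removed entirely.
    """
    out: List[str] = []
    replaced = False
    for line in text.splitlines():
        key = line.partition("=")[0].strip().upper()
        if key == KEY:
            if enable_setting and not replaced:
                out.append(f"{KEY}=1")
                replaced = True
            continue  # drop duplicates, or drop the key when disabling
        out.append(line)
    if enable_setting and not replaced:
        out.append(f"{KEY}=1")
    return "\n".join(out) + "\n"


def effective_full_admins(text: str, server_doc_full_admins: List[str]) -> List[str]:
    """Names that actually receive Full Access Administrator rights.

    Models the technote: with the notes.ini setting present, the server
    ignores the server document's Full Access Administrators field.
    """
    if full_admin_disabled(text):
        return []
    return list(server_doc_full_admins)


# Constructed sample notes.ini contents (not taken from a real server).
SAMPLE_INI = """[Notes]
Directory=C:\\Domino\\data
ServerTasks=Update,Replica,Router,AMgr,Adminp
"""

# Constructed names, standing in for the server document's field.
SERVER_DOC_FULL_ADMINS = ["CN=Chris Miller/O=Acme", "LocalDomainAdmins"]

if __name__ == "__main__":
    print("before:", effective_full_admins(SAMPLE_INI, SERVER_DOC_FULL_ADMINS))
    hardened = set_disable_full_admin(SAMPLE_INI)
    print("after: ", effective_full_admins(hardened, SERVER_DOC_FULL_ADMINS))
```

Run it against a copy of the server's notes.ini rather than the live file, and apply the result the way the technote requires: by editing the file on the server's file system, since no console command or configuration document will do it for you.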
So I am unsure whether one should create a separate ID file, as suggested in that technote, or try to know yourself when to use the toggle.
On Monday, February 23rd, 2004 by Chris Miller