Signing databases and Admin ECL

Status
Not open for further replies.
Dec 8, 2000
I want to roll out a new set of Admin ECLs to the users on our system. Having gone through the admin help and a few books, there is not a great deal of information on the subject. I would like a surefire way to easily complete this, but have come up with a few hitches.
1. I need to find out which databases have had the signatures altered from the original Lotus signatures so users will have uninterrupted access once the rollout is complete and to be able to re-sign just those signatures. The only way to do this that I can think of is to open each and every database in the designer and check manually.
2. I need a method to ensure the user has pressed the button to change the ECLs (as described in the admin help on the subject). At the moment I have it configured to receipt the mail so I know the user has opened it and also to send another mail once the user clicks on the ECL change button. This is not failsafe as the user can abort the ECL change, but allow the mail to be sent, thus making me assume the ECLs have changed.
3. Some databases create personal views when certain items are changed (such as the discussion template). If I was to disable users from editing their ECLs, would this adversely affect these kinds of databases?

Thanks in advance.
 
Regarding your questions:
1. I have thought about this and I haven't come up with a better solution either. Perhaps you could write a program that reads out those signatures from all related databases into a separate database and check them there. On the other hand: when you sign all relevant databases with the new Admin ECL you should have no problems because the program would run under the admin signature instead of the original Lotus signature. Or have you planned to use different admin signatures with different security levels on the same databases? Personally I wouldn't recommend that. We have enforced a very tight ECL policy within our organization, but we only use one admin signature that can perform all operations on the user's client.
2. There is no way that you can ensure that the user actually presses the button. You can inform them per mail beforehand that they must do it but in the end you just have to hope for the best. There are always people who won't do it and will come back to you once they get the security violation errors.
3. I don't think so. As mentioned under 1. we have also restricted the ACL but users are still able to access private views within the discussion templates (at least the standard ones like 'My Favourites'). But: our users are never allowed to create their own private views apart from the standard ones provided by Lotus anyway.

One thing you have to keep in mind once you have updated all user ECLs and your ECL policy is running smoothly: every time in the future you plan to perform anything on the user's client with a button in a mail, you must sign the button with the admin signature before you send it - otherwise all your users will get the security violation error message.
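
The signature inventory suggested in point 1 of the reply above, sketched as a LotusScript agent. This is an added example, not code from the original thread: it prints its findings instead of writing them to a separate database, and it assumes Notes/Domino 6 or later (NotesNoteCollection does not exist in R5), a hypothetical `SERVER_NAME` setting, and that the stock templates are signed by "Lotus Notes Template Development/Lotus Notes", which you should confirm against an untouched template.

```lotusscript
Option Public
Option Declare

' Added example: report every signed design element whose signer is
' not the stock Lotus template signer, across all databases on a server.
Const SERVER_NAME = ""   ' assumption: "" = local machine; set your server name
Const LOTUS_SIGNER = "Lotus Notes Template Development/Lotus Notes" ' assumption: verify

Sub Initialize
	Dim session As New NotesSession
	Dim dir As NotesDbDirectory
	Dim db As NotesDatabase
	Dim nc As NotesNoteCollection
	Dim doc As NotesDocument
	Dim signer As NotesName
	Dim nid As String, title As String

	Set dir = session.GetDbDirectory(SERVER_NAME)
	Set db = dir.GetFirstDatabase(DATABASE)
	Do Until db Is Nothing
		On Error Resume Next          ' skip databases this ID cannot open
		Call db.Open("", "")
		On Error Goto 0
		If db.IsOpen Then
			' Collect design notes only (forms, views, agents, script libraries, ...)
			Set nc = db.CreateNoteCollection(False)
			Call nc.SelectAllDesignElements(True)
			Call nc.BuildCollection
			nid = nc.GetFirstNoteId
			Do While nid <> ""
				Set doc = db.GetDocumentByID(nid)
				If doc.IsSigned Then
					' Normalise to abbreviated form before comparing
					Set signer = New NotesName(doc.Signer)
					If Lcase(signer.Abbreviated) <> Lcase(LOTUS_SIGNER) Then
						title = doc.GetItemValue("$TITLE")(0)
						Print db.FilePath & " | " & title & " | " & signer.Abbreviated
					End If
				End If
				nid = nc.GetNextNoteId(nid)
			Loop
		End If
		Set db = dir.GetNextDatabase
	Loop
End Sub
```

Run it under an ID with at least Reader access to the design of the databases being audited; unsigned elements are skipped because they have no signer to report.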
 
That is pretty much what I figured - can't wait until Rnext - the ECL can be updated without sending a mail with a button and the user doesn't have a choice in the matter. Regarding #1, I would ideally like to keep as many of the original signatures intact so I can easily know what has and has not been changed - it is easy enough to go in and re-save the portions that have been changed under a trusted ID. I have done very little dev work in Notes/Domino, I have been using it for less than 12 months, so I am not even close to being in a position of writing something that even resembles an agent or the type of program you suggested! The best I can do at the moment is butcher what Lotus has already done - some very basic stuff at that! I guess if the user doesn't press the button, we can send around Bob to rearrange their legs a little - six months off in traction ought to re-adjust their minds to do what IT ask them to do! At the very least it will relieve the helpdesk for six months of stupid questions from annoying users!
 