Every few weeks or so I get into an argument with people when I recommend they drop the ACL level for a user from "Manager" to "Editor" on a users' mai file. There are numerous reasons to do this including but not limited to:
  • Stops users deleting their entire mail file from the server (yes, I have seen this *multiple* times)
  • Stops users jacking up the ACL and locking out servers, administrators, et al
  • "Manager" is not required to delegate or enabled Out of Office (it used to....but that was releases back, and you should be using OOO Service now anyway)

Still, I get push back. Usually along the lines of change control, or the oft mentioned phrase "it's the way we've always done it". Well, today I have new reason.....

If you use clustering you really, really don't want your users having Manager ACL access. Why? Because Server_Resticted ignores bouncing your users to another cluster mate if the user is a manager of the connecting to database.

See Technote 1089278 for further details and this post on the use of Server_Restricted.

So there you have it. Editor ACL access. Do it. It's good for you. Like fiber for breakfast.
Darren Duke   |   August 12 2013 09:21:06 AM   |    domino  notes    |  
  |   Next Document   |   Previous Document

Discussion for this entry is now closed.

Comments (3)

Gravatar Image
1 - Mat Newman    http://www.matnewman.com    08/13/2013 12:08:31 AM

The savy ones will be able to make minor changes to their design when they find a great blog post describing an enhancement they like, and your server restrictions should prevent them from running unauthorised server-based agents.

My $0.02

Gravatar Image
2 - Simon O’Doherty    http://sodoherty.com    08/13/2013 7:37:15 AM

Don't forget "Enforce Consistent ACL" to stop casual modifications at the client side replica.

Gravatar Image
3 - Darren Duke    http://blog.darrenduke.net    08/13/2013 7:41:25 AM

@2, I'd actually use a condensed directory for that, but you're not wrong....you need to prevent unwanted replications coming back, but IBM added PIRC for that.