August 12 2013 Monday
Mail file users having "Manager" ACL, and why it’s a bad idea
Every few weeks or so I get into an argument with people when I recommend they drop the ACL level for a user from "Manager" to "Editor" on the user's mail file. There are numerous reasons to do this, including but not limited to:
- Stops users deleting their entire mail file from the server (yes, I have seen this *multiple* times)
- Stops users jacking up the ACL and locking out servers, administrators, et al
- "Manager" is not required to delegate or enable Out of Office (it used to... but that was releases back, and you should be using OOO Service now anyway)
Still, I get push back. Usually along the lines of change control, or the oft-mentioned phrase "it's the way we've always done it". Well, today I have a new reason...
If you use clustering you really, really don't want your users having Manager ACL access. Why? Because Server_Restricted will not bounce your users to another cluster mate if the user is a Manager of the database they are connecting to.
See Technote 1089278 for further details and this post on the use of Server_Restricted.
So there you have it. Editor ACL access. Do it. It's good for you. Like fiber for breakfast.
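A read-only audit for the recommendation above, as an added example (not the author's code): a LotusScript agent that walks the server's databases and reports mail files where an ACL entry that is neither a server nor a group holds Manager, and where the consistent-ACL setting is off. The `mail\` folder, the `AuditAcl` helper name and the rule that servers and groups may keep Manager are assumptions.

```lotusscript
Option Public
Option Declare

' Hypothetical helper: report Manager-level entries in one mail file. Changes nothing.
Sub AuditAcl(db As NotesDatabase)
	Dim acl As NotesACL
	Dim entry As NotesACLEntry
	On Error Goto failed
	If Not db.IsOpen Then Call db.Open("", "")
	If Not db.IsOpen Then Exit Sub
	Set acl = db.ACL
	If Not acl.UniformAccess Then
		Print db.FilePath & ": Enforce consistent ACL is off"
	End If
	Set entry = acl.GetFirstEntry
	Do Until entry Is Nothing
		' Assumption: servers and groups (LocalDomainServers, admin groups)
		' are expected to hold Manager; everything else is reported.
		If entry.Level = ACLLEVEL_MANAGER And Not entry.IsServer And Not entry.IsGroup Then
			Print db.FilePath & ": " & entry.Name & " has Manager"
		End If
		Set entry = acl.GetNextEntry(entry)
	Loop
	Exit Sub
failed:
	' Typically "not authorized": note it and carry on with the next file.
	Print "Skipped " & db.FilePath & ": " & Error$
	Exit Sub
End Sub

Sub Initialize
	' Assumption: user mail files live under "mail\" (use "mail/" on a
	' server whose FilePath values use forward slashes).
	Const MAIL_DIR = "mail\"
	Dim session As New NotesSession
	Dim dbdir As NotesDbDirectory
	Dim db As NotesDatabase
	Set dbdir = session.GetDbDirectory("")   ' "" = the machine the agent runs on
	Set db = dbdir.GetFirstDatabase(DATABASE)
	Do Until db Is Nothing
		If Lcase$(Left$(db.FilePath, Len(MAIL_DIR))) = MAIL_DIR Then
			Call AuditAcl(db)
		End If
		Set db = dbdir.GetNextDatabase
	Loop
End Sub
```

Run it as an agent on the mail server under an ID that can read every mail file's ACL; the findings go to the server console and log via `Print`.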
Comments (3)
Don't forget "Enforce Consistent ACL" to stop casual modifications at the client side replica.
@2, I'd actually use a condensed directory for that, but you're not wrong....you need to prevent unwanted replications coming back, but IBM added PIRC for that.
The savvy ones will be able to make minor changes to their design when they find a great blog post describing an enhancement they like, and your server restrictions should prevent them from running unauthorised server-based agents.
My $0.02