OpenNTF ACLHelp for Lotus Domino servers
Version 1.1
Produced by Ian Cherrill, March 2003
-------------------------------------
What's new in this release?

New features:
(1) The ACL list feature (when you use ? instead of a name) now lists all ACL entries
(2) Console messages from different databases are clearly separated by a line
(3) A summary line tells you how many databases were processed and how many updated by your ACLHelp command
(4) -serveradmin switch is renamed -adminserver
(5) .box databases can be handled by ACLHelp

Bugs squashed:
(1) program is now working on Domino R6 as well as R5
(2) memory leak in ACL list function fixed

Supported platforms:
(1) Windows
(2) Linux
(3) Sun Solaris (SPARC)
-------------------------------------
Original Authors and Contributors: Ian Cherrill (www.4nf.co.uk), Nicolas Laureaux, Julian Robicheaux (www.nsftools.com)

Copyright: The name ACLHelp is copyright of 4NF Information Technology Ltd (see www.4nf.co.uk)

License: Use of ACLHelp is subject to the terms and conditions set forth in the GNU Public License (known as the GPL) which can be examined at: http://www.gnu.org/copyleft/gpl.html.

Cost of ACLHelp: There is no charge for using this program. It may be given to other people to use too.
-------------------------------------
Installing ACLHelp

Copy the appropriate file (naclhelp.exe on NT and aclhelp on UNIX) to the program directory of your server. That's it for Windows. For UNIX platforms it is good practice to make sure the ownership and rights of the file are the same as the other Domino server tasks such as replica, router etc.
-------------------------------------
Using ACLHelp

ACLHelp is a server task for Lotus Domino that allows a database ACL to be modified or inspected from the console - useful if the administrator has lost access to the database.
To add an unspecified manager called LogManagers to the ACL of the log file, use this command:

    load aclhelp log.nsf LogManagers

and this command does the same:

    load aclhelp log.nsf -manager LogManagers

because -manager is the default.

If you want to add a group of people at author level but without the rights to create or delete documents you can use this command:

    load aclhelp apps\mydatabase.nsf -persongroup -author -nocreate -nodelete AppAuthors

You can also list the entries at a specified level using a user name of ? like this:

    load aclhelp log.nsf -reader ?

to list the log.nsf readers, or list all ACL entries like this:

    load aclhelp log.nsf ?

Instead of a single database name you can use a directory name wildcard like this:

    load aclhelp mail\* -manager $SysAdmin

and finally you can use the wildcard symbols * and ? in the filename to process a number of databases or templates on the server. So

    load aclhelp * ?

will list the ACL for every database and template on your server.

Remember that ACLHelp will not process any database with "enforce consistent ACL" turned on.

A full list of switches appears later in this document.
-------------------------------------
Can I use abbreviated names?

Yes - this works too:

    load aclhelp log.nsf Ian Cherrill/4NF

to add Ian Cherrill/4NF as manager.
-------------------------------------
In ACLHelp there are some extra features:
(1) Change more than one database at a time. This is done by using wildcard symbols * and ?.
(2) Specify a number of switches that determine the level of access and type of the new entry, for example -author -nocreate -nodelete -persongroup.
(3) Remove an entry from an ACL with the -remove switch
(4) List the entries by using a ? on its own for the entry name.
(5) Change or add an administration server
(6) Add an entry even if the name is already in the ACL.
-------------------------------------
What are the safeguards?
Number one - you must have the rights to run console commands (i.e. you are the system administrator) to use ACLHelp, and you must have copied it to the program directory of your server.

Also, by default ACLHelp will not add you to the ACL of a database with "enforce consistent" checked in the advanced ACL settings. This is because changing ACLs on such databases could stop replication happening altogether, and because the most likely database you have "enforce consistent" on is your public address book (alright then Lotus, your "directory", whatever) and we don't want to change that now do we?
-------------------------------------
What are the switches (options) I can use in ACLHelp?

The "type of entry" switches are:

    -person -server -mixedgroup -persongroup -servergroup -adminserver

Most of these are obvious - they set the type of the entry you want. You can use as many of these switches as necessary and they must be used after the database filename and before the entry name. For -adminserver the option to allow the Administration Process to manage Reader and Author fields is turned off by default; to turn it on, use -adminserver+

The "access level" switches are:

    -manager -designer -editor -author -reader -depositor -noaccess

and with no switch at all ACLHelp assumes you want the entry to be a manager, so that the command:

    load aclhelp mail\icherril Ian Cherrill

adds Ian Cherrill as an unspecified manager.

The "access modifier" switches are:

    -nocreate -nodelete

and without them the "Can Create Documents" and "Can Delete Documents" options are switched on.

also:

    -privateagents -publicreader -publicwriter

and:

    -scriptagents -privateviews -sharedviews

which do exactly the same as:

    -javaagents -privatefolders -sharedfolders

The "delete entry" switch is:

    -remove

To override the check for "enforce consistent ACL" you can use the -force switch.

To display some extra messages when running ACLHelp you can use the -debug switch.
-------------------------------------
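The switch rules above (manager as the default level, switches between the database filename and the entry name, -force overriding the "enforce consistent ACL" check) can be applied to a list of console commands to pick out the ones that deserve a second look. The following is an added example, not part of ACLHelp or written by its authors; the function names and the review reasons are this example's own, and it assumes database paths contain no spaces.

```python
# Added example, not part of ACLHelp. Switch names and the manager default are
# taken from the README above; the commands tested against it are constructed.
LEVELS = {"manager", "designer", "editor", "author", "reader", "depositor", "noaccess"}
TYPES = {"person", "server", "mixedgroup", "persongroup", "servergroup", "adminserver"}

def parse_aclhelp(command):
    """Split 'load aclhelp <db> [switches] <entry>' into its parts, else None."""
    words = command.split()
    if len(words) < 4 or [w.lower() for w in words[:2]] != ["load", "aclhelp"]:
        return None
    database, rest = words[2], words[3:]
    switches = []
    # Switches come after the database filename and before the entry name.
    while rest and rest[0].startswith("-"):
        switches.append(rest.pop(0)[1:].lower().rstrip("+"))  # -adminserver+
    if not rest:
        return None
    entry = " ".join(rest)  # entry names may contain spaces: Ian Cherrill/4NF
    if entry == "?":
        action = "list"
    elif "remove" in switches:
        action = "remove"
    else:
        action = "add"
    return {
        "database": database,
        "entry": entry,
        "action": action,
        # Assumption: if several level switches are given, report the first.
        "level": next((s for s in switches if s in LEVELS), "manager"),
        "type": next((s for s in switches if s in TYPES), "unspecified"),
        "force": "force" in switches,
    }

def review(command):
    """Return the parsed command with the reasons it deserves a second look."""
    parsed = parse_aclhelp(command)
    if parsed is None:
        return None
    reasons = []
    if parsed["force"]:
        reasons.append("overrides enforce-consistent-ACL check")
    if parsed["action"] != "list":
        if any(c in parsed["database"] for c in "*?"):
            reasons.append("changes multiple databases")
        if parsed["action"] == "add" and parsed["level"] == "manager":
            reasons.append("grants manager access")
    parsed["reasons"] = reasons
    return parsed
```
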