I have ~160 Notes DB’s that need to be locked down tonight. I am looking for a way to automate this work. Is there a command that will allow me to lock down my databases so that I do not have to open all 160 on my client and then navigate via right click-> Database->Access Control…
What I’d really like to be able to do is access each databases users via java, loop through the users and set all to No Access except for our Notes Super Admin’s group.
If I can’t do that, I wonder if it is possible to create a script that can be run at the server with commands to lock down each?
Tonight? Then why are you asking now already, if you’ve got so much time left?
If we are talking about mail databases here, that all reside in the same folder, and they should all end up with the same ACL, you can simply use the Admin Clients paste ACL feature. Set the ACL of one DB as you want it, copy it to the clipboard, select all target databases and paste that ACL.
If you want to maintain the original owner’s names, but just set them to No Access, you will have to code.
Subject: RE: Disable DB Access via Command Script?
NO - I don’t have much time left, but I just got this work assigned (seems like there is a reason for everything, doesn’t it ). Our Notes guru (only one in a company of 3k) bailed last week. We have a couple of admin types, but we’re all in the same boat.
These are not mail databases.
What you suggest sounds like a better solution than how I thought I’d have to do this.
If there is a command that can be used, slapping that into a java app shouldnt be a real challenge. Last Monday I wrote an app to track usage using NotesSQL; I’ve already got a db to back that up that lists all of my servers, it would be easy to create a table to loop through server-> db and execute a command, if I can figure out what that command is, and if there is one!
I’m an Oracle DBA so I guess I’m expecting the functionality of Notes administration to be somewhat similar. My mistake!!!
Thanks for your help! It’s never fun to be put in this position so late in the day.
Subject: RE: Disable DB Access via Command Script?
No, there is no single command to revoke access (for whom?). As Paul stated, a lot depends on how ACLs look now (always one single user? many different users? what about groups of users?) and how they should look like after. If all ACLs should contain nothing but your SuperAdmin group, your LocalDomainServers group and your administration server, that would certainly make it easier.
Still you would have to write a Java agent using the Domino Object Model. You would have to loop through all databases in question (what do they have in common to identify them?), get an ACL object for each, loop through the entries and - if appropriate - change the access level. If you’re not familiar with the Domino Object Model, this sounds like a good piece of work. Also, because of all the variable issues, there cannot be ready-baked code for this task.
If those databases are all in the same directory, you could also set up a directory ACL.
Subject: RE: Disable DB Access via Command Script?
You can write and run a java agent and target the server where your databases exist. You might be able to write an external java application as well but you will still need to know the Domino Object Model. I suggest you look into the following objects in Notes Designer help:
DbDirectory
Database
ACL
ACLEntry
The following code should get you started but it is in no way complete and I have not tested it so please use it at your own risk. It should give you some understanding on how to go about doing what you want to do. Good Luck:
import lotus.domino.*;
public class JavaAgent extends AgentBase {
public void NotesMain() {
try {
Session session = getSession();
AgentContext agentContext = session.getAgentContext();
DbDirectory dir = session.getDbDirectory("yourSeverName");
Database db = dir.getFirstDatabase(DbDirectory.DATABASE);
while (db != null) {
// check if this is a db that you want to update - may be use db.getTemplateName() if all your target dbs have same template name
if (true){
db.open();
ACL acl = db.getACL();
ACLEntry entry = acl.getFirstEntry();
while (entry != null);
{ACLEntry entryNext = acl.getNextEntry(entry);
entry.remove();
entry = entryNext;}
db.grantAccess("YourSuperAdminGroup",ACL.LEVEL_MANAGER);
acl.save();
}
db = dir.getNextDatabase(); }
}catch(Exception e) {
e.printStackTrace();
}
why don’t you simply revoke access at the server level? Remove all access to the server except for LocalDomainServers and Administrators on security tab in server doc.
Subject: RE: Disable DB Access via Command Script?
OK, you were not clear about that in your post. How do you propose to lock down the db with the ACL? Are you going to remove an entry from the ACL or change it to No Access? Is there more than 1 ACL entry that needs to be changed? DO all of the ACLs have the same entry? It would be difficult to do this with script unless you know which entries exist and which ones need to be changed. Presumably each db has it’s own ACL group names.
Subject: RE: Disable DB Access via Command Script?
I’m an Oracle DBA so, thanks for your patience - this is a last minute request, sort-of mission impossible…
We are doing this knowing that we could end up with a few screamers, we don’t have usage beyond a 2 week period, so we are going to change everyone but Super Admin to No Access and leave the list intact.
Some of the databases have groups, some have individuals listed, or a combination of both. These have been developed over years with no standards…
I was hoping there was a server command that I could execute via NotesSQL if I had a list of servers and databases that needed to be locked down. I might just have to do this manually???
I guess the upside of this is, if I have to go through them all manually tonight I get the flex time!!!
Subject: RE: Disable DB Access via Command Script?
It can be done with lotus script but I don’t think you have the time. with a list of dbs you could cycle through them then cycle through the ACL and for each entry change it to No Access except for your SuperAdmin group and the admin server entry. Not sure what your end goal is but I think your easiest and best bet is to just lock down the entire server for the time that you’re doing whatever it is you’re doing. Are the dbs all on the same server?
Subject: RE: Disable DB Access via Command Script?
Well, we have obsolescence here - the DB’s have been replaced or their functionality has been rolled into another system.
We want to decommission these databases - asap.
There are two servers that host the databases to be shutdown. There are 13 branch servers that they replicate to. We are shutting the branch servers down Wed night after we re-direct .ini files to 1 of the 2 central (clustered) servers.
The two main servers will continue to host 318 Notes databases - that’s why we cant lock the servers down. We’re not looking for a maintenance window here.
What is the name of the lotuss cript that can execute at the server?
Would I have to create a notes database in designer and then create the script via designer?
I have many databases at my disposal for samples of lotuscript and javascript. As a java developer, I’d be most comfortable using straight Java though.
Do you know what the command would be to change the access to No Access? Do you know what db document I’d query to get the list of users granted rights?
Subject: RE: Disable DB Access via Command Script?
so your are wanting to “lock down” the databases on the branch servers? Do these dbs replicate to the central servers? Will the dbs need to still be accessible on the central servers? If so then changing the ACL won’t work unless you prevent the ACL from replicating up to your central servers.
Subject: RE: Disable DB Access via Command Script?
I don’t know what you mean by “a command to remove a user from the ACL” and I am not familiar with NotesSQL. I’m a Notes guy so I deal with LS and the bulit in Formula language. In LS it would look something like this to remove an ACL entry.
Dim session As New NotesSession
Dim db As NotesDatabase
Dim acl As NotesACL
Dim entry As NotesACLEntry
Set db = session.CurrentDatabase
Set acl = db.ACL
Set entry = acl.GetEntry( “Shelly McPhail/East/ACME” )
I guess it is probably too late now, but for “just” 160 database, I would have used the ACL copy feature in the Admin client: right click on a database in the Files window, choose Access Control, copy or paste.
