Full Access Administration is dangerous in the wrong hands. Is there any way at all to disallow access to a mailbox even if the user gains access to Domino Administrator?
Thanks in advance,
John
Subject: Full Access Administration Question
It is more than gaining access to the admin client. The person must possess an ID file that is included in a group and/or listed in the Full Access Administration section of the Server Doc → Security tab. If the person is not in this group, they cannot access the Db. This assumes that your group owner, mail Db ACLs, etc… are secure.
Subject: RE: Full Access Administration Question
Technically, the only things needed in order to enter Full Access Admin mode (God Mode) are:
1. Either edit access to the desired server’s server document OR edit access to a group document whose name is already in the server document’s Full Access Admin field.
2. Access to an Admin client.
Obviously, Michael’s point holds: No garden-variety user has either of the rights in point (1), so there’s no possibility that they can enter God Mode without compromising an administrator’s ID file. However, the right to add my name to the group document which already appears in the server document is something you want to watch that you don’t accidentally grant to a non-trusted admin.
(Note that edits to this server doc field do not require a server restart, and take effect immediately – which, in my experience, means about one minute or less.)
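An added example, not part of the thread or of any Domino tooling: a small audit that lists who holds Full Access Administration today and who could add themselves through edit rights on the server document or on a group reachable from the Full Access Admin field. It assumes the directory data has already been exported into plain Python structures; every name, group and the data layout are constructed, and following nested groups goes beyond the single-group case described in the reply.

```python
# Added example: all names and the data layout below are constructed assumptions.
def expand(names, groups, seen=None):
    """Resolve names to people, following nested groups; returns (people, groups_visited)."""
    seen = set() if seen is None else seen
    people = set()
    for name in names:
        if name in groups:
            if name not in seen:          # guard against group cycles
                seen.add(name)
                people |= expand(groups[name], groups, seen)[0]
        else:
            people.add(name)
    return people, seen


def audit(full_access_field, groups, doc_editors):
    """Return (current full access admins, {person: documents they could edit to join})."""
    current, reachable_groups = expand(full_access_field, groups)
    # Edit rights on any of these documents are enough: the server document
    # and every group reachable from its Full Access Admin field.
    sensitive = ["server document"] + sorted("group:" + g for g in reachable_groups)
    indirect = {}
    for doc in sensitive:
        editors, _ = expand(doc_editors.get(doc, []), groups)
        for person in sorted(editors - current):
            indirect.setdefault(person, []).append(doc)
    return current, indirect


# Constructed sample directory export.
FIELD = ["FullAdmins"]                       # Full Access Admin field contents
GROUPS = {
    "FullAdmins": ["Alice Admin", "Tier3"],
    "Tier3": ["Bob Ops"],
    "HelpDesk": ["Carol Desk", "Dan Desk"],
}
DOC_EDITORS = {                              # who can edit each document
    "server document": ["FullAdmins"],
    "group:FullAdmins": ["FullAdmins"],
    "group:Tier3": ["FullAdmins", "HelpDesk"],   # the accidental grant
}

if __name__ == "__main__":
    current, indirect = audit(FIELD, GROUPS, DOC_EDITORS)
    print("Full access now:", sorted(current))
    for person, docs in indirect.items():
        print(f"{person} could self-add via edit rights on: {', '.join(docs)}")
```

Anyone reported in the second set is not a Full Access Administrator today but holds the group-edit right the reply warns about.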