We’ve recently enabled Journaling, with a rule that copies messages to a local database. In Server Configuration document\Journaling, we’ve selected UserA to encrypt on behalf of. We’ve added UserB and UserC to the database ACL (so that they could read those messages, too). They read all messages with no problem. Now Notes presents them an error: “You cannot access portions of this document because it is encrypted and was not intended for you, or you do not have the decryption key”. What happened? Is there any way to return to the previous scenario?
Thanks.
CC
Subject: what on earth are you talking about???
Are you referring to transaction logging? Personal journal databases? What has the server config document got to do with it? Do you perhaps mean mail archiving? If you have a document encrypted for person A, why would you expect persons B and C to be able to read it?
Subject: RE: what on earth are you talking about???
Hi Alan.
No I’m not talking about transaction logging.
I’m talking about Mail Journaling, that copies every mail message to a local database located on the server (because I specifically told it to do so, with a rule in Configuration Settings Document). As for your last question, I need to provide access to more than one user to those documents (don’t know if it’s possible). The truth is that it worked for a while.
Thanks.
CC
Subject: I didn’t know about that at all, thanks for educating me!
That was the first I had heard about this feature, sorry for being a bit abrupt!
Subject: RE: I didn’t know about that at all, thanks for educating me!
Hi Allan.
Thanks anyway (for trying to help).
CC
Subject: Providing access to Journaling database to other users
Well, if all messages are encrypted with the public keys of User A, then obviously User B and C can’t read those encrypted messages since their private keys won’t match the public keys of User A.
Subject: RE: Providing access to Journaling database to other users
Hi Thomas.
Yes, I agree with you. That’s how it should have been working from the beginning. But how can we explain that those same users (UserB and UserC) could read all messages until last week?
Can I encrypt on behalf of two or more users?
Thanks.
CC
Subject: RE: Providing access to Journaling database to other users
Hello Christina,
Wow, I’m very surprised that Users B & C could read the messages before. They certainly shouldn’t have. I’ll mention this to the security team.
As far as your goal of having several different users with the ability to read the messages, that isn’t supported. However, the original intention of having the messages encrypted by an ID was the ‘missile silo’ approach. That is, a special ID (call it the Journalling Admin ID) is created and that ID is specified in the journalling configuration. That ID could be created such that multiple passwords would be needed to use it (like two missile operators having to both turn a key together for it to work). The idea here was that journalled messages would be so critically sensitive that their access should be tightly controlled. In fact, one might imagine that the different passwords used to log into such an ID would be provided by a System Admin, Manager, HR, and corporate counsel. It sounds like your mail policies don’t require such strict access controls.
Regards,
Mark
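Added example, not part of Mark's post and not Domino's ID-file format: a Python sketch of the dual-control idea described above, in which a stand-in private key for the journaling ID is wrapped under a key derived from all custodians' passwords. It assumes every custodian is required; the function names, passwords and work factor are constructed for illustration.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 100_000  # assumption: PBKDF2 work factor chosen for this sketch


def _kek(passwords, salts):
    """Combine one PBKDF2 share per custodian slot into a key-encryption key."""
    h = hashlib.sha256()
    for pw, salt in zip(passwords, salts):
        h.update(hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, ITERATIONS))
    return h.digest()


def _pad(kek, n):
    """Keystream used to wrap the key, domain-separated from the MAC input."""
    return hashlib.shake_256(b"wrap" + kek).digest(n)


def _tag(kek, wrapped):
    """Integrity tag that lets unseal() detect a wrong password."""
    return hmac.new(kek, b"mac" + wrapped, "sha256").digest()


def seal(id_key: bytes, passwords):
    """Wrap the journaling ID's private key so every custodian is needed."""
    salts = [secrets.token_bytes(16) for _ in passwords]
    kek = _kek(passwords, salts)
    wrapped = bytes(a ^ b for a, b in zip(id_key, _pad(kek, len(id_key))))
    return {"salts": salts, "wrapped": wrapped, "tag": _tag(kek, wrapped)}


def unseal(blob, passwords):
    """Return the private key, or refuse if any custodian is absent or wrong."""
    if len(passwords) != len(blob["salts"]):
        raise PermissionError("every custodian must enter a password")
    kek = _kek(passwords, blob["salts"])
    if not hmac.compare_digest(_tag(kek, blob["wrapped"]), blob["tag"]):
        raise PermissionError("at least one password is wrong")
    pad = _pad(kek, len(blob["wrapped"]))
    return bytes(a ^ b for a, b in zip(blob["wrapped"], pad))


if __name__ == "__main__":
    # Constructed sample: random bytes stand in for the ID's private key.
    key = secrets.token_bytes(32)
    blob = seal(key, ["admin-pass", "hr-pass", "counsel-pass"])
    assert unseal(blob, ["admin-pass", "hr-pass", "counsel-pass"]) == key
```

Passwords are bound to custodian slots, so they must be supplied in the same order used when sealing.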
Subject: RE: Providing access to Journaling database to other users
Hello Mark.
Wow, I’m very surprised that Users B & C could read the messages before.
Right now, even I’m not sure.
Thanks Mark for such a good explanation.
Regards,
Cristina