Hello,
We need to set up a secondary admin that would have access to register new users. We don’t want this person to have access to make other server changes or access user databases etc.
Since we use server-based CA process I added the user to CA as Registration Authority (RA) and tried to register a new user using this admin account. I am getting different errors:
- first that the account did not have access to update certlog.nsf
- then no access to update public address book (I added him to ACL as Editor)
- then “You are not authorized to add Group documents in this Domino Directory”
- then something like “you are not authorized to create database”
I thought this would be simple but it’s not, unless I give away the keys to the entire environment, which I don’t want to do since that person is a junior with no experience with Domino.
Are there any step-by-step instructions how to set it up?
Peter
Subject: Secondary Admin setup
Susan and Jean-Yves,
Thank you for your responses and suggestions.
Glancing at some of the technotes I think I covered it all but again maybe I missed something. I will go through all this once again and let you know how it goes.
Thank you again,
Peter
Subject: Secondary Admin setup
Not sure about where it might be documented - but here’s what you need
Give the new admin the correct roles in the ACL (Group Creator and Group Modifier and User Creator and User Modifier), then add them to the field on the Server Documents, Security Tab that is labelled Create databases & templates: and the field Create New Replicas if you have clustered servers. (Better yet, create a Group called RegistrationAdmins or something like that and put that group in those fields and the ACLs - and add this admin plus any future ones to that group.)
Sounds like you need to give the admin or your new group Editor access to certlog.nsf also.
I think that will eliminate all the errors you stated here.
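A LotusScript agent that checks the settings listed in the post above, added here as an example and not code from the thread or from the vendor. The server name is hypothetical, the group name is the one suggested in the post, and `CreateAccess` and `ReplicaAccess` are the Server document items behind the two Security tab fields the post names.

```lotusscript
Const SERVER_NAME = "Server1/Example"    ' hypothetical server name
Const GROUP_NAME = "RegistrationAdmins"  ' group name suggested in the post

Function HasRole(entry As NotesACLEntry, roleName As String) As Boolean
	' NotesACLEntry.Roles lists the enabled roles in brackets, e.g. "[UserCreator]"
	Dim roles As Variant
	roles = entry.Roles
	If Not Isarray(roles) Then Exit Function
	Forall r In roles
		If Lcase(Cstr(r)) = Lcase("[" & roleName & "]") Then HasRole = True
	End Forall
End Function

Sub Initialize
	Dim nab As New NotesDatabase(SERVER_NAME, "names.nsf")
	Dim certlog As New NotesDatabase(SERVER_NAME, "certlog.nsf")
	Dim acl As NotesACL, entry As NotesACLEntry
	Dim view As NotesView, doc As NotesDocument, wanted As Variant, fields As Variant
	wanted = Split("GroupCreator,GroupModifier,UserCreator,UserModifier", ",")
	fields = Split("CreateAccess,ReplicaAccess", ",")
	' 1. Domino Directory: the four roles from the post, and nothing above Editor
	Set acl = nab.ACL
	Set entry = acl.GetEntry(GROUP_NAME)
	If entry Is Nothing Then
		Print "names.nsf: " & GROUP_NAME & " has no ACL entry"
	Else
		If entry.Level > ACLLEVEL_EDITOR Then Print "names.nsf: access is above Editor"
		Forall w In wanted
			If Not HasRole(entry, Cstr(w)) Then Print "names.nsf: missing role " & w
		End Forall
	End If
	' 2. certlog.nsf: Editor access, as the post suggests
	Set acl = certlog.ACL
	Set entry = acl.GetEntry(GROUP_NAME)
	If entry Is Nothing Then
		Print "certlog.nsf: " & GROUP_NAME & " has no ACL entry"
	Elseif entry.Level <> ACLLEVEL_EDITOR Then
		Print "certlog.nsf: access level is not Editor"
	End If
	' 3. Server documents: group listed for database and replica creation
	Set view = nab.GetView("($Servers)")
	Set doc = view.GetFirstDocument
	Do Until doc Is Nothing
		Forall f In fields
			If Isnull(Arraygetindex(doc.GetItemValue(Cstr(f)), GROUP_NAME, 5)) Then Print doc.GetItemValue("ServerName")(0) & ": group not in " & f
		End Forall
		Set doc = view.GetNextDocument(doc)
	Loop
End Sub
```

`GetEntry` only finds an explicit ACL entry for the group, so access inherited through other groups or `-Default-` is not reported. The replica field only matters on clustered servers, as the post notes.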
Subject: RE: Secondary Admin setup
Hi,
A few technotes that might help you:
What ACL rights should be granted to a Domino system administrator
Your Lotus® Domino® environment is maintained by a team of system administrators, and you need to grant only the minimum level of database access control to each member that is absolutely required for her to fulfill her duties. What are the guidelines for granting ACL-level access to Domino system administrators?
What functions can be accomplished by Author versus Editor ACL access when using the Administration Process?
What functions can be accomplished by “Author” versus “Editor” ACL access when using the Administration Process?
Notes users registered by CA process are not documented in the certlog.nsf
Lotus Notes users registered on the Domino server using the Certificate Authority (CA) process are not documented in the certlog.nsf database. Similarly, the certlog.nsf is not updated for users who are recertified using the CA process.
How to provide access for users to create and delete users only
How do you provide access to create and delete users only?
JYR
Subject: RE: Secondary Admin setup
JYR:
If there is ever a Lotusphere Game Show based on the TechNotes, can I be on your team? 
You are amazing!
Gregg
Subject: RE: Secondary Admin setup
hehehehe,
JYR
Subject: RE: Secondary Admin setup
Hey Gregg, you can be in my team!
It would be a fun game.
10 contestants at the Kinmono’s (Aahhh, good souvenirs from my LS 2003) with their laptops trying to be the fastest person to find particular Technotes.
I think it would be very funny!
JYR