If you use the "Deny Access Group" to lock out disgruntled employees, you may be surprised to learn that it only denies access to *new* sessions. Pre-existing sessions remain active, and you must use the "Drop" console command to force the user off every server where a session may still be open.
So if you have the following scenario, as I did, you may get a surprise.
Here's what happened....
- Manager B asks that "Dave" be added to the Deny Access list at 4pm Thursday, because at 9am Friday morning he is going to be asked to clean out his desk.
- At 4pm your admin dutifully adds Dave to the group, replicates the change to all servers, and heads home.
- At 10am Friday you get an angry call asking how Dave could send email when he was supposed to be locked out.
- You look at the server log and see a lot of entries showing "Dave has been denied access to server" (so obviously the Deny Access is working, right?).
- You look in Dave's mail file, and both the database usage and the Sent view show that Dave has been creating mail just fine since he was told he was being let go.
- Then, after a couple of weeks of working with Lotus Technical Support, you finally reach the person who knows the answer (which is not documented in the Admin Manual):
- Dave never closes his mail file or shuts down his PC.
- Dave has his inbox refresh interval set to poll the server every 10-15 minutes.
- That polling keeps the session busy, so the server's idle session timeout never fires.
- When Dave comes back to his desk in the morning, his original (pre-pink-slip) Notes session is still open and functioning.
- He only gets a failure when something needs a new session, such as opening the Domino Directory or any other resource he was not already connected to; those attempts are the deny access messages noted in the log.
- He can compose and send mail just fine as long as he types the SendTo address manually (which he does with great enthusiasm and anger), since it is the address lookup against the Domino Directory that fails.
Lesson Learned:
- Add Dave to the Deny Access group and let the change replicate. Do this first, so he cannot simply reconnect after being dropped.
- Edit the ACL on Dave's mail file to remove his access.
- At 4pm go to the server console and enter "drop dave/acme" (without the quotes). Deny Access only stops new sessions; drop is what ends the one he already has.
- Repeat on each server he could have a session with; the drop command acts only on the server where it is issued. Confirm with "show users" on each server that no session for Dave remains.
- Send a note to the manager indicating that all reasonable measures have been taken.
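The timeline above, replayed as an added example in Python that is not part of the original post and is not Domino code: a toy model in which a server's deny list is evaluated only when a session is opened (the behaviour the post describes), a mail file's ACL is evaluated on every access, and an offboard() step does what the lesson learned says. The Server and Session classes, offboard(), active_sessions(), the server names Hub/Acme and Mail01/Acme, and the mail file path are all invented for the illustration.

```python
"""Toy model of the lockout gap: a deny list checked only at session open,
next to an ACL checked on every access.  Added illustration, not Domino code;
every name below (Server, Session, offboard, the server names) is invented."""
from dataclasses import dataclass, field

SENT = "sent"            # mail left the mail file
DROPPED = "dropped"      # the session had been terminated by "drop"
NO_ACCESS = "no access"  # the mail file ACL refused the operation


@dataclass
class Session:
    user: str
    server: str
    active: bool = True


@dataclass
class Server:
    name: str
    deny_list: set = field(default_factory=set)
    mail_acl: dict = field(default_factory=dict)  # mail file -> users with access
    sessions: list = field(default_factory=list)
    log: list = field(default_factory=list)

    def open_session(self, user):
        """The deny list is consulted here, and only here (as the post describes)."""
        if user in self.deny_list:
            self.log.append(f"{user} has been denied access to server {self.name}")
            return None
        session = Session(user, self.name)
        self.sessions.append(session)
        return session

    def send_mail(self, session, mail_file, to):
        """An open session is never re-checked against the deny list; only the
        mail file's ACL is evaluated on each access."""
        if not session.active:
            return DROPPED
        if session.user not in self.mail_acl.get(mail_file, set()):
            return NO_ACCESS
        self.log.append(f"{session.user} sent mail to {to} via {self.name}")
        return SENT

    def drop(self, user):
        """Console command  drop "user" : end that user's sessions on THIS server."""
        victims = [s for s in self.sessions if s.user == user and s.active]
        for s in victims:
            s.active = False
        return len(victims)


def active_sessions(servers, user):
    """The check to run after offboarding: which servers still hold a live session?"""
    return [s.name for s in servers if any(x.user == user and x.active for x in s.sessions)]


def deny_only(servers, user):
    """What the admin did on Thursday: update the group and replicate it everywhere."""
    for srv in servers:
        srv.deny_list.add(user)


def offboard(servers, user, mail_file, mail_server):
    """Lesson learned: deny list first, then mail-file ACL, then drop on every server."""
    deny_only(servers, user)
    mail_server.mail_acl[mail_file].discard(user)
    return {srv.name: srv.drop(user) for srv in servers}


def scenario():
    """Replay the post's timeline and return the observable outcomes."""
    hub = Server("Hub/Acme")
    mail = Server("Mail01/Acme", mail_acl={"mail/dave.nsf": {"Dave/Acme"}})
    servers = [hub, mail]
    user, mail_file = "Dave/Acme", "mail/dave.nsf"

    dave = mail.open_session(user)   # Thursday: Dave's client opens a session and never closes it
    deny_only(servers, user)         # 4pm: admin adds Dave to the group and goes home

    # Friday morning: the old session still sends mail; only NEW sessions are refused.
    out = {
        "mail_after_deny": mail.send_mail(dave, mail_file, "everyone@acme"),
        "new_session_after_deny": hub.open_session(user) is None,
        "log_shows_denied": any("denied access" in line for line in hub.log),
        "live_sessions_after_deny": active_sessions(servers, user),
    }
    # Now do it properly: deny list, ACL, and drop on every server.
    out["dropped"] = offboard(servers, user, mail_file, mail)
    out["mail_after_drop"] = mail.send_mail(dave, mail_file, "everyone@acme")
    out["live_sessions_after_offboard"] = active_sessions(servers, user)
    return out


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

Running scenario() reproduces the surprise: the session opened before the deny keeps sending mail, the log fills with denied-access lines from the new session attempts, and only the drop on the mail server ends it. active_sessions() is the check to run after the drops; on a real Domino server the equivalent is "show users" on each server's console, since drop only acts where it is issued.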
Thanks, AJ.
Technorati tag: SnTT Show-n-Tell Thursday
Comment posted by Pierre, 12/31/2009 12:08:03 AM
Also I recall that with HTTP (iNotes), unless the DenyList is explicitly listed on the ACL, it makes no difference.
Comment posted by woonjas, 12/31/2009 07:58:29 AM
Homepage: http://woonjas.linuxnerd.org
Should also work with HTTP etc. if you set the "Enforce server access settings" option to Enabled/Yes in the Ports - Internet Ports section of the server document.
Comment posted by Denny Russell, 12/31/2009 08:30:26 AM
Homepage: http://www.lotusdr.com
Gregg,
Thanks for the tip.
Comment posted by Keith Brooks, 12/31/2009 12:32:18 PM
Homepage: http://www.vanessabrooks.com
Once again proving that relying on a system process is NOT security. Of course if you have such a user, security should observe and escort them appropriately.
Comment posted by Tim E. Brown, 12/31/2009 06:42:59 PM
Another great scenario in the Lotus Listserv world :)
Thanks for posting!
-Tim E. Brown
Comment posted by Gregg Eldred, 12/31/2009 07:20:09 PM
Homepage: http://www.ns-tech.com/blog/geldred.nsf
@Tim - LOL! Thanks for noticing. I may have to update the post with some of the other great comments that came after this, the original.