Managing ACLs with ACLHelp


Using ACLHelp

ACLHelp is a Domino task that helps add, modify and inspect database ACLs from the Domino console; it is especially useful when the administrator loses access to a database.



Examples in Portuguese

Adding the administrator to all mail databases with manager access and entry type person:

load aclhelp mail\* -manager -person -allroles Administrador/MinhaOrganizacao


Examples in English:

To add an unspecified manager called LogManagers to the ACL of the log file, use this command:

load aclhelp log.nsf LogManagers

and this command does the same:

load aclhelp log.nsf -manager LogManagers

because -manager is the default.

If you want to add a group of people at author level but without the rights to create or delete documents you can use this command:

load aclhelp apps\mydatabase.nsf -persongroup -author -nocreate -nodelete AppAuthors

You can also list the entries at a specified level using a user name of ? like this:

load aclhelp log.nsf -reader ?

to list the log.nsf readers or list all ACL entries like this:

load aclhelp log.nsf ?

Instead of a single database name you can use a directory name wildcard like this:

load aclhelp mail\* -manager $SysAdmin

and finally you can use wildcard symbols * and ? in the filename to process a number of databases or templates on the server. So

load aclhelp * ?

will list the ACL for every database and template on your server.

Remember that ACLHelp will not process any database with 'enforce consistent ACL' turned on.

A full list of switches appears later in this document.


Can I use abbreviated names?

Yes - this works too:

load aclhelp log.nsf Ian Cherrill/4NF

to add Ian Cherrill/4NF as manager.


In ACLHelp there are some extra features:

(1) Change more than one database at a time. This is done by using wildcard symbols * and ?.

(2) Specify a number of switches that determine the level of access and type of the new entry, for example -author -nocreate -nodelete -persongroup.

(3) Remove an entry from an ACL with the -remove switch

(4) List the entries by using a ? on its own for the entry name.

(5) Change or add an administration server

(6) Add an entry even if the name is already in the ACL.


What are the safeguards?

Number one - you must have the rights to run console commands (i.e. you are the system administrator) to use ACLHelp, and you must have copied it to the program directory of your server.

Also, by default ACLHelp will not add you to the ACL of a database with 'enforce consistent' checked in the advanced ACL settings. This is because changing ACLs on such databases could stop replication happening altogether, and because the most likely database you have 'enforce consistent' on is your public address book (alright then Lotus, your 'directory', whatever) and we don't want to change that now do we?


What are the switches (options) I can use in ACLHelp?

The 'type of entry' switches are: -person -server -mixedgroup -persongroup -servergroup -adminserver

Most of these are obvious - they set the type of the entry you want. You can use as many of these switches as necessary and they must be used after the database filename and before the entry name.

For -adminserver the option to allow the Administration Process to manage Reader and Author fields is turned off, so you can specify you want it on by using -adminserver+

The 'access level' switches are: -manager -designer -editor -author -reader -depositor -noaccess

With no switch at all ACLHelp assumes you want the entry to be a manager, so that the command:

load aclhelp mail\icherril Ian Cherrill

adds Ian Cherrill as an unspecified manager.

The 'access modifier' switches are: -nocreate -nodelete

and without them the 'Can Create Documents' and 'Can Delete Documents' options are switched on.

also: -privateagents -publicreader -publicwriter

and: -scriptagents -privateviews -sharedviews

which do exactly the same as: -javaagents -privatefolders -sharedfolders

The 'delete entry' switch is: -remove

To clear replication history use -clearhistory

To clear the replication cutoff date use -clearcutoff

To put the new entry in all roles use -allroles

To override the check for 'enforce consistent ACL' you can use the -force switch

To display some extra messages when running ACLHelp you can use the -debug switch
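
A check for reviewing ACLHelp usage, added here as an example (it is not part of the original page and not ACLHelp's own code): it parses `load aclhelp` command lines with the switch grammar described above and flags those that grant manager access, span several databases, or use -force. The function name, the flag labels and the sample line marked as constructed are assumptions.

```python
LEVELS = ("manager", "designer", "editor", "author", "reader", "depositor", "noaccess")

def review_aclhelp(line):
    """Parse 'load aclhelp <database> [switches] <entry name>' and flag risky changes."""
    tokens = line.split()
    if len(tokens) < 4 or [t.lower() for t in tokens[:2]] != ["load", "aclhelp"]:
        return None  # not an ACLHelp invocation, or incomplete
    db, rest = tokens[2], tokens[3:]
    switches = []
    # Per the page, switches come after the database name and before the entry name.
    while rest and rest[0].startswith("-"):
        switches.append(rest.pop(0).lower().lstrip("-"))
    name = " ".join(rest)  # entry names may contain spaces, e.g. "Ian Cherrill/4NF"
    if not name:
        return None
    if name == "?":
        action = "list"
    elif "remove" in switches:
        action = "remove"
    else:
        action = "add"
    # Assumption: if several level switches are given, the first one is taken.
    explicit = next((s for s in switches if s in LEVELS), None)
    # With no level switch, ACLHelp assumes manager for a new entry.
    level = explicit or ("manager" if action == "add" else None)
    flags = []
    if action != "list":  # listing does not modify the ACL
        if "*" in db or "?" in db:
            flags.append("wildcard-scope")
        if "force" in switches:
            flags.append("overrides-enforce-consistent-acl")
        if action == "add" and level == "manager":
            flags.append("grants-manager")
        if action == "add" and "allroles" in switches:
            flags.append("all-roles")
    return {"action": action, "db": db, "name": name, "level": level, "flags": flags}

# The first three lines are commands from this page; the last is constructed for illustration.
SAMPLES = [
    r"load aclhelp mail\* -manager -person -allroles Administrador/MinhaOrganizacao",
    "load aclhelp log.nsf Ian Cherrill/4NF",
    "load aclhelp log.nsf -reader ?",
    "load aclhelp names.nsf -force Ian Cherrill/4NF",
]

if __name__ == "__main__":
    for cmd in SAMPLES:
        print(cmd, "->", review_aclhelp(cmd))
```

Database paths containing spaces are not handled; the parser assumes the database argument is a single token.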

