Skip to main content

Configuring a deny-access group

Lotus Domino servers do not provide a native disable user operation. The most common solution to this problem is for you to create a "deny access" group on the Domino server with no access to any of the server’s resources. You can then move users in and out of this group, thus enabling or disabling their access to the server’s resources. The agtdmno agent uses the Disable and Enable account operations to move users in and out of the "deny access" group. By default, these operations are disabled and must be configured once the group is created.

Warning

If a deny-access group is present in the agtdmno.cfg file but not on the server, all users will be denied access.

To create the deny access group on the Domino server:

  1. Log into the server with administrative privileges.

  2. Select the People and Groups tab.

    1. Click on Deny Access Groups, then use Add Group to add a new group.

      Set the group’s Category to "Administrator" and Group Type to "Deny List only".

  3. Select the Configuration tab.

    1. Select Server > Current server document.

    2. Select the Security tab.

    3. In the Server Access section, set Not Access server to the new deny access group you just created.

  4. Ensure that your changes are saved.

To configure the Disable, Enable, and IsEnabled account operations for agtdmno on the Bravura Security Fabric server: edit the "deny-access" option in the Domino server configuration file to include the name of the deny-access group. See Writing a configuration file for Lotus Domino target systems for details.

Note

If the user is an administrator that is listed or is part of a group that is listed in the "Full Access administrators" field in the Domino server’s Security tab, then that user can not be disabled using this method.