SECURITY


Collecting information for a new administration ECL
Before you can create an Admin ECL to distribute, identify the individual people and/or organizations that you can trust to create and sign active content. Identify a few users who use a broad range of typical Lotus Notes applications, then ask them to complete these steps.

1. Remove all entries from the workstation ECL except the following:


2. Make a list of the entries you remove so that if those entries were, in fact, not needed, they can later be added with "No access" in the administration ECL.

3. Make these changes to the remaining entries in the ECL:

| For "When signed by" | For "Allowed" |
| --- | --- |
| */org, where org is a local domain/organization | Deselect all selected items. |
| -Default- | Deselect all selected items. "Default" should have no permissions. |
| -No signature- | Deselect all selected items. |
| Lotus Notes Template Development/Lotus Notes | Select all items. This signer should have all permissions. |

4. For a designated time period (a week should be sufficient), when the Execution Security Alert dialog box appears, click "Trust signer," with the following exceptions:

The resulting ECLs for these users should contain more signers than the ECLs originally contained, unless your organization has managed the signing process up front and only uses objects signed by a small number of known trustworthy signers.

After the designated time period is complete, the administrator should combine the signatures in the users' ECLs to create an updated administration ECL.
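
One way to carry out the combine step above, as an added example that is not part of the original documentation. It assumes each pilot user's removed-entries list (step 2) and end-of-period ECL have been exported into the dictionary shape shown; the signer names, user names and permission labels are constructed sample values, and "not needed" is interpreted here as "not re-trusted by any pilot user".

```python
from collections import defaultdict

# Entries the procedure fixes in every pilot ECL; they are not discovered signers.
BASELINE = {"-Default-", "-No signature-",
            "Lotus Notes Template Development/Lotus Notes"}

def build_admin_ecl_candidates(pilots):
    """pilots: {user: {"removed": [signer, ...],
                       "ecl": {signer: set(permissions)}}}  (assumed export shape)
    Returns (trusted, no_access):
      trusted   {signer: {"users": [...], "permissions": [...]}}
      no_access signers removed in step 1 that no pilot user re-trusted."""
    users_by_signer = defaultdict(set)
    perms_by_signer = defaultdict(set)
    removed = set()
    for user, data in pilots.items():
        removed.update(s.strip() for s in data["removed"])
        for signer, perms in data["ecl"].items():
            signer = signer.strip()
            # Skip baseline rows and entries left with every item deselected
            # (for example */org after step 3).
            if signer in BASELINE or not perms:
                continue
            users_by_signer[signer].add(user)
            perms_by_signer[signer].update(perms)
    trusted = {s: {"users": sorted(users_by_signer[s]),
                   "permissions": sorted(perms_by_signer[s])}
               for s in sorted(users_by_signer)}
    no_access = sorted(removed - set(trusted) - BASELINE)
    return trusted, no_access

# Constructed sample data for two pilot users.
PILOTS = {
    "alice": {"removed": ["Old Vendor/Legacy", "Dev Team/Acme"],
              "ecl": {"-Default-": set(), "-No signature-": set(), "*/Acme": set(),
                      "Lotus Notes Template Development/Lotus Notes":
                          {"File system", "Send mail"},
                      "Dev Team/Acme": {"File system"}}},
    "bob": {"removed": ["Old Vendor/Legacy"],
            "ecl": {"-Default-": set(), "Dev Team/Acme": {"Send mail"},
                    "HR Apps/Acme": {"Send mail"}}},
}

if __name__ == "__main__":
    trusted, no_access = build_admin_ecl_candidates(PILOTS)
    for signer, info in trusted.items():
        print(f"{signer}: trusted by {len(info['users'])} user(s), "
              f"permissions {info['permissions']}")
    print("Candidates for 'No access':", no_access)
```

The per-signer user count shows how widely each signer was trusted during the pilot, which helps when deciding what to carry into the administration ECL.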

The workstation ECL log

The IBM® Lotus® Notes® client logs ECL-related operations in the Client log (LOG.NSF) in Miscellaneous Events. This includes:


It is possible to write an agent to run on Lotus Notes clients and parse the ECL logging data to provide administrators with specific information on how users are managing their workstation ECLs, as well as current information about applications or other code that should be added to Admin ECLs.
