Using Manager Groups in Notes



By: pnuffer

January 17, 2007 2:45 am


Problem

A Forum reader recently asked:

“One of our customers is attempting to use a group for the mail-acl-manager-name name and is wondering what the correct format should be. We have tried cn=$groupname, but that is not working. Also, the trace shows this on the add – “Notes: createMailFile – Mail ACL Manager Group: null”. Is Mail ACL Manager Group an option we can use? I can’t seem to find it anywhere in the docs.”

And here’s the response from Novell’s Perry Nuffer …

Solution

I believe there is an undocumented custom parameter included in the IDM3 version of the NotesDriverShim named mail-acl-manager-group. The ACL entry type created is MIXED_GROUP, to easily allow for support of groups that contain a variety of Notes object types.

Another lesser-known feature that was added in the IDM3 NotesDriverShim is the ability to specify multiple entries for the mail-acl-manager-name, mail-acl-manager-id, and mail-acl-manager-group tags, with the value entries separated by semicolons. So the XML attribute may look like
mail-acl-manager-name="CN=Moe Manager/OU=west/O=acme;CN=Larry Manager/OU=east/O=acme;CN=Curly Manager/OU=south/O=acme"
and
mail-acl-manager-group="LocalDomainAdmins;EastManagers;WestManagers"

If you’re using IDM3, try inserting the following GCV into your configuration:

<definition display-name="Add User E-Mail: Mail ACL Manager Group"
item-separator=";" name="account.email.aclmanagergrp" type="list">
  <description>Enter the desired Notes E-Mail Database Manager Group Name.
Leave blank to not attach extra group manager ACLEntries to the mailfile
database. If ACL access of the mail database is less than MANAGER, then an
e-mail manager needs to be set using this setting or the 'Mail ACL Manager
Person' setting. More than one name can be specified when separated by a
semicolon (i.e. LocalDomainAdmins;mailAdminGroup)</description>
  <value>
    <item>LocalDomainAdmins</item>
    <item>MailAdmins</item>
  </value>
</definition>

And then use the following rule somewhere within the subscriber creation policy set or subscriber command transformation policy set:

<rule>
  <description>Add User E-Mail: ACL Manager Group</description>
  <conditions>
    <and>
      <if-global-variable name="account.email.aclmanagergrp" op="available"/>
      <if-global-variable name="account.email.aclmanagergrp" op="not-equal"/>
    </and>
  </conditions>
  <actions>
    <do-set-xml-attr expression="../add[@class-name='User']" name="mail-acl-manager-group">
      <arg-string>
        <token-global-variable name="account.email.aclmanagergrp"/>
      </arg-string>
    </do-set-xml-attr>
  </actions>
</rule>
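To check what the GCV and rule above actually produce before pointing the driver at a live Domino server, here is an added Python model of the two halves of the setup: the policy side (a list GCV joined by its item-separator and stamped onto the User add event as the mail-acl-manager-group XML attribute when the GCV is available and non-empty) and the shim side (one ACL entry per semicolon-separated group name, of type MIXED_GROUP as stated above). This is example code written for this page, not code from the article or from the NotesDriverShim; the sample add event, the GCV dictionary and all function names are constructed for illustration, and the whitespace stripping in split_manager_entries is an assumption about robustness, not documented shim behaviour.

```python
# Added example (not from the original post): a stand-alone model of the
# policy rule and of the shim's reading of the resulting attribute, so the
# output can be inspected without a running IDM engine or Domino server.
# Only the attribute name (mail-acl-manager-group), the GCV name
# (account.email.aclmanagergrp), the ';' separator and the MIXED_GROUP entry
# type come from the article; everything else here is constructed.
import xml.etree.ElementTree as ET

GCV_NAME = "account.email.aclmanagergrp"
ATTR_NAME = "mail-acl-manager-group"

# Constructed sample <add> event, trimmed to the parts the rule looks at
# (assumed shape of a Subscriber-channel User add).
SAMPLE_EVENT = """<nds dtdversion="3.5" ndsversion="8.x">
  <input>
    <add class-name="User" event-id="0" src-dn="\\ACME\\users\\mmanager">
      <add-attr attr-name="Surname"><value>Manager</value></add-attr>
    </add>
  </input>
</nds>"""


def gcv_list_value(items, separator=";"):
    """Model of a type="list" GCV: the policy sees the items joined by the
    item-separator, which is how ';' ends up inside the attribute value."""
    return separator.join(items)


def gcv_is_set(gcvs, name):
    """Mirror of the rule's conditions: op="available" plus op="not-equal"
    with empty content, i.e. the GCV exists and is not the empty string."""
    return name in gcvs and gcvs[name] != ""


def apply_acl_manager_group_rule(event_xml, gcvs):
    """Equivalent of do-set-xml-attr on ../add[@class-name='User']; returns
    the (possibly modified) document root."""
    root = ET.fromstring(event_xml)
    if not gcv_is_set(gcvs, GCV_NAME):
        return root  # rule does not fire; the event passes through untouched
    for add in root.iter("add"):
        if add.get("class-name") == "User":
            add.set(ATTR_NAME, gcvs[GCV_NAME])
    return root


def split_manager_entries(value):
    """Shim-side view of the attribute: one entry per ';'-separated name.
    Stripping whitespace and dropping empty pieces is an assumption made
    here for robustness; the article only states that ';' separates entries."""
    return [part.strip() for part in value.split(";") if part.strip()]


def expected_acl_entries(root):
    """(name, entry-type) pairs the shim should add to the new mail file's
    ACL for the group attribute; the article says groups are added as
    MIXED_GROUP entries."""
    entries = []
    for add in root.iter("add"):
        if add.get("class-name") != "User":
            continue
        for group in split_manager_entries(add.get(ATTR_NAME, "")):
            entries.append((group, "MIXED_GROUP"))
    return entries


if __name__ == "__main__":
    gcvs = {GCV_NAME: gcv_list_value(["LocalDomainAdmins", "MailAdmins"])}
    doc = apply_acl_manager_group_rule(SAMPLE_EVENT, gcvs)
    print(ET.tostring(doc, encoding="unicode"))
    print(expected_acl_entries(doc))
```

Run it as-is to see the add event with the attribute set and the two MIXED_GROUP entries the shim is expected to create; clear the GCV list and the event comes out untouched, which matches the "leave blank to not attach extra group manager ACLEntries" behaviour described in the GCV.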
Categories: Identity Manager, Technical Solutions

Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment.  It just worked for at least one person, and perhaps it will be useful for you too.  Be sure to test in a non-production environment.
