Installing FirM ... 13
  Introduction ... 13
  Who should install FirM? ... 13
  How this product is delivered ... 13
  Installation & Configuration of FirM ... 13
  Quick Installation Process ... 13
  Stage 1: Encryption key creation ... 14
  Stage 2: Initial install of FirM ... 15
  Stage 3: Basic FirM Configuration ... 18
  Stage 4: FirM System Profiles Set Up ... 19
  Stage 5: FirM User Profiles Set Up ... 21
  Stage 6: FirM Group Profiles Set Up ... 22
  Importing Certifiers & Passwords ... 24
System Configuration ... 25
  Target Audience ... 25
  Introduction ... 25
  System Configuration – Databases ... 25
  System Configuration – Servers ... 26
  System Configuration – Directories ... 27
  System Configuration – Admin Settings ... 27
  System Configuration – Billing ... 30
  System Configuration – Name Validation ... 30
  Name Uniqueness Checking ... 30
  System Configuration – Workflow ... 32
  System Configuration – Archiving & Expiry ... 33
  System Configuration – Active Directory (AD) ... 34
  System Configuration – BlackBerry ... 35
  System Configuration – License ... 35
Administration Tools ... 36
  Config Tab ... 36
  Profiles Tab ... 36
  Monitoring Tab ... 36
  Import Tab ... 37
  'Group Restore' Tab ... 37
  BlackBerry Management Tab ... 37
  System Views Tab ... 38
BlackBerry Overview ... 116
  Architecture ... 116
  Installing the BlackBerry interface ... 116
BlackBerry Transactions ... 118
  Authorisation ... 118
  BlackBerry Provision ... 118
  BlackBerry Enable ... 119
  BlackBerry Disable ... 119
  BlackBerry Reset Password ... 120
  BlackBerry Delete ... 120
FirM Databases ... 137
  Request Processor ... 137
  Log Database ... 137
  Extended AdminP processor ... 137
  Group Registry ... 137
  Monitored Group Shadow Repository ... 138
  Certifier Repository ... 138
  Password Repository ... 138
  ID Repository ... 138
  ESCROW Database ... 139
  Audit Repository ... 139
  Archive Repository ... 139
  Billing Database ... 139
  Deleted Records Database ... 139
  Application Monitor ... 139
  Application Usage Log ... 139
1. Introduction
1.1. The Chairmanʼs Introduction
Congratulations on choosing and using FirM, the premier solution for optimising the management of your
Domino infrastructure. Over the R5 to ND8.5 releases of Domino the Lotus arm of IBM has worked hard to
increase the value that can be derived from your Domino infrastructure. We at HADSL are committed to
ensuring that you can unlock this value without the penalty of increased administration costs. In fact, with
FirM you can match the value gains from your Domino infrastructure with equal gains in value in your
Domino administration. Our designers and architects not only track technical changes in Domino but also
follow best-practice usage patterns in IT management in general and Domino administration in particular,
to bring you a truly effective solution for controlling and reducing your administration and management
costs. With HADSL solutions you will not only keep pace with the market, but move ahead of the market
in best-practice administration and management.
At HADSL we value each and every one of our customers. To make sure that you get the best from FirM
and HADSL, please give us any feedback, both good and bad, on the use of any of our products or
services. We particularly urge you to let us know how you would like to see our products develop. Keeping
us in touch with your problems helps us to make sure that our solutions make your life easier.
Ian Tree,
Chairman, HADSL
1.4.1. Why is FirM the best Domino User and Group Management tool?
- FirM is very easy to install and implement and does not require expensive code changes to reflect
  your business model.
- FirM is very easy for the end-user to use.
- FirM's operations are based on 'profiles' held within FirM. Profiles pre-define all the technical,
  infrastructure-based settings of a particular type of request. This means that a business user
  making a request, say, to create a new user, only needs to supply information relevant to their
  business needs. In the case of creating a new user all that is required is the user's name.
- FirM's 'dynamic fields' enable the FirM Administrator to specify in a profile that, when a request is
  made, information specific to the request is provided by the Requester. For example, the Requester
  may be presented with a question such as 'What is the person's new office telephone number?'.
  The supplied information, in this case the telephone number, is then written to the person
  document in the appropriate field.
- FirM is based on LotusScript, which means that dedicated add-in tasks do not need to be run on the
  server. Add-in tasks are a frequent cause of instability.
- FirM can run on multiple servers with failover capability, giving reliable 24x7 operations.
- At particular stages in a request, FirM can run Domino agents in designated databases. For
  example, when a 'User Create' request succeeds, FirM can run an agent in a designated database
  and pass it all the information from the request document.
- FirM may be integrated into other applications using object-oriented LotusScript classes. This
  enables group-management functionality to be added to an in-house application, say a web user
  management application for the intranet, by writing fewer than 20 lines of LotusScript code.
- FirM supports a Domino multi-domain environment.
1.4.2. How does FirM take advantage of load-balancing and server clusters?
FirM fully exploits Domino load-balancing and server clusters. The following happens when a user is
created:
- The new name is checked for duplicates in all Domino directories. If the name already exists, then
  numbers are optionally added to ensure uniqueness.
- The name elements are optionally checked against an external database, such as a global short
  name directory.
- The user is added to the relevant groups based on information in the profile.
- Profile-based information is used to query the directory in order to determine the least-loaded server.
- The user's mail file is created using a profile-specified template name and user access level. If that
  server is part of a cluster and the configuration variable 'Add mail file to all clusters' is set in the
  System Configuration, then replica mail files are created on all cluster mates.
The profile used for the request supplies:
- Static fields, i.e. the pre-defined content of specific fields on the person document which this profile
  creates or modifies.
- Dynamic fields, i.e. the content of fields on the person or group document being created or modified,
  which is provided by the Requester at the time a request is made.
- The groups to which a newly created person should be added.
1.7.1. Upgrading to R6, R7, R8 or R8.5 will reduce administration effort in any case?
Case studies and reports have shown that Domino sites upgrading to newer versions of Lotus Domino can
show significant TCO decreases. These sites report that many facilities within the new administration client
substantially increase the productivity of their support staff. Many sites will have reduced TCO because they
are able to take advantage of the infrastructure consolidation that is possible with later releases. Admin
client utilities for registering users, and many enhanced AdminP functions, will also reduce TCO.
However, this does not solve the problem addressed by FirM: a skilled and trained administrator is still
needed to use the Notes administration client. The Notes administration client is a complex,
sophisticated and highly technical tool, not the sort of software that a business user would want to have to
use, and a business user made to work with such an inappropriate tool would make many errors, resulting
in replication conflicts and duplicated groups.
FirM provides a 'zero technical knowledge' interface to Domino administration, and does so in a safe and
secure way. FirM may be operated easily by non-technical business staff who need no knowledge of, or
skills in, Domino group and user administration.
FirM, in fact, extends the capabilities of the administration client in many ways. Groups are only ever edited
centrally, so replication conflicts should not occur. Group membership rules are enforced, as are naming
conventions. Additionally, a full audit trail and request history is maintained for actions carried out against
the address book.
FirM complements and significantly enhances the core administration functionality of R6, enabling significant
further reductions in TCO whilst simultaneously delivering an increase in system control.
1.11.1. Introduction
The Federated Identity and Resource Manager is a Delegated Proxy Administration system for Lotus
Domino. This means that:
- Administrators can delegate common user, group and application tasks to non-technical personnel.
- These personnel can request that tasks be performed.
- FirM automatically validates and checks that the tasks are correct and, if so, carries them out
  automatically.
Typically, tasks will be completed within 10 minutes of the request (depending on the authorisation stage
and replication topology).
1.11.2. Architecture
Architecturally, FirM is a number of Lotus Domino databases. The entire set of these databases resides on
the FirM processing server (or servers, should you choose to have a backup FirM processing server).
A subset of these databases can be replicated throughout the Domino environment to allow requesters
(people who request FirM tasks) to interact with FirM.
The processing server need only be a supported version of Lotus Domino server, running on a supported
server platform. Typically, this server will also be the Administration server for that environment.
FirM can manage single or multiple Lotus Domino domains.
1.11.3. Workflow
Within FirM, there is a two-stage workflow process.
The person creating the request (the "Requester") may also be allowed to "Authorise" the request. In this
case, the request is processed immediately.
Should the Requester not be permitted to authorise the request, then details are mailed to the personnel
allowed to authorise it. Any one of these people can then authorise or reject the request.
2. Installing FirM
2.1. Introduction
This document contains a step-by-step guide to the procedures that must be followed to install and set up
FirM. The installation instructions are written for Domino administrators and assume familiarity with basic
Domino administration tools and procedures.
If problems are encountered please contact your sales consultant, who will be able to provide assistance and
route your question to technical support if necessary.
6. Access to the server console, either physical access or through a remote server management tool
such as PCAnywhere, VNC etc..
7. The certifier ID(s) for all hierarchies to be managed together with the password(s) for these certifiers.
Note that FirM does not currently support certifier IDs that have been set up to require multiple
passwords.
k) Give the key a secure password in accordance with your security guidelines and procedures.
l) Save to a file on a removable disk or to a network path accessible from the administratorʼs
workstation.
m) Repeat steps 1h. to 1m. for the keys…
ʻiDM ID Encryption Keyʼ
FirM Administration Manual v3.0 © 2009 HADSL
3 INSTALLING FIRM, page 15 of 147
In order to prevent ECL (execution control list) errors whilst installing FirM, it is best to copy the
installer NSF database to your local data directory and sign the database using your ID file, so that its
design elements run under a signer that your workstation ECL already trusts.
When you open the database using your normal Notes client, the first page of the installation wizard
dialog is displayed.
N.B. Installation will fail if the administrator's ID does not contain the FirM encryption keys. These
should have been created and imported during Stage 1 of this installation.
Once the installation is complete, you will see the following screen.
The installation process will generate a number of requests to sign databases with the server ID which, by
the time this point is reached, should all have completed successfully. If some requests are still pending,
their processing may be expedited by issuing the 'tell adminp process all' command at the server console.
Where specific security standards require that databases be signed with a special development ID,
this must be carried out manually.
Configure the Access Control Lists for the FirM databases as required. Only FirM Administrators
should be members of the [Administrator] role.
Replicate a copy of the FirM Extended AdminP database to each Domino server that will host users
and/or applications managed by FirM.
During the installation phase, the primary processing server will be requested to sign the FirM Request
Processor database with the server's ID file. In many cases, the server will be listed in the Administration
Execution Control List (ECL). Should the server NOT be listed in the Domino Administration ECL, the FirM
Request Processor database may be signed with the normal ʻapplication signingʼ ID file.
Later, the scheduled agents in the FirM Request Processor and, optionally, the FirM Extended AdminP
databases will be signed with an ID capable of running restricted agents.
The ʻDefault FirM Administratorʼ is used in conjunction with notification profiles to enable an
administrator, group of administrators or mail-in database to receive notifications. Default
administrators can also resubmit, cancel and ʻprocess nowʼ transactions.
The default value for ʻAutomatic recertificationʼ of ʻDisabledʼ should be used for initial installation.
j) ʻBillingʼ tab:
Billing information is only written to the FirM Billing Repository database when ʻEnable Billingʼ is
set to ʻYesʼ.
Select each request type to be recorded in the Billing Repository database.
k) ʻName Validationʼ tab:
This tab allows the elements of both user and group names to be comprehensively defined.
Under the ʻGroup Namesʼ sub-tab the way in which groups are split may be selected. The
options are to split a group when the group exceeds 15KB in size or when a specified number of
group members is exceeded.
Ensure that a subgroup separator character is specified (ʻ_ʼ is suggested).
ʻExternal Lookupʼ tab:
FirM supports the use of an external database that can be used to provide additional keys and
codes to ensure unique naming standards. The default setting of 'No' should be used, as this is
an advanced option and setting up this database is beyond the scope of these installation
instructions.
l) ʻWorkflowʼ tab:
Accept the default of 3 hours for ʻNotify Every:ʼ
It is recommended that all days, i.e. Sunday through to Saturday, are checked in ʻNotification
Window Daysʼ
Similarly, change the notification times to start at ʻ1ʼ and end at ʻ23ʼ.
m) ʻArchiving & Expiryʼ tab:
These settings control the archiving of requests from the FirM Request Processor to the FirM
Archive Repository database.
The default values are usually sufficient. Archiving may be enabled at a later date.
n) ʻADʼ tab:
Active Directory support may be enabled by clicking the ʻYesʼ radio button. A licence for Active
Directory support must have been purchased to enable this extension.
o) Click on the 'Save & Close' button to save the changes.
The ʻCertifiersʼ, ʻCompaniesʼ, ʻCountriesʼ and ʻBusiness Groupsʼ tabs similarly allow for the selection
of a relevant pre-defined profile for this type of ID request.
The ʻID & Passwordʼ sub tab allows the recipients of any newly generated user ID and password
pairs to be defined.
The Authorisation tab enables the definition of those users (Requesters) who are permitted to create
new users with this profile. Specify either individual names, or the names of multi-purpose groups
from the address book.
The ʻAuthorisersʼ sub-tab enables the definition of those users who will authorise the creation of new
users made with this User Create profile. If a Requester should not authorise their own request,
provide the name of an alternative Authoriser. It is common to find that the LocalDomainAdmins
group is used for the Authorisers field.
In the ʻNotificationʼ tab specify the names of users or groups who should receive a notification
whenever an ID is created using this profile. This is especially useful where there are security
considerations for certain certification hierarchies.
Click on ʻSaveʼ.
Repeat these steps for as many user creation profiles as are needed.
Similar profiles must be created for each type of user request that FirM is able to process. For
example, User Modify, User Delete, User Disable etc..
In profiles other than the 'create' profiles an additional sub-tab will be found in the Authorisers tab: the
'Users Managed by this Profile' tab. This should contain a name mask, such as '*/ACME', restricting
which users can be deleted, renamed, etc., using this profile. Keep the mask as narrow as the profile's
purpose allows, since it is the only thing that bounds what a Requester or Authoriser of this profile can act on.
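The following is an added example, not FirM's own code (FirM is written in LotusScript; Python is used here so the logic can be run anywhere). It shows how a 'Users Managed by this Profile' mask can be evaluated before a delete or rename request is accepted, and flags masks that put every user in scope. Assumptions not stated on the page: names are hierarchical Notes names in either canonical ('CN=Ann Lee/OU=Sales/O=ACME') or abbreviated ('Ann Lee/Sales/ACME') form; a mask such as '*/ACME' matches every name certified at or below /ACME, following Domino's wildcard-name convention; comparison is case-insensitive; a mask with no wildcard must equal a name exactly. The profile masks and request targets are constructed sample data.

```python
"""Name-mask evaluation for a FirM-style 'Users Managed by this Profile' check.
Added example; not part of FirM or the HADSL manual."""


def abbreviate(name):
    """Split a Notes name into lower-cased components, dropping CN=/OU=/O=/C=
    tags so that canonical and abbreviated forms compare equal."""
    parts = []
    for component in name.split("/"):
        if "=" in component:
            component = component.split("=", 1)[1]
        parts.append(component.strip().lower())
    return parts


def matches_mask(name, mask):
    """True if name falls under a wildcard mask ('*/Sales/ACME') or equals a
    plain mask exactly. Assumed semantics: '*' stands for one or more
    components above the mask's suffix, so the org itself is never a match."""
    n = abbreviate(name)
    m = abbreviate(mask)
    if m and m[0] == "*":
        suffix = m[1:]
        if not suffix:          # a bare '*' matches every name
            return True
        return len(n) > len(suffix) and n[-len(suffix):] == suffix
    return n == m


def managed_by_profile(name, masks):
    """True if any of the profile's masks covers the name."""
    return any(matches_mask(name, mask) for mask in masks)


def overly_broad(masks):
    """Masks that place every user in the directory within the profile's scope."""
    return [mask for mask in masks if abbreviate(mask) in (["*"], ["*", ""])]


def check_request(profile_masks, targets):
    """Split the targets of a delete/rename request into those the profile may
    act on and those it must reject."""
    allowed = [t for t in targets if managed_by_profile(t, profile_masks)]
    rejected = [t for t in targets if t not in allowed]
    return allowed, rejected


# Constructed sample data (hypothetical profile and request).
PROFILE_MASKS = ["*/Sales/ACME", "*/Eng/ACME"]
REQUEST_TARGETS = [
    "CN=Ann Lee/OU=Sales/O=ACME",   # in scope, canonical form
    "Bob Ray/Eng/ACME",             # in scope, abbreviated form
    "Carl Eck/Finance/ACME",        # same org, OU not covered
    "Dee Fox/Sales/ACMECORP",       # different org with a similar name
]

if __name__ == "__main__":
    allowed, rejected = check_request(PROFILE_MASKS, REQUEST_TARGETS)
    print("allowed :", allowed)
    print("rejected:", rejected)
    print("broad masks:", overly_broad(["*", "*/ACME"]))
```

Note the ACMECORP case: a suffix comparison on whole components is what stops '*/ACME' from matching '/ACMECORP'; a plain string `endswith` check would not.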
In order for a group to be managed with FirM it must have an entry in the FirM Group Registry. This entry
contains information about the group such as which profile it will use, which domain it belongs to, and who
are the Owners and Administrators of this group.
The roles of Owner and Administrator are described in the FirM Help database, but broadly an Owner is a
person who is able to modify the groupʼs list of owners and administrators, manage the content of the group,
and request the groupʼs deletion. An Administrator is a person who is only able to manage the content of the
group.
A typical Domino installation will have many groups in each Domino Directory, and the import utility is used to
create Group Registry entries for each of these groups. The tool is run from the FirM Request Processor,
and is accessed from the 'Tools' button under 'Import Group(s)'.
1. Click on the 'Tools' entry in the menu on the left-hand side of the screen.
2. Click on the 'Import' tab, and then the 'Group' sub-tab.
3. Click on 'Import Groups'.
4. You will be presented with a dialog with instructions. Click on 'Forward' to continue.
- Select whether a single group, a selection of groups or all groups of a type in the directory should be
  imported.
- Select the Directory/Domain from which the group or groups are to be imported.
- Select whether the groups are to be imported straight into a 'Live' state (i.e. they can be managed from
  FirM without further intervention) or into a 'Draft' state, in which case the groups must be manually
  moved to Live from within the Group Registry.
  It is possible to import spanned groups into FirM as a hierarchy. In order to do this the spanned
  groups must follow the naming convention
  [parent group name][separator character][number of subgroup]
  and the parent group must contain only the names of its subgroups. FirM will honour the existing
  separator character and will add and remove users from the subgroups in this hierarchy.
- The settings in the 'Ownership' tab allow default entries for group owners and administrators to be
  specified. The values contained in these fields will be added as an owner and an administrator
  (respectively) to each group imported with the utility.
- Assign which group profiles should be set for each type of group imported.
This step should be performed before users are allowed access to FirM.
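The following is an added example, not FirM's own code, serving two passages: the group-splitting limits on the 'Name Validation' tab (split when a group exceeds 15KB or a configured member count, with a subgroup separator such as '_') and the spanned-group naming convention described above ([parent][separator][number], parent containing only subgroup names). It is written in Python rather than FirM's LotusScript so it can be run anywhere. Assumptions not stated on the page: group size is accounted as one CRLF-terminated line per member; new subgroups are numbered after the highest existing one; member names compare case-insensitively, as Notes names do. The directory contents are constructed sample data, not an export from any real Domino Directory.

```python
"""Spanned-group maintenance for a FirM-style group hierarchy.
Added example; not part of FirM or the HADSL manual."""

import re


def member_bytes(name):
    # Assumed accounting (not specified on the page): each member is one
    # CRLF-terminated line of the group document's Members field.
    return len(name.encode("utf-8")) + 2


def has_room(members, new_name, max_bytes, max_members):
    """Would adding new_name keep the subgroup within both configured limits?"""
    if max_members is not None and len(members) + 1 > max_members:
        return False
    if max_bytes is not None:
        size = sum(member_bytes(m) for m in members) + member_bytes(new_name)
        if size > max_bytes:
            return False
    return True


def subgroup_pattern(parent, sep):
    return re.compile(r"^" + re.escape(parent + sep) + r"(\d+)$")


def spanned_subgroups(directory, parent, sep="_"):
    """The parent's subgroups in numeric order. Raises ValueError if the parent
    holds anything other than its own numbered subgroups, which the import
    convention forbids."""
    pattern = subgroup_pattern(parent, sep)
    numbered = []
    for entry in directory[parent]:
        match = pattern.match(entry)
        if match is None or entry not in directory:
            raise ValueError(f"{parent!r} contains non-subgroup member {entry!r}")
        numbered.append((int(match.group(1)), entry))
    return [name for _, name in sorted(numbered)]


def find_member(directory, parent, name, sep="_"):
    """Subgroup currently holding name (case-insensitive), or None."""
    for sub in spanned_subgroups(directory, parent, sep):
        if any(m.lower() == name.lower() for m in directory[sub]):
            return sub
    return None


def add_member(directory, parent, name, sep="_", max_bytes=15 * 1024, max_members=None):
    """Add name to the first subgroup with room; create the next numbered
    subgroup when all are full. Returns the subgroup holding the name and
    never adds a name that is already present somewhere in the hierarchy."""
    already = find_member(directory, parent, name, sep)
    if already is not None:
        return already
    subgroups = spanned_subgroups(directory, parent, sep)
    for sub in subgroups:
        if has_room(directory[sub], name, max_bytes, max_members):
            directory[sub].append(name)
            return sub
    pattern = subgroup_pattern(parent, sep)
    highest = max((int(pattern.match(s).group(1)) for s in subgroups), default=0)
    new_sub = f"{parent}{sep}{highest + 1}"
    directory[new_sub] = [name]
    directory[parent].append(new_sub)   # the parent lists subgroups only
    return new_sub


def remove_member(directory, parent, name, sep="_"):
    """Remove name from whichever subgroup holds it; False if it was not a member."""
    sub = find_member(directory, parent, name, sep)
    if sub is None:
        return False
    directory[sub] = [m for m in directory[sub] if m.lower() != name.lower()]
    return True


def sample_directory():
    # Constructed sample data: 'Sales' is a well-formed spanned group;
    # 'Mixed' breaks the convention by listing a person alongside a subgroup.
    return {
        "Sales": ["Sales_1", "Sales_2"],
        "Sales_1": ["Alice Adams/ACME", "Bob Brown/ACME"],
        "Sales_2": ["Carol Clark/ACME"],
        "Mixed": ["Mixed_1", "Dave Dent/ACME"],
        "Mixed_1": ["Erin Evans/ACME"],
    }


if __name__ == "__main__":
    d = sample_directory()
    print(add_member(d, "Sales", "Dan Doe/ACME", max_members=2))   # Sales_2
    print(add_member(d, "Sales", "Eve Ed/ACME", max_members=2))    # Sales_3
    print(d["Sales"])
```

The ValueError on a parent that mixes people with subgroups is deliberate: silently treating 'Dave Dent/ACME' as a subgroup name would either drop him from the group or leave a member that FirM never manages.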
2.11.4. Stage 10: Replicate FirM to the rest of the Domino Environment
The final stage in setting up FirM for use is to replicate it to all relevant servers.
1. Replicate the following FirM databases to all servers (and any intermediate replication servers)
   where users will access the FirM Request Processor:
   a) The FirM Request Processor (firmrequestprocessor.nsf)
   b) The FirM Group Registry (firmgroupregistry.nsf)
   c) The FirM Log Database (firmlog.nsf)
2. Replicate the following FirM database to all servers (and any intermediate replication servers)
   where users and/or applications are to be managed by FirM:
   a) The FirM Extended AdminP Request Processor (firmextendedadminp.nsf)
FirM is now installed, configured and ready to be used to create and process user and group management
requests.
Note that if you replicate FirM to other domains in your environment, you must add ACL entries to the
databases listed above in order to allow inter-domain replication. The 'OtherDomainServers' ACL entry has
been deliberately left out in order to improve default security; rather than re-adding it, grant access only to
the specific servers (or a group containing only those servers) that will replicate these databases. Use the
Admin client to set the relevant groups for your environment in each database.
During this process, the ID file provided is checked to ensure that it is a certifier file, and its certifier
hierarchy is extracted. FirM then checks whether these already exist in the FirM Certifier Repository and the
FirM Password Repository. If they do, the old versions may be overwritten with the new versions if desired.
If the two passwords match, the certifier and password are imported into FirM.
The certifier has now been imported into the FirM Certifier Repository.
3. System Configuration
3.1. Target Audience
This section is intended for use by the FirM Administrator.
3.2. Introduction
The System Configuration dialog box contains all system-wide configuration settings for FirM. The users
never see this dialog – only the FirM Administrators. This is usually set up at FirM installation time, and is not
normally updated.
To navigate to the System Configuration pane, click on the Tools option, followed by the "Config" tab. Then
click on 'Edit the System Configuration'.
'File Locations' tab
In the 'File Locations' tab two temporary directories must be specified:
Local Temporary Directory: located on the administrator's workstation and used during initial set-up and
when certifiers are imported into FirM.
Server's Temporary Directory: located on the server, used to run scheduled agents and required for the
normal operation of FirM.
These directories will temporarily contain items such as certifier IDs and user IDs, so it is important that
they are not accessible to users. They must be created manually. Should a directory not exist, the normal
'temp' directory defined by the operating system will be used instead; since that location is shared with
other processes and users on the machine, do not rely on this fallback.
On a Unix-based system (such as Linux, AIX, Solaris or HP/UX), the directory should be specified in the
form '/tmp/', using forward slashes to separate directories. On a Windows-based system, the directory
should be specified in the form 'c:\temp\', i.e. a drive letter followed by a colon, with the backslash
character used to separate directories.
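The following is an added example, not part of FirM or the HADSL manual, written in Python rather than FirM's LotusScript so it can be run anywhere. It is a pre-flight check for the two temporary directories described above: it validates the path form the manual specifies for Unix and Windows, confirms the directory exists (so FirM will not fall back to the shared OS temp directory), and on Unix checks that the directory is owned by the expected account, is not a symbolic link and grants no group/other access. It also reports any .id files left behind by an earlier run, since those are certifier or user IDs. The ownership and 0700 policy and the "no leftover ID files" rule are this example's assumptions, not settings the page prescribes; on Windows only the path form is checked here.

```python
"""Pre-flight check for FirM temporary directories (added example)."""

import os
import re
import stat
import sys
import tempfile


def path_form_problems(path, platform=None):
    """Problems with how the path is written, per the manual's two forms:
    '/tmp/' on Unix (forward slashes) and 'c:\\temp\\' on Windows."""
    platform = platform or sys.platform
    problems = []
    if platform.startswith("win"):
        if not re.match(r"^[A-Za-z]:\\", path):
            problems.append("Windows path must start with a drive letter and colon, e.g. c:\\temp\\")
        if "/" in path:
            problems.append("use backslashes, not forward slashes, on Windows")
        if not path.endswith("\\"):
            problems.append("path should end with a trailing backslash")
    else:
        if not path.startswith("/"):
            problems.append("Unix path must be absolute, e.g. /tmp/")
        if "\\" in path:
            problems.append("use forward slashes, not backslashes, on Unix")
        if not path.endswith("/"):
            problems.append("path should end with a trailing slash")
    return problems


def leftover_id_files(path):
    """ID files a previous run left behind; these hold certifier or user IDs."""
    try:
        return sorted(f for f in os.listdir(path) if f.lower().endswith(".id"))
    except OSError:
        return []


def check_temp_dir(path, owner_uid=None, platform=None):
    """Return a list of findings; an empty list means the directory is usable."""
    platform = platform or sys.platform
    problems = path_form_problems(path, platform)
    if not os.path.isdir(path):
        problems.append("directory does not exist: FirM would fall back to the OS temp "
                        "directory, which is shared with every local user")
        return problems
    # Strip the trailing separator so a symlinked directory is detected as such.
    if os.path.islink(path.rstrip("/\\") or path):
        problems.append("directory is a symbolic link; use a real directory")
    if not platform.startswith("win"):
        st = os.stat(path)
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):   # assumed policy: mode 0700
            problems.append("mode %s grants group/other access; use 0700"
                            % stat.filemode(st.st_mode))
        if owner_uid is not None and st.st_uid != owner_uid:
            problems.append("owned by uid %d, expected uid %d (the Domino server account)"
                            % (st.st_uid, owner_uid))
    leftovers = leftover_id_files(path)
    if leftovers:
        problems.append("ID files left behind: " + ", ".join(leftovers))
    return problems


def run_scenarios():
    """Exercise the checks on a scratch directory; returns {scenario: findings}."""
    base = tempfile.mkdtemp()
    os.chmod(base, 0o700)
    uid = getattr(os, "getuid", lambda: None)()
    results = {}
    results["private"] = check_temp_dir(base + "/", owner_uid=uid)
    results["no_trailing_slash"] = check_temp_dir(base, owner_uid=uid)
    os.chmod(base, 0o755)
    results["world_readable"] = check_temp_dir(base + "/", owner_uid=uid)
    os.chmod(base, 0o700)
    open(os.path.join(base, "cert.id"), "w").close()     # simulated leftover
    results["leftover_id"] = check_temp_dir(base + "/", owner_uid=uid)
    results["missing"] = check_temp_dir(base + "/missing/", owner_uid=uid)
    results["windows_form"] = path_form_problems("c:\\temp\\", "win32")
    results["unix_on_windows"] = path_form_problems("/tmp/", "win32")
    os.remove(os.path.join(base, "cert.id"))
    os.rmdir(base)
    return results


if __name__ == "__main__":
    for scenario, findings in run_scenarios().items():
        print(f"{scenario:18} {findings or 'OK'}")
```

Run it against the actual paths you intend to enter in the System Configuration (with `owner_uid` set to the Domino server account) before saving the configuration, and again after the first scheduled agent run to catch IDs that were not cleaned up.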
The contents of the fields on the other tabs have been automatically populated by the installer. These
values should be changed only if the databases have been renamed or moved.
'Databases' tab
Request Processor: the complete file path to the firmRequestProcessor.nsf database.
Group Registry: the complete file path to the firmGroupRegistry.nsf database.
Enable ID Recovery Process: if 'Yes', the ESCROW database will be required and the ID recovery process
agents are made available.
Marvel Client: the complete path to the Marvel Client main processing database on the primary FirM
processing server.
'Servers' tab
Primary Server: the fully qualified name of the FirM Domino server.
Secondary Server: this field should be left blank until the correct configuration and operation of FirM has
been confirmed. Once FirM has been installed and is working correctly, return to this field and specify a
secondary server if increased system resilience is required.
Secondary Server Delay: this value is critical. The secondary server will wait until a request is this number
of minutes 'old' before attempting to process it. Should the primary and secondary servers be clustered,
then this value can be as low as thirty minutes. Should the primary and secondary servers rely only on
scheduled replication, then this figure should be at least three times the replication period defined between
these two servers for this database. (A request created just after one replication can take a full period to
reach the secondary, and the primary's 'processed' status can take up to a further period to follow it, so
a delay under two periods leaves a window in which the secondary sees an apparently unprocessed request;
three periods adds a margin for a late or missed replication.)
If this value is too low, both servers will attempt to process the same request, resulting in replication
conflicts and, at worst, in a transaction being executed twice; where the transaction is not idempotent (User
Create, Group Create, etc.) this produces duplicate entries.
We recommend that two program documents be created in your directory to support this configuration:
- One program document should run on your primary server, with the command "rep <secondaryServer>
  <firmDirectory>" and a schedule type of "startup".
- The second program document should run on your secondary server, with the command "rep
  <primaryServer> <firmDirectory>" and a schedule type of "startup".
This ensures that the FirM directory is replicated immediately when a server comes back up after being
down for any reason, so that a request already processed on one server is not processed again on the other.
'Directories' tab
Admin4: the database filename for the admin4.nsf database for that domain.
Domains can be added, edited or removed by clicking on the relevant button at the bottom of the list.
Use the 'Add Entries' button to add the directories to be managed by FirM. Each directory (names.nsf)
should have both an Admin4 database (admin4.nsf) and a 'Deny Access' group specified for that domain.
Note that the installer creates the first 'default' directory entry but cannot at that stage define the
terminations group used in the environment. It is therefore important that the default entry be edited
post-installation to define a terminations group for the primary environment.
If more than one domain is to be managed, then the directory and the admin4.nsf database of each other
domain should be replicated on a scheduled basis onto the primary (and secondary server, if defined). The
other domains' directories and administrative databases can then be added to this list of domains.
It is important, if more than one domain is to be managed, that each domain has a unique domain identifier
set in the directory profile of each directory database. This can be updated by:
1. Opening the directory database.
2. Clicking on the Actions menu, and then 'Edit Directory Profile'.
3. Editing or updating the 'Domain defined by this directory' field.
The 'Edit Entries' and 'Remove Entries' buttons can be used to manage the directories list.
Log Settings
Debug Level. The debug level will initially be set to ‘4. Very Detailed’. This generates a large amount of logging and debugging information, which is useful during the initial configuration phase of FirM. During normal operation this value should be set to ‘3. Detailed’ in order to provide a more manageable level of logging and debugging information.
Number of Days. Choose the number of days you wish to retain log entries for.
Log File Mail In Address. If you add a Mail-In document in your directory pointing at the FirM Log database (firmlog.nsf), then the client can email in log entries instead of having to open the database. This also means that you do not have to replicate the firmlog.nsf database to other servers from the FirM primary processing server. (This is highly recommended.) Choose the Mail-In address from the address book.
Should Clients Mail In their log documents. This switches the client log mode from writing directly to the firmlog.nsf database to using the mail-in address defined above. This gives a direct performance gain, as the client no longer has to open the log database, and the Log database need not be replicated to all servers; it need only reside on the Primary and Secondary Processing servers. Other server processes that create log documents will use the mail address if it is defined, unless the other servers are the primary or secondary processing servers.
Log Configuration Object. Switch this on in order to log output from the configuration object. We have found that in an idle system the output from the configuration object represents about 85% of the log output, so leaving it off reduces the chatter on a stable system.
Misc Settings
Disable UI request creation for non-administrators. This setting disables the standard UI creation of requests where a bespoke front-end has been implemented for FirM; such front-ends are beyond the scope of this administration manual.
Recertification Days. The number of days before the end-user certificate expires at which the recertification engine processes users. This should normally be greater than the 90 days before expiry at which the Notes client starts warning the user.
Group Changes Monitoring. This allows the selection of groups in the Group Registry for monitoring. Should any monitored group be changed, the changes are noted and communicated to selected users.
Use Password Recovery to recover files. If enabled, this allows the user ID and password recovery mechanism to use the Password Recovery mechanism to recover ESCROW ID files. You must be running Domino 7.0.2 or above (8.x or above recommended) for this to work. You must also identify Recovery Authorities in each Certifier profile, and these Recovery Authorities must exist in the ID and Password repositories.
Default Notification Footer. Allows the definition of a rich-text footer which will be appended to all notification messages generated by FirM. This can be used to add graphics, as well as a standard footer explaining to the user that this is a system-generated email message.
Application Monitor
Maximum age. The number of days manual scanning should go back in the user activity log.
Maximum Users. The total number of users in your environment. This is used to indicate how many users may access this application where the ACL contains elements such as *.
Ignore Zero Read/Zero Write Records. This reduces the number of access logs recorded by ignoring sessions which don't result in reads or writes. However, this does give the false impression that nothing is accessing the application.
Ignore Server based Records. This allows you to ignore server-based activity, which results in a huge reduction in tracking records.
Mail File Quota Management
Mail File Bands. The administrator should define up to five band “names”, and the Mail File Quota figures should increase from top to bottom. The last figure, for “unlimited”, should be set to zero. If you do not wish to use a particular band, leave its name blank.
Allow Extended AdminP to update Person Documents. The mechanism relies on writing ‘hidden’ fields to the user's Person document in order to communicate the user's Mail File Quota band, the replica ID of the mail file, etc. This has to be enabled for the mechanism to work. Note that when this is enabled there will be a large number of updated Person documents on the first night, as the Mail File management system updates each Person document.
FieldName For... Each of these fields allows you to define what the hidden field is called, in order to reduce the possibility of collisions. Note that if these are changed, it may take several days for the Mail File quota management system to recover. It is recommended that these are only changed before enabling the system.
If a user does NOT have a mailfile quota set... Choose the action to perform if a user does not have a mail file quota set. It is recommended that the option ‘Set to level above user's current mail file size’ is chosen.
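The band rules above (quotas increasing top to bottom, a trailing zero for “unlimited”, blank names for unused bands, and the recommended ‘level above current size’ action for users without a quota) are small enough to check mechanically. The following is an added example, not FirM code; the band table, the user records and the hidden field name FirMQuotaBand are constructed for illustration.

```python
"""Added example (not FirM code): validating a Mail File Bands table and choosing
a band for a user who has no quota set.

Bands are (name, quota_mb) rows read top to bottom. Quotas must increase, the last
row is 'unlimited' with a quota of 0, and a blank name marks an unused band.
"""
from typing import List, Optional, Tuple

Band = Tuple[str, int]

# Constructed band table, standing in for the five-row configuration form.
BANDS: List[Band] = [
    ("Standard", 250),
    ("Extended", 500),
    ("", 750),            # unused band: name left blank
    ("Executive", 1000),
    ("Unlimited", 0),     # last figure, for "unlimited", is zero
]


def validate_bands(bands: List[Band]) -> List[Band]:
    """Return the named bands after enforcing the rules on the configuration form."""
    if len(bands) > 5:
        raise ValueError("at most five bands may be defined")
    named = [(name.strip(), quota) for name, quota in bands if name.strip()]
    if not named:
        raise ValueError("no bands are named")
    if named[-1][1] != 0:
        raise ValueError("the last band must be 'unlimited' with a quota of 0")
    finite = [quota for _, quota in named[:-1]]
    if any(quota <= 0 for quota in finite):
        raise ValueError("only the last band may carry a quota of 0")
    if any(a >= b for a, b in zip(finite, finite[1:])):
        raise ValueError("quota figures must increase from top to bottom")
    return named


def bands_are_valid(bands: List[Band]) -> bool:
    """Boolean form of validate_bands, convenient for a configuration pre-check."""
    try:
        validate_bands(bands)
        return True
    except ValueError:
        return False


def band_for_user_without_quota(current_size_mb: int, bands: List[Band]) -> Band:
    """'Set to level above user's current mail file size': the first band whose quota
    is strictly above the mail file's current size, else the 'unlimited' band."""
    named = validate_bands(bands)
    for name, quota in named[:-1]:
        if quota > current_size_mb:
            return name, quota
    return named[-1]


def plan_person_updates(users: List[Tuple[str, Optional[int], int]], bands: List[Band],
                        band_field: str = "FirMQuotaBand") -> List[Tuple[str, str, str, int]]:
    """Hidden-field writes the quota run would make to Person documents.

    users are (notes_name, quota_mb or None, mail_file_size_mb). Only users with no
    quota are assigned a band here, which is the case this section specifies; the
    field name is an assumption standing in for the configured 'FieldName For...'.
    """
    updates = []
    for name, quota_mb, size_mb in users:
        if quota_mb:
            continue
        band, quota = band_for_user_without_quota(size_mb, bands)
        updates.append((name, band_field, band, quota))
    return updates
```

A table whose quotas do not increase, or whose last figure is not zero, is rejected before any Person document is touched, which matters because the section notes that recovering from a bad band configuration can take several days.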
ID Backup
Mail In Address. Create a mail-in document pointing at the FirM request processor in order for the ID backup mechanism to work.
AdminP Search Hours. The number of hours back that the mechanism will search looking for requests to process.
Store retention hours. The number of hours that ID Backup will retain the temporary records of processed AdminP records.
Reminder Frequency (in days). The number of days between reminders that users will receive to back up their ID and password. This should be a minimum of one day.
Maximum Reminders. The maximum number of reminders that a user will receive to back up their ID file.
Users to include. A list of users specified by wildcards (NOT group names) for the people to be included in this ID backup mechanism.
External Queue Processing
Enable External Queue Processing. Enable External Queue processing if you wish to handle mailed-in requests, and requests generated in other databases.
Only accept requests from these people or groups. A list of people or groups that are allowed to send in requests. This means that you can restrict this functionality to a subset of users, for instance signed, scheduled agents.
Document field and Value. Enter a field name on the target document, and a success and failure value to set. After processing, the document is updated using the field and values appropriate to the target database.
CSV data is in field. The field that contains the Comma Separated Values that represent the request(s) contained in this document.
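The three settings above describe a small pipeline: check that the mailed-in document comes from an accepted person or group, read the CSV out of the named field, and record the outcome in the status field. The following is an added example, not FirM code; the document layout, the field names, the group membership and the required CSV columns are constructed for this illustration.

```python
"""Added example (not FirM code): accepting and parsing a mailed-in request document.

Settings mirror 'Only accept requests from these people or groups', 'Document field
and Value' and 'CSV data is in field'. Document fields (Signer, SignatureValid,
FirMError) and the required columns are assumptions of this example.
"""
import csv
import io
from typing import Dict, List

# Constructed External Queue Processing settings.
QUEUE_CONFIG = {
    "accept_from": ["ProvisioningAgent/Acme", "HR Feed Agents"],  # people or groups
    "csv_field": "RequestCSV",        # 'CSV data is in field'
    "status_field": "FirMStatus",     # 'Document field and Value'
    "success_value": "Processed",
    "failure_value": "Failed",
}
# Constructed group membership, standing in for a Domino directory lookup.
GROUPS = {"HR Feed Agents": ["HRAgent/Acme"]}
# Assumed minimum columns for one request row.
REQUIRED_COLUMNS = ("Transaction", "Name")


def is_allowed_sender(sender: str, accept_from: List[str], groups: Dict[str, List[str]]) -> bool:
    """True when the sender is listed by name or is a member of a listed group.
    Comparison is case-insensitive, as Notes name lookups are."""
    wanted = sender.strip().casefold()
    for entry in accept_from:
        if entry.casefold() == wanted:
            return True
        if any(member.casefold() == wanted for member in groups.get(entry, [])):
            return True
    return False


def parse_requests(csv_text: str) -> List[Dict[str, str]]:
    """The header row names the fields; every row must carry the required columns."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    if not rows:
        raise ValueError("no request rows in CSV field")
    for number, row in enumerate(rows, start=2):   # line 1 is the header
        for column in REQUIRED_COLUMNS:
            if not (row.get(column) or "").strip():
                raise ValueError(f"line {number}: missing value for {column}")
    return rows


def process_document(doc: Dict[str, object], config=QUEUE_CONFIG, groups=GROUPS) -> List[Dict[str, str]]:
    """Verify the sender, parse the requests and write the outcome to the status field.

    Returns the parsed request rows; an empty list means the document was refused
    and the failure value was written. An unsigned or badly signed document is
    refused before the sender is even compared against the accept list.
    """
    try:
        signer = str(doc.get("Signer") or "")
        if not doc.get("SignatureValid") or not is_allowed_sender(signer, config["accept_from"], groups):
            raise PermissionError(f"sender {signer!r} is not an accepted requester")
        requests = parse_requests(str(doc.get(config["csv_field"]) or ""))
    except (PermissionError, ValueError) as exc:
        doc[config["status_field"]] = config["failure_value"]
        doc["FirMError"] = str(exc)   # assumed field holding the failure reason
        return []
    doc[config["status_field"]] = config["success_value"]
    return requests
```

Writing the failure value (and the reason) back to the originating document is what lets the owner of the external database see why a request was dropped without having to read the FirM log.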
Enable Billing. Billing information is only written to the FirM Billing Repository database when ‘Enable Billing’ is set to ‘Yes’.
Bill for the following transactions. Enable the transactions you wish the Billing engine to record.
Write billing records for subtransactions. It is recommended that ‘Write Billing Records for sub transactions’ be set to ‘No’. In most billing circumstances only the initial or main transaction is relevant for billing purposes. For instance, should a User Create transaction be created, its four or more sub-transactions (send User ID, Create Replica Mail file, etc.) are of little value from a billing perspective.
Billing target for Groups. The field ‘For Groups’ should be set to the individual relevant for group transactions; that is, the owner of the group or the person who requests the group change.
Short Name uniqueness. The Short Name field within the Notes environment is often used to store the user's AD login name or mainframe login name. We advise that the short name also be unique across all systems, in order to successfully implement a single sign-on policy.
Your existing name uniqueness standards can be enforced using FirM. Bear in mind that, now that creating new accounts is far simpler for the end user, FirM can actually strengthen and enhance your name uniqueness policies.
Each Domino directory configured within FirM is checked, then the external shortname database (if configured) and finally the deleted users repository. Deleted users are checked in order to prevent name ‘spoofing’, where an existing user is deleted and a new user is created with exactly the same name. It is up to the Domino Administrator to decide how long deleted person documents should remain in the deleted users repository.
Name Uniqueness
Name Uniqueness. This tab defines which name uniqueness checks are to be performed during FirM operation:
‘Full Name Uniqueness’. This checks the entire Lotus Notes name of an object. For instance, ‘Joe Bloggs/HADSL’ would be compared against ‘Joe Bloggs/Acme’. It is recommended that this value is checked.
‘Short Name Uniqueness’. This checks that each object has a unique Lotus Notes ‘shortname’. For instance, ‘JBloggs’ would be compared against ‘JBloggs’ (and found to be non-unique). It is recommended that this value is checked.
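The check order described above (each configured Domino directory, then the external shortname database if configured, then the deleted users repository to defeat name spoofing) is illustrated by the following added example. It is not FirM code: the directory contents, the external shortname list and the deleted users entries are constructed, and names are compared case-insensitively on the assumption that Domino name lookups are.

```python
"""Added example (not FirM code): the name uniqueness check order described above.

Each configured Domino directory is searched first, then the external shortname
database (if configured), then the deleted users repository. The data below and the
case-insensitive comparison are assumptions of this example.
"""
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed directory contents, one list per configured Domino directory.
DIRECTORIES: Dict[str, List[Dict[str, str]]] = {
    "names.nsf (Acme domain)": [
        {"FullName": "Joe Bloggs/Acme", "ShortName": "JBloggs"},
        {"FullName": "Jan Willem/Acme", "ShortName": "JWillem"},
    ],
    "names.nsf (HADSL domain)": [
        {"FullName": "Jane Doe/HADSL", "ShortName": "JDoe"},
    ],
}
# Constructed external shortname database view (for instance AD login names).
EXTERNAL_SHORT_NAMES: Optional[Iterable[str]] = {"ADUser1", "JDoe"}
# Constructed deleted users repository; entries stay as long as the administrator decides.
DELETED_USERS: List[Dict[str, str]] = [
    {"FullName": "Mal Lory/Acme", "ShortName": "MLory", "DeletedOn": "2009-01-15"},
]

Conflict = Tuple[str, str, str]   # (source checked, field, clashing value found)


def same_name(a: str, b: str) -> bool:
    """Case-insensitive, whitespace-tolerant comparison of two Notes name values."""
    return a.strip().casefold() == b.strip().casefold()


def check_name_uniqueness(full_name: str, short_name: str, *,
                          check_full_name: bool = True, check_short_name: bool = True,
                          directories=DIRECTORIES, external=EXTERNAL_SHORT_NAMES,
                          deleted=DELETED_USERS) -> List[Conflict]:
    """Return every clash found, in the order the sources are consulted.
    An empty list means the proposed names are unique."""
    conflicts: List[Conflict] = []

    def compare(source: str, entry: Dict[str, str]) -> None:
        if check_full_name and full_name and same_name(entry.get("FullName", ""), full_name):
            conflicts.append((source, "FullName", entry["FullName"]))
        if check_short_name and short_name and same_name(entry.get("ShortName", ""), short_name):
            conflicts.append((source, "ShortName", entry["ShortName"]))

    # 1. Each Domino directory configured within FirM.
    for source, entries in directories.items():
        for entry in entries:
            compare(source, entry)
    # 2. The external shortname database, if configured (keyed on the short name only).
    if check_short_name and short_name and external is not None:
        for candidate in external:
            if same_name(candidate, short_name):
                conflicts.append(("external shortname database", "ShortName", candidate))
    # 3. The deleted users repository, so a deleted name cannot be re-created by someone else.
    for entry in deleted:
        compare("deleted users repository", entry)
    return conflicts
```

Reporting every source that clashed, rather than stopping at the first, gives the requester one complete list of what to change; the deleted users entry is reported with the same weight as a live directory entry, which is the point of the spoofing check.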
First Name, Middle Initials, Last Name, Short Name, Alternate Name, Group Name, Mail In. The following settings are available for each of these name fields:
Is required. Check this box if this name field is required.
Minimum Length. This defines the minimum length (in characters) allowed in your environment.
Maximum Length. This defines the maximum length (in characters) allowed in your environment.
Allow Non-ASCII. Checking this box allows characters other than A-Z, a-z in this name field.
Allow Numbers. Checking this box allows the number characters 0-9 in this name field.
Allow Underscores. This allows the underscore character ‘_’ to be used in this name field.
Allow Hyphens. This allows the hyphen character ‘-’ to be used in this name field.
Allow Punctuations. This allows punctuation characters such as ‘;’, ‘,’ etc. to be used in this name field.
Allow Spaces. This allows the space character to be used in this field. This could allow people with two words in their first name, for instance ‘Jan Willem’.
Force Case. This forces this name field to be one of the following:
No Change. No case changing is performed. For example, if the requester types in ‘jan williem’, it is left as ‘jan williem’.
All Lowercase. The name field is converted to lowercase. For example, if the requester types in ‘Jan Williem’, it is converted to ‘jan williem’.
All Uppercase. The name field is converted to uppercase. For example, if the requester types in ‘jan williem’, it is converted to ‘JAN WILLIEM’.
Propercase. The first letter of each word is made uppercase and the rest of the word lowercase. For example, if the requester types in ‘jan williem’, it is converted to ‘Jan Williem’.
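The per-field settings above amount to a character whitelist plus length and case rules. The following added example applies one field's settings to a typed value; it is not FirM code, and the character classes (which characters count as punctuation, for instance) and the order of the checks are this example's reading of the settings rather than a description of FirM's own validator.

```python
"""Added example (not FirM code): applying one name field's validation settings.

NameRule mirrors the per-field settings on the tab above: Is required, Minimum and
Maximum Length, Allow Non-ASCII, Allow Numbers, Allow Underscores, Allow Hyphens,
Allow Punctuations, Allow Spaces and Force Case.
"""
from dataclasses import dataclass
from typing import List, Tuple

FORCE_CASE_MODES = ("No Change", "All Lowercase", "All Uppercase", "Propercase")


@dataclass(frozen=True)
class NameRule:
    required: bool = True
    min_length: int = 1
    max_length: int = 64
    allow_non_ascii: bool = False
    allow_numbers: bool = False
    allow_underscores: bool = False
    allow_hyphens: bool = False
    allow_punctuation: bool = False
    allow_spaces: bool = False
    force_case: str = "No Change"


def force_case(value: str, mode: str) -> str:
    """Apply the Force Case setting; Propercase capitalises each space-separated word."""
    if mode == "No Change":
        return value
    if mode == "All Lowercase":
        return value.lower()
    if mode == "All Uppercase":
        return value.upper()
    if mode == "Propercase":
        return " ".join(word[:1].upper() + word[1:].lower() for word in value.split(" "))
    raise ValueError(f"unknown Force Case mode {mode!r}")


def character_allowed(ch: str, rule: NameRule) -> bool:
    """A-Z and a-z are always allowed; every other class needs its 'Allow ...' box."""
    if ch.isascii() and ch.isalpha():
        return True
    if not ch.isascii():
        return rule.allow_non_ascii
    if ch.isdigit():
        return rule.allow_numbers
    if ch == " ":
        return rule.allow_spaces
    if ch == "_":
        return rule.allow_underscores
    if ch == "-":
        return rule.allow_hyphens
    return rule.allow_punctuation    # ';', ',', '.', quotes and other ASCII symbols


def validate_name(value: str, rule: NameRule) -> Tuple[str, List[str]]:
    """Return the case-forced value and the list of rule violations (empty when valid).
    Case is forced first so that the value the requester sees is the value checked."""
    value = force_case(value.strip(), rule.force_case)
    if not value:
        return value, (["field is required"] if rule.required else [])
    errors: List[str] = []
    if len(value) < rule.min_length:
        errors.append(f"shorter than minimum length {rule.min_length}")
    if len(value) > rule.max_length:
        errors.append(f"longer than maximum length {rule.max_length}")
    rejected = sorted({ch for ch in value if not character_allowed(ch, rule)})
    if rejected:
        errors.append("characters not allowed: " + " ".join(repr(ch) for ch in rejected))
    return value, errors
```

Validation is deliberately a whitelist: anything not explicitly allowed by a setting is rejected, so a field left at its defaults accepts plain letters only, and the requester is told every offending character at once rather than one per attempt.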
Group Name
Membership Limit. The number of users in each group before splitting into subgroups. Typically this should be around 200 names, but in some cultures with longer names this might be lower.
Subgroup Separator. The character used to separate the group name from the subgroup text.
External Database
Allow External Database Lookup. If you enable this, it allows lookups against an external database in order to perform name uniqueness checking.
View Name. The view to check. We use the name component, and if an entry is found in this view, using the name as a keyword, then the uniqueness check fails.
Notify Every. The number of hours between sending out workflow messages.
Notification Windows Days. Choose the working days appropriate for your work environment.
Status of Requests. There are several status values that can have expiry periods set:
DRAFT. This is the status of a request that has been added to the Request Processor but not yet submitted. This status is not available from UI-created requests and will only occur if a request was created from an external process using the FirM LotusScript API.
COMPLETE. This is the setting for removing old requests that have fully completed their processing.
REJECTED. These are requests where the Authoriser has declined the transaction.
CANCELLED. Requests that have been cancelled by the Requester, an Authoriser or the default FirM administrator will be archived according to this setting.
FAILED OR INVALID. Requests that have failed processing or been rejected due to broken signatures will be archived according to this setting.
Requests that are awaiting processing, deferred or awaiting approval will never be archived.
FirM has the ability to create and monitor groups and users for auto-expiry. That is to say, a date can be set after which an automatic deletion workflow will remove them from the environment.
This facility is not currently available from the standard FirM UI and is only accessible from the FirM LotusScript API; it may be accessible from the UI in a future release of FirM.
The three settings relating to the automatic expiry of users and groups should therefore be ignored in the standard install of FirM and only changed under instruction from HADSL or one of its resellers.
Person Documents, Group Documents, Mail-in Database Documents. The name of the field on each of these types of document which will be updated with an expiry date.
Active Directory Enabled. Set this to Yes to enable Active Directory support within FirM. A license for Active Directory support must have been purchased to enable this extension. Due to the amount of UI changes this causes, it is best to save the configuration document and restart FirM.
AD Domains
Domain List. Add, edit and remove supported Active Directory domains from this list by clicking on the Add, Edit and Remove Entries buttons. Each entry requires:
The Domain Name. This should be the ‘DN’ part of the top of the Active Directory tree, such as ‘hadsl.local’, instead of the NT domain name (“HADSL”).
The name of the primary AD server. This will be the Windows server which calls back to the FirM processing server and collects user and group transactions to process. You should enter the ‘Common Name’ part of the server (such as ‘Server1’) instead of the full AD name (such as ‘Server1.servers.hadsl.local’).
AD Name Validation
Name Validation. This sub-tab allows you to define the same name validation rules as exist for Lotus Domino.
Synchronisation
Perform Synchronisation. Set this to Yes to enable AD directory synchronisation between the Active Directory domains defined above and the Lotus Notes domains controlled by FirM.
Start Time. When should the synchronisation agent tell the Windows machine to start sending its directory information? We recommend a time outside normal business hours and outside the backup windows (when the servers are going to be busy).
Admin Settings
Web Service cycle time. When the Windows web service collects its configuration, this setting tells it how often (in seconds) it should poll for new work. The default is 300 seconds (5 minutes). It is not recommended that this be set to less than one minute.
Users Notes Folder within Home folder name. For User ID and Password resend, we can drop a new copy of the user's ID file into the user's home directory on their home file server. Enter the name of the Lotus Notes data directory within a normal user's home share in order for the ID to be placed in the correct folder.
BlackBerry Enabled. BlackBerry support can be enabled by setting the radio button to Yes. A license for BlackBerry support must have been purchased to enable this extension. Note that BlackBerry transactions, profiles, etc. will not be visible until this has been set to ‘Yes’. Due to the sheer amount of UI changes that this causes, it is recommended that after this is changed you save the configuration document and exit FirM.
Verbose Logging. This echoes the actual output from the BlackBerry Resource Kit to the FirM log, dramatically increasing the size of the log file. It is recommended that this only be switched on whilst debugging BlackBerry Resource Kit issues.
BlackBerry Resource Kit Executable Name. The BlackBerry Resource Kit executable name has to be set. This means that the BlackBerry Resource Kit must be installed in the same location on both the primary and secondary FirM processing servers. On installing the BlackBerry Resource Kit you were prompted to generate a new password for security purposes. Enter that password into FirM by clicking the “Password” button.
Set SQL Username and Password. If your BES servers share a common SQL server, then enter the username and password that is in use. If your BES servers run local databases for their operation (they do NOT use a separate MS SQL database), leave this entry blank.
BlackBerry Policies. List all of the BlackBerry Enterprise Server “BlackBerry” policies that you wish to expose to FirM for management. Note that at this point it is not possible for FirM to build that list automatically, so the administrator must maintain it manually.
You must now visit each Location document and enter the servers which are running your BlackBerry Enterprise Server software, so that the relevant locations are associated with zero or more BES servers. See the entry “Location Profiles - BlackBerry servers tab” on page 34 for more information on this.
4. Administration Tools
The Administration Tools panel is accessible only to FirM Administrators – people who have the ACL role
[Administrator] enabled. To access the administration tools, click on “Tools” on the left hand navigator in the
FirM Request Processing database.
The Administration Tools assist the administrator in the set-up, configuration and day to day running of the
FirM application.
5.1.2. Groups
Groups. Should one or more groups be added to this field, then all users created using this profile will be
automatically added to these groups.
5.2. ID Profiles
ID Type profiles are mandatory profiles used during a User Create process. One or more of these profiles
may be associated with a particular User Create profile.
Details
Profile Name. Give the profile a meaningful name in the context of your environment.
Description. A description (that only the administrators can see) of this profile.
Mail File
Mail Template. Give the filename of the template you wish to use to create a user using this profile. The template must exist on the target server on which you wish to create the user.
ACL Level. Choose the ACL level the user should be granted in the mail file.
Mail Quota. Set a mail file quota (in MB) for this mail file.
Mail Threshold. Set a mail file warning threshold (in MB) for this mail file.
Create Replica on all Cluster Servers. If the user is being created on a mail server which has cluster mates, and this parameter is set to ‘Yes’, then their mail file will also be created on all other members of the cluster.
ID Type
User Type. Choose whether users created using this profile are Notes users (and therefore have an ID file created for them) or Web Users (where an ID is not created).
Notes ID Type. Lotus Notes supports two Notes Client key lengths: 64 bit (International) and 128 bit (Global or US).
ID Validity. Typically this would be measured in years (720+ days) for full-time staff, or in hundreds of days for contractors. Note that setting this value to a lower number means more administrative work recertifying these people.
Minimum Password Length. The minimum length of password that these people have to use when they choose a new password.
Create HTTP password. This should be set to ‘Yes’ to allow FirM to create the users' Internet (or ‘HTTP’) password at the same time that the users are created.
Password Change interval. This value is written to the new user's Person document in the directory, and dictates how often the new user should change their password.
Grace Period. This allows the user NOT to change his password for a period beyond his change interval, usually 14 days or so. Only after the password change interval AND the grace period have expired is the user's account locked by Domino.
Password Digest Enable Profile. If a Password Digest Enable profile is selected here, then the User Password Digest function is run after a user is created, using the details defined in the selected profile.
Roaming Profile. If a Roaming Enable profile is selected here, then the User Enable Roaming function is run after a user is created, using the details defined in the selected profile. (Note that Roaming User enable is only relevant in Domino v6 or above.)
ID File Name. This field allows you to define how the user's ID file is created.
It should be noted that the user's mail server is determined using their Location Profile.
FirM Administration Manual v3.0, © 2009 HADSL
7. Configuring System Profiles, page 41 of 147
Details
Profile Name. Give the profile a meaningful name in the context of your environment.
Certifier Hierarchy. This is picked directly from the Certifier Repository's list of certifiers and cannot be edited. This ensures that this certifier profile always points at a valid certificate entry in the Certifier Repository. This hierarchy field is also used to find the certifier password from the Password Repository.
‘Name’. Care must be taken to define profile names that are meaningful for your business users, as the Company profile names may be visible and offered as choices during user transactions.
‘Name’. Care must be taken to define profile names that are meaningful for your users, as the Internet Address profile names may be visible and offered as choices during user transactions.
‘Internet Domain’. Enter the domain part of the Internet Address in this field, for instance “hadsl.com”. Do not include “@” in this field.
‘Local-Part Construction’. Enter the tags required for constructing the local part of the Internet Address in this field, for instance “<FIRSTNAME>.<LASTNAME>”. These tags will be replaced during request processing, when the Internet Address is calculated.
Certain restrictions can be placed upon group types, for instance the Domino group type. This means that users of FirM do not have to have technical knowledge about the difference between a Mail group, an ACL group and a Multi-Purpose group.
Allowed membership of the group can be restricted so that, for instance, SMTP addresses cannot be added to a group that has been set up using a ‘Confidential Internal Emails’ profile.
Workflow can also be set up. For instance, restrictions can be placed upon who can submit group create requests, who can authorise them and who is notified.
Profile Name.
Users Managed by this Profile. You may enter a “name mask” such as “*/Acme” or “*” in this field, or a list of user names, or a list of group names.
Recertification Profile. Choose the Recertification profile that should be used for these users for this profile.
ID Profile. This is used to calculate the expiry period of this recertification event.
Automatically re-certify. Choose Yes for the Recertification Engine to perform automatic recertifications on these users.
Select the trigger type; “Success” means that the transaction was successful.
Enter the name of your database.
Enter the name of your agent.
The fields “Name”, “Address”, “Postcode” and “Phone Number” are defined in the top line, and the file contains one record for “Joe Bloggs”.
The simplest way to generate a CSV file is to use a spreadsheet, laying out columns and rows to mimic this:
You can then save the spreadsheet as a CSV file. In most packages, “File”, “Save As” offers a CSV file format:
Requesters
Users Self Request. If this is set to YES, then any user can request that this transaction be applied to themselves. No requesters are required, and this transaction is only visible on the web client.
Authorisers
Authorisation Method. “Use List of Authorisers Below” means use the Authorisers field. Some transactions may allow user self-service, or for the manager field in the target user document to be used.
Notification
Who shall be Notified. A list of users or groups who shall receive a mail message when the request is complete.
Manage Users
Users Managed by this Profile. A list of name masks defining the users to be managed by this profile. This allows certain profiles to be applied only against certain users.
Defer
Allow requesters to defer requests. If this is set to NO, then requesters may not defer requests created using this profile.
Default days to defer request. The default number of days that this request will be deferred by. The requester may override this.
Default Deferred request time. The default time at which this process will be executed. The requester may override this.
MC
Marvel Client Commands. This allows zero or more Marvel Client configuration commands to be processed if this request is successful.
Profile. The user is prompted to select one User Create Profile from the list of profiles available to him. Example: ‘New Accounts user in Bracknell’.
Location Profile, Certifier Profile, ID Profile, Company Profile, Country Profile. Each of these profile types may be set in the User Create profile document. If more than one of each type is selected, then the requester is asked to choose which particular profile is most appropriate for this operation. Examples: ‘Dublin’ (Location), ‘/Acme’ (Certifier), ‘Staff’ (ID), ‘Acme’ (Company), ‘UK’ (Country).
First Name, Middle Initials, Last Name, Short Name. Enter a valid name component for this user. This name is checked against name validation rules to ensure that it conforms to the global system configuration Name Validation rules set by the administrator. The Shortname component can be automatically generated, in which case it is not visible to the requester. Each of these three name values is compared against the validation rules in the System Configuration profile. If the names pass the validation rules, then the Domino Directories are checked for uniqueness. If any name fails, the Requester is informed and invited to re-enter them. Examples: ‘John’, ‘A’, ‘Smith’, ‘JSmith101’.
Password Recipients. A list of people who will receive the user's new ID file and password. Depending on the profile, this may be a fixed field (in which case the requester can only see the recipient), or the requester can select recipients.
Clone User. This allows the requester to select another user in the Directory. The new user will be added to all groups that the selected clone user belongs to, along with all other groups from all selected profiles. Example: ‘Joe Bloggs/Acme’.
An Admin4 request is then issued to create the user's primary replica database:
On the correct target server.
Using the template name, quota and trigger level specified in the ID profile.
Adding the user's name to the mail file ACL at the level specified in the ID profile.
If cluster replica mail files are specified in the ID profile, and the server is part of a Domino cluster (again, established from the Domino directory), then an Extended AdminP request is constructed, which:
Replicates to the user's primary mail server, and waits until the user's mail file has been created by AdminP.
Creates one or more AdminP requests creating the mail file replica on the other cluster mates, as governed by AdminP.
Once processing has completed, any people specified within the Notification list for the relevant group profile will be sent an email telling them that the group has been created.
If the System ID profile dictates Roaming and/or Password Digest operations, sub-transactions will be created to perform these tasks.
The request will remain in the state ‘Pending Sub transaction’ until the AdminP requests and the Extended AdminP requests have completed. It will then progress to ‘Complete’.
As with all FirM requests, logging information at every stage is created in the Log Database, audit trail records are created in the Audit Database, and billing information is created in the Billing Database.
A welcome message (defined in System Notification profiles, with a name of “UCR-Welcome”) will be mailed to the user.
Fields
Field Settings and Definitions. This defines values to set in Person document fields, as well as dynamic fields which prompt the requester at run-time.
Groups: Mandatory Groups
Default Groups. Zero or more Domino groups which the new user will be added to. Each group addition is handled in the same manner as a normal Group Manage Members request, and will therefore honour any instructions on that group policy, such as requesting permission from the Group Owner.
Allow user Cloning. If set to Yes, the requester will be prompted for the name of a user to clone; that is, the newly created user will be added to all groups that the selected ‘clone’ user is already a member of. Each group addition is handled in the same manner as a normal Group Manage Members request, and will therefore honour any instructions on that group policy, such as requesting permission from the Group Owner.
Groups: Optional Groups
Allow Optional Groups. If set to Yes, the requester will be prompted to add the new user to optional groups. Each group addition is handled in the same manner as a normal Group Manage Members request, and will therefore honour any instructions on that group policy, such as requesting permission from the Group Owner.
Limit optional groups. If set to No, then the requester may choose any group from the directory. If set to Yes, then the requester is only shown the list of groups defined in the profile.
Optional Groups. A list of Domino groups which the requester may add the newly created user to.
Groups: Termination Groups
Enable User Profile. This allows name reuse, in that the new user name is automatically ‘enabled’; that is, their name is removed from the terminations group. Select a User Enable profile in this field to enable this feature.
Names and Domains: Full Name
Notes Domain. Select (from a list) the relevant Lotus Domino domain that the new user will be created in. These values are retrieved from the Global Configuration Profile.
Notes Name. A list of tokens which define how the Notes Full Name is constructed. Use the adjacent ‘Keywords’ button to browse the available run-time keywords.
Names and Domains: Short Name
Generate Short Name. If set to Yes, FirM generates the user's ShortName value using the rules defined below. If set to No, the requester will be prompted at run-time.
Define Short Name. A list of tokens which define how the Notes ShortName is constructed. Use the adjacent ‘Keywords’ button to browse the available run-time keywords.
Names and Domains: Optional OU
Optional OU Handling. This allows the administrator to define how optional OUs are handled for this profile.
Use this OU. If a mandatory OU is set, then the value in this field is used as the optional OU component.
Choose from OU. If a list of OUs is provided, then the requester will be asked to choose one item from this list.
Optional OU is Optional. If set to Yes, then the requester is not forced to pick or enter an optional OU.
Internet Naming
Internet Address Profiles. If this is set to ‘Use Simple Internet Address Specification’, then the new user will have a single internet address set, using the rules defined on this tab. Otherwise, the internet address profile scheme will be used.
Internet Profiles
Allowed Profiles. First, use the Allowable Profiles field to select the Internet Address Profiles that are to be enabled for this User Create profile.
Always add Outbound address to Inbound field. If enabled, this ensures that the user's Internet address is always added to the inbound field. Use this, for instance, to make sure that the user's Internet address always appears in the FullName field.
Mail File Naming
Compute Mail File. This allows the use of @Formula to define which primary and secondary mail file database names should be used for this user. The first item in the text list returned defines the primary mail file name, and the second item defines the cluster mail file name if different.
Mail File Name. You define the file name that the new user's mail file will have using tokens, available by pressing the adjacent ‘Keywords’ button.
Translate Mail File Name. Apply any case translations to the mail file name, such as setting it all to lowercase.
Cluster Mail File Name. You define the file name that the new user's cluster file will have using tokens, available by pressing the adjacent ‘Keywords’ button. If this is blank, the same name as the mail file will be used.
Sub- ID ID Types Choose one or more ID profiles to use whilst creating new
Profiles users. If more than one profile is checked, the requester will
be asked to choose between them at run-time. At least one
must be chosen.
Locations Locations Choose one or more Location profiles to use whilst creating
new users. If more than one profile is checked, the
requester will be asked to choose between them at run-
time. At least one must be chosen.
Certifiers Certifiers Choose one or more Certifier profiles to use whilst creating
new users. If more than one profile is checked, the
requester will be asked to choose between them at run-
time. At least one must be chosen.
Countries Countries Choose one or more Country profiles to use whilst creating
new users. If more than one profile is checked, the
requester will be asked to choose between them at run-
time.
Business Business Choose one or more Business Group profiles to use whilst
Groups Groups creating new users. If more than one profile is checked, the
requester will be asked to choose between them at run-
time.
Active Active Choose one or more Active Directory profiles to use whilst
Directory Directory creating new users. If more than one profile is checked, the
Profile requester will be asked to choose between them at run-
time. At least one must be chosen.
If one or more is selected, then an Active Directory User
Create transaction will be automatically created when this
Domino User Create transaction is successful.
Set AD Login Use Tokens (available from the adjacent Keywords button)
Name to select tokens to construct the users Active Directory login
name.
ID & ID Files ID Distribution Choose how the ID file will be distributed from the ID
Password repository.
ID Mail Choose how the recipients of the ID file mail message are
Recipients set - either set using the profile or chosen at run-time.
Password Mail Choose how the list of people to receive the users
Recipients Password is constructed.
If a particular User Create profile only allows one Business Group Profile, for instance, that column need not be specified in the CSV file import.
FirM Administration Manual v3.0 © 2009 HADSL
9 FirM Domino User Transactions Explained, page 57 of 147
An example CSV file for a User Create transaction would look like:
Transaction, TransactionProfile, NewFirstName, NewMiddleInitials, NewLastName, BusinessGroupProfile, CertifierProfile, CompanyProfile, CountryProfile, IDProfile, LocationProfile, IDRecipients, PasswordRecipients
"UCR", "Default UCR Profile", "Joe", "", "Bloggs", "Business Group Profile Name", "Certifier Profile Name", "Company Profile Name", "Country Profile Name", "ID Profile Name", "Location Profile Name", "My IT Support/MyCo", "My Boss/MyCo"
User Name: the target user against which you wish to apply this transaction. Example: Fred Bloggs/Acme
Certifier Profile: the name of the certifier to cross-certify target users against.
ID Profile: the ID profile used to calculate how long the cross-certification is valid for.
Profile: the user is prompted to select the relevant User Modify Profile from the list of profiles available to them. Example: Update Telephone Number
User Name: the target user against which you wish to apply this transaction. Example: Fred Bloggs/Acme
Fields: one or more field definitions. Dynamic fields - information prompted for at run-time - can be used by clicking on the Dynamic Fields button.
User Name: the target user against which you wish to apply this transaction. Example: Fred Bloggs/Acme
Active Directory Profile: if defined, the Domino User Disable transaction will then generate an Active Directory User Disable transaction using this profile.
BlackBerry Profile: if defined, the Domino User Disable transaction will then generate a BlackBerry Disable transaction using this profile.
Move Person Document to Deleted Users Repository: this option moves the person document to the deleted users repository when the user is disabled. The user is then no longer visible in the Domino directory, cannot authenticate to servers and cannot receive new mail messages. Do NOT use this option when including this disable profile in a User Delete request.
User Name: the target user against which you wish to apply this transaction. Example: Fred Bloggs/Acme
Active Directory Profile: if defined, the Domino User Enable transaction will then generate an Active Directory User Enable transaction using this profile.
BlackBerry Profile: if defined, the Domino User Enable transaction will then generate a BlackBerry Enable transaction using this profile.
Allow re-enable from Deleted Users Repository: this option moves the person document from the deleted users repository back into the Domino directory when the user is enabled.
User Name: the target user against which you wish to apply this transaction. Example: Fred Bloggs/Acme
Data Owner: the profile can specify that another user - the Data Owner - can be owner of the deleted user's mail file for a short period of time.
The ACL for the user's mail file will be updated in order to change the ACL level for the DDO.
A 'class variable' called 'DDOACLLevel' allows you to set different Data Owner ACL levels. To change this, edit the class definition for the UDE, go to the 'Class Settings' tab on the class definition, and ensure that in the 'Class Settings' section you create a new line with:
'DDOACLLevel=<ACLLEVEL>', where <ACLLEVEL> is replaced with one of:
Depositor
Reader
Author
Editor
Designer
Manager
(See the section “System Variables Sub-tab” on page 31)
If a 'data owner' has been defined:
The transaction will defer itself for 30 minutes, and wait until the 'System ACL' Extended AdminP transaction is complete and has been replicated back to the FirM processing server. It will keep repeating this check until the 'System ACL' request is complete.
Once that request is complete, FirM retrieves the user's mail file database replica ID from the ACL request and uses it to populate the '<DBLINKBYUNID' token on the UDE-DDONotify mail message, so that the data owner can click on a database link to open the user's mail file.
The transaction then 'defers' itself to the supplied Deletion Day. On or after 1 minute past midnight on that day, it proceeds to the next stage.
If the deletion date is today (that is, the user is to be deleted immediately), the transaction defers itself for 30 minutes to allow time for the UDI operation to complete.
At this point, the UDE itself is complete. Note that it may take some time for the ExAmp and AdminP transactions themselves to complete - perhaps four or five replication cycles. The UDE transaction sets itself to 'awaiting sub transactions' and waits for the SYSMBD and SYSDBDEL transactions to complete.
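The deferral sequence described above, as an added timing model that is not part of FirM: it reproduces the documented waits (the 30-minute deferrals, the wake-up at one minute past midnight on the deletion day, and the wait for the SYSMBD / SYSDBDEL sub-transactions) so that the expected timeline of a request can be reasoned about. The state names, the acl_replicated / subtransactions_done inputs and the 30-minute re-check while waiting for sub-transactions are assumptions made for this example.

```python
"""Timing model of the User Delete (UDE) deferral sequence described in the manual.

Added example, not FirM code. State names, the acl_replicated /
subtransactions_done inputs and the re-check interval while awaiting
sub-transactions are assumptions made for this illustration.
"""
from datetime import date, datetime, time, timedelta

DEFER = timedelta(minutes=30)


def next_step(state, now, submitted_on, deletion_day, data_owner,
              acl_replicated=False, subtransactions_done=False):
    """Return (next_state, wake_at); wake_at is None once the request is complete."""
    if state == "start":
        # With a data owner, the 'System ACL' Extended AdminP request must complete first.
        if data_owner:
            return "await_system_acl", now + DEFER
        return "await_deletion_day", now
    if state == "await_system_acl":
        if not acl_replicated:
            return "await_system_acl", now + DEFER   # keep repeating the check
        # Replica ID is now known; the data-owner notification can carry the DB link.
        return "await_deletion_day", now
    if state == "await_deletion_day":
        proceed_at = datetime.combine(deletion_day, time(0, 1))   # 1 minute past midnight
        if now < proceed_at:
            return "await_deletion_day", proceed_at
        if deletion_day == submitted_on:
            # Immediate deletion: give the User Disable (UDI) operation 30 minutes.
            return "await_sub_transactions", now + DEFER
        return "await_sub_transactions", now
    if state == "await_sub_transactions":
        if subtransactions_done:
            return "complete", None
        return "await_sub_transactions", now + DEFER   # assumed re-check interval
    raise ValueError(f"unknown state {state!r}")


def simulate(submitted, deletion_day, data_owner, acl_replicated_at,
             subtransactions_done_at, max_steps=10000):
    """Drive next_step() with constructed completion times; return the list of (state, wake_at)."""
    timeline = []
    state, now = "start", submitted
    for _ in range(max_steps):
        state, wake_at = next_step(
            state, now, submitted.date(), deletion_day, data_owner,
            acl_replicated=now >= acl_replicated_at,
            subtransactions_done=now >= subtransactions_done_at,
        )
        timeline.append((state, wake_at))
        if wake_at is None:
            return timeline
        now = max(now, wake_at)
    raise RuntimeError("request did not complete within max_steps")


if __name__ == "__main__":
    # Constructed scenario: submitted 1 June 2009 10:00, deletion day 5 June, data owner set,
    # ACL request replicated back at 10:45, sub-transactions done at 01:00 on the deletion day.
    for state, wake_at in simulate(datetime(2009, 6, 1, 10, 0), date(2009, 6, 5), True,
                                   datetime(2009, 6, 1, 10, 45), datetime(2009, 6, 5, 1, 0)):
        print(f"{state:24s} wake at {wake_at}")
```

The simulation makes the two documented edge cases visible: a request submitted on its own deletion day skips straight to the 30-minute UDI wait, while a future deletion day produces a single long deferral to 00:01 on that day rather than repeated polling.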
User Disable Profile: select a Domino User Disable profile from this list. This User Disable profile is used to disable the user as soon as this request is processed.
BlackBerry Profile: if defined, the Domino User Delete transaction will then generate a BlackBerry Delete transaction using this profile.
Allow retrieval from Deleted users: this option allows the requester to choose a Domino user to delete from the Deleted Users repository.
Deletion Process tab:
  Allow the Requester to assign a data owner: the FirM Requester may specify a person who is automatically granted access to the deleted user's mail file for a period of time. The Data Owner is defined at run-time. Use of this option should be in line with your organisation's data retention and security guidelines.
  Data Owner Mandatory: allow the requester to choose whether a Data Owner should be assigned.
  Delete User's Mailfile: choose how the delete process should deal with the deleted user's mail file.
  Hide Person Documents: specify whether you want to hide the person document with reader fields at the start of the process. If this option is selected then a field name must be provided, together with a list of users, groups or roles that will see the document. You must ensure that mail and AdminP servers are still able to see the document afterwards - and this includes the name of the user that enabled the FirM processing agent.
Archiving tab:
  Archiving: choose whether or not to archive the user's mail file at the end of the process.
  Archive Server: choose whether the mail files are to be moved to an archive server, or just to another directory on the same mail server.
  Server Name: the archive server to which the user's mail file will be moved.
  Archive Directory: the directory in which the mail file will be placed.
UserName (mandatory): a fully hierarchical name identifying the user for this transaction.
DataOwner (optional): the name of a person who will “own” this user's mail file.
DeletionDate (mandatory): the date on which this user will actually be removed.
User Name: the target user against which you wish to apply this transaction. Example: Fred Bloggs/Acme
Force Password Change on next Login: force the user to change their HTTP password the next time they log into Domino using their browser.
Password Strength: the higher the number, the more complex the password; it is specified on a scale of 0 to 16. The levels are defined in the Lotus Administrator's manual in the article 'The Password Quality Scale'.
Active Directory Profile: if set, run an Active Directory User Password Reset transaction immediately after the HTTP password reset transaction, setting the AD password for this user.
User Name: the target user against which you wish to apply this transaction. Example: Fred Bloggs/Acme
Data Owner: a user from the directory who will have access to the target user's mail file. Example: Auditor McAudit/Acme
Optionally, at the end of the access period, another Extended AdminP request is issued to remove the data owner's access from the target user's mail file.
Once processing has completed, any people specified within the Notification list defined in the User Grant Mail File Access profile are sent an email telling them that the request has succeeded.
Mailfile Grant Access tab:
  User Target Name: choose how the requester will choose the target user.
  Send Mail Message to user: setting this to Yes means that the user is sent a message at the start of the process informing them that the data owner has access to their mail, and at the end to inform them that the access has been removed.
  Requester can set Access Period: the requester can choose how long the data owner has access to the target user's mail file.
  Number of working days to grant access: the number of days that the data owner has access to the target user's mail file.
  Access Control Level granted: choose an appropriate ACL level for the Data Owner.
  Remove this entry from the users mailfile: allows control over the removal of the data owner from the target user's mail file.
An example CSV file for a User Grant Mailfile Access transaction would look like:
Transaction, TransactionProfile, UserName, DDODuration, DataOwner
"UMA", "Default UMA Profile", "Joe Bloggs/MyCo", 3, "My Boss/MyCo"
This transaction would allow “My Boss/MyCo” access to “Joe Bloggs/MyCo”'s mail file for three days.
User Name: the target user against which you wish to apply this transaction. Example: Fred Bloggs/Acme
7.10.5.2. FirM Processing
The Requester of the transaction is compared against the list of valid Requesters defined in the User MailFile Quota Profile document. If the Requester is not allowed to submit this request, it fails. A similar check is performed against the Authoriser of the request.
Processing checks that all relevant information is present in the request. If vital information is missing (this should not be possible), the request fails, detailing the reasons for failure in the FirM log and also in the request.
The processor then generates an Extended AdminP request to update the user's mail file Quota and Threshold levels.
Once processing has completed, any people specified within the Notification list defined in the User MailFile Quota Profile are sent an email telling them that the request has succeeded.
7.10.5.3. User Mailfile Quota Profile
The User MailFile Quota profile allows the administrator to define who can request that a target user has their mail file set with a Quota and Threshold.
Quota Bands Allowed: define which quota bands the requester can assign to the target user's mail file. Leaving all deselected means that the requester can choose all bands,
In order to move users between domains and servers in the same operation, see the User Move Location transaction.
Details relating to the notification of completion of this transaction are stored in the User Move Domain Profile.
User Name: the target user against which you wish to apply this transaction. Example: Fred Bloggs/Acme
Allowed Target Domains: select one or more Domino domains which can be used as a target for this transaction.
User Name: the target user against which you wish to apply this transaction. Example: Fred Bloggs/Acme
Allowed Certifiers: if one or more entries are selected from this list of profiles, the requester will only have the choice of the selected Certifiers. Otherwise, the requester will be able to choose from any Certifier defined within FirM.
User Enable Profile: if selected, a User Enable transaction is automatically run for the user's new Notes name. This ensures that if a previous user's Notes name was added to the terminations groups and this new user name matches it, the target user is not barred from accessing your Notes environment.
ID Profile: select an ID profile so that the ID expiry period can be set.
Optional OU tab:
  Optional OU Handling: the profile can dictate whether a user's Optional OU is updated while the move in hierarchy is taking place.
User Name: the target user against which you wish to apply this transaction. Example: Fred Bloggs/Acme
Current Location: the FirM location name associated with the user's current home server. If this cannot be calculated, the requester is prompted to choose from a short list of Location Profiles. Example: Dublin
New Location: if the profile allows more than one target profile, the requester is prompted to choose the target user's new profile. Example: Edinburgh
New Certifier: if the new location's allowed certifier list (in the location profile) does not include the user's current certifier, the requester is prompted (if there is more than one choice) to choose the best certifier hierarchy for this user. Example: /Stobart
User Move Server Profile: select a User Move Server profile that this transaction will use.
Allowed Locations tab:
  Allowed Current Locations: select one or more locations from which you wish to move users. Selecting NO profiles means that all system location profiles can be used.
  Allowed Target Locations: select one or more locations to which you wish to move users. Selecting NO profiles means that all system location profiles can be used.
User Name: the target user against which you wish to apply this transaction. Example: Fred Bloggs/Acme
Target Server: the target server you wish this user to move to. You must choose a server object from the Notes directory, and you cannot choose the user's existing server. Example: EdinburghServer1/Acme
Mail File: the name of the user's mail file on the new server. By default this is the same as the user's mail file on the existing server. Example: mail/FredBloggs.nsf
An example CSV file for a User Move Server transaction would look like:
Transaction, TransactionProfile, UserName, TargetServer, TargetMailDb
"UMA", "Default UMA Profile", "Joe Bloggs/MyCo", "cn=newServer,ou=Acme", "mail/JoeBloggs.nsf"
This transaction would move user Joe Bloggs to server 'newServer/Acme'.
User Name: the target user against which you wish to apply this transaction. Example: Fred Bloggs/Acme
Password Expiration: specify the number of days before the HTTP password expires and the user is forced to change their HTTP password.
Grace Period: specify the number of days a user can ignore the 'change password' prompts before their account is locked out.
User Name: the target user against which you wish to apply this transaction. Example: Fred Bloggs/Acme
User Name: the target user against which you wish to apply this transaction. Example: Fred Bloggs/Acme
User Name: the target user against which you wish to apply this transaction. Example: Fred Bloggs/Acme
ID Profile: select an ID profile so that the ID expiry period can be set.
User Name: the target user against which you wish to apply this transaction. Example: Fred Bloggs/Acme
User Enable Profile: if selected, a User Enable transaction is automatically run for the user's new Notes name. This ensures that if a previous user's Notes name was added to the terminations groups and this new user name matches it, the target user is not barred from accessing your Notes environment.
ID Profile: select an ID profile so that the ID expiry period can be set.
User Create Profile: select a UCR Profile so that the User Rename Common Name transaction can work out the user's new internet address. The user's “old” internet address is appended to the user's “fullname” field so that both internet addresses work for this user.
Append old internet address to fullname: setting this to Yes appends the user's current internet address to their fullname field, so that they can still receive incoming email using their old address.
An example CSV file for a User Rename transaction would look like:
Transaction, TransactionProfile, UserName, NewFirstName, NewMiddleInitials, NewLastName, OptionalOU
"URC", "Default UCE Profile", "Joe Bloggs/MyCo", "Joseph", "", "Bloggs", ""
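The CSV layouts shown for the User Create (UCR), User Grant Mailfile Access (UMA) and User Rename (URC) transactions can be checked before a file is imported. The following is an added example and not part of FirM: the column layouts are taken from the samples in this manual; the checks, the rule that a UCR row may omit a sub-profile column when its User Create profile allows only one choice (the profile name used for that rule is hypothetical), and the sample rows are constructed here.

```python
"""Pre-submission validation of a FirM CSV import file.

Added example, not part of FirM. Column layouts follow the CSV samples in
the manual (UCR, UMA, URC); the checks and sample rows are constructed.
"""
import csv
import io

# Column layouts as documented for each transaction code.
LAYOUTS = {
    "UCR": ["Transaction", "TransactionProfile", "NewFirstName", "NewMiddleInitials",
            "NewLastName", "BusinessGroupProfile", "CertifierProfile", "CompanyProfile",
            "CountryProfile", "IDProfile", "LocationProfile", "IDRecipients",
            "PasswordRecipients"],
    "UMA": ["Transaction", "TransactionProfile", "UserName", "DDODuration", "DataOwner"],
    "URC": ["Transaction", "TransactionProfile", "UserName", "NewFirstName",
            "NewMiddleInitials", "NewLastName", "OptionalOU"],
}

# Columns that may legitimately be left empty.
MAY_BE_EMPTY = {"NewMiddleInitials", "OptionalOU"}

# Columns that hold Notes names; a hierarchical name contains "/".
NAME_COLUMNS = {"UserName", "DataOwner", "IDRecipients", "PasswordRecipients"}

# Sub-profile columns a UCR row may omit because the named User Create profile
# allows exactly one choice. Hypothetical profile name, constructed for this example.
SINGLE_CHOICE_SUBPROFILES = {
    "Default UCR Profile": {"CompanyProfile", "CountryProfile"},
}


def validate_row(header, row, lineno):
    """Return the problems found in one data row (empty list when the row is fine)."""
    rec = dict(zip(header, row))
    code = rec.get("Transaction", "")
    layout = LAYOUTS.get(code)
    if layout is None:
        return [f"line {lineno}: unknown transaction code {code!r}"]
    problems = []
    if len(row) != len(header):
        problems.append(f"line {lineno}: {len(row)} values for {len(header)} columns")
    omittable = set()
    if code == "UCR":
        omittable = SINGLE_CHOICE_SUBPROFILES.get(rec.get("TransactionProfile", ""), set())
    for col in layout:
        if col not in rec:
            if col not in omittable:
                problems.append(f"line {lineno}: missing column {col}")
        elif not rec[col].strip() and col not in MAY_BE_EMPTY:
            problems.append(f"line {lineno}: empty value for {col}")
    for col in sorted(NAME_COLUMNS & set(rec)):
        value = rec[col].strip()
        if value and "/" not in value:
            problems.append(f"line {lineno}: {col} {value!r} is not a hierarchical Notes name")
    if code == "UMA":
        days = rec.get("DDODuration", "").strip()
        if not days.isdigit() or int(days) < 1:
            problems.append(f"line {lineno}: DDODuration must be a positive number of days")
    return problems


def validate_file(text):
    """Validate a whole CSV file (header row first); return every problem found."""
    rows = [r for r in csv.reader(io.StringIO(text), skipinitialspace=True) if r]
    header = [h.strip() for h in rows[0]]
    problems = []
    for lineno, row in enumerate(rows[1:], start=2):
        problems.extend(validate_row(header, row, lineno))
    return problems


# Constructed sample files in the layout shown in this manual.
SAMPLE_UCR = (
    "Transaction, TransactionProfile, NewFirstName, NewMiddleInitials, NewLastName, "
    "BusinessGroupProfile, CertifierProfile, IDProfile, LocationProfile, IDRecipients, PasswordRecipients\n"
    '"UCR", "Default UCR Profile", "Joe", "", "Bloggs", "Business Group Profile Name", '
    '"Certifier Profile Name", "ID Profile Name", "Location Profile Name", "My IT Support/MyCo", "My Boss/MyCo"\n'
)
SAMPLE_UMA = (
    "Transaction, TransactionProfile, UserName, DDODuration, DataOwner\n"
    '"UMA", "Default UMA Profile", "Joe Bloggs/MyCo", 3, "My Boss/MyCo"\n'
    '"UMA", "Default UMA Profile", "Joe Bloggs", 0, "My Boss/MyCo"\n'   # flat name, zero days
)

if __name__ == "__main__":
    print(validate_file(SAMPLE_UCR))   # []
    for problem in validate_file(SAMPLE_UMA):
        print(problem)
```

The UCR sample deliberately omits CompanyProfile and CountryProfile, which passes only because the hypothetical profile is registered as single-choice for those sub-profiles; the second UMA row shows the two checks most worth making before a grant of mail file access is submitted, a flat (non-hierarchical) target name and a zero-day access period.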
User Name: the target user against which you wish to apply this transaction. Example: Fred Bloggs/Acme
Password Digest Reset Profile: selecting a profile means that the transaction will run a User Password Digest Reset transaction, which clears any password digests, allowing the user to authenticate using an old password.
ID Mail Recipients: define how the list of people to be mailed the ID file is built - either using the profile, or by prompting the requester at run-time.
Passwords tab:
  Password Mail Recipients: define how the list of people to be mailed the password is built - either using the profile, or by prompting the requester at run-time.
User Name: the target user against which you wish to apply this transaction. Example: Fred Bloggs/Acme
Store on Mail Server: the user's roaming information is stored on the user's home server.
Base Roaming Directory: the root directory on the Domino server under which all roaming users' directories are created.
Roaming Folder Format: enter keywords to define how the user's own roaming folder is specified.
Client Cleanup: choose between 'Do Not Clean Up', 'Clean up Periodically', 'At Notes Shutdown' and 'Prompt User'.
Store ID in Address Book: set this to Yes to create an AdminP request to store the user's ID file in their personal address book.
Create Bookmarks DB for new Roaming Users: set this to Yes to create a new Bookmarks database in the user's roaming directory.
Create Journal for new Roaming Users: set this to Yes to create a new Journal database in the user's roaming directory.
Create Personal Directory Db for new Roaming Users: set this to Yes to create a new Personal Directory database in the user's roaming directory.
UserName (mandatory): a fully hierarchical name identifying the user for this transaction.
User Name: the target user against which you wish to apply this transaction. Example: Fred Bloggs/Acme
Prompt: Explanation
Profile: the user is prompted to select the relevant Group Profile from the list of profiles available to them.
Free Text Part of Group Name: the part of the group name that the Requester specifies. Additional elements are added to the group name to enforce naming standards and consistency as determined by the selected Group Profile.
Domain: select the domain in which this group is to be created. Although FirM supports the management of groups in different domains with the same name, the administrator may have switched on enforcement of 'globally unique group names' within the FirM configuration setup.
Calculated Group Name: the group naming rules are applied to the group name to ensure that it meets the specified requirements, such as containing only acceptable characters and meeting the minimum or maximum length. The calculated full group name is displayed, together with the Internet name if the profile specifies that one is required.
Group Owner/Sponsor: the Group Owner is the person with ultimate responsibility for the group and is usually also the billing contact. The Group Owner is also by definition a group manager for this group.
Owner Approval: depending on the group profile, the requester may be prompted to choose whether every group request has to be approved by the group owner.
Group Managers: enter a list of people who will become Group Managers for this group. Group managers are able to create requests to rename this group, change the ownership, management and administration lists, change the group description, manage the group's membership content and ultimately delete the group.
Group Administrators: enter a list of people who will become Group Administrators for this group. The Administrators are only able to change the group's membership content.
Initial Members to Add to group: the administrator may have enabled membership content to be added at the time of creation to groups created with this group profile. If so, a screen is displayed enabling initial membership content to be added. Add initial members, if required.
If the Requester is permitted to submit the request but may not authorise it, details of the request are sent to all the Authorisers listed in the profile. The Authorisers then follow the doclink in the mail and either authorise or reject the request.
If the Requester is also present in the authorisation list and the option 'enforce separate authorisation' is not selected in the relevant group profile, the request requires no further intervention.
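The Requester and Authoriser checks described here, and earlier for the User MailFile Quota transaction (valid Requesters, valid Authorisers, and the 'enforce separate authorisation' option), as an added example that is not FirM code: the three outcomes, the case-insensitive name matching and the sample profile are constructed for this illustration.

```python
"""Requester / Authoriser decision of the kind the manual describes.

Added example, not FirM code. The profile keys, the outcome names and the
sample profile are constructed for illustration.
"""


def decide_authorisation(requester, authoriser, profile):
    """Return "reject", "auto-authorised" or "needs-authorisation".

    profile: dict with "requesters" and "authorisers" (lists of Notes names)
    and "enforce_separate_authorisation" (bool). Names are matched
    case-insensitively, as Notes names are.
    """
    def listed(name, names):
        return name.casefold() in {n.casefold() for n in names}

    # The requester must be on the profile's list of valid requesters.
    if not listed(requester, profile["requesters"]):
        return "reject"
    # A named authoriser must likewise be on the authoriser list.
    if authoriser is not None and not listed(authoriser, profile["authorisers"]):
        return "reject"
    # A requester who is also an authoriser needs no further intervention,
    # unless the profile enforces separation of submitter and authoriser.
    if listed(requester, profile["authorisers"]) and not profile["enforce_separate_authorisation"]:
        return "auto-authorised"
    return "needs-authorisation"


# Constructed sample profile.
SAMPLE_PROFILE = {
    "requesters": ["Fred Bloggs/Acme", "Helpdesk/Acme"],
    "authorisers": ["Fred Bloggs/Acme", "IT Manager/Acme"],
    "enforce_separate_authorisation": False,
}

if __name__ == "__main__":
    for who in ("Fred Bloggs/Acme", "Helpdesk/Acme", "Mallory/Acme"):
        print(who, "->", decide_authorisation(who, None, SAMPLE_PROFILE))
```

With the sample profile as given, Fred Bloggs self-authorises because he appears in both lists; switching 'enforce_separate_authorisation' on turns that into a request that another listed authoriser must approve, which is the separation-of-duties control the option exists for.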
Processing checks that all relevant information is present in the request. If, for any reason, vital information is missing (although this should not be possible), the request fails with failure details written to the FirM log and to the request.
The proposed group name is checked for uniqueness in the target domain, and optionally across all managed domains. If the name is unique, a new group document is created in the Domino Directory and a shadow entry is added to the FirM Group Repository - this ensures that the group is available for management by FirM. Name uniqueness is tested against other group names, mail-in database names, user names, resource names, server names, etc.
Once processing has completed, people specified in the Notification list for the relevant group profile are sent an email notifying them of the successful group creation.
This group can now be managed within FirM.
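The Calculated Group Name prompt above and the processing steps just described (naming rules for acceptable characters and length, the Internet name, and the uniqueness check against groups, mail-in databases, users, resources and servers in the target domain or across all domains) as an added example that is not FirM code. The name mask format with a {free} placeholder, the character and length rules, and the sample directory and profile are constructed for this illustration; FirM's actual masks and rules are held in the Group Profile.

```python
"""Group naming and uniqueness checks of the kind described in the manual.

Added example, not FirM code. The mask syntax, character rule, length
limits and the sample directory are constructed for illustration.
"""
import re

# Constructed rule for this example: letters, digits, spaces, underscores and hyphens.
ACCEPTABLE_CHARS = re.compile(r"^[A-Za-z0-9 _-]+$")

# Name kinds the manual says a new group name is tested against.
NAME_KINDS = ("groups", "mail-in databases", "users", "resources", "servers")


class GroupProfile:
    """Naming rules for one Group Profile (mask and length limits are assumptions)."""

    def __init__(self, mask, min_len, max_len, internet_domain=None):
        self.mask = mask                        # e.g. "GRP-{free}-Staff"; {free} is the requester's text
        self.min_len = min_len
        self.max_len = max_len
        self.internet_domain = internet_domain  # None: the profile requires no Internet name

    def calculate_name(self, free_text):
        return self.mask.format(free=" ".join(free_text.split()))

    def calculate_internet_name(self, full_name):
        if self.internet_domain is None:
            return None
        local = re.sub(r"[^a-z0-9]+", "-", full_name.lower()).strip("-")
        return f"{local}@{self.internet_domain}"


def name_in_use(name, domain_names):
    """Which name kinds in one domain already use `name` (case-insensitive, like Domino)."""
    key = name.casefold()
    return [kind for kind in NAME_KINDS
            if key in {n.casefold() for n in domain_names.get(kind, ())}]


def check_group_request(profile, free_text, target_domain, directory, globally_unique=False):
    """Apply the naming rules and the uniqueness check; return (name, internet_name, problems)."""
    name = profile.calculate_name(free_text)
    problems = []
    if not ACCEPTABLE_CHARS.match(name):
        problems.append("name contains prohibited characters")
    if len(name) < profile.min_len:
        problems.append(f"name shorter than {profile.min_len} characters")
    if len(name) > profile.max_len:
        problems.append(f"name longer than {profile.max_len} characters")
    # Uniqueness: target domain only, or every managed domain when enforced globally.
    domains = directory if globally_unique else {target_domain: directory[target_domain]}
    for dom, names in domains.items():
        for kind in name_in_use(name, names):
            problems.append(f"name already used by {kind} in domain {dom}")
    return name, profile.calculate_internet_name(name), problems


# Constructed sample directory: domain -> name kind -> names.
SAMPLE_DIRECTORY = {
    "Acme": {
        "groups": {"GRP-Sales-Staff", "LocalDomainAdmins"},
        "mail-in databases": {"Helpdesk"},
        "users": {"Fred Bloggs"},
        "servers": {"Mail1"},
    },
    "Subsidiary": {
        "groups": {"GRP-Finance-Staff"},
    },
}

SAMPLE_PROFILE = GroupProfile("GRP-{free}-Staff", min_len=8, max_len=32, internet_domain="acme.example")

if __name__ == "__main__":
    for free in ("Sales", "Finance", "Mark@ting"):
        print(check_group_request(SAMPLE_PROFILE, free, "Acme", SAMPLE_DIRECTORY, globally_unique=True))
```

The same free text can pass in the target domain and fail once 'globally unique group names' is enforced, which is the distinction the Domain prompt draws attention to.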
Prompt: Explanation
Group Name: select the group to be modified from the list. The list only contains those groups of which you are the owner or for which you have been given management rights. This list is managed through the Group Modify function.
Elements to Update: select the group elements you wish to modify or update.
New Free Text Part of Group name: clicking on the Recalculate button applies the relevant profile's name mask and displays the new group name. The group's Internet name is also recalculated. If the new name is the wrong length or contains prohibited characters, correct the error before proceeding.
Owner Approval: depending on the Group Profile, choose whether the Owner Approval cycle is enabled.
Managers to Remove
Administrators to Add
Administrators to Remove
If a request to update the owner or managers list of the group has been made, FirM updates the group's entry in the FirM Group Repository.
If a request to update the administrators list of the group has been made, FirM updates the group's entry in the FirM Group Repository.
Once processing is complete, any people specified in the Notification list for the relevant group profile are sent an email notifying them of the modifications to the group.
If there are any incomplete AdminP requests open, the request is marked with a status of 'Pending Sub-transaction'.
Once any sub-transactions have completed, the request is marked with the status 'Complete'.
Prompt: Explanation
Group Name: select the group to be modified from the list. The list only contains those groups of which you are the owner or for which you have been given management rights. This list is managed through the Group Modify function.
Members to Add: add to this list the people you wish to add to the group.
Prompt: Explanation
Members to Remove: add to this list the people you wish to remove from the group.
Information relating to the notification of completion of this transaction is stored in the Group Profile documents.
Prompt: Explanation
Group Name: select the group to be deleted from the list. The list only contains those groups of which you are the owner or for which you have been given management rights. This list is managed through the Group Modify function.
Prompt: Explanation
Profile: if the requester has the choice of more than one Application Create transaction, a list of Application Create profiles.
Template: the name of the template on which the application should be based.
A check is made on the name of the Application database in the target domain. If an Application database already exists with that name, the request fails.
An Application database record is created in the Domino directory and is populated with information from the request. The owners field is populated using the list of owners supplied by the Requester and the list of default owners defined in the 'Application Create' profile. Similar action is taken for the administrators field.
An AdminP request is submitted to create the mail-in database on the Domino server with the supplied template name.
An Extended AdminP request is submitted to update the database Access Control List with any default database managers defined in the 'Application Create' profile.
If the 'Application Create' profile record requires the creation of a cluster replica of the mail-in database, and the target server is in a cluster, then an Extended AdminP request is created that will in turn create an AdminP request on the target server to create a cluster replica of the mail-in database.
Once processing is complete, any people specified in the Notification list for the relevant 'mail-in database create' profile are sent an email notifying them that the mail-in database record has been created.
The request remains in the state 'Pending Sub transaction' until the Extended AdminP request(s) and the AdminP request are all complete. It then changes to 'Complete'.
Mail Address: the mail-in database name of the application that will be created.
Internet Address: whether the database should also have an internet address associated with it.
Servers tab:
  Possible Servers: define one or more servers on the “Servers” tab that will be offered as a choice to the requester. If only one is given, the application is deployed on that server. If no choices are given, the requester can choose any server in the directory.
Templates tab:
  Allowable Templates: define one or more template databases that the user can use to create the target application. Note that the template database must exist on the target server for AdminP to create the database successfully.
Owners tab:
  Default Owners: enter a list of mandatory owners for all applications created using this profile. These people/groups are added as “Managers” to the database ACL and can perform any operation on those applications.
Administrators tab:
  Default Administrators: enter a list of default Administrators for this application - personnel who can manage this application, but may not delete it.
ACL Managers tab:
  Default Managers in ACL: enter a default list of one or more entities to be added to the application as default managers.
Details relating to the notification of completion of this transaction are stored in the Mail-In Database Modification profile documents.
Prompt: Explanation
Profile: if the requester has the choice of more than one Application Modify profile, a list of Application Create profiles.
Prompt: Explanation
Profile: if the requester has the choice of more than one Application Delete profile, a list of Application Delete profiles.
10.1. Architecture
FirM is a set of native Lotus Domino applications that run on an IBM Lotus Domino server. FirM manages Lotus Domino identities and resources.
FirM manages Active Directory objects and shared directories via a Windows service component called the FirM AD Service. This service is installed on target Windows servers and makes web-service calls back to the Primary FirM Processing Server to pick up outstanding work. This architecture allows FirM to manage multiple Active Directory domains or forests.
This means that four pre-requisites exist:
1. The Primary FirM Processing Server must be running Lotus Domino v7.x or above. This gives the FirM request processor database the ability to host a LotusScript web service.
2. The FirM AD Service must be installed on all Windows servers that will be used to create (or manage) home directories or user profile directories.
3. You must nominate one or more Windows servers in each Active Directory domain or forest to perform changes within Active Directory. The FirM AD Service must be installed on these servers. These servers need NOT be domain controllers, but since the FirM AD Service will create, amend and delete AD objects, the server on which these operations are performed should be as close as possible to the replication hub in your Active Directory environment, to reduce the number of AD replication events required for the changes to replicate across the environment. We advise that the FirM AD updates are performed at least within the same AD 'site' as your current AD 'root' server.
4. All Windows servers which run the FirM AD Service must be able to make web-service calls back to the FirM processing server across your intranet.
In order to manage the configuration of the Active Directory components within FirM, we make use of a DLL file which can 'browse' the Active Directory namespace. This component is required by FirM administrators. It may also be required by FirM Requesters if you make FirM Active Directory requests available to them and the profiles controlling these requests allow them to choose between multiple Active Directory containers. This file is installed by FirM when required, or you may elect to incorporate it into your Lotus Notes client distribution.
11.2.1. Prerequisites
The FirM AD Component and its accompanying setup program are both reliant on the “Microsoft .NET Framework Version 2.0 Redistributable Package (x86)”.
The MS .NET v2.0 framework must be loaded onto the target computer. This is usually downloaded automatically as part of the automatic update process, but can be manually downloaded and installed from this web site:
http://www.microsoft.com/downloads/details.aspx?FamilyID=0856eacb-4362-4b0d-8edd-aab15c5e04f5&DisplayLang=en
In particular, if you receive this error message:
This screen outlines the normal FirM EULA. Click 'I accept the
terms of the License Agreement' and then click on Next.
If the URL is incorrect – for instance, the server name does not resolve
in DNS, or the domino database name is misspelt – then “HTTP Status
404” errors will be generated.
When the FirM AD service correctly calls the FirM Processing server
and receives a correct response, it will generate a short summary of
relevant configuration information. This indicates that the service is
working correctly.
A common issue we have encountered is that the Event Log fills up
(especially if verbose level debugging is enabled). In order to prevent
the error 'Event Log Full', you can right click on the 'Application' folder
on the left pane and allow the Event Log to overwrite older events.
Finally, if the FirM AD Service does not appear to be able to
communicate with the Primary FirM Processing Server then check any
anti-virus software installed, ensuring that it is not quarantining the
service and preventing any network interaction.
...
12.2. Configuration
The normal AD configuration (from the previous chapter) should be completed and successfully tested. Once
this has been achieved, go to the AD Sync database and open the AD Sync Profiles view.
We should then create a new synchronisation profile.
Profile – If the requester has the choice of more than one AD User Create transaction profile, a list of AD
User Create profiles.
Location Profile (example: Dublin), ID Profile (example: Staff), Company Profile (example: Acme), Country
Profile (example: UK) – Each of these profile types may be set in the AD User Create profile document. If
more than one of each type is selected, then the requester is asked to choose which particular profile is most
appropriate for this operation.
Container (example: hadsl.local/Users) – If the requester has been given the ability to choose the AD
container for the target user, then the requester may use the AD browser tool to choose the relevant
container.
First Name (example: Joe), Middle Initials (example: X), Last Name (example: Bloggs) – Each of these three
name values is compared against the validation rules in the System Configuration profile. If the names pass
the validation rules, then the Active Directory is checked for uniqueness. If any name fails, the Requester is
informed and invited to re-enter them.
Password Recipient (example: Manager Bloggs) – One or more people who are to receive an encrypted mail
message containing the user's password. This is typically the new user's immediate manager.
Dynamic Fields – Depending on the settings in the User Create profile, the Requester may be prompted for
one or more pieces of 'dynamic' data, which will then be used to update the new user's 'person' document in
the Domino Directory.
The Requester then constructs the user object in Active Directory, setting all relevant AD Person object
fields. Any static or dynamic 'fields' specified in the AD User Create profile are also applied, replacing
'tokens' with run-time variables as necessary.
The userʼs initial password is stored in the encrypted Password Repository.
A UUP (Resend User ID and Password) request is constructed which will mail the userʼs AD Password to the
Password recipients listed in the initial request.
Zero or more AD Group Manage Member requests are created to add the user to groups specified in the AD
User Create profile.
Using the AD User Create profile, the correct Location profile is examined to establish the target file server.
If more than one target mail server is listed, the target server with the highest percentage of free disk space
is used as the target server (load balancing).
An external request is then issued to create the userʼs Home and Profile Directories.
Once processing has completed then any people specified within the Notification list for the relevant group
profile will be sent an email telling them that the group has been created.
The request will remain in the state ʻPending Sub transactionʼ until the AdminP requests and the external
Requests have completed. It will then progress to ʻCompleteʼ.
As with all FirM requests, logging information at every stage is created in the Log Database, Audit trail
records are created in the Audit Database, and Billing information is created in the Billing Database.
Fields and Groups tab
    Property Settings: Properties – Zero or more attribute specifications. These are similar to the Notes
    'Fields' settings in that tokens and dynamic field style specifications can be used. However, unlike
    Domino, these have to be mapped to existing AD Schema property names for the Person object; these
    can be viewed by clicking the 'Attribute' button. Care must be taken not to change 'name' information
    attributes using this method, as these fields will be updated by other AD processes.
    Default Groups: Default Groups – Zero or more AD groups that the new user will be added to. Groups
    can be added by clicking on the 'Select' button. All AD groups selected will be added to the new user
    using the selected AD Group Create profile.
Names & Shares tab
    Directory Naming, Container Naming: Generate Pre-Windows 2000 Login Name – If this is not enabled,
    then the requester will be prompted to enter the user's Pre-Windows 2000 login name. Otherwise the
    definition below will be used.
    Users Home Directory: Users Home Directory – Specify how the user's home directory will be created.
    It is important to include an existing share name in this directory specification.
    Users Home Directory: User Owns Directory – If set to Yes, the new AD user will be set as the owner of
    this new folder, otherwise the Administrator will be set as owner.
    Users Home Directory, Rights: User Access Level – Choose the user's rights for the home directory.
    Users Home Directory, Rights: Set Rights – Set zero or more sets of rights for this directory by choosing
    AD objects (using the 'Select' button) and appending the relevant rights flag.
    Profile Directory: Users Profile Directory – Specify how the user's profile directory will be created. It is
    important to include an existing share name in this directory specification.
    Profile Directory: User Owns Directory – If set to Yes, the new AD user will be set as the owner of this
    new folder, otherwise the Administrator will be set as owner.
    Profile Directory, Rights: User Access Level – Choose the user's rights for the profile directory.
    Profile Directory, Rights: Set Rights – Set zero or more sets of rights for this directory by choosing AD
    objects (using the 'Select' button) and appending the relevant rights flag.
    Script File: Script File Name – You can choose a script profile. This will result in tokens in the script
    being replaced at run time and the script file being sent to the user's home drive server. The script will
    then be run on the user's home server, allowing you to perform other common new user operations.
Sub-Profiles tab
    Locations: Locations – Choose one or more Locations relevant for this profile.
    Password: Password Distribution – Choose how you wish the password for the new AD user to be
    distributed.
User Name (example: hadsl.local/Users/Fred Bloggs) – Select an existing AD user from the directory using
the AD browser tool.
Once processing has completed then any people specified within the Notification list defined in the profile will
be sent an email telling them that the request has succeeded.
User Name (example: hadsl.local/Users/Fred Bloggs) – Select an existing AD user from the directory using
the AD browser tool.
Details relating to the notification of completion of this transaction are stored in the AD User modify profile
documents.
User Name (example: hadsl.local/Users/Fred Bloggs) – Select an existing AD user from the directory using
the AD browser tool.
Details relating to the notification of completion of this transaction are stored in the AD Group Create profile
documents.
Group Name (example: Mail Users - Swindon) – The name of the new group.
Group Description (example: Users in the Swindon Office) – A description for the new group. This will be
visible in Active Directory.
Group Name (example: hadsl.local/Users/Mail Users - Swindon) – Select an existing AD group from the
directory using the AD browser tool.
Processing will check that all relevant information is present in the request. If vital information is missing
(this should not be possible) then the request will fail, detailing the reasons for failure in the FirM log and also
in the request.
The processor then ensures that a group of this name already exists. It then updates the group's attributes to
reflect the changes requested.
Once processing has completed then any people specified within the Notification list defined in the profile will
be sent an email telling them that the request has succeeded.
14.1. Architecture.
The FirM BlackBerry interface relies on the BlackBerry Enterprise Server Resource kit (BRK). A copy of this
kit has to be installed on the FirM primary (and optionally secondary) processing servers.
[Architecture diagram: Domino, BES Server(s), Handset]
Requests entered in the FirM request processor database are then processed on the FirM primary
processing server. This server, once the request has been validated will then make calls to the BlackBerry
Resource Kit client executable. This in turn will make network calls to the relevant BlackBerry Enterprise
Server on your intranet, and perform the required transactions.
From a network perspective, this means that the FirM Processing Server(s) and all BlackBerry Enterprise
Servers must be able to communicate with each other, using whatever network protocol is utilised by the
BES server.
As all BlackBerry components are Windows-based, this does mean that the FirM Primary and Secondary
processing Domino servers also have to be Windows-based.
6. Create one or more BlackBerry Profiles. See the section titled “Configuring BlackBerry Transactions”
on page 127.
7. Create new FirM requests using these profiles.
15.1. Authorisation
The Authorisation process for BlackBerry transactions mirrors that for Domino User transactions:
A list of potential Requesters is defined on the relevant transaction profile document. Only
Requesters listed on that transaction document can create transactions based on that profile.
A list of Authorisers is listed on that transaction. If a requester is also on the list of Authorisers, then
the transaction is immediately processed.
A list of name masks is defined on the profile document, showing who this transaction can be
applied against, using that users Lotus Notes name.
Profile – A list of profiles for this transaction if the user has the choice of more than one.
User Name (example: Joe Bloggs) – Choose a user to provision a BlackBerry handset for. At this point, the
BlackBerry provision transaction will look up the user's home mail server, and try to establish whether this
home server is associated with a location which has a BlackBerry server associated with it. If not, the
requester will be prompted to select another user. If the user's home mail server is associated with more
than one location, then the requester is prompted to select the location that the user is actually associated
with (in order to choose the correct BlackBerry Enterprise Server). If the user's mail server is only
associated with one location, then that location will be displayed.
Location (Yes) – The name of a location (as you have defined within FirM) that the user's home server is
associated with, and which has a BlackBerry server associated with it.
Architecturally, it comprises two databases. These databases should be replicated to each server (and any
intermediate server on your replication path) upon which you wish to measure and track application usage.
The “Size” tab shows size information for this instance, and when it was
last updated.
The “ACL” tab shows all instances of this database. Double clicking on one shows the current ACL of this
database:
The “ACL Log” tab shows all ACL modifications for all
instances of this application.
The Shadow Group Monitoring agent provides the engine that periodically checks groups and issues
warnings of changes. This can be configured to run at any periodic interval – hourly, daily, weekly, etc.
The FirM Monitored Group Shadow repository database contains reference copies of the groups and their
contents. Every time the Shadow Group Monitoring agent runs it checks for monitored groups and creates
and deletes these documents as required. If a group's content differs from the contents of its entry in the
shadow repository then the monitor creates and sends a notification, and then updates the membership
contents of the shadow repository document so that repeated notifications for the same change are not created.
The group's entry in the FirM Group Repository contains a check box field that tells the group monitor
whether it should check this group for changes or not.
Finally, the notification profile is the template that is used by the group monitor when it creates notification.
You can tailor this notification to your exact requirements.
In order for FirM Group Monitoring to be able to monitor a group's content, the group must have been
imported into FirM for management, or the group must have been created using FirM. It is the action of
importing or creating a group that will create the group's entry in the FirM Group Repository.
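The monitoring cycle just described, as an added example that is not HADSL's code: the live directory, the group repository and the shadow repository are modelled as in-memory Python structures (in FirM they are Domino databases), and all group and member names are constructed sample data. It shows the three behaviours the text specifies: a newly monitored group is recorded without an alert, a membership difference produces one notification, and the shadow copy is refreshed so the same change is not reported on the next run.

```python
"""Added example (not HADSL's/FirM's code): a minimal model of the
FirM Shadow Group Monitoring cycle.  Names and data are constructed."""
from dataclasses import dataclass


@dataclass
class MonitoredGroup:
    """Entry in the (hypothetical) group repository: the group's name and the
    'check this group for changes' check box."""
    name: str
    monitor: bool = True


@dataclass
class Notification:
    """What the agent would render through the notification profile."""
    group: str
    added: list
    removed: list


def run_monitor(repository, directory, shadow):
    """One run of the monitoring agent.

    repository: list of MonitoredGroup (which groups FirM manages, and whether
                each is watched)
    directory:  dict group name -> set of current members (the live directory)
    shadow:     dict group name -> set of members (reference copies); updated
                in place, as the shadow repository is
    Returns the list of notifications that would be sent on this run.
    """
    notes = []
    watched = {g.name for g in repository if g.monitor}

    # Delete shadow entries for groups that are no longer monitored.
    for name in list(shadow):
        if name not in watched:
            del shadow[name]

    for name in watched:
        current = set(directory.get(name, ()))
        if name not in shadow:
            # First sighting: create the reference copy, nothing to compare yet.
            shadow[name] = set(current)
            continue
        added = sorted(current - shadow[name])
        removed = sorted(shadow[name] - current)
        if added or removed:
            notes.append(Notification(name, added, removed))
            # Refresh the reference copy so this change is reported only once.
            shadow[name] = set(current)
    return notes


def demo():
    """Three consecutive agent runs over constructed sample data."""
    repository = [
        MonitoredGroup("Mail Users - Swindon"),
        MonitoredGroup("Finance", monitor=False),   # defined in FirM, not watched
    ]
    directory = {
        "Mail Users - Swindon": {"Joe Bloggs/Acme", "Fred Bloggs/Acme"},
        "Finance": {"Anne Other/Acme"},
    }
    shadow = {}
    first = run_monitor(repository, directory, shadow)    # seeds the shadow copy
    directory["Mail Users - Swindon"].add("Sam Newstart/Acme")  # change made outwith FirM
    second = run_monitor(repository, directory, shadow)   # one notification
    third = run_monitor(repository, directory, shadow)    # nothing new to report
    return {"first": first, "second": second, "third": third, "shadow": shadow}


if __name__ == "__main__":
    for run, notes in demo().items():
        print(run, notes)
```

Unchecking the `monitor` box has the same effect as the "Prohibit all FirM Management" style settings described later: the group's shadow document is removed and no further comparisons are made for it.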
18.1. ID Backup
ID Backup is the process that will actively monitor administration requests that modify the user's ID file, send
an email to the user (requesting that they lodge a backup of their ID and password) and process the returned
IDs and passwords so that they are securely stored in FirM's ID and Password repositories.
We recommend enabling this process so that it runs on a periodic basis once per day. The process for ID
backup is as follows:
ID Backup monitors all Administration Process (AdminP) databases for domains managed by FirM
for new requests of type “Rename User”, “Recertify User” and “Update User Password”.
When a request is found ID Backup checks for an outstanding request for the user to lodge the
password & ID. If no current request is found then an email is sent to the user requesting that they
lodge their ID and password. This email contains a rich-text button containing code to return the
user's ID and password. A temporary document is created in the Escrow database – this document
contains details of the status of the backup request, all matching AdminP requests for this user,
number of reminders sent, alternative user names, etc. It has an initial status of “Pending”.
When the end user clicks on the button in the email it will check that they are the mail file owner (this
ensures that incorrect IDs cannot be lodged inadvertently by someone using delegation privileges to
access a mail file), locate the current ID, ask for the password and then create two return emails –
one for the ID file and one for the password. These emails are additionally encrypted (using the
public key in the Escrow database mail-in database document), which ensures that IDs and
passwords cannot be intercepted at any stage of the mail routing.
ID Backup monitors these returned emails, and will then create encrypted documents in the FirM ID
and Password repositories. The email returned from the user is removed, and the temporary backup
request document is updated with a “completed” status.
ID Backup also monitors outstanding notifications with a status of “Pending”. If a response has not
been received from the user within a set period of time then it will send a reminder to the user – the
total number of reminders sent to a user for any outstanding request can be specified in the ID
Backup configuration settings.
Temporary request documents for Completed backup notifications will be retained for a period of
time (in order to prevent repeated requests to back up IDs being triggered by the same AdminP
request). After this time they will be removed from the Escrow database.
Now click anywhere on the notification profile (except for on the button!) and the LotusScript edit
pane will disappear.
Now use the “Tick” button to save and close this notification profile.
The code contained within the button has now been signed with your ID. This should prevent
the end users from receiving ECL warnings when they click on the received button. If a different
ID is used to distribute code within your environment then use this ID to sign the button code –
contact your FirM support representative for help with this step if it is required.
Now change to the “Validation” tab on the Administration Tools menu and click on the “Refresh Agent
Status” button.
Locate the “Process Incoming Escrow IDs” agent and ensure that this agent is disabled (it
should have a red diamond icon against it). If it is currently enabled then this must be disabled
before enabling the ID Backup agent – click on the green diamond icon to disable it.
Now locate the “ID Backup” agent and ensure that it is set to run on the FirM primary processing
server (this can be changed by clicking on the server name and selecting the server from the
address book dialog). Enable the agent for execution by clicking on the red diamond icon.
The ID Backup process is now configured for execution.
18.2. ID Escrow
Since Lotus Notes/Domino v6, a “password recovery” mechanism has been built into the core Lotus Notes
product. ID Escrow is the alternative mechanism within FirM by which end-user ID files can be captured by
leveraging the password recovery mechanism.
ID files captured with this mechanism do not require end-user intervention, but they do require password
recovery to be performed against them before they can be used to reconstruct a Notes workstation client.
This process must not be enabled if you are running the FirM ID Backup procedure – ID Backup should be
disabled prior to enabling the ID Escrow process.
To install “Password Recovery” in your Lotus Notes environment, open the Lotus Notes Administration Help
database, and look for the document entitled “Setting up ID recovery”. The process is:
To open the administration client
Click on the “Configuration” tab
Click on the “Edit Recovery Information” option under “tools” (on the right)
Open your Notes Certifiers
Enter the Certifier password
You will see the Recovery Information Dialog screen:
Enter one or more names in the “Recovery Authorities”
Enter a mail-in database name that the modified ID files will be mailed to. We strongly recommend
that the Escrow Database is used for this purpose. See the section “Escrow Database” on page 156
for more information.
From now on, whenever a client updates their local ID file with their notes client – for instance when they
change their password, accept a new name etc. – their ID file will be automatically and (by default) silently
mailed in encrypted form to this database. (Lotus Notes v5 also performed this function, but prompted the
users for confirmation, resulting in a low success rate).
It should be borne in mind that IDs sent back in this manner must be “recovered” using the Password
Recovery mechanism before they can be used.
This method is secure, foolproof, and gives you a complete record of all ID files in use in your environment.
This process is the only reliable secure and non-user reliant method of maintaining an up-to-date ID
repository.
SUSE Linux.
“Report Unauthorised Changes to this group”. If set, FirM Group Monitoring will detect changes
made outwith FirM, and report these changes to the group owner.
“Prohibit all FirM Management of this group”. This allows you to define this group within FirM but
prevent FirM from ever changing this group. This may be useful for very high-security applications.
23.8. ID Repository
An encrypted repository containing all user IDs created in FirM.
User IDs are automatically created in this database by FirM when new users are created.
This database can also be used to store other ID files – such as server IDs, encryption keys and so forth.
An ID document has the following fields defined:
ID Type
Status – active or deleted.
Name – the full name of the user object for this ID
Previous names – if the user has been renamed, this field will contain a list of previous names.
Description – you may enter a textual description of this ID document.
Document Readers – you may further restrict who has access to this document by defining reader
names in this field.
ID File – a rich text field containing the ID file
Encryption Key Name – the name of the encryption key used to encrypt this document.
ID Strength – Global or International
Expires – the ID expiration date
Allow ID files to be resent – you may set this to “no” to prevent this ID file being sent out as part of a
“User Resend User ID and Password” request.
FirM Administration Manual v3.0 © 2009 HADSL
31 FirM Databases, page 139 of 147
23.10.Audit Repository
Stores a full audit history of actions performed by the system.
23.11.Archive Repository
Contains an archive of all completed and unsuccessful requests.
23.12.Billing Database
Each FirM transaction can be configured to create billing transactions, which can help recharge costs within
your Domino environment.
23.14.Application Monitor
A list of all Domino applications in your environment, highlighting ACLs and ACL changes
24.1. Overview
In order to illustrate how this agent works, consider an environment where there is:
One administration domain – called ʻAdminʼ.
One production domain – called ʻProductionʼ
One test domain – called ʻTestʼ.
All relevant transactions created in the ʻAdminʼ domain must be copied to the relevant other domain, i.e.
ʻProductionʼ or ʻTestʼ. These transactions also may spawn other transactions which need to be copied
around.
Consider a 'Rename in Address Book' AdminP operation. This is initiated with an
'8' = 'Initiate Rename in Address Book' operation. This AdminP request then has to be copied into the
relevant admin4.nsf database so that it can be processed and accepted by the user's home server. When
the user accepts this request, then, at least, the following requests are generated:
'1' = 'Rename in ACL'
'5' = 'Rename in Address Book'
'20' = 'Rename in Reader/Author Fields'
Each of these requests may then have to be copied around the environment into other domains to update
that user name in ACLs, names fields on documents in databases, etc.
So, considering this rename operation, we may wish to push transaction number ʻ8ʼ from the ʻAdminʼ domain
to the ʻProductionʼ domain, and then pull transactions 1, 5 and 20 from the production domain back in the
ʻAdminʼ and ʻTestʼ domains.
N.B. Other than the push around agent configuration, no other variables should be changed unless
instructed to do so by the FirM Support team.
RULENUMBER is a two-digit number starting at '01', and is used to differentiate rules. Once the
push around agent finds that a rule number is missing for a particular domain, the agent will assume
that the rules have been exhausted for this domain. It is therefore important to number your rules
uniquely and sequentially starting at '01', then '02', etc.
TRANSACTION is the AdminP Request transaction number.
DOMAIN is the target domain to which this AdminP request should be copied. There are also two
special keywords that can be used instead of the domain name:
The string '<ALL>' means copy this request to ALL other domains.
The string '<TARGETDOMAIN>' means that the push around agent will attempt to find this
object and only copy it to the relevant target domain.
Multiple domains can be specified, separated by the comma character ','.
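The rule semantics above (sequential rule numbers that stop at the first gap, the two special DOMAIN keywords, and comma-separated domain lists), as an added example that is not HADSL's code. The storage layout is an assumption: FirM's real configuration variable names are not shown here, so the rules are held in a plain dict keyed by source domain and then by two-digit rule number, and the sample rules are constructed around the rename scenario in the text.

```python
"""Added example, not HADSL's/FirM's code: evaluating push-around rules.
The rule container layout and the sample rules are constructed."""

ALL = "<ALL>"
TARGET = "<TARGETDOMAIN>"

# Constructed sample rules: {source domain: {RULENUMBER: (TRANSACTION, DOMAIN)}}
RULES = {
    "Admin": {"01": ("8", "Production")},             # push the rename initiation out
    "Production": {
        "01": ("1", "Admin,Test"),                    # pull the resulting requests back
        "02": ("5", "Admin,Test"),
        "03": ("20", ALL),
        # "04" is deliberately missing, so "05" is never reached by the agent
        "05": ("8", ALL),
    },
    "Test": {"01": ("5", TARGET)},
}
DOMAINS = ["Admin", "Production", "Test"]


def ordered_rules(rules_for_domain):
    """Yield (TRANSACTION, DOMAIN) in order 01, 02, ... and stop at the first
    missing number, which the agent treats as 'rules exhausted'."""
    n = 1
    while f"{n:02d}" in rules_for_domain:
        yield rules_for_domain[f"{n:02d}"]
        n += 1


def resolve_domains(spec, source, all_domains, target_domain):
    """Expand one DOMAIN value into concrete domains.

    '<ALL>' means every other domain; '<TARGETDOMAIN>' means the domain the
    object was found in (passed in by the caller, None if not found);
    otherwise a comma-separated list of domain names."""
    out = set()
    for token in (t.strip() for t in spec.split(",")):
        if token == ALL:
            out |= set(all_domains)
        elif token == TARGET:
            if target_domain is not None:
                out.add(target_domain)
        elif token:
            out.add(token)
    out.discard(source)          # never copy a request back onto its own domain
    return out


def destinations(rules, source, transaction, all_domains, target_domain=None):
    """Domains an AdminP request with this transaction number, found in
    'source', should be copied to under the configured rules."""
    out = set()
    for txn, spec in ordered_rules(rules.get(source, {})):
        if txn == transaction:
            out |= resolve_domains(spec, source, all_domains, target_domain)
    return out


if __name__ == "__main__":
    print(sorted(destinations(RULES, "Admin", "8", DOMAINS)))
    print(sorted(destinations(RULES, "Production", "20", DOMAINS)))
    print(sorted(destinations(RULES, "Production", "8", DOMAINS)))   # empty: rule 05 is past the gap
```

The third call returning nothing is the point of the numbering caveat: a rule that exists but sits after a missing number is silently ignored, which is easy to miss in a live configuration.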
is a fairly simple, complete example of a CSV file. (I've added the <TAB> character between columns to help
differentiate columns; these are not required.)
The FirM CSV interface allows you to import one or more transactions, of any kind, and convert them into
valid FirM transactions (should they pass validation and testing). This means that the CSV interface has to
use the header fields to establish what the data means. This also means that the columns can be in any
order.
All currently supported transaction types and field definitions are listed in the FirM administration manual.
In some instances, some fields may contain more than one logical value. In this case, separate the values
WITHIN the data field with a semicolon character. For instance, this example has two separate names in the
same data field. This will be converted into a multi-value field by the interface.
    ..., "MembersToAdd", ...
    ..., "Joe Bloggs/Acme; Fred Bloggs/Acme", ...
The important note is that the data line fields have to correspond to the same order as the
header fields.
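A header-driven reader for this CSV layout, as an added example that is not HADSL's code and not the FirM interface itself: column meaning is taken from the header line (so columns may appear in any order), a field containing ';' becomes a multi-value list, and a data line whose field count differs from the header is rejected rather than silently mis-mapped. The column names "RequestType" and "GroupName" and the transaction code "GMM" in the sample are constructed; only "MembersToAdd" and the two member names come from the page. Separators in the sample are plain commas (no tabs).

```python
"""Added example, not HADSL's/FirM's code: a reader for FirM-style CSV
input.  Sample data and the column names other than MembersToAdd are constructed."""
import csv
import io

MULTI_VALUE_SEP = ";"

# Constructed sample: the same two records with the columns in different orders.
SAMPLE = (
    '"RequestType","GroupName","MembersToAdd"\n'
    '"GMM","Mail Users - Swindon","Joe Bloggs/Acme; Fred Bloggs/Acme"\n'
)
SAMPLE_REORDERED = (
    '"MembersToAdd","GroupName","RequestType"\n'
    '"Joe Bloggs/Acme; Fred Bloggs/Acme","Mail Users - Swindon","GMM"\n'
)
# Constructed bad input: data line has fewer fields than the header.
BAD = (
    '"RequestType","GroupName","MembersToAdd"\n'
    '"GMM","Mail Users - Swindon"\n'
)


def parse_firm_csv(text):
    """Return one dict per data line, keyed by header name.

    Raises ValueError if a data line's field count differs from the header:
    the interface relies on positional correspondence, so a short or long
    line would otherwise attach values to the wrong fields."""
    reader = csv.reader(io.StringIO(text), skipinitialspace=True)
    rows = iter(reader)
    header = [h.strip() for h in next(rows)]
    records = []
    for lineno, fields in enumerate(rows, start=2):
        if not fields:                      # blank line
            continue
        if len(fields) != len(header):
            raise ValueError(
                f"line {lineno}: {len(fields)} fields but header has {len(header)}")
        rec = {}
        for name, raw in zip(header, fields):
            raw = raw.strip()
            if MULTI_VALUE_SEP in raw:
                # Semicolon inside one field -> multi-value field
                rec[name] = [v.strip() for v in raw.split(MULTI_VALUE_SEP) if v.strip()]
            else:
                rec[name] = raw
        records.append(rec)
    return records


def rejects(text):
    """True if the reader refuses the input (used to show the field-count check)."""
    try:
        parse_firm_csv(text)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for rec in parse_firm_csv(SAMPLE):
        print(rec)
```

Because records are keyed by header name, the two sample layouts produce identical results; the validation and authorisation of what those records mean is still the job of the FirM request processing described in the next section.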
Creating an Agent to programmatically create requests
There now follows an example LotusScript agent demonstrating the CSV interface.
(Options)
Option Public
Option Declare
Use "class:IMFactoryClass"
Use "class:IMCSVImport"

Sub Initialize()
    ' Agent entry point: LotusScript agents run the sub named Initialize.
    Dim IMF As Variant
    ' Items in GREEN in this listing illustrate the calls to the FirM API. All other
    ' lines are normal LotusScript operations.
    ' If this agent has to be in another database, then ALL script libraries from the FirM
    ' Request processor have to be copied to the new database, and
    ' the path to the FirM request processor passed to the IMFactoryClass
    ' create as a server, and a filepath.
    Set IMF = New IMFactoryClass("", "")
    ' Now print out the errors that FirM has returned to us, one line at a time.
    Forall thisError In E
        Print thisError
    End Forall
    ' The following line writes to the FirM log file, flagging the
    ' message as an error
    Call IMF.cLog.Write(LOG_LEVEL_ERROR, "Initialise: Failed to apply CSV line")
    Else
        Call IMF.cLog.Write(LOG_LEVEL_VERBOSE, "Initialise: Applied CSV line")
        ' This call flags the current log document with our transaction type.
        Call IMF.cLog.setCurrentRequestSummary("UDI")
    End If
End Sub
Note that you have to pass the name of the target server, and the database path name, of the IMFactory
ʻrequestsʼ database for the IMFactory object to successfully construct itself.
If you choose to put your agent in the FIRM database itself, you can replace the servername and database
name with a blank string:
Dim IMF As New IMFactoryClass("", "")
Check, by calling the IMFactoryClass::isFactoryValid() that the factory has initialised correctly
If (Not IMF.isFactoryValid()) Then
    Msgbox "The factory failed to initialise"
    Exit Function
End If
Create a new request by instantiating a new IMRequestClass object
dim IMR as Variant
set IMR = IMF.getRequestClass()
Set the request Type and who the requestor is
Call IMR.SetRequestType("UCR")
Call IMR.setRequestorAsMe()
Set the User Create profile name you wish to use. This is the name of an existing Profile for this type of
transaction:
Call IMR.setProfile("My User Create Profile Name")
Set the new request type, and gain an instance of the sub-request class type by:
dim IMUCR as Variant
set IMUCR = IMR.getRequestObject()
Now set the data for the sub-request class type. In this instance, we're setting up a User Create Request
Call IMUCR.setFirstname("Derek")
Call IMUCR.setMiddleInitials("D")
Call IMUCR.setLastName("Test ")
Check to see if this request is valid:
If (Not IMR.isValidRequest()) Then
    Msgbox "The request failed validity check. " + _
        "Check the Request Log database for more information"
    Exit Function
End If
And check that we're authorised to submit this document
If (Not IMR.isAuthorised()) Then
    Msgbox "You are not permitted to submit this request"
    Exit Function
End If
Now that we're sure that it's a valid, authorised request, let's write it out to our blank request document:
Dim docTarget As NotesDocument
' The new request document must be assigned to docTarget so that it can be written to below
Set docTarget = IMR.getNewRequestDocument()
Write the request to the document
call IMR.WritetoDocument(docTarget)
Sign and save the request
call IMR.SignAndSaveDocument()
That completes the creation and signing of a request document. The back-end process will now revalidate,
and re-authenticate the request before processing it.
Where you need to replace <yourserver> with the name of the primary FirM processing server, and
<directory> with the name of the directory in which the FirM requests are stored.
The strings defined in the request are of the form:
    field=value
Where field is the CSV column name, and value is a string representation of the value.
The web service then posts the request, and attempts to process it, before returning the status of the request
to the calling process.
This means that the Web Service call may take several seconds to complete.
An example User Reset HTTP password (URP) request would look like:
If the request fails, this is the kind of return XML you can expect:
If the request is successful, then the returned XML will look like:
In the array of returned strings, the first character is the return code. The rest of the string/array of strings is a
textual description of the issue and some means of rectifying it.