Professional Documents
Culture Documents
Table of Contents
1. Introduction ........................................................................4 Configuring Agent Trigger Profiles...........................................56
The Chairman’s Introduction.......................................................4 8. Creating a new Request..................................................57
What is FirM?...................................................................................4 Creating a single request.............................................................57
What does FirM do?.......................................................................4 Creating Bulk requests................................................................58
How does FirM handle large groups? ........................................5
What are profiles? How are they used?...................................5 9. FirM Domino User Transactions Explained................60
Does FirM work with Domino 5, 6, 7 and 8?...........................6 User Create....................................................................................60
Feature List v2.4..............................................................................6 User Modify....................................................................................64
What does FirM consist of? .........................................................9 User Disable...................................................................................65
Target Audience...............................................................................9 User Enable.....................................................................................66
HADSL – About us.........................................................................9 User Delete....................................................................................67
2. How FirM Works.............................................................10 User HTTP password reset........................................................72
User Move Server.........................................................................73
Introduction....................................................................................10 User Move in Hierarchy..............................................................74
Architecture...................................................................................10 User Move Location.....................................................................76
Workflow .......................................................................................10 User Rename Common Name..................................................78
Client Experience..........................................................................10 User Recertify................................................................................80
3. Installing FirM....................................................................11 User Resend User ID and Password........................................81
Introduction....................................................................................11 User Password Digest Enable....................................................83
Who should install FirM?............................................................11 User Password Digest Disable...................................................84
How this product is delivered...................................................11 User Password Digest Reset......................................................85
Installation & Configuration of FirM .......................................11 User Roaming Enable...................................................................86
Stage 1: Encryption key creation...............................................12 User Roaming Disable.................................................................87
Stage 2: Initial install of FirM.......................................................14 User Mail file Grant Access........................................................88
Stage 3: Basic FirM Configuration.............................................17 User Cross-Certify.......................................................................90
Stage 4: FirM System Profiles Set Up.......................................20 User MailFile Quota.....................................................................91
Stage 5: FirM User Profiles Set Up............................................22 User Move Domain......................................................................92
Stage 6: FirM Group Profiles Set Up........................................25 10. Configuring FirM User Transactions..........................94
4. Importing Certifiers & Passwords................................30 Common Tab - Authorisation....................................................94
Name Construction and Token Replacement........................95
5. System Configuration......................................................31 User Create Profile......................................................................96
Target Audience............................................................................31 User Modify Profile.......................................................................99
Introduction....................................................................................31 User Disable Profile.....................................................................99
System Configuration – Databases...........................................31 User Enable Profile.....................................................................100
System Configuration - Servers................................................32 User Delete Profile....................................................................100
System Configuration - Directories.........................................32 User Reset HTTP Password Profile.......................................101
System Configuration – Admin Settings..................................33 User Move Server Profile.........................................................101
System Configuration – Billing...................................................35 User Move Profile.......................................................................101
System Configuration – Name Validation...............................35 User Move Location Profile.....................................................101
System Configuration – Workflow...........................................39 User Rename Profile..................................................................103
System Configuration – Archiving & Expiry...........................39 User Recertify Profile................................................................103
System Configuration – Active Directory (AD)...................40 User Resend User ID & Password Profile............................103
System Configuration – BlackBerry ........................................40 User Password Digest Enable..................................................104
User Password Digest Disable................................................104
6. Administration Tools.......................................................41
User Password Digest Reset....................................................104
Config Tab.......................................................................................41 User Roaming Enable.................................................................104
Profiles Tab.....................................................................................41 User Roaming Disable...............................................................105
Monitor Tab....................................................................................42 User Mail File Grant Access.....................................................105
Import Tab......................................................................................43 User Cross-Certify.....................................................................105
'Group Restore' Tab.....................................................................43 User MailFile Quota...................................................................105
BlackBerry Management Tab......................................................45 User Move Domain....................................................................106
System Views Tab..........................................................................46
11. FirM Group Transactions Explained........................107
7. Configuring System Profiles...........................................48 Group Create..............................................................................107
Common System Profile Tab – “Fields”..................................48 Group Modify..............................................................................109
ID Profiles.......................................................................................49 Group Manage Members..........................................................111
Country Profiles............................................................................50 Group Delete..............................................................................112
Certifier Profiles...........................................................................50
Location Profiles............................................................................51 12. FirM Application Transactions Explained................114
Business Group Profiles..............................................................52 Application Create.....................................................................114
Company Profiles..........................................................................52 Application Modify......................................................................116
Internet Address Profiles............................................................52 Application Delete......................................................................117
Group Profiles...............................................................................53 13. Configuring Application Transactions.....................119
Automatic Recertification Profiles............................................55
Configuring Notification Profiles..............................................55 Common Tab – Authorisation................................................119
1. Introduction
The Chairman’s Introduction
Congratulations on choosing and using FirM - the premier solution for optimising the management of your Domino
infrastructure. Over the R5 to D7 releases of Domino the Lotus arm of IBM has worked hard to increase the value
that can be derived from your Domino infrastructure. We at HADSL are committed to ensuring that you can
unlock this value without the penalty of increased administration costs, in fact, with FirM you can match the value
gains from your Domino infrastructure with equal gains in value in your Domino administration. Our designers and
architects not only track technical changes in Domino but also follow best practice usage patterns in IT
management in general and Domino Administration in particular; to bring you a truly effective solution for
controlling and reducing your administration and management costs. With HADSL solutions you will not only keep
pace with the market, but move ahead of the market in best practice administration and management.
At HADSL we value each and every one of our customers, to make sure that you get the best from FirM and
HADSL, make sure that you give us any feedback, both good and bad on the use of any of our products or services.
We particularly urge you to let us know how you would like to see our products develop. Keeping us in touch with
your problems helps us to make sure that our solutions make your life easier.
Ian Tree,
Chairman, HADSL
What is FirM?
FirM is an Identity Management suite for Lotus Notes/Domino designed to automate group and user management.
It enables the delegation of most user and group-related administrative functions to non-IT personnel thereby
providing considerable cost savings without any loss of security and with increased service levels.
FirM is very easy to install and implement and does not require expensive code-changes to reflect your
business model.
FirM is very easy for the end-user to use.
FirM’s operations are based on ‘profiles’ held within FirM. Profiles pre-define all the technical
infrastructure-based settings of a particular type of request. This means that a business user making a
request, say,to create a new user, only needs to supply information relevant to their business needs. In the
case of creating a new user all that is required is the user’s name.
FirM’s ‘dynamic fields’ enable the FirM Administrator to specify in a profile that, when a request is made,
information specific to the request is provided by the Requester. For example, the Requester may be
presented with a question such as ‘What is the person’s new office telephone number?’. The supplied
information, in this case the telephone number, is then written to the person’s document in the
appropriate field.
FirM is based on LotusScript, which means that dedicated add-in tasks do not need to be run on the
server. Add-in tasks are a frequent cause of instability.
FirM can run on multiple servers with failover capability, giving reliable 24x7 operations.
At particular stages in a request, FirM can run Domino agents in designated databases. For example, when
a ‘User Create’ request succeeds, FirM can run an agent in a designated database and pass it all the
information from the request document.
FirM may be integrated into other applications using object-oriented LotusScript classes. This enables
group-management functionality to be simply added to an in-house application, say a web-user
management application for the intranet, by writing less than 20 lines of LotusScript code.
FirM supports a Domino multi-domain environment.
FirM allows you to create profile information on all user and group operations and allow delegation to non-
technical users, in a completely automated, secure and audited manner, thus reducingadministrator burden and
increasing service level
User Operations
● User Create. Full Lotus domino user creation with
● Load balancing - given a selection of Lotus Domino serves, FirM will choose the one with least users.
● User Delete. A multi-ability deletion process, including full retention of person document, group
membership, optional archiving of mail file to archive server, optional "data owner" workflow cycle,
allowing another user to view the mail file for a limited period of time
● User Modify. Allow modification of specific fields on a users' person document for directory maintenance.
● User Http Password Reset. Allow a non-administrator to set a new internet password for a user
● User Resend User ID and Password. Allow the sending of the latest user ID and password from the
secure repositories.
● User Disable. The addition of a user to a terminations group, preventing user access to your Lotus
Domino environment.
● User Enable. The removal of a user from a terminations group, allowing user access to your Lotus Domino
environment
● User Move in Hierarchy. Recertify a user to a new Lotus Notes certificate hierarchy, with no administrator
intervention whatsoever.
● User Recertify. Recertify a user with his existing certificate to extend access to your Lotus Domino
environment.
● User Move Server. Move a user (and their mail files) to a new Lotus Domino server automatically.
● User Move Location. Move a user (and their mail file) from one location to another, optionally removing
the user from location specific groups and adding the user to new location specific groups. Also recertify
the user to a new hierarchy if required.
● User Grant Mail File Access. Grant temporary mail file access to a users mail file to another person.
● User Password Digest Enable. Enable user password periodic changes for a user
● User Password Digest Disable. Disable user password periodic changes for a user
● User Password Digest Reset. Allow access to a user if they have exceeded their password change time
period.
● User Roaming Enable. Set the user to a "Roaming" style ND6 user. .
● User Roaming Disable. Stop the user being a "Roaming" style ND6 user. .
Group Operations
● Group Create. Create a new Lotus Domino group with full authentication and delegation rights.
ApplicationOperations
● Mail in Database Create. Create a new application and all relevant replicas from a list of allowed templates.
Populate the applications ACL’s and grant modification access to the application owner. Set the application
quota and warning thresholds. Create a directory mail-in database entry in the Domino directory.
● Mail in Database Delete. Remove a mail in database and all replicas, the groups associated with this mail-in
database, and the directory mail-in document itself.
● Scanning all applications and providing user usage and ACL change log information across all databases in
your environment.
● Group Manage Members: Add or remove users from Active Directory groups
BlackberrySupport
As of version 2.4, FirM supports the followingBlackberryhandset operations:
● ProvisionHandset
● Disable Handset
● Delete Handset
● Kill Handset
Automated Tasks
● Automatic User Recertification: Users can be automatically recertified should they match an
administrator-defined profile
● User Expiration. You can specify when a User should be expired from the system. A pre-set number of
days beforehand, an automated message will be sent to the person's manager asking them to confirm or
reject deletion of this user. Should the manager do nothing or confirm deletion, the user is deleted on
that specified date.
● Group Expiration. You can specify when a Group should be expired from the system. A pre-set number
of days beforehand, an automated message will be sent to the group's owner asking them to confirm or
reject deletion of this user. Should the manager do nothing or confirm deletion, the Group is deleted on
that specified date.
● AdminP Push around. FirM supports multi-domain environments, and allows the administrator to specify
which AdminP transactions should be copied between the various domain admin4.nsf databases.
Security Features
The ID Repository, Password Repository and Certifier Repository are all encrypted databases with each database
using a different encryption key.
The system maintains a complete audit history of every processed transaction.
Target Audience
This document is targeted at the FirM Administrators, likely to be Notes Super-Administrators who will configure,
monitor and maintain FirM.
It is assumed that these people are:
● Notes Administrators with Notes Administration access to their Domino environments
● Skilled Notes Administrators with at least three years experience of Domino Administration, PCLP
accreditation for Release 5 onwards or both.
HADSL – About us
HADSL is an IBM Business partner, and BlackBerry business parter. Its sole focus is the FirM suite of Identity and
Resource Management tools.
FirM comprises a core team of highly experienced Domino consultants and 10+ associate consultants. The core
FirM team includes:
● Bill Buchan. Bill is a dual-PCLP in Domino v3, v4, v5 and v6, as well as dual-CLP in ND7. He is a 10-year
veteran of Lotus Domino. He was invited to present at Lotusphere 2005-2008. As well as Domino
qualifications, Bill is also IBM Websphere v4 certified, Portal v5 (admin and development) certified, Java v2
programmer and Microsoft MCSE/NT certified. He has worked on Enterprise-level groupware projects
since 1995, all over Europe.
● Richard Sampson. Richard is a PCLP (application development) for Domino v4, v5 and v6 and has been
developing solutions for Notes and Domino since 1996 for firms including BDO, Lotus/IBM,JP Morgan
amongst others. He has worked as an accountant, and has an honours degree in Physics.
● Roy Holder. He started his IT career in mainframe operations and has been involved in corporate IT ever
since. He started with Lotus Notes v3 and has been involved with Domino for 10 years.
● Tony Holder. Tonyis our Commercial & Sales Manager, and has 10 years direct experience in the Lotus
Domino market.
● Ian Tree. Ian is our business Mentor and has been in IT for the last 30 years, at senior management and
technical positions.
Our multi-discipline team means that you get the best knowledge and the best product
Architecture
Architecturally, FirM is a number of Lotus Domino databases. The entire set of these databases reside on the FirM
processing server (or servers, should you choose to have a backup FirM processing server).
A subset of these databases can be replicated throughout the Domino environment to allow requesters (people
who request FirM tasks) to interact with FirM.
The processing server need only be a supported version of Lotus Domino server, running on a supported server
platform. Typically, this server will also bethe Administration server for that environment.
FirM can manage single or multiple Lotus Domino domains.
Workflow
Within FirM, there is a two-stage workflow process.
The person creating the request (The “Requester”) may also be allowed to “Authorise” the request. In this case,
the request is processed immediately.
Should the Requester not be permitted to authorise this request, then details are mailed to personnel allowed to
authorise this request. One of these group of people can then Authorise or reject this request.
Client Experience
The requester interacts with FirM via a Lotus Notes client. They can only see options that have been made
available to them, and every item of information is validated before proceeding.
From v2.1.01 onwards, web clients are now supported. See “Web Interface Client Experience” on page 150 for
examples of this.
3. Installing FirM
Introduction
This document contains a step-by-step guide to the procedures that must be followed to install and set up FirM.
The installation instructions are written for Domino administrators and assume familiarity with basic Domino
administration tools and procedures.
If problems are encountered please contact your sales consultant, who will be able to provide assistance and route
your question to technical support if necessary.
6. Access to the server console, either physical access or through a remote server management tool such as
PCAnywhere, VNC etc..
7. The certifier ID(s) for all hierarchies to be managed together with the password(s) for these certifiers.
Note that FirM does not currently support certifier IDs that have been set up to require multiple
passwords.
FirM uses three encryption keys to keep sensitive files and passwords secure.
The three keys are created in the server’s ID file and are subsequently imported into the administrator’s ID file.
N.B. Problems have been experienced when passing the keys between the ID files in the other direction due to
differing degrees of security in the two ID files. Please ensure that the encryption keys are created in the server’s
ID file and then imported into the administrator’s ID file.
These encryption keys are called:
● iDM Certificate Encryption Key
● iDM Password Encryption Key
● iDM ID Encryption Key
h) Name the key ‘iDM Certificate Encryption Key’. Enter the name without
quotes and retain capitalisation.
i) Choose an appropriate encryption type, e.g. North American, International,
ND6+, etc. (if the option is available). Enter a description for the key and
click ‘OK’.
N.B. The encryption keys do not need to be distributed to users or administrators in order for them to operate
FirM. The only server IDs that require these encryption keys are the FirM primary (and optionally secondary)
processing servers. You should store these encryption keys securely in the same manner that you normally secure
certificate files.
2. The installation process will generate a number of requests to sign databases with the server ID which, by
the time this point is reached, should have all completed successfully. If some requests are still pending
then their processing may be expedited by issuing the ‘tell adminp process all’ command at the server
console.
3. Where specific security standards require that databases be signed with a special development ID, this
must be carried out manually.
4. Configure the Access Control Lists for the FirM databases as required. Only FirM Administrators should
be members of the [Administrator] role.
5. Replicate a copy of the FirM Extended AdminP database to each Domino server that will host users
and/or applications managed by FirM.
During the installation phase, the primary processing server will be requested to sign the FirM Request Processor
database with the server's ID file. In many cases, the server will be listed in the Administration Execution Control
List (ECL). Should the server NOT be listed in the Domino Administration ECL, the FirM Request Processor
database may be signed with the normal ‘application signing’ ID file.
Later, the scheduled agents in the FirM Request Processor and, optionally, the FirMExtended AdminP databases will
be signed with an ID capable of running restricted agents.
e) Click on ‘Edit the System Configuration’ and edit, if necessary, the following :
g) ‘Servers’ tab:
● The ‘Primary server’ field must contain
the fully qualified name of the FirM
Domino server.
● The ‘Secondary server’ field should be left
blank until the correct configuration and
operation of FirM has been confirmed.
Once FirM has been installed and is
working correctly, return to this field and
specify a secondary server if increased system resilience is required.
● Accept the default value for ‘Secondary Server Delay’ (5 minutes).
h) ‘Directories’ tab:
● Use the ‘Add Entries’ button to add the
directories to be managed by FirM. Each
directory (names.nsf) should have both an
Admin4 database (admin4.nsf) and a ‘Deny
Access’ group specified for that domain.
● Note that the installer creates the first ‘default’ directory entry
but cannot at that stage define the terminations group used in
the environment. It is therefore important that the default
entry be edited post-installation to define a terminations group
for the primary environment.
● The ‘Edit Entries’ and ‘Remove Entries’ buttons can be used to
manage the directories list.
j) ‘Billing’ tab:
● Billing information is only written to
the FirM Billing Repository database
when ‘Enable Billing’ is set to ‘Yes’.
● Select each request type to be
recorded in the Billing Repository
database.
l) ‘Workflow’ tab:
● Accept the default of 3 hours for ‘Notify
Every:’
● It is recommended that all days, i.e. Sunday
through to Saturday, arechecked in
‘Notification Window Days’
n) ‘AD’ tab:
● Active Directory support may be enabled by clicking the ‘Yes’ radio button. A licence for Active
Directory support must have been purchased to enable this extension.
3) The ‘Add Certifier’ file-attach dialogue will be displayed. Select the certifier ID file to be imported. Type the
password for the certifier into the next dialogue and then reconfirm the password. Note: certifiers requiring
multiple passwords cannot be used with FirM.
e) Static and dynamic field settings and default groups can be specified if necessary.
f) Click on ‘Save’ or ‘Close’.
g) Repeat these steps for as many locations as necessary.
8) System ID Profiles specify the type of ID to be generated in a given user request. To create an ID profile, click
on the ‘System ID Profiles’ radio button and do the following:
a) Click on ‘Create a new Profile‘
b) System ID profiles allow for the comprehensive specification of
IDs; for instance, International or North American, the
recertification period, whether a mail file should be created, etc..
Note that the mail template name refers to the actual file name
of the Domino template which must exist on the server. It is
possible to specify different classes of user ID with this profile type – e.g. ‘Staff’, ‘Contractors’, ‘and
Functional Ids’, etc..
c) Static and dynamic field settings and default groups can be specified if necessary.
d) Click on ‘Save’ or ‘Close’.
e) Repeat these steps for as many ID Types as necessary.
9) System Business Group Profiles are optional.
10) System Country Profiles are optional.
11) System Agent Trigger Profiles are not relevant during this initial set-up of FirM.
12) System Notification Profiles. At each step of the process of executing a transaction, an admin-defined
notification email may be sent. A default set of notification profiles is supplied with FirM and these may be
changed as necessary. A tag language enables different parts of the request to be inserted into the message;
for instance, the name of the requested user ID.
2. Click on the ‘User Create profiles’ radio button and perform the following steps:
Click on ‘Create a new Profile’
Give the profile a meaningful name (e.g.
‘London Staff User’)
In the Fields and Groups tab specify static and dynamic field settings and default groups as
necessary.
3. Similar profiles must be created for each type of user request that FirM is able to process. For example,
User Modify, User Delete, User Disable etc..
In profiles other than the ‘create’ profiles an additional sub-tab will be found in the Authorisers tab – the ‘Users
Managed by this Profile’ tab. This should contain a name mask, such as ‘*/ACME’, thereby restricting who can be
deleted, renamed, etc., using this profile.
● In the Name tab, the mask for the group name is created. If a
group is not to be given an Internet address when it is
created then the Internet Address field should be left blank.
The tag ‘<GROUPNAMEUSERELEMENT>’ will be replaced
with the user’s descriptive element of the group name.
● The final three tabs are ‘Request’, ‘Authorise’ and ‘Notify’.
These fields need to be populated with the names of people
who are able to request and authorise the creation of a group.
The rights for modification, deletion and management are
governed by the group’s entry in the database ‘FirM Group
Register’.
● The Notification tab allows the person to be specified who
will be notified when a request progresses through the workflow for the creation, management or
modification of a group created with this profile.
● Click on ‘Save’ or ‘Close’.
3. Repeat for as many different types of group profiles as are necessary. It is possible and perfectly normal to
have more than one type of profile for each group type. This is useful when different naming conventions
must be enforced for, say,a global mailing group as opposed to a regional mailing group, and to assign the
authority to create each of these group types to different people or groups of people.
4. At a minimum there must be a profile defined for each of the basic Domino group types Mail Group, ACL
Group, Multipurpose group, Server Group and Terminations (Deny only) group.
In order for a group to be managed with FirM it must have an entry in the FirM Group Registry. This entry contains
information about the group such as which profile it will use, which domain it belongs to, and who are the Owners
and Administrators of this group.
The roles of Owner and Administrator are described in the FirM Help database, but broadly an Owner is a person
who is able to modify the group’s list of owners and administrators, manage the content of the group, and request
the group’s deletion. An Administrator is a person who is only able to manage the content of the group.
A typical Domino installation will have many groups in each Domino
Directory, and the import utility is used to create Group Registry
entries for each of these groups. The tool is run from the FirM
Request Processor, and is accessed from the ‘Tools’ button under
‘Import Group(s)’.
1. Click on the ‘Tools’ entry in the menu on the left-hand side
of the screen.
2. Click on ‘Import’ tab, and ‘group’ sub-tab.
● Click on ‘Import Groups’
● You will be presented with a dialog with
instructions. Click on 'Forward' to continue.
3. If groups have been imported into a Draft status, open the FirM Group Registry, navigate to the Draft
Groups view, and once the group entry is confirmed to be correct, select the group from the view, and use
the ‘Tools’, ‘Flag selected groups as Live’ action to mark the group as live for management.
4. This operation must be carried out for every directory that contains groups that are to be managed.
1. Open the FirM Request Processor and select the 'Tools' menu from the left hand side. When the control
panel appears, select the 'Monitor’ tab, then the ‘Scheduled Agents' tab.
If the two passwords match, the certifier and password is imported into FirM.
During this process, the ID file provided is checked to ensure that it is a certifier file,
and its certifier hierarchy is extracted. FirM then checks to see if these already exist in
the FirM certifier repository and the FirM Password repository. If they do, the old
versions may be overwritten with the new versions if desired.
The Certifier has now been imported into the FirM Certifier repository.
5. System Configuration
Target Audience
This section is intended for use by the FirM Administrator.
Introduction
The System Configuration dialog box contains all system-wide configuration settings for FirM. The users never see
this dialog – only the FirM Administrators. This is usually set up at FirM installation time, and is not normally
updated.
To navigate to the System Configuration Pane, click on the Tools option,followed by the “Config” tab.
● In the ‘File Locations’ tab two temporary directories must be specified. The first temporary directory
(Local Temporary Directory) is located on the administrator’s workstation and is used during initial set-up
and when certifiers are imported in to FirM. The second temporary directory (Server’s Temporary
Directory) is located on the server, is used to run scheduled agents and is required for the normal
operation of FirM.
● These directories will temporarily contain items such as certifier IDs, user IDs etc.. It is important that
these directories are not accessible to users. These directories must be created manually. Should these
directories not exist, then the normal ‘temp’ directory defined on the operating system will be used.
● On a Unix-based system (such as Linux, AIX, Solaris,HP/UX for instance), the directory should be
specified in the form ‘/tmp/’, using forward slashes to separate directories. On a Windows-based system,
the directory should be specified in the form ‘c:\temp\’ where a drive letter followed by a colon and the
backslash character is used to separate directories.
● The contents of the fields on the other tabs have been automatically populated by the installer. These
values should be changed only if the databases have been renamed or moved.
● Note that the installer creates the first ‘default’ directory entry
but cannot at that stage define the terminations group used in
the environment. It is therefore important that the default
entry be edited post-installation to define a terminations group
for the primary environment.
● If more than one domain is to be managed, then the directory
and the admin4.nsf database should be replicated on a
scheduled basis from the other domains onto the primary (and
secondary server, if defined). The other domains’ directory and
administrative databases can then be added to this list of
domains to be added.
It is important that if more than one domain is to be managed,
that each domain has a unique domain identifier set in the
directory profile in each directory database. This can be
updated by:
● Opening the directory database
● Clicking on the Actions menu, and then ‘Edit Directory Profile’
● Editing or updating the ‘Domain defined by this directory’ field.
● The ‘Edit Entries’ and ‘Remove Entries’ buttons can be used to manage the directories list.
● The ‘Default FirM Administrator’ is used in conjunction with notification profiles to enable an
administrator, group of administrators or mail-in database to receive notifications. Default administrators
can also cancel requests.
● The default value for ‘Automatic recertification’ of ‘Disabled’ should be used for initial installation.
● If you wish to monitor groups, enable the Group Changes Monitoring. This will then allow the selection of
groups in the Group Registry for monitoring. Should any monitored groups be changed, the changes are
noted and communicated to selected users.
● Allows the definition of a
rich-text footer which will be
appended to all notification
messages generated by FirM.
This can be used to add
graphics, as well as a standard
footer explaining to the user
that this is a system-
generated email message.
● The”Allow Extended AdminP to Update Person Documents” flag defaults to “No”. If this is set to “Yes”, and
the “Check Mail Users MailFile Quota” agent in the Extended AdminP database is set to process, there will be
a large initial update to every person document in the environment. See the section titled “User MailFile
Quota Management” on Page 166 for more information before setting this flag.
● If the flag “Allow Extended AdminP to Update Person Documents” is set, then the administrator should
define fields on the person document that will be used to hold User Quota Management information. Note
that these fields need NOT be added to the “Person” form in order to make these fields visible.
● “If a user does not have a MailFile quota Set” allows the administrator to define how users without existing
bands are set. It is recommended that the setting “Set to level above users current MailFile size” is used in the
first instance, as this allows mail file quotas to be set without initially locking users from their mail files.
‘Name Validation’tab, ‘First Name’, 'Middle Initials' and 'Last Name' subtabs:
● Is required – check this box if this name field is required.
● Minimum Length – this defines the minimum length (in characters)
allowed for a first name in your environment.
● Maximum Length – this defines the maximum length (in characters)
allowed for a first name in your environment.
● Allow Non-ASCII – checking this box allows characters other than A-Z,
a-z in this name field.
● Allow Numbers – checking this box allows number characters 0-9 in this
name field.
● Allow Underscores – this allows the underscore character ‘_’ to be
used in this name field.
● Allow Hyphens – this allows the hyphen character ‘-’ to be used in this
name field.
● Allow Punctuations – this allows punctuation characters such as ‘;’, ‘,’ etc.
to be used in this name field.
● Allow Spaces – this allows the space character to be used in this field. This
could allow people with two words in their first name – for instance, ‘Jan
Willem’.
● Force Case. This forces this name field to be one of the following:
● No Change. No case changing is performed. For example if the
requester types in ‘jan williem’, it is left as ‘jan williem’
● All Lowercase. The name field is converted to lowercase. For
example if the requester types in ‘Jan Williem’, it is converted to
‘jan williem’
● All Uppercase. The name field is converted to uppercase. For
example if the requester types in ‘jan williem’, it is converted to
‘JAN WILLIEM’
● Propercase. The first letter of each word is made uppercase, and the
rest of the word made lowercase. For example if the requester types in
‘jan williem’, it is converted to ‘Jan Williem’
● Allowed Characters. This allows the definition of non-ASCII characters
allowed in name fields, without allowing every possible non-ASCII
character.
● REJECTED – these are requests where the Authoriser has declined the transaction.
● CANCELLED – requests that have been cancelled by the Requester, an Authoriser or the default FirM
administrator will be archived according to this setting.
● FAILED OR INVALID – requests that have failed processing or rejected due to broken signatures will be
archived according to this setting.
Requests that are awaiting processing, deferred or awaiting approval will never be archived.
FirM has the ability to create and monitor groups and users for auto-expiry. That is to say, that a date can be set
after which an automatic deletion workflow will remove them from the environment.
This facility is not currently available from the standard FirM UI and is only accessible from the FirM LotusScript
API – this facility may be accessible from the UI in a future release of FirM.
The three settings relating to the automatic expiry of users and groups should therefore be ignored in the standard
install of FirM and only changed under instruction of HADSL or one of its resellers.
System Configuration –
BlackBerry
6. Administration Tools
The Administration Tools panel is accessible only to FirM Administrators – people who have the ACL role
[Administrator] enabled. To access the administration tools, click on “Tools” on the left hand navigator in the FirM
Request Processing database.
The Administration Tools assist the administrator in the set-up, configuration and day to day running of the FirM
application.
Config Tab
The Config Tab enables the administrator to:
● View and edit the global system configuration. See the
section titled “System Configuration” on page 31 for
more information.
● Update the License key within FirM. This may be
necessary from time to time with new releases in
order to enable new transactions. To Update your
license key,
● Click on “Update the FirM License”
● Copy and paste the License key information
supplied to you by HADSL into the relevant
fields
● Click on “Update License.
Profiles Tab
The Profiles tab allows the administrator access to the FirM
profiles that define how each transaction should be processed.
● See the Section entitled “Configuring System Profiles”
on page 48 for more information on the system profile
tab
● See the section entitled “Configuring FirM User
Transactions” on page 94 for more information on the
User Profiles tab
● See the Section entitled “Configuring Application
Transactions” on page 119 for more information on the Application Profiles
● See the section entitled “Configuring AD Transactions” on page 136 for more information on the Active
Directory Profiles.
● See the section entitled “Configuring BlackBerry Transactions” on page 146 for more information on the
BlackBerry profiles.
Note that the Active Directory and BlackBerry profiles will only be visible if these options are switched on (and
you are properly licensed to use these transactions) within the System Configuration Screen. See the section titled
“System Configuration” and the sub-sections sections on Active Directory and Blackberry on page 40 for more
information.
Monitor Tab
The Monitor tab assists the administrator in
viewing the current status of the FirM
processing environment.
Import Tab
The Import tab is used to import various objects to the FirM
Environment.
● The Certifier ID sub-tab allows you to import new
Certifier ID's into the FirM processing system. See the
section entitled “Importing Certifiers and Passwords”
on page 30 for more information on this.
BlackBerryUsers sub-tab
The BlackBerry Users sub-tab allows you to view all
BlackBerry handset users that FirM has detected within the
BackBerry Enterprise servers defined within System Location
Profile documents.
BlackBerryServers sub-tab
The BlackBerry Servers sub-tab shows all BlackBerry servers
defined in location documents within the FirM environment.
System Variablessub-tab
The System Variables sub-tab shows internally
defined system variables used by FirM. These
variables are used to override default system
behaviours, and as such should not be changed
unless expressly instructed to do so.
If you open one of these variables, you can observe the variable name
and its value.
Defining Fields
Fields. Define fields that are created on the new users Person document. For instance:
● OfficePhoneNumber=121-212-232-1212
o Will populate the field “OfficePhoneNumber” on the person document with the value “121-212-
232-1212”. This is useful for defining static information that is common for all users created using
this profile type.
Owner,AUTHOR=LocalDomainAdmins
o This will create a field called “Owner”, set it as an Author field, and assign it the value
LocalDomainAdmins.
Groups
Groups. Should one or more groups be added to this field, then all users created using this profile will be
automatically added to these groups.
ID Profiles
ID Type profiles are mandatory profiles used during a User Create
process. One or more of these profiles may be associated with a
particular User Create profile.
The profile has four tabs:
The details tab allows you to enter this ID profile name. It is recommended that you use Profile names that are
meaningful to your business, as these names may be visible and used for choices during User operations.
● Notes ID Type. Lotus Notes supports two Notes Client key lengths - 64 bit (International) and 128 bit
(Global or US).
● ID Validity in Days. Typically this would be measured in years (720+ days ) for full time staff, or in
hundreds of days for Contractors. Note that setting this value to a lower number means more
administrative work recertifying these people.
● Password Length. The length of password that FirM allocates these people when they are created.
● Minimum Password Length: The minimum length of password that these people have to use when they
choose a new password.
● Create HTTP Password: This should be set to ‘Yes’ to allow FirM to create their Internet (or ‘HTTP’)
password at the same time that the users are created.
● Password Change interval. This value is written to the new users’ Person document in the directory, and
dictates how often the new user should change their password.
● Grace Period. This allows the user to NOT change his password beyond his change interval – usually 14
days or so. Only after the password change interval AND the grace period have expired is the users
account locked by Domino.
● Password Digest Enable Profile. If a Password Digest Enable profile is selected here, then the User
Password Digest function is ran after a user is created, using the details defined in the selected profile.
● Roaming Profile. If a Roaming Enable profile is selected here, then the User Enable Roaming function is ran
after a user is created, using the details defined in the selected profile. (Note that Roaming User enable is
only relevant in Domino v6 or above)
● ID File Name. This field allows you to define how the users’ ID file is created.
● It should be noted that the user’s mail server is determined using their Location Profile.
Country Profiles
Country profiles are profiles used to help define country specific
information in the User Create and the User Move Location processes.
Zero, one or more of these profiles may be associated with a particular
User Create profile. You must, however, associateone Country profile
with each Location profile.
The first tab allows you to define the name of this country profile. Care must be taken to define profile names that
are meaningful for your business users – as the country profile names may be visible and offered as choices during
user transactions.
Certifier Profiles
Certifier profile documents contain information on how to use the
certifier within the User Create, User Move and User Rename
transactions.
There are three sets of information in the certifier profile document.
The detailed information tab:
The Textual Name field is used to distinguish certifier profiles to Requesters and should therefore have some form
of meaningful name that can be easily understood.
The Certifier Hierarchy field is picked directly from the Certifier Repository's list of certifiers and cannot be
edited. This ensures that this certifier profile always points at a valid certificate entry in the Certifier Repository.
This hierarchy field is also used to find the certifier password from the Password Repository.
Location Profiles
Location profiles are mandatory profiles used in the
User Create Process, and explicitly chosen in the User
Create profile document.
● ‘Name’ Field allows definition of this Location
profile. Care must be taken to define profile
names that are meaningful for your business
users – as the location profile names may be
visible and offered as choices during user
transactions.
● The ‘Target Mail Servers’ field contains a list
of one or more target mail servers relevant
for this location name. In the above example
there is one mail server named. This server
will be the one chosen for the user’s target
mail file.
If there is more than one mail server
explicitly named in this field, the load
balancing rule defined below will be used.
● If one or more servers are specified in the
Replica Mail Servers field then all users created using this profile will have replicas of their mail files
created on these servers.
● This location should be associated with a particular Country profile. This allows the User Move Location
transaction to calculate groups associated with Countries and Locations.
● The load balancing method for this method should be used. If there is more than one server to choose
from, FirM will use one of these rules to decide which server is most appropriate. The choices are::
1. Least Users. At the moment the new user is created, the directory will be queried to establish the
server with the fewest number of users.
2. Most Free Disk Space . At the moment a new user is created, the System Extended AdminP view
“Server Heartbeat” will be queried to establish which server has the most available free disk space.
3. Most Percentage Free Disk Space. At the moment a new user is created, the System Extended
AdminP view “Server Heartbeat” will be queried to establish which server has the most available
free disk space.
Company Profiles
Company profiles are non-mandatory profiles used to help define
country specific information in the User Create process. Zero, one or
more of these profiles may be associated with a particular User Create
profile.
‘Name’. Care must be taken to define profile names that are meaningful for your business users – as the Company
profile names may be visible and offered as choices during user transactions.
‘Name’. Care must be taken to define profile names that are meaningful for your users – as the Internet Address
profile names may be visible and offered as choices during user transactions.
‘Internet Domain‘. Enter the domain part of the Internet Address in this field, for instance “hadsl.com”. Do not
include “@” in this field.
‘Local-Part Construction‘. Enter the tags required for constructing the local part of the Internet Address in this
field. For instance, “<FIRSTNAME>.<LASTNAME>”. These tags will be replaced during request processing, when
the Internet Address is calculated.
Group Profiles
Group Profiles define the type of groups that users are allowed to create with FirM.
Fields Defined:
● Trigger Event - This is the transaction type. For
example, a User Create transaction.
● Trigger Name - This is a transactional stage. In
this case, a notification message is sent out at the
‘SendID’ stage of the User Create transaction.
● Principal - The name that appears in the ‘From’
field of the mail message that the user or
administrator receives, regardless of where this
agent runs. This is useful to demonstrate to
users that this email address is non-functional,
and should not be sent mail. It can also be used
to differentiate error messages from status
messages and from informational messages.
● Recipients - To, CC,BCC. In many cases, the
users receiving this message are set by the process. In the case of the UCR-SendID file notification, the
person to whom this message is sent is named in the transaction as the ‘ID Recipient’. The ‘To,CC, BCC’
fields can hold additional names of people who will also receive this message.
● Attach files: You may define files that are attached to the email message from the hard drive of the FirM
processing servers. (This feature may be more conveniently performed by attachingthe files within the
Rich Text footer – see below.
● Encrypt mail message - If this is set then only the Notes user(s) intended to get this message can read this
message. In the case of User ID files and passwords, it is strongly recommended that this is set to ‘Yes’.
● Keep Private: Switching this to “Prevent”.. ensures that the recipient of the notification cannot print,
forward nor copy the notification to the clipboard,
● View Icon Number: By selecting a view icon number, the notification is sent and a view icon displayed in
the recipient’s inbox. This is useful in differentiating system created mail messages or messages that
require urgent attention from other email messages.
● Subject line - Enter the subject line text that the
user receives, with optional tokens to be
replaced at run-time. For instance, during this
User Create transaction, the token ‘<firstname>‘
is replaced with the user’s first name, etc..
● Body Text - The text that appears in the body of
the mail message. Tokens may be included.
A “Checking security
settings” dialogue will appear for a few seconds. At this
point in time, FirM is establishing (by looking up all FirM
profiles) precisely which transactions this particular
requester may be able to see.
The requester may now select one or more names to perform the selected transaction
on. In this case, the requester has chosen to select a number of names from the address
book.
All of the names entered are then validated against the directory to ensure that they
exist. The list of Accepted and Rejected users is now shown.
The requester may now be prompted for a profile name for this particular
transaction. In this case, the requester has been prompted for a “Delete
User” profile name.
The transaction is now performed against all selected users and a status for each
selected user is displayed.
Walkthroughof transaction
To create new request, select“New Request” and click forward to the
request selection dialog. Now select ‘User Create’.
The requester may be prompted for the name of a user create profile.
Select one and click “Forward”
Depending on the settings in the User Create profile, the Requester may
be prompted for one or more pieces of ‘dynamic’ data, which will then
be used to update the new user’s ‘person’ document in the Domino
Directory.
Click on the “Tick” mark on each piece of Dynamic Data.
FirM Processing
The Requester of the transaction will be compared against the
Requester and Administrators fields in the User Create profile. (See
“User Create Profile” on Page 96). If the Requester is not allowed to
submit this request then it will fail.
Processing will check that all relevant information is present in the request. If vital information is missing (this
should not be possible) then the request will fail, detailing the reasons for failure in the FirM log and also in the
request.
The processor makes exhaustive checks to ensure that the user names requested (Notes Full Name, Short name,
Internet Name and common name - all are configurable in the System Configuration Profile) are unique across all
domains managed by FirM.
The Requester then constructs the user ID in the home FirM directory (irrespective of target domain) - and then
moves that record to the correct domain. (This is a notes limitation). Any static or dynamic ‘fields’ specified in the
User Create profile, or any of the six system Profiles (ID, Location,Certifier, Company, Country or Business Unit)
is also applied, replacing ‘tokens’ with run-time variables as necessary.
The user’s Notes ID (if requested by the ID profile) and the user’s initial password are stored in the encrypted
User ID repository and the Password Repository.
A UUP (Resend User ID and Password) request is constructed which will mail the user’s Notes ID (if created) and
their password to the ID and Password recipients listed in the initial request.
Zero or more group manage member requests are created to add the user to groups specified in the User Create
profile, and any of the six system profiles (ID, Location, Certifier, Company, Country or Business Unit) is also
applied, replacing ‘tokens’ with run-time variables as necessary
Using the User Create profile, the correct Location profile is examined to establish the target server. If more than
one target mail server is listed, the target server with the fewest users (according to the Domino Directory) is
used as the target server (load balancing).
The users’ primary replica mail file path is then constructed, together with the cluster mail file if this has been
specified. Otherwise the cluster mail file name will be the same as the primary replica mail file path.
An Admin4 request is then issued to create the user’s primary replica database:
● On the correct target server
● Using the template name, quota and trigger level specified in the ID profile
● Adding the user's name to the mail file ACL at the level specified in the ID profile.
If a cluster replica mail file/s is/are specified in the ID profile, and the server is part of a Domino cluster (again,
established from the Domino directory), then an Extended AdminP request is constructed, which:
● Replicates to the user’s primary mail server, and waits until the user’s mail file has been created by AdminP
● Creates one or more AdminP requests creating the mail file replica on the other cluster mates as
governed by AdminP
Once processing has completed then any people specified within the Notification list for the relevant group profile
will be sent an email telling them that the group has been created.
If the System ID profile dictates Roaming and/or Password digest operations, sub transactions will be created to
perform these tasks.
The request will remain in the state ‘Pending Sub transaction’ until the AdminP requests and the Extended AdminP
Requests have completed. It will then progress to ‘Complete’.
As with all FirM requests, logging information at every stage is created in the Log Database, Audit trail records are
created in the Audit Database, and Billing information is created in the Billing Database.
A welcome message (defined in System Notification profiles, with a name of “UCR-Welcome” will be mailed to the
user.
User Modify
Allows a user to modify details on a person record in a FirM-registered Domino Directory.
Details relating to the notification of completion of this transaction are stored in the User Modification profile.
Walkthroughof transaction
To create a new request, select ‘NewRequest’, ‘User Modify’.
Should the requester be allowed to see more than one type of User
Modify profile, they are prompted for the profile to use.
Click Forward to go to the next screen.
Select the user that you wish to modify from a normal ‘address’ selection
dialog. This means that you can select any user from any domain.
Click Forward to go to the next screen.
FirM Processing
The Requester of the transaction will be compared against the list of valid Requesters defined in the User
Modification profile document. If the Requester is not allowed to submit this request then it will fail. A similar
check is performed against the Authoriser of the request.
Processing will check that all relevant information is present in the request. If vital information is missing (this
should not be possible) then the request will fail, detailing the reasons for failure in the FirM log and also in the
request.
The processor then updates the person document identified in the request with the information entered by the
user.
Once processing has completed then any people specified within the Notification list defined in the User
Modification profile will be sent an email telling them that the group has been created.
User Disable
The User Disable transaction allows a requester to disable a user in a FirM-registered Domino Directory. The user
is disabled by adding their name to the relevant “terminations” group in the Domino Directory.
Details relating to the notification of completion of this transaction are stored in the User Disable Profile.
Walkthroughof transaction
To create new request, select‘New Request”, ‘User Disable’.
The requester may be asked to choose which profile should be used for
this transaction, should the requester have the choice of two or more.
Click forward to go to the next screen.
Details of the User Disable request that is being submitted are displayed
on the screen. Clicking Submit will submit this request for processing by
FirM.
FirM Processing
The Requester of the transaction will be compared against the User
Disable Profile Requesters and Administrators field. If the Requester is
not allowed to submit this request then it will fail.
Processing will check that all relevant information is present in the
request. If vital information is missing (this should not be possible) then
the request will fail, detailing the reasons for failure in the FirM log and also in the request.
The processor will now add the user to the deny-access group defined in the System Settings - Directories tab.
Once processing has completed then any people specified within the Notification list for the relevant User Disable
Profile will be sent an email telling them that the request has succeeded.
User Enable
Allows a user to request a user to be enabled in a FirM-registered Domino Directory. The user is enabled by
removing their name from the relevant “terminations” group in the Domino Directory.
Details relating to the notification of completion of this transaction are stored in the User Enable Profile.
Walkthroughof transaction
To create a new request, select ‘NewRequest’, ‘User Enable’.
The requester may be asked to choose which profile should be used for
this transaction, should the requester have the choice of two or more.
Click forward to go to the next screen.
Select the user you wish to delete. Since the user is selected using a
standard addressing dialog box, you may not be allowed to manage this
user. Your authority to manage this user is calculated using the User
Enable Profile setting: ‘Name Mask’. If you cannot manage this user, you
will be prompted to select another.
Click Forward to go to the next screen.
Details of the User Enable request that is being submitted are displayed
on the screen. Clicking Submit will submit this request for processing by
FirM.
FirM Processing
The Requester of the transaction will be compared against the User Enable Profile Requesters and Administrators
field. If the Requester is not allowed to submit this request then it will fail.
Processing will check that all relevant information is present in the request. If vital information is missing (this
should not be possible) then the request will fail, detailing the reasons for failure in the FirM log and also in the
request.
The processor will now add the user from the deny-access group defined in the System Settings - Directories tab
for the user’s domain.
Once processing has completed then any people specified within the Notification list for the relevant User Enable
profile will be sent an email telling them that the request has succeeded.
User Delete
The User Delete transaction allows Requester to request deletion of a user in a FirM-registered Domino
Directory.
Details relating to the notification of completion of this transaction are stored in the User Delete Profile
Walkthroughof transaction
To create a new request, select ‘NewRequest’, ‘User Delete’.
The requester may be asked to choose which profile should be used
for this transaction, should the requester have the choice of two or
more.
Click forward to go to the next screen.
Select the user you wish to delete. Since the user is selected using a
standard addressing dialog box, you may not be allowed to manage this
user. Your authority to manage this user is calculated using the User
Delete Profile setting: ‘Name Mask’. If you cannot delete this user, you
will be prompted to select another.
Click Forward to go to the next screen.
FirM Processing
The Requester of the transaction will be compared against the
Requesters and Authorisers in the User Delete Profile. If the
Requester is not allowed to submit this request then it will fail.
Processing will check that all relevant information is present in the
request. If vital information is missing (this should not be possible) then
the request will fail, detailing the reasons for failure in the FirM log and
also in the request.
If a ‘data owner’ has been defined, the data owner is informed that he has access to the user’s mail file. A mail
message is sent using the notification profile UDE-DDONotify.
A ‘System ACL’ Extended AdminP Process is spawned to grant the Data Owner access to the user’s mailfile. The
ACL entry is by default set to ‘READER’.
The ACL for the user’s mailfile will be updated in order to change the ACL level for the DDO.
A ‘class variable’ called ‘DDOACLLevel’ allows you to set different Data Owner ACL Levels. In order to change
this, edit the class definition for the UDE, go to the ‘Class Settings’ tab on the class definition, and ensure that in
the ‘Class Settings’ section, you create a new line with:
‘DDOACLLevel=<ACLLEVEL>‘,where <ACLLEVEL> is replaced with one of:
● Depositor
● Reader
● Author
● Editor
● Designer
● Manager
(See the section “System Variables Sub-tab” on page 46)
If a ‘data owner’ has been defined:
● The transaction will defer itself for 30 minutes, and wait until the ‘System ACL’ Extended AdminP
transaction is complete, and has been replicated back to the FirM processing server. It will keep repeating
this check until the ‘System ACL’ request is complete.
● Once the transaction is complete, FirM will then retrieve the users mail file database replica ID from the
ACL request, and use it to populate the ‘<DBLINKBYUNID’ token on the UDE-DDONotify mail message,
in order that the data owner can then click on a database link to open the users mailfile.
The transaction then ‘defers’ itself to the supplied Deletion Day. On or after 1 minute past midnight on that day, it
will then proceed to the next stage.
If the deletion date is today (that is, the user is to be immediately deleted) the transaction defers itself for 30
minutes to allow time for the UDI operation to complete.
Note that the AdminP request – A type ‘0’ – ‘Delete User in Directory’ spawns these other requests, including the
‘Approve Mail File Deletion’ request (Type ‘22’). This means that the Domino Administrator has to approve the
removal of the user’s mail databases in the AdminP database before they will physically be removed.
● Works out which other servers are in the same cluster as this server.
● For each other server in the cluster, it generates a (SYSDBDEL) transaction, passing the database replica
ID of the user’s mail file.
● It then marks this transaction as complete, and terminates.
Note that this mechanism is NOT used to remove the user’s primary mail file from the cluster, as its entirely
possible that the AdminP process to ‘archive’ this mail file might still be in operation. It is left up to the AdminP
process to remove the primary mail file once the archive process has completed.
The new (SYSDBDEL) ExAmp transactions then replicate to the cluster mates of the user’s home server.
Each cluster mate picks up the ExAmp (SYSDBDEL) transaction. If it finds a replica of the user’s mailfile (by path
or by replicaID), it then generates a (SYSDBDEL2) EXAMP transaction, destined for the AdminP administration
server for the domain. This is defined as the server listed as the administration server of the Domino directory for
this domain.
The (SYSDBDEL2) transactions are then replicated to the Administration server for the domain.
The administration server Extended AdminP process then picks up these (SYSDBDEL2) transactions, and forms
type ‘21’ ‘Delete Mail file’ AdminP transactions for each of the replicas found on the cluster mates. Note that no
authorisation is required within AdminP for these transactions to continue (unlike the non-archive process flow
listed above).
AdminP then replicates back to the servers containing the user’s mail file, and removes those databases.
At this point, the UDE itself is complete. Note that it may take some time for the ExAmp and AdminP transactions
themselves to complete – perhaps four or five replication cycles. The UDE transaction itself sets itself to ‘awaiting
sub transactions’ and awaits the SYSMBD and SYSDBDEL transactions to complete.
Walkthroughof transaction
To create a new request, select ‘NewRequest’, ‘Reset HTTP password”.
The requester may be asked to choose which profile should be used for
this transaction, should the requester have the choice of two or more.
Click forward to go to the next screen.
Walkthroughof transaction
To create a new request, select ‘User MoveServer’.
The requester may be asked to choose which profile should be used for
this transaction, should the requester have the choice of two or more.
Click forward to go to the next screen.
Select the user you wish to move. Since the user is selected using a
standard addressing dialog box, you may not be allowed to manage this
user. Your authority to manage this user is calculated using the User
Move Server Profile setting: ‘Name Mask’. If you cannot manage this
user, you will be prompted to select another.
Click Forward to go to the next screen.
You will be prompted for:
● The Target server you wish this user to move to. You must
choose a server object from the Notes directory, and you
cannot choose the user’s existing server.
● The name of the user’s mail file on that server.
Click Forward to go to the next screen.
Details of the User Move Server request that is being submitted are
displayed on the screen. Clicking Submit will submit this request for
processing by FirM.
FirM Processing
The Requester of the transaction will be compared against the User
Move Server Profile Requesters and Administrators field. If the
Requester is not allowed to submit this request then it will fail.
Processing will check that all relevant information is present in the
request. If vital information is missing (this should not be possible) then
the request will fail, detailing the reasons for failure in the FirM log and
also in the request.
The processor will now initiate an AdminP request to move this user from their existing server to a new server,
and optionally rename their mail file database name.
Once processing has completed then any people specified within the Notification list for the relevant User Enable
Profile will be sent an email telling them that the request has succeeded.
The request will remain in the state ‘Pending Sub transaction’ until the AdminP request has completed. It will then
progress to ‘Complete’.
Walkthroughof transaction
To create new request, select‘User Move in Hierarchy.
The requester may be asked to choose which profile should be used for
this transaction, should the requester have the choice of two or more.
Click forward to go to the next screen.
Select the user you wish to Move in Hierarchy. Since the user is selected
using a standard addressing dialog box, you may not be allowed to
manage this user. Your authority to manage this user is calculated using
the User Move in Hierarchy Profile setting: ‘Name Mask’. If you cannot
manage this user, you will be prompted to select another.
Click Forward to go to the next screen.
Select the new Hierarchy - based on a list of all possible hierarchies.
Click Forward to go to the next screen.
FirM Processing
The Requester of the transaction will be compared against the
Requesters and Authorisers in the User Move in Hierarchy Profile. If the
Requester is not allowed to submit this request then it will fail.
Processing will check that all relevant information is present in the request. If vital information is missing (this
should not be possible) then the request will fail, detailing the reasons for failure in the FirM log and also in the
request. An AdminP Request is then spawned requesting that the user be available for Move in Hierarchy
This request is then immediately accepted by the ‘target’ certifier.
The AdminP Process then confirms with the user that they accept this Move in Hierarchy.
If they answer ‘Yes’, then the user's IDis updated, and their name changed using normal AdminP Processes.
The request will remain in the state ‘Pending Sub transaction’ until the AdminP request has completed. It will then
progress to ‘Complete’.
Should there be any groups defined in the users source and target Certifier profile document, then the user will be
removed from the groups defined in the source Certifier Profile document, and added to the groups defined in the
Target Certifier Profile.
Walkthroughof transaction
To create new request, select‘User Move Location’.
The requester may be asked to choose which profile should be used for
this transaction, should the requester have the choice of two or more
profiles.
Click forward to go to the next screen.
Select the user you wish to Move Location. Since the user is selected
using a standard addressing dialog box, you may not be allowed to
manage this user. Your authority to manage this user is calculated using
the User Move Location Profile setting: ‘Name Mask’. If you cannot
manage this user, you will be prompted to select another.
Click Forward to go to the next screen.
FirM will try and establish what the user’s current location is, by using
the users home server. If there is more than one location corresponding
to this user’s home server, youwill be asked to choose a relevant
Current Location.
Based on the User Move Location Profile, you may have the choice of
one or more target Locations to move this user to. In this case, the user
can choose from more than one target Location.
Click Forward to go to the next screen.
If the users current Hierarchy is not allowed in the new Location, you
will be prompted (using a list of all allowed hierarchies for the new
Location) for a new Hierarchy
Click forward to go to the next screen.
FirM Processing
The Requester of the transaction will be compared against the
Requesters and Authorizers in the User Move Location Profile. If the
Requester is not allowed to submit this request then it will fail.
Processing will check that all relevant information is present in the
request. If vital information is missing (this should not be possible) then
the request will fail, detailing the reasons for failure in the FirM log and also in the request.
If the users change in location means a change in server, then a User Move Server transaction is initiated.
If the users change in location means a change in notes name hierarchy, then a User Move in Hierarchy transaction
is initiated.
The user is removed from his current Location (and Country groups, if this change in location means a change in
Country), and added to his new Location and Country groups.
Walkthroughof transaction
Create new request, select ‘User Rename Common Name’.
The requester may be asked to choose which profile should be used for this
transaction, should the requester have the choice of two or more.
Click forward to go to the next screen.
Select the user you wish to rename. Note that this presents a standard
address selection dialogue box. When you select a user, the selection is
confirmed as a user record, and the current Requester is confirmed as
being allowed (authorisation is granted in the User Rename Common
Name Profile document) to rename this user. Otherwise, the Requester
is warned, and invited to select another user.
Click Forward to go to the next screen.
The users current name elements are displayed, and can be edited.
Click Forward to go to the next screen.
Details of the User Rename Common Name request that is being
submitted are displayed on the screen. Clicking Submit will submit this
request for processing by FirM.
FirM Processing
The Requester and Authoriser of the transaction will be compared
against the User Rename Common Name Profile document. If the
Requester is not allowed to submit this request then it will fail.
Processing will check that all relevant information is present in the
request. If vital information is missing (this should not be possible) then
the request will fail, detailing the reasons for failure in the FirM log and
also in the request.
The processor will now initiate an AdminP Request which will:
● Invite the user to accept their rename request (if the user is
running the Notes v5 client. The Notes v6 client automatically
accepts name change requests by default)
● If the user accepts, the user record is then updated via AdminP
● The request will now complete. The AdminP database should be monitored for a successful completion of
the AdminP request.
User Recertify
This transaction allows a Requester to recertify a user in a FirM-registered Domino Directory.
Details relating to the notification of completion of this transaction are
stored in the User Recertify Profile.
Walkthroughof transaction
To create new request, select‘New Request’, ‘User Recertify’.
The requester may be asked to choose which profile should be used for
this transaction, should the requester have the choice of two or more.
Click forward to go to the next screen.
Select the user you wish to recertify. Since the user is selected using a
standard addressing dialog box, you may not be allowed to manage this
user. Your authority to manage this user is calculated using the User
Recertify Profile setting: ‘Name Mask’. If you cannot delete this user, you
will be prompted to select another.
Click Forward to go to the next screen.
FirM Processing
The Requester of the transaction will be compared against the
Requesters and Authorisers in the User Recertify Profile. If the
Requester is not allowed to submit this request then it will fail.
Processing will check that all relevant information is present in the
request. If vital information is missing (this should not be possible) then
the request will fail, detailing the reasons for failure in the FirM log and
also in the request.
An AdminP Request is then spawned requesting that the user be recertified, with the expiry time dictated by the
relevant ID profile selected in the User Recertify Profile.
The user's ID is updated, and their public key updated to show the new expiry date using normal AdminP
Processes.
The request will remain in the state ‘Pending Sub transaction’ until the AdminP request has completed. It will then
progress to ‘Complete’.
Walkthroughof transaction
To create a new request, select ‘NewRequest’, ‘User Resend User ID
and Password’
The requester may be asked to choose which profile should be used for
this transaction, should the requester have the choice of two or more.
Click Forward to go to the next screen.
Select the user that you wish to modify from a normal ‘address’ selection
dialog. This means that you can select any user from any domain.
Click Forward to go to the next screen.
The user is then prompted for the users’ names who will receive the
user ID, and which users will receive the Password. Both are mailed out
in encrypted form.
Click Forward to go to the next screen.
Details of the User Resend User ID and Password request that is being
submitted are displayed on the screen. Clicking Submit will submit this
request for processing by FirM.
FirM Processing
The Requester of the transaction will be compared against the list of
valid Requesters defined in the User Resend ID and Password Profile
document. If the Requester is not allowed to submit this request then it
will fail. A similar check is performed against the Authoriser of the
request.
Processing will check that all relevant information is present in the
request. If vital information is missing (this should not be possible) then the request will fail, detailing the reasons
for failure in the FirM log and also in the request.
The processor then find the user ID and Password stored in the User ID repository and Password repository for
this user. If these cannot be found, the request will fail.
Two mail messages (using ‘notification’ profile documents UUP-SendID and UUP-Send Password) are constructed,
the information attached, encrypted and sent.
Once processing has completed then any people specified within the Notification list defined in the User Resend
ID and Password Profile will be sent an email telling them that the request has succeeded.
Walkthroughof transaction
To create a new request, select ‘NewRequest’, ‘User Password Digest
Enable’
The requester may be asked to choose which profile should be used for
this transaction, should the requester have the choice of two or more.
Click Forward to go to the next screen.
Select the user that you wish to modify from a normal ‘address’ selection
dialog. This means that you can select any user from any domain.
Click Forward to go to the next screen.
FirM Processing
The Requester of the transaction will be compared against the list of
valid Requesters defined in the User Password Digest Enable Profile
document. If the Requester is not allowed to submit this request then it
will fail. A similar check is performed against the Authoriser of the
request.
Processing will check that all relevant information is present in the request. If vital information is missing (this
should not be possible) then the request will fail, detailing the reasons for failure in the FirM log and also in the
request.
The processor then creates an AdminP process request to enable password digest usage for this user.
Once processing has completed then any people specified within the Notification list defined in the User Password
Digest Enable Profile will be sent an email telling them that the request has succeeded.
Walkthroughof transaction
To create a new request, select ‘NewRequest’, ‘User Password Digest
Disable
The requester may be asked to choose which profile should be used for
this transaction, should the requester have the choice of two or more.
Click Forward to go to the next screen.
Select the user that you wish to modify from a normal ‘address’ selection
dialog. This means that you can select any user from any domain.
Click Forward to go to the next screen.
Details of the User Password Disable request that is being submitted are
displayed on the screen. Clicking Submit will submit this request for
processing by FirM.
FirM Processing
The Requester of the transaction will be compared against the list of
valid Requesters defined in the User Password Digest Disable Profile
document. If the Requester is not allowed to submit this request then it
will fail. A similar check is performed against the Authoriser of the
request.
Processing will check that all relevant information is present in the request. If vital information is missing (this
should not be possible) then the request will fail, detailing the reasons for failure in the FirM log and also in the
request.
The processor then creates an AdminP process request to disable password digest usage for this user.
Once processing has completed then any people specified within the Notification list defined in the User Password
Digest Disable Profile will be sent an email telling them that the request has succeeded.
Walkthroughof transaction
To create a new request, select ‘NewRequest’, ‘User Password Digest
Reset’
The requester may be asked to choose which profile should be used for
this transaction, should the requester have the choice of two or more.
Click Forward to go to the next screen.
Select the user that you wish to modify from a normal ‘address’ selection
dialog. This means that you can select any user from any domain.
Click Forward to go to the next screen.
Details of the User Password Reset request that is being submitted are
displayed on the screen. Clicking Submit will submit this request for
processing by FirM.
FirM Processing
The Requester of the transaction will be compared against the list of
valid Requesters defined in the User Password Digest Reset Profile
document. If the Requester is not allowed to submit this request then it
will fail. A similar check is performed against the Authoriser of the
request.
Processing will check that all relevant information is present in the request. If vital information is missing (this
should not be possible) then the request will fail, detailing the reasons for failure in the FirM log and also in the
request.
The processor then creates an AdminP process request to reset the password digest for this user.
Once processing has completed then any people specified within the Notification list defined in the User Password
Digest Reset Profile will be sent an email telling them that the request has succeeded.
Walkthroughof transaction
To create a new request, select ‘NewRequest’, ‘User Roaming Enable’
The requester may be asked to choose which profile should be used for
this transaction, should the requester have the choice of two or more.
Click Forward to go to the next screen.
Select the user that you wish to modify from a normal ‘address’ selection
dialog. This means that you can select any user from any domain.
Click Forward to go to the next screen.
Details of the User Roaming Enable request that is being submitted are
displayed on the screen. Clicking Submit will submit this request for
processing by FirM.
FirM Processing
The Requester of the transaction will be compared against the list of
valid Requesters defined in the User Roaming Enable Profile document.
If the Requester is not allowed to submit this request then it will fail. A
similar check is performed against the Authoriser of the request.
Processing will check that all relevant information is present in the
request. If vital information is missing (this should not be possible) then the request will fail, detailing the reasons
for failure in the FirM log and also in the request.
The processor will then submit an AdminP request to enable Roaming for this user.
Once processing has completed then any people specified within the Notification list defined in the User Roaming
Enable Profile will be sent an email telling them that the request has succeeded.
Walkthroughof transaction
To create a new request, select ‘NewRequest’, ‘User Roaming Disable’
The requester may be asked to choose which profile should be used for
this transaction, should the requester have the choice of two or more.
Click Forward to go to the next screen.
Select the user that you wish to manage from a normal ‘address’
selection dialog. This means that you can select any user from any
domain.
Click Forward to go to the next screen.
Details of the User Roaming Disable request that is being submitted are
displayed on the screen. Clicking Submit will submit this request for
processing by FirM.
FirM Processing
The Requester of the transaction will be compared against the list of
valid Requesters defined in the User Roaming Disable Profile document.
If the Requester is not allowed to submit this request then it will fail. A
similar check is performed against the Authoriser of the request.
Processing will check that all relevant information is present in the
request. If vital information is missing (this should not be possible) then the request will fail, detailing the reasons
for failure in the FirM log and also in the request.
The processor will then submit an AdminP request to disable Roaming for this user.
Once processing has completed then any people specified within the Notification list defined in the User Roaming
Enable Profile will be sent an email telling them that the request has succeeded.
Walkthroughof transaction
To create a new request, select ‘NewRequest’, ‘User Grant Mail file
Access’
The requester may be asked to choose which profile should be used for
this transaction, should the requester have the choice of two or more.
Click Forward to go to the next screen.
Select the user that you wish to manage from a normal ‘address’
selection dialog. This means that you can select any user from any
domain.
Click Forward to go to the next screen.
The user is then prompted for the data owner who should have access
to the target user’s mailfile, and whether to automatically remove his
access at a later date.
Click Forward to go to the next screen.
Details of the User Grant Mailfile Access request that is being submitted
are displayed on the screen. Clicking Submit will submit this request for
processing by FirM.
FirM Processing
The Requester of the transaction will be compared against the list of
valid Requesters defined in the User Grant Mail file Access Profile
document. If the Requester is not allowed to submit this request then it
will fail. A similar check is performed against the Authoriser of the
request.
Processing will check that all relevant information is present in the request. If vital information is missing (this
should not be possible) then the request will fail, detailing the reasons for failure in the FirM log and also in the
request.
The processor will then issue an Extended AdminP request to change the target users mailfile ACL. Once that has
completed, then the data owner is sent an eMail informing them that they now have access.
Optionally, at the end of the access period, another Extended AdminP request is issued to remove the data-owners
access from the target users mail file.
Once processing has completed then any people specified within the Notification list defined in the User Grant
Mail file Access Profile will be sent an email telling them that the request has succeeded.
The following information is defined in the selected User Grant Mail file Access Profile
● Which Requesters can submit requests of this type
● Which Authorisers are allowed to approve these requests
● Who shall be notified of a successful completion of this request
● Should the data owner be automatically removed at the end of a pre-determined period.
● Which group of users (by organisational hierarchical structure) that this request can be applied against)
User Cross-Certify
The User Cross-Certify transaction allows a requester to cross-certify a user with a new Notes Hierarchy.
Details relating to the notification of completion of this transaction are
stored in the User Cross-Certify Profile.
Walkthroughof transaction
To create a new request, select ‘NewRequest’, ‘User Cross-Certify’
The requester may be asked to choose which profile should be used for
this transaction, should the requester have the choice of two or more.
Click Forward to go to the next screen.
Select the user that you wish to manage from a normal ‘address’
selection dialog. This means that you can select any user from any
domain.
Click Forward to go to the next screen.
FirM Processing
The Requester of the transaction will be compared against the list of
valid Requesters defined in the User Cross-Certify Profile document. If
the Requester is not allowed to submit this request then it will fail. A
similar check is performed against the Authoriser of the request.
Processing will check that all relevant information is present in the
request. If vital information is missing (this should not be possible) then the request will fail, detailing the reasons
for failure in the FirM log and also in the request.
The processor then find the user’s latest Safe-ID stored in the repository, and then apply a Cross-Certificate
operation against that and the new Hierarchy defined in the Profile document.
Once processing has completed then any people specified within the Notification list defined in the User Cross
Certify Profile will be sent an email telling them that the request has succeeded.
Walkthroughof transaction
To create a new request, select ‘NewRequest’, ‘User MailFile Quota’
The requester may be asked to choose which profile should be used for this transaction, should the requester have
the choice of two or more.
Click Forward to go to the next screen.
Select the user that you wish to manage from a normal ‘address’
selection dialog. This means that you can select any user from any
domain.
Click Forward to go to the next screen.
Details of the User MailFile Quota request that is being submitted are
displayed on the screen. Clicking Submit will submit this request for
processing by FirM.
FirM Processing
The Requester of the transaction will be compared against the list of
valid Requesters defined in the User MailFile Quota Profile document. If
the Requester is not allowed to submit this request then it will fail. A
similar check is performed against the Authoriser of the request.
Processing will check that all relevant information is present in the
request. If vital information is missing (this should not be possible) then the request will fail, detailing the reasons
for failure in the FirM log and also in the request.
The processor then generate an Extended AdminP request to update the users mailfile Quota and Threshold
Levels.
Once processing has completed then any people specified within the Notification list defined in the User MailFile
Quota Profile will be sent an email telling them that the request has succeeded.
Note that this transaction ONLY moves the person document between domains, and therefore assumes:
● that all servers in all domains to be manage exist in all domain directories. This can be achieved by cutting and
pasting server documents between directories.
● All servers in all domains use Directory Assistance to make available all other Domain directories to all servers.
At the end of this operation, the user is still on the same server, with the same mail directory, but has been moved
between domain directories. The users person document has been set with the correct target domain.
In order to move users between domains and servers in the same operation, see the User Move Location
Transaction.
Details relating to the notification of completion of this transaction are
stored in the User Move Domain Profile.
Walkthroughof transaction
To create a new request, select ‘NewRequest’, ‘User Move Domain’
The requester may be asked to choose which profile should be used for
this transaction, should the requester have the choice of two or more.
Click Forward to go to the next screen.
Select the user that you wish to manage from a normal ‘address’
selection dialog. This means that you can select any user from any
domain.
Click Forward to go to the next screen.
Details of the User Move Domain request that is being submitted are
displayed on the screen. Clicking Submit will submit this request for
processing by FirM.
FirM Processing
The Requester of the transaction will be compared against the list of valid Requesters defined in the User Move
Domain Profile document. If the Requester is not allowed to submit this request then it will fail. A similar check is
performed against the Authoriser of the request.
Processing will check that all relevant information is present in the request. If vital information is missing (this
should not be possible) then the request will fail, detailing the reasons for failure in the FirM log and also in the
request.
The processor then moves the users person document between Domain directories, and resets the user domain
name in the person document to the name of the target Domain.
Once processing has completed then any people specified within the Notification list defined in the User Move
Domain will be sent an email telling them that the request has succeeded.
Authoriserstab
The Authorisation, Requesters tab controls which group of users may
use this profile – the Requesters. This field can contain both user
names and groups.
The Authorisation, Authorisers tab controls who may authorise
transactions created using this profile. Should the requester appear in
both tabs (either explicitly named or by virtue of group membership),
then the transaction is deemed immediately authorised and then
processed.
You may enforce separate requesters and authorisers to override this
behaviour in more secure circumstances. Should this be set to
“Separate Requester and Authoriser”, then a new Authoriser is
required regardless of the requesters appearance in this tab.
This tab allows you to define who is sent notifications when this profile
is used.
This tab defines the users against which this transaction may run (This
tab does not appear on User Create profiles). Users may be specified as
“*” for everyone, or by hierarchy such as “*/Acme”.
This tab allows the requester to defer this transaction, if set to “Allow”.
The unique number tokens are added to the name field being constructed, and then the potential name is then
tested against the Domino Directory and the Deleted User Repository.
For instance, if the short name field contains “<FirstNameInitial><LastName><UNIQUENUMBER2>,” and the
user “John Smith” is being created, then the system will construct “Jsmith01” and test for uniqueness. If it is not
unique, it will then increment the number and continue to test uniqueness until the name is unique.
This means that user “John Smith” might have short name “Jsmith01”, and Barney Stone might have short name
“BStone01”, and so forth.
It is important to note that this name uniqueness and unique number tokens is only available on the four names
fields – ShortName, FullName, Internet Address and Alternative Language Name. Fields such as Mail File Name or
Cluster File Name do not test for uniqueness.
You may specify what primitives the new users Notes name
is constructed from. Note that the insertion of static text is
not supported at this stage. Click on the Keywords button
to see a list of supported “tags” which will be replaced at
run-time with relevant values.
You may now choose whether the Shortname is generated,
or whether the requester may type in the Shortname.
Translation features are now available on this field to ensure
uppercase, lowercase, mixed case, etc. This results in the
User Create request “Name” dialog prompting for
Shortname.
Alternate name support allows support to assign users a second “name” within Notes in their native (non-ascii)
language. This will result in an additional prompt in the user create “name” dialog which prompts for this users
non-ascii name.
Next, specify whether you want the outbound address to be calculated and applied automatically, or whether there
should be a selection displayed to the requester at request creation time. If you apply the address automatically,
then you must select an outbound profile from the list in the Outbound Internet Address field.
If you want to enable additional inbound Internet Addresses, then specify a person document field name in the
“Inbound field name” field. If this field is left blank then it will default to using the “FullName” field.
The “Always add Outbound address to Inbound field” will ensure, if enabled, that the user's Internet address is
always added to the inbound field. Use this, for instance, to make sure that user's Internet address always appears
in the FullName field.
Finally, use the “Mandatory or Optional” field to determine how additional inbound Internet addresses are assigned.
You can set the profile so that additional addresses are never added, that all additional addresses are automatically
calculated and added, or to allow the requester to select which addresses should be added at request creation
time.
The Mail File Naming tab defines how the new users’ mail
file will be named, as well as the cluster mail file should it be
allowed. Note that the mail file name and the cluster mail
file name may be different, as in this example.
You may also choose various translations that are
appropriate for the mail file name and the cluster mail file
name.
The Name field is the name of this user Modify profile. Ensure
that this name makes sense in the context of your business as
the requesters may be prompted using this name.
Description. A textual description of this profile
Users can modify themselves. This allows any user to modify
their own person document.
The Fields tab allows you to define one or more static or dynamic field
settings. In this case, the requester is prompted for a new telephone
number for this end user.
For example, clicking on the “Dynamic Fields” button prompts you for:
Which then allows you to create a new dialog box during a user modify
event.
Archive the mail file. This does not delete the users mail file but moves it to a server. If this is set to “yes” ,
then
o Archive Server. Select whether to archive to a directory on the user's mail server or to a specific
mail server. Choose the server that the target users mail file will be moved if appropriate.
o Archive Directory. Enter a directory name that the users mail file will be moved to.
On the User Mailfile Grant Access tab, the fields defined are:
Target Name – that is, the person who will be granted access.
Send Mail Message to user – yes or no.
Requester can set Access Period – Yes or no.This allows the
requester to choose at run-time how long access should be
granted.
Number of working days to grant access.
Access Control Level – can be set to any valid ACL level
Remove this entry: Can be set to Always Remove, Ask the
Requester, or Never Remove.
User Cross-Certify
The User Cross-Certify profile allows the administrator to define who can request that a target user has their user
ID cross-certified with another hierarchy.
Walkthroughof transaction
To create a new request, select ‘NewRequest’ at the top of the FirM
Request Processor. Then, under Group Management, select ‘Group
Create’.
Select the profile that will be used to govern this group's attributes and
behaviour. These profiles are defined and managed by a FirM
administrator.
Click Forward to move to the next Screen.
Enter the free-text part of the group name. This is the part of the group
name that the Requester specifies. Additional elements will be added to
the group name to enforce naming standards and consistency as
determined by the selected Group Profile.
Select the domain in which this group is to be created. Although FirM
supports the management of groups in different domains with the same
name, it is possible that the administrator has switched on enforcement of ‘globally unique group names’ within the
FirM configuration setup.
Click Forward to move to the next screen.
The group naming rules will be applied to the group name to ensure that
it meets such specified requirements as only containing acceptable
characters and that it meets the minimum or maximum length.
The calculated full group name is displayed, together with the Internet
name if the profile specifies that one is required.
Enter the group description.
Click Forward to the next screen.
Specify the name of the Group Owner. The Group Owner is the person
with ultimate responsibility for the group and is usually also the billing
contact. The Group Owner is also by definition a group manager for this
group.
Add the group managers and administrators.
Group managers are able to create requests to rename this group,
change the ownership, management and administration lists, change the
group description, manage the group's membership content and
ultimately delete the group. The Administrators are only able to change
the group's membership content.
Click Forward to the next screen.
FirM Processing
The Requester of the transaction is compared against the list of people allowed to submit Group Create requests
for a group using the selected profile. See the section “Group Profiles” on page 53 for more information. The
request fails if the Requester is not an authorised FirM Requester.
If the Requester is permitted to submit the request but may not authorise the request then details of the request
are sent to all the listed Authorisers in the profile. The Authorisers then follow the doclink in the mail and either
authorise or reject the request.
If the Requester is also present in the authorisation list and the option ‘enforce separate authorisation’ is not
selected in the relevant group profile, then the request requires no further intervention.
Processing checks that all relevant information is present in the request. If, for any reason, vital information is
missing (although this should not be possible), the request fails with failure details written to the FirM log and to
the request.
The proposed group name is checked for uniqueness in the target domain, and optionally across all managed
domains. If the name is unique then a new group document is created in the Domino Directory and a shadow
entry added to the FirM Group Repository - this ensures that the group is available for management by FirM.
Name uniqueness is tested against other group names, mail-in database names, user names, resource names, server
names, etc..
Once processing has completed, people specified in the Notification list for the relevant group profile are sent an
email notifying them of the successful group creation.
This group can now be managed within FirM.
Who is permitted to request the creation of this type of group and who is able to authorise the request.
A further restriction may also be defined that the Requester and the Authoriser must be different people.
Who will be notified when a group is created with this profile and when a group based on this profile is
modified, deleted or managed.
The profile selected when a group is created will be recorded in the group’s record in the FirM Group Repository.
This can only be changed by directly editing the repository record, and it governs the group’s membership masks
and some security settings.
Group Modify
The Group Modify transaction allows a FirM Requester to request the modification of a FirM-registered group in a
FirM-registered Domino Directory and to manage the Ownership, Management and Administration permissions
for that group.
Walkthroughof transaction
To create a new request, select ‘Group Modify’.
Select the group to be modified from the list. The list will only contain
those groups in which you are the owner or have been given
management rights. This list is managed through the Group Modify
function.
Click Forward to the next screen.
If modifying the group name, enter the new free-text part of the group
name. Clicking on the recalculate button applies the relevant profile's
name mask and displays the new group name. The group's Internet
name is also recalculated. If the new name is the wrong length or
contains prohibited characters, correct the error before proceeding.
Click Forward to the next screen.
Details of the group modify request are displayed on the screen. Click
Submit to submit this request for processing by FirM.
FirM Processing
The Requester of the transaction is compared against the Owner and
Managers list for this group. The request will fail if the Requester is not
allowed to submit this request.
Checks are now made to ensure that all relevant information is present
in the request. If required information is missing (which should not be
possible) the request fails. The reasons for the failure are detailed in the
FirM log and also in the request.
If group rename is specified then the new group name is checked for uniqueness in the directory according to the
rules specified in the FirM setup configuration.
The group document in the Domino Directory is modified with the new name and all subgroup names adjusted
accordingly. The membership of the parent group is updated to reflect the new subgroup names and the
descriptions of the subgroups are modified accordingly.
An AdminP sub request is created which requests ‘group rename in address book’. The status of this AdminP
request is monitored for completion.
If group description change has been requested, the description of the group in the group document in the Domino
Directory is updated with the new description.
If a request to update the owner or managers list of the group has been requested, FirM updates the group's entry
in the FirM Group Repository.
If a request to update the administrators list of the group has been requested then FirM updates the group's entry
in the FirM Group Repository.
Once processing is complete, any people specified in the Notification list for the relevant group profile are sent an
email notifying them of the modifications to the group.
If there are any incomplete AdminP requests open, the request is marked with a status of ‘Pending Sub-transaction’
Once any sub-transactions have completed the request is marked with the status of ‘Complete’.
FirM searches for the group profile that governs the behaviour of this group. The following information in this
profile is relevant to the ‘group manage members’ request:
The name mask to be applied to the group name and the group Internet name. For example, ‘_mail_’ is to
be prepended to all mail group names. If no Internet name mask is specified then no Internet name will be
created for the group.
Who will be notified when a group with this profile is modified.
Walkthroughof transaction
To create a new request, select ‘Group ManageMembers’
Select the group to be managed from the list. The list will only contain
those groups in which you are the owner or have been given
management rights. This list is managed through the Group Modify
function.
Click forward to go to the next screen.
Using the address helper or by typing, create the lists of people to add
or remove from the group.
Click forward to go to the next screen.
FirM Processing
The Requester of the transaction is compared against the Owner,
Managers and Administrators list for this group. The request fails if the
Requester is not allowed to submit this request.
Checks are now made to ensure that all relevant information is present
in the request. If required information is missing (which should not be
possible) the request fails. The reasons for the failure are detailed in the FirM log and also in the request.
Each person on the delete list is removed from the group and any of its spawned subgroups.
Each name on the add list is evaluated to determine the type of entity it represents. It is compared against the list
of allowable members as determined by the profile governing the group. If the name satisfies all criteria it is added
to the list. If the name does not pass any of the criteria an error is generated, the name is not added to the list and
processing passes to the next name on the add list.
If a group exceeds its size limit, as determined by the FirM setup Configuration, subgroups are automatically
created according to the following: a new subgroup is created and the contents of the parent group member list
are copied into this subgroup. A new subgroup is created, and the member is added to that group. The parent
group's membership is replaced with a list of all its subgroups. New subgroups will be spawned whenever there is
no room for the new member in any subgroup.
Once processing is complete, any people specified in the Notification list for the relevant group profile are sent an
email notifying them that the group has been created.
The request is marked with the status of ‘Complete’.
Group Delete
‘Group delete’ allows a user to request the deletion of a FirM-registered group in a FirM-registered Domino
Directory.
Information relating to the notification of completion of this transaction is stored in the Group Profile documents.
Walkthroughof transaction
To create a new request, select ‘Group Delete’.
Select the group to delete from the list. The list will only contain those
groups in which you are the owner or have been given management
rights. This list is managed through the Group Modify function.
Click forward to go to the next screen.
FirM Processing
The name of the Requester of the transaction is checked to see that
either it is the Owner of the group or is in the list of Managers for this
group. The request fails if the Requester is not allowed to submit this
request.
Checks are now made to ensure that all relevant information is present in the request. If required information is
missing (which should not be possible) the request fails. The reasons for the failure are detailed in the FirM log and
also in the request.
A copy of this group and all FirM subgroups contained in the group are added to the FirM ‘Deleted Groups and
Users’ repository.
The status of the entry for this group in the FirM Group Repository is changed to ‘Deleted’ and the name of the
person deleting this group is added to the record together with the date and time at which the group was deleted.
The group is now deleted from the specified domain’s Domino Directory and a sub-request is created to create
and track an AdminP ‘Delete group in address book’ transaction.
Once processing is complete, any people specified in the Notification list for the relevant group profile are sent an
email notifying them that the group has been deleted.
The request remains in the state ‘Pending Sub transaction’ until the AdminP request completes. It then changes to
‘Complete’.
Application Create
The Application Create request allows a user to request the creation of an Application database record, its
associated database and any replicas on cluster-mates of the database server.
Details relating to the notification of completion of this transaction are stored in the Application Create profile
documents.
Walkthroughof transaction
To create a new request, select ‘ApplicationCreate’.
The requester may be asked to choose which profile should be used for
this transaction, should the requester have the choice of two or more.
Click forward to go to the next screen.
Specify one or more users or groups who are the designated ‘owners’ of
this mail-in database record. The owners may update or delete this mail-
in database record.
Click forward to go to the next screen.
FirM Processing
The name of the Requester of the transaction is checked to ensure that
it is contained in the list of allowed Requesters in the Application Create
profile. The request fails if the Requester is not allowed to submit this
request.
Checks are now made to ensure that all relevant information is present
in the request. If required information is missing (which should not be possible) the request fails. The reasons for
the failure are detailed in the FirM log and also in the request.
A check is made on the name of the Application database in the target domain. If an Application database already
exists with that name the request fails.
An Application database record is created in the Domino directory and is populated with information from the
request. The owner’s field is populated using the list of owners supplied by the Requester and the list of default
owners defined in the ‘Application Create’ profile. Similar action is taken for the administrator’s field.
An AdminP request is submitted to create the mail-in database on the Domino server with the supplied template
name.
An Extended AdminP request is submitted to update the database Access Control List with any default database
managers defined in the ‘Application create’ profile.
If the ‘Application create’ profile record requires the creation of a cluster replica of the mail-in database, and the
target server is in a cluster, then an Extended AdminP request is created that will create an AdminP request on the
target server to create a cluster replica of the mail-in database.
Once processing is complete, any people specified in the Notification list for the relevant ‘mail-in database create’
profile are sent an email notifying them that the mail-in database record has been created.
The request remains in the state ‘Pending Sub transaction’ until the Extended AdminP request(s) and the AdminP
request are all complete. It then changes to ‘Complete’.
Configurationfor ApplicationCreate
FirM uses the ‘Application Create’ profile selected at the start of the transaction.
The following information in this profile is relevant to the mail-in database create request:
The Application mail address and the Requester’s Application title
The ultimate Application notes mail address (combined with the Requesters Application title)
The Internet address and with the Requester’s mail-in database title.
The path to the mail-in database.
Whether or not the database should be replicated to any cluster servers.
The Application cluster replica name.
The list of target servers on which the mail-in database may reside.
The list of templates that may be used to create the Application database.
The list of default owners for all Application databases created using this profile.
The list of default administrators for all Application databases created using this profile.
The list of entities to add as managers in the Access Control List of the target Application.
Who may authorise mail-in database deletions using this profile.
Who will be notified upon successful creation of an Application Create.
Application Modify
The Mail-In Database Modify profile allows a user to request modification of a mail-in database record and its
associated database and any replicas on cluster-mates of the database server.
Details relating to the notification of completion of this transaction are stored in the Mail-In Database Modification
profile documents.
Walkthroughof transaction
To create a new request, select ‘Mail-InDatabase Modify’.
Select the mail-in database record to modify. The list of entities, i.e.
users, groups, mail-in databases and servers, in the standard ‘address’
dialog allows the selection of any domain and any mail-in database.
After the entity is selected:
The entity is checked to ensure that it is a mail-in database.
The mail-in database record's owner and administrator fields are checked to ensure that the Requester’s
name is either in these fields explicitly or implicitly by being contained in one of the specified groups.
Click forward to go to the next screen.
Existing mail-in database information is now displayed. Specifically:
The Domino address book’s mail-in address
The Internet address
The Administrator’s field
The Owners’ field (if this user is listed as an owner)
FirM Processing
The name of the Requester is compared against the owner and
administrator fields in the Application database record. If the Requester
is not listed directly (by Notes full name) or indirectly (by being the
member of a group or subgroup), the request fails.
Checks are now made to ensure that all relevant information is present
in the request. If required information is missing (which should not be
possible) the request fails. The reasons for the failure are detailed in the
FirM log and also in the request.
The Application record is updated with the information in the request.
Once processing is complete, any people specified in the Notification list for the relevant ‘Application modify’
profile are sent an email notifying them that the mail-in database record has been modified.
Configurationfor ApplicationModify
FirM uses the selected ‘Application Modify’ profile selected at the start of the transaction. The following
information in this profile is relevant to the mail-in database modification request:
Who may request Application modifications using this profile
Who may authorise Application modifications using this profile
Who will be notified upon modification of this Application.
Application Delete
The Application Delete request allows a user to request the deletion of an Application record, its associated
database and any replicas on cluster-mates of the database server.
Details relating to the notification of completion of this transaction are stored in the Application Delete Profile
documents.
Walkthroughof transaction
To create a new request, select ‘ApplicationDelete’.
If the requester is allowed to use more than one Application Delete
profile, the requester will be prompted for which profile to use.
Select the Application record to delete. The list of entities, i.e. users,
groups, mail-in databases and servers, in the standard ‘address’ dialog
allows the selection of any domain and any mail-in database.
After the entity is selected:
The entity is checked to ensure that it is a mail-in database
The mail-in database record's owner field is checked to validate that the Requester’s name is in the field,
or is contained in any group (or subgroup) in the field.
Click forward to go to the next screen.
FirM Processing
The name of the Requester is compared against the owner and
administrator fields in the mail-in database record. If the Requester is
not listed directly (by Notes full name) or indirectly (by being the
member of a group or subgroup), the request fails.
Checks are now made to ensure that all relevant information is present
in the request. If required information is missing (which should not be
possible) the request fails. The reasons for the failure are detailed in the
FirM log and also in the request.
A copy of this Application record is added to the ‘FirM Deleted Groups and Users’ repository.
The mail-in database record in the domain’s Domino Directory is deleted and a sub-request is created to create
and track an AdminP ‘Delete in Names Field’ request.
An AdminP request is created which:
Runs on the server specified in the mail-in database record.
Creates deletion AdminP requests for all cluster mates of the server for any replicas of the database.
Deletes the database specified in the Application record.
A further AdminP request is created which:
Deletes all references to the mail-in database from any author name or reader name (names fields) in the
environment.
Once processing is complete, any people specified in the Notification list for the relevant ‘mail-in database modify’
profile are sent an email notifying them that the mail-in database record has been deleted.
The request remains in the state ‘Pending Sub transaction’ until the Extended AdminP request has completed. It
then changes to ‘Complete’.
Configurationfor ApplicationDelete
FirM uses the Application Delete profile selected at the start of the transaction. The following information in this
profile is relevant to the ‘mail-in database delete’ request:
Who may request Application deletions using this profile.
Who may authorise Application database deletions using this profile.
Who will be notified upon deletion of this Application.
Application Create
Define one or more Template databases that the user can use
to create the target application. Note that the template
database must exist on the target server for AdminP to
successfully create the database.
Application Modify
The application Modify profile allows the FirM administrator to delegate the management of applications to non-
technical users.
Profile Name: Set the modification profile name to some name that
makes contextual sense in your business.
Application Delete
The application Delete profile allows the FirM administrator to delegate the management of applications to non-
technical users.
Profile Name: Set the modification profile name to some name that
makes contextual sense in your business.
Architecture
FirM is a set of native Lotus Domino applications that run on an IBM Lotus Domino Server. FirM manages Lotus
Domino identities and resources, and the FirMAD component allows you to manage Active Directory ("AD")
Accounts.
The central processing core of FirM is the FirM Request Processor database.
In order to manage AD it is necessary to run FirM on a win2k or win2k3 server which must be a domain
controller and a valid member of the AD forest that you wish to manage.
FirM communicates with AD through an LSX (a special DLL file which extends LotusScript).
User Home Directories and User Profile Directories are created by a Windows Service component, which must
be installed on each target Windows server. The service relies upon a Lotus Notes client (which must be installed
on the target server) to communicate with FirM and it performs all of the folder manipulation on the target server.
ExAmp
FirM
AD Operation
Notes FirM AD
Client Service
User
Lotus
LSX Shared
Domino
Folders
Windows 2000
AD / 2003 File Server
Object User
Profile
Management
Folders
Server
Active Directory
This diagram illustrates the FirM Architecture. The blue circle represents a Domino-Only version of FirM, and the
red components represent AD only components.
It should be noted that both the Lotus Domino server and all win2k3 servers have to be in the same Active
Directory domain.
For instance, A FirM AD User Create Operation would perform the following processing:
A new FirM AD User create Transaction is created in the Firm Request Processor database.
On the FirM Primary processing server, the FirM “Process Requests and Workflow” agent (in
the Firm Request Processor database) validates and checks the request. If it is valid it will then:
o Pass an “Create User in Active Directory” operation to the LSX, which will then
call Active Directory.
Prerequisites
The FirM AD Component and its accompanying setup program both are reliant the “Microsoft .NET Framework
Version 2.0 Redistributable Package (x86)”.
MS .Net v2.0 framework loaded onto the target computer. This is usually downloaded automatically as part of the
automatic update process – but can be manually downloaded and installed from this web site:
http://www.microsoft.com/downloads/details.aspx?FamilyID=0856eacb-4362-4b0d-8edd-
aab15c5e04f5&DisplayLang=en
In particular, if you receive this error message:
If you require this server to also support session based users, you may use the Domino 7.x feature 'Internet
Sites' to allow users to log in using session-basedauthentication,whilst also allowing Web Service agents to log
in without using session-basedauthentication.To achieve this:
● Enable 'Use Internet Site Documents'on the first page of the server setup document.
● Create a new Internet Site document for default usage, and enable session-basedauthentication
● Creae a new Internet Site document using a differenthost name, and disable session-based
authentication.
● Enable in DNS the new hostname,pointing at the same IP address as your Domino server.
Please examine the Lotus Administrationmanual on these features if you are unsure of this process.
Logging Information
When this service runs, it creates logging information in the Windows Event log, in the Applications area.
A common issue we have encountered is that the Event Log fills up (especially if verbose level debugging is
enabled). In order to prevent the error 'Event Log Full', you can right click on the 'Application' folder on the left
pane and allow the Event Log to overwrite older events.
Heartbeat Task
In normal operation, the FirM AD service will update a document in the FirM Extended AdminP database on the
FirM primary server. This document confirms that this component is “alive” and also reports back on disk space
characteristics for this file server. This allows us to correctly calculate the most relevant win2k3 file server based
on disk space usage to create new users on.
To view this
heartbeat
information,
open the FirM
Extended
AdminP
database
database, click
on “System
Profiles”, and
select “Server
Heartbeat”
Lotus Domino Servers hosting the Extended AdminP database are shown with their full Lotus Notes abbreviated
names, and win2k3 file servers are shown using their short “common” names.
The highlighted entry is a win2k3 file server, and the “status” column shows that the service is running, as well as
the last time the service updated this heartbeat record.
This is a useful test of the functionality of the service, without having to create any FirM transactions.
Share Names
When the FirM AD service runs, it is passed (from the FirM processor, which calculates the share information
based on the FirM AD User Create profile) a directory name of the form:
\\<servername>\<sharename>\<userDirectory>
Where <servername> is the name of the win2k3 file server, the “shareName” is the name of the windows file
share hosting all the users directories, and the <userDirectory> is the name of the directory we shall create for
the user.
For instance
“\\aphrodite\users\Mike Rondin”
indicates the directory “Mike Rondin” in the share “users” on server “Aphrodite”.
This means that the share “users” must be created on this file server and point to a valid directory on the server,
for the FirM AD to be able to establish what that directory is and then create the subdirectory “Mike Rondin”
Walkthroughof transaction
To create new request, select“New Request” and click forward to the
request selection dialog. Now select ‘AD User Create’.
The requester may be prompted for the name of an AD User Create
Profile. Select one and click “Forward”
FirM Processing
The Requester of the transaction will be compared against the
Requester and Administrators fields in the User Create profile. If the
Requester is not allowed to submit this request then it will fail.
Processing will check that all relevant information is present in the
request. If vital information is missing (this should not be possible)
then the request will fail, detailing the reasons for failure in the FirM
log and also in the request.
The processor makes exhaustive checks to ensure that the user names requested (Login Name, Common Name -
all are configurable in the AD User Create Profile) are unique across Active Directory.
The Requester then constructs the user object in Active Directory, setting all relevant AD Person object fields. Any
static or dynamic ‘fields’ specified in the AD User Create profile, is also applied, replacing ‘tokens’ with run-time
variables as necessary.
The user’s initial password is stored in the encrypted Password Repository.
A UUP (Resend User ID and Password) request is constructed which will mail the user’s AD Password to the
Password recipients listed in the initial request.
Zero or more AD Group Manage Member requests are created to add the user to groups specified in the AD
User Create profile.
Using the AD User Create profile, the correct Location profile is examined to establish the target file server. If
more than one target mail server is listed, the target server with the most amount of percentage free disk space is
used as the target server (load balancing).
An Extended Admin4 request is then issued to create the user’s Home and Profile Directories.
Once processing has completed then any people specified within the Notification list for the relevant group profile
will be sent an email telling them that the group has been created.
The request will remain in the state ‘Pending Sub transaction’ until the AdminP requests and the Extended AdminP
Requests have completed. It will then progress to ‘Complete’.
As with all FirM requests, logging information at every stage is created in the Log Database, Audit trail records are
created in the Audit Database, and Billing information is created in the Billing Database.
AD User Disable
AD User Disable create allows a Requester to disable a user in Active Directory.
Details relating to the notification of completion of this transaction are stored in the AD User Disable profile
documents.
Walkthroughof Transaction
If the requesteris allowed to use more than one AD Disable User
profile, the requesteris prompted as to which profile should be used.
FirM Processing
The Requester of the transaction will be compared against the list of
valid Requesters defined in the AD User Disable Profile document. If
the Requester is not allowed to submit this request then it will fail. A
similar check is performed against the Authoriser of the request.
Processing will check that all relevant information is present in the
request. If vital information is missing (this should not be possible) then
the request will fail, detailing the reasons for failure in the FirM log and also in the request.
The processor then find the selected user within the AD environment, and sets the “Disabled” flag to 'true'.
Once processing has completed then any people specified within the Notification list defined in the profile will be
sent an email telling them that the request has succeeded.
AD User Enable
AD User Enable create allows a Requester to enable a user in Active Directory.
Details relating to the notification of completion of this transaction are stored in the AD User Enable profile
documents.
Walkthroughof Transaction
If the Requesteris permittedto use more than one AD Enable profile,
the Requesteris prompted as to which profile to use.
FirM Processing
The Requester of the transaction will be compared against the list of
valid Requesters defined in the AD User Enable Profile document. If the
Requester is not allowed to submit this request then it will fail. A similar
check is performed against the Authoriser of the request.
Processing will check that all relevant information is present in the
request. If vital information is missing (this should not be possible) then
the request will fail, detailing the reasons for failure in the FirM log and also in the request.
The processor then find the selected user within the AD environment, and sets the “Disabled” flag to 'false'.
Once processing has completed then any people specified within the Notification list defined in the profile will be
sent an email telling them that the request has succeeded.
Walkthroughof Transaction
If the requesteris allowed to use more than one AD Reset User
Password Profile, he will be prompted for the AD Reset Password
Profile to use.
FirM Processing
The Requester of the transaction will be compared against the list of
valid Requesters defined in the AD User Reset Password Profile
document. If the Requester is not allowed to submit this request then it
will fail. A similar check is performed against the Authoriser of the
request.
Processing will check that all relevant information is present in the
request. If vital information is missing (this should not be possible) then
the request will fail, detailing the reasons for failure in the FirM log and also in the request.
The processor then find the selected user within the AD environment, and sets the user password to the one
specified by the Requester.
Once processing has completed then any people specified within the Notification list defined in the profile will be
sent an email telling them that the request has succeeded.
AD User Modify
AD User Modify allows a Requester to modify a user in Active Directory.
Details relating to the notification of completion of this transaction are stored in the AD User modify profile
documents.
Walkthroughof Transaction
If the Requesteris allowed to use more than one AD Modify User
profile, the Requesteris prompted to select which AD Modification
profile is most relevant for this target user.
The requester then selects a user (using the AD User picker button) to
modify.
FirM Processing
The Requester of the transaction will be compared against the list of
valid Requesters defined in the AD User Modification Profile document.
If the Requester is not allowed to submit this request then it will fail. A
similar check is performed against the Authoriser of the request.
Processing will check that all relevant information is present in the
request. If vital information is missing (this should not be possible) then the request will fail, detailing the reasons
for failure in the FirM log and also in the request.
The processor then find the selected user within the AD environment, and modifies the specified attributes to the
values selected by the Requester.
Once processing has completed then any people specified within the Notification list defined in the profile will be
sent an email telling them that the request has succeeded.
AD Group Create
AD Group Create allows a Requester to create a group in Active Directory.
Details relating to the notification of completion of this transaction are stored in the AD Group Create profile
documents.
Walkthroughof Transaction
If the requesteris allows to use more than one AD Group Create
profile, he is prompted for the one to use in this transaction.
Walkthroughof Transaction
If the requesterhas a choice in AD Group Delete profiles,select the
relevant group delete profile:
FirM Processing
The Requester of the transaction will be compared against the list of
valid Requesters defined in the AD Group Delete Profile document. If
the Requester is not allowed to submit this request then it will fail. A
similar check is performed against the Authoriser of the request.
Processing will check that all relevant information is present in the
request. If vital information is missing (this should not be possible) then
the request will fail, detailing the reasons for failure in the FirM log and also in the request.
The processor then ensure that a group of this name already exists. It then removes the group from the Active
Directory environment.
Once processing has completed then any people specified within the Notification list defined in the profile will be
sent an email telling them that the request has succeeded.
AD Group Modify
AD Group Modify create allows a Requester to modify a group in Active Directory.
Details relating to the notification of completion of this transaction are stored in the AD Group Modify profile
documents.
Walkthroughof Transaction
If the requesterhas the choice of relevant AD Modify profiles,he
should choose the most relevant profile:
FirM Processing
The Requester of the transaction will be compared against the list of
valid Requesters defined in the AD Group Modification Profile
document. If the Requester is not allowed to submit this request then it
will fail. A similar check is performed against the Authoriser of the
request.
Processing will check that all relevant information is present in the request. If vital information is missing (this
should not be possible) then the request will fail, detailing the reasons for failure in the FirM log and also in the
request.
The processor then ensure that a group of this name already exists. It then updates the groups attributes to reflect
the changes requested.
Once processing has completed then any people specified within the Notification list defined in the profile will be
sent an email telling them that the request has succeeded.
This dialog defines the list of users – using hierarchical wildcards such as
“*/Acme”, or groups – the list of NOTES user ID's which are allowed to
authorise this transaction. Should a person who's name appears in both
the Requesters and Authorisors list submit a transaction
People listed in the Notification tab (using their Notes ID name) will be
notified should any transaction using this profile succeed.
The “Defer” tab defines whether or not transactions using this profile
are allowed to be deferred to a future date, and if so, the default date
which should appear to the requester.
AD User Create
The Active Directory User Create profile allows the definition of Active Directory user create transactions. These
transactions create new user objects in your Active Directory environment.
AD User Disable
The Active Directory User disable profile only prompts you to define
the name and description. All authorisation for this activity is defined
using the (common) Authorisation tab.
AD User Enable
The Active Directory User enable profile only prompts you to define
the name and description. All authorisation for this activity is defined
using the (common) Authorisation tab.
AD User Modify
The 'Details' tab of Active Directory User Modification profile prompts
you to define the name and description. Remember - all authorisation
for this activity is defined using the (common) Authorisation tab.
The “Fields” tab allows you to define which AD User Object attributes
will be updated for the target user. In this case, we are hard-coding the
'company' and 'homePhone' attributes to values defined in the profile.
Two buttons - “K” and “D” - are available. The “K” button pops up a list
of attributes available for modification, and the “D” button allows you to
use the dynamic field helper to build one or more prompts for the requester at run-time. Each attribute defined in
each prompt will be updated by the AD User Modification transaction.
AD Group Create
The 'Details' tab of Active Directory Group Create profile prompts you
to define the name and description. Remember - all authorisation for
this activity is defined using the (common) Authorisation tab.
AD Group Delete
The 'Details' tab of Active Directory Group Delete profile prompts you
to define the name and description. Remember - all authorisation for
this activity is defined using the (common) Authorisation tab.
AD Group Modify
The 'Details' tab of Active Directory Group Modification profile
prompts you to define the name and description. Remember - all
authorisation for this activity is defined using the (common)
Authorisation tab.
Architecture.
The FirM BlackBerry interface relies on the BlackBerry Enterprise Server Resource kit (BRK). A copy of this kit has
to be installed on the FirM primary (and optionally secondary) processing servers.
BES Serv er 1
Domino
BES Serv er 2 Hand set
BES Serv er 3
BRK Client
Requests entered in the FirM request processor database are then processed on the FirM primary processing
server. This server, once the request has been validated will then make calls to the BlackBerry Resource Kit client
executable. This in turn will make network calls to the relevant BlackBerry Enterprise Server on your intranet, and
perform the required transactions.
From a network perspective, this means that the FirM Processing Server(s) and all BlackBerry Enterprise servers
require to be able to communicate with each other, using whatever network protocol is utilised by the BES server.
As all BlackBerry components are windows based, this does mean that the FirM Primary and Secondary processing
Domino servers also have to be windows based.
Authorisation
The Authorisation process for BlackBerry transactions mirror that for Domino User transactions:
● A list of potential Requesters are defined on the relevant transaction profile document. Only Requesters
listed on that transaction document can create transactions based on that profile.
● A list of Authorisers is listed on that transaction. If a requester is also on the list of Authorisers, then the
transaction is immediately processed.
● A list of name masks is defined on the profile document, showing who this transaction can be applied
against, using that users Lotus Notes name.
BlackBerry Provision
BlackBerry Provision allows you to associate a Lotus Domino mail user with a new BlackBerry device.
To create new request, select“New Request” and click forward to the request selection dialog. Now select
‘BlackBerry Provision’.
The requester may be prompted for the name of a user create profile. Select one and click “Forward”
If the users home mail server is associated with more than one location,
then the requester is prompted to select the location that the user is
actually associated with (in order to choose the correct BlackBerry
Enterprise server). If the user's mail server is only associated with one
location, then that location will be displayed.
An activation password is generated, which the requester may optionally
override.
Once completed, the requester should click “Forward”
BlackBerry Enable
This transaction enables “Mobile Data Service” for a BlackBerry handset user. This is enabled by default when a
new user is created – therefore this transaction is only of value if a BlackBerry handset user has previously been
disabled.
To create new request, select“New Request” and click forward to the request selection dialog. Now select
‘BlackBerry Enable’.
The requester may be prompted for the name of a BlackBerry Enable profile. Select one and click “Forward”
Select the user you wish to enable, and click Forward.
BlackBerry Disable
This transaction disables “Mobile Data Service” for a BlackBerry handset user. This is of value if a user does not
wish to use their BlackBerry handset for a short period of time – say – whilst on vacation.
To create new request, select“New Request” and click forward to the request selection dialog. Now select
‘BlackBerry Disable’.
The requester may be prompted for the name of a BlackBerry Disable profile. Select one and click “Forward”
Select the user you wish to disable, and click Forward.
BlackBerry Delete
This transaction deletes the association between the BlackBerry server and a Lotus Domino mail user.
To create new request, select“New Request” and click forward to the
request selection dialog. Now select ‘BlackBerry Delete’.
The requester may be prompted for the name of a BlackBerry Delete
profile. Select one and click “Forward”
Select the user you wish to delete, and click Forward.
BlackBerry Provision
The BlackBerry Provision Profile allows you to define:
● The name of this profile
● which one of the BlackBerry Enterprise Server
handset profiles (defined in the BlackBerry section
of the configuration document – see page 40) handsets provisioned from this profile will be set to.
BlackBerry Enable
BlackBerry Disable
The BlackBerry Disable Profile allows you to define:
● The name of this profile
BlackBerry Delete
Architecturally, it comprises two databases. These databases should be replicated to each server (and any
intermediate server on your replication path) upon which you wish to measure and track application usage.
To open the Application Monitor database, open the database “firmapplicationmontior.nsf” in your FirM
directory on the main FirM processing server, or click on the Icon.
The “Size” tab shows size information for this instance, and when it was last
updated.
The “ACL” tab shows all instances of this database. Double clicking on one shows
the current ACL of this database:
The “ACL Log” tab shows all ACL modifications for all
instances of this application.
The “Used By” Tab shows usage information for this database,
and allows easy access to the Application Usage database to
highlight actual user usage.
Clicking on the “Submit” button then submits the request and shows its status:
This request has now been successfully created, and is awaiting processing.The “Stop” button allows you to close
this window.
FirM transactionCodes
The following FirM transactions have the ability to be imported via the CSV import interface.
transaction
DDODuration Yes The time, in days, that a DDO should be allowed
access to this users mail file
DataOwner Yes The name of the data owner
An example CSV file for a User Grant Mailfile Access transaction would look like:
Transaction, TransactionProfile, UserName, DDODuration, DataOwner
“UMA, “Default UMA Profile”, “Joe Bloggs/MyCo”, 3,“My Boss/MyCo”
This transaction would allow “My Boss/MyCo” access to “Joe Bloggs/MyCo”’s mailfile fot three days.
Note that a valid Group Manage Members transaction must have at least one of the non-mandatory fields defined
to be valid and effect any changes
BlackBerryProvision Defintion
Header Text Mandatory Comments
Transaction Yes BPR
TransactionProfile Yes A BlackBerry Provision profile defined in FirM
UserName Yes A fully hierarchical name identifying the user for this transaction
Password Yes The users activation Password for Blackberry
Location Yes The name of a location (as you have defined within FirM) that the
users home server is associated with, and has a BlackBerry server
associated with it.
BlackBerryEnable Defintion
Header Text Mandatory Comments
Transaction Yes BEN
TransactionProfile Yes A BlackBerry Enable profile defined in FirM
UserName Yes A fully hierarchical name identifying the user for this transaction
BlackBerryDisable Defintion
Header Text Mandatory Comments
Transaction Yes BDI
TransactionProfile Yes A User Cross Certify profile defined in FirM
UserName Yes A fully hierarchical name identifying the user for this transaction
BlackBerryDelete Defintion
Header Text Mandatory Comments
Transaction Yes BDE
The Shadow Group Monitoring agent provides the engine that periodically checks groups and issues warnings of
changes. This can be configured to run at any periodic interval – hourly, daily,weekly, etc.
The FirM Monitored Group Shadow repository database contains reference copies of the groups and their
contents. Every time the Shadow Group Monitoring agent runs it checks for monitored groups and creates and
deletes these documents as required. If a group's content differs from the contents of it's entry in the shadow
repository then the monitor creates and sends a notification, and then updates the membership contents of the
shadow repository document so that persistent notifications are not created.
The group's entry in the FirM Group Repository contains a check box field that tells the group monitor whether it
should check this group for changes or not.
Finally, the notification profile is the template that is used by the group monitor when it creates notification. You
can tailor this notification to your exact requirements.
Open the firm Group Repository database and select a suitable view to locate the group's entry;
Locate the entry for the group that you want to monitor and double click on it to open the document;
Select the “Details” tab;
Select the check box field “Report unauthorised changes to this group”; and finally
Save and close the group entry
See the sub-section titled “Group Registry” in the “FirM Databases” section on page 174 for more information.
When the Shadow Group Monitor agent next runs, it will create a shadow entry for this group. Whenever the
group membership changes and there is no corresponding FirM Group Manage Members request for the group
then it will report that the group has been modified.
In order for FirM Group Monitoring to be able to monitor a group's content, the group must have been imported
into FirM for management, or the group must have been created using FirM. It is the action of importing or
creating a group that will create the group's entry in the FirM Group Repository.
ID Backup
ID Backup is the process that will actively monitor administration requests that modify the user's ID file, send an
email the user (requesting that they lodge a backup of their ID and password) and process the returned IDs and
passwords so that they are securely stored in FirM's ID and Password repositories.
We recommend enabling this process so that it runs on a periodic basis once per day. The process for ID backup
is as follows:
ID Backup monitors all Administration Process (AdminP) databases for domains managed by FirM for new
requests of type “Rename User”, “Recertify User” and “Update User Password”.
When a request is found ID Backup checks for an outstanding request for the user to lodge the password
& ID. If no current request is found then an email is sent to the user requesting that they lodge their ID
and password. This email contains a rich-text button containing code to return the user's ID and
password. A temporary document is created in the Escrow database – this document contains details of
the status of the backup request, all matching AdminP requests for this user, number of reminders sent,
alternative user names, etc. It has an initial status of “Pending”.
When the end user clicks on the button in the email it will check that they are the mail file owner (this
ensures that incorrect IDs cannot be lodged inadvertently by someone using delegation privileges to
access a mail file), locate the current ID, ask for the password and then create two return emails – one for
the ID file and one for the password. These emails are additionally encrypted (using the public key in the
Escrow database mail-in database document), which ensures that IDs and passwords cannot be
intercepted at any stage of the mail routing.
ID Backup monitors these returned emails, and will then create encrypted documents in the FirM ID and
Password repositories. The email returned from the user is removed, and the temporary backup request
document is updated with a “completed” status.
ID Backup also monitors outstanding notifications with a status of “Pending”. If a response has not been
received from the user within a set period of time then it will send a reminder to the user – the total
number of reminders sent to a user for any outstanding request can be specified in the ID Backup
configuration settings.
Temporary request documents for Completed backup notifications will be retained for a period of time
(in order to prevent repeated requests to back up IDs being triggered by the same AdminP request).
After this time they will be removed from the Escrow database.
Configurationof ID Backup
A few simple steps must be followed to configure and enable ID Backup:
Create a new mail-in database document in your Domino Directory:
The mail-in name must be “escrow”
The domain, server name and file name must point to your copy of the FirM Escrow Agent database
Under the “Administration” tab you will find a section called “Certificates”. You must copy the
public key of the FirM Primary Processing Server into the “Notes certified public key” field (the
server's public key can be found in the “Certified public key” field under the Administration tab of
the server document – this field is only visible for a user with editor or above access, when the
document is in edit mode). Note – if the public key is not present in this document then users will be
presented with a dialog “this email could not be encrypted – ok to send?” when they click on the button in
the backup request email.
Save and close this mail-in database document.
If you are implementing this in a multi-domain environment then you must ensure that this mail-in
database is addressable and can receive encrypted emails from all managed domains.
In the FirM Request Processor database, open the Tools menu, click on the “Config” tab and then click on
the “Edit the System Configuration” link.
Click on the “Admin Settings” tab, and then the “ID Backup” tab underneath this.
Set the following field values:
“AdminP Search Hours” - this sets the number of hours backwards that ID Backup will
search for matching AdminP requests. This should be set as a minimum to the number of
hours between runs of the ID Backup agent, or the longest replication time from any mail
server Admin4.nsf database to the FirM Processing server (whichever is the longer). This
setting ensures that new administration requests cannot be missed by successive runs of the
ID Backup agent.
“Store Retention Hours” - this sets the minimum number of hours that completed
temporary backup-request temporary documents will be retained in the FirM Escrow Agent
database. Set this value so that it is equal to or greater than the AdminP Search Hours field
value.
“Reminder Frequency” - this is the number of days that will elapse between users being
reminded to back their ID file up (if they have not already responded). This should be set
to be a minimum of one day (note – for testing purposes this field can be set to be a
negative number. In this case then the reminder frequency will be in minutes, not days).
“Maximum number of reminders” - this field should be set so that the user does not
continue to receive reminders indefinitely. It sets the maximum number of reminders that
will be sent to the user after the initial backup request.
“Users to Include” - this is a name-mask field, to enable you to set ID Backup to run for
only a specified subset of users in your organisation. Multiple masks can be defined –
separate entries with new lines. Full usernames or wildcard entries are acceptable – note
that it is NOT possible to specify a group in this name mask field.
Save and close the configuration document.
Change to the “System Profiles” sub tab of the “Profiles” section of the tools menu.
Select “System Notification Profiles” in the radio button selection
Scroll down through the profiles and locate the “IDB-RequestBackup” profile.
Select the “Rich Text Footer” tab
Right-click on the button contained within the rich text footer field, and choose “Edit Button” from
the menu. Note – do not left-click on this button as this will attempt to execute the button code. The
lotusscript edit pane will be displayed.
Place your cursor anywhere on a blank line or at the end of a line within the lotusscript code and
insert a space.
Now click anywhere on the notification profile (except for on the button!) and the lotusscript edit
pane will disappear.
Now use the “Tick” button to save and close this notification profile.
The code contained within the button has now been signed with your ID. This should prevent the
end users from receiving ECL warnings when they click on the received button. If a different ID is
used to distribute code within your environment then use this ID to sign the button code – contact
your FirM support representative for help with this step if it is required.
Now change to the “Validation” tab on the Administration Tools menu and click on the “Refresh Agent
Status” button.
Locate the “Process Incoming Escrow IDs” agent and ensure that this agent is disabled (it should have
a red diamond icon against it). If it is currently enabled then this must be disabled before enabling
the ID Backup agent – click on the green diamond icon to disable it.
Now locate the “ID Backup” agent and ensure that it is set to run on the FirM primary processing
server (this can be changed by clicking on the server name and selecting the server from the address
book dialog). Enable the agent for execution by clicking on the red diamond icon.
The ID Backup process is now configured for execution.
All documentsrelating to the ID Backup process can be viewed through the links under the “ID Backup” menu
section.
The “Requests”views show the temporaryrequest documentsthat are created and updated when new AdminP
requests are found by the agents, emails sent to the users and returns processed.
The “Returns”views show the ID Backup emails that are generatedand returned from users when they click on
the button containedwithin the email. These emails are encryptedwith the server's public key, and you will not
be able to access either the ID file or the password containedwithin them. Once they have been processed
then they will be deleted from the database.
The Identifierthat is referred to within these views and documentsis the UNID of the originatingAdminP
request.
ID Escrow
Since Lotus Notes/Domino v6, a “password recovery” mechanism has been
built into the core Lotus Notes product. ID Escrow is the alternative
mechanism within FirM by which end-user ID files can be captured by
leveraging the password recovery mechanism.
ID files captured with this mechanism do not require end-user intervention, but they
do require password recovery to be performed against them before they can be
used to reconstruct a Notes workstation client.
This process must not be enabled if you are running the FirM ID Backup
procedure – ID Backup should be disabled prior to enabling the ID Escrow
process.
To install “Password Recovery” in your Lotus Notes environment, open the
Lotus Notes Administration Help database, and look for the document
entitled “Setting up ID recovery”. The process is:
● To open the administration client
To enable the Automatic User Recertification Engine, enable the agent “Automatic User Recertification. See the
subsection “Validation Tab” in the “Administration Tools” section on page for more information.
Known Issues
This section lists known configuration and installation issues.
AdminP Database
AdminP – do NOT enable “dont support specialised response hierarchy”. This setting
switches off internal support in LotusScript for Response documents. Response
documents are an integral part of AdminP processing and causes ALL AdminP
processes to fail.
FirM manifests this by never being able to find successful AdminP responses to AdminP
requests that FirM generates. Requests appear to never process.
LANG="en_US"
SUPPORTED="en_US.UTF-8:en_US:en"
SYSFONT="latarcyrheb-sun16"
and change the “Lang=” line to “en_US”. This is especiallytrue if this line contains en_US.UTF-8,as Red Hat
linux UTF-8 support appears to be sub optimal. More informationis availableon this page:
http://cc.jlab.org/services/linux/faq.html
Windows XP
On the bottom right hand side of your taskbar, whilst your Lotus Notes client is open, select a language code page
that does not give this error, such as “EN”.
Request Processor
The core engine of FirM. This
contains:
Help Database
A comprehensive Help database.
Log Database
An application-specific log
database that details all activity
performed by both servers and
users.
See the section titled “The Log Database”
on page 169 for more information.
It has a setup and profile dialog – choose “System Profiles” and then
“Extended AdminP Setup”. Fields defined are:
● “Servers to run on”. You can choose “*” meaning that the
Extended AdminP agents will run on all servers upon which
there is an ExAmp replica, or give a list of servers (or groups or
servers).
● “Servers NOT to run on”. This allows you to easily exclude
zero or more servers from the list defined above.
● “Report Faults to”: Provide a list of FirM administrators who
should be notified upon critical error.
Extended AdminP also provides a “heartbeat” function – every time the agents run on the remote servers, they
update a server specific profile document. This profile document is then replicated back to the main processing
server.
Group Registry
A reference database for group
ownership and responsibility.
This maintains the relationships
between Groups and their
profiles.
Each group defined in the registry can be managed by FirM. The Administrator may modify group references in this
database whilst troubleshooting.
● “Prohibit all FirM Management of this group”. This allows you to define this group within FirM but prevent
FirM from ever changing this group. This may be useful for very high-security applications.
Certifier Repository
Encrypted storage for system
certifiers.
Password Repository
The encrypted passwords of
certifiers and user Ids.
ID Repository
An encrypted repository
containing all user IDs created in
FirM.
User ID's are automatically created in this
database by FirM when new users are
created.
This database can also be used to store
other ID files – such as server ID's,
encryption keys and so forth.
An ID document has the following fields
defined:
● ID Type
● Status – active or deleted.
● Name – the full name of the user
object for this ID
● Previous names – if the user has been renamed, this field will contain a list of previous names.
● Description – you may enter a textua description of this ID
document.
● Document Readers – you may further restrict who has access to
this document by defining reader names in this field.
● ID File – a rich text field containing the ID file
● Encryption Key Name – the name of the encryption key used to
encrypt this document. For more information on encryption keys,
see the section “Stage 1 – Encryption Key Creation” on page 12.
● ID Strength – Global or International
● Expires – the ID expiration date
● Allow ID files to be resent. You mayset this to “no” to prevent this ID file being sent out as part of a
“User Resend User ID and Password” request (for more information on this request, see the section
“User Resend User ID and Password” on page 81)
● Comments – used to record system level information about this ID file.
ESCROW Database
The ESCROW database gives the
administrator a convenient mail-in
database for collecting modified
User ID's as part of the ID recovery
process. See the section titled “User ID
Management and Recovery” on page 162 for
more information.
Audit Repository
Stores a full audit history of actions
performed by the system.
Archive Repository
Contains an archive of all
completed and unsuccessful
requests.
Billing Database
Each FirM transaction can be
configured to create billing
transactions, which can help
recharge costs within your
Domino environment.
Application Monitor
A list of all Domino applications in
your environment, highlighting
ACLs and ACL changes
Overview
In order to illustrate how this agent works, consider an environment where there is:
One administration domain – called ‘Admin’.
one production domain – called ‘Production’
One test domain – called ‘Test’.
All relevant transactions created in the ‘Admin’ domain must be copied to the relevant other domain, i.e.
‘Production’ or ‘Test’. These transactions also may spawn other transactions which need to be copied around.
Consider a ‘Rename in Address Book’ AdminP operation. This is initiated with a
‘8’ = ‘Initiate Rename in Address Book’ operation. This AdminP request then has to be copied into the relevant
admin4.nsf database so that it can be processed and accepted by the user’s home server. When the user accepts
this request, then, at least, the following requests are generated:
‘1’ = ‘Rename in ACL’
‘5’ = ‘Rename in Address Book’
‘20’ = ‘Rename in Reader/Author Fields’
Each of these requests may then have to be copied around the environment into other domains to update that
user name in ACL’s, names fields on documents in databases, etc..
So, considering this rename operation, we may wish to push transaction number ‘8’ from the ‘Admin’ domain to the
‘Production’ domain, and then pull transactions 1, 5 and 20 from the production domain back in the ‘Admin’ and
‘Test’ domains.
System ConfigurationVariables
The push around agent is configured using
‘System Configuration’ variables. These are
simple documents located the Tools ‘System
Views’, ‘System Variables’ which allow the
FirM administrator to override default system
behaviour.
N.B. Other than the push around agent configuration, no other variables should be changed unless instructed to do
so by the FirM Support team.
‘AdminPPusharound_<SOURCEDOMAIN>_<RULENUMBER>=<TRANSACTION>,<DOMAIN>,[<DOMAIN>,…
]
Where:
SOURCEDOMAIN is the domain where the request is copied from
RULENUMBER is a two digit number starting at ‘01’, and is used to differentiate rules. Once the push
around agent finds that a rule number is missing for a particular domain, the agent will assume that the
rules have been exhausted for this domain. It is therefore important to number your rules uniquely and
sequentially starting at ‘01’, then ‘02’, etc..
TRANSACTION is the AdminP Request transaction number.
DOMAIN is the target domain to which this AdminP request should be copied. There are also two
special keywords that can be used instead of the domain name:
o The string ‘<ALL>‘ means copy this request to ALL other domains.
o The string ‘<TARGETDOMAIN>’ means that the push around agent will attempt to find this
object and only copy it to the relevant target domain.
Multiple domains can be specified, separated by the comma character ‘,’.
End If
End Function
Using the CSV interface pro grammatically
This section is intended to document how the Federated Identity and Resource Manager (FirM) can be extended,
by allowing customers to inject new requests pro grammatically.
It should be noted that this interface is quite simple, and allows requests to be built as specified in the CSV
interface. For more information on the CSV interface see section 20 - “The CSV interface”.
A more complex, full API allows full interaction with FirM, and is used to build fully-featured GUI's in Lotus Notes
and HTML clients.
CSV Introduction
In order to use the CSV LotusScript interface, some background description is required.
A "Comma Separated File" is a text file, typically generated by spreadsheets. Usually, the first row (the "header
row") defines keywords, and second and subsequent rows define data per record.
For instance:
"Transaction", "TransactionProfile", "UserName"
"UDI", "User Disable", "Bill S Buchan/HADSL"
is a fairly simple, complete example of a CSV file. (I've added the <TAB> character between columns to help
differentiate columns -these are not required.)
The FirM CSV interface allows you to import one or more transactions, of any kind, and convert them into valid
FirM transactions (should they pass validation and testing). This means that the CSV interface has to use the header
fields to establish what the data means. This also means that the columns can be in any order
All currently supported transaction types and field definitions are listed in the FirM administration manual.
In some instances, some fields may contain more than one logical value. In this case, separate the values WITHIN
the data field with a semicolon character. For instance, this example has two separate names in the same data field.
This will be converted into a multi-value field by the interface.
..., "MembersToAdd", ...
..., "Joe Bloggs/Acme; Fred Bloggs/Acme", ...
The important note is that the data line fields have to correspond to
the same order as the header fields.
Creating an Agent to programmatically create requests
There now follows an example LotusScript agent demonstrating the CSV
interface.
(options)
option public
option declare
Use "class:IMFactoryClass"
Use "class:IMCSVImport"
sub initialise()
dim IMF as variant
' Items in GREEN in this listing illustrate the calls to the FirM API. All other
' lines are normal Lotusscript operations.
' Now print out the errors that FirM has returned to us, one line at a
time.
Forall thisError In E
Print thisError
End Forall
' The following line writes to the FirM log file, flagging the
' message as an error
Call IMF.cLog.Write(LOG_LEVEL_ERROR, "Initialise: Failed to apply CSV line")
Else
Call IMF.cLog.Write(LOG_LEVEL_VERBOSE, "Initialise: Applied CSV line")
' This call flags the current log document with our transaction type.
Call IMF.cLog.setCurrentRequestSummary("UDI")
End If
end Sub
Create FirM requests from your own programs.
FirM includes a full LotusScript Application Programming interface (API). Documentation for this API is available on
request from HADSL. FirM itself uses this interface to create its own user interface, and therefore anything that can
be done from the user interface can be enabled via the API.
This API allows you to create and monitor requests in FirM as if the requests were created using a Notes client.
This is useful in enabling existing processes to create FirM requests to manage your Domino environment.
Example agent
Add the class library ‘class:IMFactoryClass’ to your existing lotusscript code by including the statement:
use ‘class:IMFactoryClass’
in the ‘options’ section of your code Initialise the FirM classes by creating a new instance of the IMFactoryClass
object:
dim IMF as new IMFactoryClass(strTargetserver, _ strTargetDatabase)
Note that you have to pass the name of the target server, and the database path name, of the IMFactory ‘requests’
database for the IMFactory object to successfully construct itself.
If you choose to put your agent in the FIRM database itself, you can replace the servername and database name
with a blank string:
dim IMF as new IMFactoryClass(””, ””)
Check, by calling the IMFactoryClass::isFactoryValid() that the factory has initialised correctly
if (not IMF.isFactoryValid()) then
msgbox ‘The factory failed to initialise’
exit function
end if
Create a new request by instantiating a new IMRequestClass object
dim IMR as Variant
set IMR = IMF.getRequestClass()
Set the request Type and who the requestor is
Call IMR.SetRequestType("UCR")
Call IMR.setRequestorAsMe()
Set the User Create profile name you wish to use. This is the name of an existing Profile for this type of
transaction:
call IMR.setProfile(‘My User Create Profile Name’)
Set the new request type, and gain an instance of the sub-request class type by:
dim IMUCR as Variant
set IMUCR = IMR.getRequestObject()
Now set the data for the sub-request class type. In this instance, we're setting up a User Create Request
Call IMUCR.setFirstname("Derek")
Call IMUCR.setMiddleInitials("D")
Call IMUCR.setLastName("Test ")