Setting access control for Symantec AntiVirus/Filtering 3.1.x for Domino or a Symantec Mail Security for Domino database

Article:TECH79850  |  Created: 2002-01-08  |  Updated: 2009-01-10  |  Article URL http://www.symantec.com/docs/TECH79850
Article Type
Technical Solution

Issue



To maintain security in your Lotus Domino environment, restrict access to the Symantec AntiVirus/Filtering 3.1.x for Domino or Symantec Mail Security 5.x, 7.x, 8.x for Domino databases to administrators only. Do this by setting the access control list (ACL) for the following databases:
  • Symantec Domino Settings (Sav.nsf)
  • Symantec Domino Log (Savlog.nsf)
  • Symantec Domino Help (Savhelp.nsf)
  • Symantec Domino Definitions (Savdefs.nsf), if used
  • Symantec Domino Quarantine (Savquar.nsf)


Solution



Beginning with the Settings database, set access control for each Symantec Domino product database.

To set access control for Symantec Domino databases
  1. Log on to the account that you plan to use to administer the Symantec Domino product.
  2. In the Lotus Notes workspace, right-click the Settings database, then click Database > Access Control.
  3. In the Access Control List window, add yourself or other users as necessary to the Access Control List as Managers with Delete Documents rights. The user type must be set to "Person".
  4. Change the default access level to No Access.
  5. Repeat steps 1 through 4 for the rest of the Symantec Domino product databases.

Assigning Quarantine Roles
The Quarantine database requires that you also assign Roles to Quarantine database users. These Roles restrict access to the various Quarantine views and control who can release documents from the Quarantine. If you are setting access control for the Quarantine database, assign Roles to the groups and users who use the Quarantine. For example, many of your users may be assigned Roles that let them view all documents containing content violations or virus infections in either the Quarantine or Backup views, but restrict them from viewing the actual content of the content violations. You assign Roles to the users of the Symantec Domino product through the Access Control List of the Quarantine database.


Note: If a user is not assigned these roles, they will not see any documents in the database. LocalDomainServers must also have these Roles in order for the database to replicate.

You can assign the following Roles:
  • CFViewer: Lets the user read and enter comments about Quarantined and Backup documents containing content violations, but restricts the user from viewing the content that triggered the violation.
  • CFContentViewer: Gives the user CFViewer access plus the rights to open a view that contains the actual content that triggered the violation, but restricts the user from releasing the document to its original database.
  • CFReleaser: Gives the user CFContentViewer access plus the rights to release a Quarantined document containing a content violation to its original database without causing Symantec Domino to rescan it and quarantine it again.
  • VirusViewer: Lets the user read and enter comments about Quarantined and Backup documents containing virus infections, but restricts the user from releasing the documents to their original databases.
  • VirusReleaser: Gives the user VirusViewer access plus the rights to release Quarantined documents containing virus infections to their original databases as long as the infection has been removed from the document. Released documents are rescanned for viruses.

Only users who have the appropriate Role assignments can view, manage, or release Quarantined documents. Roles are hierarchical. For example, users who have the CFViewer Role can manage the document to some extent, but they can't view the text of the violation or release the document unscanned to its original database. Users who have the CFContentViewer Role can do everything but release the document, while users who have the CFReleaser Role can do everything, including release the document.

As long as users have CFViewer and VirusViewer Role assignments, they can view and manage Backup documents.

You must manually add the appropriate persons or groups to the Access Control List of the Quarantine database and assign them the appropriate Quarantine Roles. You should see all of the Quarantine Roles in the LocalDomainServers group and the current server. If you don't, then add these Roles to the group that you use instead; otherwise, the database does not replicate properly.

To assign Roles to Quarantine database users
  1. Log on to the account that you plan to use to administer the Symantec Domino product.
  2. In the Lotus Notes workspace, right-click the Quarantine database, then click Database > Access Control.
  3. In the Access Control List window, make sure that the appropriate persons or groups to manage the Quarantine are added to the Access Control List as Managers with Delete Documents rights.
  4. If you have not already done so, in the Access Control List window, change the default access level to No Access for each person or group to manage the Quarantine.
  5. In the Access Control List window, under Roles, select one or more Roles for each person or group to manage the Quarantine.
  6. In the Access Control List window, click OK.
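
The following check is an added example, not Symantec code: it audits an ACL snapshot against the rules in this article (default No Access, Managers with Delete Documents, at least one Quarantine Role per user, all Roles on LocalDomainServers). The dictionary layout, the user and group names, and the function names are assumptions made for illustration; the sample data is constructed.

```python
# Added example: audits a constructed ACL snapshot against this article's rules.
# The dict layout and the names in SAMPLE are assumptions, not a Domino format.
ALL_ROLES = {"CFViewer", "CFContentViewer", "CFReleaser",
             "VirusViewer", "VirusReleaser"}
# Each role includes the access of the role it maps to (per the role list).
INCLUDES = {"CFReleaser": "CFContentViewer", "CFContentViewer": "CFViewer",
            "VirusReleaser": "VirusViewer"}

def effective_roles(assigned):
    """Expand assigned roles through the hierarchy the article describes."""
    out = set()
    for role in assigned:
        while role is not None:
            out.add(role)
            role = INCLUDES.get(role)
    return out

def audit_acl(db, acl, quarantine=False):
    """Return findings for one database; an empty list means it conforms."""
    findings = []
    if acl.get("-Default-", {}).get("level") != "No Access":
        findings.append(f"{db}: default access level is not No Access")
    for name, e in acl.items():
        if name in ("-Default-", "LocalDomainServers"):
            continue
        if e["level"] != "Manager" or not e.get("delete_documents"):
            findings.append(f"{db}: {name} is not Manager with Delete Documents")
        if quarantine and not effective_roles(e.get("roles", [])):
            findings.append(f"{db}: {name} has no Quarantine role, sees no documents")
    if quarantine:
        servers = acl.get("LocalDomainServers", {}).get("roles", [])
        missing = ALL_ROLES - set(servers)
        if missing:
            findings.append(f"{db}: LocalDomainServers lacks {sorted(missing)}")
    return findings

# Constructed sample data for Savquar.nsf.
SAMPLE = {
    "-Default-": {"level": "Reader", "roles": []},
    "Admin One/Example": {"level": "Manager", "delete_documents": True,
                          "roles": ["CFReleaser", "VirusViewer"]},
    "Help Desk": {"level": "Manager", "delete_documents": True, "roles": []},
    "LocalDomainServers": {"level": "Manager", "delete_documents": True,
                           "roles": ["CFViewer", "CFContentViewer", "CFReleaser",
                                     "VirusViewer"]},
}

if __name__ == "__main__":
    for line in audit_acl("Savquar.nsf", SAMPLE, quarantine=True):
        print(line)
```

For the non-Quarantine databases, call audit_acl without quarantine=True so that only the default access level and the Manager entries are checked.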






Legacy ID

2002040816132054

