Data Access and IBM Notes

By Nigel Cheshire

When Mark Zuckerberg puts on a tie, you know something big is happening. Facebook's been in the news a lot recently, mostly because of concerns around access to data. During his testimony to Congress on April 10 and 11 of this year, Mark Zuckerberg was grilled about what personal data Facebook holds, and in particular who has access to it.

Personally, I've always assumed that anything you post on Facebook is, by its nature, in the public domain, and will be sold to advertisers. After all, that's Facebook's business model, and they make a lot of money. By the way, in the interests of full disclosure, here at Teamstudio we don't use Facebook for advertising, but we do use Google and LinkedIn, both of which companies have similar business models to Facebook's. 

Anyhow, my point is that there's been a big brouhaha in the press recently about access to data, and the recent revelations that your own personal data is effectively available for sale. What's really driven this interest of course is not the fact that Nike could target you for a new pair of running shoes, but the possibility that "foreign actors" could influence the outcome of our elections or referendums.

So what does any of this have to do with IBM Notes/Domino? Notes has arguably one of the best and most configurable security models of any application server environment. Access control lists, execution control lists, roles, groups, readers/authors fields, and the ability to set access control at database or document level give developers and administrators an unequalled level of control over who has access to what.


Well, the problem is that the Notes security model is so configurable, at such a fine level of detail, that it becomes almost impossible to answer the simplest questions about security and access to data. For example, there is no easy way to answer the questions "what databases does user X have access to?" or "who has what level of access to database Y?"

And this stuff matters. When someone leaves the company, you need to make sure you can reliably remove their access to data, and prove that you have done so. In the case of a GDPR subject access request, you may need to be able to prove exactly who has access to a given document in a particular database.

So what's a stressed-out Notes/Domino admin to do? There are some rudimentary tools built into Notes that allow you to get some parts of the information you need. But as soon as you start looking into nested groups, conflicts or duplications between group and explicit access grants, and the potential for conflicts across different domains, the standard tools run out of steam fast.

That's where Teamstudio Adviser can help. By looking at the Effective Access panel in the Catalog module of Adviser, you can quickly see, by user name, who has what level of access to a given database. Nested groups are unraveled and you can see whether the access grant is explicit or via a group or groups. Conversely, by looking at any given user, you can quickly see exactly what level of access that user has to which databases. Adviser will also show you which groups the user is a member of.
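To make the "unraveling" concrete, here is a small added example (not Teamstudio Adviser's code) that resolves effective access for one database from an ACL and a set of nested groups. The group and user names are constructed, and it assumes the Domino conflict rules that an explicit entry overrides group entries and that the highest level wins among groups; roles, wildcard entries and Readers/Authors fields are left out.

```python
# Added illustration: effective ACL access through nested groups.
# All names and data are constructed; precedence rules are stated assumptions.
LEVELS = ["No Access", "Depositor", "Reader", "Author", "Editor", "Designer", "Manager"]

# Constructed directory: group name -> members (users or other groups).
GROUPS = {
    "Sales": ["Alice/Acme", "Bob/Acme", "SalesManagers"],
    "SalesManagers": ["Carol/Acme", "Sales"],   # deliberate cycle back to Sales
    "AllStaff": ["Sales", "Dave/Acme"],
}

# Constructed ACL for one database: entry name -> access level.
ACL = {
    "-Default-": "No Access",
    "AllStaff": "Reader",
    "SalesManagers": "Editor",
    "Bob/Acme": "Depositor",   # explicit entry, lower than Bob's group grants
}

def groups_of(name, groups=GROUPS):
    """Map every group containing name (directly or nested) to its membership path."""
    found = {}
    def walk(member, path):
        for group, members in groups.items():
            if member in members and group not in found:  # 'found' also breaks cycles
                found[group] = [group] + path
                walk(group, [group] + path)
    walk(name, [])
    return found

def effective_access(user, acl=ACL, groups=GROUPS):
    """Return (level, source), where source records how the grant was reached."""
    if user in acl:                       # explicit entry wins, even if lower
        return acl[user], "explicit"
    grants = [(LEVELS.index(acl[g]), " > ".join(path))
              for g, path in groups_of(user, groups).items() if g in acl]
    if grants:                            # highest level among the groups wins
        rank, path = max(grants)
        return LEVELS[rank], "group: " + path
    return acl.get("-Default-", "No Access"), "-Default-"

def access_report(acl=ACL, groups=GROUPS):
    """Answer 'who has what level of access to this database?' for all known users."""
    users = {m for ms in groups.values() for m in ms if m not in groups}
    users |= {n for n in acl if n not in groups and n != "-Default-"}
    return {u: effective_access(u, acl, groups) for u in sorted(users)}
```

Bob's result is the case that audits tend to miss: his explicit Depositor entry masks the Editor access he would otherwise inherit, so removing that one entry silently raises his access.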

Effective Access is just one small part of what Adviser can help you understand about your Notes/Domino application environment. It also reports on database usage and application design complexity, and can even combine those aspects with business value data to come up with guidance for the future path of each application (retain, archive, retire, etc.).

Mark Zuckerberg is not the only person who could be put on the spot and asked awkward questions about who has access to the data under his control. To learn more about Teamstudio Adviser, or any of the tools we have available to help manage, maintain or migrate your Notes/Domino applications, click the button below. We'd love to chat!