fighting for truth, justice, and a kick-butt lotus notes experience.

Traveler 9.0.1.18 needs Editor access under Maximum Internet Access ACL settings

 13 July 2017 15:10:19
A customer called me today because he was having trouble with a few of his Traveler users.
After updating IBM Traveler to v9.0.1.18, users are no longer able to sync, and deleting these Traveler devices (using the traveler delete command) no longer works.

When trying to delete the Traveler user using:

tell traveler delete * Detlev Poettgen


He gets these errors on the console:

Traveler: SEVERE  Detlev Poettgen[*] NotesException Notes error: You are not authorized to perform that operation
                          id=4000 occurred trying to access device profiles Exception Thrown: Notes Exception(4000) : Notes error: orized to perform that operation
Traveler: SEVERE  Detlev Poettgen[*] NotesException Notes error: You are not authorized to perform that operation
                         id=4000 occurred trying to access device security profiles Exception Thrown: Notes Exception(4000) : Note not authorized to perform that operation



With Traveler 9.0.1.18, IBM enabled the Run-as-User function, which changes the way Traveler accesses the user's mail database:


Starting with IBM Traveler 9.0.1.18, the new run as user feature will now be enabled by default. When running as the user, the Traveler server will access the user's mail file as the user ID instead of the server ID.

This feature resolves several long standing issues with accessing the user's mail file as the server ID, including:
  • Honor ACL controls on mail file and corporate lookup for the user.
  • Prevent event notices and automated responses from being sent from the server ID.
  • Prevent the server ID from being assigned as the owner of the mail profile when there is no owner defined.

Important:
For run as user feature to function properly, the Traveler server must be listed as a trusted server in the user's Mail Server document.


So we first checked whether the Traveler server was listed as a Trusted Server in the mail server document.
That was all fine, and other users located on the same mail server were able to sync.

Looking at the ACL of the user's mail database, we quickly found the reason:


For the user's mail database, the Maximum Internet name and password access was set to Reader.
After changing it to Editor, the user was able to sync again and the traveler delete command worked again.
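
To find every user hitting the same denial after the upgrade, the console log can be scanned for the error signature quoted above. The following is an added example, not part of the original post: the log text is a constructed sample modelled on that output (the "Example User" names and the INFO line are invented), and a hit only marks a mail file whose ACL and trusted-server setup should be reviewed.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the console output quoted in the post;
# "Example User ..." entries and the INFO line are invented for illustration.
SAMPLE_LOG = """\
Traveler: SEVERE  Detlev Poettgen[*] NotesException Notes error: You are not authorized to perform that operation
                          id=4000 occurred trying to access device profiles Exception Thrown: Notes Exception(4000)
Traveler: SEVERE  Detlev Poettgen[*] NotesException Notes error: You are not authorized to perform that operation
                         id=4000 occurred trying to access device security profiles Exception Thrown: Notes Exception(4000)
Traveler: INFO  Example User One[Android_1] Sync completed
Traveler: SEVERE  Example User Two[iPhone_2] NotesException Notes error: You are not authorized to perform that operation
                         id=4000 occurred trying to access device profiles Exception Thrown: Notes Exception(4000)
Traveler: SEVERE  Example User Three[*] NotesException Notes error: Server not responding
"""

HEAD = re.compile(r"^Traveler:\s+(?P<sev>[A-Z]+)\s+(?P<user>.+?)\[(?P<device>[^\]]*)\]\s+(?P<msg>.*)$")
DENIED = "You are not authorized to perform that operation"
TARGET = re.compile(r"id=4000 occurred trying to access (?P<what>.+?) Exception Thrown")

def join_wrapped(text):
    """Re-attach indented continuation lines to the entry they belong to."""
    entries = []
    for line in text.splitlines():
        if line[:1].isspace() and entries:
            entries[-1] += " " + line.strip()
        elif line.strip():
            entries.append(line.rstrip())
    return entries

def denied_users(text):
    """Map user -> sorted list of resources that failed with Notes error 4000."""
    hits = defaultdict(set)
    for entry in join_wrapped(text):
        m = HEAD.match(entry)
        if not m or m["sev"] != "SEVERE" or DENIED not in m["msg"]:
            continue  # other severities and other Notes errors are ignored
        t = TARGET.search(m["msg"])
        hits[m["user"]].add(t["what"] if t else "unknown")
    return {user: sorted(what) for user, what in hits.items()}

if __name__ == "__main__":
    for user, what in denied_users(SAMPLE_LOG).items():
        print(f"{user}: review mail file ACL ({', '.join(what)})")
```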


Update 17.07.2017:


During the last few days I was asked how you can check whether all your Traveler users have Maximum Internet name and password access set to Editor.

As far as I know, there is no out-of-the-box solution available from IBM. The Admin-Client will not show this ACL setting in a view and catalog.nsf will not contain this setting.

So I created a small database, QuickFix for Traveler, which will query the mail databases of all Traveler users and show some consolidated database properties (Size, Quota, Template, ACL, Owner, Soft Deletions, Max. Internet Access, #Documents).
From there you can select the databases with Max. Internet access lower than Editor and it will fix it for you.

If you want to use this database, too, just drop me an email or leave a comment with your mail address. I will send you the QuickFix for Traveler app.





 



Comments

1 Bernd Steidele  13.07.2017 16:27:37  Traveler 9.0.1.18 needs Editor access under Maximum Internet Access ACL settings

Hi Detlev,

Thanks for sharing this information. Do you know a quick way to list the Internet access level of all mail files?

2 Brian  13.07.2017 17:56:34  Traveler 9.0.1.18 needs Editor access under Maximum Internet Access ACL settings

Welcome to borrow from this code.

Create an Agent in the Domino Directory.

Runtime: Action menu selection

Target: All selected documents

'Admin\Inspect User Mail Database properties:

Option Public
Option Declare

' === HOW TO RUN ===
'Open the Domino Administrator client. Enable the option for Administration > Full Access Administration.
'Return to the Notes client, and open the Domino Directory's People view.
'Select one or more Person documents in the Domino Directory.
'Then run this agent from the actions menu. It will inspect the mail database for each Person selected.

'This agent will:
'1) re-write the "soft delete timer" directly to the database properties, and also to the CalendarProfile document.
'2) verify the maximum internet access level as Editor. (Required for Lotus Notes Traveler 9.0.1.18)

'About: Users edit their CalendarProfile profile document very often. For example, if they edit a Mailrule, the settings
' are compiled back to the CalendarProfile profile document. Adminp process also tries to write to the CalendarProfile
' when Adminp applies the Policy for trash expiration. Adminp is not always successful.
' You may need to run this agent a few times, on different days, until the change is replicated down to the user's client, without any conflicts.

Dim session As NotesSession
Dim nab As NotesDatabase
Dim softDeleteHours As Integer
Dim memoLog As NotesDocument
Dim memoLogBody As NotesRichTextItem

Sub Initialize
    'soft delete timer for all mailboxes (change if needed)
    softDeleteHours = 992

    Set session = New NotesSession
    Set nab = session.CurrentDatabase

    'init log
    Set memoLog = New NotesDocument( nab )
    Set memoLogBody = New NotesRichTextItem( memoLog, "Body" )

    'prevent other users from running this agent (change if needed)
    'If Not( session.CommonUserName = "Brian Green" ) Then
    'Print "you are not authorized to run this agent (see LotusScript code)"
    'Exit Sub
    'End If

    'collect the selected documents in the view
    Dim dc As NotesDocumentCollection
    Set dc = nab.UnprocessedDocuments
    If( dc Is Nothing ) Then Exit Sub
    If( dc.Count = 0 ) Then Exit Sub

    'process each Person document
    Dim personDoc As NotesDocument
    Set personDoc = dc.GetFirstDocument
    While Not( personDoc Is Nothing )
        If( Cstr(personDoc.GetItemValue("Type")(0)) = "Person" ) Then
            Call SetMailboxInfo( Cstr(personDoc.GetItemValue("MailFile")(0)) )
        End If
        'next
        Set personDoc = dc.GetNextDocument( personDoc )
    Wend

    'email the log information
    Call memoLog.ReplaceItemValue( "SendTo", session.UserName )
    Call memoLog.ReplaceItemValue( "Subject", "Domino Directory report" )
    Call memoLog.Send( False )

    Print "Done"
End Sub

Sub SetMailboxInfo( filepath As String )
    If( filepath="" ) Then Exit Sub

    On Error Goto ErrHandle

    Dim myUndeleteExpireTime As String

    'Inspect the soft delete timer for the database, and update the database property if needed.
    Dim mailDb As NotesDatabase
    Set mailDb = New NotesDatabase( nab.Server, filepath )
    If( mailDb.IsOpen ) Then
        myUndeleteExpireTime = Cstr(mailDb.UndeleteExpireTime)
        If( myUndeleteExpireTime = Cstr(softDeleteHours) ) Then
            'ok
            'Call AppendLog( mailDb.Title + " ... OK, " + myUndeleteExpireTime )
        Else
            'Update the database property
            Call AppendLog( mailDb.Title + " ... RESET, " + myUndeleteExpireTime )
            mailDb.UndeleteExpireTime = softDeleteHours

            'Also update that entry on the CalendarProfile profile document.
            Dim calendarProfile As NotesDocument
            Set calendarProfile = mailDb.GetProfileDocument( "CalendarProfile" )
            If Not( calendarProfile Is Nothing ) Then
                Call calendarProfile.ReplaceItemValue( "SoftDeleteExpireTime", softDeleteHours )
                Call calendarProfile.ReplaceItemValue( "dspSoftDeleteExpireTime", softDeleteHours ) 'this isn't a computed-for-display field, it's a regular field.
                Call calendarProfile.Save( False, False )
            End If
        End If
    End If

    'Check the ACL, for compatibility with Lotus Notes Traveler
    Dim acl As NotesACL
    Set acl = mailDb.ACL

    'must be at least Editor access
    If( acl.InternetLevel < 4 ) Then
        acl.InternetLevel = 4
        Call acl.Save
        Call AppendLog( mailDb.Title + " ... reset maximum internet access to: Editor" )
    End If

    Exit Sub

ErrHandle:
    Print "ERROR - " + filepath + " - " + Error
    Exit Sub
End Sub

Sub AppendLog( txt As String )
    Call memoLogBody.AddNewline( 1 )
    Call memoLogBody.AppendText( Cstr(Now) + " " + txt )
    Print txt
End Sub

3 Detlev Poettgen  13.07.2017 20:21:50  Traveler 9.0.1.18 needs Editor access under Maximum Internet Access ACL settings

Hi Brian,

thx for sharing.

I will send Bernd the customized Agent tomorrow and will post it here.

Thank you

Detlev

4 Jan Krejcarek  14.07.2017 15:49:10  Traveler 9.0.1.18 needs Editor access under Maximum Internet Access ACL settings

Hello, thanks a lot for sharing this. I will pass this to my colleague. We had the same problem with our most prominent user (in the end we reverted Traveler to the old behavior).

Regards,

Jan

5 Jay Marme  17.07.2017 23:36:13  Traveler 9.0.1.18 needs Editor access under Maximum Internet Access ACL settings

Very timely information!

6 Giuseppe  25.07.2017 14:41:44  Traveler 9.0.1.18 needs Editor access under Maximum Internet Access ACL settings

For all who use YTRIA Tools, e.g. the ACL Tool, you can check this property for all databases very quickly.

7 Carsten Lührmann  28.07.2017 11:02:50  Traveler 9.0.1.18 needs Editor access under Maximum Internet Access ACL settings

Any information why this is needed? I thought all Traveler access to the mail files would be via NRPC. Or has it something to do with the Out of Office API?
