
Detlev Poettgen

 

Traveler 9.0.1.18 needs Editor access under Maximum Internet Access ACL settings

13 July 2017 15:10:19
A customer called me today because he has trouble with a few of his Traveler users.
After updating IBM Traveler to v9.0.1.18, users are no longer able to sync, and the deletion of these Traveler devices (using the traveler delete command) is not working any more.

When trying to delete the Traveler user using:

tell traveler delete * Detlev Poettgen


He gets these errors on the console:

Traveler: SEVERE  Detlev Poettgen[*] NotesException Notes error: You are not authorized to perform that operation
                          id=4000 occurred trying to access device profiles Exception Thrown: Notes Exception(4000) : Notes error: orized to perform that operation
Traveler: SEVERE  Detlev Poettgen[*] NotesException Notes error: You are not authorized to perform that operation
                         id=4000 occurred trying to access device security profiles Exception Thrown: Notes Exception(4000) : Note not authorized to perform that operation



IBM enabled the run-as-user function with Traveler 9.0.1.18, which changes the way Traveler accesses the user's mail database:


Starting with IBM Traveler 9.0.1.18, the new run as user feature will now be enabled by default. When running as the user, the Traveler server will access the user's mail file as the user ID instead of the server ID.

This feature resolves several long standing issues with accessing the user's mail file as the server ID, including:
  • Honor ACL controls on mail file and corporate lookup for the user.
  • Prevent event notices and automated responses from being sent from the server ID.
  • Prevent the server ID from being assigned as the owner of the mail profile when there is no owner defined.

Important:
For run as user feature to function properly, the Traveler server must be listed as a trusted server in the user's Mail Server document.


So we first checked whether the Traveler server was listed as a Trusted Server in the mail server document.
That was all fine and other users located on the same mail server were able to sync.

Looking at the ACL of the user's mail database, we quickly found the reason:


For the user's mail database, the Maximum Internet name and password access was set to Reader.
After changing it to Editor, the user was able to sync again and the traveler delete command worked again.


Update 17.07.2017:


During the last few days I was asked how you can check whether all your Traveler users have Maximum Internet name and password access set to Editor.

As far as I know, there is no out-of-the-box solution available from IBM. The Admin-Client will not show this ACL setting in a view and catalog.nsf will not contain this setting.

So I created a small database, QuickFix for Traveler, which queries the mail databases of all Traveler users and shows some consolidated database properties (Size, Quota, Template, ACL, Owner, Soft Deletions, Max. Internet Access, #Documents).
From there you can select the databases with Max. Internet access lower than Editor and it will fix it for you.

If you want to use this database too, just drop me an email or leave a comment with your mail address. I will send you the QuickFix for Traveler app.
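
A report-only way to answer the "how can you check" question, as an added example (it is not the QuickFix for Traveler database and not the author's code): a LotusScript agent that lists the selected users whose mail file caps Internet access below Editor and changes nothing. It assumes the standard Person document fields FullName, MailServer and MailFile; the function name IsBelowEditor is made up for this example.

```lotusscript
Option Public
Option Declare

' Added example: report-only audit, no ACL is modified.
' Run from the Domino Directory People view on selected Person documents
' (agent target: All selected documents), with Full Access Administration enabled.
Sub Initialize
    Dim session As New NotesSession
    Dim dc As NotesDocumentCollection
    Dim personDoc As NotesDocument
    Dim checked As Integer, flagged As Integer

    Set dc = session.CurrentDatabase.UnprocessedDocuments
    Set personDoc = dc.GetFirstDocument
    While Not (personDoc Is Nothing)
        If CStr(personDoc.GetItemValue("Type")(0)) = "Person" Then
            checked = checked + 1
            If IsBelowEditor(personDoc) Then flagged = flagged + 1
        End If
        Set personDoc = dc.GetNextDocument(personDoc)
    Wend
    Print "Checked " & checked & " Person documents, " & flagged & " below Editor or not readable"
End Sub

' Hypothetical helper: True when the mail file caps Internet access
' below Editor, or when the mail file could not be opened and checked.
Function IsBelowEditor(personDoc As NotesDocument) As Boolean
    Dim who As String, server As String, path As String
    Dim mailDb As NotesDatabase
    who = CStr(personDoc.GetItemValue("FullName")(0))
    server = CStr(personDoc.GetItemValue("MailServer")(0)) ' user's home mail server
    path = CStr(personDoc.GetItemValue("MailFile")(0))
    If path = "" Then Exit Function ' no mail file, nothing to check

    On Error GoTo Unreadable
    Set mailDb = New NotesDatabase(server, path)
    If Not mailDb.IsOpen Then Error 1000, "database could not be opened"
    If mailDb.ACL.InternetLevel < ACLLEVEL_EDITOR Then
        Print "BELOW EDITOR: " & who & " - " & server & "!!" & path & " - level " & mailDb.ACL.InternetLevel
        IsBelowEditor = True
    End If
    Exit Function
Unreadable:
    ' Count unreadable mail files as findings so they are not silently skipped.
    Print "NOT CHECKED: " & who & " - " & server & "!!" & path & " - " & Error$
    IsBelowEditor = True
    Exit Function
End Function
```

Maximum Internet name and password access caps what any name-and-password session can do in the database regardless of the user's ACL entry, so reviewing this list before a bulk change keeps the raised ceiling limited to mail files that actually sync through Traveler.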





 



Comments

1 Bernd Steidele  13.07.2017 16:27:37

Hi Detlev,

Thanks for sharing this information. Do you know a quick way to list the Internet access level of all mail files?

2 Brian  13.07.2017 17:56:34

Welcome to borrow from this code.

Create an Agent in the Domino Directory.

Runtime: Action menu selection

Target: All selected documents

'Admin\Inspect User Mail Database properties:
Option Public
Option Declare

' === HOW TO RUN ===
'Open the Domino Administrator client. Enable the option for Administration > Full Access Administration.
'Return to the Notes client, and open the Domino Directory's People view.
'Select one or more Person documents in the Domino Directory.
'Then run this agent from the actions menu. It will inspect the mail database for each Person selected.
'This agent will:
'1) re-write the "soft delete timer" directly to the database properties, and also to the CalendarProfile document.
'2) verify the maximum internet access level as Editor, raising it to Editor if it is lower. (Required for Lotus Notes Traveler 9.0.1.18)
'About: Users edit their CalendarProfile profile document very often. For example, if they edit a Mailrule, the settings
' are compiled back to the CalendarProfile profile document. Adminp process also tries to write to the CalendarProfile
' when Adminp applies the Policy for trash expiration. Adminp is not always successful.
' You may need to run this agent a few times, on different days, until the change is replicated down to the user's client, without any conflicts.

Dim session As NotesSession
Dim nab As NotesDatabase
Dim softDeleteHours As Integer
Dim memoLog As NotesDocument
Dim memoLogBody As NotesRichTextItem

Sub Initialize
    'soft delete timer for all mailboxes (change if needed)
    softDeleteHours = 992
    Set session = New NotesSession
    Set nab = session.CurrentDatabase

    'init log
    Set memoLog = New NotesDocument( nab )
    Set memoLogBody = New NotesRichTextItem( memoLog, "Body" )

    'prevent other users from running this agent (change if needed)
    'If Not( session.CommonUserName = "Brian Green" ) Then
    'Print "you are not authorized to run this agent (see LotusScript code)"
    'Exit Sub
    'End If

    'collect the selected documents in the view
    Dim dc As NotesDocumentCollection
    Set dc = nab.UnprocessedDocuments
    If( dc Is Nothing ) Then Exit Sub
    If( dc.Count = 0 ) Then Exit Sub

    'process each Person document
    Dim personDoc As NotesDocument
    Set personDoc = dc.GetFirstDocument
    While Not( personDoc Is Nothing )
        If( Cstr(personDoc.GetItemValue("Type")(0)) = "Person" ) Then
            Call SetMailboxInfo( Cstr(personDoc.GetItemValue("MailFile")(0)) )
        End If
        'next
        Set personDoc = dc.GetNextDocument( personDoc )
    Wend

    'email the log information
    Call memoLog.ReplaceItemValue( "SendTo", session.UserName )
    Call memoLog.ReplaceItemValue( "Subject", "Domino Directory report" )
    Call memoLog.Send( False )
    Print "Done"
End Sub

Sub SetMailboxInfo( filepath As String )
    If( filepath="" ) Then Exit Sub
    On Error Goto ErrHandle
    Dim myUndeleteExpireTime As String

    'Inspect the soft delete timer for the database, and update the database property if needed.
    'The mail file is opened on the server that holds the current Domino Directory (nab.Server).
    Dim mailDb As NotesDatabase
    Set mailDb = New NotesDatabase( nab.Server, filepath )
    If( mailDb.IsOpen ) Then
        myUndeleteExpireTime = Cstr(mailDb.UndeleteExpireTime)
        If( myUndeleteExpireTime = Cstr(softDeleteHours) ) Then
            'ok
            'Call AppendLog( mailDb.Title + " ... OK, " + myUndeleteExpireTime )
        Else
            'Update the database property
            Call AppendLog( mailDb.Title + " ... RESET, " + myUndeleteExpireTime )
            mailDb.UndeleteExpireTime = softDeleteHours

            'Also update that entry on the CalendarProfile profile document.
            Dim calendarProfile As NotesDocument
            Set calendarProfile = mailDb.GetProfileDocument( "CalendarProfile" )
            If Not( calendarProfile Is Nothing ) Then
                Call calendarProfile.ReplaceItemValue( "SoftDeleteExpireTime", softDeleteHours )
                Call calendarProfile.ReplaceItemValue( "dspSoftDeleteExpireTime", softDeleteHours ) 'this isn't a computed-for-display field, it's a regular field.
                Call calendarProfile.Save( False, False )
            End If
        End If
    End If

    'Check the ACL, for compatibility with Lotus Notes Traveler
    'If the database could not be opened, reading the ACL raises an error that ErrHandle prints.
    Dim acl As NotesACL
    Set acl = mailDb.ACL

    'must be at least Editor access (4 = ACLLEVEL_EDITOR)
    If( acl.InternetLevel < 4 ) Then
        acl.InternetLevel = 4
        Call acl.Save
        Call AppendLog( mailDb.Title + " ... reset maximum internet access to: Editor" )
    End If
    Exit Sub

ErrHandle:
    Print "ERROR - " + filepath + " - " + Error
    Exit Sub
End Sub

Sub AppendLog( txt As String )
    'write the line to the mailed report and to the status bar
    Call memoLogBody.AddNewline( 1 )
    Call memoLogBody.AppendText( Cstr(Now) + " " + txt )
    Print txt
End Sub

3 Detlev Poettgen  13.07.2017 20:21:50

Hi Brian,

thx for sharing.

I will send Bernd the customized Agent tomorrow and will post it here.

Thank you

Detlev

4 Jan Krejcarek  14.07.2017 15:49:10

Hello, thanks a lot for sharing this. I will pass this to my colleague. We had the same problem with our most prominent user (in the end we reverted Traveler to the old behavior).

Regards,

Jan

5 Jay Marme  17.07.2017 23:36:13

Very timely information!

6 Giuseppe  25.07.2017 14:41:44

For all who use YTRIA Tools, e.g. the ACL Tool, you can check this property for all databases very quickly.

7 Carsten Lührmann  28.07.2017 11:02:50

Any information why this is needed? I thought all Traveler access to the mail files would be via NRPC. Or has it something to do with the Out of Office API?
