Configuring Lotus Notes Group Types for IDM



The Lotus Notes driver for IDM 3.01 (v2.2.5 is the latest in the patch "idm301notesir1" at the time of writing) is a tricky driver to configure. The documentation is relatively complete but time-consuming to go through.

An area the documentation does not really cover is the use of Groups in Lotus Notes.


It turns out Notes has an extra attribute of interest on Group objects: GroupType. This attribute has at least 5 values (there may be more, but I could only figure out 5):

0 - Multipurpose Group

1 - Mail Only group

2 - ACL only group

3 - Deny Access group

4 - Server only group

The consequences of each type are subtle and Notes-specific, so consult a local Notes admin for help on subtle things.

In general, a Mail group is for mailing lists, basically a distribution list. In general, an ACL group is used for granting rights to users to things (often other users or databases). A Multipurpose group can do both Mail and ACL. Deny Access groups are sort of negative mail groups, which is where deleted users are usually put to deny email access to them.

Server groups contain servers for things servers do. (Ask a Notes admin why this is, and let me know!)

You may only want to handle certain types of groups in your IDM implementation, in which case you add an attribute in eDirectory for GroupType and add it as an Aux class to Groups. You also add it to the filter and map it in the Schema mapping rule.

Then you can test on Group-creates - if it is a certain type, you can allow or veto its creation.


How To-Best Practice
Comment List