Domino Coexistence Server Security
For program installation, an AD account with remote logon and server administration rights to both Windows Servers on which the Domino Servers reside is required.
For the modification of the routing scheme in Domino, a Lotus Notes ID with a minimum of Editor Rights to the Domino Directory is required. In addition, the ID must at a minimum have the following roles assigned:
- NetCreator
- NetModifier
- GroupCreator
- GroupModifier
A Notes ID with greater administration rights is preferred for modification of the Domino routing scheme.
- To provide Zero-Touch Application Remediation (ZApp) access to Domino Administrators to diagnose ZApp issues, a multipurpose group needs to be created in Domino. This group should be called BTZAppREADERS. This group should contain LOCALDOMAINADMINS (or equivalent group name) and LOCALDOMAINSERVERS (for scalability and failover).
Windows Coexistence IIS Server Security
The Windows BTDirSync service runs on the Windows Coexistence Server. The user account running the service must have the following rights:
- Administrator rights to the SQL Server machine
- Log on as a service Windows Security right on the system hosting the SQL Server.
The following procedure enables the Log on as a service Windows Security right for the user account.
- Go to Start - Control Panel - Administrative Tools - Local Security Policy.
- Select Local Policies - User Rights Assignment in the left pane.
- Right-click the Log on as a service policy in the right pane, and select Properties.
- Click the Add User or Group button.
- Specify the user name and click the OK button.
SQL Server Security and Role Requirements
- SQL account with Server Role dbcreator and Database Role of db_datawriter to create the BTCodex Database
- During Installation of the CMT for Coexistence Software, a SQL Script will be run with the SQL account to create the DB and populate tables with default records
- Windows Domain Service account with db_datawriter
- During Installation of CMT for Coexistence Software on Windows IIS Server, it will validate the access for the Windows Domain Service account
- The Domino Coexistence servers will access the BTCodex database via the SQL account because Domino does not run well with a service account.
- The Windows Coexistence servers will access the BTCodex Database via the service account running the Binary Tree DirSync Service.
- DBAs can remove the Server Role dbcreator on the SQL account after installation
- SQL Management Studio needs to be installed on a server to access the BTCodex DB with the accounts provided for management of tables, views and records.
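The post-installation cleanup and a membership check for the two accounts listed above, as an added T-SQL example that is not part of the product documentation. The login names btcodex_sql and CONTOSO\svc-btdirsync are placeholders; substitute the accounts used in your deployment.

```sql
-- Added example. Placeholder names (assumptions, not from the product docs):
--   btcodex_sql            = the SQL account used by the installer and Domino
--   CONTOSO\svc-btdirsync  = the Windows domain service account

-- 1. After installation, drop the server role that was only needed to
--    create the BTCodex database.
ALTER SERVER ROLE dbcreator DROP MEMBER [btcodex_sql];

-- 2. Confirm which server-level roles either account still holds.
--    An empty result means no fixed server role membership remains.
SELECT r.name AS server_role, m.name AS login_name
FROM sys.server_role_members AS srm
JOIN sys.server_principals AS r ON r.principal_id = srm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = srm.member_principal_id
WHERE m.name IN (N'btcodex_sql', N'CONTOSO\svc-btdirsync');

-- 3. Check who owns BTCodex. The login that creates a database becomes its
--    owner by default, which grants far more than db_datawriter.
SELECT name AS database_name, SUSER_SNAME(owner_sid) AS owner_login
FROM sys.databases
WHERE name = N'BTCodex';

-- 4. List database role membership inside BTCodex for both accounts.
--    The join on sid maps database users back to their server logins,
--    so the check still works when the user name differs from the login.
USE BTCodex;
SELECT r.name  AS database_role,
       m.name  AS database_user,
       sp.name AS login_name
FROM sys.database_role_members AS drm
JOIN sys.database_principals AS r ON r.principal_id = drm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = drm.member_principal_id
JOIN sys.server_principals   AS sp ON sp.sid = m.sid
WHERE sp.name IN (N'btcodex_sql', N'CONTOSO\svc-btdirsync');
```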
AD/Exchange Access Requirements
To deploy CMT for Coexistence Free/Busy on the IIS Coexistence Server, an AD account with Server Administration rights must be able to log on to the server interactively. The account must be able to run programs with Administration-level access on the target Exchange Server and specifically be able to open a PowerShell with the Exchange management tools.
- LDAP or Global Catalog Read Access for in-scope OUs
- Add/Modify/Delete contact objects in the scoped OU specified for Domino Contact
- Migration Only Requirements
- Exchange Organization RBAC Role (For Provisioning Users)
- Full Access Exchange Permissions to all mailboxes for migrated users