Every time SecurityInsider performs a scan, it also looks for changes in group membership and database access. If anything is different from the last scan, the changes can be recorded to an XML file, and a backup of the previous information can be created. This gives you the ability to see how access levels get modified over time.
The directory contains all the information about groups, but there is still a lot of digging you have to do if you want to parse all the information. You might have multiple directories. Groups often have subgroups, and those subgroups can have subgroups, and this subgroup nesting can become very deep and confusing. In addition, groups can contain bad information — incorrect user names, or mail groups inside of security groups for example — so that it looks like a group has certain members but it actually doesn’t. SecurityInsider is able to validate all the group information and flatten it out, so you don’t have to drill down to find what you’re looking for.
Yes. SecurityInsider refers to users as “endpoints”, and it has views of data based on group, database, and endpoint. You can open a group document and see all the members (including members of nested subgroups), you can open a database document and see all the users who have access (again including members of nested subgroups), or you can open an endpoint document and see all the groups and databases that a user has access to.
Every time the SecurityInsider scan runs, it compares the data that is found with the data that is already in the SecurityInsider database. If that data is different — for example, if users have been added to a group since the last run — these changes can be tracked in two different ways. One way is to store a list of all changes that are found in an XML file, and the other is to make a backup of each document that was changed. This allows you to find changes that happened at a certain time, or to a certain group, database, or endpoint. The specific way that changes are tracked (XML file and/or backup) is defined in the configuration document.
SecurityInsider not only parses the information in your Domino directories, it also reads the access control lists (ACLs) of your Domino databases. It then combines that information to give you a flat list of all users who can access a database and what their individual access levels are, including all members of all groups. This allows you to see who has access to data, what kind of access they have, and how they have this access.
The two most common reasons why a user or group member would be listed as “unknown” are because the name isn’t found in any of the Domino directories, or because the name is included improperly in a group. As an example, a user’s mail alias would be a valid name when a group is used for mail, but that same name would be considered “unknown” if the group is used in the ACL of a database.
The server that runs the scan needs to be IBM Domino version 8.x or higher, and the scan can be configured to run against remote servers that run IBM Domino version 6.x or higher. The database uses XPages in the IBM Notes client to display information, which requires client version 8.5.2 or higher.