IBM Support

Policies and settings documents signed by John Doe/ACME are no longer valid

Technote (troubleshooting)


Problem

From time to time, the server console displays an error message such as "Policies and settings documents signed by John Doe/ACME are no longer valid because this person does not have the required access level or roles to the Domino Directory."

Cause

An administrator who initially set up Policy and Settings Documents no longer works for the company. As these documents were signed by a user that no longer has the appropriate roles, the current administrator received the following error:

"Policies and settings documents signed by <Administrator> are no longer valid because this person does not have the required access level or roles to the Domino Directory."


Environment

Domino 8.5.3 FP6 on Windows 2008 64bit

Diagnosing the problem

To debug policy processing on the server side, enable the following notes.ini parameters on the Domino server:
Debug_Policy=1
Debug_ThreadID=1
Console_log_enabled=1

In one case, console.log displayed the following extra debugging information after the above parameters were applied:


[14B0:007F-189C] 2014/09/08 04:33:07 Policies and settings documents signed by John Doe/ACME are no longer valid because this person does not have the required access level or roles to the Domino Directory.
[14B0:0096-18F8] CPolicy:: Policy Debug Logging on Verbose
[14B0:0096-18F8] 2014/09/08 04:33:07.94 InitPolicySettingsTypes> Reusing cached policy types.
[14B0:0096-18F8] 2014/09/08 04:33:07.94 NAMEGetPolicyExt2> Name CN=John Doe/O=ACME, view NONE, settings SecSets, server , hNames 0x0, flags 0x0
[14B0:0096-18F8] 2014/09/08 04:33:07.94 PolicyOpenNABLocal> Opened : No error
[14B0:0096-18F8] 2014/09/08 04:33:07.94 GetPolicy> Getting SecSets policy the old way for CN=John Doe/O=ACME in view NONE, explicit policy , server NONE
[14B0:0096-18F8] 2014/09/08 04:33:07.94 GetPolicy> Dumping NamesList for CN=John Doe/O=ACME
[14B0:0096-18F8] 0 - CN=John Doe/O=ACME
[14B0:0096-18F8] 1 - John Doe
[14B0:0096-18F8] 2 - *
[14B0:0096-18F8] 3 - */O=ACME
[14B0:0096-18F8] 4 - ProjectManagers
[14B0:0096-18F8] 5 - NotesTraveler_S
[14B0:0096-18F8] 2014/09/08 04:33:07.94 GetPolicy> Returning eff SecSets policy for CN=John Doe/O=ACME
[14B0:0096-18F8] 2014/09/08 04:33:07.94 NAMEGetPolicyExt2> EffectiveNoteHandle = 0x2000345E, tdLastPolMod = , returning: No error
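
As an added example (not part of the original technote and not IBM tooling), the following Python script scans console.log lines for this error and lists, for each flagged signer, the settings names seen in NAMEGetPolicyExt2 debug lines for the same name. The sample log is constructed from the excerpt above (the Jane Roe line is invented), and treating those settings names as candidates for review is an assumption, not documented Domino behavior.

```python
import re
from collections import defaultdict

# Constructed sample, modeled on the console.log excerpt above (Jane Roe is invented).
SAMPLE_LOG = """\
[14B0:007F-189C] 2014/09/08 04:33:07 Policies and settings documents signed by John Doe/ACME are no longer valid because this person does not have the required access level or roles to the Domino Directory.
[14B0:0096-18F8] 2014/09/08 04:33:07.94 NAMEGetPolicyExt2> Name CN=John Doe/O=ACME, view NONE, settings SecSets, server , hNames 0x0, flags 0x0
[14B0:0096-18F8] 2014/09/08 04:33:07.94 GetPolicy> Returning eff SecSets policy for CN=John Doe/O=ACME
[14B0:00A1-1900] 2014/09/08 04:40:12.10 NAMEGetPolicyExt2> Name CN=Jane Roe/O=ACME, view NONE, settings SecSets, server , hNames 0x0, flags 0x0
"""

INVALID_RE = re.compile(r"Policies and settings documents signed by (.+?) are no longer valid")
LOOKUP_RE = re.compile(r"NAMEGetPolicyExt2> Name (.+?), view [^,]*, settings ([^,]*),")
STAMP_RE = re.compile(r"\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}")

def abbreviate(name):
    """Turn CN=John Doe/O=ACME into John Doe/ACME by dropping component labels."""
    return "/".join(part.split("=", 1)[-1].strip() for part in name.split("/"))

def summarize(lines):
    """Return {signer: {"count", "first_seen", "settings"}} for flagged signers."""
    flagged = {}
    lookups = defaultdict(set)
    for line in lines:
        m = INVALID_RE.search(line)
        if m:
            # The error line uses the abbreviated name; normalize anyway.
            signer = abbreviate(m.group(1))
            ts = STAMP_RE.search(line)
            entry = flagged.setdefault(
                signer, {"count": 0, "first_seen": ts.group(0) if ts else None})
            entry["count"] += 1
            continue
        m = LOOKUP_RE.search(line)
        if m and m.group(2).strip():
            # Debug lines use the canonical name, so abbreviate before matching.
            lookups[abbreviate(m.group(1))].add(m.group(2).strip())
    for signer, entry in flagged.items():
        entry["settings"] = sorted(lookups.get(signer, ()))
    return flagged

if __name__ == "__main__":
    for signer, info in summarize(SAMPLE_LOG.splitlines()).items():
        print(signer, info)
```
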


Resolving the problem

This issue has been reported to Quality Engineering as SPR# JIMS6T8MLS, an enhancement request asking for improved capabilities for managing the Policy and Settings documents when the document creator/editor changes positions or leaves the company.


One possible workaround is to create a 'generic' Admin ID to sign the documents. An Action available in the Policies (or Settings) view allows the administrator to re-sign the selected documents.

The administrator selected the settings document named SecSets, then chose 'Actions -> Resign Policy'. There were no more error messages after doing so.

Document information

More support for: IBM Domino
Policies

Software version: 8.5.3.6

Operating system(s): Windows

Reference #: 1692433

Modified date: 04 January 2015