Understand the enhanced capabilities of the Password plug-in.
During the setup of a Domino HTTP Password Synchronizer, customers are instructed to add all administrators or users who can change passwords to the IDIPWSync group, and then to grant the group the "Run unrestricted methods and operations" right. This has presented a security problem for customers whose policy is not to allow users to have the "Run unrestricted methods and operations" right. The Lotus documentation recommends that only a small number of the most trusted users have such a strong level of access.
The instructions and documentation have been updated to provide an alternative setup that limits the set of users who are granted "Run unrestricted methods and operations" in order to run the Domino HTTP Password Synchronizer. A dedicated account (person) is configurable in Domino to be the only one that signs agents that need to execute restricted operations; the TDI agents are signed with that account. Users from the IDIPwSync group will already have enough access to execute these agents (read access to the database that contains the agent is required).
Parent topic: Overview of IBM TDI version 7.1