On Windows platform, make database deletion a recycle bin affair 
IdeaSpace: Domino Server / Other
Tags: deletion, database
Posted by: Mark Demicoli10736, 09 Jan 2010
Ever accidentally deleted a database? It can't be that hard to use the Recycle Bin on Windows Platforms instead of effecting an irreversible file system deletion.
This should occur at the API level so that all methods of deleting databases use the OS recycle bin if available.

1) Peter von Stöckel5721 (09 Jan 2010)
Accidents will happen, but that's what backups are for. If someone keeps deleting databases "by accident" then maybe they shouldn't be Manager of databases, or administrators of Domino servers?
2) Mark Demicoli10736 (09 Jan 2010)
Not sure how to respond to that gem, but I'll try.

The recycle bin feature is a flavour of backup. It has the same function as media backup but is far more convenient and faster to use than media backup. The only real difference is that it does not mitigate hardware failure. Media backup is still crucial, they both have their place.

By your argument, you would recommend the removal of the soft deletion feature in Notes Databases, because users should be more careful? *waves finger at naughty users*

How about we also remove the password restore feature because people shouldn't be so naughty.

Foolproofing, undo capabilities are a crucial stream of progress in software.
3) Mark Demicoli10736 (09 Jan 2010)
I'd go as far as to say that in the future we will see more move toward system-wide undo capabilities. We see this in Windows System Restore points. Although this technology is not yet perfect, the idea is to make systems as forgiving as possible. It makes life easier.
4) Peter von Stöckel5721 (10 Jan 2010)
What this also means is that you will make more work for admins, by making them delete things twice. First through the Domino server, and then through the Windows recycle bin. Also keep in mind that many Domino admins aren't admins of the server, which means that another person will have to go in and empty the recycle bin.

The undo possibility is great for the ordinary user interfaces, but it gets in the way when doing admin stuff.
5) Mark Demicoli10736 (10 Jan 2010)
That's not an issue. A properly implemented undo function is a single step performed by the server.

Scenario 1: Currently what happens (duration: hours to days).

1. Database is deleted (could be a mail file, or application. Users normally have Manager access to their mail files.)
2. Business user or admin panic
3. Domino admin submits request to cranky backup engineer
4. Dialog potentially takes place between backup engineer and domino admin (manual, potentially time intensive exchange)
5. Restore may not be possible because data lost was entered between backups
6. If restore is feasible, backup engineer performs restore. Could take hours or days.
7. Database is restored

Scenario 2: Database delete undo implemented in Domino Administrator and accessible via script & API

1. Database is deleted
2. Business user panics, admin thanks God that retrieval is almost instant and doesn't have to deal with cranky backup engineer
3. Admin finds deleted database through Administrator and clicks restore

Are you telling me that this is not an improvement?
6) Peter von Stöckel5721 (10 Jan 2010)
Scenario 2:

1. Database is deleted
2. Business user panics. Admin tries to get hold of the Windows technician that would be able to undo the delete.
3. The Windows technician is as usual too busy to be able to get to the restore immediately, because we all know how stable Windows is, so he has lots to do, so he gets back to the Domino admin the next day (best case scenario).
4. The Windows technician asks the Domino admin for the exact filename and location, and when it was deleted, because he has found no less than 23 files with that name, deleted on different dates, originating in different directories.
5. The Windows technician gets back to the Domino admin to tell him that he's sorry, but there's no such file. It was probably too big to be stored in the recycle bin.
6. The Domino admin goes to the backup engineer to have him restore the file from backup.

Please note: All mentioned technicians could as well have been female. The words "he" and "him" should be read as "he or she" and "him or her".
7) Mark Demicoli10736 (10 Jan 2010)
I think you missed "A properly implemented undo function is a single step performed by the server." Which means your steps 3 to 6 are irrelevant.
8) Peter von Stöckel5721 (10 Jan 2010)
No, if it was, then my steps 3 and 4 would be irrelevant. Step 5 would be Domino telling you that, instead of the Windows technician. Step 6 would still be the same, just one day earlier.

Another problem would be that the recycle bin wouldn't be exclusive for Domino. It'd also be used by the operating system. You, being the Domino admin, would most likely not be allowed to control it. The Windows technician responsible for the server would make sure of that.
9) Ulrich Krause5701 (10 Jan 2010)
I would go one step further. Use the administration process for (server) database deletions. We do not have to care about local databases, as every local database should only be a replica of a database on the server. The admin process is more flexible than the recycle bin, as you can use the bin only on Windows servers.
The functionality is already there; you are asked for deletion of replicas on all other servers when you delete a database on one server. So why not enhance this to the initial delete as well?
10) Mark Demicoli10736 (10 Jan 2010)
Makes sense, however then the Domino server would have its own concept of a recycle bin so that it works across platforms. Doesn't sound too hard.
11) Mark Demicoli10736 (10 Jan 2010)
Databases could be put in a special compost bin and allowed to decompose. The released methane could be harnessed and used to power a turbine? :)
12) Bill Malchisky12192 (10 Jan 2010)
@0 -- Mark, your arguments are missing a few points, with all due respect:

1. You are thinking in terms of non-regulated firms; your model would make any legal team and security officer cringe in a professional or otherwise regulated firm concerned with compliance;

2. The Windows recycle bin is most definitely not a flavor of backup. To say it is, introduces worst practices akin to telling users that they can store messages in the Notes Mail Trash folder rather than a temporary folder. Any quality admin most definitely advises users against this practice;

3. Your position forgets that Notes runs on Linux and Mac as well, not just Windows, and focusing such a platform specific capability ignores and complicates needlessly the excellent work Lotus introduced with Eclipse for consistent feature sets across the board for Notes (still in-progress, for clarity);

4. Setting up your users with the Domino Server Roaming profile feature will provide a reliable backup of their Journal, Mail (if local), Desktop, Contacts DBs at a much greater frequency and reliability than an OS level filesystem undo

5. Roaming user is a best practice that accomplishes your goal quite nicely and is recommended for all users, regardless of the number of workstations they use;

6. Users should never be manager of their mail file -- best practice is Editor with ND7 or newer;

7. Good backups and a cluster server guard against most scenarios where one would need to complicate the work or introduce legal liability to a firm;

8. Server-based recycle bins only exist on Windows: Unix, Linux, iSeries, zSeries do not have these, nor need them; this appears, with all due respect, to be another scenario where Microsoft has introduced bad computing practices to guard against flaws with their OS model and thus, people (not saying you, Mark) become used to the issue and panic when it's unavailable elsewhere; for clarity, I am not saying anything negative against you here;

Finally, not all backup engineers are cranky, some are quite nice. :)

Overall, shore-up the security model, limit the number of DB managers, and setup roaming and clustering for critical or high-impact DBs and one can negate the need here. If you still feel the need, I think there is an adjustment for when Adminp deletes a DB, and that might assist you further.
13) Mark Demicoli10736 (10 Jan 2010)
No I think you've missed the point Bill (with all due respect of course), an Undo at the database level is exactly the same functionally as at the document field level, and any other level.

Domino is a development platform, best practices are designed within organisations and are rarely ubiquitous.

You have to separate system features from policy. To ponder that a programmatic enhancement will somehow translate to a breakdown of your company policies is just fantasy really. You could point to a billion features that can be misused. Again, nothing to do with the features per-se, but their implementation by you, the designer.
14) Bill Malchisky12192 (10 Jan 2010)
@13 Hi Mark... I tactfully disagree, with all due respect.

First, you stated in your title that you wanted to make DB deletion a "Windows recycle bin affair". This implies outside of the Notes DB, application and requires an API call to the OS-level bin, that you cite. This action of leaving data to be maintained by the OS does introduce and substantiate my concerns quite nicely.

Additionally, an Undo at the DB level is different than the document level...as the document level would rely upon the respective DB's trash folder within itself, whereas purging an entire application file can not utilize that folder.

Your point in @10 contradicts your Idea's main body of how your feature would work, creating confusion it appears for individuals commenting here. I refer to your body text specifically.

In your third paragraph, you need to know that I deal with legal teams and compliance officers on a regular basis. So, the point I raise here about left over data is in fact reality, not "fantasy" to utilize your term. The Windows recycle bin is a concern for them --- especially as it offers little to no security --- and would make more work for Domino admins, as @4 and @8 raised in his notes.

Your point on best practices is partially correct. Yes, firms hone a list of practices -- both development and administration -- but customers also want to know what the ISV suggests (in this case IBM Lotus), and what partners experience. I know many business partners that would disagree on your prose in your second paragraph--being respectful here of course.

It appears that you are looking at this from a purely development standpoint, whereas I, from the architecture and administration perspective. They are different.

We can agree to disagree, but I am still demoting this idea. Sorry.
15) Ben Poole2370 (10 Jan 2010)
In voting this up, I consider this more from a local client machine standpoint than the server. As a user, I would expect local deletions to use the client OS deletion facility. This is consistent with many other workstation applications (especially on OS X), and I don't see why it does any harm.

Now, the server: I can see the arguments against such a process, especially as the "bin" concept is not universal.

However for the client machine, I think that this sort of functionality is a shoo-in (and you're more likely to be a Manager of a local database of course).
16) Mark Demicoli10736 (10 Jan 2010)
I think we're arguing over technicalities Bill. You don't think an undelete database feature is a good idea, let's leave it at that.
17) Bruce Lill10666 (10 Jan 2010)
At the client level only, there is no need at the server level since backups are performed. Also if you delete on a server by mistake the only copy, you will learn to be more careful.

I voted No, as I would like the client to be the same across platforms. If you wanted an undelete for notes client that would be different. The user doesn't look inside the Trash for anything else they delete in Notes, why would a database be different?
18) Ed Maloney97 (10 Jan 2010)
Current user expectations are that deleted files can be easily recovered. From a security or Admin view, you may not want this. Way back in my Novell days... there was a hidden directory named deleted.sav that could only be accessed by someone with Admin rights. If you don't want to use the Windows recycle bin then create a hidden folder in the Notes\Data directory and store deleted files there.
19) Paul Davies13558 (10 Jan 2010)
This would seem to be a simple and effective solution to the quick accidental deletion. Gets a Yes from me.
20) Matt White13605 (10 Jan 2010)
Agreeing with @15 here. If this is for the client then yes, for the server then no.
21) Giulio C748 (10 Jan 2010)
I think this is unnecessary. Deletion of databases is quite a serious affair in the scheme of things, it's not simply a "file". So, consideration is given to deletion.

Usually if you're that nervous about deleting, people usually make backups anyway. As they say, "6 of 1, half a dozen of the other"
22) Doctor API2512 (10 Jan 2010)
I think this should be an option in the notes.ini file and if the admin wants to implement it then go ahead and if not then don't... a kind of democracy.
23) Craig Wiseman24988 (11 Jan 2010)
Definitely on the client - no doubt/issues.

As said above, on the server, the biggest issue I see is that once you put it in the recycle bin, it never leaves until you empty it. I'd be fine with it if it (like the trash folder in email) self-emptied NSFs/NTFs after a (configurable) set time period. That would be inconsistent with the way the recycle bin works, but seems to be the only sensible approach.
24) Gregg Eldred8655 (11 Jan 2010)
Excellent discussion. I am most appreciative of, for example, Bill Malchisky and Peter von Stöckel, for explaining the reasons they voted this down. Since reading the comments, I am with those that side with "Yes" on the client, "No" on the server.
25) Mark Demicoli10736 (11 Jan 2010)
Verdict is split. Agree that file deletion should use the operating system's standard mechanism - Windows should use recycle bin, at least on the client.

On the server, controversial. I stand by my point however that anything that is reversible is by definition progressive. Would a database undelete turn Admins and Users into rampant delete cowboys? Seems some think so!
26) Philip Storry1467 (12 Jan 2010)
I've voted against this, because it's in the Server space.

For the client, yes, going to the recycle bin would be fine. It should be cross-platform, which means Windows/KDE/Gnome/Mac awareness. It would probably be useful to users.

But on the server side? Even if we only look at Windows, there are still huge issues...

All of my servers are installed to run under the LocalSystem account. If this is added, how do I access the recycle bin?
The obvious answer is to use a system account, as under Linux/AIX and so forth. But even then, there are issues. I lose accountability, for example - everyone on the admin team must be able to log in with the service account to access the recycle bin, so there's no way to see who emptied it if someone does it maliciously.

Last time I checked, the recycle bin manages itself on one factor only - percentage of disk space used. It will not clear itself out based on time, so this is just a good way to lose 15% of your available disk space to deleted databases.
The management facilities for the recycle bin are also, as far as I can see, only available when I log on locally, which isn't acceptable.
It's also worth noting that full-text indexes represent a further complication - it could be very difficult to match the right one to the right deleted version of the database, and this could cause unexpected results with searching if the wrong one is removed.

In many cases, what is deleted should stay deleted. Some industries and services have strict legislation or guidance on this. And even for public companies, lawsuits may mean that there are discovery issues resulting from this feature. These are not trivial issues.

It could be argued that the recycle bin has a convenience that makes legal issues a worthwhile tradeoff. However, the unresolved issues I see in 1 & 2 still remain, and frankly I don't see how this is any more or less convenient than backups that use transaction logging.

If a "pending deletion" area is required in Domino, which does not purge databases for a given period, then it should be a feature of Domino. OS "trashcans" are not sufficient for purposes of security, management or compliance.

If you create a new Idea for the client, I'll vote yes on that one. ;-)
27) Mark Demicoli10736 (12 Jan 2010)
Oh come on Philip don't bore us with your personal corporate issues. How can you argue that an undo feature is negative? Surely you've made mistakes before?
28) Mark Demicoli10736 (12 Jan 2010)
By the way, arguing that it's different for the client than for the server exposes certain habits which are not productive. The Notes client is in fact a slightly hobbled Notes server (eg since clients don't need to serve POP3, HTML etc). Apart from that the stack is the same.
29) Bruce Lill10666 (12 Jan 2010)
@27 - If a db is on a server it has a backup and I make sure it's replicated somewhere else. I can honestly say in 20 years of Notes admin, I have never deleted a database on a server by mistake.
@28 - a client is controlled by end user, server by trained professionals (OK maybe not all are trained nor professional but some skill) that is a big difference.
30) Alan Dalziel1450 (12 Jan 2010)
You are prompted to confirm a database deletion in the client. If that's not enough you should have a backup available.
My problem with the Recycle bin is when do you empty it? There's no option like soft deletions to say keep it for x days, and you can't expect admins to go in and remove items based on their age from the bins on each server. The only option available is to restrict the size of the bin so the more you delete, the less they last in the bin . . . .
I think the architecture of Notes/Domino allows for enough protections already, particularly if you consider backups, that we don't need yet another data repository to worry about. If you let users know that you can bail them out, they're not going to think about the implications of deleting things so all this will do is increase your workload, not reduce it.
As for @27 comments about corporate issues - I hope you're joking. The larger the environment, the less access Domino Admins get to the OS of the servers that Domino runs on.
31) Philip Storry1467 (13 Jan 2010)

This isn't a personal corporate issue.

Frankly, there are just better alternatives to this suggestion.

This sounds harsh when it's written down, but it is honestly what I believe: It's unmanageable, it's inherently insecure, and it's quite unnecessary.

As I've said, if you want to resubmit the idea for the Notes idea space, I'd vote yes. In fact, I encourage you to resubmit the idea for the Notes client only, so that I can do so. Be sure to note that Linux and Mac have their own trashcans, too, and should also be supported!

But on a server? No. Sorry, but just no.
32) Peter Presnell28487 (15 Jan 2010)
I vote yes, but for the Notes client only - For many of the reasons already presented. I do so from the point of view of a user and a developer who often sees the impact a simple mistake can cause when an entire database goes south. I do not agree with some suggestions that viable alternatives always exist. We may think they do... e.g. I once had a client who backed up data onto tapes every day (Including data from workstations). If you ever needed to recall a database from tape it could take 1+ week to get the data restored. And often you needed various levels of approval meaning the whole gets to know about the mistake that was made. Of course, I am speaking on behalf of others, because I would never accidentally delete a database ;)
33) Kerr Rainey4990 (19 Jan 2010)
As with most people here I can see that local client deletes being put in the OS trash / recycle bin could be a good thing. But I'm voting no for this idea as worded and argued for by Mark, i.e. using the OS trash / recycle on the server.

The basic idea is a good one. Being able to recover a deleted database with minimal fuss is fine, but shouldn't use the OS trash and needs to be configurable by the Domino admin. However much it might be a boring corporate issue for some, it could be show stopping for others. If the Domino admin needs to be able to scrub a database securely off the server then they should be able to do so, without involving the OS admin.
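
A sketch of the application-managed "pending deletion" area that comments 18, 23, 26 and 33 describe, added here as an example and not part of any comment or of Domino itself: each deletion gets its own slot holding the database together with its full-text index, a manifest and audit log record who did what, and a time-based purge replaces the recycle bin's size-only rule. The function names, manifest layout, 14-day retention and the `<name>.ft` index directory beside the database are assumptions made for this illustration; the purge is an ordinary file removal, not a secure erase.

```python
import json
import shutil
import tempfile
import time
import uuid
from pathlib import Path

DAY = 86400

def audit(holding, action, actor, slot, when):
    # Append-only record, so restoring or emptying the area is attributable to a person.
    with open(Path(holding) / "audit.log", "a") as fh:
        fh.write(json.dumps({"action": action, "actor": actor, "slot": slot, "at": when}) + "\n")

def soft_delete(db_path, holding, actor, now=None):
    """Move a database and its full-text index into a unique slot in the holding area."""
    db = Path(db_path)
    now = time.time() if now is None else now
    slot = Path(holding) / uuid.uuid4().hex  # one slot per deletion: equal filenames never collide
    slot.mkdir(parents=True)
    files = [db.name]
    shutil.move(str(db), str(slot / db.name))
    ft = db.with_suffix(".ft")  # assumed index location: <name>.ft beside the database
    if ft.is_dir():
        shutil.move(str(ft), str(slot / ft.name))  # index travels with its own database version
        files.append(ft.name)
    manifest = {"original_dir": str(db.parent), "files": files,
                "deleted_by": actor, "deleted_at": now}
    (slot / "manifest.json").write_text(json.dumps(manifest))
    audit(holding, "delete", actor, slot.name, now)
    return slot.name

def restore(holding, slot_id, actor, now=None):
    """Put a held database back; refuse to overwrite anything created since the deletion."""
    slot = Path(holding) / slot_id
    manifest = json.loads((slot / "manifest.json").read_text())
    target = Path(manifest["original_dir"])
    if any((target / name).exists() for name in manifest["files"]):
        raise FileExistsError("original location is occupied; restore refused")
    for name in manifest["files"]:
        shutil.move(str(slot / name), str(target / name))
    shutil.rmtree(slot)
    audit(holding, "restore", actor, slot_id, time.time() if now is None else now)

def purge_expired(holding, actor, retention_days, now=None):
    """Remove slots older than the retention period; retention_days=0 empties the area."""
    now = time.time() if now is None else now
    purged = []
    for slot in sorted(Path(holding).iterdir()):
        mf = slot / "manifest.json"
        if not mf.is_file():
            continue  # skips audit.log and anything that is not a slot
        if json.loads(mf.read_text())["deleted_at"] + retention_days * DAY <= now:
            shutil.rmtree(slot)
            audit(holding, "purge", actor, slot.name, now)
            purged.append(slot.name)
    return purged

if __name__ == "__main__":
    mail = Path(tempfile.mkdtemp()) / "mail"  # constructed sample, not a real Domino data directory
    (mail / "jdoe.ft").mkdir(parents=True)
    (mail / "jdoe.nsf").write_bytes(b"constructed")
    sid = soft_delete(mail / "jdoe.nsf", mail.parent / "pending", "admin1")
    print(sid, purge_expired(mail.parent / "pending", "admin1", retention_days=14))
```

Keeping the holding directory on the same volume as the data directory makes each move a rename rather than a copy, and restricting it to the account that runs the server keeps held databases out of reach of ordinary users.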

