When the security settings policy "Allow password authentication with the ID vault" is set to No, it blocks not only end-user password authentication against the vault, but also administrative operations performed by authorized Domino/vault administrators (authenticated via their Notes ID in the Notes/Admin client), specifically extracting an ID file or resetting a user password in the vault.
This behavior has been confirmed by HCL development (case CS1445660) as intentional, but it is not documented anywhere. The setting name ("Allow password authentication") strongly implies it is intended to restrict end-user authentication only, not administrator operations.
As a result, administrators are forced to temporarily change the policy to Yes, perform the required vault operation, and then revert it to No. This creates unnecessary security risk (the policy is briefly relaxed for all users) and operational overhead.
Please implement a mechanism that allows authorized Domino or vault administrators to perform ID Vault administrative operations (extract ID file, reset password) regardless of the "Allow password authentication with the ID vault" policy setting — for example by checking the administrator's role/privileges rather than the policy, or by adding a separate policy control for administrative operations.
At minimum, please document the current behavior clearly in the Domino documentation.