ACL Security
IBM Lotus Domino offers a multi-layered approach to security. Server administrators can secure databases,
servers, and domains. Database designers and managers control the following:
Application security
Use the database access control list (ACL) to restrict the access that specific users and servers have to an
application. You can also use the Advanced section of the ACL to further restrict application access for
Web users. For each user, group, or server listed in the ACL you assign:
o An access level
o A user type
o Roles
Note You can further restrict access to specific documents and fields within those databases using the Extended
ACL, which is used in the IBM Lotus Domino Directory, the Extended Directory Catalog, and the
Administration Requests database. Work with your server administrator to apply these security measures.
For more information on server access levels and replication, see Administering the Domino System.
Setting up a database ACL
Plan the database access for the application before you add users, groups, or servers to a database ACL. After
you set up a database ACL, users can click the Effective Access button on the ACL dialog box in the Notes client
to view their level of access to a database.
Note You can make changes to multiple ACLs on a server through the Multi-ACL Management dialog box in the
Administrator Client. You can also edit an ACL for a single database using the File - Database - ACL dialog box in
the Notes client.
To set up a database ACL
1. Make sure that you have:
o Created the roles and groups that you want to use in the ACL
Krishna
Lotus Notes
4. Add entries for IBM Lotus Notes users, servers, groups, and authenticated Internet users.
5. Set the access level for each entry.
For information on assigning anonymous access for Web users, see Administering the Domino System.
6. (Optional) For additional security, select a user type for each entry.
7. (Optional) Refine the entries by restricting or allowing additional access level privileges.
8. (Optional) Assign roles to ACL entries. The role displays a check mark when selected. If no role exists in
the database, the role option is not displayed.
9. (Optional) Enforce a consistent ACL across all replicas of the database.
10. (Optional) Click Advanced and accept or change the Web access level in the "Maximum Internet name &
password access" list.
11. Click OK to save your changes.
Access levels in the ACL
Access levels assigned to users in a database ACL control which tasks users can perform in the database.
Access level privileges enhance or restrict the access level assigned to each name in the ACL. For each user,
group, or server listed in the ACL, you select the basic access level and user type. To further refine the access,
you select a series of access privileges.
Note If you are designing a template (an .NTF file) for others to use to create applications, make sure the default
access is at least Reader so that users and/or servers can successfully read from the template when creating or
refreshing .NSF files based on that template.
Access levels assigned to servers in a database ACL control what information within a database the servers can
replicate.
To access a database on a particular server, an IBM Lotus Notes user must have both the appropriate
database access specified in the ACL as well as the appropriate access specified in the Server document in the
IBM Lotus Domino Directory.
For more information on server access levels, see Administering the Domino System.
For more information on database access for Internet users, see Maximum Internet name-and-password access.
Caution Administrators who are listed in the Full Access Administrators, Administrators, and Database
Administrators fields in the Server document are allowed to delete any database on the server, even if they are
not listed as managers in the database ACL.
This table shows the user access levels, listed from highest to lowest.
Manager
  Allows users to: modify the database ACL, encrypt the database, modify replication settings, delete the
  database, and perform all tasks allowed by the lower access levels.
  Assign to: the one or two people responsible for the database.
Designer
  Allows users to: modify all database design elements, modify replication formulas, create a full-text index,
  and perform all tasks allowed by the lower access levels.
  Assign to: the database designer and the person responsible for future design updates.
Editor
  Allows users to: create documents and edit all documents, including documents created by other users.
  Assign to: users who must be able to create and edit any document in the database.
Author
  Allows users to: create documents and edit the documents they created (documents in which their name, a
  group containing their name, or a role assigned to them appears in an Authors field).
  Assign to: users who need to contribute their own documents to the database.
Reader
  Allows users to: read documents.
  Assign to: users who need only to read documents.
Depositor
  Allows users to: create documents, but not read any document, including the ones they created.
  Assign to: users who need only to submit documents, for example to a ballot box or suggestion box.
No Access
  Allows users to: nothing, unless the Read public documents or Write public documents privileges are granted.
  Assign to: users who should not use the database, such as terminated employees.
This table shows the default and optional access level privileges for each access level.
Manager
  Default privileges: Create documents, Delete documents, Create private agents, Create personal folders/views,
  Create shared folders/views, Create LotusScript/Java agents, Read public documents, Write public documents
  Optional privileges: none (all privileges are selected by default)
Designer
  Default privileges: Create documents, Create private agents, Create personal folders/views, Create shared
  folders/views, Create LotusScript/Java agents, Read public documents, Write public documents
  Optional privileges: Delete documents
Editor
  Default privileges: Create documents, Create personal folders/views, Read public documents, Write public
  documents
  Optional privileges: Delete documents, Create private agents, Create shared folders/views, Create
  LotusScript/Java agents
Author
  Default privileges: Read public documents, Write public documents
  Optional privileges: Create documents, Delete documents, Create private agents, Create personal folders/views,
  Create LotusScript/Java agents
Reader
  Default privileges: Read public documents, Write public documents
  Optional privileges: Create private agents, Create personal folders/views, Create LotusScript/Java agents
Depositor
  Default privileges: Create documents
  Optional privileges: Read public documents, Write public documents
No Access
  Default privileges: None
  Optional privileges: Read public documents, Write public documents
Select this privilege for all users with Author access. If you deselect this privilege to prevent Authors from adding
any more documents, they can continue to read and edit documents they've already created.
Delete documents
Authors can delete only documents they create. If this privilege is deselected, a user can't delete documents, no
matter what the access level. If a form contains an Authors field, Authors can delete documents only if their
name, a group that contains their name, or a role that contains their name appears in the Authors field.
Create private agents
A user can run private agents that perform tasks allowed by the user's assigned access level in the ACL. Since
private agents on server databases take up disk space and processing time on the server, you may want to
deselect this privilege if performance is a concern.
A server administrator can further restrict a user's right to run agents in the Agent Restrictions section of the
Server document in the IBM Lotus Domino Directory. Therefore, even if you grant a user the "Create
LotusScript/Java agents" privilege in a database ACL, the Server document controls whether or not the user
can run an agent on a particular server.
Create personal folders/views
Personal folders and views created on a server are more secure than those created locally, and they can be
made available on multiple servers. Also, administrative agents can operate only on folders and views stored on
a server. If server space is a concern, deselect the "Create personal folders/views" option. Users will still be able
to create personal folders and views on their local workstation.
Create shared folders/views
Deselect this privilege to maintain tighter control over database design and to prevent users from creating folders
and views that are visible to others. A user assigned this privilege can create folders and views that are visible to
others.
Note Users who have this privilege can modify or delete any shared folder, view, or navigator in the database,
regardless of whether they created it. Use caution when granting this privilege.
Create LotusScript/Java agents
Since LotusScript and Java agents on server databases can take up significant server processing time, you
may want to restrict which users can run them.
Whether or not a user can run agents depends on the access set by the Domino administrator in the Agent
Restrictions section of the Server document in the Domino Directory. Even if you select "Create LotusScript/Java
agents" for a name in the ACL, the Server document still controls whether or not the user can run the agent on
the server. Work with your server administrator to set access rights for users to run agents on a server.
Read public documents
Select this privilege to allow users who have No Access or Depositor access to read documents and to see views
and folders with the property "Available to Public Access users." A form must contain a text field named
"$PublicAccess" with an assigned field value of 1. Documents created from that form are public documents.
Write public documents
Select this privilege to allow users to create/edit specific documents that are controlled by forms having the
property "Available to Public Access users."
Replicate or copy documents
Select this privilege to allow users to:
o copy, print, or forward documents in the database, or parts of these documents; and
Note Deselecting this option is not a true security measure because users can still print using Ctrl+Print Screen
or they can open a document and copy data to the clipboard.
The IBM Lotus Notes-generated field $KeepPrivate captures whether the current user has replicate or copy
privileges for the document. This setting applies only to Notes clients.
Roles in the ACL
A database designer can assign special access to database design elements and database functions by creating
roles. A role defines a set of users and/or servers. Roles are similar to groups that you can set up in the IBM
Lotus Domino Directory. However, unlike groups, roles are specific to the database in which they are created.
Once you create a role, you can use it in database design elements or functions to restrict access to those
elements or functions. For example, you may want to allow only a certain group of users to edit certain
documents in a database. You could create a role named "DocEditors". That role would then be added to the
Authors fields of those documents, and assigned to those users who are allowed to edit those documents.
You must have Manager access to create roles in the database ACL. You must create a role before you assign it
to a name or group in the ACL. Once you have created roles in an ACL, they are listed in the 'Roles' list box on
the Basics panel of the ACL dialog box. Role names appear in brackets -- for example, [Sales]. When you add an
entry to a database ACL, you can assign it to a role by selecting a role from the Roles list box.
Caution If you create a role that restricts access to part of an application and you do not assign it to yourself, you
will be restricted from accessing that part of the application in both the IBM Lotus Notes client and in IBM
Lotus Domino Designer. Make sure you assign each role to yourself as you create it to avoid this problem.
This table describes the design elements to which the database designer can restrict access by using roles,
and where the role is applied.
Documents that specific users may edit: an Authors field on the form
Controlled-access sections: Section properties
Documents that users can view and read in a specific view: View properties
Folders: Folder properties
Documents that users can read with a form: Form properties
Documents that users can create with a form: Form properties
Caution Using roles to restrict access to database elements is not a foolproof security measure. For example, if
a designer restricts access to certain documents in a database, the database manager or Domino administrator
must remember that documents inherit their Read access list from the Read access option that is set in the Form
Properties box for the form used to create the document. Therefore, anyone with Editor access or above in the
database ACL can change a document's Read access list.
To create or edit roles
You must create a role before you can assign it to a name in the ACL.
1. Make sure that you have Manager access in the database ACL.
2. Select the database icon from your bookmarks page.
3. Choose File - Database - Access Control.
4. Click Roles.
5. Do one of the following:
o To create a role, click Add, and type a name for the role.
o To rename a role, click Rename. In the Rename Role box, type a new name for the role.
o To delete a role, click Remove, and type the name of the role that you want to delete.
6. Click OK twice.
Notes
You do not need to include any brackets in the role name when adding or removing a role. However,
when you rename a role, you must type the role name exactly as it appears in the ACL, including the
brackets and case-sensitive characters.
To display a role assigned to a person, group, or server, select an entry in the ACL. If a check mark
appears next to a role in the Roles box, the selected person, group, or server is assigned to the role.
To change or remove an ACL entry
1. Make sure that you have Manager access in the database ACL.
2. Select the database icon from your Bookmark pane.
3. Select File - Database - Access Control.
4. Select a name.
5. Do one of the following and then click OK:
o Click Remove.
o Change the assigned user type, access level, access level privileges, and roles, as necessary.
Tip To display entries by access level, click the arrow next to "People, Servers, and Groups," and then select a
specific access level.
To add entries to the ACL by access level
1. Make sure that you have Manager access in the database ACL.
2. Select the database icon from your Bookmarks pane.
3. Select File - Database - Access Control.
4. Click Add.
5. Do one of the following to add a name to the ACL:
6. Click the arrow and select an IBM Lotus Domino Directory or Personal Address Book. Using the name
picker in the dialog box, you can select from the directories and address books available to you to find
the name you seek.
7. Click Add.
8. (Optional) Select a user type from the list in the User Type box.
9. Select an access level from the list in the Access box.
10. (Optional) Refine the access level by selecting or deselecting additional access level privileges, if
available.
11. (Optional) Select a role from the Roles box. The role displays a check mark when selected.
12. Click OK to save your changes.
Default ACL entries
A new database, by default, contains these entries in the ACL:
o -Default-
o Database creator user name
o LocalDomainServers
o OtherDomainServers
All of these entries, except for the database creator's user name, are group names. The -Default- group is the
only group that is specific to a database and not related to a group in the IBM Lotus Domino Directory.
For more information on creating groups, see Lotus Domino Administrator Help.
-Default-
Users and servers receive the access assigned to the -Default- group if they have not specifically been assigned
another access level, either individually or as a member of a group, or from a wildcard entry. You cannot delete
the -Default- group from an ACL. The default access for -Default- depends on the design of the database
template and varies among the different templates.
The access level you assign to the -Default- group depends on how secure you want the database to be. Select
No Access if you want a database available to a limited number of users. Select Author or Reader access to
make a database available for general use. The User Type field for -Default- should be set to "unspecified."
Database creator user name
The database creator user name is the hierarchical user name of the person who created the database. The
default access for the user who creates the database is Manager. Typically, this person retains Manager access
or is granted Designer access to the database.
LocalDomainServers
The LocalDomainServers group lists the servers in the same domain as the server on which the database is
stored. This group is created by default with every Domino Directory. When you create a new database, the
default access for the LocalDomainServers group is Manager. The group should have at least Designer access
to allow replication of database design changes across the domain. The LocalDomainServers group is typically
given higher access than the OtherDomainServers group.
OtherDomainServers
The OtherDomainServers group lists the servers outside the domain of the server on which the database is
stored. This group is created by default with every Domino Directory. When you create a new database, the
default access for the OtherDomainServers group is No Access to prevent a database from replicating outside
the local domain.
Acceptable entries in the ACL
Acceptable entries in the ACL include:
Wildcard entries
User, server, and group names (including user and group names of Internet clients)
Alternate names
LDAP users
Anonymous, which can be used for anonymous Internet user access and anonymous Notes user access
Use full hierarchical names for users and servers -- for example, Sandra E Smith/West/Acme/US.
For more information on creating hierarchical name schemes, see Lotus Domino Administrator Help.
Wildcard entries
To allow general access to a database, you can enter hierarchical names with a wildcard character (*) in the
ACL. You can use wildcards in the common name and organizational unit components.
Users and/or servers who do not already have a specific user or group name entry in the ACL, and whose
hierarchical names include the components that contain a wildcard, are given the highest level of access
specified by any of the wildcard entries that match.
Here is an ACL entry in wildcard format:
*/Illustration/Production/Acme/US
This entry grants the chosen access level to:
Mary Tsen/Illustration/Production/Acme/US
Michael Bowling/Illustration/Production/Acme/US
This entry does not grant the chosen access level to:
Sandy Braun/Documentation/Production/Acme/US
Alan Nelson/Acme/US
You can use a wildcard only at the leftmost portion of the ACL entry. When you use a wildcard ACL entry, set the
user type in the ACL as Unspecified, Mixed Group, or Person Group.
User names
You can add to an ACL the names of any individuals with certified IBM Lotus Notes user IDs or Internet users
who authenticate using name-and-password or SSL client authentication.
For Notes users, enter the full hierarchical name for each user -- for example, John Smith/Sales/Acme --
regardless of whether the user is in the same hierarchical organization as the server that stores the
database.
For Internet users, enter the name that appears as the first entry in the User name field of the Person
document. You can enter multiple alias names in the User name field, but the first entry is used to
perform the security authorization check, so it is the first entry that should be used on all Domino ACLs --
that is, server file and database ACLs.
For more information on database access for anonymous Internet users, see Anonymous access.
For more information on setting a maximum level of access for Internet users, see Maximum Internet name-and-password access.
Server names
You can add server names to an ACL to control the changes a database receives from a database replica. To
ensure tighter security, use the full hierarchical name of the server -- for example, Server1/Sales/Acme --
regardless of whether the name of the server being added is in a different hierarchical organization than that of
the server that stores the database.
Group names
You can add a group name -- for example, Training -- to the ACL to represent multiple users or servers that
require the same access. Users must be listed in groups with a primary hierarchical name or an alternate name.
Groups can also have wildcard entries as members. Before you can use a group name in an ACL, you must
create the group in the Domino Directory or in an LDAP directory that has been configured for group expansion
in the Directory Assistance database.
Tip Use individual names rather than group names for the managers of a database. Then when users choose
Create - Other - Memo to Database Manager, they'll know whom they are addressing.
Groups provide a convenient way to administer a database ACL. Using a group in the ACL offers the following
advantages:
You can add one group name instead of adding a long list of individual names to an ACL. If a group is
listed in more than one ACL, modify the group document in the Domino Directory or the LDAP Directory,
rather than add and delete individual names in multiple databases.
You can change the access level for several users or servers at the same time.
You can use group names to reflect the responsibilities of group members or the organization of a
department or company.
Tip You can also use groups to let certain users control access to the database without giving them Manager or
Designer access. For example, you can create groups in the Domino Directory for each level of database access
needed, add the groups to the ACL, and allow specific users to own the groups. These users can then modify the
groups, but they can't modify the database design.
Terminations group
When employees leave an organization, the Domino administrator should remove their names from all groups in
the Domino Directory and add them to a terminations group, which is denied access to servers. Work with your
server administrator to make sure that the names of terminated employees are removed from the ACLs of all
databases in your organization. Make sure that the terminations group is added to the ACLs and that the group is
assigned No Access.
You can also use the Deny Access group for this purpose. The Deny Access group contains the names of Notes
users who no longer have access to Domino servers. When you delete a person from the Domino Directory, you
have the option to "Add deleted user to deny access group," if such a group has been created. (If no such group
exists, the dialog box displays "No Deny Access group selected or available.")
For more information on the Deny Access group, see Lotus Domino Administrator Help.
Alternate names
An alternate name is an optional alias name that an administrator assigns to a registered Notes user, often to
publish a name in two different character sets, such as English and Kanji. You can add alternate names to an
ACL. An alternate name provides the same level of security as the user's primary hierarchical name. An example
of a user name in alternate name format is Sandy Smith/ANWest/ANSales/ANAcme, where AN is an alternate
name.
LDAP users
You can use a secondary LDAP directory to authenticate Web users. You can then add the names of these
Internet users to database ACLs to control user access to databases.
You can also create groups in the secondary LDAP directory that include the Internet user names and then add
the groups as entries in Notes database ACLs. For example, an Internet user may try to access a database on a
Domino Web server. If the Web server authenticates the user, and if the ACL contains a group named "Web," the
server can look up the Web user's name in the group "Web" located in the foreign LDAP directory, in addition to
searching for the entry in the primary Domino Directory. Note that for this scenario to work, the Directory
Assistance database on the Web server must include an LDAP Directory Assistance document for the LDAP
directory with the Group Expansion option enabled. You can also use this feature to look up the names of Notes
users stored in foreign LDAP directory groups for database ACL checking.
When you add the name of an LDAP directory user or group to a database ACL, use the LDAP format for the
name, but use a forward slash (/), rather than a comma (,), as a delimiter. For example, if the name of a user in
the LDAP directory is:
uid=Sandra Smith,o=Acme,c=US
enter the following in the database ACL:
uid=Sandra Smith/o=Acme/c=US
To enter the name of a non-hierarchical LDAP directory group in an ACL, enter only the attribute value, not the
attribute name. For example, if the non-hierarchical name of the LDAP group is:
cn=managers
in the ACL enter only:
managers
To enter the name of a hierarchical group name, include LDAP attribute names in ACL entries. For example, if
the hierarchical name of the group is:
cn=managers,o=acme
in the ACL enter:
cn=managers/o=acme
Note that if the attribute names you specify correspond exactly to those used in Notes -- cn, ou, o, c -- the ACL
won't display the attributes.
For example, if you enter this name in an ACL:
cn=Sandra Smith/ou=West/o=Acme/c=US
because the attributes correspond exactly to those used by Notes, the name appears in the ACL as:
Sandra Smith/West/Acme/US
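The three rewriting rules above (comma to slash, value-only for a non-hierarchical name, attribute names hidden when they are all cn/ou/o/c) are easy to get wrong by hand when scripting ACL changes. The following added example, which is not part of the original IBM documentation, implements them in Python. It assumes that the single-RDN rule applies to any non-hierarchical LDAP name, not only to groups, and it handles backslash-escaped commas inside a value; both are assumptions that go beyond the page.

```python
# Attributes Notes itself uses; when every attribute in an entry is one of these,
# the ACL dialog displays the values alone (Sandra Smith/West/Acme/US).
NOTES_ATTRIBUTES = {"cn", "ou", "o", "c"}


def split_dn(dn):
    """Split an LDAP DN into (attribute, value) pairs.  A backslash-escaped comma
    inside a value (cn=Smith\\, Sandra) is kept as part of the value; assumption
    beyond the page, which shows only unescaped names."""
    rdns, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            rdns.append("".join(current))
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current))
    pairs = []
    for rdn in rdns:
        attr, sep, value = rdn.strip().partition("=")
        if not sep:
            raise ValueError(f"RDN without '=': {rdn!r}")
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs


def to_acl_entry(dn):
    """Rewrite an LDAP name into the form typed into a Domino ACL: '/' instead of
    ',' between components, attribute names kept.  A non-hierarchical name (a
    single RDN such as cn=managers) is entered as its value alone."""
    pairs = split_dn(dn)
    if len(pairs) == 1:
        return pairs[0][1]
    return "/".join(f"{attr}={value}" for attr, value in pairs)


def acl_display_name(entry):
    """How the ACL shows a typed entry: attribute names disappear only when every
    one of them is cn, ou, o or c; otherwise the entry is shown as typed."""
    parsed = [component.partition("=") for component in entry.split("/")]
    if all(sep and attr.lower() in NOTES_ATTRIBUTES for attr, sep, _ in parsed):
        return "/".join(value for _, _, value in parsed)
    return entry


if __name__ == "__main__":
    # Constructed inputs, including the page's own three examples.
    for dn in ["uid=Sandra Smith,o=Acme,c=US", "cn=managers", "cn=managers,o=acme",
               "cn=Sandra Smith,ou=West,o=Acme,c=US"]:
        entry = to_acl_entry(dn)
        print(f"{dn:40} -> type {entry!r:45} shown as {acl_display_name(entry)!r}")
```

Note that acl_display_name only changes what the dialog shows; the stored entry keeps its attribute names, which is why uid=Sandra Smith/o=Acme/c=US is displayed unchanged while cn=managers/o=acme is shown as managers/acme.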
Anonymous access
Anonymous database access is given to Internet users and to Notes users who have not authenticated with the
server. You can control the level of database access granted to an anonymous user or server by entering the
name Anonymous in the access control list, and assigning an appropriate level of access. Typically you assign
Anonymous users Reader access to a database.
The table below describes different ways that an anonymous user can access a database:
Access specified | Anonymous access enabled for Internet protocol | Anonymous access enabled in database ACL
Anonymous set to "No Access" in database ACL | | Note: "Read and write public documents" privileges should be disabled
Anonymous users (both those who are given access to a database through the Anonymous entry and those who
have access through the -Default- entry) who try to do something that is not allowed for their access level will be
prompted to authenticate. For example, if Anonymous is set to Reader, and an anonymous user tries to create a
new document, that user is prompted to authenticate with a name and password.
Tip If you want all users to authenticate with a database, make sure that Anonymous is in the database ACL with
an access level of No Access, and add the Internet user's name to the ACL with the level of access you want the
user to have. You should also be sure that the Read Public Documents and Write Public Documents privileges
are not enabled in the database ACL.
The Domino server uses the group name Anonymous solely for access control checks. For example, if
Anonymous has Author access in the database ACL, the true name of the user appears in the Authors field of
documents the user creates in the database. The Domino server can display only the true name of anonymous
Notes users, but not of anonymous Web users, in the Authors field of the document. Authors fields are never a
security feature, regardless of whether anonymous access is used; if the validity of the author's name is needed for
security, then the document should be signed.
Replica IDs
To allow an agent in one database to use @DbColumn or @DbLookup to retrieve data from another database,
enter the replica ID of the database containing the agent in the ACL of the database containing the data to be
retrieved. The database containing the agent must have at least Reader access to the database containing the
data to be retrieved. Both databases must be on the same server. An example of a replica ID in a database ACL
is 85255B42:005A8fA4.
If you do not add the replica ID to the access control list, the other database can still retrieve data if the -Default- access level of your database is Reader or higher.
To determine the replica ID of a database, choose File - Database - Properties, and click the Info (i) tab. Or
choose File - Database - Design Synopsis, and select Replication.
To add a replica ID to the ACL
Type or copy and paste the replica ID from the Design Synopsis dialog box into the ACL or type the replica ID
you get from the info (i) tab of the Database properties box. You can type the replica ID in uppercase or
lowercase characters, but do not enclose it in quotation marks.
Order of evaluation for ACL entries
ACL entries are evaluated in a specific order to determine the access level that will be granted to an
authenticated Notes user trying to access the database.
The ACL first checks the user name to see if it matches any of the ACL entries. The ACL checks all
matching user names. For example, Sandra E Smith/West/Acme/US would match the entries Sandra E
Smith/West/Acme/US and Sandra E Smith. In the event that two different entries for an individual have
different access levels (for example, applied at different times by different administrators), the user trying
to access the database would be granted the highest access level, as well as the union of the access
privileges of the two entries for that user in the ACL. This can also happen if the user has alternate
names.
Note If you enter only the common name in the ACL (for example, Sandra E Smith), then that entry
matches only if the user's name and the database server are in the same domain hierarchy. For
example, if the user is Sandra E Smith, whose hierarchical name is Sandra E Smith/West/Acme, and the
database server is Manufacturing/FactoryCo, then the entry Sandra E Smith will not get the correct level
of access for ACLs on the server Manufacturing/FactoryCo. The name must be entered in full
hierarchical format in order for the user to obtain the correct level of access to ACLs on servers in other
domains.
If no match is made on the user name, the ACL then checks to see if there is a group name entry that
can be matched. If an individual trying to access the database happens to match more than one group
entry -- for example, if the person is a member of Sales and the two group entries for Sales are
Sales/West/Acme and Sales/Acme -- then the individual is granted the highest access level, as well as
the union of the access privileges of the two entries for that group in the ACL.
Note If the user matches an explicit entry in the ACL, and is a member of a group that is also listed in the
ACL, then the user always gets the level of access assigned to the explicit entry, even if the group
access level is higher.
If no match is made on the group name, the ACL then checks to see if there is a wildcard entry that can
be matched. If the individual trying to access the database happens to match more than one wildcard
entry, the individual is granted the highest access level, as well as the union of the access privileges of
all the wildcard entries that match.
If a group entry and a wildcard entry both apply to a user attempting to access the database, then the
user has the access assigned to the group entry. For example, if the group Sales has Reader access
and the wildcard entry */west/Acme has Manager access, and both entries apply to a user, then the user
has Reader access to the database.
If no match can be made from among the database ACL entries, the individual is granted the level of
access defined for the -Default- entry.
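The evaluation order just described (explicit name, then group, then wildcard, then -Default-, with the highest level and the union of privileges when several entries match at the same stage), the wildcard rules from the earlier "Wildcard entries" section, and the Authors-field rule from the "Delete documents" privilege description can be checked against each other with a small model. The following is an added example written for this page; it is not IBM's code and does not read a real ACL. It assumes group membership has already been expanded by the server and is passed in as a list, it simplifies "same domain hierarchy" for a common-name-only entry to "same last name component", and it lets a wildcard such as */Acme/US cover deeper organizational units, which goes beyond the same-depth example on the page. The sample ACL and names are constructed.

```python
from dataclasses import dataclass

# Access levels from lowest to highest, so list position gives the rank.
LEVELS = ["No Access", "Depositor", "Reader", "Author", "Editor", "Designer", "Manager"]


@dataclass(frozen=True)
class AclEntry:
    name: str                            # -Default-, user, server, group, or wildcard
    level: str                           # one of LEVELS
    privileges: frozenset = frozenset()  # e.g. {"Create documents"}
    roles: frozenset = frozenset()       # e.g. {"[Sales]"}


def _parts(name):
    """Hierarchical name components, lower-cased (Domino names are case-insensitive)."""
    return [p.strip().lower() for p in name.split("/")]


def wildcard_matches(entry, user):
    """True if a wildcard entry such as */Illustration/Production/Acme/US covers user.
    The '*' must be the leftmost component; the rest must be a suffix of the user's
    name.  Assumption beyond the page's same-depth example: */Acme/US also covers
    users in deeper organizational units under Acme/US."""
    eparts, uparts = _parts(entry), _parts(user)
    if eparts[0] != "*" or "*" in eparts[1:]:
        return False
    suffix = eparts[1:]
    return len(uparts) > len(suffix) and uparts[-len(suffix):] == suffix


def user_matches(entry, user, server, alternate_names=()):
    """Explicit-name match.  A hierarchical entry must equal the user's primary or
    alternate name.  A common-name-only entry (no '/') matches only when user and
    server share a hierarchy; simplification: same organization (last component)."""
    names = [user, *alternate_names]
    if "/" in entry:
        return any(_parts(entry) == _parts(n) for n in names)
    same_org = _parts(user)[-1] == _parts(server)[-1]
    return same_org and any(_parts(n)[0] == _parts(entry)[0] for n in names)


def combine(matches):
    """Several entries at one stage: highest level, union of privileges and roles."""
    level = max((e.level for e in matches), key=LEVELS.index)
    privileges = frozenset().union(*(e.privileges for e in matches))
    roles = frozenset().union(*(e.roles for e in matches))
    return level, privileges, roles


def effective_access(acl, user, server, groups=(), alternate_names=()):
    """Evaluate the ACL in the page's order: explicit user name, then group, then
    wildcard, then -Default-.  `groups` is the Domino Directory membership the
    server has already expanded for the user."""
    group_set = {g.lower() for g in groups}
    stages = [
        [e for e in acl if user_matches(e.name, user, server, alternate_names)],
        [e for e in acl if e.name.lower() in group_set],
        [e for e in acl if wildcard_matches(e.name, user)],
        [e for e in acl if e.name == "-Default-"],
    ]
    for matches in stages:
        if matches:
            return combine(matches)
    raise ValueError("ACL has no -Default- entry")


def can_modify_document(level, privileges, roles, authors_field, user, groups=(), delete=False):
    """Document-level check layered on the ACL result.  Editor and above may edit
    any document; an Author may edit (or delete) a document only when the Authors
    field names them, one of their groups, or one of their roles; deleting also
    needs the Delete documents privilege at every level."""
    if delete and "Delete documents" not in privileges:
        return False
    if LEVELS.index(level) >= LEVELS.index("Editor"):
        return True
    if level != "Author":
        return False
    mine = {user.lower(), *(g.lower() for g in groups), *(r.lower() for r in roles)}
    return any(a.lower() in mine for a in authors_field)


# Constructed sample ACL and names; not taken from the page's tables.
SERVER = "Hub/Acme"
SAMPLE_ACL = [
    AclEntry("-Default-", "Reader"),
    AclEntry("Sandra E Smith/West/Acme", "Editor", frozenset({"Create documents"}), frozenset({"[Sales]"})),
    AclEntry("Sandra Smith/ANWest/ANAcme", "Author", frozenset({"Delete documents"})),  # her alternate name
    AclEntry("Pat Lee", "Designer"),  # common name only
    AclEntry("Sales", "Reader"),
    AclEntry("Sales/Acme", "Editor", frozenset({"Create shared folders/views"})),
    AclEntry("*/West/Acme", "Manager"),
    AclEntry("*/Illustration/Production/Acme/US", "Author",
             frozenset({"Create documents", "Delete documents"}), frozenset({"[DocEditors]"})),
]

if __name__ == "__main__":
    for user, groups, alts in [
        ("Sandra E Smith/West/Acme", ["Sales"], ["Sandra Smith/ANWest/ANAcme"]),
        ("Bob Jones/West/Acme", ["Sales"], []),          # group beats the */West/Acme wildcard
        ("Mary Tsen/Illustration/Production/Acme/US", [], []),
        ("Alan Nelson/Acme/US", [], []),                 # falls through to -Default-
    ]:
        print(user, "->", effective_access(SAMPLE_ACL, user, SERVER, groups, alts))
```

Two results are worth noting. Sandra gets Editor with both Create documents and Delete documents because her primary and alternate names each match an explicit entry, and the Manager wildcard for */West/Acme never applies to her because explicit entries stop the search. Bob Jones, who matches only the Sales group, gets Reader even though the same wildcard would grant him Manager, which is the page's group-over-wildcard example.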
User types in the ACL
Person Group or a Server Group. To assign a Person Group or Server Group to a name, you must select the
name and manually assign that user type.
To manually assign a user type to a name
1. Make sure that you have Manager access in the database ACL.
2. Select the database icon from your Bookmarks pane.
3. Choose File - Database - Access Control.
4. Select a name to which you want to assign a user type.
5. Select a user type and click OK.
To automatically assign user types to unspecified users
1. Make sure that you have Manager access in the database ACL.
2. Select the database icon from your Bookmarks pane.
3. Choose File - Database - Access Control.
4. Click the Advanced icon.
5. Click "Look Up User Types for 'Unspecified' Users."
6. Click OK.
Enforcing a consistent access control list
You can ensure that an ACL remains identical on all database replicas on servers, as well as on all local replicas
that users make on workstations or laptops.
Select the "Enforce a consistent Access Control List" setting on a replica whose server has Manager access to
other replicas to keep the access control list the same across all server replicas of a database. If you select a
replica whose server does not have Manager access to other replicas, replication fails because the server has
inadequate access to replicate the ACL.
If a user replicates a database locally, the database ACL recognizes that user's access as it is known to the
server. This happens automatically for local replication, regardless of whether "Enforce a consistent Access
Control List" is enabled.
Note Local replicas with "Enforce a consistent Access Control List" enabled attempt to honor the information in
the ACL and determine who can do what accordingly. However, they have some limitations. One limitation is that
group information is generated on the server, not at the local replica. When a database is replicated locally,
information about the group membership of the person doing the replication is stored in the database for use in
ACL checking. If a person/identity other than the one doing the replication accesses the local replica, there will
be no group membership information available for that person, and the ACL can use only the person's identity,
not group membership, to check access.
Additionally, enforcing a consistent access control list does not provide security for local replicas. To keep data in
local replicas secure, encrypt the database on the Database Basics tab of the Database properties box.
Note If a user changes a local or remote server database replica's ACL when the "Enforce a consistent Access
Control List" option is selected, the database stops replicating. The log (LOG.NSF) records a message indicating
that replication could not proceed because the program could not maintain a uniform ACL on replicas.
To enforce or disable a consistent access control list
Use this method to enforce or disable a consistent ACL for a single database.
1. Make sure that you have Manager access in the database ACL.
2. Select the database icon from your Bookmarks pane. If the database has multiple replicas, select the
database icon from a server that has Manager access in the database ACL of the other replicas.
3. Choose File - Database - Access Control.
4. Click Advanced.
5. Do one of the following:
o To enforce a consistent ACL, select "Enforce a consistent Access Control List across all replicas
of this database."
o To disable a consistent ACL, deselect "Enforce a consistent Access Control List across all
replicas of this database."
6. Click OK.
Displaying the ACL history
You can display a chronological history of changes made to a database ACL. Each entry in the list shows when
the change occurred, who made the change, and what changed. The history stores only 20 lines of changes, not
the complete history.
1. Select the database icon from your Bookmarks pane.
2. Choose File - Database - Access Control.
3. Click Log.
4. Select a line of log history. To see the complete text of the log history, look in the field at the bottom of the
dialog box.
5. (Optional) Click Copy to copy the ACL history to the clipboard so that you can paste it in a document.
To display a name's effective access
The "effective" access a person, server, or a group has to documents in a database is not always apparent. For
example, if there are two groups with different levels of access to documents, and someone is a member of both
groups, you may wonder what access the person actually has. You can determine a person's effective access to
the documents from the ACL.
1. Select a database and choose File - Database - Access Control.
2. Click "Effective Access."
3. From the Effective Access dialog box, select the name of the person, server, or group and press Enter or
click "Calculate Access."
"Database Access is derived from" in the top left of the dialog box shows the selected name's effective
database access as determined by the database ACL.
The checked boxes on the lower left of the dialog box indicate the access rights for the selected name.
The "Groups" and "Roles" boxes on the right of the dialog box show all the individual and group name
entries and roles that could potentially control the selected name's access to the selected document. If
the person, server, or group is not in the ACL, the "Groups" box displays the group used to determine the
effective access.
4. After you review the effective access for the selected name, click Done.
It's possible to assign users or servers more than one level of access to a database. The following table
describes the order of precedence for competing access levels.
Access level conflict
Resolution
A name is included in two or more groups
members of the Human Resources department, the employee, and the employee's manager, list those people in
a Readers field.
If a form has a read access list, names from the Readers field are added to the access list. Otherwise, the
Readers field controls access to documents created from the form.
Entries in a Readers field cannot give a user more access than what is specified in the database access control
list (ACL); they can only further restrict access. Users who have been assigned "No Access" to a database in the
ACL can never read a document, even if you list them in a Readers field. On the other hand, users with Editor
access or above in the ACL can be restricted from reading documents if they aren't included in a Readers field.
Any users who have Editor (or higher) access to the database can read and edit a document if one of the
following is true:
They are listed in the form's Read access list or Readers field.
For information on updating Readers fields, see Updating Readers and Authors Fields if you have installed IBM
Lotus Domino Administrator Help. Or, go to http://www.lotus.com/ldd/doc to download or view Lotus Domino
Administrator Help.
Using an Authors field to restrict who can edit specific documents
An Authors field works in conjunction with Author access in the database ACL. Users with Author access in the
ACL can read documents in the database but cannot edit documents, not even the ones they created, unless an
Authors field in the document names them. If you list those users in an Authors field, they can edit the
documents in which they are listed.
Entries in an Authors field cannot override the database ACL; they can only refine it. Users who have been
assigned No Access in an ACL can never edit a document, even if you list them in an Authors field. Users who
already have Editor (or higher) access in the ACL are not affected by an Authors field. Authors fields affect only
users who have Author access in the ACL.
You must enter the user's full hierarchical name in the Authors field.
If you enter a name manually, Domino expands it and stores it in canonical (hierarchical) form; for example,
John Smith/ACME/West is stored as CN=John Smith/OU=ACME/O=West. The name is displayed in its abbreviated
form.
If you enter a name programmatically, you must supply the full canonical form, such as
CN=John Smith/OU=ACME/O=West.
For information on creating Authors fields, see To create Readers and Authors fields .
For information on updating Authors fields, see Updating Readers and Authors Fields if you have installed IBM
Lotus Domino Administrator Help. Or, go to http://www.lotus.com/ldd/doc to download or view Lotus Domino
Administrator Help.
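The rules in the two sections above are easy to misjudge when reviewing an application: a Readers field can only take access away (an Editor who is not listed cannot read), an Authors field matters only to users with Author access, names are compared in canonical form, and a server that replicates the database needs read access to every document (see "Replicating restricted documents" later on this page). The following Python model is an added example, not Domino code and not part of the original page. It encodes those rules against a constructed ACL, group list and two documents; the precedence used in `effective` (an explicit ACL entry wins over group membership, the highest level wins among several groups, -Default- applies otherwise) and the merging of group roles are assumptions of the model, as are all names in it, and wildcard entries are not modeled.

```python
# Added model of Domino document-level access (Readers/Authors fields refining
# the database ACL). Not Domino code: the ACL, groups and documents are
# constructed for this example, and the precedence rules are assumptions.
from dataclasses import dataclass, field

NO_ACCESS, DEPOSITOR, READER, AUTHOR, EDITOR, DESIGNER, MANAGER = range(7)


def canonicalize(name):
    """Expand an abbreviated Notes name (John Smith/ACME/West) to canonical
    form (CN=John Smith/OU=ACME/O=West). Flat names (groups, [roles],
    Anonymous, -Default-) and already-canonical names are returned unchanged."""
    if "=" in name or "/" not in name:
        return name
    parts = name.split("/")
    return "/".join(["CN=" + parts[0]]
                    + ["OU=" + p for p in parts[1:-1]]
                    + ["O=" + parts[-1]])


@dataclass
class Acl:
    entries: dict   # entry name -> (access level, set of roles enabled on it)
    groups: dict    # group name -> set of canonical member names

    def groups_of(self, name):
        return [g for g, members in self.groups.items() if name in members]

    def effective(self, name):
        """Assumed precedence: explicit entry beats group membership; among
        groups the highest level wins (roles of those groups are merged);
        otherwise -Default- applies. Wildcard entries are not modeled."""
        name = canonicalize(name)
        if name in self.entries:
            return self.entries[name]
        hits = [self.entries[g] for g in self.groups_of(name) if g in self.entries]
        if hits:
            return max(lvl for lvl, _ in hits), set().union(*(r for _, r in hits))
        return self.entries["-Default-"]

    def identities(self, name):
        """Everything a Readers/Authors entry could name for this user:
        the canonical name, the groups it belongs to and its enabled roles."""
        name = canonicalize(name)
        return {name, *self.groups_of(name), *self.effective(name)[1]}


@dataclass
class Doc:
    readers: list = field(default_factory=list)   # Readers field values
    authors: list = field(default_factory=list)   # Authors field values


def can_read(acl, name, doc):
    level, _ = acl.effective(name)
    if level < READER:        # No Access and Depositor never read, whatever the field says
        return False
    if not doc.readers:       # no Readers field: the ACL alone decides
        return True
    # A Readers field can only restrict: even Editor and above need a match
    return bool(acl.identities(name) & {canonicalize(r) for r in doc.readers})


def can_edit(acl, name, doc):
    if not can_read(acl, name, doc):
        return False
    level, _ = acl.effective(name)
    if level >= EDITOR:       # Authors fields do not affect Editor and above
        return True
    if level == AUTHOR:       # Author access edits only documents whose Authors field names it
        return bool(acl.identities(name) & {canonicalize(a) for a in doc.authors})
    return False              # Reader and below never edit


def access_matrix(acl, names, doc):
    """name -> (can read, can edit) for one document."""
    return {n: (can_read(acl, n, doc), can_edit(acl, n, doc)) for n in names}


# Constructed sample data.
ACL = Acl(
    entries={
        "-Default-": (READER, set()),
        "Anonymous": (NO_ACCESS, set()),
        "CN=Joyce O'Connor/OU=ACME/O=West": (EDITOR, set()),
        # explicit Reader entry: wins over her Marketing group's Author access
        "CN=Mary Sen/OU=ACME/O=West": (READER, {"[Scheduling Committee]"}),
        "Marketing": (AUTHOR, set()),
        "Production": (AUTHOR, set()),
        "CN=Hub/O=West": (MANAGER, set()),   # the replicating server
    },
    groups={
        "Marketing": {"CN=Mary Sen/OU=ACME/O=West"},
        "Production": {"CN=John Smith/OU=ACME/O=West"},
    },
)
# Slide Show document: Readers names the Production group and a role but omits
# the server, so it will not replicate; Authors lets Production edit it.
SLIDE = Doc(readers=["Production", "[Scheduling Committee]"], authors=["Production"])
# Status document: no Readers field, so the ACL alone decides who reads it.
STATUS = Doc(authors=["Marketing"])

if __name__ == "__main__":
    people = ["John Smith/ACME/West", "Mary Sen/ACME/West",
              "Joyce O'Connor/ACME/West", "Hub/West", "Visitor/West", "Anonymous"]
    for who, (r, e) in access_matrix(ACL, people, SLIDE).items():
        print(f"{who:26} read={r!s:5} edit={e}")
```

Running it shows the points the text makes: Joyce holds Editor access yet cannot open the Slide Show document, Mary reads it only through her role and cannot edit because her explicit Reader entry outranks her group, and the Hub server is shut out of it entirely, which is exactly the replication failure that adding the server name to the Readers field prevents.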
To create Readers and Authors fields
Restrict Read access to documents by creating Readers and Authors fields as follows.
1. Open the form in IBM Lotus Domino Designer.
2. Create a field, or click an existing field. Then choose Design - Field Properties.
3. On the Field Info(i) tab, select Readers or Authors as the type, and then:
o Select Editable to allow authors and editors to modify the list. (Be sure to include yourself in the
default value formula, which you create in the Script area of the Programmer's pane, so there is at
least one value.)
o Select Computed to write a formula that computes the reader or author names.
Writing formulas for Readers and Authors fields
When you write a formula for a Readers or Authors field, enclose user names and group names
in quotation marks.
"Marketing"
Select "Allow multi-values" for a field that stores a text list with multiple names. Concatenate the
names in the formula with a colon.
"Mary Sen":"Marketing":"Joyce O'Connor"
Place quotation marks and square brackets around role names that qualify access levels.
"[Scheduling Committee]"
4. To create editable or computed field values, click the Programmer's pane, select a formula type, and
write the formula; click the green check mark to save the formula.
Note Include server names in the formula if the database will replicate.
5. On the Control tab, choose one of the following options to generate a list of readers or authors from
which users can select.
Note Unless "None" is selected as the lookup option for a Readers or Authors field, users press either
CTRL+ENTER or, if specified for the field, the entry helper button to see a list of possible entries. If the
Readers field is located inside a layout region, leave "None" selected; other lookup options do not apply.
o Use None to rely on a formula or on the document's authors to create the list of names. Select "Look up
names as each character is entered" to speed up typing in editable fields. IBM Lotus Domino fills in
the first name that matches the characters the user types.
o Use Address dialog box for choices to display the Names dialog box so users can select names from a
Personal Address Book or from the Domino Directory. Select "Look up names as each character is
entered" to have a matching name looked up as the user types.
o Use access control list for choices to display a list of people, servers, groups, and roles in the ACL.
o Use View dialog box for choices to display a dialog box containing entries from a column in a Designer
database view. Select the database to look up, select a view, and select a column number.
6. (Optional) On the Field Info tab, select "Allow multi-values" to allow more than one name to be stored in
the field.
7. (Optional) On the Control tab, select "Allow values not in list" to let users enter additional names. This
property is applicable only to Address and Access Control List choices.
8. Save and close the form.
Note When you specify names for reader and author fields, use the full hierarchical name for each user if there
is a chance this database will be copied or replicated to another domain. Within a domain, an abbreviated, or
common name, is sufficient for user authentication, but between domains, you must supply the full hierarchical
name or authentication will fail.
Examples of restricting who can read or edit specific documents
The following examples illustrate how to use Readers fields and Authors fields.
Adding a Readers field to a form
To ensure that employees can read only their own Employee Information documents, create a computed-when-composed Readers field named AuthorizedReader that uses this formula:
@UserName
To add additional authorized readers, create a read access list in the Document Properties box for individual
documents.
To use an Authors field on a Slide Show form to let the Production group edit documents, and to save and
display the original author's name for each, you create two fields.
To display the creator's name, create a computed-when-composed field called CreatedBy and use the formula:
@Name([CN];@UserName)
To allow the Production group to edit Slide Show documents, create a computed Authors field and use the
formula:
"Production"
Allowing authors to add other names
To let authors and editors customize the Authors list, create an editable Authors field that uses "View access
control list dialog" to present choices, and select "Allow multi-values" for the field.
Tracking who edits a document
If a document contains an Authors field, IBM Lotus Domino automatically stores the names of the users who have
edited that document in an internal field called $UpdatedBy. Servers involved in replication are not considered
editors, so they are not tracked in this list.
To display the contents of the $UpdatedBy field, users can click and hold the cursor on the Authors field in a
document they're reading. Designer displays a pop-up list of everyone who has modified the document, including
people who did so through agents. Adding pop-up text to the field label helps users understand the list.
If a form is assigned the "Anonymous form" property, its documents do not contain an $UpdatedBy field; instead,
the documents contain an $Anonymous field with a value of "1."
Updating Readers and Authors fields
By default, the Administration Process examines all documents in a database to find and update Readers and
Authors fields and to update private views, folders, and agents. When the Administration Process performs a
"Rename person" or a "Delete person" request, it edits or removes the name in all Readers and Authors fields
and in private folders, views, and agents. To update Readers and Authors fields in only selected documents, you
create a special view in the database and then update that view.
You must select an administration server if you want to select the option to modify Readers and Authors fields.
The default is to not modify Readers and Authors fields.
To update Readers and Authors fields in all documents
Use this method to modify Readers and Authors fields for a single database.
1. Make sure that you have:
o
3. (Optional) In the Section Properties box on the Section Title and Border tab, edit the section title.
4. (Optional) Enter a Section Field Name.
5. (Optional) Choose a border style and border color for the section.
You can insert fields and other design elements into the section after creating it. To append design elements to
the bottom of the section, set the border style as a box. When you have finished appending design elements, set
the border style to no border.
To name the editors for a controlled-access section
1. Click the section title.
2. Choose Section - Section Properties.
3. Click the Formula tab.
4. Select Editable as the section type to allow the document creator to specify the section editors.
5. Select one of the Computed types to use a formula to define the section editors.
6. (Optional for an editable section; required for a computed section) In the Properties box, write a formula
to define who can edit the section, and click the check mark.
Note When you specify names for section editors, use the full hierarchical name for each user if there is a
chance this database will be copied or replicated to another domain. Within a domain, an abbreviated, or
common name, is sufficient for user authentication, but between domains, you must supply the full hierarchical
name or authentication will fail.
To make a controlled-access section collapsible
1. Click the section marker and choose Section - Section Properties.
2. Click the Expand/Collapse tab and select options for showing the section expanded or collapsed,
depending on whether a document is being previewed, printed, or opened.
3. On the same tab, click the "For Editors" list and select "For Non-editors." A list of options appears for
displaying the section to users who can read but not edit the section.
4. (Optional) Select "Hide title when expanded" if users who are non-editors don't need to see the section
title when the fields are displayed.
5. Save and close the form.
Examples of access-controlled sections
The following examples illustrate different uses for access-controlled sections on forms.
Computing an editors list from the access control list
The status section of a Business Card Request form has a controlled-access section whose formula allows only
administrators (an access role in the ACL) to change the status of a request. The formula for the computed field
is:
"[Business Card Administrators]"
Allowing the author to name section editors
An editable section of a Status Report form has a controlled-access section whose default value formula always
allows the author to edit the status report. Users who have access to the document but are not the author can
read the section but cannot edit it.
"@Author"
The author can choose Section - Define Editors to name additional editors for a particular status report.
Limiting Editor access to sections of forms
In workflow applications, use sections to restrict who can edit or sign parts of a document. If a document requires
more than one approval signature, you create a section on the form for each signature or group. For example,
you might create a section specifically for the Purchasing group.
Edit access lists and the access control list
To specify who can edit parts of a section, select the fields you want to restrict and create a section containing
the fields. Then specify who can edit the fields in one of the following ways:
Let the author of the document choose who can edit the section.
Specify the users, groups, or roles who can edit the section.
For users who are not listed as editors of the section, the fields appear as read-only. Editor access of the section
does not override Editor access in the database access control list (ACL); it only refines it. Privilege names
cannot be used in the Edit access list.
For more information about document access control, see Restricting who can access a section of a document
and Using a Readers field to restrict access to specific documents .
Tip If you use custom roles to refine standard access levels, consider creating a section that corresponds to
each access role. Then create a field named RoleName at the top of the section.
Using a computed field to define section editors
To define a list of section editors, write a formula that populates the list of allowed editors, by including the
current user's name, using @DbColumn to retrieve a list of names, using the value of an approver field, or using
a group name or role from the ACL. Use a computed-when-composed field to create a permanent list of editors
when a document is created.
You can use only formulas that result in a text list containing one or more names; you can then append the
names to the section's edit access list. Enclose the names in quotation marks and concatenate them with a colon
( : ).
"Mary Sen":"Marketing Group"
Access role names must include square brackets and be enclosed in quotation marks:
"[Scheduling Committee]"
For information on using database lookups, see @DbColumn.
Allowing the author to name section editors
To let authors decide who can edit fields in a section, make the section editable.
As a convenience to authors, write a default value formula to create an initial list of editors for the section;
anyone editing the section can then update that list. If there are multiple authors, be sure to select "Allow
multi-values" for the field.
An editable section allows the author of each document to create a customized list of editors by double-clicking
the section title when the document is in Edit mode or choosing Section - Define Editors. Any users already
authorized to edit the fields within the section are displayed, and the author can add other editors to the list.
Using a controlled-access section on multiple forms
To use a controlled-access section on more than one form, place the section on a subform and include the
subform in the forms.
Creating read access lists to limit view and folder access
To allow some users and not others to see a view or folder, create a read access list. Users who are excluded
from the access list do not see the view or folder on the View menu. A view or folder read access list is not a true
security measure. Unless the documents are otherwise protected, users can create private views and folders that
display the documents shown in the restricted view. For greater security, use a read access list for a form.
You can add users to the read access list for a view or folder as long as they already have at least Reader
access in the database access control list.
To create a read access list
1. Open the view or folder.
2. Choose Design - View Properties or Design - Folder Properties.
3. Click the Security tab.
4. Deselect "All readers and above."
5. Click each user, group, server, or access role you want to include. A check mark appears next to each
selected name.
6. Click the Person icon to add person or group names from a Personal Address Book or from the Domino
Directory.
7. To remove a name from the list, click the name again to remove the check mark.
8. (Optional) Check "Available to Public Access Users" if you want this view or folder available to users with
public access read or write privileges in the access control list for this database.
9. Save the view or folder.
Notes
Do not create a read access list for the default view of a database.
Servers that need to replicate a database need access to views that are read-restricted so that view
design changes can replicate.
Database designers need access to views that are read-restricted so that view design changes can be
made in IBM Lotus Domino Designer.
asking people to complete a Tech Services Review form and mail it to a Service Request Tracking database. In
that database, the reviews are displayed in the "Tech Service Performance" view.
Rajeev wants only his technicians and his own managers to have access to this view. He defines a read access
list for the "Tech Service Performance" view. Then, because there is no group in the IBM Lotus Domino
Directory for the people he wants to include in the access list, Rajeev defines an access role called
[TSManagers] in the database ACL, and adds that role to the view's read access list. The access role is stored
within the Service Request Tracking database; it is not added to the Domino Directory.
Creating write access lists to limit folder access
To allow some users and not others to update the contents of a folder, create a write access list for the folder.
You can add users to a write access list for a folder as long as the users already have at least Author access in
the database access control list. Users specified in the write access list for the folder can move and copy
documents into the folder and can remove documents from the folder. With only Author access, they cannot edit
documents in the folder.
1. Select a database.
2. In the Design pane, click Folders.
3. Double-click the view or folder in the Work pane.
4. Choose Design - Folder Properties.
5. Click the Security tab.
6. In the "Contents can be updated by:" section, deselect "All Authors and above."
7. Do any of the following:
o Click each user, group, server, or access role you want to include. A check mark appears next to each
selected name.
o Click the Person icon to add person or group names from a Personal Address Book or from the IBM Lotus
Domino Directory.
o To remove a name from the list, click the name again to remove the check mark.
Note When you use a form access list, you restrict access to all or part of a form by setting security parameters
that work with the database ACL. The database ACL predominates -- only users with access to the database
have access to forms within a database. Form security provides an additional measure of access control in
conjunction with the database access control list. However, note that using access-controlled forms is not a true
security measure because a user can create a copy of the form and remove the restriction.
Replicating restricted documents
Adding names to a read access list or to a Readers field limits access to the users, groups, and servers named
in that list or field. Servers that need to replicate this database must be included in the list or field to have Read
access. Otherwise, documents that are read-restricted won't replicate.
To create access-controlled forms
1. Open the form.
2. Choose Design - Form Properties.
3. Click the Security tab.
4. Deselect "All authors and above" in the "Who can create documents with this form" section.
5. Click each user, group, server, and access role you want to include.
6. Deselect "All readers and above" in the "Default read access for documents created with this form"
section.
7. Click each user, group, server, and access role you want to include.
8. (Optional) Check "Available to Public Access users" if you want documents created with this form available
to users with public access read or write privileges in the access control list for this database.
To prevent printing, forwarding, and copying of documents
You can discourage users from printing, forwarding, or copying documents created with a form. This feature
helps to prevent accidental distribution of confidential information, but it is not a true security feature because
users can circumvent it by using screen capture programs.
1. Open the form.
2. Choose Design - Form Properties.
3. Click the Security tab.
4. Click "Disable printing/forwarding/copying to clipboard."
To prevent editing of existing documents
You can prevent users with Author access in the database ACL from editing a field in existing documents. This
restriction doesn't apply to new documents.
1. Open the form.
2. Create a field, or click an existing field.
3. In the Field Properties box, click the Advanced tab.
4. Select "Security options: Must have at least Editor access to use" and click the check mark.
Creating public access pages, forms, subforms, outlines, views, agents, and style sheets
The database ACL controls access to specific design elements, such as pages, documents, forms, outlines,
views, folders, and style sheets. Users with No Access or Depositor access in the ACL cannot access the design
elements of a database. There are times, however, when you might want to make design elements accessible to
all users, regardless of access level. To do so, you make the design elements available for Public Access.
For example, public documents are necessary for calendar applications where one user lets another user read or
create appointments on his or her behalf. To create the public documents for this application, you must first
create a public access form containing a public access field. Then you create a public folder or view to display
the document.
Note that you can also make manually run agents available for public access.
To designate a page, form, or subform for public access
1. Open the page, form, or subform.
2. Choose Design - <design element> Properties.
3. Click the Security tab.
4. Select "Available to Public Access Users."
5. On a form or subform, create a field.
6. In the Name field, enter $PublicAccess.
7. In the Type field, select Text and Computed when composed.
8. In the Programmer's pane at the bottom of the form, enter "1" as the default value for the field.
9. To hide this field from users, select the Field Hide When tab and specify hide-when conditions.
To designate a view for public access
1. Open the view.
2. Choose Design - View Properties.
3. Click the Security tab.
4. Check "Available to public access users" if you want to make documents in this view or folder available
to users with public access read or write privileges in the access control list for this database.
To designate an outline for public access
1. Open the outline
2. Choose Design - Outline Properties.
3. Check "Available to public access users."
To create a style sheet for public access
1. Click Resources - Style Sheets in the Design pane.
2. Highlight a style sheet and choose Resource - Resource Properties. The Style Sheet Resource
Properties box appears.
3. Select the Security tab and check "Available to public access users."
To create an agent for public access
1. Open the agent in Designer.
2. Click Options.
3. Select "Available to Public Access Users."