Access Control List Fundamentals

The Access Control List, commonly referred to as the ACL, is used to manage database access for users. The ACL is incorporated into all Lotus Notes databases and is an integral part of its operation. It controls not only who can access the database but also what functions they perform and what data they can see (or access). At the most rudimentary level, the ACL consists of the following main components:

• Person, group, or server
• User type
• Access level definition
• Access role

Although the ACL dialog contains many additional settings, these areas are used to determine what functions and data are available for all users and other Domino servers (see Figure 19.1).

Figure 19.1. Components of the ACL

Person, Group, and Server

A database user can be characterized as a Person, Group, or Server (see Figure 19.2). A Person is defined as a single Lotus Notes userID (such as Mark Elliott/Raleigh/IBM). Individual users are typically added to the ACL when few in number or when a person needs a specific security setting. However, best practices recommend that individual user names not be added to the ACL directly. Instead, all users should be included in one or more groups that are included in the ACL.

A Group contains one or more persons (or servers) where all members in the group have the same access permission or role in the database. When working with groups, only the group name is placed in the ACL. All persons or servers associated with the group are actually managed via the Domino Directory (see Figure 19.3). This approach should be utilized when managing users that require similar access levels and permissions. A group can be created for persons, servers or a combination of both.

A Server, as the name implies, is defined as a single Domino server. This third type permits other Domino servers to access the database. Again, consider using groups to manage ACL settings for multiple database servers.

User Type

The user type value indicates to the Domino server the category of user that will be accessing the database. This is an additional layer of security that prevents or limits certain database functions when the user and user type values in the ACL fail to match that of the user accessing the database. All users must be associated with one of the following values:

Unspecified Signifies that the users type is unknown or not defined in the ACL.

Person Signifies that the user is a single person.

Server Signifies that the user is a single server.

Mixed Group Signifies that the user is a group that potentially contains one or more persons and/or servers.

Person Group Signifies that the user is a group that contains one or more persons (and does not contain any servers).

Server Group Signifies that the user is a group that contains one or more servers (and does not contain any persons).

Note

Always be sure to associate the user with the correct user type. For example, the user type for groups should be Mixed Group, Person Group, or Server Group. If the user is not correctly associated with the correct user type, access to the entire database may (or may not) be available to the user(s).

Access Levels

The access level determines what actions a given user can perform in the database. There are seven access levels that can be assigned. All users in the database ACL must be assigned one of these access levels. The following describes each level in order from the least to greatest level of authority.

No Access Prevents user access to the database. Users are unable to add the database to the Lotus Notes workspace, open the database, view information, or perform any actions with the database.

Depositor Users can only compose or create new documents. However, no data is visible in any of the views. This access level might be used in a customer survey or feedback database application.

Reader Users can view existing documents and information but cannot create new documents in the database.

Author Users can create new documents and modify/delete their own existing documents. Users cannot modify documents composed by another user. However, its important to understand that security settings on the form can override the database access level settings. If the form contains a "Readers" or "Authors" field, these settings will supercede those set in the database ACL. Note that controlled access sections and encrypted fields may be used to further refine access.

Editor Users can create new documents as well as modify or delete any document (both their own and others) in the database. However, its important to understand that security settings on the form can override the database access level settings. If the form contains a "Readers" field, these settings will supercede those set in the database ACL. Note that controlled access sections and encrypted fields may be used to further refine access.

Designer Users can perform all of the same transactions available to lower access levels, plus they have the ability to modify the database design and create a full-text search index.

Manager Users can perform all of the same transactions available to lower access levels, plus they have the ability to modify the ACL, encrypt the database design, modify replication settings, and delete the database.

Access Role

Another method to refine access to data and design elements is through the use of roles. A role is a special security setting that is defined in the ACL and referenced by the database design. Using roles, you can further refine database functionality, display of information, and ability to edit content. For example, with roles, you can manage

• What views are displayed
• What data is displayed
• What forms can be used to create new documents
• What action buttons are displayed
• Who can modify documents and when
• Who can edit a particular section of data

Each person, group, or server in the ACL can be assigned one or more roles in the database. However, its important to recognize that the creation of roles in the ACL is only half of the equation. The role subsequently needs to be married to functions in the database design. In other words, simply creating and assigning a role to a person has no effect unless the role is utilized and integrated into the database design.

Lets take, for example, a procurement request database where each request requires three distinct approvals before the item can be ordered. Each request must be approved by the persons immediate business manager, finance manager, and an executive manager. Each of these approvals could equate to a role. These roles could then be utilized in the database design.

As in Figure 19.4, you could create a separate set of "Approve" and "Decline" buttons for each of the three roles. Only persons assigned that role could click one of the associated buttons. When a person with the given role clicks the button, fields on the database can be updated and the buttons can be hidden.

Figure 19.4. Using roles to control the display of action buttons

In many cases, the role is utilized in the "Hide When" formula for an action button, controlled section, paragraph, or field. They can even be used to control the display of forms, views, and other design elements for the database. Youll learn more about how to create roles later in this chapter.

After one or more roles have been created, they can be integrated into the database design. For example, roles can be used to control the display of the action button through the Hide action if formula is true property. Including a formula similar to the following will allow only users with the "ProcureMgr" role to see and use the button.

@IsMember("[ProcureMgr]";@UserRoles)

An Introduction to the Lotus Domino Tool Suite An Introduction to the Lotus Domino Tool Suite Product Overview Links to developerWorks Getting Started with Designer Getting Started with Designer Installing the Designer Client Launching the Designer Client Creating My First Notes Database Links to developerWorks Navigating the Domino Designer Workspace Navigating the Domino Designer Workspace An Introduction to Designer The Design Pane The Work Pane The Object Pane The Programmers Pane The Action Pane Design Tabs Language Selector Client and Browser Selector Status Bar Links to developerWorks Domino Design Elements Domino Design Elements Building Blocks of a Notes Database Naming Design Elements Working with Forms Working with Fields Working with Layout Regions Working with Sections Working with Buttons Working with Views Working with Application Menus Working with Folders Working with Framesets Working with Pages Working with Shared Code Working with Shared Resources Links to developerWorks An Introduction to Formula Language An Introduction to Formula Language What Is Formula Language? What Is a Formula? Working with Variables Formula Language Keywords Working with Operators General Syntax Rules What Are Functions and Commands? What Are Commands? Working with Text Strings Working with Conditional Branching Working with Iterative Loops Working with Lookup Functions Working with Dates Working with Lists Working with User Prompts Links to developerWorks An Introduction to LotusScript An Introduction to LotusScript Introduction to Object-Oriented Programming LotusScript Classes Keywords Variables Constants Operators Comments Defining Variables and Constants Defining Object Reference Variables Working with Conditional Branching Working with Iterative Loops Communicating with Users Working with Arrays Using Formula Language in LotusScript Code Compiling LotusScript Code Links to developerWorks Fundamentals of a Notes Application Fundamentals of a Notes Application The Five Primary Application Types The Application Development Life Cycle Elements of a Project Plan Elements of a Project Schedule Questions to Ask When Designing a Database Designing a Notes Application Links to developerWorks Calendar Applications Calendar Applications Application Architecture Managing Recurring Events Using Single Documents Managing Recurring Events Using Multiple Documents Project A: Build an Event Calendar Project B: Build a Conference Room Reservation System Links to developerWorks Collaborative Applications Collaborative Applications Project A: Build a Discussion Forum Project B: Build a Project Control Notebook Links to developerWorks Reference Library Applications Reference Library Applications Project A: Build a Connection Document Database Project B: Build a Spreadsheet Generator Workflow Applications Workflow Applications Defining a Workflow Application Project: Building a Workflow Database Links to developerWorks Web Applications Web Applications Defining a Web Application Project: Building a Domino Web Site Security Troubleshooting Links to developerWorks Design Enhancements Using LotusScript Design Enhancements Using LotusScript Custom LotusScript Functions and Routines Compare Two Dates Check for an Element in an Array Replace an Element in an Array Remove a Character from a String Remove an Element from an Array Compare Two Arrays Working with Dynamic Arrays Create a Custom Popup Dialog Box Refresh a Document from the User Interface Search for a Document Working with Dates and Times Compute the Day of the Week How to Reference $ Fields How to Set the ReturnReceipt for LotusScript-Generated Email Add Field Validation to a Form Display an Are You Sure? Message Format a Users Name Automatically Update a History Field When a Document Changes Prompt the User to Describe Document Changes and Update the History Log Create a Unique Document Record Number Limit the Ability to Create Documents on a Local Database How to Zero Pad a Text Number How to Add Text to a Rich Text Object How to Attach a File to a Rich Text Object How to Format Text in a Rich Text Object Change Document to Edit Mode Obtain the Current Roles Assigned to a User Generate a Document in Another Database Generate a New Document by Duplicating an Existing Document Prompt in LotusScript Sending Email to Multiple Recipients Using LotusScript Add a View Icon and Mood Stamp to an Email Retrieve and Update NOTES.INI Environment Values Assign One Rich Text Object to Another Rich Text Object Add a Document, View, or Database Link to a Rich Text Field Create a Button to Add a Calendar Event Links to developerWorks Design Enhancements Using Formula Language Design Enhancements Using Formula Language Formula Language Enhancements Compare Two Lists Expand and Collapse All Document Sections Expand and Collapse All View Categories Get the Current Day of the Week Get the Current Month of the Year Create a Formatted Date String Create an Attach File Button Display the Windows File Finder Dialog Create a New Document Create a Last Updated By Field Create a Last Modified On Date Stamp Format a Users Name Hide Text and Design Elements Based on a Users Role Working with @DBColumn Working with @DBLookup Parse a Text String How to Format Field Values Using Input Translation How to Add Field Validation Display an Are You Sure? Warning Message Generate Email Using Formula Language How to Sort a List of Values View Enhancements View Enhancements Create a New Document by Double-Clicking on a Calendar Date Display Documents in a View by Year and Month Display an Icon in a View Retrieve All Views in a Database Retrieve All Columns in a View Retrieve All Columns for Each View in a Database How to Manage Conflict Documents Display All Documents by Form Name Disable the Ability to Paste Documents into a View Links to developerWorks Sample Agents Sample Agents Agent Enhancements Simple Action Agent to Modify All Documents LotusScript Agent to Modify All Documents Containing a Specific Field Value Agent to Manually Generate an Email Report Schedule Agent to Send a Daily, Weekly, or Monthly Email Report Links to developerWorks Miscellaneous Enhancements and Tips for Domino Databases Miscellaneous Enhancements Disable the Ability to Print, Copy, Cut, and Forward Documents Using Field Hints on a Form Using Static Popups to Display Help Messages How to Inherit Fields Between Forms Add an Icon to an Action Button Create a Custom Application Interface How to Set the Field Tab Order on a Form Domino Shortcut Keys Data Management Data Management Importing Data Exporting Data Migrating Data Creating Tables Modifying Data Using a LotusScript Agent Archiving Data Using an Agent Refreshing All Documents Security Security Access Control List Fundamentals Managing Database Access How to Enforce Consistent ACL Settings Across Replicas Encrypt the Database Managing Access to Views Managing Access to Forms and Documents Managing Access to Fields Managing Access to Source Code Hiding a Database Design Hiding a LotusScript Library How to Sign a Database How to Cross Certify Domino Servers Links to developerWorks Application Deployment and Maintenance Application Deployment and Maintenance What Are Templates? Establishing a Development Environment Migrating a Database Design Preserve a Copy of the Database Design Deploying the Production Database The Importance of Database Backups Process Synopsis Links to developerWorks Troubleshooting Troubleshooting Troubleshooting LotusScript Troubleshooting Agents Common Database Problems Where to Find Additional Assistance Links to developerWorks Appendix A. Online Project Files and Sample Applications Appendix A. Online Project Files and Sample Applications About the Online Materials About the Companion Web Site About the Development Tools and Files Folder Installing a Notes Database Appendix B. IBM® Lotus® Notes® and Domino®Whats Next? Appendix B. IBM® Lotus® Notes® and Domino®Whats Next? Developer-Specific Enhancements What Is a Composite Application? Composite Application Development Tools Adding Value into the Future Endnotes show all menu Previous page Table of content Next page Lotus Notes Developers Toolbox: Tips for Rapid and Successful Deployment ISBN: 0132214482 EAN: 2147483647 Year: N/A Pages: 293 Authors: Mark Elliott BUY ON AMAZON Excel Scientific and Engineering Cookbook (Cookbooks (OReilly)) Selecting More Than a Single Cell Using Exponents in Formulas Introduction Using Summation Functions Fitting Nonlinear Curves Using Solver MySQL Cookbook Using Column Aliases to Make Programs Easier to Write Selecting Records from the Beginning or End of a Result Set Using a FULLTEXT Search with Short Words Introduction B.3. Web Application Structure 101 Microsoft Visual Basic .NET Applications Working with Microsoft Visual Studio .NET 2003 and Microsoft .NET Framework 1.1 Building Windows Forms User Interfaces Building Web Applications Interacting with the Operating System Securing Applications An Introduction to Design Patterns in C++ with Qt 4 Operator Overloading Part II: Higher-Level Programming Generics and Containers Serializer Pattern Source Selector Cisco ASA: All-in-One Firewall, IPS, and VPN Adaptive Security Appliance Enabling Application Inspection Using the Modular Policy Framework Deployment Scenarios Monitoring and Troubleshooting Failovers Site-to-Site IPSec VPNs System Maintenance Telecommunications Essentials, Second Edition: The Complete Global Source (2nd Edition) Data Communications Basics Wide Area Networking Optical Networking Today and Tomorrow A Brief History of Wireless Telecommunications Beyond 3G Flylib.com © 2008-2020. If you may any questions please contact us: flylib@qtcs.net Privacy policy This website uses cookies. Click here to find out more. Accept cookies