Meet the Extended ACL


Rob Axelrod
10.12.2004




I'm ashamed to admit it but I broke one of those clichéd but all too true rules that I've been trying to inculcate in my children: "Don't judge a book by its cover" or "Just because that other kid is eating paste and smells strange doesn't mean he wouldn't make a nice friend." Well, when I first met the Extended ACL (xACL) I had two reactions. One: "Boy, I wish I had this when I was in the e-mail hosting business." But more importantly: "This is way too complicated to implement in any corporate Domino shop unless they really need it." The dialog box for configuring it is arguably the least intuitive and most complex of any that has ever come out of Cambridge, and that is really saying something. Now that I've been faced with a legitimate situation that warranted its use, I'm here to tell you that it is not so scary and can be quite useful.

First, let me give you a quick background on xACL. It is an extension of the Domino Directory's ACL and allows you to further refine access to the directory. It never grants users additional privileges; it can only narrow the scope of what a user or group can do. The situation that I found it useful in, and one that is fairly common, is when you have a user management group that is separate from your Domino administrators. This group needs to be able to modify, create or delete every person document, group document and mail-in database document, and every field in each -- but you don't want them to ever edit server, connection, configuration or domain documents. This is a perfect job for the xACL because it is fairly simple; you aren't granting or restricting access to specific fields or manipulating access for lots of different groups. Simplicity is critical when dealing with the xACL, since it can get hard to manage quickly.

In the following steps and diagrams I'm going to outline exactly how you would configure the xACL to give you the configuration above. You will only need to make one entry in the xACL, for the user management group. Everyone else's rights will remain the same, managed by the ACL.

  1. First you will need to add the group, in this example CorpUserManagement, as an Editor of the NAB in the ACL (you will restrict this access further in the xACL).

  2. Add the group to the access list of the xACL and give them the rights shown in the diagram below. These are the defaults that will effectively make them "readers" in the NAB. Next we will grant them edit rights to just the forms that we want.

    Figure 1

  3. Click on the "Form and Field Access" button and assign them the rights in the image below for each form that you want them to be able to work with. (Browse-Allow, Create-Allow, Delete-Allow)

  4. Also assign the default entry for fields the rights in the diagram. (Read-Allow and Write-Allow)

    Figure 1

That is all there is to it. Now you have a group that can do everything when it comes to user management but can't wreck your servers. Take advantage of the "Effective Access" button in the xACL to establish exactly what rights an entity has.
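As an added illustration (not from the original tip, and not IBM/Lotus code), the Python below models how the ACL and xACL entries from steps 1 to 4 combine into effective access. The rights model is deliberately simplified (no roles, Author fields or other xACL options), and the group name, form names and a second group not listed in the xACL are assumptions for the example.

```python
# Constructed, simplified model of ACL + Extended ACL (xACL) combination.
# It encodes one rule from the article: the xACL can narrow what the ACL
# grants, but never widen it. It is not Domino's own access logic.

ACL_LEVELS = ["No Access", "Depositor", "Reader", "Author",
              "Editor", "Designer", "Manager"]


def acl_rights(level):
    """Rights an ACL level is capable of on ordinary documents (simplified)."""
    rank = ACL_LEVELS.index(level)
    rights = set()
    if rank >= ACL_LEVELS.index("Reader"):
        rights.add("browse")
    if rank >= ACL_LEVELS.index("Editor"):
        rights |= {"create", "edit", "delete"}
    return rights


# Constructed xACL for the article's CorpUserManagement group.
# Step 2: the default entry (Browse/Read only) leaves them as readers.
# Steps 3-4: Browse/Create/Delete-Allow on the form plus Read/Write-Allow on
# the field default, only for the forms a user-management team needs.
# Form names are illustrative, not necessarily the names in the directory template.
XACL = {
    "CorpUserManagement": {
        "default": {"browse", "read"},
        "forms": {
            "Person": {"browse", "create", "delete", "read", "write"},
            "Group": {"browse", "create", "delete", "read", "write"},
            "Mail-In Database": {"browse", "create", "delete", "read", "write"},
        },
    },
}


def xacl_rights(entry, form):
    """Rights the xACL allows on `form`; unlisted forms use the default entry."""
    granted = entry["forms"].get(form, entry["default"])
    rights = set()
    if "browse" in granted and "read" in granted:
        rights.add("browse")          # can find and open the document
    if "browse" in rights and "write" in granted:
        rights.add("edit")            # can change fields of an existing document
    rights |= granted & {"create", "delete"}
    return rights


def effective_access(acl_level, group, form, xacl=XACL):
    """ACL rights intersected with xACL rights; groups absent from the xACL
    are governed by the ACL alone (what the Effective Access button shows)."""
    base = acl_rights(acl_level)
    if group not in xacl:
        return base
    return base & xacl_rights(xacl[group], form)
```

With the group as ACL Editor, it gets full rights on Person documents but only browse on Server documents; as ACL Reader, the xACL's Create-Allow on Person changes nothing, which is the "never grants additional privileges" rule.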

Some parting notes on things to watch out for. Be aware that if you do give them full rights to group documents you have still given them the keys to the kingdom, since they can put themselves into any group they want to -- but that is auditable and would only occur out of bad intentions. In order to enable the xACL, you need to turn on "Enforce a consistent ACL across all replicas." This may make the Directory a bit harder to administer, since it makes some useful back doors harder to use. Also note that if you have any R5 servers still in your domain, they will not be able to update the Domino Directory once the xACL is enabled. In general this is OK so long as the administration server of the Directory is ND6.







All Rights Reserved, Copyright 1999 - 2008, TechTarget | Read our Privacy Policy