
Controlling access to the Domino Directory with Extended ACL


Chuck Connell
02.08.2006


Controlling access to the Domino Directory and other system administration functions is a huge task in large organizations. Asking one central IT department to manage a Lotus Notes environment for a worldwide organization -- with thousands of employees and many Organization Units -- is usually unrealistic. But trying to farm out parts of the administration process to far-flung departments and countries can be chaotic.

This problem has created a niche for third-party products that offer various solutions, such as Cassetica Group Manager, MailRat GroupHawk, and GSX ID Manager, each of which has some value. Beginning with R6, Lotus also offered its own assistance with managing a large Lotus Notes infrastructure via the Extended ACL feature.

Extended ACL (E-ACL), as the name implies, is an additional level of database access control, beyond the standard access control list. In brief, E-ACL allows you to control access to sets of documents within a database. It is technically possible to accomplish the same goal by using Reader and Author fields carefully; E-ACL allows you to do this much more easily.

The first point to understand about E-ACL is that this feature is only available for a few administration databases: Domino Directory (names.nsf), Extended Directory Catalog, and Administration Requests. Unfortunately, E-ACL cannot be used as a general-purpose access control mechanism for other Lotus Notes databases.

The second key concept is that E-ACL is used to further restrict the access granted by the standard database access list. E-ACL cannot give a user access that the ACL does not grant.

To enable E-ACL for a database, use the checkbox found at File -> Database -> Access Control -> Advanced -> Enable Extended Access. Whenever you use E-ACL, you must also enable the option "Enforce a consistent ACL across all replicas," and you will be reminded if you forget. After enabling E-ACL, you must wait for the server to convert the Domino database to extended access, which can take a while for a large database.

After it is enabled, use the E-ACL feature by pressing the (now visible) button found at File -> Database -> Access Control -> Basics -> Extended Access.

You set up the E-ACL by selecting one or more "targets," such as Person documents in OU=Marketing/O=Acme Corp. For each target, you select people, groups or servers that can operate on the target, such as the MARKETING_MANAGERS group. Finally, you specify what those people/servers can do to the target, such as Allow=Read, Deny=Write.

IBM Lotus recommends (and I concur) that you should use groups, rather than individuals, in E-ACLs. It is much easier to maintain an E-ACL (and an ACL also) if they contain group names. To modify the people who are granted the specified access, just change the group membership in the Domino Directory.

What if your organization is so small that one person handles Notes/Domino administration? It is still a good idea to control access via group names. Hopefully your organization is growing, so you will appreciate the fact that you planned ahead. Just create a group with one person in it.
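The two layers described above (the standard ACL as a ceiling, the E-ACL only restricting further) together with the groups recommendation, as an added Python sketch that is not from the article or from IBM Lotus. It is a simplified model, not Domino's evaluation algorithm: the rule fields, the user names, the sample data, and the `can` and `lint` helpers are all assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    target: str       # name suffix selecting the documents, e.g. an OU
    form: str         # document type the rule covers
    subject: str      # who the rule applies to (ideally a group)
    allow: frozenset
    deny: frozenset

# Constructed sample data, not exported from a real Domino Directory.
GROUPS = {"MARKETING_MANAGERS": {"CN=Ann Lee/OU=Marketing/O=Acme Corp"}}
ACL = {"MARKETING_MANAGERS": {"Read", "Write"}}   # standard database ACL
EACL = [
    Rule("OU=Marketing/O=Acme Corp", "Person", "MARKETING_MANAGERS",
         frozenset({"Read", "Delete"}), frozenset({"Write"})),
    Rule("OU=Sales/O=Acme Corp", "Person", "CN=Bob Roe/OU=Sales/O=Acme Corp",
         frozenset({"Read"}), frozenset()),
]

def subjects_of(user):
    """The user plus every group the user belongs to."""
    return {user} | {g for g, members in GROUPS.items() if user in members}

def can(user, doc_name, form, action):
    who = subjects_of(user)
    granted = set().union(*(ACL.get(s, set()) for s in who))
    if action not in granted:        # layer 1: the ACL is the ceiling
        return False
    for r in EACL:                   # layer 2: the E-ACL may only take away
        if (r.subject in who and r.form == form
                and doc_name.endswith("/" + r.target) and action in r.deny):
            return False
    return True

def lint():
    """Flag rules that name individuals or allow more than the ACL grants."""
    findings = []
    for r in EACL:
        if r.subject not in GROUPS:
            findings.append((r.subject, "subject is not a group"))
        extra = r.allow - ACL.get(r.subject, set())
        if extra:
            findings.append((r.subject, "allow exceeds ACL: " + ", ".join(sorted(extra))))
    return findings
```

In this model the `Delete` entry in the first rule's allow set never takes effect, because the ACL does not grant it; `lint()` reports such entries along with rules whose subject is an individual rather than a group.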

One warning: If you use LDAP to read your Domino Directory, enabling E-ACL will disrupt normal LDAP access to the directory. To solve this problem, read the instructions found at Domino Administration Help -> Index -> Extended ACL -> LDAP.

For more information, see Domino Administration Help -> Index -> Extended ACL.

About the author: Chuck Connell is president of CHC-3 Consulting, which helps organizations with all aspects of Domino and Notes.

