Controlling access to the Domino Directory and other system administration functions is a huge task in large organizations.
Asking one central IT department to manage a Lotus Notes environment for a worldwide organization -- with thousands of employees and many Organization Units -- is usually unrealistic. But trying to farm out parts of the administration process to far-flung departments and countries can be chaotic.
This problem has created a niche for third-party products that offer various solutions, such as Cassetica Group Manager, MailRat GroupHawk, and GSX ID Manager, each of which has some value. Beginning with R6, Lotus also offered its own assistance with managing a large Lotus Notes infrastructure via the Extended ACL feature.
Extended ACL (E-ACL), as the name implies, is an additional level of database access control, beyond the standard access control list. In brief, E-ACL allows you to control access to sets of documents within a database. It is technically possible to daccomplish the same goal by using Reader and Author fields carefully; E-ACL allows you to do this much more easily.
The first point to understand about E-ACL is that this feature is only available for a few administration databases: Domino Directory (names.nsf), Extended Directory Catalog, and Administration Requests. Unfortunately, E-ACL cannot be used as a general-purpose access control mechanism for other Lotus Notes databases.
The second key concept is that E-ACL is used to further restrict the access granted by the standard database access list. E-ACL cannot give a user access that the ACL does not grant.
To enable E-ACL for a database, use the checkbox found at File -> Database -> Access Control -> Advanced -> Enable Extended Access. Whenever you use E-ACL, you must also enable the option "Enforce a consistent ACL across all replicas," and you will be reminded if you forget. After enabling E-ACL, you must wait for the server to convert the Domino database to extended access, which can take a while for a large database.
After it is enabled, use the E-ACL feature by pressing the (now visible) button found at File -> Database -> Access Control -> Basics -> Extended Access.
You set up the E-ACL by selecting one or more "targets," such as Person documents in OU=Marketing/O=Acme Corp. For each target, you select people, groups or servers that can operate on the target, such as the MARKETING_MANAGERS group. Finally, you specify what those people/servers can do to the target, such as Allow=Read, Deny=Write.
IBM Lotus recommends (and I concur) that you should use groups, rather than individuals, in E-ACLs. It is much easier to maintain an E-ACL (and an ACL also) if they contain group names. To modify the people who are granted the specified access, just change the group membership in the Domino Directory.
What if your organization is so small that one person handles Notes/Domino administration? It is still a good idea to control access via group names. Hopefully your organization is growing, so you will appreciate the fact that you planned ahead. Just create a group with one person in it.
One warning: If you use LDAP to read your Domino Directory, enabling E-ACL will disrupt normal LDAP access to the directory. To solve this problem read the instructions found at Domino Administration Help -> Index -> Extended ACL -> LDAP.
For more information, see Domino Administration Help -> Index -> Extended ACL.
About the author: Chuck Connell is president of CHC-3 Consulting, which helps organizations with all aspects of Domino and Notes.
Do you have comments on this tip? Let us know. Related information from SearchDomino.com:
Please let others know how useful this tip is via the rating scale below. Do you have a useful Lotus Notes, Domino, Workplace or WebSphere tip or code snippet to share? Submit it to our tip contest and you could win a prize.