I have a new project coming up very soon, and it is the security aspect of this project that has me concerned. We have many, many branches across the U.S. that will be accessing this database, and of course each branch will be able to view only their own information. My concern is that when "John Smith" accesses the database, I'm not sure of the best way to detect if he is from Branch ABC or Branch XYZ. What would be, in your opinion, the best way to handle this? Groups for each branch, maybe? It just seems that would be an excessive number of groups in the ACL, wouldn't it?
Thanks very much for your assistance.
As you indicated, you could set up a group for each branch. Then assign each group a different database role. Then use these roles in a Reader field within each document, to control access. In theory, this will work. (And I have seen it work.) It is a fair amount of effort though to get it just right. You have to correctly compute the Reader field for every new document and make sure it stays correct for edited documents. You also have to handle Author and Editor access correctly.
If your corporate security model for this application is that people see and use only the documents for their branch, there is another way to go. Just create a separate copy of the application for each branch. Security becomes much simpler. People simply have access to ALL the documents in their branch's database. You probably still want a group name for the set of people working at each branch, and use that in the database ACLs. Security is also tighter, since the restricted documents aren't even in the database that someone is viewing. It is easy to let someone work in more than one branch -- just add them to more than one group. And you don't need Reader fields, removing that complexity.
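The two ways a per-branch Reader field goes wrong (never computed, or left stale after an edit) are shown in the added example below, which is a simplified Python model of the access check and not Domino code or code from the original answer. The group names, the role names such as [BranchABC] and the documents are constructed samples, and Author fields are left out of the model.

```python
# Simplified model of Domino Readers-field checks; not Domino API code.
# Group names, role names and documents below are constructed samples.

ACL = {  # ACL entry (group) -> roles assigned to that entry
    "Branch ABC Staff": {"[BranchABC]"},
    "Branch XYZ Staff": {"[BranchXYZ]"},
}
GROUPS = {  # user -> group memberships from the directory
    "John Smith": {"Branch ABC Staff"},
    "Mary Jones": {"Branch ABC Staff", "Branch XYZ Staff"},
}

def expected_role(branch):
    """Role that a document's Readers field should hold for its branch."""
    return "[Branch%s]" % branch

def identities(user):
    """Every name a Readers entry may match: user, groups, and roles."""
    groups = GROUPS.get(user, set())
    roles = set()
    for g in groups:
        roles |= ACL.get(g, set())
    return {user} | groups | roles

def can_read(user, doc):
    """A document with an empty Readers field is open to every ACL reader."""
    if not (GROUPS.get(user, set()) & set(ACL)):
        return False  # user has no ACL entry at all
    readers = set(doc.get("Readers", []))
    return not readers or bool(readers & identities(user))

def audit(docs):
    """Return (doc id, problem) for Readers fields that drifted from Branch."""
    findings = []
    for doc in docs:
        readers = set(doc.get("Readers", []))
        want = expected_role(doc["Branch"])
        if not readers:
            findings.append((doc["id"], "no Readers: visible to all branches"))
        elif readers != {want}:
            findings.append((doc["id"], "Readers do not match Branch"))
    return findings

DOCS = [
    {"id": "D1", "Branch": "ABC", "Readers": ["[BranchABC]"]},
    {"id": "D2", "Branch": "XYZ", "Readers": []},               # field never computed
    {"id": "D3", "Branch": "XYZ", "Readers": ["[BranchABC]"]},  # stale after an edit
]
```

In this model John Smith, who belongs only to Branch ABC, can read both D2 and D3 even though they are Branch XYZ documents, and audit(DOCS) reports exactly those two.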