Partitioning data by corporate departments

I have a new project coming up very soon, and it is the security aspect of this project that has me concerned. We have many, many branches across the U.S. that will be accessing this database, and of course each branch will be able to view only their own information. My concern is that when "John Smith" accesses the database, I'm not sure of the best way to detect if he is from Branch ABC or Branch XYZ. What would be, in your opinion, the best way to handle this? Groups for each branch, maybe? It just seems that would be an excessive number of groups in the ACL, wouldn't it?

Thanks very much for your assistance.

As you indicated, you could set up a group for each branch. Then assign each group a different database role. Then use these roles in a Reader field within each document, to control access. In theory, this will work. (And I have seen it work.) It is a fair amount of effort though to get it just right. You have to correctly compute the Reader field for every new document and make sure it stays correct for edited documents. You also have to handle Author and Editor access correctly.

If your corporate security model for this application is that people see and use only the documents for their branch, there is another way to go. Just create a separate copy of the application for each branch. Security becomes much simpler. People simply have access to ALL the documents in their branch's database. You probably still want a group name for the set of people working at each branch, and use that in the database ACLs. Security is also tighter, since the restricted documents aren't even in the database that someone is viewing. It is easy to let someone work in more than one branch -- just add them to more than one group. And you don't need Reader fields, removing that complexity.

Chuck Connell
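The Reader-field approach from the answer above, as an added example that is not part of the original answer: a simplified Python model (not Domino API code) of why the field has to be computed on every new document and kept correct on every edit. The group, role and person names and the sample documents are constructed, and the one-role-per-branch naming is an assumption.

```python
# Simplified model of Reader-field access; not Domino API code.
# Groups, people, roles and documents below are constructed sample data.
GROUP_MEMBERS = {
    "Branch ABC": {"John Smith", "Pat Lee"},
    "Branch XYZ": {"Mary Jones", "Pat Lee"},   # Pat works in both branches
}
GROUP_ROLES = {"Branch ABC": "[BranchABC]", "Branch XYZ": "[BranchXYZ]"}
BRANCH_ROLE = {"ABC": "[BranchABC]", "XYZ": "[BranchXYZ]"}

DOCS = [
    {"id": 1, "Branch": "ABC", "Readers": {"[BranchABC]"}},
    {"id": 2, "Branch": "XYZ", "Readers": {"[BranchXYZ]"}},
    {"id": 3, "Branch": "XYZ", "Readers": set()},            # field never computed
    {"id": 4, "Branch": "XYZ", "Readers": {"[BranchABC]"}},  # branch edited, field stale
]

def names_for(user):
    """The user's name plus every group and role the ACL gives them."""
    names = {user}
    for group, members in GROUP_MEMBERS.items():
        if user in members:
            names |= {group, GROUP_ROLES[group]}
    return names

def can_read(user, doc):
    """An empty Reader field restricts nothing; otherwise a listed name must match."""
    return not doc["Readers"] or bool(names_for(user) & doc["Readers"])

def visible_ids(user):
    """Ids of the documents this user can read."""
    return [d["id"] for d in DOCS if can_read(user, d)]

def audit(docs):
    """Report documents whose Reader field is empty or does not match their branch."""
    findings = []
    for d in docs:
        expected = {BRANCH_ROLE[d["Branch"]]}
        if not d["Readers"]:
            findings.append((d["id"], "empty"))
        elif d["Readers"] != expected:
            findings.append((d["id"], "stale"))
    return findings

if __name__ == "__main__":
    print(visible_ids("John Smith"))  # includes XYZ documents 3 and 4
    print(audit(DOCS))
```

Documents 3 and 4 are the two failure modes the answer warns about: a field that was never computed and a field that was not recomputed after an edit.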
