One of the problems I face when deploying a Notes database is maintaining the ACL. For example, suppose you have been assigned the task of creating a mission critical human resources database. The database is required to be secured from most people (after all, we don't want anyone else to know what a Notes Developer's salary is). Once the database has been created, we're faced with the largest dilemma of the project -- how can we maintain the Access Control list?
Normally, we're faced with only two options:
1) Only provide the IT Staff with Manager Access to the database and force some unlucky IT guy, that's by the telephone, to modify the ACL per request. That's an unsatisfactory choice because we (IT Folks) have other duties to perform (like getting to the next level in Doom).
2) Provide a member of the HR group with manager access to the database so he/she can maintain the ACL. This is a frightening prospect though because this person can also modify the design (accidentally or intentionally) and give others Manager access.
However, by adding the code below to a database you create, "ACL Manager" or something similar, you can actually delegate the ACL modification to a user, while only giving that user editor access (or even less). How? Nope, not magic. We can do this by creating a database to serve as the "ACL Manager." Place this database on the server and copy and paste the script below into a new agent. Set the agent's property to run on a regular schedule and on "Any new or modified document since last ran."
Note: You will also want to have the server sign the agent rather than you since the server will have access to the databases already. Don't worry, it's easy to do this -- just go to the server (using the server's ID, open the database in designer, open the agent, click the save button. That's it, the agent should now be saved with the server as the signer.
Finally, create a form with at minimum the following fields:
1. Requestor (hidden and Calc'd based upon the creator's Name)
2. User (This will be the person who is needing access to the database)
3. DBName (This is the full path and filename (i.e. *.nsf) of the database for which the access is being requested
4. Access (This is the access requested. I use a dialog box with only the following values (NONE, DEPOSITOR, AUTHOR, and EDITOR). This is so I can make sure no-one provides Designer or Manager access without my knowledge.)
5. A submit button. This is simply composed of two lines:
You will also need to create a view for these documents. Name it "Requests" if you don't want to have to modify the script below.
For each database you have out on the network that you want to let someone else handle the boring task of ACL additions/subtractions, etc., simply create a new role called "ACLModifier" (you can change this to something else, but you'll have to modify the script also). Add the person whom you want to control the ACL (Usually, finding the department that is using this database and asking the department secretary to handle the ACL Modification works fantastically!) to this role and away you go.
The ACLManager database should have editor access for anyone. Whenever the Admin Assistant, etc. that has been assigned this role needs to add someone else to the ACL, they simply create a request (via the form in the ACLManager database) and the Agent takes it from there.
The purpose of the role is for security. After all, we don't want just any yahoo to be playing around with our ACL. The script checks the database ACL to determine if the requester is a member of the "[ACLModifiers]" role. If so, it performs the modification. If not, it sends them an e-mail telling them they cannot do it.
You'll want to search through the agent below and replace "ServerName" with the name of your server. Since this agent runs as the server rather than the requester, it doesn't matter what access the requester has as long as they're a member of the "[ACLModifier]" role.
The implementation should be very simple. In fact, the summary should take you longer to read than it will to implement this code. Don't tell your boss how quickly you've done it though. We want him to think it took you days! Besides, when else would we find time to golf but during working hours? [PAR]
Sub Initialize 'Dim workspace As New NotesUIWorkspace Dim session As New NotesSession Dim doc As NotesDocument Dim acl As NotesACL Dim entry As NotesACLEntry Dim db As NotesDatabase ' Variable for current database Dim dname As NotesDatabase ' Variable for Database for ACL Change Request to be applied Dim dnam As NotesItem ' Item to hold the value in the DB Name field on the request form Dim duser As NotesName ' Variable to hold the name of the user to be modified in the request form Dim dacc As Variant ' Variable to hold the access requested Access value Dim drequester As NotesName 'Item to hold the requester's name from the request form Dim view As NotesView ' View for getting requests queued in this database Set db = session.CurrentDatabase Set view=db.getView("Requests") Set doc=view.getFirstDocument Set dnam=doc.getFirstItem("DBName") ' Get Database Name Set drequester = New NotesName(Doc.Requestor(0)) 'Set Name of person requesting modification Set duser=New NotesName(Doc.UserNames(0)) ' Set name of person for whom access is to be modified Set dbname=session.getDatabase("ServerName",dnam.Text) Set acl = dbname.ACL Set entry = acl.GetEntry(drequester.abbreviated) Set dacc=doc.GetFirstItem("accesstobeprovided") 'Get level of requested access If entry Is Nothing Then Messagebox "No entry for " & session.CommonUserName & " or " & session.UserName,, "No entry" Exit Sub End If If entry.IsRoleEnabled( "[ACLModifier]" ) Then Call CreateACL(duser.abbreviated, dnam.text, Cint(dacc.values(0))) Else Call SendFailureNote(drequester,dnam.text) End If End Sub Sub CreateACL(user,dbp,acc) On Error Resume Next Dim session As New NotesSession Dim db As NotesDatabase Dim lvl As String Set db=session.getDatabase("ServerName",dbp) Dim acl As NotesACL Dim entry As NotesACLEntry Dim entry2 As NotesACLEntry Set acl = db.ACL Set entry=acl.GetEntry(user) Set entry2 = acl.CreateACLEntry (user, acc ) Call acl.Save End Sub Sub SendFailureNote(nm, d) Dim session As New NotesSession Dim db As NotesDatabase Dim doc As NotesDocument Set db=session.GetDatabase("ServerName","serverMailFile") Set doc=New NotesDocument(db) With doc .form="memo" .to="Jim Parry" .subject="Failed Request" .body="Your request to modify the ACL for " + d.title + "has been rejected because you do not have the proper authority." End With Call doc.send(True,"Jim Parry") End Sub