Manage Learn to apply best practices and optimize your operations.

Give a user editor access instead of Manager access to a database

How to maintain the Access Control list.

One of the problems I face when deploying a Notes database is maintaining the ACL. For example, suppose you have been assigned the task of creating a mission critical human resources database. The database is required to be secured from most people (after all, we don't want anyone else to know what a Notes Developer's salary is). Once the database has been created, we're faced with the largest dilemma of the project -- how can we maintain the Access Control list?

Normally, we're faced with only two options:
1) Only provide the IT Staff with Manager Access to the database and force some unlucky IT guy, that's by the telephone, to modify the ACL per request. That's an unsatisfactory choice because we (IT Folks) have other duties to perform (like getting to the next level in Doom).
2) Provide a member of the HR group with manager access to the database so he/she can maintain the ACL. This is a frightening prospect though because this person can also modify the design (accidentally or intentionally) and give others Manager access.

However, by adding the code below to a database you create, "ACL Manager" or something similar, you can actually delegate the ACL modification to a user, while only giving that user editor access (or even less). How? Nope, not magic. We can do this by creating a database to serve as the "ACL Manager." Place this database on the server and copy and paste the script below into a new agent. Set the agent's property to run on a regular schedule and on "Any new or modified document since last ran."

Note: You will also want to have the server sign the agent rather than you since the server will have access to the databases already. Don't worry, it's easy to do this -- just go to the server (using the server's ID, open the database in designer, open the agent, click the save button. That's it, the agent should now be saved with the server as the signer.

Finally, create a form with at minimum the following fields:
1. Requestor (hidden and Calc'd based upon the creator's Name)
2. User (This will be the person who is needing access to the database)
3. DBName (This is the full path and filename (i.e. *.nsf) of the database for which the access is being requested
4. Access (This is the access requested. I use a dialog box with only the following values (NONE, DEPOSITOR, AUTHOR, and EDITOR). This is so I can make sure no-one provides Designer or Manager access without my knowledge.)
5. A submit button. This is simply composed of two lines:
@PostedCommand([FileSave]) and

You will also need to create a view for these documents. Name it "Requests" if you don't want to have to modify the script below.

For each database you have out on the network that you want to let someone else handle the boring task of ACL additions/subtractions, etc., simply create a new role called "ACLModifier" (you can change this to something else, but you'll have to modify the script also). Add the person whom you want to control the ACL (Usually, finding the department that is using this database and asking the department secretary to handle the ACL Modification works fantastically!) to this role and away you go.

The ACLManager database should have editor access for anyone. Whenever the Admin Assistant, etc. that has been assigned this role needs to add someone else to the ACL, they simply create a request (via the form in the ACLManager database) and the Agent takes it from there.

The purpose of the role is for security. After all, we don't want just any yahoo to be playing around with our ACL. The script checks the database ACL to determine if the requester is a member of the "[ACLModifiers]" role. If so, it performs the modification. If not, it sends them an e-mail telling them they cannot do it.

You'll want to search through the agent below and replace "ServerName" with the name of your server. Since this agent runs as the server rather than the requester, it doesn't matter what access the requester has as long as they're a member of the "[ACLModifier]" role.

The implementation should be very simple. In fact, the summary should take you longer to read than it will to implement this code. Don't tell your boss how quickly you've done it though. We want him to think it took you days! Besides, when else would we find time to golf but during working hours? [PAR]

Sub Initialize
	'Dim workspace As New NotesUIWorkspace
	Dim session As New NotesSession
	Dim doc As NotesDocument
	Dim acl As NotesACL    
	Dim entry As NotesACLEntry
	Dim db As NotesDatabase			' Variable for current database
	Dim dname As NotesDatabase		' Variable for Database for ACL Change Request to be applied
	Dim dnam As NotesItem				' Item to hold the value in the DB Name field on the request form
	Dim duser As NotesName			' Variable to hold the name of the user to be modified in the request form
	Dim dacc As Variant					' Variable to hold the access requested Access value
	Dim drequester As NotesName		'Item to hold the requester's name from the request form
	Dim view As NotesView				' View for getting requests queued in this database
	Set db = session.CurrentDatabase
	Set view=db.getView("Requests")
	Set doc=view.getFirstDocument
	Set dnam=doc.getFirstItem("DBName")		' Get Database Name
	Set drequester = New NotesName(Doc.Requestor(0))	'Set Name of person requesting modification
	Set duser=New NotesName(Doc.UserNames(0)) 		' Set name of person for whom access is to be modified
	Set dbname=session.getDatabase("ServerName",dnam.Text)
	Set acl = dbname.ACL
	Set entry = acl.GetEntry(drequester.abbreviated) 
	Set dacc=doc.GetFirstItem("accesstobeprovided")	'Get level of requested access
	If entry Is Nothing Then
		Messagebox  "No entry for " & session.CommonUserName &  " or " & session.UserName,, "No entry"
		Exit Sub
	End If
	If entry.IsRoleEnabled( "[ACLModifier]" ) Then
		Call CreateACL(duser.abbreviated, dnam.text, Cint(dacc.values(0)))
		Call SendFailureNote(drequester,dnam.text)
	End If
End Sub

Sub CreateACL(user,dbp,acc)
	On Error Resume Next
	Dim session As New NotesSession
	Dim db As NotesDatabase
	Dim lvl As String
	Set db=session.getDatabase("ServerName",dbp)
	Dim acl As NotesACL
	Dim entry As NotesACLEntry
	Dim entry2 As NotesACLEntry
	Set acl = db.ACL	
	Set entry=acl.GetEntry(user)
	Set entry2 = acl.CreateACLEntry (user, acc )
	Call acl.Save
End Sub

Sub SendFailureNote(nm, d)
	Dim session As New NotesSession
	Dim db As NotesDatabase
	Dim doc As NotesDocument
	Set db=session.GetDatabase("ServerName","serverMailFile")
	Set doc=New NotesDocument(db)
	With doc
		.to="Jim Parry"
		.subject="Failed Request"
		.body="Your request to modify the ACL for " + d.title + "has been rejected because you do not have the proper authority."
	End With
	Call doc.send(True,"Jim Parry")
End Sub

Dig Deeper on Lotus Notes Domino Administration Tools

  • Favorite iSeries cheat sheets

    Here you'll find a collection of valuable cheat sheets gathered from across the iSeries/ community. These cheat ...