I'm ashamed to admit it but I broke one of those cliche' but all too true rules that I've been trying to inculcate in my children: "Don't judge a book by its cover" or "Just because that other kid is eating paste and smells strange doesn't mean he wouldn't make a nice friend." Well, when I first met the Extended ACL (xACL) I had two reactions: One, "Boy I wish I had this when I was in the e-mail hosting business." But more importantly, "This is way too complicated to implement in any corporate Domino shop unless they really needed it." The dialog box for configuring it is arguably the least intuitive and most complex of any that has ever come out of Cambridge and that is really saying something. Now that I've been faced with a legitimate situation that warranted its use, I'm here to tell you that it is not so scary and can be quite useful.
First, let me give you a quick background on xACL. It is an extension of the Domino Directory's ACL and allows you to further refine access to the directory. It never grants users additional privileges; it can only narrow the scope of what a user or group can do. The situation that I found it useful in, and one that is fairly common, is when you have a user management group that is separate from your Domino administrators. This group needs to be able to modify, create or delete every person document, group document and mail-in database document, and every field in each -- but you don't want them to ever edit server, connection, configuration or domain documents. This is a perfect job for the xACL because it is fairly simple; you aren't granting or restricting access to specific fields or manipulating access for lots of different groups. Simplicity is critical when dealing with the xACL, since it can get hard to manage quickly.
In the following diagram I'm going to outline exactly how you would configure the xACL to give you the configuration above. You will only need to make one entry in the xACL for the user management group. Everyone else's rights will remain the same, managed by the ACL.
- First you will need to add the group, in this example CorpUserManagement, as an Editor of the NAB in the ACL (You will restrict this access further in the xACL).
- Add the group to the access list of the xACL and give them the rights shown in the diagram below. These are the defaults that will effectively make them "readers" in the NAB. Next we will grant them edit rights to just the forms that we want.
- Click on the "Form and Field Access" button and assign them the rights in the image below for each form that you want them to be able to work with. (Browse-Allow, Create-Allow, Delete-Allow)
- Also assign the default entry for fields the rights in the diagram. (Read–Allow and Write-Allow)
That is all there is to it. Now you have a group that can do everything when it comes to user management but can't wreck your servers. Take advantage of the "Effective Access" button in the xACL to establish exactly what rights an entity has.
Some parting notes of things to watch out for. Be aware that if you do give them full rights to group documents you have still given them the keys to the kingdom, since they can put themselves into any group they want to -- but that is auditable and would only occur out of bad intentions. In order to enable the xACL, you need to turn on "Enforce a consistent ACL across all replicas." This may make administering the Directory a bit harder to manage, since it makes some useful back doors harder to use. Also note that if you have any R5 servers still in your domain, they will not be able to update the Domino Directory once the xACL is enabled. In general this is OK so long as your administration server of the Directory is ND6.
Do you have comments on this tip? Let us know.
Please let others know how useful it is via the rating scale below. Do you have a useful Notes/Domino tip or code to share? Submit it to our monthly tip contest and you could win a prize and a spot in our Hall of Fame.