Document Access

Since its earliest days, Notes has provided document-level security that can be enforced through the use of Authors and Readers fields, extending the database ACL and allowing you to further refine the already granular and extensive security model.

Using Readers Fields

Readers fields are a very powerful document-level security feature that enables you to further refine database access by restricting the users, groups, servers, and roles that can read a particular document. A Readers field is a special type of text field that interacts with the database ACL, further refining it. When a Readers field is placed in a document and users, groups, servers, and roles are named in it, access to that document is restricted to the named entities. For example, if a document contains a Readers field containing Dave Hatter, Leslee Hatter, Samuel Hatter, Wyatt Hatter, Emma Rose Hatter, and Administrators, only those explicitly named entities would be able to see the document in views and open the document in forms.

Being named in a Readers field does not give a user access to a document if that user is already restricted at the database ACL level. For example, if a user is named either explicitly or implicitly in a Readers field, but has been granted only Depositor or No Access in the database ACL, the user cannot access the document.

However, users with Reader or higher levels of access can still be denied access to individual documents through the use of a Readers field. If a user has Author or higher access to a database but is not named either explicitly or implicitly in a Readers field, he cannot access that document if there are other entities in the field. Table 5.4 illustrates how a Readers field interacts with each access level.

An empty Readers field—that is, one with no entries in it—does not restrict access to the document.


Table 5.4. How Readers Fields Interact with the Database ACL

User Access Level | User Named in Readers Field
No Access | Users cannot open the database.
Depositor | Users can only add new documents; they cannot read or edit any existing documents.
Reader | Users can read any documents that have no Readers field, an empty Readers field, or in which they are named in the Readers field. Users cannot create new documents or edit existing documents.
Author | Users can read any documents that either have no Readers field or in which they are named in the Readers field. They can also create new documents and edit any documents in which they are named in an Authors field.
Editor | Users can read any documents that either have no Readers field or in which they are named in the Readers field. They can also create new documents and edit any documents.
Designer | Users can read any documents that either have no Readers field or in which they are named in the Readers field. They can also create new documents and edit any documents, as well as change design elements.
Manager | Users can read any documents that either have no Readers field or in which they are named in the Readers field. They can also create new documents and edit any documents, as well as change design elements, manage the ACL, full-text index the database, and delete the database.

To create a Readers field in a document, follow these steps:

1. Open a database in the Designer client.

2. Select and open a form that should create a Readers field in underlying documents.

3. Place the cursor in the position where the Readers field should appear.

4. Choose Create, Field, which opens the Field properties box.

5. Name the field and set the type to Readers. If the field is expected to contain multiple names, groups, and/or roles, be sure to check Allow Multiple Values.

6. Enter a predefined, hard-coded list, or enter a formula that computes a list of users, groups, and/or roles. You can use the @UserName function to return the current user's name in a formula.

7. Save the form.

In most cases it's a good idea to use more than one Readers field in a document so that all users cannot be accidentally locked out of a document. You can create a second Readers field (which is computed when composed and uses a formula to compute the names, groups, and/or roles of the application's managers and/or administrators) so that administrators have a “back door” they can use to fix the document if other Readers fields in the document are not populated correctly.


Using Authors Fields

Much like Readers fields, an Authors field is a special type of text field that interacts with the database ACL, further refining it. In an application, users, groups, and roles may be given Author access to a database, meaning that they can create new documents (if the optional Create Documents privilege is enabled in the ACL) and read existing documents (not secured with Readers fields). However, Author access does not grant the capability to edit documents, not even those a user has created. For a user to edit a document that she has created, she must be explicitly or implicitly named in an Authors field in the document.

Also like Readers fields, being named in an Authors field does not give a user authority to edit a document if that user is already restricted at the database ACL level. For example, if a user is named either explicitly or implicitly in an Authors field, but has been granted only No Access, Depositor, or Reader access in the database ACL, the user cannot edit the document.

However, users with Author access who are named in an Authors field in the document can edit the document. Users with access levels higher than Author (Editor, Designer, or Manager) can edit any document unless restricted by a Readers field. Table 5.5 illustrates how the Authors field interacts with each access level.

Table 5.5. How Authors Fields Interact with the Database ACL

User Access Level | User Named in Authors Field
No Access | Users cannot open the database.
Depositor | Users can only add new documents; they cannot read or edit any existing documents.
Reader | Users can read any documents that have no Readers field, an empty Readers field, or in which they are named in the Readers field. Users cannot create new documents or edit existing documents.
Author | Users can read any documents that have no Readers field, an empty Readers field, or in which they are named in the Readers field. They may also be allowed to create documents and to delete documents in which they are named in an Authors field, and they can edit any documents in which they are named in an Authors field.
Editor | Users can read any documents that have no Readers field, an empty Readers field, or in which they are named in the Readers field. They can also create new documents, edit any documents, and delete documents (if the delete privilege has been set for Editors).
Designer | Users can read any documents that have no Readers field, an empty Readers field, or in which they are named in the Readers field. They can also create new documents and edit any documents, as well as change design elements.
Manager | Users can read any documents that have no Readers field, an empty Readers field, or in which they are named in the Readers field. They can also create new documents and edit any documents, as well as change design elements, manage the ACL, full-text index the database, and delete the database.

To create an Authors field in a document, follow these steps:

1. Open a database in the Designer client.

2. Select and open a form that should create an Authors field in underlying documents.

3. Place the cursor in the position where the Authors field should appear.

4. Choose Create, Field, which opens the Field properties box.

5. Name the field and set the type to Authors. If the field contains multiple names, groups, and/or roles, be sure to check Allow Multiple Values.

6. Enter a predefined, hard-coded list, or enter a formula that computes a list of users, groups, and/or roles. You can use the @UserName function to return the current user's name in a formula.

7. Save the form.

To enable users with Author access to edit documents that they have created, you must include them either explicitly or implicitly in one or more Authors fields. Users with Editor access or higher can edit any document that they can read. If more than one Authors field exists, entries in any Authors field will be considered valid.
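The rules in Tables 5.4 and 5.5, together with the "back door" second Readers field described earlier, can be checked against a document before it is deployed. The following model is an added example written for this chapter, not Notes code: it assumes the caller supplies group and role membership (the constructed GROUPS and ROLES below), treats entries in any Readers or Authors field as valid, and treats a document with no non-empty Readers field as unrestricted.

```python
ACL_LEVELS = ["No Access", "Depositor", "Reader", "Author",
              "Editor", "Designer", "Manager"]


def names_for(user, groups, roles):
    """Every name a user is matched against: the user's own name plus the
    groups and roles (implicit naming) the caller says they hold."""
    return {user} | set(groups.get(user, ())) | set(roles.get(user, ()))


def entries_of(fields):
    """Union of all entries across several Readers (or Authors) fields;
    an entry in any one of the fields counts."""
    return set().union(*fields) if fields else set()


def can_read(user, level, readers_fields, groups, roles):
    """Table 5.4: No Access and Depositor never read existing documents;
    Reader and above read a document only if no Readers field names anyone
    or one of them names the user explicitly or implicitly."""
    if ACL_LEVELS.index(level) < ACL_LEVELS.index("Reader"):
        return False
    entries = entries_of(readers_fields)
    return not entries or bool(entries & names_for(user, groups, roles))


def can_edit(user, level, readers_fields, authors_fields, groups, roles):
    """Table 5.5: a document must be readable to be edited; Editor and above
    edit anything they can read; Author access also needs an Authors field
    naming the user; Reader and below never edit."""
    if not can_read(user, level, readers_fields, groups, roles):
        return False
    if ACL_LEVELS.index(level) >= ACL_LEVELS.index("Editor"):
        return True
    return level == "Author" and bool(
        entries_of(authors_fields) & names_for(user, groups, roles))


# Constructed sample directory: group and role membership per user.
GROUPS = {"Leslee Hatter": ["HR Staff"], "Samuel Hatter": ["Administrators"]}
ROLES = {"Samuel Hatter": ["[Admin]"]}

# Constructed document: one Readers field for the business users and a
# second, computed "back door" Readers field holding the admin role.
READERS = [["HR Staff"], ["[Admin]"]]
AUTHORS = [["Dave Hatter"]]

if __name__ == "__main__":
    for who, lvl in [("Dave Hatter", "Author"), ("Leslee Hatter", "Reader"),
                     ("Samuel Hatter", "Author"), ("Wyatt Hatter", "Editor")]:
        print(who, lvl, "read:", can_read(who, lvl, READERS, GROUPS, ROLES),
              "edit:", can_edit(who, lvl, READERS, AUTHORS, GROUPS, ROLES))
```

Note that Dave Hatter is named in the Authors field yet cannot edit the document, because the Readers fields do not name him; the Authors field never overrides a Readers restriction.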

