Extended ACL (xACL)

Domino 6 introduced the concept of extended access control lists (xACL). An extended access control list or xACL is an optional access control feature that can be used with a Domino Directory created from the PUBNAMES.NTF template.

Extended ACLs are part of a database and can be accessed through its Access Control list. You can use an xACL to refine the access the ACL grants a user, but you cannot use it to increase a user's access beyond that specified by the ACL. Some of the benefits of xACLs include the following:

  • Provide access to specific parts of the Directory.

  • Delegate administration. As an example, you can allow groups of administrators to maintain documents for a particular organizational unit.

  • Restrict access of users who manage the Directory through any supported protocol, for example, Notes (NRPC), Web (HTTP), or LDAP.

  • Set access to documents and fields globally rather than using multiple Readers and Authors fields.

You can implement an xACL when you need to control access to any of the following:

  • A specific field within a specific document

  • A specific document

  • All documents of a specific type, such as all Person documents

  • All documents with hierarchical names at a particular location in the directory name hierarchy, such as all documents whose names end in OU=West/O=Acme.

Extended ACLs are configured through the Extended Access at Target dialog box, shown in Figure 10.5. The Extended Access at Target dialog box is accessed from the database Access Control List dialog box.

Figure 10.5. The Extended ACL dialog box.


Before you can configure an Extended Access Control list for a Directory, you must enable extended access for the database.

Enabling Extended Access to a Database

Before you enable extended access to a database, you should be aware of the following issues:

  • If you enable extended access, you must make Directory modifications using a Domino 6 client.

  • Extended access requires using the Enforce a Consistent Access Control List Across All Replicas option.

  • After extended access has been enabled, Domino enforces the database ACL, extended ACL, and Readers and Authors fields for Notes clients attempting to look up names in the directory.

To enable extended access for a Domino Directory or Extended Directory Catalog, follow the steps listed here. You must have Manager access to do this.

1. Select a Directory database and open the ACL.

2. Click the Advanced tab.

3. Click the Enable Extended Access check box.

4. Answer Yes to the prompt.

5. If the Enforce a Consistent Access Control List Across All Replicas option is not enabled, click Yes when the next prompt appears to enable it. Enforce Consistent Access Control List Across All Replicas must be enabled to use xACLs.

6. Click OK in the Access Control List dialog box.

7. Click OK at the next prompt.

Configuring Extended Database Access

To configure an extended ACL on a Directory database, follow these steps:

1. Select the Directory database that should support an extended ACL.

2. Open the database ACL.

3. On the Basics tab, click the Extended Access button, which opens the Extended Access dialog box, shown previously in Figure 10.5.

4. Expand target categories and select the target in the Target box at the left.

5. In the Access List section, choose one of the following settings for the People, Servers, Groups drop-down. Choose Show Modified to display only subjects whose access is set at the target, or choose Show All to show subjects whose access is set at a higher target using the This Container and All Descendants scope setting.

6. To configure a subject for access to the selected target, click the Add button and then choose one of the following from the drop-down:

  • Default to add the subject Default.

  • Self to add the subject Self.

  • Anonymous to add the subject Anonymous.

  • Name, which opens a new dialog where you can type or select a name.

7. In the Attributes section, choose an entry in the Scope of Target field from the following:

  • This Container and All Descendants. This is the default setting and applies the subject's access to the selected target and to all targets subcategorized below it.

  • This Container Only. This setting applies the subject's access to the selected target only and not to targets subcategorized below it.

8. Select the appropriate Allow and Deny settings in the Attributes section for the selected target.

9. Click OK to save your changes.
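The two scope settings in step 7, together with the rule that an xACL can refine but never exceed what the database ACL grants, can be sketched as a small model. This is an added example, not code from the book or from Domino: the permission names, the sample entries, and the rule that an entry at a deeper target overrides one set higher up are assumptions made for illustration.

```python
# Simplified model (not Domino's implementation) of xACL target scope
# and of the database ACL acting as a ceiling on xACL settings.
from dataclasses import dataclass

DESCENDANTS = "This Container and All Descendants"
CONTAINER_ONLY = "This Container Only"

def parts(name):
    """Split a hierarchical name into case-folded components."""
    return [p.strip().casefold() for p in name.split("/") if p.strip()]

@dataclass(frozen=True)
class Entry:
    target: str                      # container, e.g. "OU=West/O=Acme"
    scope: str                       # DESCENDANTS or CONTAINER_ONLY
    allow: frozenset = frozenset()   # permission names are constructed
    deny: frozenset = frozenset()

def applies(entry, doc_name):
    """True if the entry's target and scope cover the named document."""
    container = parts(doc_name)[1:]  # drop the document's own CN component
    target = parts(entry.target)
    if entry.scope == CONTAINER_ONLY:
        return container == target
    # Component-wise suffix match: the target is the container or an ancestor.
    return container[len(container) - len(target):] == target

def effective(acl_rights, entries, doc_name):
    """Refine the ACL-granted rights with every applicable xACL entry."""
    rights = set(acl_rights)
    hits = [e for e in entries if applies(e, doc_name)]
    # Assumption: entries at deeper targets are applied last, so they win.
    for e in sorted(hits, key=lambda e: len(parts(e.target))):
        rights = (rights | e.allow) - e.deny
    # The xACL cannot raise access beyond what the database ACL grants.
    return rights & set(acl_rights)

# Constructed sample data for one subject.
ACL = {"read", "write"}
ENTRIES = [
    Entry("O=Acme", DESCENDANTS, deny=frozenset({"write"})),
    Entry("OU=West/O=Acme", DESCENDANTS, allow=frozenset({"write", "delete"})),
    Entry("O=Acme", CONTAINER_ONLY, deny=frozenset({"read"})),
]

if __name__ == "__main__":
    for doc in ("CN=Ann Lee/OU=West/O=Acme", "CN=Bob Ray/O=Acme",
                "CN=Cy Dunn/OU=East/O=Acme"):
        print(doc, sorted(effective(ACL, ENTRIES, doc)))
```

In the sample, the allow for "delete" at OU=West/O=Acme has no effect because the database ACL never granted it, and the This Container Only entry affects only the document directly under O=Acme.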
