Troubleshooting Database Access
The most important tool for controlling access to your application is the database's Access Control List (ACL). Within the database ACL, you define which people, groups, and/or servers have access to your database and what functions they can each perform.
 | Every Domino database contains an Access Control List. Users, groups, or servers with Manager access can add, modify, and remove users and groups, and they assign them specific access to the application. Whenever users attempt to access this database (from either a Notes or Web client), the ACL is used to determine their respective privileges. |
ACL Fundamentals
Database security for any database on a server is handled by the database Access Control List. The ACL lists users, groups, and servers, and assigns them specific rights to the database. Access levels range from Manager, who has total access to the database, to No Access. The database manager creates and controls the ACL. An additional database-level security feature is local encryption, which causes local databases to be encrypted so that only the user who sets local encryption can access them.
The users, groups, and servers contained within the ACL entries are defined within the Domino Directory. The Domino Directory is actually another Domino database itself. (Prior to Domino Release 5, this database was referred to as the Public Address Book.)
Four layers of security are contained within the Domino security framework:
Server-level security
Database-level security
Documents-level security
Field-level security
Access Levels
Within the Database Access Control List are seven levels of access. Table 2.6 lists each access level and describes each level's access.
| Access Control Level | Privileges |
|---|---|
| Manager | Can perform all functions, create and modify database ACLs, and delete the database (using the Notes client). |
| Designer | Can perform all the functions of an Editor (unless there are specific document-level restrictions), make modifications to the database design and design elements, and create/update a full-text index for the database. Designers cannot delete the database or modify the database ACL. |
| Editor | Can create, read, and edit all documents (unless there are specific document-level restrictions). |
| Author | An author can create, read, and edit documents he has created. However, if the Create Documents ACL setting has been disabled for this entry, users cannot create new documents. For an author to edit her own document she must have an Authors field with her name in it on the document. |
| Reader | Can only read documents (cannot create, edit, or delete documents). |
| Depositor | Can only create documents (cannot read, edit, or delete documents even if he or she created them). Users cannot see any documents, either, even those they have previously created. |
| No Access | No access to the database. |
 | Theoretically, a user who has No Access to a database may still be able to view some of the database contents. If a user has been granted No Access to the database, but the Read Public Documents option has been selected, the user has access to read documents contained within a shared view/folder if the documents contain an item title ($PublicAccess) that has a value of 1. This capability is used within the Notes calendaring capability. |
In the Access Control List, you list users, groups, and servers who need access to your database. Users, groups, and servers are given one of the same seven access levels described in Table 2.6.
ACL Entries
ACL entries within a database can be categorized as one of the following:
Username
Server name
Group name
Database replica ID
Default
Anonymous
Usernames in the ACL should be entered exactly as they appear in the user's ID file. If your organization uses hierarchical names, you should enter the fully distinguished hierarchical name—for example, Tim Bankes/Marketing/LibertasTechnologies. If the server on which your database resides and the person you are adding are both in the same organization, you can enter just the common name in the ACL, but the fully distinguished name is more secure, because two people cannot have the same fully distinguished name.
Server names are entered in much the same way as usernames. You should use the server's fully distinguished name—for example, Tsunami/Marketing/LibertasTechnologies. But you can use the common name if the servers are in the same organization.
 | Notes enables you to use the asterisk wildcard (*) to replace any component of a hierarchical name below the organization. Using wildcards, one ACL entry can grant access to everyone within a single organization or organizational unit. For example, the entry */LibertasTechnologies gives access to anyone in the organization LibertasTechnologies (including Tim Bankes/LibertasTechnologies or Dave Hatter/Development/LibertasTechnologies). |
It is possible for users to be assigned to more than one access level by being assigned explicitly within the database ACL and by being a member of a group name in the database ACL. Table 2.7 outlines the possible scenarios in which a user might be assigned with multiple access levels.
| Situation | Resolution |
|---|---|
| The user is listed individually and as a member of a group. | The access granted to the explicitly listed username takes precedence over the access granted in the group, even if the group access is higher. |
| The user is included in two or more groups. | The user is granted the access of the group with the highest access, even if one of the groups has been assigned No Access to the database. |
| The user appears in the ACL as well as in specific design element. | The specific design access refines the database access lists. |
Group names in the ACL can be any group of people or servers that is defined in the Domino Directory. Using group names in your ACLs has several advantages over individual names, including the following:
One group representing many users keeps the number of entries in the ACL low. This makes managing the ACL much easier.
You can change the access for an entire group of people rather than changing the access of several individual users.
A single group can be in the ACL in several databases. Simplify administration by centralizing changes within the Domino Directory.
Using groups, you can list a descriptive name that makes up a set of people, so you don't have to worry about typing in each individual entry, just the group name.
 | By default, the database Access Control List (ACL) affects only databases stored on a server. If the Enforce a Consistent Access Control List Across All Replicas of This Database property is selected, the ACL is enforced locally and across all other servers that contain database replicas of the current database. When the database replicates, all other replicas must share the same ACL list and specific settings. They can be modified on only the Administration server. After they have been modified on the Administration server, they are pushed to the other replica copies. If the database is modified on a replica copy that is not designated as the Administration server, replication is permanently disabled for that replica database. To enable this security, choose File, Database, Access Control from the menu bar. Click the Advanced tab that appears and select the Enforce a Consistent Access Control List Across All Replicas of This Database option. |
Four standard entries are created by default for every new database:
Default— Set to No Access unless the database was created from another database or a template with the default entry set to another access level.
Current Server— If created on a server, this entry is set to Manager access.
Beyond these standard entries in the ACL, you will add additional entries for users, servers, and groups of users or servers. These additional entries affect the bulk of the database users.
ACL entries are created with the Access Control List dialog box. You can also modify database ACL entries. Right-click the database icon for which you want to set up an ACL and select Database, Access Control (see Figure 2.12).
In the People, Servers, Groups field, you can filter the entries listed in the ACL. You can add, delete, or update entries in the list. Use the following procedure to add names to the list:
1. | Click the Add button (located below the People, Servers, Groups list). Domino displays the Add User dialog box (see Figure 2.12). |
2. | Enter a single name in the People, Servers, Groups box. Or click the Person button to open the Names dialog box, which is used for looking up entries in the Domino Directory. The entries can be servers, server groups, people, people groups, or mixed groups. |
3. | When you have added all the desired ACL entries, click OK. The names now appear in the Database ACL list. The default access level of newly added entries matches the access level of the currently highlighted entry in the ACL list. |
To rename an item in the list, select the name you want to rename and click on the Rename button in the Access Control dialog box. Enter the new name or use the Domino Directory by clicking on the Person button.
To delete a name from the list, select the name you want to delete and click on the Remove button in the Access Control dialog box.
After you have entered the correct names, you can assign access levels to those names by using the following procedure:
1. | Select a name from the list in the People, Servers, Groups list box. |
2. | In the Attributes area of the ACL window, select the appropriate User Type. |
3. | Select the appropriate access from the Access pull-down list. |
4. | Below the Access list are eight check boxes that you should check to further refine a user's access rights. The rights available for modification depend on the access level you assigned the user. For example, the Create Documents box is unavailable for a user with Reader access because a Reader, by definition, cannot create documents. Any unavailable items are grayed out. Items that are selected and grayed out are automatically set as a result of the access level and cannot be modified. These options are covered in greater detail in Chapter 5, “Security.” |
5. | Finally, you can select any roles assigned to this user, if any are defined, in the Roles list box. |
You can add, modify, and/or remove roles by clicking on the Roles icon located on the left section of the Access Control List dialog box. Roles enable database security to assign a subset of users additional access to specific database components. Role names cannot exceed 15 characters.
You can view the change history of modifications made to the database ACL by clicking on the Log icon located on the left section of the Access Control List dialog box.
You can modify Advanced options by clicking on the Advanced icon located on the left section of the Access Control List dialog box (see Figure 2.13).
With these advanced options, you can
Select the Administration Server.
Determine whether the Administration Process should modify Reader and Author fields.
Enforce a consistent Access Control List across all replicas of this database.
Set the maximum Internet access with authenticated Web users.
Look up user types for Unspecified users on the Basics tab from the Domino Directory.