Setting and Reading ACLs

“Best practices” dictate that you should carefully plan the ACL of a database based on the users' and server's access requirements. After this planning stage, you can add users, groups, roles, or servers to the ACL by selecting them from the Domino Directory or manually entering them.

Keep in mind that you should create roles and groups before using them in the ACL and that you must have Manager access to the database to change the ACL.


Adding Valid ACL Entries

When adding entries to an ACL, the following types are acceptable:

  • Wildcard entries, such as */LibertasTechnologies. Wildcard entries are treated as groups.

  • Database replica IDs.

  • User, server, and group names, such as Dave Hatter/LibertasTechnologies.

  • Anonymous.

  • Alternate names.

  • LDAP name (a Lightweight Directory Access Protocol directory name).

The maximum length of an ACL entry is 255 characters. To add names to the ACL, follow these steps:

1. Select the database whose ACL you want to change.

2. Select File, Database, Access Control, or right-click the database and select Database, Access Control from the pop-up menu, which opens the database Access Control List dialog box shown in Figure 5.1.

Figure 5.1. The database Access Control List dialog box.

3. Click the Add button to open the Add User prompt.

4. Enter (or select) the name of a user, server, or group, and click OK.

5. Select a user type for the new entry. This is a good idea because it provides additional security.

6. Select an access level for the new entry.

7. Optionally, select the appropriate Optional Privileges for the new entry to refine the ACL.

8. Click OK to save your changes.

Add names to the ACL in hierarchical form to increase security. For example, use Dave Hatter/LibertasTechnologies rather than Dave Hatter.


Using Groups

Domino enables you to create groups, which contain a list of users, servers, and other groups that have something in common.

After a group document has been created in the Domino Directory (you may need your Administrator to do this), you can add members to the group and then use the group name in the ACL of a database to implicitly grant or deny access to all the members of the group.

Although there is no limit to the number of names in a group, the total size of the members list cannot exceed 15KB.


After you have added a group to the ACL, you assign it permissions the same way that you would to an individual user or server.

For example, you might create a group named LibertasEditors and grant it Editor access to a database, and create another group named LibertasAuthors and grant that group Author access to the database. As additional users need to access the database, you simply add them to the appropriate groups.

It is always a best practice, whenever possible, to use groups in the ACL of a database rather than individual names to reduce administrative overhead and to reduce the size of the ACL. Remember this information for the exam.


ACL Conflicts

ACL conflicts can occur when users are named explicitly in the ACL and also in a group named in the ACL, or when users are members of more than one group in the ACL. Table 5.3 explains what happens when this situation occurs.

Table 5.3. Database ACL

Type of Conflict | Conflict Resolution
A user is named both individually and as a member of a group. | The individual access level takes precedence over the access level assigned to the group.
A user is named in two or more groups. | The user receives the highest level of access between the groups.

Default ACL

When a new database is created, several entries are added to the database ACL by default:

  • Default— This entry is used to grant blanket access to all users, groups, and servers not explicitly named in the ACL. For example, if you set the Default to Reader, then any user not named explicitly or in a group has Reader access to the database. Additionally, if the ACL does not contain an Anonymous entry, Anonymous (unauthenticated) users are granted access based on this entry. You cannot remove this entry from the ACL.

  • Anonymous— This entry is used to grant access to unauthenticated Notes and Internet users.

  • Database creator user name— The user that creates the database is automatically added to the ACL and is granted Manager access.

  • LocalDomainServers— This group contains the names of the servers in the same domain as the server where the database is created. The default access for LocalDomainServers is Manager. This group should have at least Designer access so that design changes can replicate across the domain.

  • OtherDomainServers— This group contains the names of the servers outside the domain of the server where the database is stored. The default access for this group is No Access.
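The conflict rules of Table 5.3 and the Default/Anonymous fallback behaviour above can be checked against a small model. The following is an added example, not Domino's own code; the ACL entries, group documents and user names are constructed to match the chapter's examples, and access levels are the standard Domino levels from No Access to Manager.

```python
# Added example: a model of the Domino ACL resolution rules described in this
# chapter. It is not Domino's own code; entry and group names are constructed.
LEVELS = ["No Access", "Depositor", "Reader", "Author", "Editor", "Designer", "Manager"]

# Constructed sample ACL: entry name -> access level. Domino displays the
# Default entry as "-Default-".
ACL = {
    "-Default-": "Reader",
    "Anonymous": "No Access",
    "Dave Hatter/LibertasTechnologies": "Manager",
    "Contractor/LibertasTechnologies": "Reader",
    "LibertasEditors": "Editor",
    "LibertasAuthors": "Author",
    "*/LibertasTechnologies": "Reader",
    "LocalDomainServers": "Manager",
    "OtherDomainServers": "No Access",
}

# Constructed group documents: group name -> members (users, servers or groups).
GROUPS = {
    "LibertasEditors": ["Jane Doe/LibertasTechnologies", "Contractor/LibertasTechnologies"],
    "LibertasAuthors": ["Jane Doe/LibertasTechnologies", "Bob Roe/LibertasTechnologies",
                        "LibertasInterns"],
    "LibertasInterns": ["Sam Poe/LibertasTechnologies"],
}


def in_group(groups, group, name, seen=frozenset()):
    """True if name is a direct or nested member of group (cycle-safe)."""
    if group in seen or group not in groups:
        return False
    return any(m == name or in_group(groups, m, name, seen | {group})
               for m in groups[group])


def effective_access(acl, groups, name, authenticated=True):
    """Resolve the access level a name gets, applying the chapter's rules."""
    if not authenticated:
        # Anonymous entry if present; otherwise the Default entry applies.
        return acl.get("Anonymous", acl["-Default-"])
    # Rule 1: an explicit individual entry takes precedence, even if it is lower.
    if name in acl:
        return acl[name]
    # Rule 2: groups (wildcard entries count as groups) -> highest level wins.
    matched = [lvl for entry, lvl in acl.items()
               if in_group(groups, entry, name)
               or (entry.startswith("*/") and name.endswith(entry[1:]))]
    if matched:
        return max(matched, key=LEVELS.index)
    # Rule 3: the name appears nowhere -> Default.
    return acl["-Default-"]
```

Running the model on the constructed data shows the Contractor kept at Reader despite Editor group membership, Jane Doe resolving to Editor as the highest of her two groups, and an unauthenticated user falling back to Default when the Anonymous entry is absent.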
