DIRECTORY SERVICES


Extended ACL target
You select a target to specify either a category of documents or a specific document to which you are controlling a subject's access. Selecting a category of documents as a target is recommended because you can set access to multiple documents at once and because the access applies to documents added to the category in the future. You use the Target box in the "Extended Access at target" dialog box to select a target. You can set access for more than one subject at a target.

The following figure shows the / (root) target selected in the "Extended Access at target" dialog box. By default you can see only the document categories in the Target box and not individual documents. Deselect "Show only containers" to see the documents below the categories.

Target box for extended ACL

How the Target box categorizes documents

The target box categorizes documents by their names. The top category in the Target box is / (root). Access set at / (root) applies by default to all the documents in the directory because documents subcategorized below / (root) inherit the access set at / (root) by default. The Target box subcategorizes documents that have hierarchical names defined by a FullName, ListName, or ServerName field below / (root) by their location in the directory name hierarchy. For example, the Target box categorizes Person documents containing the names CN=Alan Jones/O=Acme, CN=Derek Malone/OU=East/O=Acme, and CN=Karen Lessing/OU=West/O=Acme as follows:

/ (root)
    O=Acme
        Alan Jones/Acme
        OU=East
            Derek Malone/East/Acme
        OU=West
            Karen Lessing/West/Acme

For a document to be categorized by name hierarchy in a subcategory below / (root), its name must contain more than one part. For example, a Person document whose name is defined by a certifier is subcategorized in a category below / (root). In addition, the name of the document must be stored in a field called FullName, ListName, or ServerName. The ListName field stores the names of Domino Group documents, the ServerName field stores the names of Domino Server documents, and the FullName field stores the names of other types of documents, for example Domino Person, Certifier, and Policy documents.

A document with a flat name (a name with only one part), or a document with a name specified in a field other than FullName, ListName, or ServerName, is categorized directly under / (root). The Target box does not show the documents under / (root) that are named through a field other than FullName, ListName, or ServerName. You can set access to these types of documents through the / (root) target, but you cannot set access to an individual one. For example, the names of Holiday and Connection documents are not controlled through a FullName, ListName, or ServerName field, so you cannot see or select these documents under / (root). However, when you set access at / (root), the access applies to the documents.
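The categorization rules above can be modeled in a few lines. This is an added example, not IBM or Domino code: the function names, the flat group name "Admins", and the field name "HolidayName" are assumptions made for illustration. It shows which documents land in which category, and which ones are covered only by access set at / (root).

```python
# Added example: models the Target box rules described on this page.
NAME_FIELDS = {"FullName", "ListName", "ServerName"}  # fields the page names

def target_path(field, name):
    """Return (categories below root, label shown in the box, selectable)."""
    if field not in NAME_FIELDS:
        # Named through another field: access set at / (root) applies,
        # but the document is not shown and cannot be targeted by itself.
        return [], None, False
    parts = [p.strip() for p in name.split("/") if p.strip()]
    label = "/".join(p.split("=", 1)[-1] for p in parts)  # abbreviated form
    # A flat (one-part) name yields no categories: it sits directly under root.
    return list(reversed(parts[1:])), label, True

def new_node():
    return {"docs": [], "hidden": 0, "sub": {}}

def build_tree(docs):
    root = new_node()
    for field, name in docs:
        categories, label, selectable = target_path(field, name)
        node = root
        for category in categories:
            node = node["sub"].setdefault(category, new_node())
        if selectable:
            node["docs"].append(label)
        else:
            node["hidden"] += 1  # counted, never listed
    return root

def render(node, label="/ (root)", depth=0):
    lines = ["  " * depth + label]
    lines += ["  " * (depth + 1) + d for d in sorted(node["docs"])]
    for category in sorted(node["sub"]):
        lines += render(node["sub"][category], category, depth + 1)
    return lines

SAMPLE = [  # constructed input; the first three names are the page's own
    ("FullName", "CN=Alan Jones/O=Acme"),
    ("FullName", "CN=Derek Malone/OU=East/O=Acme"),
    ("FullName", "CN=Karen Lessing/OU=West/O=Acme"),
    ("ListName", "Admins"),             # flat group name (constructed)
    ("HolidayName", "New Year's Day"),  # hypothetical non-name field
]

if __name__ == "__main__":
    tree = build_tree(SAMPLE)
    print("\n".join(render(tree)))
    print("covered only through / (root):", tree["hidden"])
```

The flat group name appears directly under / (root) next to O=Acme, so an entry scoped to O=Acme does not reach it; only access set at / (root) does.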

Advantages to using categories rather than single documents as targets

You can select a specific document as a target at which to set a subject's access; however, selecting a target category is recommended instead. When you select a target category, by default you are automatically setting access to all the documents immediately below the selected category as well as to documents below subcategories of the selected category, so you minimize the number of times the subject appears in the extended ACL. For example, by setting a subject's access at the target O=Acme, the access by default automatically applies to all documents below O=Acme and any organizational units below, such as OU=West and OU=East.

IBM® Lotus® Domino™ can verify a subject's directory access more quickly when there are fewer occurrences of the subject in an extended ACL than when there are many. In addition, when you use categories as targets it's easier to manage the extended ACL because there are fewer subjects to track.

To take full advantage of using categories as targets, you may want to specify hierarchical names for documents that have flat names in a FullName, ListName, or ServerName field so the Target box can subcategorize them under an appropriate location in the directory name hierarchy. For example, Group documents often have flat names, and in this case the Target box categorizes them directly below / (root), so you may want to change the names of such Group documents to hierarchical names.

The following documents usually have hierarchical names defined in a FullName, ListName, or ServerName field and are therefore subcategorized below / (root) at the appropriate location in the directory name hierarchy.
