DIRECTORY SERVICES


Extended ACL: example 2
The Acme company uses one IBM® Lotus® Domino™ domain. The directory name hierarchy within the Domino Directory consists of the organization O=Acme and two organizational units below it, OU=West and OU=East. The Acme Domino Directory includes three groups of administrators: Admins/Acme, Admins/West/Acme, and Admins/East/Acme.

Security goals

To establish security, Acme has these goals:

1. Allow members of the Admins/Acme group to:

2. Allow members of the Admins/West/Acme group to:

3. Allow members of the Admins/East/Acme group to:

4. Allow authenticated users not in any of the administration groups to browse and read only Person, Group, and Resource documents throughout the database but not other documents, and prevent these users from creating, deleting, and modifying any documents.

5. Prevent anonymous users from accessing the directory.

How Acme achieves its goals

The following tables describe how Acme sets up the Domino Directory database ACL and the extended ACL to accomplish its security goals.

Database ACL
Subject: -Default-
Access: Reader
Description: Required to allow non-administrators to browse and read Person, Group, and Resource documents

Subject: Admins/Acme group
Access:
  • Manager
  • Delete
  • All administration roles
Description: Allows members of Admins/Acme to manage all documents and the entire extended ACL -- no extended ACL settings needed

Subject: Admins/West/Acme group
Access:
  • Editor
  • Create, Delete
  • All administration roles
Description: Required to allow members of Admins/West/Acme to create, modify, delete, and manage the extended ACL for West/Acme documents

Subject: Admins/East/Acme group
Access:
  • Editor
  • Create, Delete
  • All administration roles
Description: Required to allow members of Admins/East/Acme to create, modify, delete, and manage the extended ACL for East/Acme documents

Subject: Anonymous
Access: No Access
Description: Prevents anonymous users from accessing any information in the directory. No extended ACL settings needed

/ (root) target in extended ACL
Subject: -Default-
Access (Default):
  • Deny all
Access (Person, Group, and Resources):
  • Allow: Browse, Read
  • Deny: Create, Delete, Write, Administer
This container and all descendants? Yes
Description: Allows non-administrators to read only Person, Group, and Resource documents

Subject: Admins/West/Acme group
Access (Default):
  • Allow: Browse, Read
  • Deny: Create, Delete, Write, Administer
This container and all descendants? Yes
Description: Prevents members of the Admins/West/Acme group from modifying documents at the / (root) and O=Acme targets

Subject: Admins/East/Acme group
Access (Default):
  • Allow: Browse, Read
  • Deny: Create, Delete, Write, Administer
This container and all descendants? Yes
Description: Prevents members of the Admins/East/Acme group from modifying documents at the / (root) and O=Acme targets

OU=West target in extended ACL
Subject: Admins/West/Acme group
Access (Default):
  • Allow all
This container and all descendants? Yes
Description: Allows members of Admins/West/Acme to have full access to documents under OU=West

OU=East target in extended ACL
Subject: Admins/East/Acme group
Access (Default):
  • Allow all
This container and all descendants? Yes
Description: Allows members of Admins/East/Acme to have full access to documents under OU=East
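
The database ACL and extended ACL tables above can be checked against the security goals with a small model. This is an added example, not IBM's or Domino's code. It assumes a simplified resolution order: a subject's extended ACL rows apply only to users matched by that subject's database ACL entry, the deepest target wins, a form-specific setting overrides Default, and the database ACL is a ceiling. The function names and the Server form (a stand-in for "other documents") are constructed for illustration.

```python
# Simplified model of the Acme tables; resolution rules are assumptions, not Domino's code.
WRITE = {"Create", "Delete", "Write", "Administer"}
READ = {"Browse", "Read"}
ALL = READ | WRITE
DIRECTORY_FORMS = {"Person", "Group", "Resource"}

# Database ACL: the ceiling an extended ACL row can narrow but never raise.
DB_ACL = {
    "Admins/Acme": ALL,        # Manager: no extended ACL rows needed
    "Admins/West/Acme": ALL,   # Editor + Create, Delete + all administration roles
    "Admins/East/Acme": ALL,
    "-Default-": READ,         # Reader
    "Anonymous": set(),        # No Access
}

# Extended ACL rows: (target, subject, forms or None for "Default", allowed rights).
# Every row on the page applies to "this container and all descendants".
XACL = [
    ("/", "-Default-", None, set()),
    ("/", "-Default-", DIRECTORY_FORMS, READ),
    ("/", "Admins/West/Acme", None, READ),
    ("/", "Admins/East/Acme", None, READ),
    ("OU=West", "Admins/West/Acme", None, ALL),
    ("OU=East", "Admins/East/Acme", None, ALL),
]

def subject_for(groups, authenticated=True):
    """Pick the database ACL entry for a user (one admin group at most in this model)."""
    if not authenticated:
        return "Anonymous"
    return next((s for s in DB_ACL if s in groups), "-Default-")

def effective(subject, form, ou=None):
    """Rights on a document of `form` under OU=`ou` (None means directly under O=Acme)."""
    ceiling = DB_ACL[subject]
    hits = [row for row in XACL
            if row[1] == subject and row[0] in ("/", f"OU={ou}")
            and (row[2] is None or form in row[2])]
    if not hits:
        return set(ceiling)  # no extended ACL row: database ACL applies unchanged
    # Deepest target wins; at the same target a form-specific row beats Default.
    best = max(hits, key=lambda row: (row[0] != "/", row[2] is not None))
    return ceiling & best[3]

if __name__ == "__main__":
    for who, form, ou in [("-Default-", "Person", "East"), ("-Default-", "Server", None),
                          ("Admins/West/Acme", "Person", "West"),
                          ("Admins/West/Acme", "Person", "East"), ("Anonymous", "Person", None)]:
        print(f"{who:18} {form:7} OU={ou}: {sorted(effective(who, form, ou))}")
```

Removing the two Admins rows at the / (root) target from XACL makes the regional administrators fall back to their unrestricted Editor access outside their own OU, which is the gap those rows close.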