Lotus Domino Administrator 8 Help - Extended ACL: example 2

DIRECTORY SERVICES

Extended ACL: example 2
The Acme company uses one IBM® Lotus® Domino™ domain. The directory name hierarchy within the Domino Directory consists of the organization O=Acme, and two organizational units below that, OU=West and OU=East. The Acme Domino Directory includes three groups of administrators:

The Admins/Acme group, responsible for managing documents throughout the directory.
The Admins/West/Acme group, responsible for managing documents that fall under OU=West and that have names ending in West/Acme.
The Admins/East/Acme group, responsible for managing documents that fall under OU=East and that have names ending in East/Acme.

Security goals

To establish security, Acme has these goals:

1. Allow members of the Admins/Acme group to:

Have full access to all documents in the directory
Manage access at any target in the extended ACL

2. Allow members of the Admins/West/Acme group to:

Read all fields in all documents in the directory
Create, modify, and delete only documents that fall under OU=West
Manage the extended ACL at the OU=West target

3. Allow members of the the Admins/East/Acme group to:

Read all fields in all documents in the directory
Create, modify, and delete only documents that fall under the OU=East
Manage the extended ACL for the OU=East target.

4. Allow authenticated users not in any of the administration groups to browse and read only Person, Group, and Resource documents throughout the database but not other documents, and prevent these users from creating, deleting, and modifying any documents.

5. Prevent anonymous users from accessing the directory.

How Acme achieve its goals

The following tables describe how Acme sets up the Domino Directory database ACL and the extended ACL to accomplish its security goals.

Database ACL

Subject Access Description

-Default- Reader Required to allow non-administrators to browse and read Person, Group, and Resource documents

Admins/Acme group

Manager
Delete
All administration roles
Allows members of Admins/Acme to manage all documents and the entire extended ACL -- no extended ACL settings needed

Admins/West/Acme group

Editor
Create, Delete
All administration roles
Required to allow members of Admins/West/Acme to create, modify, delete, and manage the extended ACL for West/Acme documents

Admins/East/Acme group

Editor
Create, Delete
All administration roles
Required to allow members Admins/East/Acme to create, modify, delete, and manage the extended ACL for East/Acme documents

Anonymous No Access Prevents anonymous users from accessing any information in the directory. No extended ACL settings needed

/ (root) target in extended ACL

Subject Access This container and all descendants? Description

-Default- Default:

Deny all
Person, Group, and Resources:

Allow: Browse, Read
Deny: Create, Delete, Write, Administer
Yes Allows non-administrators to read only Person, Group, and Resource documents

Admins/West/Acme group Default:

Allow: Browse, Read
Deny: Create, Delete, Write, Administer
Yes Prevents members of the Admins/West/Acme group from modifying documents at the / (root) and O=Acme targets

Admins/East/Acme group Default:

Allow: Browse, Read
Deny: Create, Delete, Write, Administer
Yes Prevents members of the Admins/East/Acme group from modifying documents at the / (root) and O=Acme targets

OU=West target in extended ACL

Subject Access This container and all descendants? Description

Admins/West/Acme group Default:

Allow all
Yes Allows members of Admins/West/Acme to have full access to documents under OU=West

OU=East target in extended ACL

Subject Access This container and all descendants? Description

Admins/East/Acme group Default:

Allow all
Yes Allows members of Admins/East/Acme to have full access to documents under OU=East

See also

Extended ACL examples

Glossary

Feedback on Help or Product Usability?

Help on Help

All Help Contents

Glossary

Subject	Access	Description
-Default-	Reader	Required to allow non-administrators to browse and read Person, Group, and Resource documents
Admins/Acme group	Manager Delete All administration roles	Allows members of Admins/Acme to manage all documents and the entire extended ACL -- no extended ACL settings needed
Admins/West/Acme group	Editor Create, Delete All administration roles	Required to allow members of Admins/West/Acme to create, modify, delete, and manage the extended ACL for West/Acme documents
Admins/East/Acme group	Editor Create, Delete All administration roles	Required to allow members Admins/East/Acme to create, modify, delete, and manage the extended ACL for East/Acme documents
Anonymous	No Access	Prevents anonymous users from accessing any information in the directory. No extended ACL settings needed

Subject	Access	This container and all descendants?	Description
-Default-	Default: Deny all Person, Group, and Resources: Allow: Browse, Read Deny: Create, Delete, Write, Administer	Yes	Allows non-administrators to read only Person, Group, and Resource documents
Admins/West/Acme group	Default: Allow: Browse, Read Deny: Create, Delete, Write, Administer	Yes	Prevents members of the Admins/West/Acme group from modifying documents at the / (root) and O=Acme targets
Admins/East/Acme group	Default: Allow: Browse, Read Deny: Create, Delete, Write, Administer	Yes	Prevents members of the Admins/East/Acme group from modifying documents at the / (root) and O=Acme targets