DIRECTORY SERVICES


Extended ACL access settings
There are several access settings you use to control a subject's access to an extended ACL target. For each access setting you choose Allow or Deny. You can leave an access setting unchecked, but if you do, other subjects in the extended ACL or database ACL determine whether the subject is allowed or denied the access. It's better to select Allow or Deny to help ensure you get the access control results you expect.

Access settings apply to existing documents at a selected target. If the selected target is a category of documents, access settings also apply to documents added to the category in the future.

An extended ACL cannot restrict the access of a user with Manager database access or an administrator with "Full Access administrators" access to a server (controlled through the Server document in the IBM® Lotus® Domino™ Directory. An extended ACL also cannot prevent a user with Designer or Manager database access from modifying the directory design.

Note For ease of reading, this topic uses the terms document, field, and form. If an extended ACL will control LDAP access, apply the LDAP-equivalent terms instead: entry, attribute, and object class.

The following access settings control access to a document as a whole:
Access settingTasks allowed
BrowseAllows a user to access a document.
CreateAllows a user to create a document.
DeleteAllows a user to delete a document.
The following access settings control access to a field within a document:
Access settingTasks allowed
ReadAllows a user to read a field. The user must also have Browse access to the document.
WriteAllows a user to modify a field.
When more than one type of document uses a particular field, you control access to the field separately for each type of document.

If you are controlling the access of IBM® Lotus® Notes® and Web users, be aware of the following issues. These issues do not apply to access through other means, such as LDAP access or Notes application access, except where indicated.

Administer access

Grant Administer access to allow someone with Designer or Editor access in the database ACL to modify access settings at an extended ACL target. Someone with Manager access in the database ACL can modify an extended ACL without having Administer access. Grant Administer access to allow someone to manage access to documents under a target category without granting the person Manager access in the database ACL. A user with Editor or Designer access in the database ACL does not have the Administer access by default; you must grant the user that access explicitly. You grant someone Administer access to a target category and not to a specific document.

Note You can give a Domino server Administer access to a selected target category. This access enables the server to be an extended administration server whose Administration Process manages documents below the selected target category.

See also