A database designer can assign special access to database design elements and database functions by creating roles. A role defines a set of users and/or servers. Roles are similar to groups that you can set up in the Domino® Directory. However, unlike groups, roles are specific to the database in which they are created.
About this task
Once a role is created, it can be used in database design elements or functions to restrict access to those elements or functions. For example, you may want to allow only a certain group of users to edit certain documents in a database. You could create a role named DocEditors. That role would then be added to the Authors fields of those documents, and assigned to those users who are allowed to edit those documents.
You must have Manager access to create roles in the database ACL. You must create a role before you assign it to a name or group in the ACL. Once you have created roles in an ACL, they are listed in the Roles list box on the Basics panel of the ACL dialog box. Role names appear in brackets -- for example, [Sales]. When you add an entry to a database ACL, you can assign it to a role by selecting a role from the Roles list box.
Note: If you do not have Manager access to the ACL (meaning that you are not allowed to edit the ACL), the Roles tab does not appear in the ACL dialog box.
This table describes the design elements to which the database designer can restrict access by using roles.
Table 1. Roles used to restrict access to design elements
Using roles to restrict access to database elements is not a foolproof security measure. For example, if a designer restricts access to certain documents in a database, the database manager or Domino administrator must remember that documents inherit their Reader access list from the Reader access option that is set in the Form Properties box for the form used to create the document. Therefore, anyone with Editor access or greater in the database ACL can change a document's Reader access list.
Creating and editing roles
You must create a role before you can assign it to a name in the ACL.
In the Domino Administrator you can create, modify, or delete roles for multiple database ACLs. Unlike in the Notes® client, however, you cannot assign a name to a role, remove a name from a role, or display the names assigned to a role.
To create and manage roles, you must have Manager access in the database ACL.
Procedure
1. Make sure that you have Manager access in the database ACL.
2. From the Domino Administrator Server pane, select the server that stores the databases.
3. Click Files and select one or more databases from the Domino data directory.
4. Click Tools -> Database -> Manage ACL.
5. Click Roles.
6. Do one of the following, and then click OK, and click OK again to save your changes:
Note: In Domino Administrator, you do not need to include any brackets in the role name when adding or removing a role. However, when you rename a role, you must type the role name exactly as it appears in the ACL, including the brackets and case-sensitive characters.
Because roles are specific to a database, you must modify database ACLs on an individual basis in order to assign roles to users.
2. Open the database ACL that you want to modify.
3. Highlight the user to whom you want to assign a role.
4. In the Roles list box, select the role that you want to assign to that user.
5. Repeat steps 3 and 4 for each user to whom you want to assign a role.
6. Click OK to save your changes.
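One way to review the result of these assignments from code, as an added example that is not part of the original documentation: a LotusScript agent that lists the roles defined in the ACL, shows which roles each entry holds, and marks entries with Editor access or higher, which the text above notes can change a document's Reader access list. It assumes the agent runs in the database being reviewed; the helper name LevelName is hypothetical.

```lotusscript
Option Declare

' Hypothetical helper: readable name for an ACL level (ACLLEVEL_* values 0 to 6).
Function LevelName(level As Integer) As String
	Dim names As Variant
	names = Split("No Access,Depositor,Reader,Author,Editor,Designer,Manager", ",")
	LevelName = names(level)
End Function

Sub Initialize
	Dim session As New NotesSession
	Dim acl As NotesACL
	Dim entry As NotesACLEntry
	Dim held As String

	' Assumption: the agent runs inside the database whose ACL is reviewed.
	Set acl = session.CurrentDatabase.ACL

	' Roles defined in this ACL; names are returned with their brackets.
	If IsArray(acl.Roles) Then
		Forall definedRole In acl.Roles
			If definedRole <> "" Then Print "Role defined: " & definedRole
		End Forall
	End If

	' Walk every ACL entry and report its access level and enabled roles.
	Set entry = acl.GetFirstEntry
	Do Until entry Is Nothing
		held = ""
		If IsArray(entry.Roles) Then
			Forall heldRole In entry.Roles
				If heldRole <> "" Then held = held & " " & heldRole
			End Forall
		End If
		If held = "" Then held = " (no roles)"
		Print entry.Name & " | " & LevelName(entry.Level) & " |" & held

		' Editor access or greater can change a document's Reader access
		' list, so mark these entries for review.
		If entry.Level >= ACLLEVEL_EDITOR Then
			Print "  REVIEW: Editor access or higher"
		End If
		Set entry = acl.GetNextEntry(entry)
	Loop
End Sub
```

Because roles are specific to a database, the agent reports on one database at a time.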