Default ACL entries
The default access control list includes a set of default entries.
Acceptable entries in the ACL
Refer to this topic for details on any entry you make in an Access Control List (ACL).
Configuring a database ACL
Plan the database access for the application before adding users, groups, or servers to a database ACL. After you add a name to the ACL, assign an access level to the name. Although assigning a user type is optional, it provides an additional level of security. Add access level privileges and roles if the application requires them.
Access levels in the ACL
Access levels assigned to users in a database ACL control which tasks users can perform in the database. Access level privileges enhance or restrict the access level assigned to each name in the ACL. For each user, group, or server listed in the ACL, you select the basic access level and user type. To further refine the access, you select a series of access privileges. If the application designer created roles, assign them to the appropriate users, groups, or servers.
Access level privileges in the ACL
After you assign an access level to each user, group, and server, you can select or deselect privileges within an access level.
User types in the ACL
A user type identifies whether a name in the ACL is for a person, server, or group. When you assign a user type to a name, you specify the type of ID required for accessing the database with that name. The user types are Person, Server, Mixed Group, Person Group, Server Group, and Unspecified. The -Default- group in the ACL is always assigned Unspecified as the user type. If you have added Anonymous to the ACL, then it should have a user type of Unspecified.
Roles in the ACL
A database designer can assign special access to database design elements and database functions by creating roles. A role defines a set of users and/or servers. Roles are similar to groups that you can set up in the Domino Directory. However, unlike groups, roles are specific to the database in which they are created.
Managing database ACLs
As a Domino administrator, you can use any of these methods to manage database ACLs.
Using the Administration Process to update ACLs
To maintain maximum database security, you must be vigilant about keeping the ACL up to date. You can use the server administration process to do this. The Administration Process is a server program that automatically renames or deletes groups, servers, users, personal views, personal folders, and private agents, and then updates the Domino Directory and any database ACLs that have named the server running the Administration Process as their administration server. This program also updates the Readers and Authors fields for all documents in a database.
Setting up the Administration Process for database ACLs
To use the Administration Process to update and manage names in an ACL and in Readers and Authors fields, assign an administration server to the database. Use this method to specify an administration server for multiple databases.
Editing entries in multiple ACLs
As a Domino Administrator, you can make changes to entries that exist in multiple database ACLs. To edit entries in a database ACL, you must have Manager access to that ACL.
Viewing all database ACLs on a server
You can view all the database ACLs on a server by user name, access level, or by database.
Using the ACL log
You can display a log of all changes made to a database ACL. Each entry in the list shows when the change occurred, who made the change, and what changed. The log stores only 20 lines of changes, not the complete history.
Enforcing a consistent access control list
You can ensure that an ACL remains identical on all database replicas on servers, as well as on all local replicas that users make on workstations or laptops.
Updating Readers and Authors fields
By default, the Administration Process examines all documents in a database to find and update Readers and Authors fields and to update personal folders and views and private agents. When the Administration Process performs a "Rename person" or a "Delete person" request, it edits or removes the name in all Readers and Authors fields and in personal folders and views, and in private agents. To update Readers and Authors fields in only selected documents, you create a special view in the database and then update that view.
Setting up database access for Internet users
When you set up database access, you must make special provisions for Internet users. See the related topics for more information.
Preventing users from accessing forms and views in a Web application
If you design a database application that users will access with a browser, you may want to restrict browser users from using URL commands that would open forms and views in your application. For example, you can design your application so that a servlet that uses forms or views will only use the forms and views using URL commands. With the "Don't allow URL open" property set, browser users cannot manipulate these application components using Domino URL commands.
Maximum Internet name-and-password access
Users who have Internet or intranet browser access to a database cannot be identified by Notes in the same way Notes users are identified. Use the Maximum Internet name & password access setting to control the maximum type of access that Internet or intranet browser users have to a database. The list contains the standard access levels for Notes users.
Requiring a TLS connection to a database
Transport Layer Security (TLS) is a security protocol that provides communications privacy and authentication for Domino server tasks that operate over TCP/IP. You can require users to access a database using a secure TLS connection. You can also choose to require a TLS connection to a single database or to all databases on a server.