Access levels in the ACL
Access levels assigned to users in a database ACL control which tasks users can perform in the database. Access level privileges enhance or restrict the access level assigned to each name in the ACL. For each user, group, or server listed in the ACL, you select the basic access level and user type. To further refine the access, you select a series of access privileges. If the application designer created roles, assign them to the appropriate users, groups, or servers.

Access levels assigned to servers in a database ACL control what information within a database the server can replicate.

To access a database on a particular server, IBM® Notes® users must have both the appropriate database access and the appropriate server access specified in the Server document in the IBM Domino® Directory.

To view a database ACL, users must have Reader access or higher.

Caution: Special ACL access

There are some cases in which users can have significant access to a database that is not defined in the database ACL. This access is granted through rights set up in other areas of Domino, or by having access to the server itself. As an administrator, you need to understand these other kinds of access in order to be able to fully protect server databases.


Table 1. User Access Levels from Highest to Lowest

Manager
  Allows users to:
    Modify the database ACL.
    Encrypt the database.
    Modify replication settings.
    Delete the database.
    Perform all tasks allowed by lesser access levels.
  Assign to: Two people who are responsible for the database, so that if one person is absent, the other can manage the database.

Designer
  Allows users to:
    Modify all database design elements.
    Create a full-text search index.
    Perform all tasks allowed by lesser access levels.
  Assign to: A database designer and/or the person responsible for future design updates.

Editor
  Allows users to:
    Create documents.
    Edit all documents, including those created by others.
    Read all documents unless there is a Readers field in the form. If an editor is not listed in the Readers field, the user with Editor ACL access cannot read or edit the document.
  Assign to: Any user allowed to create and edit documents in a database.

Author
  Allows users to:
    Create documents if the user or server also has the Create documents access level privilege. When you assign Author access to a user or server, you must also specify the Create documents access level privilege.
    Edit the documents where there is an Authors field in the document and the user is specified in the Authors field.
    Read all documents unless there is a Readers field in the form.
  Assign to: Users who need to contribute documents to a database.

Reader
  Allows users to:
    Read documents where there is a Readers field in the form and the user name is specified in the field.
  Assign to: Users who only need to read documents in a database but not create or edit documents.

Depositor
  Allows users to:
    Create documents, but otherwise has no access, with the exception of the options to Read public documents and Write public documents. These are privileges that designers may choose to grant.
  Assign to: Users who only need to contribute documents but who do not need to read or edit their own or other users' documents. For example, use Depositor access for a ballot box application.

No Access
  Allows users to:
    Nothing, with the exception of the options to Read public documents and Write public documents. These are privileges that designers may choose to grant.
  Assign to: Terminated users, users who do not need access to the database, or users who have access on a special basis.

Note: You may want to specifically assign No Access to individuals who should not have access to a database, but who may be members of a group that does.
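The following is an added example, not IBM code: a small model of how the access levels in Table 1 combine with the Create documents privilege, with Readers and Authors fields on a document, and with the explicit No Access entry the Note recommends. The resolution rules for ACL entries (an explicit individual entry overrides group entries; among several matching groups the highest level applies; a name with no matching entry gets No Access) and the sample ACL are assumptions made for this example.

```python
# Access levels from Table 1, lowest to highest; the index is the rank.
LEVELS = ["No Access", "Depositor", "Reader", "Author", "Editor", "Designer", "Manager"]

def rank(level):
    return LEVELS.index(level)

def resolve_entry(acl, user, groups):
    """Return the (level, privileges) tuple that applies to `user`.

    `acl` maps a user or group name to (level, set of privileges).
    Assumption: an explicit entry for the user wins over group entries
    (which is why the Note advises assigning No Access to individuals who
    belong to a granted group); otherwise the highest-ranked group applies;
    a name with no matching entry gets No Access.
    """
    if user in acl:
        return acl[user]
    matches = [acl[g] for g in groups if g in acl]
    if not matches:
        return ("No Access", set())
    return max(matches, key=lambda entry: rank(entry[0]))

def can_read(acl, user, groups, doc):
    level, _ = resolve_entry(acl, user, groups)
    if rank(level) < rank("Reader"):
        return False  # Depositor and No Access cannot read documents
    readers = doc.get("Readers")
    # A Readers field restricts even Editors to the names listed in it.
    return readers is None or user in readers

def can_create(acl, user, groups):
    level, privs = resolve_entry(acl, user, groups)
    if level == "Author":
        return "Create documents" in privs  # Author needs the explicit privilege
    return rank(level) >= rank("Depositor")

def can_edit(acl, user, groups, doc):
    level, _ = resolve_entry(acl, user, groups)
    if not can_read(acl, user, groups, doc):
        return False  # a document that cannot be read cannot be edited
    if rank(level) >= rank("Editor"):
        return True
    if level == "Author":
        authors = doc.get("Authors")
        return authors is not None and user in authors
    return False

# Constructed sample ACL: Bob is in the Sales group but is explicitly denied.
SAMPLE_ACL = {
    "Sales": ("Editor", set()),
    "Bob/Acme": ("No Access", set()),
    "Carol/Acme": ("Author", {"Create documents"}),
    "Dave/Acme": ("Author", set()),
    "Erin/Acme": ("Depositor", set()),
}
```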
