IBM Domino Administrator 9.0.1 Social Edition Help

CONFIGURING

Extended ACL - example 2
The Renovations company uses one DominoŽ domain. The directory name hierarchy within the Domino Directory is comprised of the organization O=Renovations, which contains two subordinate organizational units, OU=West and OU=East.

About this task

The Renovations Domino Directory includes three groups of administrators:

The Admins/Renovations group, responsible for managing documents throughout the directory.
The Admins/West/Renovations group, responsible for managing documents that fall under OU=West and that have names ending in West/Renovations.
The Admins/East/Renovations group, responsible for managing documents that fall under OU=East and that have names ending in East/Renovations.

To establish security, Renovations has these goals:

1. Allow members of the Admins/Renovations group to:

Have full access to all documents in the directory
Manage access at any target in the extended ACL

2. Allow members of the Admins/West/Renovations group to:

Read all fields in all documents in the directory
Create, modify, and delete only documents that fall under OU=West
Manage the extended ACL at the OU=West target

3. Allow members of the the Admins/East/Renovations group to

Read all fields in all documents in the directory
Create, modify, and delete only documents that fall under the OU=East
Manage the extended ACL for the OU=East target.

4. Allow authenticated users not in any of the administration groups to browse and read only Person, Group, and Resource documents throughout the database but not other documents, and prevent these users from creating, deleting, and modifying any documents

5. Prevent anonymous users from accessing the directory.

The following tables describe how Renovations sets up the Domino Directory database ACL and the extended ACL to accomplish its security goals.

Table 1. Database ACL

Subject Access Description

-Default- Reader Required to allow non-administrators to browse and read Person, Group, and Resource documents

Admins/Renovations group

Manager
Delete
All administration roles
Allows members of Admins/Renovations to manage all documents and the entire extended ACL -- no extended ACL settings needed

Admins/West/Renovations group

Editor
Create, Delete
All administration roles
Required to allow members of Admins/West/Renovations to create, modify, delete, and manage the extended ACL for West/Renovations documents

Admins/East/Renovations group

Editor
Create, Delete
All administration roles
Required to allow members Admins/East/Renovations to create, modify, delete, and manage the extended ACL for East/Renovations documents

Anonymous No Access Prevents anonymous users from accessing any information in the directory. No extended ACL settings needed

Table 2. Using / (root) target in extended ACL

Subject Access This container and all descendants? Description

-Default- Default:

Deny all Person, Group, and Resources:
Allow: Browse, Read
Deny: Create, Delete, Write, Administer
Yes Allows non-administrators to read only Person, Group, and Resource documents

Admins/West/Renovations group Default:

Allow: Browse, Read
Deny: Create, Delete, Write, Administer
Yes Prevents members of the Admins/West/Renovations group from modifying documents at the / (root) and O=Renovations targets

Admins/East/Renovations group Default:

Allow: Browse, Read
Deny: Create, Delete, Write, Administer
Yes Prevents members of the Admins/East/Renovations group from modifying documents at the / (root) and O=Renovations targets

Table 3. OU=West target in extended ACL

Subject Access This container and all descendants? Description

Admins/West/Renovations group Default:

Allow All
Yes Allows members of Admins/West/Renovations to have full access to documents under OU=West

Table 4. OU=East target in extended ACL

Subject Access This container and all descendants? Description

Admins/East/Renovations group Default:

Allow All
Yes Allows members of Admins/East/Renovations to have full access to documents under OU=East

Related tasks
Extended ACL examples

Feedback on Help or Product Usability?

Help on Help

All Help Contents

Feedback on Help or Usability?

Help on Help

All Help Contents

Subject	Access	Description
-Default-	Reader	Required to allow non-administrators to browse and read Person, Group, and Resource documents
Admins/Renovations group	Manager Delete All administration roles	Allows members of Admins/Renovations to manage all documents and the entire extended ACL -- no extended ACL settings needed
Admins/West/Renovations group	Editor Create, Delete All administration roles	Required to allow members of Admins/West/Renovations to create, modify, delete, and manage the extended ACL for West/Renovations documents
Admins/East/Renovations group	Editor Create, Delete All administration roles	Required to allow members Admins/East/Renovations to create, modify, delete, and manage the extended ACL for East/Renovations documents
Anonymous	No Access	Prevents anonymous users from accessing any information in the directory. No extended ACL settings needed

Subject	Access	This container and all descendants?	Description
-Default-	Default: Deny all Person, Group, and Resources: Allow: Browse, Read Deny: Create, Delete, Write, Administer	Yes	Allows non-administrators to read only Person, Group, and Resource documents
Admins/West/Renovations group	Default: Allow: Browse, Read Deny: Create, Delete, Write, Administer	Yes	Prevents members of the Admins/West/Renovations group from modifying documents at the / (root) and O=Renovations targets
Admins/East/Renovations group	Default: Allow: Browse, Read Deny: Create, Delete, Write, Administer	Yes	Prevents members of the Admins/East/Renovations group from modifying documents at the / (root) and O=Renovations targets