CONFIGURING


Extended ACL - example 2
The Renovations company uses one Domino® domain. The directory name hierarchy within the Domino Directory is comprised of the organization O=Renovations, which contains two subordinate organizational units, OU=West and OU=East.

About this task

The Renovations Domino Directory includes three groups of administrators:


To establish security, Renovations has these goals:

1. Allow members of the Admins/Renovations group to:

2. Allow members of the Admins/West/Renovations group to: 3. Allow members of the the Admins/East/Renovations group to 4. Allow authenticated users not in any of the administration groups to browse and read only Person, Group, and Resource documents throughout the database but not other documents, and prevent these users from creating, deleting, and modifying any documents

5. Prevent anonymous users from accessing the directory.

The following tables describe how Renovations sets up the Domino Directory database ACL and the extended ACL to accomplish its security goals.

Table 1. Database ACL
SubjectAccessDescription
-Default-ReaderRequired to allow non-administrators to browse and read Person, Group, and Resource documents
Admins/Renovations group
  • Manager
  • Delete
  • All administration roles
Allows members of Admins/Renovations to manage all documents and the entire extended ACL -- no extended ACL settings needed
Admins/West/Renovations group
  • Editor
  • Create, Delete
  • All administration roles
Required to allow members of Admins/West/Renovations to create, modify, delete, and manage the extended ACL for West/Renovations documents
Admins/East/Renovations group
  • Editor
  • Create, Delete
  • All administration roles
Required to allow members Admins/East/Renovations to create, modify, delete, and manage the extended ACL for East/Renovations documents
AnonymousNo AccessPrevents anonymous users from accessing any information in the directory. No extended ACL settings needed

Table 2. Using / (root) target in extended ACL
SubjectAccessThis container and all descendants?Description
-Default-Default:
  • Deny all Person, Group, and Resources:
  • Allow: Browse, Read
  • Deny: Create, Delete, Write, Administer
YesAllows non-administrators to read only Person, Group, and Resource documents
Admins/West/Renovations groupDefault:
  • Allow: Browse, Read
  • Deny: Create, Delete, Write, Administer
YesPrevents members of the Admins/West/Renovations group from modifying documents at the / (root) and O=Renovations targets
Admins/East/Renovations groupDefault:
  • Allow: Browse, Read
  • Deny: Create, Delete, Write, Administer
YesPrevents members of the Admins/East/Renovations group from modifying documents at the / (root) and O=Renovations targets

Table 3. OU=West target in extended ACL
SubjectAccessThis container and all descendants?Description
Admins/West/Renovations groupDefault:
  • Allow All
YesAllows members of Admins/West/Renovations to have full access to documents under OU=West

Table 4. OU=East target in extended ACL
SubjectAccessThis container and all descendants?Description
Admins/East/Renovations groupDefault:
  • Allow All
YesAllows members of Admins/East/Renovations to have full access to documents under OU=East

Related tasks
Extended ACL examples