Extended ACL subject

An extended ACL subject is a name for which you are setting access to a selected extended ACL target. To add a subject to an extended ACL, you select the target and then click Add in the "Extended Access at target" dialog box.

About this task

You can specify any of the following as subjects in an extended ACL:

  • Individual user or server
  • Group
  • Wildcard that represents documents at a specific location in the directory name hierarchy, for example, */West/Renovations
  • Anonymous
  • -Default-
  • Self

With the exception of Self, these are the same types of entries that are acceptable in a database ACL.

You specify more than one subject at a target to give each subject its own access to the target. For example, the group Admins/West/Renovations and the group Admins/East/Renovations might each have access set at the / (root) target. You can also add the same subject at multiple targets to give the subject different access to each target.

If the database ACL and an extended ACL both list a particular subject, Administration Process requests can rename or delete the subject in the extended ACL, as well as in the database ACL.

Anonymous as subject

As in the database ACL, the subject Anonymous controls the access of all users and servers that access a server without first authenticating. Anonymous access applies to access via all the supported protocols.

Self as a subject

The subject Self is available only for an extended ACL and not the database ACL. At a target category only, you can use Self to define the access that all users have to their own documents that fall under the target category. A user's own document is one with a distinguished name that matches a distinguished name presented by the user. Use Self so that you can use one subject to control all users' access to their own documents at a target category.

-Default- as a subject

Adding and setting access for the -Default- subject at a target is optional. If you set access for -Default- at a target, all users and servers whose access is not determined by another subject at the selected target get the access set for -Default-. If you add the -Default- subject to a target and you want some users to have different access to the target than the -Default- access, add a subject or subjects that represent those users to the target with the desired access.
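The -Default- fallback described above, together with the Anonymous, Self and wildcard subject types, sketched as an added example (not Domino code and not Domino's access-checking algorithm). The user names, the `applicable_subjects` helper, suffix-based wildcard matching and caller-supplied group membership are assumptions made for illustration.

```python
# Added example: simplified model of subject matching at ONE extended ACL target.
# It does not model precedence between matching subjects or target inheritance.
DEFAULT, ANONYMOUS, SELF = "-Default-", "Anonymous", "Self"

def _norm(name):
    return name.strip().lower()

def wildcard_matches(subject, user_name):
    # Assumption: '*/West/Renovations' covers every name ending in that suffix.
    suffix = _norm(subject)[1:]              # '/west/renovations'
    user = _norm(user_name)
    return user.endswith(suffix) and len(user) > len(suffix)

def applicable_subjects(subjects, user_name=None, groups=(), doc_name=None):
    """Subjects at the target that determine this user's access.

    user_name=None models a session that has not authenticated.
    doc_name is the distinguished name of the document being accessed.
    """
    member_of = {_norm(g) for g in groups}
    hits = []
    for s in subjects:
        if s == DEFAULT:
            continue                         # fallback only, handled below
        if s == ANONYMOUS:
            matched = user_name is None
        elif user_name is None:
            matched = False                  # named subjects need an identity
        elif s == SELF:
            matched = doc_name is not None and _norm(doc_name) == _norm(user_name)
        elif s.startswith("*/"):
            matched = wildcard_matches(s, user_name)
        else:                                # individual user/server or group
            matched = _norm(s) == _norm(user_name) or _norm(s) in member_of
        if matched:
            hits.append(s)
    if not hits and DEFAULT in subjects:
        hits.append(DEFAULT)                 # no other subject determined access
    return hits

# Constructed sample: subjects set at one target category.
SUBJECTS = ["-Default-", "Anonymous", "Self", "*/West/Renovations",
            "Admins/West/Renovations"]

if __name__ == "__main__":
    kim = "Kim Lee/West/Renovations"         # constructed user name
    print(applicable_subjects(SUBJECTS, kim, doc_name=kim))
    print(applicable_subjects(SUBJECTS, "Pat Ng/East/Renovations"))
    print(applicable_subjects(SUBJECTS))
```

Running a subject list through a model like this before changing a target shows which users would silently fall through to -Default-.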

Domino® servers as subjects

In general, an extended ACL cannot restrict the access of a Domino® 6 server. The exception is granting a later-release Domino® server Administer access to a target category that represents a particular location in the directory name hierarchy. Doing so allows the server to be an extended administration server that can carry out Administration Process requests for documents under the selected target category.

Advantages to using subjects that represent a group of users

When possible, use subjects that represent groups of users (-Default-, Self, groups, wildcard subjects) rather than individual users. For example, set access for the group Admins/Renovations rather than setting access for Renovations administrators individually. Using subjects that represent groups of users minimizes the number of subjects you must add and manage in the extended ACL and optimizes access-checking performance.