Extended ACL - example 2

The Renovations company uses one Domino® domain. The directory name hierarchy within the Domino Directory is comprised of the organization O=Renovations, which contains two subordinate organizational units, OU=West and OU=East.

About this task

The Renovations Domino Directory includes three groups of administrators:

  • The Admins/Renovations group, responsible for managing documents throughout the directory.
  • The Admins/West/Renovations group, responsible for managing documents that fall under OU=West and that have names ending in West/Renovations.
  • The Admins/East/Renovations group, responsible for managing documents that fall under OU=East and that have names ending in East/Renovations.

To establish security, Renovations has these goals:

  1. Allow members of the Admins/Renovations group to:
    • Have full access to all documents in the directory
    • Manage access at any target in the extended ACL
  2. Allow members of the Admins/West/Renovations group to:
    • Read all fields in all documents in the directory
    • Create, modify, and delete only documents that fall under OU=West
    • Manage the extended ACL at the OU=West target
  3. Allow members of the Admins/East/Renovations group to:
    • Read all fields in all documents in the directory
    • Create, modify, and delete only documents that fall under OU=East
    • Manage the extended ACL at the OU=East target
  4. Allow authenticated users who are not in any of the administration groups to browse and read only Person, Group, and Resource documents throughout the database (but no other documents), and prevent these users from creating, deleting, or modifying any documents
  5. Prevent anonymous users from accessing the directory.

The following tables describe how Renovations sets up the Domino Directory database ACL and the extended ACL to accomplish its security goals.

Table 1. Database ACL

| Subject | Access | Description |
| --- | --- | --- |
| -Default- | Reader | Required to allow non-administrators to browse and read Person, Group, and Resource documents |
| Admins/Renovations group | Manager; Delete; all administration roles | Allows members of Admins/Renovations to manage all documents and the entire extended ACL -- no extended ACL settings needed |
| Admins/West/Renovations group | Editor; Create, Delete; all administration roles | Required to allow members of Admins/West/Renovations to create, modify, delete, and manage the extended ACL for West/Renovations documents |
| Admins/East/Renovations group | Editor; Create, Delete; all administration roles | Required to allow members of Admins/East/Renovations to create, modify, delete, and manage the extended ACL for East/Renovations documents |
| Anonymous | No Access | Prevents anonymous users from accessing any information in the directory. No extended ACL settings needed |

Table 2. Using / (root) target in extended ACL

| Subject | Access | This container and all descendants? | Description |
| --- | --- | --- | --- |
| -Default- | Default: Deny all. Person, Group, and Resource: Allow Browse, Read; Deny Create, Delete, Write, Administer | Yes | Allows non-administrators to read only Person, Group, and Resource documents |
| Admins/West/Renovations group | Default: Allow Browse, Read; Deny Create, Delete, Write, Administer | Yes | Prevents members of the Admins/West/Renovations group from modifying documents at the / (root) and O=Renovations targets |
| Admins/East/Renovations group | Default: Allow Browse, Read; Deny Create, Delete, Write, Administer | Yes | Prevents members of the Admins/East/Renovations group from modifying documents at the / (root) and O=Renovations targets |

Table 3. OU=West target in extended ACL

| Subject | Access | This container and all descendants? | Description |
| --- | --- | --- | --- |
| Admins/West/Renovations group | Default: Allow All | Yes | Allows members of Admins/West/Renovations to have full access to documents under OU=West |

Table 4. OU=East target in extended ACL

| Subject | Access | This container and all descendants? | Description |
| --- | --- | --- | --- |
| Admins/East/Renovations group | Default: Allow All | Yes | Allows members of Admins/East/Renovations to have full access to documents under OU=East |
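The following Python script is an added illustration, not part of this page or of Domino itself: it encodes Tables 1 through 4 as data and re-states goals 1 through 5 as checks, so the design can be tested before it is applied to a live directory. It is a simplified model of how a database ACL and an extended ACL combine, and it rests on stated assumptions: effective rights are the database ACL grant narrowed by the rule at the most specific extended ACL target covering the document's container; a subject with no entry at a target falls back to that target's -Default- entry, and if there is none the search continues toward the root; form-specific rules (Person, Group, Resource) override a target's Default; Manager-level subjects are not narrowed by the extended ACL (reflecting the note that Admins/Renovations needs no extended ACL settings); and "All administration roles" is represented as an Administer right. The document names, forms and the user CN=Bob/O=Renovations are constructed sample data.

```python
# Constructed model of the Renovations ACL design (illustration only,
# not Domino's own evaluation code). Assumptions are listed in the lead-in:
# database ACL grant narrowed by the most specific covering extended ACL target,
# -Default- fallback per target, form rules override Default, Managers are not
# narrowed, "All administration roles" modelled as the Administer right.

OPS = frozenset({"Browse", "Read", "Create", "Delete", "Write", "Administer"})
READ_ONLY = frozenset({"Browse", "Read"})

# Rights granted by each database ACL level in this model.
LEVEL_RIGHTS = {
    "No Access": frozenset(),
    "Reader": READ_ONLY,
    "Editor": READ_ONLY | {"Write"},   # Create/Delete come from ACL options
    "Manager": OPS,
}

# Table 1: subject -> (access level, extra rights from options and roles)
DB_ACL = {
    "-Default-": ("Reader", frozenset()),
    "Admins/Renovations": ("Manager", frozenset({"Delete", "Administer"})),
    "Admins/West/Renovations": ("Editor", frozenset({"Create", "Delete", "Administer"})),
    "Admins/East/Renovations": ("Editor", frozenset({"Create", "Delete", "Administer"})),
    "Anonymous": ("No Access", frozenset()),
}

# Tables 2-4: target -> descendants flag and {subject: {form or "Default": allowed ops}}
XACL = {
    "/": {"descendants": True, "entries": {
        "-Default-": {"Default": frozenset(), "Person": READ_ONLY,
                      "Group": READ_ONLY, "Resource": READ_ONLY},
        "Admins/West/Renovations": {"Default": READ_ONLY},
        "Admins/East/Renovations": {"Default": READ_ONLY},
    }},
    "OU=West/O=Renovations": {"descendants": True, "entries": {
        "Admins/West/Renovations": {"Default": OPS}}},
    "OU=East/O=Renovations": {"descendants": True, "entries": {
        "Admins/East/Renovations": {"Default": OPS}}},
}


def db_acl_entry(subject):
    """Unlisted (authenticated) subjects get the -Default- database ACL entry."""
    return DB_ACL.get(subject, DB_ACL["-Default-"])


def containers(doc_name):
    """Containers of a hierarchical name, most specific first, ending at '/'.
    'CN=Alice/OU=West/O=Renovations' -> ['OU=West/O=Renovations', 'O=Renovations', '/']"""
    parts = doc_name.split("/")[1:]
    return ["/".join(parts[i:]) for i in range(len(parts))] + ["/"]


def xacl_rights(subject, doc_name, form):
    """Rights from the most specific extended ACL target that covers the document."""
    for depth, target in enumerate(containers(doc_name)):
        node = XACL.get(target)
        # A target without the descendants flag only covers its own container.
        if node is None or (depth > 0 and not node["descendants"]):
            continue
        rules = node["entries"].get(subject) or node["entries"].get("-Default-")
        if rules is None:
            continue
        return rules.get(form, rules["Default"])
    return OPS  # no target applies: the extended ACL does not narrow access


def effective_rights(subject, doc_name, form):
    """Database ACL grant, narrowed by the extended ACL for non-Managers."""
    level, extra = db_acl_entry(subject)
    granted = LEVEL_RIGHTS[level] | extra
    if level == "Manager":          # modelling assumption, see lead-in
        return granted
    return granted & xacl_rights(subject, doc_name, form)


def check_goals():
    """Re-state goals 1-5 as checks; return a list of the ones that fail."""
    west_person = ("CN=Alice Smith/OU=West/O=Renovations", "Person")   # constructed
    east_server = ("CN=Mail01/OU=East/O=Renovations", "Server")        # constructed
    org_policy = ("CN=Policy/O=Renovations", "Policy")                 # constructed
    failures = []

    def expect(label, got, want):
        if got != want:
            failures.append(f"{label}: got {sorted(got)}, want {sorted(want)}")

    expect("goal1 full access", effective_rights("Admins/Renovations", *east_server), OPS)
    expect("goal2 own OU", effective_rights("Admins/West/Renovations", *west_person), OPS)
    expect("goal2 other OU", effective_rights("Admins/West/Renovations", *east_server), READ_ONLY)
    expect("goal2 org level", effective_rights("Admins/West/Renovations", *org_policy), READ_ONLY)
    expect("goal3 own OU", effective_rights("Admins/East/Renovations", *east_server), OPS)
    expect("goal3 other OU", effective_rights("Admins/East/Renovations", *west_person), READ_ONLY)
    expect("goal4 person doc", effective_rights("CN=Bob/O=Renovations", *west_person), READ_ONLY)
    expect("goal4 other doc", effective_rights("CN=Bob/O=Renovations", *east_server), frozenset())
    expect("goal5 anonymous", effective_rights("Anonymous", *west_person), frozenset())
    return failures


if __name__ == "__main__":
    problems = check_goals()
    print("all goals satisfied" if not problems else "\n".join(problems))
```

Changing one table value (for example dropping the Admins/West/Renovations row from the / target) and re-running check_goals() shows which goal the change breaks, which is the kind of review worth doing before an extended ACL is edited on the production directory.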