Extended ACL

An extended access control list (ACL) is an optional directory access-control feature available for a directory created from the PUBNAMES.NTF template -- a Domino® Directory or an extended directory catalog. An extended ACL is tied to the database ACL, and you access it through the Access Control List dialog box using a Notes® or Domino® Administrator client.

You use an extended ACL to apply restrictions to the overall access the database ACL allows a user -- you cannot use it to increase the access the database ACL allows. Use an extended ACL to set access to:

  • All documents with hierarchical names at a particular location in the directory name hierarchy -- for example, all documents whose names end in OU=West/O=Renovations.
  • All documents of a specific type -- for example, all Person documents.
  • A specific field within a specific type of document
  • A specific document

An extended ACL allows you to:

  • Delegate your Domino® administration, for example, allow a group of administrators to manage only documents named under a particular organizational unit.
  • Set access to precise portions of the directory contents.
  • Set access to documents and fields easily and globally at one source, rather than requiring you to control access through features such as multiple Readers and Authors fields.
  • Control the access of users who access the directory through any supported protocol: Notes® (NRPC), Web (HTTP), LDAP, POP3, and IMAP.
  • Limit access to Internet passwords stored in the Domino® Directory to protect against attacks by malicious sources trying to guess passwords.

For information on using xACLs to limit access to Internet passwords, see information on securing Internet passwords in the related topics.
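The two properties that matter most here are that an extended ACL target is matched by the tail of a hierarchical name and that the result can only ever be tightened relative to the database ACL. The following Python model, added here as an illustration and not Domino's own code, makes both visible: it evaluates a small constructed xACL policy against sample documents and clamps every result to the database ACL level. The rule-precedence ordering (named document, then field, then document type, then name location) and the `HTTPPassword` field name used for the Internet password are assumptions of the model, and the names and rules are constructed samples.

```python
from dataclasses import dataclass
from typing import List, Optional

# Database ACL levels, least to most privileged (Domino's level names;
# the ordering is how this model compares them).
LEVELS = ["No Access", "Depositor", "Reader", "Author", "Editor", "Designer", "Manager"]


def level_rank(level: str) -> int:
    return LEVELS.index(level)


def name_matches_location(doc_name: str, location: str) -> bool:
    """True when the hierarchical name ends in the given location, e.g.
    'CN=Ann Lee/OU=West/O=Renovations' is under 'OU=West/O=Renovations'."""
    doc = [c.strip().lower() for c in doc_name.split("/")]
    loc = [c.strip().lower() for c in location.split("/")]
    return len(doc) >= len(loc) and doc[-len(loc):] == loc


@dataclass
class XaclRule:
    level: str                        # access the rule sets for its target
    location: Optional[str] = None    # hierarchical-name suffix target
    doc_type: Optional[str] = None    # document type target, e.g. "Person"
    doc_field: Optional[str] = None   # a field within doc_type
    doc_name: Optional[str] = None    # one specific document

    def applies(self, doc_name: str, doc_type: str, field_name: Optional[str] = None) -> bool:
        if self.doc_name is not None and self.doc_name.lower() != doc_name.lower():
            return False
        if self.location is not None and not name_matches_location(doc_name, self.location):
            return False
        if self.doc_type is not None and self.doc_type != doc_type:
            return False
        if self.doc_field is not None and self.doc_field != field_name:
            return False
        return True

    def specificity(self):
        # Assumed precedence for this model: a named document beats a field
        # target, which beats a document type, which beats a name location.
        return (self.doc_name is not None, self.doc_field is not None,
                self.doc_type is not None, self.location is not None)


def effective_access(db_acl_level: str, rules: List[XaclRule], doc_name: str,
                     doc_type: str, field_name: Optional[str] = None) -> str:
    """Effective access to a document (or one of its fields) once the xACL is applied."""
    matching = [r for r in rules if r.applies(doc_name, doc_type, field_name)]
    if not matching:
        return db_acl_level  # no xACL target covers it: the database ACL stands
    # Most specific rule wins; on a tie the more restrictive level wins.
    rule = max(matching, key=lambda r: (r.specificity(), -level_rank(r.level)))
    # The xACL can only restrict: the result never exceeds the database ACL level.
    return LEVELS[min(level_rank(db_acl_level), level_rank(rule.level))]


# Constructed sample policy (not taken from any real directory).
SAMPLE_RULES = [
    XaclRule("Reader", location="OU=West/O=Renovations"),
    # Hide the Internet password field; "HTTPPassword" is the assumed field name.
    XaclRule("No Access", doc_type="Person", doc_field="HTTPPassword"),
    XaclRule("Manager", doc_name="CN=Ann Lee/OU=West/O=Renovations"),
]

if __name__ == "__main__":
    checks = [
        ("CN=Bob Ray/OU=West/O=Renovations", "Person", None),
        ("CN=Bob Ray/OU=West/O=Renovations", "Person", "HTTPPassword"),
        ("CN=Ann Lee/OU=West/O=Renovations", "Person", None),
        ("CN=Cy Dee/OU=East/O=Renovations", "Person", None),
    ]
    for name, kind, fld in checks:
        print(name, kind, fld, "->", effective_access("Editor", SAMPLE_RULES, name, kind, fld))
```

With a database ACL of Editor, the West documents drop to Reader, the Internet password field drops to No Access, the document-specific Manager entry is clamped back to Editor, and an East document that no target covers keeps the database ACL level.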

Note: Server processes such as the Router task do not enforce extended ACL restrictions. However, in the case of the Router task specifically, you can prevent some users from sending mail to a group by editing the Readers field for the group and including only the names of users you want to allow to send mail to the group. When users omitted from the Readers field attempt to send mail to the group, the Router will not deliver the mail.