Extended ACL target

You select a target to specify either a category of documents or a specific document to which you are controlling a subject's access. Selecting a category of documents as a target is recommended because you can set access to multiple documents at once and because the access applies to documents added to the category in the future.

You use the Target box in the Extended Access at target dialog box to select a target. You can set access for more than one subject at a target.

By default, the Target box shows only document categories, not individual documents. Deselect Show only containers to see the documents contained within categories.

How the Target box categorizes documents

The Target box categorizes documents by their names. The highest-level category in the Target box is / (root). Access set at / (root) applies by default to all documents in the directory, because, by default, documents contained within / (root) inherit the access level defined at / (root). The Target box subcategorizes documents that have hierarchical names defined by a FullName, ListName, or ServerName field within / (root) by their location in the directory name hierarchy. For example, the Target box categorizes Person documents containing the names CN=Alan Jones/O=Renovations, CN=Derek Malone/OU=East/O=Renovations, and CN=Karen Lessing/OU=West/O=Renovations as follows:

/ (root)
  • O=Renovations
    • Alan Jones/Renovations
    • OU=East
      • Derek Malone/East/Renovations
    • OU=West
      • Karen Lessing/West/Renovations

For a document to be categorized subordinate to / (root) in the name hierarchy, its name must contain more than one part. For example, a Person document whose name is defined by a certifier is categorized subordinate to / (root). In addition, the name of the document must be stored in a field called FullName, ListName, or ServerName. The ListName field stores the names of Domino® Group documents, the ServerName field stores the names of Domino® Server documents, and the FullName field stores the names of other types of documents, for example Domino® Person, Certifier, and Policy documents.

A document with a flat name (a name with only one part), or a document with a name specified in a field other than FullName, ListName, or ServerName, is categorized directly under / (root). The Target box does not show the documents under / (root) that are named through a field other than FullName, ListName, or ServerName. You can set access to these types of documents through the / (root) target, but cannot set access to an individual one. For example, the names of Holiday and Connection documents are not controlled through a FullName, ListName, or ServerName field, so you cannot see or select these documents under / (root). However, when you set access at / (root), the access applies to the documents.

Advantages to using categories rather than single documents as targets

You can select a specific document as a target at which to set a subject's access; however, selecting a target category is recommended instead. When you select a target category, by default you are automatically setting access to all documents contained immediately within the selected category as well as to documents belonging to subcategories of the selected category. Developing an access scheme in this manner minimizes the number of times that subjects are listed in the extended ACL. For example, when you set a subject's access at the target O=Renovations, by default, that access automatically applies to all documents that belong to O=Renovations and also to documents that belong to organizational units contained by O=Renovations, such as OU=West and OU=East.
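
The categorization rules from the previous section and the default inheritance described above, modeled as an added Python example. It is not part of the original documentation and is not Domino code; the function names, the OtherField field name, and the sample documents other than the three Person names are assumptions.

```python
# Added illustration of the categorization rules on this page; not Domino code.
# Function names, "OtherField" and the flat/hidden sample documents are constructed.
NAME_FIELDS = {"FullName", "ListName", "ServerName"}

def category_path(field, name):
    """Return (path, selectable): the category chain from / (root) down to the
    document's container, and whether the Target box can show the document."""
    if field not in NAME_FIELDS:
        # Named through some other field: sits under / (root) and is not shown.
        return ["/"], False
    parts = [p.strip() for p in name.split("/") if p.strip()]
    if len(parts) < 2:
        # Flat name (one part): categorized directly under / (root).
        return ["/"], True
    # A hierarchical name is written leaf first (CN/OU/O); categories nest
    # from the organization down, so reverse everything after the first part.
    return ["/"] + parts[:0:-1], True

def covered_by(target, docs):
    """Names of documents that inherit access set at a category target
    (default inheritance: the category itself plus all its subcategories)."""
    hits = []
    for field, name in docs:
        path, _ = category_path(field, name)
        if path[:len(target)] == target:
            hits.append(name)
    return hits

DOCS = [  # constructed sample directory
    ("FullName", "CN=Alan Jones/O=Renovations"),
    ("FullName", "CN=Derek Malone/OU=East/O=Renovations"),
    ("FullName", "CN=Karen Lessing/OU=West/O=Renovations"),
    ("ListName", "Admins"),            # flat group name
    ("OtherField", "New Year's Day"),  # stands in for a Holiday document
]

if __name__ == "__main__":
    for field, name in DOCS:
        print(name, "->", category_path(field, name))
    print("O=Renovations covers:", covered_by(["/", "O=Renovations"], DOCS))
    print("/ (root) covers:", covered_by(["/"], DOCS))
```

Access set at / (root) reaches all five sample documents, including the one the Target box cannot show, while access set at O=Renovations leaves the flat-named group untouched until it is renamed hierarchically.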

Domino® can verify a subject's directory access more quickly when there are fewer occurrences of the subject in an extended ACL than when there are many. In addition, when you use categories as targets it's easier to manage the extended ACL because there are fewer subjects to track.

To take full advantage of using categories as targets, you may want to specify hierarchical names for documents that have flat names in a FullName, ListName, or ServerName field so the Target box can subcategorize them within an appropriate level of the directory name hierarchy. For example, because Group documents typically have flat names, by default, the Target box automatically categorizes them as belonging to / (root). By modifying the names of Group documents to reflect hierarchical relationships, you can use category targeting to define access to them.

The following documents usually have hierarchical names defined in a FullName, ListName, or ServerName field and are therefore categorized subordinate to / (root) within the appropriate location in the directory name hierarchy.

  • Person documents
  • Server documents
  • Certifier documents
  • Policy documents