Access level privileges in the ACL
You can expand or restrict the access level for each user, group, and server by adding optional privileges or removing default privileges within an access level.
This table lists the user access level privileges from highest to lowest.
Access level | Default privileges | Optional privileges |
---|---|---|
Manager | Create documents; Create private agents; Create personal folders/views; Create shared folders/views; Create LotusScript/Java agents; Read public documents; Write public documents | Delete documents; Replicate or copy documents |
Designer | Create documents; Create private agents; Create personal folders/views; Create shared folders/views; Read public documents; Write public documents | Delete documents; Create LotusScript/Java agents; Replicate or copy documents |
Editor | Create documents; Read public documents; Write public documents | Delete documents; Create private agents; Create personal folders/views; Create shared folders/views; Create LotusScript/Java agents; Replicate or copy documents |
Author | Read public documents | Create documents; Delete documents; Create private agents; Create personal folders/views; Create LotusScript/Java agents; Write public documents; Replicate or copy documents |
Reader | Read public documents | Create private agents; Create personal folders/views; Create LotusScript/Java agents; Write public documents; Replicate or copy documents |
Depositor | Create documents | Read public documents; Write public documents; Replicate or copy documents (only if "Read public documents" has been granted) |
No Access | None | Read public documents; Write public documents; Replicate or copy documents (only if "Read public documents" has been granted) |
Create documents
Select this privilege for all users with Author access. If you deselect this privilege to prevent Authors from adding any more documents, they can continue to read and edit documents they've already created.
Delete documents
If a user has Author access to the application either by being explicitly named in the application's ACL or a member of a group, they can edit a document only if it contains an Authors field that lists them, or that lists a group or role to which they belong.
To grant authors access, the field value has to be stored on disk before the user tries to open or edit the document. For instance, a "computed for display" Authors field doesn't grant anyone access because no value is stored on disk. A "computed" field that uses @Username will not let any user edit a document, because the formula is not calculated until the document is already in edit mode. It contains the name of the last user to edit the document, not necessarily the new user.
Authors have access to edit the documents they created only if the developer has provided for it by adding an appropriate Authors field to the form. It would be a "Computed when composed" field with formula @Username. Sometimes users should not be allowed to edit documents they created, for example, when they submit a document to a workflow process in which it's not supposed to be modified by the author after submission.
Create private agents
A user can run private agents that perform tasks allowed by the user's assigned access level in the ACL. Since private agents on server databases take up disk space and processing time on the server, you may want to deselect this privilege if performance is a concern.
A server administrator can further restrict a user's ability to run agents in the Agent Restrictions section of the Server document in the Domino® Directory. Therefore, even if you grant a user the "Create LotusScript/Java agents" access level in a database ACL, the Server document controls whether or not the user can run an agent on a particular server.
Create personal folders/views
Personal folders and views created on a server are more secure than those created locally, and they can be made available on multiple servers. Also, administrative agents can operate only on folders and views stored on a server. If server space is a concern, deselect the "Create personal folders/views" option. Users will still be able to create personal folders and views on their local workstation.
Create shared folders/views
Deselect this privilege to maintain tighter control over database design and to prevent users from creating folders and views that are visible to others. A user assigned this privilege can create folders and views that are visible to others.
Create LotusScript/Java agents
Since LotusScript® and Java™ agents on server databases can take up significant server processing time, you may want to restrict which users can run them.
Whether or not a user can run agents depends on the access set by the Domino® administrator in the Agent Restrictions section of the Server document in the Domino® Directory. Even if you select "Create LotusScript/Java agents" for a name in the ACL, the Server document still controls whether or not the user can run the agent on the server. Work with your server administrator to set access rights for users to run agents on a server.
Read public documents
Select this privilege to allow users who have No Access or Depositor access to read documents and to see views and folders with the property "Available to Public Access users." A form must contain a text field named "$PublicAccess" with an assigned field value of one. Documents created from that form are public documents.
Write public documents
Select this privilege to allow users to create/edit specific documents that are controlled by forms having the property "Available to Public Access users."
Replicate or copy documents
Select this privilege to allow users to:
- create a new local replica or local copy of a database;
- copy, print, or forward documents in the database, or parts of these documents; and
- select all text in a document opened in read mode.
The Notes-generated field $KeepPrivate captures whether the current user has replicate or copy privileges for the document. This setting applies only to Notes® clients.
Usage
If documents are created by an agent, the document will not contain an Authors field just because there's one on the form. The agent doesn't know anything about the form and will only set the fields you explicitly assign. Also, read about the IsAuthors property in LotusScript® and Java™ -- a text item doesn't allow access to the document, even if it has the same name as an Authors field on the form. It has to be a true Authors type. Also remember to use canonical usernames, for example, "CN=Dan Fox/O=ZBS" instead of "Dan Fox/ZBS". If your field is to contain multiple values, set them as a multivalue rather than a delimited string. For example, the string "CN=Dan Fox/O=ZBS, AdManagent" allows nobody access. Instead, you must assign the field from a two-element array, or in Java™, a java.util.Vector, containing the two names in separate elements.
Your agent can use the NotesDocument.ComputeWithForm method to calculate values for computed fields and formulas. However, depending on how the agent is run, the value of @Username and other functions may not be the same as if a user were editing the document manually. Authors fields are complicated; test carefully.
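The requirements above for agent-created documents, shown as an added LotusScript example that is not part of the original documentation: the agent stores canonical names as separate values in a true Authors-type item, then checks the result before saving. The item name DocAuthors and the form name Request are hypothetical; the two names are the ones used in the text above.

```lotusscript
Option Declare
' Hypothetical item name; use the name of the Authors field on your form.
Const AUTHORS_ITEM = "DocAuthors"

' Store a multivalue, true Authors-type item on a document the agent created.
Sub SetAuthors(doc As NotesDocument, entries As Variant)
    Dim canon() As String
    Dim nm As NotesName
    Dim item As NotesItem
    Dim i As Integer
    ReDim canon(LBound(entries) To UBound(entries))
    For i = LBound(entries) To UBound(entries)
        Set nm = New NotesName(CStr(entries(i)))
        If nm.IsHierarchical Then
            canon(i) = nm.Canonical        ' "Dan Fox/ZBS" becomes "CN=Dan Fox/O=ZBS"
        Else
            canon(i) = CStr(entries(i))    ' flat group name, stored as given
        End If
    Next
    ' One array element per name; a single "a, b" string matches nobody.
    Set item = doc.ReplaceItemValue(AUTHORS_ITEM, canon)
    item.IsAuthors = True                  ' otherwise the item is plain text and grants no access
End Sub

' Confirm the stored item is of Authors type and holds no delimited string.
Function AuthorsItemIsValid(doc As NotesDocument) As Boolean
    Dim item As NotesItem
    AuthorsItemIsValid = False
    Set item = doc.GetFirstItem(AUTHORS_ITEM)
    If item Is Nothing Then Exit Function
    If Not item.IsAuthors Then Exit Function
    ForAll v In item.Values
        If InStr(CStr(v), ",") > 0 Then Exit Function   ' looks like a delimited list
    End ForAll
    AuthorsItemIsValid = True
End Function

Sub Initialize
    Dim session As New NotesSession
    Dim doc As NotesDocument
    Dim entries(1) As String
    entries(0) = "Dan Fox/ZBS"
    entries(1) = "AdManagent"
    Set doc = session.CurrentDatabase.CreateDocument
    doc.Form = "Request"                   ' hypothetical form name
    Call SetAuthors(doc, entries)
    If AuthorsItemIsValid(doc) Then Call doc.Save(True, False)
End Sub
```

The same AuthorsItemIsValid check can be run over existing documents to find items that share the Authors field's name but were written as plain text by an earlier agent.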