Extended ACL - example 2

The Renovations company uses one Domino® domain. The directory name hierarchy within the Domino® Directory is comprised of the organization O=Renovations, which contains two subordinate organizational units, OU=West and OU=East.

About this task

The Renovations Domino® Directory includes three groups of administrators:

The Admins/Renovations group, responsible for managing documents throughout the directory.
The Admins/West/Renovations group, responsible for managing documents that fall under OU=West and that have names ending in West/Renovations.
The Admins/East/Renovations group, responsible for managing documents that fall under OU=East and that have names ending in East/Renovations.

To establish security, Renovations has these goals:

Allow members of the Admins/Renovations group to:
- Have full access to all documents in the directory
- Manage access at any target in the extended ACL
Allow members of the Admins/West/Renovations group to:
- Read all fields in all documents in the directory
- Create, modify, and delete only documents that fall under OU=West
- Manage the extended ACL at the OU=West target
Allow members of the the Admins/East/Renovations group to
- Read all fields in all documents in the directory
- Create, modify, and delete only documents that fall under the OU=East
- Manage the extended ACL for the OU=East target.
Allow authenticated users not in any of the administration groups to browse and read only Person, Group, and Resource documents throughout the database but not other documents, and prevent these users from creating, deleting, and modifying any documents
Prevent anonymous users from accessing the directory.

The following tables describe how Renovations sets up the Domino® Directory database ACL and the extended ACL to accomplish its security goals.

Table 1. Database ACL
Subject	Access	Description
-Default-	Reader	Required to allow non-administrators to browse and read Person, Group, and Resource documents
Admins/Renovations group	Manager Delete All administration roles	Allows members of Admins/Renovations to manage all documents and the entire extended ACL -- no extended ACL settings needed
Admins/West/Renovations group	Editor Create, Delete All administration roles	Required to allow members of Admins/West/Renovations to create, modify, delete, and manage the extended ACL for West/Renovations documents
Admins/East/Renovations group	Editor Create, Delete All administration roles	Required to allow members Admins/East/Renovations to create, modify, delete, and manage the extended ACL for East/Renovations documents
Anonymous	No Access	Prevents anonymous users from accessing any information in the directory. No extended ACL settings needed

Table 2. Using / (root) target in extended ACL
Subject	Access	This container and all descendants?	Description
-Default-	Default: Deny all Person, Group, and Resources: Allow: Browse, Read Deny: Create, Delete, Write, Administer	Yes	Allows non-administrators to read only Person, Group, and Resource documents
Admins/West/Renovations group	Default: Allow: Browse, Read Deny: Create, Delete, Write, Administer	Yes	Prevents members of the Admins/West/Renovations group from modifying documents at the / (root) and O=Renovations targets
Admins/East/Renovations group	Default: Allow: Browse, Read Deny: Create, Delete, Write, Administer	Yes	Prevents members of the Admins/East/Renovations group from modifying documents at the / (root) and O=Renovations targets

Table 3. OU=West target in extended ACL
Subject	Access	This container and all descendants?	Description
Admins/West/Renovations group	Default: Allow All	Yes	Allows members of Admins/West/Renovations to have full access to documents under OU=West

Table 4. OU=East target in extended ACL
Subject	Access	This container and all descendants?	Description
Admins/East/Renovations group	Default: Allow All	Yes	Allows members of Admins/East/Renovations to have full access to documents under OU=East