Domain Search security
When a user performs a Domain Search on Domino® databases, Domain Search checks each result against the ACL of the database in which the result was found to verify that the user has access to read the document. To perform this check, the Domain Catalog contains a listing for all databases that includes each database's ACL. For Domino to include a link to a result document in a user's result set, the user must have the necessary access to read the document -- that is, have at least Reader access to the database that includes the document and be included in the Readers field, if the document has one.
The security check works as follows:
- Domino checks the -Default-
entry in the database access control list.
- If the -Default- entry has Reader access or greater, the user can read the document, and Domino returns the result in the result set.
- If the -Default- entry has less than Reader access, Domino checks whether the user has Reader access or greater in the ACL. If not, Domino does not include the document in the result set because the user is not authorized to read that document.
- If the user has Reader access or greater, Domino checks whether the result document
has a Readers field.
- If the result document does not have a Readers field, the user can read the document, and Domino returns the result in the result set.
- If the result document has a Readers field, Domino checks whether the user is included in the Readers field. If not, Domino does not include the document in the result set because the user is not authorized to read that document.
- If the user is included in the Readers field, the user can read the document, and Domino returns the result in the result set.
Search security and server access lists
If you use server access lists within a domain to limit access to information, you might need to check the ACLs of databases on those servers to ensure that results are filtered. Otherwise, a search might return a result to a user who cannot access the result document. In some cases, users might be able to discern confidential information from a search result.
For example, the Renovations corporation has two application servers, App-E/East/Renovations and App-W/West/Renovations. Renovations users are certified with one of two organizational unit certifiers: /East/Renovations or /West/Renovations. App-E/East/Renovations does not allow access to any user with a /West/Renovations certificate. Databases on the server have the -Default- setting in their ACLs set to Reader to ensure that /West/Renovations users cannot access those databases.
When Renovations implements Domain Search, /West/Renovations users who query Domain Search might receive search results that include links to and summaries of documents in databases on App-E/East/Renovations, because the ACLs of those databases do not prohibit /West/Renovations users from seeing those results. (On Microsoft™ Windows™ systems, document summaries are included in the search results if users select the Detailed Results option.) The server access lists continue to maintain database security in this environment, because /West/Renovations users cannot access documents from those links, but the mere existence of links and summaries could reveal confidential information to the /West/Renovations users.
To avoid this issue, check the ACLs for databases that are protected by server access lists to ensure that they are set to filter correctly. To do this, assume that the server access list does not exist. Change the ACL so that, in the absence of a server access list, the database would be secured appropriately. This ensures that when Domain Search checks the database ACL, it filters out results that users cannot access.
If you are running Domino on Windows and are not sure that you can properly
maintain database ACLs, you might want to prevent anyone from seeing
document summaries by setting the indexing server's NOTES.INI variable
to FTG_No_Summary=1
.