Extended ACL target

How the Target box categorizes documents

The Target box categorizes documents by their names. The highest-level category in the Target box is / (root). Access set at / (root) applies by default to all documents in the directory, because, by default, documents contained within / (root) inherit the access level defined at / (root). The Target box subcategorizes documents that have hierarchical names defined by a FullName, ListName, or ServerName field within / (root) by their location in the directory name hierarchy. For example, the Target box categorizes Person documents containing the names CN=Alan Jones/O=Renovations, CN=Derek Malone/OU=East/O=Renovations, and CN=Karen Lessing/OU=West/O=Renovations as follows:

For a document to be categorized subordinate to / (root) in the name hierarchy, its name must contain more than just one part. For example a Person document whose name is defined by a certifier is categorized subordinate to / (root). In addition, the name of the document must be stored in a field called FullName, ListName, or ServerName. The ListName field stores the names of Domino® Group documents, the ServerName field stores the names of Domino Server documents, and the FullName field stores the names of other types of documents, for example Domino Person, Certifier, and Policy documents.

A document with a flat name -- a name with only one part --, or a document with a name specified in a field other than FullName, ListName, or Servername, is categorized directly under / (root). The Target box does not show the documents under / (root) that are named through a field other than FullName, ListName, or ServerName. You can set access to these types of documents through the / (root) target, but cannot set access to an individual one. For example, the names of Holiday and Connection documents are not controlled through a FullName, ListName, or ServerName field, so you cannot see or select these documents under / (root). However, when you set access at / (root), the access applies to the documents.

Advantages to using categories rather than single documents as targets

You can select a specific document as a target at which to set a subject's access, however selecting a target category is recommended instead. When you select a target category, by default you are automatically setting access to all documents contained immediately within the selected category as well as to documents belonging to subcategories of the selected category. Developing an access scheme in this manner minimizes the number of times that subjects are listed in the extended ACL. For example, when you set a subject's access at the target O=Renovations, by default, that access automatically applies to all documents that belong to O=Renovations and also to documents that belong to organizational units contained by O=Renovations, such as OU=West and OU=East.

Domino can verify a subject's directory access more quickly when there are fewer occurrences of the subject in an extended ACL than when there are many. In addition, when you use categories as targets it's easier to manage the extended ACL because there are fewer subjects to track.

To take full advantage of using categories as targets, you may want to specify hierarchical names for documents that have flat names in a FullName, ListName, or ServerName field so the Target box can subcategorize them within an appropriate level of the directory name hierarchy. For example, because Group documents typically have flat names, by default, the Target box automatically categorizes them as belonging to / (root). By modifying the names of Group documents to reflect hierarchical relationships, you can use category targeting to define access to them.

The following documents usually have hierarchical names defined in a FullName, ListName, or ServerName field and are therefore categorized subordinate to / (root) within the appropriate location in the directory name hierarchy.

• Person documents
• Server documents
• Certifier documents
• Policy documents