Domain Search security

When a user performs a Domain Search on Domino® databases, Domain Search checks each result against the ACL of the database in which the result was found to verify that the user has access to read the document. To perform this check, the Domain Catalog contains a listing for all databases that includes each database's ACL. For Domino® to include a link to a result document in a user's result set, the user must have the necessary access to read the document -- that is, have at least Reader access to the database that includes the document and be included in the Readers field, if the document has one.

The security check works as follows:

  1. Domino® checks the -Default- entry in the database access control list.
    • If the -Default- entry has Reader access or greater, the user can read the document, and Domino® returns the result in the result set.
    • If the -Default- entry has less than Reader access, Domino® checks whether the user has Reader access or greater in the ACL. If not, Domino® does not include the document in the result set because the user is not authorized to read that document.
  2. If the user has Reader access or greater, Domino® checks whether the result document has a Readers field.
    • If the result document does not have a Readers field, the user can read the document, and Domino® returns the result in the result set.
    • If the result document has a Readers field, Domino® checks whether the user is included in the Readers field. If not, Domino® does not include the document in the result set because the user is not authorized to read that document.
    • If the user is included in the Readers field, the user can read the document, and Domino® returns the result in the result set.

Note: The security checking works only for search results from Domino® databases. Results from file system searches depend on file system security -- users see the search result even if they are not authorized to view the document. Thus, users may not be able to access all search results, or they might be able to discern confidential information from the existence of a particular search result. Be sure to set file system security properly and index only file systems for which security is not a high priority.

Note: If you want to index file systems for which security is a high priority, you can attach the files to Notes® client documents in a database selected for indexing.

Search security and server access lists

If you use server access lists within a domain to limit access to information, you might need to check the ACLs of databases on those servers to ensure that results are filtered. Otherwise, a search might return a result to a user who cannot access the result document. In some cases, users might be able to discern confidential information from a search result.

For example, the Renovations corporation has two application servers, App-E/East/Renovations and App-W/West/Renovations. Renovations users are certified with one of two organizational unit certifiers: /East/Renovations or /West/Renovations. App-E/East/Renovations does not allow access to any user with a /West/Renovations certificate. Databases on that server have the -Default- entry in their ACLs set to Reader and rely on the server access list to ensure that /West/Renovations users cannot access those databases.

When Renovations implements Domain Search, /West/Renovations users who query Domain Search might receive search results that include links to and summaries of documents in databases on App-E/East/Renovations, because the ACLs of those databases do not prohibit /West/Renovations users from seeing those results. (On Microsoft Windows systems, document summaries are included in the search results if users select the Detailed Results option.) The server access lists continue to maintain database security in this environment, because /West/Renovations users cannot access documents from those links, but the mere existence of links and summaries could reveal confidential information to the /West/Renovations users.

To avoid this issue, check the ACLs for databases that are protected by server access lists to ensure that they are set to filter correctly. To do this, assume that the server access list does not exist. Change the ACL so that, in the absence of a server access list, the database would be secured appropriately. This ensures that when Domain Search checks the database ACL, it filters out results that users cannot access.
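The following model, added here as an illustration and not part of the Domino® product or its documentation, applies the two-step ACL and Readers-field check described above to a constructed Domain Catalog, then reproduces the Renovations gap: a /West/Renovations user receives a link from an App-E database whose -Default- is Reader, and loses it once the ACL is rewritten as if no server access list existed. The catalog layout, the `server!!database` keys and the user names are assumptions made for the example.

```python
# Domino access levels in ascending order; Depositor is below Reader.
LEVELS = ["No Access", "Depositor", "Reader", "Author", "Editor", "Designer", "Manager"]

def reader_or_better(level):
    return LEVELS.index(level) >= LEVELS.index("Reader")

def name_matches(entry, user):
    """Exact hierarchical name, or a wildcard entry such as '*/East/Renovations'."""
    return entry == user or (entry.startswith("*/") and user.endswith(entry[1:]))

def user_acl_level(acl, user):
    for entry, level in acl.items():
        if entry != "-Default-" and name_matches(entry, user):
            return level
    return acl["-Default-"]

def can_read(user, acl, doc):
    # Step 1: -Default- grants Reader or better, otherwise the user's own ACL entry must.
    if not (reader_or_better(acl["-Default-"]) or reader_or_better(user_acl_level(acl, user))):
        return False
    # Step 2: a Readers field, when present, must name the user.
    readers = doc.get("Readers")
    return readers is None or any(name_matches(r, user) for r in readers)

def filter_results(user, catalog, hits):
    """Keep only the hits whose database ACL and Readers field admit the user."""
    return [(db, doc_id) for db, doc_id in hits
            if can_read(user, catalog[db]["acl"], catalog[db]["docs"][doc_id])]

def hardened(acl):
    """Rewrite an ACL as if no server access list existed: -Default- becomes No Access."""
    return {**acl, "-Default-": "No Access"}

# Constructed sample catalog: the App-E database relies on the server access list
# and leaves -Default- at Reader, which is exactly the gap described above.
CATALOG = {
    "App-E/East/Renovations!!plans.nsf": {
        "acl": {"-Default-": "Reader", "*/East/Renovations": "Editor"},
        "docs": {"d1": {"Subject": "Q3 east budget"},
                 "d2": {"Subject": "Site closure", "Readers": ["Ann Lee/East/Renovations"]}},
    },
}
HITS = [("App-E/East/Renovations!!plans.nsf", "d1"), ("App-E/East/Renovations!!plans.nsf", "d2")]
WEST_USER = "Bob Ray/West/Renovations"

if __name__ == "__main__":
    print(filter_results(WEST_USER, CATALOG, HITS))  # d1 leaks: -Default- is Reader
    fixed = {db: {**e, "acl": hardened(e["acl"])} for db, e in CATALOG.items()}
    print(filter_results(WEST_USER, fixed, HITS))    # []
```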

If you are running Domino® on Windows and are not sure that you can properly maintain database ACLs, you might want to prevent anyone from seeing document summaries by setting FTG_No_Summary=1 in the indexing server's NOTES.INI file.

Note: This example assumes that the indexing server has a certificate that allows access to both App-E/East/Renovations and App-W/West/Renovations.