Extended ACL target
You select a target to specify either a category of documents or a specific document to which you are controlling a subject's access. Selecting a category of documents as a target is recommended because you can set access to multiple documents at once and because the access applies to documents added to the category in the future.
You use the Target box in the Extended Access at target dialog box to select a target. You can set access for more than one subject at a target.
By default, the Target box shows only document categories, not individual documents. Deselect Show only containers to see the documents contained within categories.
How the Target box categorizes documents
The Target box categorizes documents by their names. The highest-level category in the Target box is / (root). Access set at / (root) applies by default to all documents in the directory, because, by default, documents contained within / (root) inherit the access level defined at / (root). The Target box subcategorizes documents that have hierarchical names defined by a FullName, ListName, or ServerName field within / (root) by their location in the directory name hierarchy. For example, the Target box categorizes Person documents containing the names CN=Alan Jones/O=Renovations, CN=Derek Malone/OU=East/O=Renovations, and CN=Karen Lessing/OU=West/O=Renovations as follows:
- O=Renovations
  - Alan Jones/Renovations
  - OU=East
    - Derek Malone/East/Renovations
  - OU=West
    - Karen Lessing/West/Renovations
For a document to be categorized subordinate to / (root) in the name hierarchy, its name must contain more than just one part. For example, a Person document whose name is defined by a certifier is categorized subordinate to / (root). In addition, the name of the document must be stored in a field called FullName, ListName, or ServerName. The ListName field stores the names of Domino® Group documents, the ServerName field stores the names of Domino® Server documents, and the FullName field stores the names of other types of documents, for example Domino® Person, Certifier, and Policy documents.
A document with a flat name (a name with only one part), or a document with a name specified in a field other than FullName, ListName, or ServerName, is categorized directly under / (root). The Target box does not show the documents under / (root) that are named through a field other than FullName, ListName, or ServerName. You can set access to these types of documents through the / (root) target, but cannot set access to an individual one. For example, the names of Holiday and Connection documents are not controlled through a FullName, ListName, or ServerName field, so you cannot see or select these documents under / (root). However, when you set access at / (root), the access applies to the documents.
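The following added example models the categorization rules described above so you can check which documents a given target category covers by default. It is an illustration written for this page, not Domino code or a Domino API; the sample documents are constructed, and the field name HolidayName is a hypothetical stand-in for any field other than FullName, ListName, or ServerName.

```python
# Added illustration: a model of the categorization rules above, not Domino code.
NAME_FIELDS = ("FullName", "ListName", "ServerName")

def parse_name(name):
    """Split 'CN=Alan Jones/O=Renovations' into [('CN', 'Alan Jones'), ('O', 'Renovations')]."""
    parts = []
    for comp in name.split("/"):
        key, sep, value = comp.partition("=")
        parts.append((key.strip(), value.strip()) if sep else ("", comp.strip()))
    return parts

def categorize(field, name):
    """Return (category_path, label, selectable) for one document.

    category_path runs from the top category down; () means directly under / (root).
    """
    if field not in NAME_FIELDS:
        # Covered by access set at / (root), but not shown or selectable on its own.
        return (), name, False
    parts = parse_name(name)
    if len(parts) < 2:
        return (), name, True  # flat name: sits directly under / (root)
    # Containers are the components after the first, outermost (O=) first.
    path = tuple(f"{k}={v}" if k else v for k, v in reversed(parts[1:]))
    return path, "/".join(v for _, v in parts), True

def covered_by(target, docs):
    """Labels of documents that, by default, inherit access set at category `target`."""
    target = tuple(target)
    return [label for path, label, _ in (categorize(f, n) for f, n in docs)
            if path[:len(target)] == target]

# Constructed sample documents as (name field, name). "HolidayName" is a
# hypothetical field name standing in for any field other than the three above.
DOCS = [
    ("FullName", "CN=Alan Jones/O=Renovations"),
    ("FullName", "CN=Derek Malone/OU=East/O=Renovations"),
    ("FullName", "CN=Karen Lessing/OU=West/O=Renovations"),
    ("ListName", "Admins"),              # flat Group name
    ("HolidayName", "New Year's Day"),   # not named through a recognized field
]

if __name__ == "__main__":
    for target in [(), ("O=Renovations",), ("O=Renovations", "OU=East")]:
        print("/" + "/".join(target), "->", covered_by(target, DOCS))
```

The flat Group name and the Holiday document are reached only through the / (root) target in this model, which is the case the page describes for documents that cannot be placed in the name hierarchy.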
Advantages to using categories rather than single documents as targets
You can select a specific document as a target at which to set a subject's access; however, selecting a target category is recommended instead. When you select a target category, by default you are automatically setting access to all documents contained immediately within the selected category as well as to documents belonging to subcategories of the selected category. Developing an access scheme in this manner minimizes the number of times that subjects are listed in the extended ACL. For example, when you set a subject's access at the target O=Renovations, by default, that access automatically applies to all documents that belong to O=Renovations and also to documents that belong to organizational units contained by O=Renovations, such as OU=West and OU=East.
Domino® can verify a subject's directory access more quickly when there are fewer occurrences of the subject in an extended ACL than when there are many. In addition, when you use categories as targets it's easier to manage the extended ACL because there are fewer subjects to track.
To take full advantage of using categories as targets, you may want to specify hierarchical names for documents that have flat names in a FullName, ListName, or ServerName field so the Target box can subcategorize them within an appropriate level of the directory name hierarchy. For example, because Group documents typically have flat names, by default, the Target box automatically categorizes them as belonging to / (root). By modifying the names of Group documents to reflect hierarchical relationships, you can use category targeting to define access to them.
The following documents usually have hierarchical names defined in a FullName, ListName, or ServerName field and are therefore categorized subordinate to / (root) within the appropriate location in the directory name hierarchy.
- Person documents
- Server documents
- Certifier documents
- Policy documents