Planning directory access control
Use the database ACL to control the general access that users and IBM® Domino® servers have to the Domino® Directory. Optionally, use an extended ACL to refine the general database ACL and further restrict access to specific portions of the directory. An extended ACL is available only for a Domino® Directory and an extended directory catalog.
Some of the questions to ask when planning directory access control include:
- Do you want to assign administrators to specific administration roles in the Domino® Directory?
  If administrators in your company have specialized administrative duties, consider assigning the administrators only to the administration roles in the ACL that correspond to their duties. If your company administrators do all administrative tasks, assign them to all of the roles.
- Do you want to use an extended ACL?
  One of the reasons to use an extended ACL is to limit cross-organizational access to a directory that contains information for multiple organizations or organizational units.
- Do you want to allow Anonymous access to the directory?
  By default, you use the domain configuration settings document in the Domino® Directory to control anonymous LDAP search access. By default, anonymous LDAP users have Read access to a specific list of attributes.
  The Anonymous entry in the directory database ACL is set to No Access by default and controls anonymous access for all users other than LDAP users. If you use an extended ACL, then the Anonymous entry in the database ACL and the extended ACL also control anonymous LDAP access. Typically, you give the Anonymous entry no more than Reader access.
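
One way to confirm what anonymous LDAP users can actually read after you set these controls is to compare the output of an unauthenticated search against the attribute list you intended to expose. The following is an added example, not part of the Domino documentation; the host name, search base, `ALLOWED` list and sample LDIF are constructed assumptions.

```python
# Added example: list attributes that an anonymous LDAP search returns but that
# are not on an approved list. ALLOWED is a hypothetical policy, not Domino's default.
ALLOWED = {"objectclass", "cn", "mail"}
# Constructed LDIF, in the form an unauthenticated search would print, e.g.
#   ldapsearch -x -LLL -H ldap://directory.example.com -b "O=Example" "(objectClass=person)"
SAMPLE_LDIF = """\
dn: CN=Jane Doe,O=Example
objectClass: person
cn: Jane Doe
mail: jane.doe@example.com
telephoneNumber: +1 555 0100
description: Contact hours are posted on the intranet page under
 Support: Directory Team

dn: CN=John Roe,O=Example
objectClass: person
cn: John Roe
homePostalAddress: 1 Constructed Street
"""

def unfold(ldif):
    """Join RFC 2849 continuation lines (lines that start with one space)."""
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def exposed_attributes(ldif):
    """Map each returned attribute name (lowercased) to the DNs that carry it."""
    seen, dn = {}, None
    for line in unfold(ldif):
        name, sep, rest = line.partition(":")
        if not sep or line.startswith("#"):
            continue  # blank separator, comment, or malformed line
        name = name.split(";")[0].strip().lower()  # drop options such as ;binary
        if name == "dn":
            dn = rest.lstrip(":").strip()  # a base64 DN ("dn::") is kept encoded
        elif name != "version":
            seen.setdefault(name, set()).add(dn or "<no dn>")
    return seen

def unexpected(ldif, allowed=ALLOWED):
    """Return {attribute: [DNs]} for attributes outside the allowlist."""
    return {a: sorted(d) for a, d in exposed_attributes(ldif).items() if a not in allowed}

if __name__ == "__main__":
    for attr, dns in sorted(unexpected(SAMPLE_LDIF).items()):
        print(f"{attr}: returned for {len(dns)} entries, e.g. {dns[0]}")
```

Unfolding matters here: without it, the wrapped `description` value would be misread as a separate `Support` attribute.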