Access Control List - use database?

Can a database be added to the Access Control List to talk to another database? If so, do I just enter the path to the DB? Thank you.

Subject: RE: Access Control List - use database?

No. The controlling factor is whether or not the signer or the user of the code has access to the other database (controlled by database ACLs, Server document settings, and ECLs locally). In the most general terms, your code-signing ID should have access to nearly everything, and whatever the individual cannot do can be accomplished by code running on the server (scheduled agents, agents invoked using RunOnServer, etc.).

WARNING – if you are not careful, it is possible to grant users access they should not have. RunOnServer is a deliberate end-run around the first level of security, and you need to keep that in mind. Don’t use it willy-nilly all over the place, and make sure that it never grants more access than you want it to.

Subject: RE: Access Control List - use database?

All of a sudden I am getting the error: ERROR: You are not authorized to perform that operation

It has something to do with a view that was changed.

Subject: RE: Access Control List - use database?

Is this somehow related to the rest of the thread? If so, could you maybe fill in some of the missing details – like the whole story?

Subject: RE: Access Control List - use database?

Sorry about that. Here is the story. One DB does a @DbLookup for the name and title of employees.

Here is the code for the title field (the cache keyword has to be a quoted string, "":"NoCache", or the formula will not compile):

@If(Employee != ""; @DbLookup("":"NoCache"; "NOTESERV1":"accounting\ACCTHuma.nsf"; "Employee \ Name and Title"; @Name([CN]; Employee); "jobtitle"); "")

Here is the code for the name field:

tmp := @Name([CN]; Employee);

@Right(tmp; " ") + ", " + @Left(tmp; " ")

Now, when the person's record is opened in the ACCTHuma database, the error I wrote in the last post comes up.

Hope this helps. Please let me know if you need further info; any help is appreciated.

Subject: RE: Access Control List - use database?

So you aren’t (or, rather, the user isn’t) allowed to look up information in the HR database. And it IS a user issue. A job title is not normally something that comes under the “classified information” umbrella – why is the information only kept in a secure HR database?

Subject: RE: Access Control List - use database?

There is other info that should not be accessible to others.

Subject: RE: Access Control List - use database?

I started to reply that there is no way to do what you want, but then I took 2 minutes to look at the help for @DbLookup:

+++++++

Consider the database containing @DbLookup the source database, and the database being accessed the target database.

When you use @DbLookup in an agent, it can access data in a target database that is running on either the same server as the one hosting the source database or another server. The agent signer must have at least Reader access to the target database.

Note: Agents running on R5 or earlier servers can only access target databases stored on the same server as the source database. In addition, the agent signer must have at least Reader access to the target database. The use of a replica ID in the ACL is still supported in Release 6. If the agent signer is not available in the ACL of a pre-Release 6 database and the replica ID is, the replica ID is used instead. (You grant access to the source database by adding the replica ID of the source database, for example 85255CEB:0032AC04, to the ACL of the target database and assigning it Reader access or higher.)

Other agents and security

When @DbLookup is used in any other type of formula or agent, it has unlimited access to any target database stored on the user’s own workstation. If the target database is stored on another Domino server, @DbLookup’s access is determined by the agent signer’s access level (based on the user’s Notes ID).

@DbLookup is not subject to the Read Access list for a view; so long as it has Reader access to the target database, it can retrieve data from all shared views.

++++

If I read this right, you can perform your lookup in an agent and the signer’s rights will be used vs. the user’s. So there is no need for the user or the database to have access to the “target” database.

Also, it says you can add the Replica ID of the DB to the ACL, but it is not really clear whether that’s a supported feature. It’s probably not the best way to secure data, or for maintenance purposes, to do what you need to do.

I would test out the agent signer access as it seems like it allows the user to “run on behalf” (sort of).

Not sure if it works. Let us know.

Subject: ReplicaID has worked for me

I have successfully granted a ReplicaID access rights in the ACL of a database so that I could use @DbLookup in another database. Similar to this case. Think it was in R5 though.

HTH,

Bob

Subject: RE: Access Control List - use database?

That will work with an agent, but not for a computed field on a form (which will run with the user’s rights, not the server’s).

Gary, if you have information that needs to be publicly accessible, then make it publicly accessible. HR is going to have to live with the separation of confidential information from public information – you can’t keep the public stuff locked up in a database no-one can get to. (And there is at least one school of thought that would say that the information you are dealing with belongs in the Domino Directory, in the fields provided for exactly that purpose.) If that means running an agent to move the public info out of the HR database to a public database on a regular basis, then that’s what it means.
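The last reply proposes a scheduled server agent that copies only the public fields (employee name and job title) out of the HR database into a database everyone can read, so that the form's computed field can look up a database the user is actually allowed to open. The LotusScript below is an added example written to illustrate that approach; it is not code from the thread or from the poster. It reuses the server, HR database path and view name from the posted formula. The target database path (accounting\Directory.nsf), its lookup view name ((ByEmployee)), the form name (EmployeeTitle) and the field names are assumptions for illustration. The agent must be signed with an ID that has at least Reader access to the HR database and Editor access to the target database; the signer's rights, not a user's, are what apply when it runs on the server.

```lotusscript
' Scheduled agent, run on server, trigger e.g. daily.
' Added example (not from the thread). Sign with an ID that has Reader access to
' the HR database and Editor access to the public lookup database.
' Assumed: target DB accounting\Directory.nsf, view "(ByEmployee)" keyed on the
' common name, form "EmployeeTitle", fields Employee and jobtitle.
Option Declare

Sub Initialize
    Dim session As New NotesSession
    Dim hrDb As NotesDatabase, pubDb As NotesDatabase
    Dim hrView As NotesView, pubView As NotesView
    Dim hrDoc As NotesDocument, pubDoc As NotesDocument
    Dim nm As NotesName
    Dim key As String

    ' Source (confidential) and target (public) databases on the same server.
    Set hrDb = session.GetDatabase("NOTESERV1", "accounting\ACCTHuma.nsf")
    Set pubDb = session.GetDatabase("NOTESERV1", "accounting\Directory.nsf")
    If Not hrDb.IsOpen Or Not pubDb.IsOpen Then
        ' Most likely cause: the agent signer is missing from one of the ACLs.
        Error 1000, "Cannot open source or target database; check the signer's ACL rights"
    End If

    Set hrView = hrDb.GetView("Employee \ Name and Title")
    Set pubView = pubDb.GetView("(ByEmployee)")
    If hrView Is Nothing Or pubView Is Nothing Then
        Error 1001, "Required view not found"
    End If

    Set hrDoc = hrView.GetFirstDocument
    Do Until hrDoc Is Nothing
        If hrDoc.HasItem("Employee") Then
            ' Key the public record on the common name, matching the
            ' @Name([CN]; Employee) used by the form's @DbLookup.
            Set nm = New NotesName(hrDoc.GetItemValue("Employee")(0))
            key = nm.Common
            If key <> "" Then
                Set pubDoc = pubView.GetDocumentByKey(key, True)
                If pubDoc Is Nothing Then
                    Set pubDoc = pubDb.CreateDocument
                    Call pubDoc.ReplaceItemValue("Form", "EmployeeTitle")
                    Call pubDoc.ReplaceItemValue("Employee", key)
                End If
                ' Copy ONLY the public fields. Nothing else from the HR record
                ' leaves the HR database; that separation is the whole point.
                If hrDoc.HasItem("jobtitle") Then
                    Call pubDoc.ReplaceItemValue("jobtitle", hrDoc.GetItemValue("jobtitle")(0))
                Else
                    Call pubDoc.ReplaceItemValue("jobtitle", "")
                End If
                Call pubDoc.Save(True, False)
            End If
        End If
        Set hrDoc = hrView.GetNextDocument(hrDoc)
    Loop
End Sub
```

Once this runs, the form's computed field can point its @DbLookup at accounting\Directory.nsf instead of the HR database, and users need no access to ACCTHuma.nsf at all. Two things to check before relying on it: the agent copies exactly the fields named in the code and nothing more, so review that list whenever HR adds fields, and the public database's ACL should still deny Author access to ordinary users so that nobody can edit a title into the lookup source.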