Long story short, I have been out of the Notes world for 4 years, but my extensive LN development history has caught up to me and so I’m back. With this comes an application that needs to meet certain standards/requirements for security. Could a few of you help me out with the latest best practices for application development and security?
Scenario: DB currently has 50 individuals listed in the ACL with a role for each individual, plus an admin role. Not the most efficient way of doing security. Currently the Business partner manages the ACL, but they’re not allowed to do that anymore through the ACL. I can add groups and they can manage those groups, but I don’t want to add 50 groups as that isn’t very efficient either. Not to mention that the BP adds and removes roles on a regular basis depending on the data.
In my past life I would have created a security section in the database that the Business Partner would have been able to access. This section would manage individuals and roles through configuration documents. Now all the BP has to do is update the single NAB Group with the user to add and then add them in the security section of the DB and they have access. However, I wanted to know what the community thought, as R5 & R6 may have newer features that would make this easier than a security section in the DB.
Thank you for your help and suggestions!!!
Subject: Application Security - Best Practices
Something must be totally wrong in the logic if You ever need 50 roles in a single database!! I can’t imagine any scenario that this would be appropriate… And DEFINITELY not one role per listed user! (Or did I misunderstand Your description of the scenario?)
A role should be considered a cross-section of groups/people having the same need for reading/adding/editing/removing documents; surely You must be able to consolidate the roles to maybe 4-5, 10-12 at the most.
Then, only one or two specified persons listed in the ACL should be enough for most cases. All persons should be in a group that is listed in the ACL, and the group is given one or more roles.
It sounds like You have extensive work to do with planning/designing before You can even get to the point of making changes in the database. Has the application got any workflow? Has the application been documented with the original specification/demands? I wouldn’t be surprised if the initial work hasn’t been made or possibly very poorly done. If the planning would have been correctly done, You wouldn’t have ended up with 50 roles…
Next step is “simple”; Let the BP add, remove and edit the security in standard notes-documents in the application database (just as You described that You’ve done before), and then have @Formulas, and LotusScript to make the necessary changes in the ACL and in the Names. If You need to add, edit and remove individual people as well, then look at the NotesRegistration class.
So, as far as I can read what You thought about it; You are on the right track.
just my $0.02…
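Added example, not part of the thread and not either poster's code: a LotusScript agent that reads security configuration documents and syncs role assignments onto ACL entries that already exist, as the reply above describes. The view name `SecurityConfig`, the fields `GroupName` and `Roles`, and the role name `[Admin]` are hypothetical; `Roles` is assumed to hold bracketed role names exactly as `NotesACL.Roles` returns them.

```lotusscript
Option Declare

' Hypothetical names (assumptions, not from the thread):
'   view "SecurityConfig", fields "GroupName" and "Roles", role "[Admin]"
Const CONFIG_VIEW = "SecurityConfig"
Const PROTECTED_ROLE = "[Admin]"

Sub Initialize
	Dim session As New NotesSession
	Dim db As NotesDatabase
	Dim acl As NotesACL
	Dim entry As NotesACLEntry
	Dim view As NotesView
	Dim doc As NotesDocument
	Dim wanted As Variant
	Dim changed As Boolean

	Set db = session.CurrentDatabase
	Set acl = db.ACL
	Set view = db.GetView(CONFIG_VIEW)
	If view Is Nothing Then Exit Sub

	Set doc = view.GetFirstDocument
	Do Until doc Is Nothing
		' Only adjust entries an administrator already placed in the ACL;
		' config documents never create entries or change access levels.
		Set entry = acl.GetEntry(doc.GetItemValue("GroupName")(0))
		If Not entry Is Nothing Then
			wanted = doc.GetItemValue("Roles")
			Forall r In acl.Roles
				' The admin role stays outside what config documents can grant or revoke.
				If r <> PROTECTED_ROLE Then
					If Isnull(Arraygetindex(wanted, r, 1)) Then
						' Role not listed for this group: revoke it if set.
						If entry.IsRoleEnabled(r) Then
							Call entry.DisableRole(r)
							changed = True
						End If
					Elseif Not entry.IsRoleEnabled(r) Then
						Call entry.EnableRole(r)
						changed = True
					End If
				End If
			End Forall
		End If
		Set doc = view.GetNextDocument(doc)
	Loop
	If changed Then Call acl.Save
End Sub
```

The agent has to run under an ID with Manager access to the database, so edit rights on the configuration documents decide who can effectively change role assignments.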
Subject: RE: Application Security - Best Practices
In my opinion, the way you want to do it is still the best way.