Managing Web access for user

Hi,

I’d like to design access rights for users in an application with Lotus Notes and web users. I know how to manage users for the Notes client, but I don’t know how to proceed for the web client.

For Notes client, I create a document with service name, and I register authorised users [for this service], so in QueryOpen I verify the rights of the user. It works fine.

How do I do “the same” for web users… or something close to that?

Thanks in advance

Yves

Subject: Managing Web access for user

How are you going to identify your Web users? Will they have to log in or otherwise identify themselves? If so then you will have to define them either in the NAB or a secondary Directory and set access levels the same way. If you just want to know that the user isn’t using a Notes client, then @ClientType will return “Notes” or “Web” and you can use that to identify the web users.

Subject: RE: Managing Web access for user

Web users are registered in the NAB (without ID); they do not have Notes client access, only Web access. They log in.

In the ACL, I define global access such as Editor, but I need to manage access with more precision. In fact, a user has access (for modification) only to the documents he creates. A user belongs to a Service, documents are attached to a Service, so only users that belong to a service can modify documents that belong to the same service.

So I create a configuration document for each service, which contains the list of the authorised users.

I have to manage changes in users [one or more persons for a specific Service, documents are attached to a Service], so I can’t use only Author or Reader fields, which need a person or role registered in them. If the user changes for a document, I modify the configuration document and he gets all the correct rights on all the documents he is concerned with.

It works fine with the Notes client… but with Web access, I can’t use QueryOpen to look up rights…

If there is another way to do the same, it’s OK for me… but how?

Yves

Subject: RE: Managing Web access for user

That is not how to do it – ever. If users have limited ability to edit documents, they should be Authors, not Editors, and the individual document permissions are managed with Authors-type fields, not with LotusScript. Notes and Domino have proper security built in. Use it.

Subject: RE: Managing Web access for user

I know that, I still design an application with author and reader fields, but what I know too is that when users change it is a pain to modify access rights. Old users are registered in author or reader fields, and you need to modify them… it is not an easy way to manage rights.

It is possible to use an OU or role in reader and author fields, but sometimes it is not accurate enough…

So I use a document to refine the users’ rights…

Subject: RE: Managing Web access for user

“Old users are registered in author or reader fields, and you need to modify them…”

Adminp is your friend and does just that for you, if you tell him to. It’s just a matter of ACL configuration.

Subject: RE: Managing Web access for user

I disagree with you… if the application sets fields with names, and in the future you change your users (I mean append new users and not modify existing users), the new users don’t automatically get the rights of the existing users… until you set them in the field… Adminp doesn’t manage your application for you.

Adminp modifies author or reader fields (only) when you rename a user, or when you change his OU… that is not my case. I want to append other users to the ACL, so they must get the rights they should have.

If the rights are managed by fields, I must set them in the fields…

If I manage via a configuration document, I put them in the right document… and that’s all… He gets the rights associated with this document…

In all cases you need to provide the ACL with the user, with the correct access level, of course :wink:

Subject: RE: Managing Web access for user

Right, if users change in the sense of old users go, new users come, you have to grant them proper access rights. Of course, adminp will not do that for you.

But by no means are you limited to using user names, groups or OUs in readers and authors fields. That’s exactly what roles are for. And you could write an admin interface to assign roles based on what you add to your config docs. There might (rarely) be cases where the limit of 75 roles will prevent you from using roles and you might have to revert to groups. But I see absolutely no reason for adding individual names to readers fields.
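
One way to implement the role assignment suggested in the post above, as an added LotusScript agent that is not code from the thread. The view name `ServiceConfigs` and the field names `ServiceName` and `AuthorizedUsers` are hypothetical, each user is assumed to already have an ACL entry at Author level, and the agent's signer is assumed to have Manager access to the database.

```lotusscript
Option Declare

' Scheduled agent (added example). Hypothetical names: view "ServiceConfigs",
' fields "ServiceName" (text) and "AuthorizedUsers" (Names field, canonical names).
' Each service document is assumed to carry a computed Authors field holding
' "[" + ServiceName + "]", so the server enforces edit rights for Notes and web users.
Sub Initialize
	Dim session As New NotesSession
	Dim db As NotesDatabase
	Dim acl As NotesACL
	Dim entry As NotesACLEntry
	Dim view As NotesView
	Dim cfg As NotesDocument
	Dim roleName As String
	Dim users As Variant

	Set db = session.CurrentDatabase
	Set acl = db.ACL
	Set view = db.GetView("ServiceConfigs")
	If view Is Nothing Then Exit Sub

	Set cfg = view.GetFirstDocument
	Do Until cfg Is Nothing
		roleName = Trim(cfg.GetItemValue("ServiceName")(0))
		users = cfg.GetItemValue("AuthorizedUsers")
		' Role names are limited to 15 characters; skip anything unusable.
		If roleName <> "" And Len(roleName) <= 15 Then
			' acl.Roles lists names with brackets; AddRole/EnableRole take them without.
			If IsNull(ArrayGetIndex(acl.Roles, "[" & roleName & "]")) Then
				Call acl.AddRole(roleName)
				Call acl.Save
			End If
			Set entry = acl.GetFirstEntry
			Do Until entry Is Nothing
				' Third argument 1 = case-insensitive match against the config list.
				If IsNull(ArrayGetIndex(users, entry.Name, 1)) Then
					' Not listed for this service any more: revoke the role.
					If entry.IsRoleEnabled(roleName) Then Call entry.DisableRole(roleName)
				Else
					If Not entry.IsRoleEnabled(roleName) Then Call entry.EnableRole(roleName)
				End If
				Set entry = acl.GetNextEntry(entry)
			Loop
		End If
		Set cfg = view.GetNextDocument(cfg)
	Loop
	Call acl.Save
End Sub
```

With this in place the configuration document stays the single place where service membership is edited, while the edit check itself is done by the Authors field rather than by QueryOpen code.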

Subject: RE: Managing Web access for user

No, it’s not a pain – it’s the only right way to do it. Users can always get around your script in Notes – it’s VERY easy – but they can’t get around access fields.

Subject: RE: Managing Web access for user

You can also use @UserName = “Anonymous” to equate to an unauthenticated web user.

If your web users are people already in your NAB, you can just add them to your database ACL the same way you would Notes client users.