NotesACLEntry & Unwanted -Default- Setting

I’m a bit perplexed at this one. I need to change roaming databases from manager to editor to comply with our internal security policy (non-admin users should not have manager access to any database). I created a script that executes but sets the “-Default-” ACL entry to editor from the default no access.

Some context… I am using WEND to loop through person documents to procure the user’s hierarchical name, roaming server, and roaming databases. See snippet below… the exact same code is used for the other roaming databases. Another issue that needs to be addressed is that some users have journal databases, for example, and some don’t. When the current script hits a “” value, it throws an error since the database cannot be opened. Should I use an On Error (and #) or an If statement to handle this? Obviously, I want to resume the script.

Dim db As NotesDatabase
Dim acl As NotesACL
Dim entry As NotesACLEntry
Dim aclname As String

' set aclname using the "DisplayName" field in the person document
aclname = ndoc.GetItemValue("DisplayName")(0)

' get roaming server and path+roaming address book from person document
Set db = ns.GetDatabase(roamserver, roamab)
Set acl = db.ACL
Set entry = acl.GetEntry(aclname)
entry.Level = 4    ' 4 = Editor (ACLLEVEL_EDITOR)
entry.CanDeleteDocuments = True
entry.CanCreateSharedFolder = True
entry.CanCreatePersonalFolder = True
entry.CanCreatePersonalAgent = True
entry.CanCreateLSOrJavaAgent = True
Call acl.Save

What am I missing? How could “entry.Level=4” be updating “-Default-” to editor? Thanks for any assistance. Have a great day.

Subject: try this

Not sure why the first name in the FullName field on the person doc is not canonical. The code below will find the first name with a / and ensure it is a Notes name for you to use when changing the ACL.

try this

Dim nam As NotesName
Dim i As Integer

' FullName is multi-valued; the hierarchical form of the name contains a "/"
For i = 0 To UBound(doc.FullName)
    If InStr(doc.FullName(i), "/") > 0 Then
        Set nam = session.CreateName(doc.FullName(i))
        Exit For
    End If
Next i

Use nam.Canonical as the entry to change in the ACL.

Subject: I’m going to guess getentry is returning null

and that the name you are passing is not a match

From the help:
“The ACL entry that matches the name. If name is not in the ACL, returns null.”
So I’m going to guess using a null value sets it to default.

Try using CreateACLEntry first to create the entry for aclname

Also I don’t think you want to use display name for your ACL entry, but the users full hierarchical name.

Subject: Name

You change the ACL entry using the canonical name. I would suggest using the display name and looking it up in the names.nsf ($Users) view and then changing the ACL using the person doc FullName(0).

The other way would be to loop through the ACL and change all ACL entries that contain a canonical name.

Subject: Thanks Barry

Update #2: I ended up changing from aclname = ndoc.GetItemValue("Fullname")(0) to aclname = ndoc.Fullname(0) and it worked! I have encountered this issue in the past. The (0) returns the first value (always hierarchical unless changed, certainly possible) in the array. I ran the script on our test server and it worked 100%.

***update: I just inserted and am getting an unexpected THEN on the If instr(… line.

Barry, thanks for the script snippet. I’m testing now and will update. I was wondering about string vs. variant (hadn’t considered NotesName) but was thrown off by aclowner = "CN=John Doe/O=TEST" working. If I’m interpreting your instructions correctly, I would do something similar to the following.

Dim nam As NotesName
Dim i As Integer

' pick the first FullName value that is hierarchical (contains a "/")
For i = 0 To UBound(doc.FullName)
    If InStr(doc.FullName(i), "/") > 0 Then
        Set nam = session.CreateName(doc.FullName(i))
        Exit For
    End If
Next i

' GetEntry takes a String, so pass the canonical form of the NotesName, not the object
Set entry = acl.GetEntry(nam.Canonical)

entry.Level = 4    ' Editor

****So I would use your code to cycle through fullname (because of multiple possible values, with slash and without), set nam = to that value (abbreviated canonical), then proceed with script and use Set entry = … to change. Am I on track? Thanks again Barry.

Subject: Cannot get hierarchical name from person document (Lotusscript)

Barry/Carl, thanks for the support.

I have consumed way too much time on this one. I’m hoping someone can set me straight here. I created a script to update users’ roaming databases to “Editor.” The script loops through each person document (names.nsf) and secures the roaming database names, path, server, etc… For example, the first lines below work fine. My print statements show the values, as expected, and the ACL is changed when testing with a static value for aclowner (aclowner = "CN=John Doe/O=TEST") but not using one of the 2 options below.

***Examples of other fields that work

roamserver = ndoc.GetItemValue("RoamSrvr")(0)
roamstatus = ndoc.GetItemValue("RoamingUser")(0)

***Have tried Evaluate and normal GetItemValue. With evaluate, I even set aclowner to a variant vs. string. Is there a better field to use in the person document?

'aclowner = ndoc.GetItemValue("MailServer")(0)
'aclowner = Evaluate("@Subset(Fullname;1)", ndoc)

***Since we're performing this on both 8.5 and 9.x servers, the same request http://www-10.lotus.com/ldd/nd85forum.nsf/ShowMyTopicsAllFlatweb/b1f88300ffae892585257cd30016dabd?OpenDocument is posted on the 8.5x forum.

Subject: RE: NotesACLEntry & Unwanted -Default- Setting

Thanks for your response, Carl. I wonder if aclname = ndoc.GetItemValue("DisplayName")(0) is returning a null value. If so, it is interesting that null would force a -Default- setting of Editor instead of the default No Access. In my opinion, for security reasons, -Default- (or any other) should not be set unless explicitly named in the script. I’ll test with aclname = "Test User/Testco". This brings up another point… is NotesACLEntry seeking an abbreviated hierarchical name (e.g. Test User/Testco) or a canonical one like CN=Test User/O=Testco? I know DisplayName (in the person document) is abbreviated. I’ll post back results here.

***Since the ACL entry is already present, would CreateACLEntry be required? I thought GetEntry gets a specific entry and then allows the level (e.g. entry.Level) to modify the ACL setting. This is interesting… if GetEntry doesn’t locate an entry in the ACL, does entry.Level still set -Default- (since aclname is null)? Wow, that could have some unintended consequences re: security.

“GetEntry can find people, groups, or servers in an ACL. If a person is not listed explicitly in the ACL, but is a member of a group that’s listed in the ACL, GetEntry does not find that person’s name.” - Designer Help
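A defensive version of the roaming-database update, as an added example (not code from any of the posts above). It addresses both open questions in the thread: what to do when GetEntry finds no explicit entry for the name, and how to skip users who have no journal (or other) roaming database rather than erroring out. It derives the canonical name from the multi-valued FullName item, refuses to touch -Default-, and only lowers an entry that is currently above Editor. It assumes a NotesSession and a person NotesDocument are already in hand, as in the original script, and uses the ACLLEVEL_EDITOR constant from lsconst.lss.

```lotusscript
%INCLUDE "lsconst.lss"    ' defines ACLLEVEL_EDITOR (4) and the other access levels

' Return the canonical hierarchical name from the multi-valued FullName item,
' or "" if no value contains "/". Assumes ndoc is a person document (names.nsf).
Function CanonicalUserName(session As NotesSession, ndoc As NotesDocument) As String
    Dim nam As NotesName
    Dim fullnames As Variant
    Dim i As Integer
    CanonicalUserName = ""
    fullnames = ndoc.GetItemValue("FullName")
    For i = 0 To UBound(fullnames)
        If InStr(fullnames(i), "/") > 0 Then
            Set nam = session.CreateName(fullnames(i))
            CanonicalUserName = nam.Canonical
            Exit Function
        End If
    Next i
End Function

' Lower one user's explicit entry in one roaming database to Editor.
' Returns True only if the ACL was actually changed and saved.
Function DemoteToEditor(session As NotesSession, server As String, path As String, userName As String) As Boolean
    Dim db As NotesDatabase
    Dim acl As NotesACL
    Dim entry As NotesACLEntry
    DemoteToEditor = False
    ' Some users have no journal (or other) roaming database: skip instead of erroring
    If path = "" Or userName = "" Then Exit Function
    ' createonfail = False: get Nothing back if the database cannot be opened
    Set db = session.GetDatabase(server, path, False)
    If db Is Nothing Then Exit Function
    Set acl = db.ACL
    Set entry = acl.GetEntry(userName)
    ' GetEntry returns Nothing when the name is not listed explicitly; never fall
    ' through to setting a level on anything other than the intended entry
    If entry Is Nothing Then
        Print "No explicit ACL entry for " & userName & " in " & path & "; left unchanged"
        Exit Function
    End If
    ' Belt and braces: the -Default- entry is never modified by this routine
    If entry.Name = "-Default-" Then Exit Function
    If entry.Level > ACLLEVEL_EDITOR Then
        entry.Level = ACLLEVEL_EDITOR
        Call acl.Save
        DemoteToEditor = True
    End If
End Function
```

Inside the existing While/Wend loop the call would be DemoteToEditor(ns, roamserver, roamab, CanonicalUserName(ns, ndoc)), repeated for each roaming database path, with the Print output serving as the audit trail of which entries were skipped.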