We have an unusual situation where we need to host users from multiple domains on a single Domino server. That’s actually easy but the big requirement is that users from one domain should not be able to see the Person or Group docs for any domain other than their own in the Domino Directory.
I’ve tried moving the Person and Group docs for a domain into a secondary directory and using Directory Assistance, but only one DA document can have the Group Authorization field set to Yes (a “privileged” domain). As a result, if a user is not in the privileged domain they can sometimes authenticate but they cannot access databases because the group membership lookup fails.
Without modifying the directory design, I do not see a Readers field on a Person or Group doc so I can’t control access that way. I played with the Extended Directory Catalog but that still aggregates the Person docs from all domains into a directory so I’m back where I started.
Subject: Re: Restrict doc access for multiple organizations in Domino Directory
If the total number of people you would be supporting is small and relatively static, it would be possible to do as Stuart Bogom suggests. You are only hiding Person Records at the time you create them. However, from a security point of view, I would deploy partitioned servers as D Porter suggested.
You are going to have real trouble doing this using a single instance of Domino. You need to look at partitioning and/or Domino in a hosted environment.
That’s an interesting angle with good possibilities but maintenance would be labor-intensive. I looked at the NotesDocument class but didn’t see anything that can change those values. Do you happen to know if it’s possible to manipulate that tab with code?
Thanks everyone for your suggestions. Currently it is cost-prohibitive to convert to a partitioned configuration but that will likely be our direction as our customer (and therefore revenue) base grows.
I have tested the $Readers field in conjunction with a secondary directory and DA and it all works nicely. Non-domain users cannot view the restricted group in the primary NAB nor person docs in the secondary NAB, and domain users can authenticate and open their dbs properly.
I had already automated the user registration process through LotusScript from our internal support db, so it will be easy for me to manipulate the $Readers field safely by automatically including administrative groups to prevent lockout.
Look at the security tab of the group document’s properties (the one with the key on it). You can use it to control the readers of the document just like a readers field. Same for person docs. Not sure of how to get ‘*/domain1’ into the list, but if you had a group that included all the users in domain1 you could restrict a document to only being readable by the users in domain1_group.
Subject: And groups & roles can be included in $Readers. But be careful.
One slip-up and it is extremely tough to recover the document. I always customize the form to force a role onto the end, so I can recover if something unexpected is thrown into the field.
It looks like the content from that tab is stored in a readers field called $Readers in both person and group documents. You should be able to create & manipulate that with LotusScript.
P.S. Make sure to include relevant server and administrator names in the readers field!
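A LotusScript example of the approach the two posts above describe (automating the $Readers field on Person docs in the secondary directory while always keeping administrators, servers and a recovery role in the list). This is added here and is not code from the thread; the database path, the group names and the [Admin] role are assumptions.

```lotusscript
' Added example (not from the thread): stamp a $Readers field on each Person doc
' in a hosted domain's secondary directory. Every entry other than the domain
' group is there to avoid locking administrators out (assumed names below).
Option Declare

Sub SetDomainReaders(doc As NotesDocument, domainGroup As String)
    Dim readers As NotesItem
    Dim names(0 To 3) As String
    ' Constructed reader list: the domain's own group, plus the admin group,
    ' the servers group and a role so the document can always be recovered.
    names(0) = domainGroup              ' e.g. "domain1_group" (assumed)
    names(1) = "LocalDomainAdmins"      ' administrators (assumed group name)
    names(2) = "LocalDomainServers"     ' servers must be able to read the doc
    names(3) = "[Admin]"                ' recovery role forced onto the end
    Set readers = doc.ReplaceItemValue("$Readers", names)
    readers.IsReaders = True            ' make it a Readers field, not plain text
    readers.IsSummary = True            ' keep it visible to views and lookups
    Call doc.Save(True, False)
End Sub

Sub Initialize
    Dim session As New NotesSession
    Dim db As NotesDatabase
    Dim view As NotesView
    Dim doc As NotesDocument
    ' Assumed: the secondary directory that holds domain1's Person docs
    Set db = session.GetDatabase("", "names-domain1.nsf")
    Set view = db.GetView("People")
    Set doc = view.GetFirstDocument
    While Not doc Is Nothing
        Call SetDomainReaders(doc, "domain1_group")
        Set doc = view.GetNextDocument(doc)
    Wend
End Sub
```

Run it first against a test copy of the directory and confirm that a user outside domain1_group no longer sees the documents while an administrator still does.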
I haven’t had occasion to try it recently. I noticed Administrator would let me “promote” myself to an admin, is that the path to get to see these documents? Or is there a way to actually see the docs within the Notes client itself if there’s a lot of cleaning up to do?
Mike… remember that the ‘full access administration’ feature can be used to bypass the control of a $Readers field if you slip up and get excluded from a document.
You can turn on ‘full access administrator’ from the administrator client (administration menu). You also need to have your name in the server config doc in ‘full access admini’ field on the security tab.
Once you activate it in domino administrator, you bypass reader field controls - all documents are visible to you even if you are not listed in the readers field.
I’m pretty sure that, if you have both the client and the administrator open, the full access applies in both once you turn it on.