DIRECTORY SERVICES


Extended ACL subject
An extended ACL subject is a name for which you are setting access to a selected extended ACL target. To add a subject to an extended ACL, you select the target and then click Add below the People, Servers, Groups box in the "Extended Access at target" dialog box.

The following figure shows an example of the -Default- subject selected at the / (root) target.

Example of subject in an extended ACL

You can specify any of the following as subjects in an extended ACL:

With the exception of Self, these are the same types of entries that are acceptable in a database ACL.

You specify more than one subject at a target to give each subject its own access to the target. For example the group Admins/West/Acme and the group Admins/East/Acme might each have access set at the / (root) target. You can also add the same subject at multiple targets, to give the subject different access to each target.

If the database ACL and an extended ACL both list a particular subject, Administration Process requests can rename or delete the subject in the extended ACL, as well as in the database ACL.

Anonymous as subject

As in the database ACL, the subject Anonymous controls the access of all users and servers that access a server without first authenticating. Anonymous access applies to access via all the supported protocols.

Self as a subject

The subject Self is available only for an extended ACL and not the database ACL. At a target category only, you can use Self to define the access that all users have to their own documents that fall under the target category. A user's own document is one with a distinguished name that matches a distinguished name presented by the user. Use Self so that you can use one subject to control all users' access to their own documents at a target category.

-Default- as a subject

Adding and setting access for the -Default- subject at a target is optional. If you set access for -Default- at a target, all users and servers whose access is not determined by another subject at the selected target get the access set for -Default-. If you add the -Default- subject to a target and you want some users to have different access to the target than the -Default- access, add a subject or subjects that represent those users to the target with the desired access.

Lotus Domino servers as subjects

In general an extended ACL can't restrict the access of a IBM® Lotus® Domino® 6 server. The exception is granting a later-release Domino server Administer access to a target category that represents a particular location in the directory name hierarchy. Doing so allows the server to be an extended administration server that can carry out Administration Process requests for documents under the selected target category.

Advantages to using subjects that represent a group of users

When possible use subjects that represent groups of users -- -Default-, Self, groups, wildcard subjects -- rather than use individual users as subjects. For example, set access for the group Admins/Acme, rather than setting access for Acme administrators individually. When you use subjects that represent groups of users you minimize the number of subjects in the extended ACL to add and manage and you optimize access-checking performance.

Related topics