USER AND SERVER CONFIGURATION


Domain Search security
When a user performs a Domain Search on IBM® Lotus® Domino® databases, Domain Search checks each result against the ACL of the database in which the result was found to verify that the user has access to read the document. To perform this check, the Domain Catalog contains a listing for all databases that includes each database's ACL. For Domino to include a link to a result document in a user's result set, the user must have the necessary access to read the document -- that is, have at least Reader access to the database that includes the document and be included in the Readers field, if the document has one. The security check works as follows:

1. Domino checks the -Default- entry in the database access control list.

2. If the user has Reader access or greater, Domino checks whether the result document has a Readers field. Caution The security checking works only for search results from Domino databases. Results from file system searches depend on file system security -- users see the search result even if they are not authorized to view the document. Thus, users may not be able to access all search results or they might be able to discern confidential information from the existence of a particular search result. Be sure to set file system security properly and index only file systems for which security is not a high priority.

Tip If you want to index file systems for which security is a high priority, you can attach the files to IBM® Lotus® Notes® client documents in a database selected for indexing.

Search security and server access lists

If you use server access lists within a domain to limit access to information, you might need to check the ACLs of databases on those servers to ensure that results are filtered. Otherwise, a search might return a result to a user who cannot access the result document. In some cases, users might be able to discern confidential information from a search result.

For example, the Acme corporation has two application servers, App-E/East/Acme and App-W/West/Acme. Acme users are certified with one of two organizational unit certifiers: /East/Acme or /West/Acme. App-E/East/Acme does not allow access to any user with a /West/Acme certificate. Databases on the server have the -Default- setting in their ACLs set to Reader to ensure that /West/Acme users cannot access those databases.

When Acme implements Domain Search, /West/Acme users who query Domain Search might receive search results that include links to and summaries of documents in databases on App-E/East/Acme, because the ACLs of those databases do not prohibit /West/Acme users from seeing those results. (On Microsoft® Windows® systems, document summaries are included in the search results if users select the Detailed Results option.) The server access lists continue to maintain database security in this environment, because /West/Acme users cannot access documents from those links, but the mere existence of links and summaries could reveal confidential information to the /West/Acme users.

To avoid this issue, check the ACLs for databases that are protected by server access lists to ensure that they are set to filter correctly. To do this, assume that the server access list does not exist. Change the ACL so that, in the absence of a server access list, the database would be secured appropriately. This ensures that when Domain Search checks the database ACL, it filters out results that users cannot access.

If you are running Domino on Windows and are not sure that you can properly maintain database ACLs, you might want to prevent anyone from seeing document summaries by setting the indexing server's NOTES.INI variable to FTG_No_Summary=1.

Note This example assumes that the indexing server has a certificate that allows access to both App-E/East/Acme and App-W/West/Acme.

Related topics