Lotus Domino Administrator 8.5 Help - Using administration roles in the Domino Directory ACL

DIRECTORY SERVICES

Using administration roles in the Domino Directory ACL
The IBM® Lotus® Domino® Directory ACL includes Creator and Modifier roles that you assign to administrators so they have the authority to create and edit specific types of documents. By assigning one or more roles along with general access levels, you can limit an administrator's access to some types of documents but allow greater access to other types of documents.

Roles are useful when groups of administrators have specialized responsibilities. If all of the administrators in your organization have identical administrative responsibilities, assign them to all roles.

The access defined in the ACL by a role never exceeds a general access level. For example, even if you give the UserCreator role to an administrator who has Reader access in the ACL, the administrator cannot use the Create menu to create Person documents.

Creator roles

Assign creator roles to control who can create documents in the Domino Directory. To create documents in the Domino Directory, administrators must have:

The "Create documents" privilege
The Creator role that corresponds to the type of document being created

The following table describes the available Creator roles.

Role	Allows
GroupCreator	Administrators to create Group documents
NetCreator	Administrators to create all documents except Person, Group, Policy, and Server documents
PolicyCreator	Administrators to create Policy documents
ServerCreator	Administrators to create Server documents
UserCreator	Administrators to create Person documents

Caution Assigning Creator roles does not provide true security because Domino sometimes ignores Creator roles when administrators add documents to the directory programmatically.

Modifier roles

Rather than assigning Editor access which allows administrators to modify all documents, assign administrators Author access along with one or more Modifier roles to control the types of documents they can edit. For example, assign the UserModifier role to administrators who are responsible for managing users. Unlike Creator roles, Modifier roles are a true security feature.

The following table describes the available Modifier roles.

Role Allows

GroupModifier Administrators to edit Group documents

NetModifier Administrators to edit all documents except Person, Group, Policy, and Server documents

PolicyModifier Administrators to edit Policy documents

ServerModifier Administrators to edit Server documents

UserModifier Administrators to edit Person documents

When using Modifier roles, keep in mind the following points:

An administrator with Author access and a Modifier role cannot edit fields assigned the security property "Must have at least Editor access to use."
To delete a document, an administrator must have Author access, the "Delete documents" privilege, and the appropriate Modifier role.
Modifier roles apply only to administrators who have Author access. Administrators who have Editor access or higher automatically can modify all documents.

Roles in the ACL

Glossary

Feedback on Help or Product Usability?

Help on Help

All Help Contents

Glossary

Role	Allows
GroupModifier	Administrators to edit Group documents
NetModifier	Administrators to edit all documents except Person, Group, Policy, and Server documents
PolicyModifier	Administrators to edit Policy documents
ServerModifier	Administrators to edit Server documents
UserModifier	Administrators to edit Person documents