
Extended ACL trivia


Did you know that the Extended ACL trumps type-ahead?

Not you, Miller, of course you knew.

But maybe somebody else will be as surprised as I was. We were trying to solve an issue where certain business users needed to be able to look up certain email addresses, but *only* those business users should be able to - not the rest of the users (The Great Unwashed). I know, before you all write in to point it out, that this is a foolish and ultimately pointless exercise. It is, though, a little bit LESS pointless than it used to be, thanks to the Extended ACL.

Now, our admin staff traditionally did this sort of thing (years before I got here) by restricting access to the NAB entirely. Users could pick it from the drop-down list, but they'd be told they didn't have access to it. Now, we all know that users could avoid this 'security feature' (not my term for it) by simply starting to type in a name and hitting F9 or pausing for a few seconds, allowing type-ahead to look up the user for them. See, type-ahead ignores the user's access as granted in the NAB's ACL - it assumes that users are supposed to be able to send each other messages (what a concept...). So this has never been a very GOOD solution, but it looked like it did what the users wanted, and that kept them happy (yes, we have always explained that it wasn't a real solution - they didn't care).

Unfortunately, this technique had an unintended consequence that came to light in our testing: in environments using DA instead of old-fashioned cascaded address books, users who didn't have access to any given NAB and were trying to use calendaring to schedule resources would get an error every time because they didn't have access to that NAB. Didn't matter that they weren't trying to access that NAB - the act of trying to schedule a resource in any other NAB would cause the mail client to try to access the restricted one. So, back to the old drawing board.

Obviously, the Extended ACL could solve this issue for us. We simply restrict access to certain types of documents, by form. So, unprivileged users can't see Person or Group or Server (etc.) documents, but they *can* see resources and rooms. Simple, easy to implement, works like a charm. Calendaring works again, and the restricted access works too. Better than the old technique, because now the users don't get an error when they choose the restricted NAB from the list, they simply don't see any entries.

But here's the kicker: type-ahead addressing respects the Extended ACL. Odd, hm? True, though. Our users can no longer use type-ahead to get around the intended address lookup restrictions. Pretty cool, how well it works. Really. [Stop. I know perfectly well that doesn't solve the real problem. That's not what we're talking about, ok? And, yeah, I know the Cool Kids don't call it a NAB anymore, but I've never been one of the Cool Kids before so why should I start now?]

Once I found out what was happening, I looked for some mention of this in the help or forums - didn't find it. Am I missing it somewhere obvious? Did everybody but me know about this?

Comments

1 - Wow! I can honestly say that I've not seen extendedACL work outside the test lab. Not because it doesn't, just because large corporates tend not to go for "new" (ish!) features, etc..

(this might explain why you don't see a lot of feedback on this particular feature..)

(Disclaimer for the M$ drones. Notes has *lots* of features, and it'd be impossible to use them all. Hell, even half! So this isn't any sort of ding for Notes.. There's usually a number of different ways of achieving stuff in Domino...)

Encouraging stuff!

---* Bill

2 - so what do the cool kids call the NAB now? (seriously, i have no idea)

3 - Ahh the wonders of watching the young companies learn new things. Makes a poppa proud

Captain Who?

Captain Oblivious is Rob McDonagh's blogging alias. So there.