About Me

I am the "IBM Collaboration & Productivity Advisor" for IBM Asia Pacific. I'm based in Singapore.
NoReader and NoAuthor Fields

Access control in Lotus Notes and Domino is built around the concept of positive identification, meaning you specify who can read or edit by naming them explicitly, or implicitly as members of a role or group. What you can't do is say: everybody except these people (or all members of group A, but not when they are members of group B). We don't have PreventReader or PreventAuthor fields (which would come in handy from time to time). The only such construct is the -No Access- setting in the ACL, which has the highest priority.
For web applications there is actually a way to implement a PreventReader form (it must be web only). You have to be clear that it is NOT a watertight method and can be compromised given enough effort. However, it is good enough for most requirements (it doesn't work in Notes clients). These are the steps:
  1. Create a Names field that will hold the entries that can't read an entry (call it PreventReader)
  2. Design all your views to only contain hidden columns
  3. Create $$ViewTemplate for [ViewName] forms with no embedded view and no $$ViewBody field, but with a Body RichText field and a computed SaveOptions field with the formula "0"
  4. Create a WebQueryOpen agent (with a little creativity you can get away with one agent and one form) that prints the columns you want to display into the Body field. The logic that prints the lines needs to be extended to skip printing when @UserNamesList contains a value from the PreventReader field. Since the view columns are otherwise hidden, even ?ReadViewEntries wouldn't reveal a thing.
However a user could open a direct link to the document. So there are a few additional steps required:
  1. Create one subform per form. Call them sf[OriginalFormName]. Cut & Paste the whole content short of the PreventReader field into the subform.
  2. Create one subform sfUnauthorizedAccessAttempt that has a nice message or throws the user back to the start-page and/or logs the attempt
  3. In the now almost empty main forms add a computed subform with the formula @If(@IsNotMember(PreventReader; @UserNamesList); "sf" + Form; "sfUnauthorizedAccessAttempt")
Now if a user gets a direct link (e.g. forwarded by an authorized user), the subform "sfUnauthorizedAccessAttempt" will load instead of the subform with the real data, so our excluded user has nothing to see.
As usual: YMMV.
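
An added example, not from the original post: a small Python model of the two enforcement points described above (the view-printing agent and the computed subform) sharing one PreventReader check, so the list page and the direct-link path cannot drift apart. The directory, names and documents are constructed, and `user_names_list` only approximates what @UserNamesList returns (user name, groups and roles).

```python
# Model of the PreventReader logic; constructed data, not Domino API code.

def user_names_list(user, directory):
    """Approximate @UserNamesList: the user's name plus groups and [roles]."""
    entry = directory[user]
    return [user] + entry["groups"] + entry["roles"]

def is_not_member(list1, list2):
    """@IsNotMember with two lists: true only if no element of list1 is in list2."""
    return not any(name in list2 for name in list1)

def may_see(doc, names):
    """Single decision point used by both the view agent and the subform."""
    return is_not_member(doc.get("PreventReader", []), names)

def render_view(docs, names):
    """WebQueryOpen step: print a row only for documents the user is not excluded from."""
    return [d["Subject"] for d in docs if may_see(d, names)]

def pick_subform(doc, names, audit_log):
    """Computed subform step for a direct document URL; logs refused attempts."""
    if may_see(doc, names):
        return "sf" + doc["Form"]
    audit_log.append((names[0], doc["Subject"]))
    return "sfUnauthorizedAccessAttempt"

DIRECTORY = {  # constructed sample directory
    "CN=Ann Lee/O=Acme": {"groups": ["Sales"], "roles": []},
    "CN=Bob Tan/O=Acme": {"groups": ["Sales", "Contractors"], "roles": ["[External]"]},
}
DOCS = [  # constructed sample documents
    {"Form": "Report", "Subject": "Q1 plan", "PreventReader": []},
    # "all members of Sales, but not when they are also Contractors"
    {"Form": "Report", "Subject": "Pricing", "PreventReader": ["Contractors"]},
    # excluded by explicit name or by role
    {"Form": "Report", "Subject": "Audit",
     "PreventReader": ["CN=Ann Lee/O=Acme", "[External]"]},
]

if __name__ == "__main__":
    log = []
    for user in DIRECTORY:
        names = user_names_list(user, DIRECTORY)
        print(user, render_view(DOCS, names),
              [pick_subform(d, names, log) for d in DOCS])
    print("refused:", log)
```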

Comments

1 - Wow very slickery. :)

Elijah

2 - You say "What you can't do is to say: Everybody except these people". What about having -=Default=-: Author, Group X: No Access. Or Joe Bloggs: No Access? When your name is explicitly mentioned, you get that level of access, no matter what your other group memberships...

Regards
Tim

3 - I had a similar requirement in Notes (allow author access or a group, but not for one person in that group: four eyes principle) and I used something similar: using @UserNamesList and setting continue to false in edit event...

Also not watertight, but someone who is able to work around it might be "intelligent" enough to know why there is such a rule

4 - @Tim: That works for the ACL for all documents. What I meant was "except these people" on a document by document basis.


Disclaimer

This site is in no way affiliated, endorsed, sanctioned, supported, nor enlightened by Lotus Software nor IBM Corporation. I may be an employee, but the opinions, theories, facts, etc. presented here are my own and are in no way given in any official capacity. In short, these are my words and this is my site, not IBM's - and don't even begin to think otherwise. (Disclaimer shamelessly plugged from Rocky Oliver)
© 2003 - 2013 Stephan H. Wissel - some rights reserved as listed here: Creative Commons License
Unless otherwise labeled by its originating author, the content found on this site is made available under the terms of an Attribution/NonCommercial/ShareAlike Creative Commons License, with the exception that no rights are granted -- since they are not mine to grant -- in any logo, graphic design, trademarks or trade names of any type. Code samples and code downloads on this site are, unless otherwise labeled, made available under an Apache 2.0 license. Other license models are available on written request and written confirmation.