Domino Connection


Database access control

Domino offers a complex and effective access control system. There are multi-level security mechanisms associated with databases and servers as well as with user IDs. Using VisualAge Smalltalk Domino Connection does not compromise this security. Some features of the Notes client can be circumvented by an API program such as Domino Connection, but this does not amount to a real security breach.

Principles

There are two levels of security that can be manipulated using Domino Connection:

Server security

Server security is granted by user ID certification, server access lists, and certain entries in a server's names and address book. Domino Connection lets you operate on the names and address book, and you can also edit the notes.ini file from within VisualAge Smalltalk. See your Domino administrator documentation for details on security, server access lists, and address book entries.

ID handling and the certification process are not supported by Domino Connection.

Database security

Database security is supported by classes that model the essential security mechanisms: access control lists and access roles. Each database has its own ACL, which defines the users and their access privileges. The following chapter explains how to read and write ACLs and how to administer access roles.

Smalltalk Classes

There are several classes involved in modeling database security: AbtLnAccessControlList, AbtLnACLEntry, AbtLnACLLevel, and AbtLnDatabase. The function of these classes is explained in the following chapter.

The model

Each instance of AbtLnDatabase has a lazily initialized access control list. If you use the accessControlList method, the ACL is initialized on the fly. Any changes to the ACL only become persistent when you send the store message to the AbtLnAccessControlList instance. The class AbtLnAccessControlList essentially maintains two ordered collections: one for the ACL entries and one for the valid role names.

Send the entries message to an AbtLnAccessControlList instance to receive the collection of all AbtLnACLEntry objects for a database. AbtLnACLEntry is a class that models the access rights for a person, group, or server. Besides methods to set and read all regular access levels (such as Manager or Designer), there is a variety of messages to add further restrictions. Use the roles method to find out which roles are defined for a database and use the addRole: protocol to create new roles. Access roles are referenced by their names.

Here is a step-by-step example showing how to manipulate the access control list in one of the demo databases supplied with Domino Connection.

Note: Be aware that changing access control settings on a database located on a server might cause problems when you change your own access level.

| localConnection database acl |
"Startup runtime system"
AbtLnEnvironment startUp.
 
"Open a connection to local databases"
localConnection := AbtLnConnection local.
 
"Open one of the sample databases provided with the feature"
database := localConnection openDatabase: 'VASAMPLE\VASAMPLE'.
 
"Read the sample database's access control list"
acl := database accessControlList.
 
"Display some properties of each ACL entry on the Transcript window"
acl entries do: [ :entry |
    Transcript nextPutAll: entry printString; cr.
    Transcript nextPutAll: entry accessLevelName; cr.
    Transcript nextPutAll: 'canCreateDocuments: ', entry canCreateDocuments printString; cr.
    Transcript nextPutAll: 'canDeleteDocuments: ', entry canDeleteDocuments printString; cr.
].
 
"Add a new entry to the ACL"
acl addNewEntryNamed: 'TestUser'.
 
"Set the new entry's access level to 'No Access'"
(acl entryNamed: 'TestUser') setToNoAccess.
 
"Store the ACL"
acl store.
 
"Close the database"
database close.
 
"Shutdown runtime system"
AbtLnEnvironment shutDown.
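The model described above (entries with access levels, and roles maintained by name on the ACL) can also be used the other way round, to audit a database before touching it. The following is an added example and not part of the original Domino Connection documentation: it lists the entries that hold Manager access and the entries allowed to delete documents, prints the defined roles, and then defines a new role without altering any entry's access level. It uses only the messages named on this page plus the standard Transcript stream protocol (print:, tab); the role name 'Auditors' is made up, and it is assumed that roles answers the plain names that were passed to addRole:.

```smalltalk
"Added example: audit the sample database's ACL, then define a role.
 Only messages documented on this page are used; 'Auditors' is a made-up
 role name, and roles is assumed to answer the names given to addRole:."
| localConnection database acl managers deleters |
AbtLnEnvironment startUp.
localConnection := AbtLnConnection local.
database := localConnection openDatabase: 'VASAMPLE\VASAMPLE'.
acl := database accessControlList.

"Entries with Manager rights can change the ACL itself, so list them first"
managers := acl entries select: [ :entry | entry accessLevelName = 'Manager' ].
Transcript nextPutAll: 'Manager entries: '; print: managers size; cr.
managers do: [ :entry | Transcript tab; nextPutAll: entry printString; cr ].

"Entries allowed to delete documents, whatever their access level"
deleters := acl entries select: [ :entry | entry canDeleteDocuments ].
Transcript nextPutAll: 'Entries that can delete documents:'; cr.
deleters do: [ :entry |
    Transcript tab; nextPutAll: entry printString;
        nextPutAll: ' ('; nextPutAll: entry accessLevelName; nextPutAll: ')'; cr ].

"Roles currently defined in this database"
Transcript nextPutAll: 'Roles:'; cr.
acl roles do: [ :roleName | Transcript tab; nextPutAll: roleName; cr ].

"Define the role only if it is not already present, then persist the ACL.
 Adding a role does not change any entry's access level, so this does not
 run into the lock-out problem the note above warns about"
(acl roles includes: 'Auditors')
    ifFalse: [ acl addRole: 'Auditors'. acl store ].

database close.
AbtLnEnvironment shutDown.
```

Because the ACL is only written back by store, everything before the addRole: step is a pure read and can be run repeatedly against a server database without side effects; this is the usual way to review who holds Manager access before making any change.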

