Access level questions -- need help

A book I am reading on Domino exam prep gives some access requirements which I don't understand.  I've listed examples below.  My comments are marked: //my comment

3-2 Necessary access to rename a user.

Database:                    Access Level:

Domino Directory             Editor, w/ create doc access & user modifier role
Certification Log            Author, w/ create doc access.

//seems correct, but why mention the by-default create doc privilege?

3-4 Necessary access to move a user in the hierarchy.

Database:                    Access Level:

Domino Directory             Editor, w/ create doc access & user modifier role
Certification Log            Author, w/ create doc access.
Administration Requests      Editor

//why here do we need editor access for the Admin Requests DB but don't in 3-2?

3-6 Necessary access to recertify a user.

Database:                    Access Level:

Domino Directory             Author, w/ create doc access & user modifier role
Certification Log            Author, w/ create doc access.

//why here do we need only author access (per domino dir) whereas in 3-2 we need editor access?

3-7 Necessary access in order to delete a user.

Database:                    Access Level:

Domino Directory             Author, w/ delete doc access & user modifier role, or Editor access
Certification Log            Author, w/ create doc access.

If deleting the user's mail file?

Domino Directory             Editor, with delete doc access
//why not author w/ delete doc?
Administration Requests      Editor, with delete doc access
//why delete doc access?

Hey Taurus,

All your questions seem to have only one central explanation. And that is:

Whenever you are trying to perform any of the admin functions on a user, you are not just doing it in the Domino Directory; a few other databases get affected as well, like the Certification Log and the Administration Requests database.

You have got to have access to these databases as well, and based on the task you are performing you may edit a document that was created by others, where you may require Author access / Editor access; again it depends on the task.

Or you may create a new document to post a request to be processed.

Or maybe I am not following you in the right sense.

Taurus (Author) commented:
Yes, you need access to the databases that contain the documents being edited or created. You use privileges to refine the access further and you use roles to specify a database's "document specific" access.

My questions are exam related. The exam book that I have shows the tables I list above. It also shows tables that show the requests happening for each of these items. The requests for renaming a person are "exactly" the same as for "moving the person's name in the hierarchy". So why does the latter require Editor access to the admin DB and the former does not?

Further, for 3-6 why do we only need Author access to the Domino DB? Is it because we are only creating, not editing, a doc? I need clarification that these answers are correct. The author has made mistakes in this book and I'm not 100% sure about these answers.

Also I would like to be able to figure out for myself the access needed based on knowledge of what is being created and/or modified in each respective DB rather than rote memorization. Again, I ask specifically because I want to get the right answers on the CLP exam.
Now this makes a lot of sense to me.
Hello Taurus,

me again <|;-)

OK, let me please explain two things you surely already know, but simply to have them stated.

1.) Author is the same as Editor. The difference is: Editor may edit own AND foreign docs; Author is allowed only to edit own docs and to create and edit new ones.

2.) Even with Manager access you are not allowed to delete docs if you do not have the appropriate checkbox checked. Authors additionally need the Create checkbox.

(When you would like to confuse yourself, then look at Readers fields, not Reader access; these are things absolutely not recommended, even for managers <|;-)) When you are Principal, then we can talk again about nice replication strategies with Readers fields...)

So, now step by step the answers...

3-2 Necessary access to rename a user.
//seems correct but why mention the by default create doc privilege
++It is not correct; Editor always has create access; but for a rename you do not create a doc in the DD; Author needs the Create checkbox for creating docs in the CL.

3-4 Necessary access to move a user in the hierarchy.
//why here do we need editor access for Admin Requests DB but don't in 3-2?
++You are right; renaming, like moving in the hierarchy, is best completed with an AdminRequest.

3-6 Necessary access to recertify a user.
//why here do we need only author access (per domino dir) whereas in 3-2 we need editor access?
++Again you are right; with [UserModifier] you are effectively Editor even with Author access. The only difference is: with Author you can edit all present Person docs, but need the Create checkbox for creating new ones. So in 3-2 you do not explicitly need Editor.

3-7 Necessary access in order to delete a user.
//why not author w/ delete doc?
++You are right; Author with the Delete checkbox and [UserModifier] is enough. If not a [UserModifier], then you need to be in the Owner or LocalAdmin field, OR have Editor AND the Delete checkbox.

//why delete doc access?
++You are right, absolutely nonsense; Delete requests are not deleted by the requestor :-)


I hope my statements helped you without confusing you. Mainly I am a Principal Developer, so I look at the Authors fields guarding these Editor accesses. For Person documents they are:
"DocumentAccess": [UserModifier]

I wish you good luck for your exam.

Taurus (Author) commented:
Hi zvonko,

Sorry I haven't been responding.  I've been busy cramming for these exams and helping my wife who is just a little behind me in studying.  I passed the first one and now am on to the second.  

Per the access levels, this is sort of how I've reasoned it. Correct me if I err.

First you have the 7 basic ACL levels (manager...No access).  Next you have privileges which apply/modify in ad hoc manner to one of the 7 basic ACL levels or a range in the 7.  For example create documents privilege applies to author and Delete documents privilege applies to the range author...manager.  

After privileges there are the roles, which are equivalent to the privileges except that they apply at the document level instead of the database level. They're also "ad hoc" in that the creator roles apply to all access levels of Author and higher, whereas modifier roles apply to Author only.

So I figure that one just has to memorize how these privileges and roles map to the 7 ACL levels, because they don't seem to be derivable. Only the ACL levels that privileges and roles "map to" are explicitly affected by them. For example, the modifier role (per the Domino Directory) has no defined meaning or effect other than for those assigned Author access. (Note there is also no corresponding privilege.) Whereas the creator roles affect ACL levels Author...Manager, and for Author there is the corresponding create documents privilege. (I suppose you could say that the create docs privilege applies to Editor and above, but since you can't uncheck it, why even show it?)

It all seems pretty inconsistent (or I'm not seeing the pattern). For example, the modifier roles apply only to Authors (I assume for the reason that Editors and above can modify docs by default). However, creator roles apply to all levels above Author which have the create doc privilege set. Why don't the modifier roles apply above Author level if the creator roles do?

Are the creator roles a requirement for Editors...Managers? In other words, if I want to have user Tom (with Editor access) create Person docs, do I have to assign him the [UserCreator] role? I assume the answer is yes, but I'm not getting the logic as to why. I say this because if I want to have Tom modify Person docs I don't have to assign him the [UserModifier] role, because it only applies to Author level.

What also has been confusing is that the author of my exam book has stated explicitly that "roles refine the ACL but they cannot expand it". I would say that adding the modifier roles to an Author is expanding his basic access.

Finally, it appears that author fields override roles with respect to author level?  Correct?

Best Regards,

Hey man, this all gets too complex ;-))

First of all, congratulations on your CLS exam.

Your question starts to become as complicated as your TCP/IP question...

ACL is the central point in workflow systems like Notes.

Generally, I understand Notes as a system working on files (databases) which are compound storage.
In this compound storage are documents; Notes calls a document a note.
An ACL object is also a note.
This ACL document controls the user's access level to the database.
ACL documents can only be edited by users holding Manager level.
As you stated, there are seven general access levels for a user or a group.
If a user is listed with his name in the ACL and is also a member of a listed group, then the user entry is valid.
If the user is defined more than once in the ACL, then he gets the lowest defined access.
If the user is a member of more than one group defined in the ACL, then he gets the highest access.
But for membership, all user entries and group entries are accumulated into a UserNamesList.
This UserNamesList also holds all roles which are defined in this ACL and given to the user through name or group entries.
One important point about the roles: they define no access rights.
The roles are, simply spoken, groups, defined not in names.nsf but in the ACL.
Exactly as a group name does not define an access level (SuperTrouperSpecialGroup can have Reader access to a database), so role names do not define access privileges. For example, the above role [UserModifier] is only a string in the ACL of the database names.nsf. Being a UserModifier only takes effect when this string is placed into an Authors field. Authors fields grant edit access to everyone listed in all Authors fields of this particular document, either as a single user name, group name or role name. That's all. Of course this Authors field cannot grant edit access to someone whose highest access right to a database is Reader. Nor does somebody need this edit access when he is already Designer in a database.

So let us summarize.
There are seven access levels, from Manager to NoAccess.
There are nine privileges which can be given to an entry. Here is a list of them:
And there are roles which can be used in Readers and Authors fields.
Of course you are right that some of the privileges do not make sense when given, because they are included in the access level. But the full matrix of combinations only makes sense once you use them and have fallen into the pitfalls while learning. As everybody does...

For my own use I have written an application to store these ACL settings in a database and maintain them. I placed it at the sandbox, so you can look at it if you have spare time. Here is the URL:
Even with this depth of understanding I cannot give you a matrix of rules which would not confuse you. Sorry.

So I hope I have not confused you, but given you some hints in the right direction.

Good luck for your exams.

Oh, I have not answered any of your questions above. Please ask single questions again and not too much at once. For example: there does not exist a CreatorRole. Roles do not allow anything. They are simply strings which an ACL entry can obtain. This string (role) only gets access rights when used in an Authors field. Without this it has no use.

And so on...

Especially confusing is when questions intermix AdminTask requirements and standard application ACL usage.

So please ask again.

So long,
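To make the resolution rules in this answer concrete (an explicit user entry beats group entries, the lowest of several explicit entries, the highest of several matching groups, roles accumulated from every matching entry, and an Authors field helping only an Author-level user), here is a small Python model. It is an added example, not code from the thread or from Notes itself; the ACL entries, user names and group names are constructed.

```python
from dataclasses import dataclass, field

# The seven access levels from the thread, lowest to highest.
LEVELS = ["NoAccess", "Depositor", "Reader", "Author", "Editor", "Designer", "Manager"]

@dataclass
class AclEntry:
    name: str                                # user name or group name
    level: str                               # one of LEVELS
    roles: set = field(default_factory=set)  # roles are only strings held by the entry

def effective_access(user, groups, acl):
    """Resolve level and roles as the post describes: an explicit user entry
    beats group entries; several explicit entries give the lowest level; several
    matching groups give the highest; roles of every matching entry accumulate."""
    user_entries = [e for e in acl if e.name == user]
    group_entries = [e for e in acl if e.name in groups]
    roles = set().union(*(e.roles for e in user_entries + group_entries))
    if user_entries:
        level = min((e.level for e in user_entries), key=LEVELS.index)
    elif group_entries:
        level = max((e.level for e in group_entries), key=LEVELS.index)
    else:
        level = "NoAccess"  # assumption: no -Default- entry is modelled
    return level, roles

def can_edit(user, groups, acl, doc_authors, own_doc=False):
    """Editor and above edit any document. Author edits only its own documents or
    those whose Authors field names the user, one of its groups or one of its roles.
    Reader and below never edit, whatever the Authors field says."""
    level, roles = effective_access(user, groups, acl)
    if LEVELS.index(level) >= LEVELS.index("Editor"):
        return True
    if level == "Author":
        return own_doc or bool(({user} | set(groups) | roles) & set(doc_authors))
    return False

# Constructed ACL for a Domino Directory (names.nsf); the Authors field on Person
# documents is the one zvonko quotes: [UserModifier].
ACL = [
    AclEntry("Tom/Acme", "Author", {"[UserModifier]"}),
    AclEntry("Sue/Acme", "Author"),
    AclEntry("HelpDesk", "Reader"),
    AclEntry("LocalDomainAdmins", "Manager", {"[UserModifier]", "[GroupModifier]"}),
]
PERSON_DOC_AUTHORS = ["[UserModifier]"]
```

Tom, an Author holding [UserModifier], edits Person documents like an Editor, while Sue, an Author without the role, edits only her own; a Reader in the HelpDesk group is never helped by an Authors field.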
Hello Taurus,

have you passed your exams?

...and what about my points <|;-)

Taurus (Author) commented:
Two exams down, one to go.  I have had a three week lapse due to vacation, family medical emergency in Colorado, & WTC tragedy which kept me in CO longer than anticipated -my flight back to CA on United was cancelled as it was to depart the eve of Sept. 11th.  I rented a car later in the week and drove back.
I am located in Munich, Germany. Be sure that people around me here have deep empathy with all Americans suffering this terror attack.
My biggest hope is that your great nation will show the world that it is a great nation.

By the way, I am not German, I am Macedonian.

Thank you for the points and good luck for the next exam (you are taking the admin track, I suppose; what is the last exam?).

Taurus (Author) commented:
Thanks for the kind words,

It's very good to know that America does not stand alone. I for one want friends around the globe, not enemies!

By the way, I took my 3rd exam today and passed :} so I'm finished for now. I don't know that I mentioned this before, but my reason for learning Domino was to enable me to commercially host (re-sell) Lotus Sametime and QuickPlace. To commercially host required being an IBM PartnerWorld for Software Partner at the Advanced level. The Advanced level requires one CLP person to be on staff. Now that this is achieved I may or may not study for and take the application programming exams. I'm a programmer by profession, so that would be more in line with my interests.
