Keeping contractors from accessing databases

zdima used Ask the Experts™
I have a group of contractors from another company that will be working with us
for about three months that need me to generate Notes ID files for them so that they
can share data in a Notes database.  If I register them as a user,
they would also have access to databases that have Reader access as a default in the ACL.
However, I don't want them to access any database on the Domino server except for that
one database that they will be working on.  What's the easiest way of doing this?
Adding their group name to have No Access on every database would be cumbersome.
I'm running R5.0.10 on a W2K server.

Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Add a new Domino server -- it can be a partition on the same box -- that has only that database.  Otherwise, you could have to touch all the ACLs, there's no two ways arond it.

For the future, you might want to have all databases with Default=No Access.  You can grant all your users access by adding */XYZYZ to the ACL instead of Default, where XYZYZ is your company's root (O/Org) certifier name.  Contractors could then be certified using a completely separate certifier, which would not match XYZYZ.

Aren't you being a bit paranoid though?  WOuld you block a new employee from accessing other databases?
Just I am supposed to type Qwaletee.
U had this also.

>> Just I am supposed to type Qwaletee.
>> U had this also.

Huh?  What does that mean?
OWASP Proactive Controls

Learn the most important control and control categories that every architect and developer should include in their projects.

By the way, assuming you end up adding a no access group to the ACL, you can remove some, but not all of the tedium as follows:

Use the administrator client
Go to the FILES tab
Select multiple files (i.e., all file)
You can then manage multiple ACLS together, and make the change once to all selected files
Repeat for each subdirectory (and sub-subdirectory, etc.)

At least you won;t have to open the ACL window separately for each database in each directory.

Another way:

You can write a script that goes to each database, and adds the no access group.  Most startup-effort of all solutions, but once you get it running, BAM it does everything for you.
Mean I log in to give response to this thread, and ur answer is there.

U had this also means, last time within a fraction of minute, u replied before me for a lot of questions. This time also u are the winner.

Qwaletee, u r rocking EE.

Along the lines of:

Dim dbs as New NotesDbDirectory ( "Your serevr name" )
Dim db as notesDatabase
Set db = dbs.getFirstDatabase (TEMPLATE_CANDIDATE )
do until db is nothing

Dim acl as NotesACL
Set acl = db.acl
Dim entry as notesACLEntry
Set entry = acl.getEntry ( group )
if entry is nothing then
  acl.createEntry group , ACLLEVEL_NOACCESS
end if
Set db = dbs.getNextDatabase


An asset should not be questioned.. ;-)


So, which way did you go?


Well, just setting up another Domino server was out of the question so we went with
adding No Access for the default on all the databases.  This setup would benefit us in
the future anyway for any other situations like this.


And you added */... instead?


Actually, I changed my mind with changing the default access after I posted my comment above.  
I ended up leaving the default access to whatever the databases were set to.  Instead, I created a
new certifier like */Contractor/MyCompany and added that to all the database ACLs with No Access.

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial