Prevent viewing of Documents based on OU

Posted on 2006-04-04
Last Modified: 2013-12-18
Experts this is HOT!

In our homemade Portal we have an area where users post announcements, this is then workflowed to HR for approval, they can then make whatever changes needed to make the announcement politically correct and publish it or not. The new requirement is that HR wants to be able to disallow certain Business Units from seeing announcements that are not pertinent to them. For instance we publish announcements on certain local events that our Costa Rica office really does not need to see. The "Portal" is currently opened to all the BU's for viewing, what I'd like to do is allow HR to select (by virtue of a button or something) which BU's can see the announcements. So when the announcement is "Published" only those chosen by HR can see the Document/Announcement. The portal is on a 6.5 client and is being replicated to the other BU's. I am open to whatever works quickest! Thanks
Question by:padillrr
 
LVL 22

Expert Comment

by:mbonaci
ID: 16370936
Hi padillrr,
use one Readers field and one Author field on form.
In Author, Computed when composed, place the role [Admin] (someone who can see all - to avoid losing docs).
In Reader, Editable let creator enter who can see it (or compute it using @Name([OU]; @Username)).

Hope this helps,
Marko
0
 
LVL 22

Expert Comment

by:mbonaci
ID: 16370987
padillrr,
here is a good Reader / Author fields explanation (tool).

http://www-10.lotus.com/ldd/46dom.nsf/11a0b6a64ffb3d8d85256a4c004f1bbd/e0359d10a2307d1885256c61000707b7?OpenDocument

Hope this helps,
Marko
0
 

Author Comment

by:padillrr
ID: 16371006
I'm not understanding, help me out, I already have the author field, now how do I make it so that in the readers field HR PICKS the OU's they do or do not want to see the document/announcement??? You're saying to use @Name([OU]; @Username) but wouldn't they then have to pick names???? We have over 1500 folks that have access to this Portal, I need to make it as user friendly as possible, remember this IS for HR :-)
0
 
LVL 22

Expert Comment

by:mbonaci
ID: 16371083
padillrr,
if you have that large a number of users I suggest you use "location" roles (every OU has its role), then put the role in the Readers field and everyone who has that role will see the document, others won't.

Here you can find more details about Reader/Author fields:
http://www.experts-exchange.com/Applications/Email/Lotus_Notes_Domino/Q_21780556.html

Hope this helps,
Marko
0
 

Author Comment

by:padillrr
ID: 16371738
Marko,
I took a look at the posting and it looks good except we are not using the C (country) on the OU. This is how our names look: Ray Padilla/US/XXXXX, Joe Blow/CR/XXXXX, Jane Doe/EU/XXXXX. How do I take advantage of this? Also, how do I use Roles without having to create groups to assign the roles to? Currently access is granted by virtue of */XXXXX which allows everyone access. I'd like to have a dialog list where HR just picks the Business Unit's name, then somehow in the background add those folks to the reader group.
0
 
LVL 22

Expert Comment

by:mbonaci
ID: 16371774
padillrr,

this came "like ordered":
http://www.experts-exchange.com/Applications/Email/Lotus_Notes_Domino/Q_20246782.html

Hope this helps,
Marko
0
 

Author Comment

by:padillrr
ID: 16371787
How about a dialog list with something like:

Costa Rica | CR
Europe | EU
Colombia | CO
Florida | US
etc etc.

Then a computed readers field that grabs the initials and adds the remainder so that the readers field will have something like this:

CR/XXXXX, CO/XXXXX

Would that work? and can I add the extension with Formula?
0
 

Author Comment

by:padillrr
ID: 16371844
I looked at the other post but that seems to be restricted based on who created the document, I want our HR to make the restriction....
0
 
LVL 22

Expert Comment

by:mbonaci
ID: 16371864
padillrr,
I still suggest using Roles (every location has its role).

To let the creator assign the roles to the field use this option on the field's properties, second tab, Choices
    "Use access control list for choices"

Hope this helps,
Marko
0
 
LVL 22

Expert Comment

by:mbonaci
ID: 16371888
have to go home...

I hope I was of some help...
Marko
0
 
LVL 18

Expert Comment

by:marilyng
ID: 16373176
padillrr,  the reader's field can be editable, so that you have one field at the top of your form:  readersbase, that would = your HR and Admin roles. = readersbase, names, multivalue, maybe also the person who created the document

then you have an editable field that allows HR to select "who" can see the documents:
selectreaders, list, multivalue

Your selection formula has the "readable" and the real value:
Miami People|*/MIA/ORG
BBB Office|*/BBB/ORG

at the  bottom of your form is a computed READERS field, READERS, multivalue.
@Trim(@Unique(readersbase:selectreaders))

So your HR people can open the form, assign additional readers, and save the document.  (you can hide the editable field from all but your HR roles)

0
 

Author Comment

by:padillrr
ID: 16374047
This is what I did, I created an editable field viewable only by HR, here they select the OU's:

Costa Rica | CR
Europe | EU
Colombia | CO
Florida | US

Then I created a computed reader field with this formula:

"*/" + viewers + "/" + "XXXXX" where XXXXX is the company

I've tested it out and it seems to populate the readers field with

CR/XXXXX; US/XXXXX

The problem is that no one can see the announcement, I am guessing it's the ACL. In the ACL access is granted with:
*/XXXXX

Does it need to reflect the OU in the ACL? such as:
US/XXXXX
CR/XXXXX
ASPAC/XXXXX

Will that make the difference ?

0
 

Author Comment

by:padillrr
ID: 16374059
sorry I meant :
*/US/XXXXX
*/CR/XXXXX
*/ASPAC/XXXXX
and in the formula viewers is the name of the editable field.
0
 

Author Comment

by:padillrr
ID: 16375622
Marilyng,

I read here http://www.experts-exchange.com/Applications/Email/Lotus_Notes_Domino/Q_20246782.html that a readers field cannot have a wildcard, but I've done everything you suggested except create the readerbase field at the top of the form. On the computed readers field at the bottom the entries are separated by a ; (semicolon instead of a colon or comma).
0
 

Author Comment

by:padillrr
ID: 16375737
It's almost there!!!!! I just need clarification on the ACL entry, if we are using */XXXXX instead of */US/XXXXX will this work or do we have to modify the entry, and if I have to modify the entry must I delete the */XXXXX entry? Does it even make a difference? Can someone explain why it currently isn't working with just the entry */XXXXX?
0
 

Author Comment

by:padillrr
ID: 16375751
By the way, I used the separator on the field to be a comma and that worked so now the entries are reflected  I THINK properly
0
 
LVL 18

Accepted Solution

by:
marilyng earned 2000 total points
ID: 16377043
Hi padillrr,

The note you reference in experts exchange is incorrect.  The readers and authors fields can contain wildcard ou, o, c, just as long as you specify them in canonical format: */ou=thisou/o=thiso

I was a bit sloppy on my syntax to you (apologies)

Change the computed DOCREADERS to: @Name([Canonicalize];@Trim(@Unique(AllReaders:SelectReaders)))
(Names, Multivalue, doesn't matter how it's separated) Just make sure it's at the END of the form.

ALLREADERS field, names, multivalue (or text)
"[HR]":"[Admin]"

So, if you have: SELECTREADERS field (text, multivalue)
Shipping Department|*/Shipping/MyDomain
All of My Domain|*/MyDomain
Accounting|*/Accounting/MyDomain

In your dropdown list, multivalue, doesn't matter how it's separated.

I would add a  source.refresh in the querysave event, also.
0
 
LVL 18

Expert Comment

by:marilyng
ID: 16377051
BTW, I tested, and it does populate correctly with the wildcard, just make sure the drop down list is text.

Also, I added the wildcard values to the ACL, set the database to  "enforce a consistent ACL" and make sure there is an administration server listed.
0
 
LVL 22

Expert Comment

by:mbonaci
ID: 16378809
I also thought that the Readers field can't contain wildcards, good to know...

marilyng,
why does it have to be at the end of the form?

Marko
0
 

Author Comment

by:padillrr
ID: 16382455
Well, I've changed the ACL to reflect */US/XXXXX, but it still does not work. I can read it as the author but nobody else sees it regardless of what OU I use it is not working. am I missing something?
0
 

Author Comment

by:padillrr
ID: 16382832
Marilyng, I am not using the Allreaders field, my authors field is set to change and add the Admin and HR roles once it has been submitted so I am only using the SelectReaders  field, I have therefore changed the formula to this:

@Name([Canonicalize];@Trim(@Unique(SelectReaders)))

That is not populating the readers field at all.

The SelectReaders field is a dialog list with the following:

Costa Rica | */CR/XXXXX
Europe | */EU/XXXXX
Colombia | */CO/XXXXX
Florida | */US/XXXXX


0
 
LVL 18

Expert Comment

by:marilyng
ID: 16383714
Of course not... padillrr, you must remember that when we suggest a method, it is for a reason,

you need to use the allreaders field - TEXT, multivalue
you need to use the selectreaders field - TEXT, multivalue

you then need to have a computed READERS field at the bottom of the form that has BOTH values concatenated.

then you need to be sure to do a source.refresh in the query save, ELSE YOUR READERS VALUES WILL NOT POPULATE.

0
 
LVL 18

Expert Comment

by:marilyng
ID: 16383745
sorry, that submitted before I was finished,
the reason is that your SelectReaders also needs to do a refresh fields on change, so that you force a calculation.

The reason for the ALL readers is in case people save without selecting something, then you don't have a bunch of forms that no one can get into, it is set when the form opens and populates the readers field with a default list, uh, so the SERVER can see the document, too, else it won't replicate.

0
 

Author Comment

by:padillrr
ID: 16384252
OK I am a dumba$$, as soon as I did exactly what you said it worked! One minor issue with ACL, we have changed our ACL and deleted the */XXXXX and replaced it with */US/XXXXX etc etc, what if I want everybody to see it? Would adding an entry to the Selectviewers field of ALL Business Units | */XXXXX work? Even though that is not an entry in the ACL? If we added that entry to the ACL wouldn't it then allow all readers regardless?
0
 
LVL 18

Expert Comment

by:marilyng
ID: 16388113
It will allow the readers access to the database, but not necessarily reader access to the document.

If */ABC = reader access, then they can open the database and read public forms, public views, but not any document where the readers field isn't set to */ABC.

Now, it gets a bit complicated, because if the reader= */ABC

Then */ABC only,  or */Accounts/ABC will have reader access to the document.

*/Accounts/ABC = ACL Reader will allow those users reader access to the database.  But not allow mary smith/ABC access.

I have many databases where I set the readers ACL  to */ABC, which allows ALL access, then done specific */Accounts/ABC for target documents and views.
0
 

Author Comment

by:padillrr
ID: 16391433
So if I understand correctly, */US/XXXXX allows readers of the US certifier only whereby */XXXXX will allow all certifiers access, so if I use Global | */XXXXX as an option on the dialog list then all certifiers would be able to read the announcement. If I were to add then */XXXXX to the ACL I could still use */US/XXXXX to allow or deny readers access to an announcement. Am I correct in my understanding?
0
 
LVL 18

Expert Comment

by:marilyng
ID: 16396843
If I understand what you're saying, yes.


*/XXXX to the DB ACL = with reader access will allow all to read only,
*/XXXX to the DB ACL = with author access + create new documents will allow all to create and edit documents they create.  

A document having a readers field set to:
*/O=XXXX will allow */OU=ABC/O=XXXX and */OU=BBB/O=XXXX to read the document.
*/OU=ABC/O=XXXX will allow */OU=ABC/O=XXXX and */O=XXXX to read the document but not */OU=BBB/O=XXXX
0
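
The two-stage check discussed in this thread (database ACL first, then the document's Readers field with wildcard entries) as a simplified Python model. This is an added example, not part of any post and not Domino's own logic; it assumes names without a country component, takes roles as the union over matching ACL entries, ignores Authors fields, and `HR Staff/US/XXXXX` is a constructed user.

```python
# Simplified model of Domino read access: ACL gate, then Readers field.
# Added illustration only; not Domino's implementation.

def canonicalize(name):
    """Abbreviated -> canonical form, assuming no country (C) component."""
    if name.startswith("[") or "=" in name:
        return name                          # role, or already canonical
    parts = name.split("/")
    labels = ["CN"] + ["OU"] * (len(parts) - 2) + ["O"]
    return "/".join(p if p == "*" else f"{l}={p}" for l, p in zip(labels, parts))

def entry_matches(entry, user, roles=frozenset()):
    entry = canonicalize(entry)
    if entry.startswith("["):
        return entry in roles                # role entry such as [HR]
    user, entry = canonicalize(user).lower(), entry.lower()
    if entry.startswith("*/"):
        # wildcard: the components after the user's CN must end with the entry's tail
        return ("/" + user.split("/", 1)[-1]).endswith(entry[1:])
    return entry == user

def docreaders(all_readers, select_readers):
    """Mirrors @Name([Canonicalize]; @Trim(@Unique(AllReaders:SelectReaders)))."""
    out = []
    for value in all_readers + select_readers:
        value = value.strip()
        if value and canonicalize(value) not in out:
            out.append(canonicalize(value))
    return out

def can_read(user, acl, doc_readers):
    """acl: {entry: set of roles}; doc_readers: values of the Readers field."""
    hits = [e for e in acl if entry_matches(e, user)]
    if not hits:
        return False                         # no database access at all
    roles = set().union(*(acl[e] for e in hits))   # simplification: union of roles
    if not doc_readers:
        return True                          # empty Readers field: ACL alone decides
    return any(entry_matches(r, user, roles) for r in doc_readers)

# Constructed ACL: everyone in the organisation may open the database,
# one constructed HR user carries the [HR] role.
ACL = {"*/XXXXX": set(), "HR Staff/US/XXXXX": {"[HR]"}}

def demo():
    readers = docreaders(["[HR]", "[Admin]"], ["*/CR/XXXXX", "*/CO/XXXXX"])
    users = ["Joe Blow/CR/XXXXX", "Ray Padilla/US/XXXXX",
             "Jane Doe/EU/XXXXX", "HR Staff/US/XXXXX"]
    return {u: can_read(u, ACL, readers) for u in users}

if __name__ == "__main__":
    for user, ok in demo().items():
        print(f"{user:24} {'can read' if ok else 'hidden'}")
```

Calling `docreaders([], ["*/CR/XXXXX"])` instead shows why the default AllReaders roles matter: without them the HR user who published the announcement can no longer read it.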
 

Author Comment

by:padillrr
ID: 16400408
Excellent! Thank you Marilyng, by  the way would this work on the web? Should I open another question!
0
 
LVL 18

Expert Comment

by:marilyng
ID: 16405355
It should work.. :)
0
