Prevent viewing of Documents based on OU

Experts this is HOT!

In our homemade Portal we have an area where users post announcements, this is then workflowed to HR for approval, they can then make whatever changes needed to make the announcement politically correct and publish it or not. The new requirement is that HR wants to be able to disallow certain Business Units from seeing announcements that are not pertinent to them. For instance we publish announcements on certain local events that our Costa Rica office really does not need to see. The "Portal" is currently opened to all the BU's for viewing, what I'd like to do is allow HR to select (by virtue of a button or something) which BU's can see the announcements. So when the announcement is "Published" only those chosen by HR can see the Document/Announcement. The portal is on a 6.5 client and is being replicated to the other BU's. I am open to whatever works quickest! Thanks
Ray Padilla, IT Director, Asked:

mbonaci Commented:
Hi padillrr,
use one Readers field and one Author field on form.
In Author, Computed when composed, place the role [Admin] (someone who can see all - to avoid losing docs).
In Reader, Editable let creator enter who can see it (or compute it using @Name([OU]; @Username)).

Hope this helps,
Marko
mbonaci Commented:
padillrr,
here is a good Reader / Author fields explanation (tool).

http://www-10.lotus.com/ldd/46dom.nsf/11a0b6a64ffb3d8d85256a4c004f1bbd/e0359d10a2307d1885256c61000707b7?OpenDocument

Hope this helps,
Marko
Ray Padilla, IT Director (Author) Commented:
I'm not understanding, help me out, I already have the author field, now how do I make it so that in the readers field HR PICKS the OU's they do or do not want to see the document/announcement??? You're saying to use @Name([OU]; @Username) but wouldn't they then have to pick names???? We have over 1500 folks that have access to this Portal, I need to make it as user friendly as possible, remember this IS for HR :-)

mbonaci Commented:
padillrr,
if you have that large number of users I suggest you use "location" roles (every OU has its role), then put the role in the Readers field and everyone who has that role will see the document, others won't.

Here you can find more details about Reader/Author fields:
http://www.experts-exchange.com/Applications/Email/Lotus_Notes_Domino/Q_21780556.html

Hope this helps,
Marko
Ray Padilla, IT Director (Author) Commented:
Marko,
I took a look at the posting and it looks good except we are not using the C (country) on the OU. This is how our names look: Ray Padilla/US/XXXXX, Joe Blow/CR/XXXXX, Jane Doe/EU/XXXXX. How do I take advantage of this? Also, how do I use Roles without having to create groups to assign the roles to? Currently access is granted by virtue of */XXXXX which allows everyone access. I'd like to have a dialog list where HR just picks the Business units name then somehow in the background add those folks to the reader group.
mbonaci Commented:
padillrr,

this came "like ordered":
http://www.experts-exchange.com/Applications/Email/Lotus_Notes_Domino/Q_20246782.html

Hope this helps,
Marko
Ray Padilla, IT Director (Author) Commented:
How about a dialog list with something like:

Costa Rica | CR
Europe | EU
Colombia | CO
Florida | US
etc etc.

Then a computed readers field that grabs the initials and adds the remainder so that the readers fields will have something like this:

CR/XXXXX, CO/XXXXX

Would that work? And can I add the extension with Formula?
Ray Padilla, IT Director (Author) Commented:
I looked at the other post but that seems to be restricted based on who created the document, I want our HR to make the restriction....
mbonaci Commented:
padillrr,
I still suggest using Roles (every location has its role).

To let the creator assign the roles to the field use this option on the field's properties, second tab, Choices
    "Use access control list for choices"

Hope this helps,
Marko
mbonaci Commented:
have to go home...

I hope I was of some help...
Marko
marilyng Commented:
padillrr,  the reader's field can be editable, so that you have one field at the top of your form:  readersbase, that would = your HR and Admin roles. = readersbase, names, multivalue, maybe also the person who created the document

then you have an editable field that allows HR to select "who" can see the documents:
selectreaders, list, multivalue

Your selection formula has the "readable" and the real value:
Miami People|*/MIA/ORG
BBB Office|*/BBB/ORG

at the  bottom of your form is a computed READERS field, READERS, multivalue.
@Trim(@Unique(readersbase:selectreaders))

So your HR people can open the form, assign additional readers, and save the document.  (you can hide the editable field from all but your HR roles)

Ray Padilla, IT Director (Author) Commented:
This is what I did, I created an editable field viewable only by HR, here they select the OU's:

Costa Rica | CR
Europe | EU
Colombia | CO
Florida | US

Then I created a computed reader field with this formula:

"*/" + viewers + "/" + "XXXXX" where XXXXX is the company

I've tested it out and it seems to populate the readers field with

CR/XXXXX; US/XXXXX

The problem is that no one can see the announcement, I am guessing it's the ACL. In the ACL access is granted with:
*/XXXXX

Does it need to reflect the OU in the ACL? such as:
US/XXXXX
CR/XXXXX
ASPAC/XXXXX

Will that make the difference ?

Ray Padilla, IT Director (Author) Commented:
Sorry, I meant:
*/US/XXXXX
*/CR/XXXXX
*/ASPAC/XXXXX
and in the formula viewers is the name of the editable field.
Ray Padilla, IT Director (Author) Commented:
Marilyng,

I read here http://www.experts-exchange.com/Applications/Email/Lotus_Notes_Domino/Q_20246782.html , that readers field cannot have a wildcard, but I've done everything you suggested except create the readerbase field at the top of the form. On the computed readers field at the bottom the entries are separated by a ; (semicolon) instead of a colon or comma.
Ray Padilla, IT Director (Author) Commented:
It's almost there!!!!! I just need clarification on the ACL entry, if we are using */XXXXX instead of */US/XXXXX will this work or do we have to modify the entry and if I have to modify the entry must I delete the */XXXXX entry? Does it even make a difference? Can someone explain why it currently isn't working with just the entry */XXXXX?
Ray Padilla, IT Director (Author) Commented:
By the way, I used the separator on the field to be a comma and that worked so now the entries are reflected I THINK properly
marilyng Commented:
Hi padillrr,

The note you reference in experts exchange is incorrect.  The readers and authors fields can contain wildcard ou, o, c, just as long as you specify them in canonical format: */ou=thisou/o=thiso

I was a bit sloppy on my syntax to you (apologies)

Change the computed DOCREADERS to: @Name([Canonicalize];@Trim(@Unique(AllReaders:SelectReaders)))
(Names, Multivalue, doesn't matter how it's separated) Just make sure it's at the END of the form.

ALLREADERS field, names, multivalue (or text)
"[HR]":"[Admin]"

So, if you have: SELECTREADERS field (text, multivalue)
Shipping Department|*/Shipping/MyDomain
All of My Domain|*/MyDomain
Accounting|*/Accounting/MyDomain

In your dropdown list, multivalue, doesn't matter how it's separated.

I would add a  source.refresh in the querysave event, also.

marilyng Commented:
BTW, I tested, and it does populate correctly with the wildcard, just make sure the drop down list is text.

Also, I added the wildcard values to the ACL, set the database to  "enforce a consistent ACL" and make sure there is an administration server listed.
mbonaci Commented:
I also thought that the Readers field can't contain wildcards, good to know...

marilyng,
why does it have to be at the end of the form?

Marko
Ray Padilla, IT Director (Author) Commented:
Well, I've changed the ACL to reflect */US/XXXXX, but it still does not work. I can read it as the author but nobody else sees it; regardless of what OU I use it is not working. Am I missing something?
Ray Padilla, IT Director (Author) Commented:
Marilyng, I am not using the Allreaders field, my authors field is set to change and add the Admin and HR roles once it has been submitted so I am only using the SelectReaders field, I have therefore changed the formula to this:

@Name([Canonicalize];@Trim(@Unique(SelectReaders)))

That is not populating the readers field at all.

The SelectReaders field is a dialog list with the following:

Costa Rica | */CR/XXXXX
Europe | */EU/XXXXX
Colombia | */CO/XXXXX
Florida | */US/XXXXX


marilyng Commented:
Of course not... padillrr, you must remember that when we suggest a method, it is for a reason,

you need to use the allreaders field - TEXT, multivalue
you need to use the selectreaders field - TEXT, multivalue

you then need to have a computed READERS field at the bottom of the form that has BOTH values concatenated.

then you need to be sure to do a source.refresh in the query save, ELSE YOUR READERS VALUES WILL NOT POPULATE.

marilyng Commented:
sorry, that submitted before I was finished,
the reason is that your SelectReaders also needs to do a refresh fields on change, so that you force a calculation.

The reason for the ALL readers is in case people save without selecting something, then you don't have a bunch of forms that no one can get into, it is set when the form opens and populates the readers field with a default list, uh, so the SERVER can see the document, too, else it won't replicate.

Ray Padilla, IT Director (Author) Commented:
OK I am a dumba$$, as soon as I did exactly what you said it worked! One minor issue with ACL: we have changed our ACL and deleted the */XXXXX and replaced it with */US/XXXXX etc etc. What if I want everybody to see it? Would adding an entry to the Selectviewers field of ALL Business Units | */XXXXX work? Even though that is not an entry in the ACL? If we added that entry to the ACL wouldn't it then allow all readers regardless?
marilyng Commented:
It will allow the readers access to the database, but not necessarily reader access to the document.

If */ABC = reader access, then they can open the database and read public forms, public views, but not any document where the readers field isn't set to */ABC.

Now, it gets a bit complicated, because if the reader= */ABC

Then */ABC only,  or */Accounts/ABC will have reader access to the document.

*/Accounts/ABC = ACL Reader will allow those users reader access to the database.  But not allow mary smith/ABC access.

I have many databases where I set the readers ACL  to */ABC, which allows ALL access, then done specific */Accounts/ABC for target documents and views.
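
As an added illustration (not part of the thread and not Domino code), this Python sketch models the two gates discussed above: the database ACL decides who can open the database, and a document's Readers field then decides who can see that document. It assumes hierarchical names in abbreviated or canonical form, treats a leading `*/` as a suffix match, merges roles from every matching ACL entry, and ignores groups and Authors fields; the sample ACL and the "HR User" name are constructed.

```python
# Added illustration (not Domino code): simplified model of the ACL gate
# and the Readers-field gate. Groups and Authors fields are not modelled.

def normalize(name):
    """Lower-case and drop CN=/OU=/O= labels so canonical and
    abbreviated forms of a hierarchical name compare equal."""
    return "/".join(p.strip().split("=", 1)[-1] for p in name.split("/")).lower()

def entry_matches(entry, user, user_roles=()):
    """True if an ACL or Readers entry (name, */wildcard or [Role]) covers user."""
    e = normalize(entry)
    if e.startswith("["):                      # role, e.g. [HR]
        return e in {r.lower() for r in user_roles}
    u = normalize(user)
    if e.startswith("*/"):                     # "*/cr/xxxxx" covers ".../cr/xxxxx"
        return u.endswith(e[1:])
    return e == u                              # plain name must match exactly

def can_read(user, acl, readers):
    """acl maps ACL entry -> set of roles; readers is the Readers field list."""
    matched = [roles for entry, roles in acl.items() if entry_matches(entry, user)]
    if not matched:
        return False                           # gate 1: cannot open the database
    if not readers:
        return True                            # empty Readers field: no restriction
    roles = set().union(*matched)              # assumption: roles from all matches merge
    return any(entry_matches(r, user, roles) for r in readers)   # gate 2

# Constructed sample data using the thread's naming pattern.
ACL = {"*/XXXXX": set(), "HR User/US/XXXXX": {"[HR]"}}   # "HR User" is hypothetical
READERS = ["[HR]", "[Admin]", "*/CR/XXXXX", "*/CO/XXXXX"]

if __name__ == "__main__":
    for who in ("Joe Blow/CR/XXXXX", "Jane Doe/EU/XXXXX", "HR User/US/XXXXX"):
        print(who, can_read(who, ACL, READERS))
```

In this model a Readers value written without the `*/` prefix, such as `CR/XXXXX`, is compared as an exact name and therefore covers no user.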
Ray Padilla, IT Director (Author) Commented:
So if I understand correctly, */US/XXXXX allows readers of the US certifier only whereby */XXXXX will allow all certifiers access, so if I use Global | */XXXXX as an option on the dialog list then all certifiers would be able to read the announcement. If I were to add then */XXXXX to the ACL I could still use */US/XXXXX to allow or deny readers access to an announcement. Am I correct in my understanding?
marilyng Commented:
If I understand what you're saying, yes.


*/XXXX to the DB ACL = with reader access will allow all to read only,
*/XXXX to the DB ACL = with author access + create new documents will allow all to create and edit documents they create.  

A document having a readers field set to:
*/O=XXXX will allow */OU=ABC/O=XXXX and */OU=BBB/O=XXXX to read the document.
*/OU=ABC/O=XXXX will allow */OU=ABC/O=XXXX and */O=XXXX to read the document but not */OU=BBB/O=XXXX
Ray Padilla, IT Director (Author) Commented:
Excellent! Thank you Marilyng, by the way would this work on the web? Should I open another question!
marilyng Commented:
It should work.. :)