Hey Jake,
Forget about a separate address book (although that may work too). There's no need with Extended ACLs in Domino 6.
You can lock down portions of a NAB from one group of users or another. Basically meant for an ASP or something, so that each group they host would appear to have their own NAB. xACL allows an admin to further refine the ACL down to categories of documents within the NAB. The categorization is based on the hierarchical portion of the relevant document (for a person doc, that would be the User Name field).
Note, it doesn't bypass the ACL, it refines it, giving a whole new level of granularity to NAB settings. That said, the ACL still sets the ceiling.
So, for this example, we'll go with:
- /webusers for the 'external' web people. Note that the /webusers version of their name must be the first one listed in the "User Name" field in the server's NAB
- /Insiders for the employees
Single Domino Directory

| Users | Current Situation | Desired scenario |
|---|---|---|
| Road Runner/webuser, Neo/webuser | n/a | n/a |
| W.Coyote/Insider, Agent Smith/Insider | All four names are in the address dialogue | /webuser names are not listed |
Your goal is that W. Coyote and Agent Smith wouldn't be able to send email to Road Runner and Neo. More importantly, that type-ahead addressing wouldn't pick up their names. A simple xACL rule accomplishes that:
First, select your 'target category':
(ok, I used /Web instead of /webusers...sue me ;-)
Next is the Access List. This is analogous to where names/groups are entered in the standard ACL. In this example, */Insider could be a choice.
Then comes the "Attributes":
That's the simple way of setting that up. Another way--and depending on the situation, probably a better way--is to set the "root" rules to 'deny'...and then allow each group to see their own stuff (something like that would be appropriate for an ASP I think).
Only hitch so far is that the /webusers were still viewable in the "Person" view. Perhaps tweaking those rules further would prevent that as well (it was only a quick test for me, so I didn't go the full route of testing for that too...call me lazy ;-)
Anyway, with xACL enabled on the server's NAB, you can prevent /Insiders from seeing the /webusers when addressing an email (among other things too). Check out the admin help.

Again, check the admin help--there's a couple warnings in there (e.g. the conversion to xACL can apparently be a lengthy process with a 'large' NAB). Also, xACL and anonymous LDAP don't get along too well...unless you don't mind anonymous access to your NAB...
Hope that helps.
Rod