I'm adding security around some buttons in an app I built long ago. The way I implemented this security feature is that I created a a role in the database's ACL. I do a check in the button's hide-when formula and expose the button if the role is there. That role is assigned to a security group in the Domino Directory. That security group contains a collection of other groups. These 2ndary groups contain people's names. Those names are retrieved from a Postgres database -- I have a LotusScript agent that pulls the names from that database. The problem I'm seeing is that even tho a name is in the 2ndary group, Notes doesn't recognize it. Here's an example. This user are in these groups:
however, he should also be in all of these:
How can I debug where the problem is?
thanks
clem
I think the problem is that for one group in particular, there are 2 copies of the group document. I didn't see that b/c in the main group view it doesn't show up. But when I was in the process of assigning a child group to a parent group, I can see the duplicate listed. I suspect this is the source of the problem. Will confirm.
thanks
clem
Make sure the members of the 2ndary groups contain names in fully qualified format that matches the first entry of their FullName in the person document. EG "John Smith" should be "CN=John Smith/O=LabWare" or something like that.
You can see what groups and roles the system recognizes a user in by double clicking on the security icon on the status bar in the Notes Client (bottom 3rd from the right) after you have opened the database.
Related
A user is not able to edit a form. The user had editor access and i've tried to replicate the issue using a test user and providing the same access as the user, but to no avail. I came across a link which told me that there is something called as additional ACL control in Lotus Administrator. I'm not sure if this actually can influence the editing privileges. I don't think that could be the problem. Anyway, please let me know if you can figure out the problem.
Additional info:
The user is a part of a distribution list(multipurpose group) and the group has editor access.
The default access to the form is Author, with a authors field in the form.
The user has 2 names mentioned in the names.nsf person document. An old name and a new name.
The required user roles are assigned to the group.
Let me know if you need additional info.
With Editor rights she should be able to edit. Please check her rights by placing a Computed Text with #UserAccess on the form.
Or if she is using a Notes client she can simply click the "Security" icon in the bottom toolbar of the Notes, near the right corner. It will open a dialog box telling what is her access level to the database.
A few things to check:
is the user listed explicitly in the ACL? If so, those rights will take precedence over any groups she's in.
check the authors field carefully. Best option is to look at the properties of the doc she's editing via the Notes client and examine the authors field in the dialog. That will let you see if any code altered the list of allowed authors. If she's an editor this shouldn't matter but based on the behavior you are seeing it sounds like she's acting as an author.
Make sure that the names in the authors fields are being stored in the canonical format and are not abbreviated or in common name. EG: using Herny Newberry/MyOrg does not work while using CN=Henry Newberry/O=MyOrg does.
The issue is solved. There was some problem with the user configuration. Thats the reason she was getting author access even though she was an editor. After reconfiguration of her Notes client, she'd able to edit the form now. Thanks to all of you for your help.
Although already answered and a solution found, it should be noted that user-names listed in the 'fullname' field of the NAB person record should list the current or 'newname' first as other names may not be recognized.
What I need
I have a custom Entity with that with multiple fields. Admin Role has "god" access. All other roles except for one have read only. The one non admin role with update access, should only be able to update a single field.
What I believe to be true
I believe I have three main options to implement this requirement:
Enable Update Access to the role for that entity then write Javascript to disable all fields on the form for that role, except for the one that I want that role to be able to edit
Enable Update Access to the role for that entity then create a new form that disables all fields on the form for that role, except for the one that I want that role to be able to edit.
Enable Update Access to the role for that entity then turn on field security for each field, disabling access using the field security, for each field except for the one I want them to edit.
What's the Best Practice?
What options should I choose?
If I go with options 1 or 2, will the user be able to edit the field on the bulk edit form?
From a user perspective, I think it's confusing when a form opens up with things enabled, then they get locked down. Plus someone could possibly get data in there before the fields get locked. I'd say you'd have to combine this with a plugin to prevent changing fields you don't want changed.
I like this option better, although again, the field can be unlocked if someone knows what they're doing, so a plugin to double check would be nice.
This would avoid having to double check in a plugin, but you also have to rely on the admin correctly setting up security for new fields going forward. If that's not a concern, this might be best.
Bulk edit is a global privilege, so they'd have bulk edit for all entities. Also, the bulk edit form does not load scripts, so that knocks out option 1. I'd say if it's just this one field, I might leave the privilege locked down and provide my own Bulk edit button on the grid that would show a custom page that just has that one field on it, then handle the updates though script.
2 is most likely best, or as an alternative put the fields in the header or footer rather than as read-only fields on the form.
This also means the fields won't be available to bulk edit, but other methods such as data import or workflows would let users get round this if they know how and have rights to do such things.
3 Field Security is the most robust and works for all scenarios
Possible option 4: create another entity to contain those fields and apply different security to that entity. If created as a child, show the record in a grid on the form with the values included in the view. If it is a parent then you could use methods such as showing the values via an HTML webresource page included on the form.
It is possible to define in bugzilla the own list with assgined to users? In out company we have a lot of customers but when the customer assigned to one product he visible on all products on "assigned to" field. Can I change my assigned to select?
Look at Security Groups - http://www.bugzilla.org/docs/4.2/en/html/groups.html
Then navigate to the group security page.
Administration -> Parameters -> Group Security
Find the setting makeproductgroups and ensure that is is On.
Next find the usevisibilitygroups setting and ensure that it is On. This setting prevents someone in group A from seeing the people in group B. This is especially important if you are letting multiple clients view and/or edit their bugs.
Finally find the strict_isolation setting and ensure it is On.
Now create your groups and assign them to products and users.
I am using the PublishingWebControls:SummaryLinkFieldControl and would like to add another field for the Group Description (In addition to the Group Name).
The default field available is the Group Name and Group Items. I really need an option to to hold the Group Description as well.
Is this possible without customisation?
You'll definitely need to customise to a certain extent!
I know you can create create new item screen by modifying CmsSlwpAddEditLink.aspx (search for it)
Though it seems like what you're after is modifying the creation of the Group.
Rough guess: Figure out which content type the list of fields is based on. Add your field in. Find the .aspx which fires when creating a new group (google it) , drop the field syntax into that and see if that works.
Let us know if you find a solution.
As MSDN states, then WriteSecurity has 1 of 3 states possible:
1 — All users can modify all items.
2 — Users can modify only items that
they create.
4 — Users cannot modify any list
item.
But if I want behavour nr. 2 plus users can modify items that are assigned to them? Well if I grant a user full permissions (put in owners group) for list, then those can edit any item (not good). So why wouldn't it work by setting item level permission "full control" just for AssignedTo user (good)? I did, but that didn't help - access denied.
I want exactly the functionality as stated in question "Automatically set list item permission, after new item is created", quoting:
Every users (Supervisor and team members) can see any tasks.
Supervisors can edit any tasks
Team members can only edit their own tasks (tasks that were assigned to them, or created by them)
but although answer has been accepted, the solution does not provide a way for users to edit items assigned to them or items created by user.
Help is appreciated, thank You!
Your only way to do this is using Item-Based Permissions. E.g. have a Workflow or Event Handler change the permission on each file/object based on your requirements.
The solution you quote from the other task is simply setting 2 for SPList.WriteSecurity which still doesn't give users the possibility to edit something they have not created, but were assigned to - in this case you will need to give these users permission, e.g. by listening on the "Assigned To" field with an Event Handler (OnItemUpdated) and give the respective person the needed permission.
Furthermore the solution talks about just setting higher permissions for the users who should always be able to edit items (managers), which is a solution, but you do not have the granularity you usually want in situations like these.