The Role of the Domino Directory in Application Security
A Domino Directory ( names .nsf), formerly known as the Public Name and Address Book (or to we longtime Notes geeks , the NAB ), defines each Domino domain. The Directory is the single most important database in your Domino environment because it contains many documents that define every aspect of your Domino environment. Most of the capabilities of the Directory are beyond the scope of this book. (For a good book on this topic, see Rob Kirkland's Domino System Administration from New Riders.) This subsection focuses on the information developers need to know concerning the role of the Domino Directory in regard to application security, such as creating new databases, creating replica databases, and running agents .
Server Documents
Server documents define the servers in your Domino environment and control such things as server access, database creation, security, protocols and the like. There are several security aspects of the server document that can affect your development efforts.
Consequently, you should be familiar with them as a Domino developer.
NOTE
In many organizations, you won't have the authority to change these settings, but you need to be aware of them nevertheless.
Creating New Databases and New Replicas on a Server
To create databases on a server, your name must be explicitly listed or you must be a member of a group that's listed in Create New Databases field, which can be found in the Security tab of the Server document. Figure 23.9 shows this section.
Figure 23.9. The Security tab of a Domino Server document controls access to the server.
To create a replica database on a server, you must be named in the Create Replica Databases field, which is also found in the Security tab of the Server document.
Any time changes are made to these fields, the server must be restarted. To make it easy to grant this privilege to individual users, most administrators create groups such as Domino Administrators and Domino Developers, and place the group names in these two fields. Granting a privilege to an individual is then a simple matter of adding the individual to the appropriate group, thus avoiding the need to restart the server.
Running Agents on the Server
In the Security tab of the Server document, you'll also find settings that control the ability to run agents on the server. As a developer, you likely know that agents are the single most powerful development tool in your toolbox, and permission to run agents you develop is obviously necessary.
Generally speaking, developers should be listed in the Run Restricted LotusScript/Java Agents and the Run Unrestricted LotusScript/Java Agents fields in the Agent Restrictions Section. They should also be in the Run Restricted Java/JavaScript/COM and Run Unrestricted Java/JavaScript/COM fields so that they can run any agents that they develop.
Person Documents
The Person document is created every time a new user is registered and is ultimately used to authenticate both Web and Notes client users. When a user attempts to access resources on a server, the server searches the Person documents in the Directory in an attempt to authenticate the user. Among other things, it contains the user 's name, password, and certificates. Figure 23.10 shows the Basics tab of a Person document.
Figure 23.10. The Basics tab of a Person document contains all the possible names used to identify a user in the FullNames field.
Group Documents
Group documents are used to facilitate access for a related list of people and are the preferred way to grant access to databases. Figure 23.11 displays a Group document.
Figure 23.11. This Group document is used for Domino developers in my domain.