Using Roles
Roles are a very powerful and useful feature that can be used to further refine a database ACL. Roles are actually created in the ACL through the Roles tab, which is shown in Figure 23.15.
Figure 23.15. The Roles tab of the ACL is where database managers can add and delete roles.
Just like groups, people are assigned to roles. What's different about roles is that groups can also be assigned to a role. In fact, any entry in the ACL can be assigned to a role. However, this is also the main limitation of roles: only entities listed in the ACL can be assigned to one. Therefore, if you use group names in the ACL and you want only some of the people in that group to hold a particular role, you cannot do it unless you explicitly place those users' names in the ACL as separate entries.
To create a new role in a database, follow these steps:
- Open the ACL for the database.
- Click the Roles button.
- Click the Add button.
- Type the name of the new role and click OK.
- Click OK to close the ACL window.
Clicking the Add button brings up a simple window for the new role. Type the name of the role and click OK. The new role appears enclosed in brackets in the Roles window. Roles also appear in the Roles list box in the lower-right corner of the Basics tab of the ACL. Up to 75 roles can be added to a database. Role names can contain letters, numbers, and spaces. Lotus recommends (and I agree) that it's best to exclude spaces when naming roles.
After a role is added to the database, it can be used to limit access to design elements of the database. Both forms and views have a Security tab on their properties box where roles can be selected. This is useful when certain documents store values that only a specific group of people should update, such as the lists used in keyword fields. You can limit create access for the form that stores the lists, and restrict use of the view that displays those documents, to that group of individuals. The values in the documents can still be read by using @DbColumn or @DbLookup against a hidden view, and the returned list can then be used in a keyword field; note that restricting who can use a view only hides the view, it does not protect the documents themselves. Roles can also be used to limit access to individual documents. To limit access to a form using a role, follow these steps:
- Open the form in Design mode.
- Open the form's properties box and click the Security tab (the tab with the key).
- Deselect All Authors and Above from the Who Can Create Documents with This Form section in the middle of the properties box.
- Click the role in the list box.
Similarly, read access to documents created by the form can be limited by deselecting All Readers and Above at the top of the properties box under Default Read Access for Documents Created with This Form and choosing an appropriate role. In both cases, make sure that groups and individuals have the role selected in the Basics tab of the ACL. This is accomplished very easily by selecting the group or individual in the ACL and clicking the appropriate role in the Roles list box. A check mark appears beside the role. Figure 23.16 shows an example of assigning a role to an individual.
Figure 23.16. The NewsEditor role is assigned to individuals and groups by placing a check mark beside the role.
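The procedure above (create the role, then grant it to entries in the ACL), as an added LotusScript example using the back-end NotesACL and NotesACLEntry classes. This is not code from the page or from Lotus; the database path news.nsf, the role name NewsEditor, and the ACL entries Jane Doe/Acme and NewsStaff are assumed for illustration.

```lotusscript
%INCLUDE "lsconst.lss"   ' supplies the ACLLEVEL_* constants

' Added example, not from the original page: create a role and grant it
' to existing ACL entries. Assumed names: database "news.nsf" on the
' current server, role NewsEditor, ACL entries "Jane Doe/Acme" and
' "NewsStaff".
Sub CreateAndAssignRole
    Dim session As New NotesSession
    Dim db As NotesDatabase
    Dim acl As NotesACL
    Dim entry As NotesACLEntry
    Dim roles As Variant
    Dim roleName As String
    Dim roleTag As String
    Dim found As Integer

    roleName = "NewsEditor"          ' no spaces, as recommended above
    roleTag = "[" & roleName & "]"   ' bracketed form reported by acl.Roles

    Set db = session.GetDatabase("", "news.nsf")   ' assumed database path
    Set acl = db.ACL

    ' Add the role only if it does not already exist; acl.Roles returns the
    ' role names with their enclosing brackets
    found = False
    roles = acl.Roles
    ForAll r In roles
        If r = roleTag Then found = True
    End ForAll
    If Not found Then Call acl.AddRole(roleName)

    ' A role can only be enabled for an entity that is already in the ACL,
    ' so create the entry first if it is missing
    Set entry = acl.GetEntry("Jane Doe/Acme")
    If entry Is Nothing Then
        Set entry = acl.CreateACLEntry("Jane Doe/Acme", ACLLEVEL_AUTHOR)
    End If
    Call entry.EnableRole(roleName)

    ' Groups are granted roles the same way as people
    Set entry = acl.GetEntry("NewsStaff")
    If entry Is Nothing Then
        Set entry = acl.CreateACLEntry("NewsStaff", ACLLEVEL_AUTHOR)
    End If
    Call entry.EnableRole(roleName)

    Call acl.Save   ' nothing takes effect until the ACL is saved
End Sub
```

Run it from an agent with Manager access to the target database; after it completes, the Basics tab of the ACL shows the NewsEditor check mark beside both entries, exactly as in Figure 23.16.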
Using roles in view security is similar to form security. To use a role to limit access to views:
- Open the view in Design mode.
- Open the View properties box and switch to the Security tab.
- Deselect All Readers and Above under May Be Used By.
- Click the role and save the view.
Remember that roles are not the only means of limiting access to forms and views; groups and individuals can also be named in these lists. Furthermore, this technique does not override the ACL. If a user has Reader access to a database, that user can only read documents in that database; assigning create access for a form to that user does not allow the user to create documents with that form. A view's May Be Used By list is likewise a convenience, not a security measure: a user who is excluded from the view can still reach the same documents through another view, a private view, or @DbLookup. Only the ACL and Readers fields (including the $Readers field that a form's default read access setting writes into new documents) actually restrict who can read a document. Always think of this technique as a refinement of the ACL.
Roles can also be used to limit read and edit access to specific documents. Adding a role to a Readers or Authors field quickly and easily accomplishes this. The role must be enclosed in quotes and square brackets, as in the following example: "[ReardenSteel]". Include the document's author (and, if the database replicates, a group containing the replicating servers, such as LocalDomainServers) alongside the role in a Readers field, or the creator may be locked out of the document as soon as it is saved. Remember also that an Authors field grants edit rights only to users who already have Author access in the ACL.
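Setting a Readers field and an Authors field that name a role, as an added LotusScript example (not code from the page or from Lotus). It assumes the role ReardenSteel, the server group LocalDomainServers, field names DocReaders and DocAuthors, and a NotesDocument already obtained by the caller; the role check at the end uses NotesDatabase.QueryAccessRoles, which is assumed to be available in your release.

```lotusscript
' Added example, not from the original page: restrict a document with a
' role in its Readers and Authors fields. Assumed names: role
' ReardenSteel, group LocalDomainServers, items DocReaders/DocAuthors.
Sub RestrictDocumentWithRole(doc As NotesDocument)
    Dim session As New NotesSession
    Dim readersItem As NotesItem
    Dim authorsItem As NotesItem
    Dim readers(2) As String
    Dim authors(1) As String

    ' Readers list: the bracketed role, the servers that must replicate the
    ' document, and the current user (canonical name), so the creator does
    ' not lose sight of the document if they do not hold the role
    readers(0) = "[ReardenSteel]"
    readers(1) = "LocalDomainServers"
    readers(2) = session.UserName
    Set readersItem = doc.ReplaceItemValue("DocReaders", readers)
    readersItem.IsReaders = True

    ' Authors list: role holders may edit, but only if the ACL already
    ' grants them Author access; the field never raises the ACL level
    authors(0) = "[ReardenSteel]"
    authors(1) = session.UserName
    Set authorsItem = doc.ReplaceItemValue("DocAuthors", authors)
    authorsItem.IsAuthors = True

    Call doc.Save(True, False)
End Sub

' Returns True if the named user holds the given role in db, by asking the
' ACL directly (QueryAccessRoles reports roles with their brackets).
Function UserHoldsRole(db As NotesDatabase, userName As String, _
    roleName As String) As Integer
    Dim roles As Variant
    Dim roleTag As String

    UserHoldsRole = False
    roleTag = "[" & roleName & "]"
    roles = db.QueryAccessRoles(userName)
    If Not IsEmpty(roles) Then
        ForAll r In roles
            If r = roleTag Then UserHoldsRole = True
        End ForAll
    End If
End Function
```

Call RestrictDocumentWithRole from a form's QuerySave event or from an agent that processes the documents to protect; UserHoldsRole is useful in an agent that must decide, before editing, whether the current user would still be able to read the document afterwards.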