This is a copy of the contents of a technote that does a good job of going over the Domino.Doc groups.
Pasted it here, as it is difficult to find when searching the IBM support site.
Technote Reference #: 1090963
Problem
How can you troubleshoot errors in Domino.Doc that appear to be due to user access rights?
Solution
Domino.Doc maintains access control using a combination of Access Control Lists (ACLs), internally maintained Profile documents, and Domino.Doc groups stored in the Domino Directory. All maintenance of Domino.Doc access should be done through the Domino.Doc user interface. You should never modify the database ACLs directly.
Group documents
You should not edit the Domino.Doc groups in the Domino Directory, with the exception of the Domino.Doc Site Administrators and Domino.Doc Servers groups. The Domino.Doc reserved groups are as follows:
Domino.Doc Administrators
Domino.Doc Address Book Editors
Domino.Doc File Cabinet Creators
Domino.Doc Users, and
all groups that begin with those titles, such as Domino.Doc Administrators for My_Library.
(Exception: If Domino.Doc is not allowed to update the Domino Directory directly, an administrator must do this manually using the information sent in an email to the administrator by the Domino.Doc system.)
Profile documents
Library System Profile: At the library level, an administrator can set library-wide rights using the library's System Profile, accessed via Library Administration -> System Profile. These settings are as follows:
"Who can administer Domino.Doc?"
"Who can create file cabinets and document/binder types?"
The data entered in these fields is stored in the System Profile and added to the appropriate Domino.Doc groups in the Domino Directory. The ACL for a library uses only Domino.Doc groups to grant access to the library; no individual names should appear in the ACL of a library.
An example of an unmodified Domino.Doc Library ACL:
User/Group Name: -Default-
Access Level: No Access
Role(s): [None Assigned]
User/Group Name: OtherDomainServers
Access Level: No Access
Role(s): [None Assigned]
User/Group Name: Anonymous
Access Level: No Access
Role(s): [None Assigned]
User/Group Name: Domino.Doc Users for A_Library
Access Level: Author
Can Create Documents: Yes
Can Delete Documents: Yes
Role(s): [None Assigned]
User/Group Name: Domino.Doc File Cabinet Creators for A_Library
Access Level: Author
Can Create Documents: Yes
Can Delete Documents: Yes
Role(s): [AddressEditor], [FileCabCreator]
User/Group Name: Domino.Doc Administrators for A_Library
Access Level: Manager
Can Delete Documents: Yes
Role(s): [AddressEditor], [Administrator], [FileCabCreator]
User/Group Name: Domino.Doc Servers
Access Level: Manager
Can Delete Documents: Yes
Role(s): [Administrator]
User/Group Name: Domino.Doc Site Administrators
Access Level: Manager
Can Delete Documents: Yes
Role(s): [AddressEditor], [Administrator], [FileCabCreator]
File Cabinet Profile: Access at the file cabinet level is defined in the File Cabinet's Profile document, which is located in the library in the Library Administration view. The "Access Control" action button on the Profile document permits an administrator to add and remove users from a library, and to set access levels of reader, author, and manager. When a user/group is added to a file cabinet in Domino.Doc, that information is stored in the library's File Cabinet Profile document, as well as in the Global Profile document found in every binder and document database for that file cabinet. The Domino.Doc groups in the Domino Directory are also updated so that the user/group is added to the groups required for the given access level. Additionally, the ACL of every file cabinet database is updated with the user/group name set to the appropriate access level.
An example of an unmodified File Cabinet ACL:
User/Group Name: -Default-
Access Level: No Access
Role(s): [None Assigned]
User/Group Name: CN=Al Powerful/O=ICBM
Access Level: Manager
Can Delete Documents: Yes
Role(s): [Administrator], [Author]
User/Group Name: OtherDomainServers
Access Level: No Access
Role(s): [None Assigned]
User/Group Name: Anonymous
Access Level: No Access
Role(s): [None Assigned]
User/Group Name: Domino.Doc Administrators for A_Library
Access Level: Manager
Can Delete Documents: Yes
Role(s): [Administrator], [Author]
User/Group Name: Domino.Doc Servers
Access Level: Manager
Can Delete Documents: Yes
Role(s): [Administrator], [Author]
User/Group Name: Domino.Doc Site Administrators
Access Level: Manager
Can Delete Documents: Yes
Role(s): [Administrator], [Author]
User/Group Name: CN=Justin Editor/O=ICBM
Access Level: Author
Can Create Documents: Yes
Can Delete Documents: Yes
Role(s): [Author]
User/Group Name: CN=Webb Yuser/O=ICBM
Access Level: Reader
Role(s): [None Assigned]
Binder and Document: Access at the Binder and Document level is controlled by fields in the Binder and Document documents stored in the file cabinets. The fields used by the system to maintain access rights are as follows:
DocAuthor
DocReaders
DocAuthors
DocManagers
ComputedAuthors
ComputedReaders
ComputedManagers
Causes of access problems
Because of the necessity for all components of Domino.Doc security to work together seamlessly, it is imperative that all updates be made through the Domino.Doc administrative interface. Access errors are often the result of a modification of security that is done outside of Domino.Doc. This outside change results in the other parts of security failing to be updated, and subsequently the Domino.Doc security system stops functioning correctly. Some frequent causes of access problems in Domino.Doc are as follows:
Domino.Doc database ACLs have been modified.
ACL roles have been modified.
Domino.Doc reserved groups in the Domino Directory have been edited or removed.
A Domino.Doc reserved group is selected when setting security for a file cabinet or library. This selection creates a recursive (that is, circular) reference, as the group name selected is added as a member of itself by the system. For more details, refer to technote #177724.
Domino.Doc Site Administrators and/or the Domino.Doc server is missing from the "Run Unrestricted LotusScript/Java agents" field in the Security section of the Server document in the Domino Directory.
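The first two causes above (modified ACLs and modified roles) can be checked mechanically against the unmodified library ACL shown earlier. The following is an added example, not part of the technote or of Domino.Doc: it assumes the ACL summary has been saved as text in the "User/Group Name / Access Level / Role(s)" layout used on this page, and the function names and sample input are constructed for illustration.

```python
import re

# Baseline copied from the page's unmodified library ACL; <LIB> is the library name.
ADMIN = {"AddressEditor", "Administrator", "FileCabCreator"}
BASELINE = {
    "-Default-": ("No Access", set()),
    "OtherDomainServers": ("No Access", set()),
    "Anonymous": ("No Access", set()),
    "Domino.Doc Users for <LIB>": ("Author", set()),
    "Domino.Doc File Cabinet Creators for <LIB>": ("Author", {"AddressEditor", "FileCabCreator"}),
    "Domino.Doc Administrators for <LIB>": ("Manager", ADMIN),
    "Domino.Doc Servers": ("Manager", {"Administrator"}),
    "Domino.Doc Site Administrators": ("Manager", ADMIN),
}

def parse_acl(text):
    """Parse the summary into {name: (access level, set of roles)}; other fields are ignored."""
    acl, name, level = {}, None, None
    for line in text.splitlines():
        key, _, value = (part.strip() for part in line.partition(":"))
        if key == "User/Group Name":
            name, level = value, None
        elif key == "Access Level":
            level = value
        elif key == "Role(s)" and name:
            acl[name] = (level, set(re.findall(r"\[([^\]]+)\]", value)) - {"None Assigned"})
    return acl

def audit_library_acl(text, library):
    """Return a sorted list of findings where a library ACL departs from the baseline."""
    expected = {k.replace("<LIB>", library): v for k, v in BASELINE.items()}
    actual, findings = parse_acl(text), []
    for name, (level, roles) in actual.items():
        if name not in expected:
            kind = "individual name" if name.startswith("CN=") else "unexpected entry"
            findings.append(f"{kind} in library ACL: {name} ({level})")
        elif (level, roles) != expected[name]:
            findings.append(f"modified entry: {name} is {level} {sorted(roles)}")
    findings += [f"missing entry: {n}" for n in expected if n not in actual]
    return sorted(findings)

# Constructed sample: -Default- raised to Reader, a person added directly, a role removed.
SAMPLE = "\n".join([
    "User/Group Name: -Default-", "Access Level: Reader", "Role(s): [None Assigned]",
    "User/Group Name: CN=Webb Yuser/O=ICBM", "Access Level: Editor", "Role(s): [None Assigned]",
    "User/Group Name: Domino.Doc Servers", "Access Level: Manager", "Role(s): [None Assigned]",
])

if __name__ == "__main__":
    print("\n".join(audit_library_acl(SAMPLE, "A_Library")))
```

The baseline applies to library databases only; file cabinet ACLs legitimately contain individual names, as the file cabinet example on this page shows.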
Troubleshooting errors
To troubleshoot errors with Domino.Doc security, it is helpful to collect the following information:
1. Obtain a summary of the Access Control List for all affected databases. To do so, open the database and select File - Database - Design Synopsis from the menu. Next, select the Database Information tab, check "General Information" and "Access List", and click OK. This option produces a document that summarizes that database's ACL. You can forward this summary document in an email. You should collect an ACL summary for all binder and document databases in any file cabinet with access problems, and for the library where the file cabinet resides.
2. Obtain copies of the Global Profile Document from the file cabinet, and the File Cabinet Profile and the System Profile documents from the library, and place them in a database. For further details, refer to the following technotes:
"Troubleshooting Domino.Doc Problems Related to Domino.Doc Profile Documents" (#193501)
"Capturing Domino.Doc Profile Data for Troubleshooting" (#193505)
3. Obtain the Group documents for all groups that begin with the words "Domino.Doc" in the Domino Directory. These documents can be added to the same database used to transfer the documents from Step 2.
4. If access problems appear to be at the Binder or Document level, obtain a copy of some Binder or Document documents with the issue. These can be copied from the File Cabinet Maintenance view to the database used to transfer the documents from Step 2.
Supporting Information:
Related Documents:
Error: "Someone Else May Be Configuring Security on Your System" in Domino.Doc
Document #: 180580
About Group Ownership Differences in Domino.Doc 3.1; How to Upgrade or Keep the Old System
Document #: 186959
Default ACL Settings for Domino.Doc 3.1 Templates
Document #: 188884
Unable to set up or invite users to new library in Domino.Doc 3.1
Document #: 191377
Domino.Doc Error: "The Access Control List for the File Cabinet Could Not Be Updated"
Document #: 177724
Error: "ACL Could Not Be Updated - Object Variable Not Set" When Inviting User to File Cabinet
Document #: 180577
Error: "The ACL for the File Cabinet Could Not Be Updated" Inviting Users to New File Cabinet
Document #: 187222