I'm trying to find a way to save the complete list of user access privileges for a specific Lotus Notes document.
I know I can get database-level ACLs from catalog.nsf, but not document-level access. Also, the Author field of the document, I believe, won't list read-only access users.
Does anyone know how to obtain the complete ACL of every user for a specific document?
Any help is appreciated, thanks!
Edit: spelling.
Simon is correct. It is non-trivial. Even though I would skip his suggestion of reading the Forms, it is still non-trivial. Even for checking just a single document as per your question, it is non-trivial. I know auditors sometimes want exactly this type of information, but Domino's security system wasn't designed with that in mind, and there's no built-in API to get the info.
In Java, you need to use the Document.getItems() method to retrieve a vector of all Items. Then you have to look through the Items. You need to check Item.getType() to determine if it is an Item.READERS or Item.AUTHORS. If it is, then you need to do Item.getValues() to retrieve the vector of values, and you have to loop through the vector and check to see if each value is a role. If it is a role, you have to use Database.getACL() and iterate through the ACLEntries to determine which ones have the role and whether they are Person entries or Group entries. And if they are group entries you have to look up the group members in the Domino Directory -- which might require expanding nested groups. For any values in the Item that are not roles, you have to check that value against the Domino Directory to see if it is a valid Person or Group -- and again expand the group until you finally get to the People. For the lookups in the Domino Directory you have to worry about the fact that Directory Assistance may be configured, in which case there can be multiple Domino Directory databases to check, but this is somewhat easier if you can use Notes/Domino 8 because there is a Directory class that takes care of that for you.
What you are asking for is somewhat non-trivial.
Database ACL. You need to determine the following.
- Name in the ACL list.
- Are they a person, server, or group?
- If they are a group, you need to read Names.nsf.
- Do they have any roles?
Next you need to read every document in the database. In order to do this you will need the access rights to do so. So that would be reader access at least (if set on the document) as well as access to encrypted fields (again if set).
You can use the NotesNoteCollection class to iterate through design + documents.
http://publib.boulder.ibm.com/infocenter/domhelp/v8r0/topic/com.ibm.designer.domino.main.doc/H_NOTESNOTECOLLECTION_CLASS.html
Checking the design will allow you to read the Forms and see if they have a readers field and what values are set. After that you can check documents if the setting is not static for the related Form.
On a side point. If you are trying to diagnose a particular user against an application, you can use the following notes.ini settings.
DEBUG_THREADID=1
DEBUG_SERVERACL=2
This will print out on the Domino console every time an ACL request is made. It will print who is requesting, what level they are requesting, what levels they have and what access they were given.
The debug is very verbose though, so it should only be used for diagnosing an issue and disabled when done.
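The two answers above describe the same procedure from different angles: walk the document's Readers and Authors items, expand roles through the database ACL, and expand groups through the Domino Directory. The following Java program is an added example written for this page, not code from either answer or from IBM/HCL. It uses the lotus.domino classes from Notes.jar (so it needs a local Notes or Domino client environment to run), assumes a single Domino Directory named names.nsf on the same server (no Directory Assistance), and takes the database path and the document UNID as command-line arguments. The class name DocumentReaders and the argument layout are the example's own choices. It also handles two cases the answers only imply: a name in an Authors item can read the document as well, and a document with no populated Readers item is readable by every ACL entry with Reader access or better.

```java
import java.util.HashSet;
import java.util.Set;
import java.util.Vector;

import lotus.domino.ACL;
import lotus.domino.ACLEntry;
import lotus.domino.Database;
import lotus.domino.Document;
import lotus.domino.Item;
import lotus.domino.NotesException;
import lotus.domino.NotesFactory;
import lotus.domino.NotesThread;
import lotus.domino.Session;
import lotus.domino.View;

/**
 * Expands the Readers/Authors items of one document into the people (and servers)
 * that can read it. Example code for this page; assumes one Domino Directory
 * (names.nsf) on the same server, so Directory Assistance is not handled.
 */
public class DocumentReaders {

    private final Database db;     // database holding the document (its ACL defines the roles)
    private final Database names;  // Domino Directory used for group expansion

    public DocumentReaders(Database db, Database names) {
        this.db = db;
        this.names = names;
    }

    /** Everyone named directly or indirectly in a Readers or Authors item. */
    public Set<String> readers(Document doc) throws NotesException {
        Set<String> people = new HashSet<String>();
        Set<String> seenGroups = new HashSet<String>();
        boolean restricted = false;
        for (Object o : doc.getItems()) {
            Item item = (Item) o;
            int type = item.getType();
            // Authors matter too: a name in an Authors item can read the document.
            if (type != Item.READERS && type != Item.AUTHORS) continue;
            for (Object v : item.getValues()) {
                String name = ((String) v).trim();
                if (name.length() == 0) continue;
                if (type == Item.READERS) restricted = true;
                resolve(name, people, seenGroups);
            }
        }
        if (!restricted) {
            // No populated Readers item: anyone with Reader access or better in the ACL can read.
            ACL acl = db.getACL();
            for (ACLEntry e = acl.getFirstEntry(); e != null; e = acl.getNextEntry(e)) {
                if (e.getLevel() >= ACL.LEVEL_READER) resolve(e.getName(), people, seenGroups);
            }
        }
        return people;
    }

    /** Resolve one value to people, recursing through roles ("[Role]") and nested groups. */
    private void resolve(String name, Set<String> people, Set<String> seenGroups) throws NotesException {
        if (name.startsWith("[") && name.endsWith("]")) {
            ACL acl = db.getACL();
            for (ACLEntry e = acl.getFirstEntry(); e != null; e = acl.getNextEntry(e)) {
                if (e.isRoleEnabled(name)) resolve(e.getName(), people, seenGroups);
            }
            return;
        }
        Vector<?> members = groupMembers(name);
        if (members == null) {
            people.add(name);  // not a group in names.nsf: a person, server or -Default-
            return;
        }
        if (!seenGroups.add(name)) return;  // guard against nested-group cycles
        for (Object m : members) resolve(((String) m).trim(), people, seenGroups);
    }

    /** Members of a group in the Domino Directory, or null if no group has that name. */
    private Vector<?> groupMembers(String name) throws NotesException {
        View groups = names.getView("($VIMGroups)");
        Document g = groups.getDocumentByKey(name, true);
        return g == null ? null : g.getItemValue("Members");
    }

    public static void main(String[] args) throws Exception {
        NotesThread.sinitThread();
        try {
            Session s = NotesFactory.createSession();
            Database db = s.getDatabase("", args[0]);       // e.g. "apps/audit.nsf" (example path)
            Database names = s.getDatabase("", "names.nsf");
            Document doc = db.getDocumentByUNID(args[1]);   // UNID of the document to audit
            for (String p : new DocumentReaders(db, names).readers(doc)) System.out.println(p);
        } finally {
            NotesThread.stermThread();
        }
    }
}
```

Names are emitted as they appear in the items and ACL, so the same person can show up once in canonical form (CN=...) and once abbreviated; normalising that, recycling the Notes objects, and following Directory Assistance to secondary directories are left out to keep the example short. The session also has to be able to read the document at all: as the second answer notes, the auditing identity needs Reader access (or a Readers/Authors entry) on the document, or getDocumentByUNID will not return it.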