#dominoforever | Product Ideas Portal

Welcome to the #dominoforever Product Ideas Forum! The place where you can submit product ideas and enhancement request. We encourage you to participate by voting on, commenting on, and creating new ideas. All new ideas will be evaluated by HCL Product Management & Engineering teams, and the next steps will be communicated. While not all submitted ideas will be executed upon, community feedback will play a key role in influencing which ideas are and when they will be implemented.

For more information and upcoming events around #dominoforever, please visit our Destination Domino Page

Extract ACL information in all .nsf files in a domain.

By default you can view all the ACLs inside the catalog.nsf however it is not accurate because if a user is part of a "group" and that "group" is assigned explicitly in the .nsf ACL it does not reflect in the catalog.nsf.


This can be reproducible:

-Create a new .nsf (any template).

-Create a new group and add a test user.

-Modify the ACL of the created .nsf and add explicitly the group where test user belongs. Make sure that test user is not listed explicitly in the ACL.

-send the cosole command "load catalog"

-Open the catalog.nsf and go to Access Control List > By Name.

-Under this view locate the test user, you will not see the .nsf.

    In this view you will not see the applications/.nsf where the group of the user is explicitly listed.


Summary: In catalog.nsf > access control > By Name. you can only see the ACL of the user which he/she is explicitly added. You cannot see the ACL of the database where he/she is under a group and that group is explicitly listed.


This should be an enhancement request to also include in the view By Name all the applications where the user is part of a group.

  • Guest
  • Sep 18 2018
  • No Plans to Implement
  • Attach files
  • Guest commented
    14 Sep, 2019 01:46pm

    The HCL Notes tool below will generate a report to view all the apps in which the user has ACL access.  However, there is an extra cost, but it is loaded with features you can use in the future...  


    ACL Dominator for Notes - Administration reporting and management security tool
            • Report, manage, analyze, audit, export, update all Access Control Lists (ACLs) on an IBM Domino server
            • Fix security holes, optimize servers, prepare for a message migration. Report on DB properties, mailbox preferences, user activity
            • Reports include mailbox owner, delegation, out of office status, full-text index details, DAOS size, etc.
            • Nested groups report - explore & expand groups. Mailbox Rules (send) report. Primary, alias and forwarding address report


  • Guest commented
    19 Oct, 2018 10:24am

    You could use "Domino Explorer" from OpenNTF. It requires the ODA installed on your server to run, but it does exactly what you want: crawling all ACL entries and you can exam everything via a web interface. It's not a fiinal version though but it does the main job. You can also find empty or unused groups which sometimes is helpful to maintain. https://www.openntf.org/main.nsf/project.xsp?r=project/Domino%20Explorer

  • Guest commented
    12 Oct, 2018 08:34am

    Customer amey_manjrekar@greatship.com also requesting this feature

  • Guest commented
    18 Sep, 2018 10:08am

    Of course this is not a bug... its a missing feature ;)

    I have had this demand several times now (not very often). We implemented that ourselves with a small agent going recursively through all groups and databases.

    But I would think that this should be an option for the cataloger - knowing that this will demand a lot of resources and run a long time.

  • Admin
    Thomas Hampel commented
    18 Sep, 2018 09:46am

    This is not a bug - the catalog is supposed to display all ACL entries, but not supposed to resolve all members. in order to display this information, the catalog would have to reverse lookup all groups, nested groups, etc. and import it to the catalog.nsf. Especially for groups that are changed frequently, or groups that are not part of the Domino directory this would be an overhead