#dominoforever | Product Ideas Portal

 

Welcome to the #dominoforever Product Ideas Forum! The place where you can submit product ideas and enhancement requests. We encourage you to participate by voting on, commenting on, and creating new ideas. All new ideas will be evaluated by HCL Product Management & Engineering teams, and the next steps will be communicated. While not all submitted ideas will be executed upon, community feedback will play a key role in influencing which ideas are implemented and when.


Add "Anonymous" with "No Access" as default for new database ACL

Domino's great strength has always been security. But according to the latest tests, Anonymous is not added automatically when creating a new database.

Adding Anonymous with "No Access" as default for new applications will cause no backwards-compatibility issues. But it will promote best practice and ensure "opt in" vs "opt out" security - developers and admins have to specifically allow Anonymous to access the applications rather than specifically revoke Anonymous access.

This promotes best practice amongst existing admins / developers and minimises security risks through ignorance from those new to the platform.

  • Guest
  • Jul 16 2019
  • Likely to implement
  • Guest commented
    24 Jul 16:19

    Maybe HCL could update the ACLs of the standard application templates to demonstrate existing functionality ==> http://www.matnewman.com/webs/personal/matblog.nsf/dx/tip-of-the-day-automatically-populate-acls-of-new-databases-by-changing-the-templates-acl?opendocument&comments

    If you add an "[Anonymous]" entry (with the applicable settings) to the ACL of your templates, then as another commenter said, at least all new applications based off those templates will get an "Anonymous" ACL entry automatically.

    One of the best ways to demonstrate/advertise standard product functionality is for the "out of the box" standard templates to use it.

    Regards.

  • Guest commented
    08 Jan 21:15

    Daniel's response is technically correct. However, I too had a couple big clients get dinged by regulatory compliance audits for not having a separate entry for Anonymous. Yes, you can add it for new templates manually with [Anonymous] and add it for apps w/o templates, of course. But in larger corps creating lots of apps, there is typically one or two falling through the change-management cracks. If this defaulted, it would help Domino to "look better" on the audits so it doesn't have "stupid dings".

  • Guest commented
    December 19, 2019 20:52

    This is long overdue. While in theory -Default- applies to both, in practice -Default- is what people use for the Notes client which is inherently more locked down as somebody needs a Notes ID to access it. Anonymous is for the Web client which could be anybody anywhere.  Even if I decide to set -Default- to Reader, starting with Anonymous as No access is absolutely a best practice, and should be done from the beginning.

  • Guest commented
    December 19, 2019 20:01

    We recently went thru a security audit and got hit on this one!  While we have it as a development standard to add Anonymous = No Access, our business devs haven't grasped the concept yet and we still end up trying to catch this prior to moving to prod. 

  • Guest commented
    July 17, 2019 22:18

    If no Anonymous is present, Default is used. My test in the Notes client did result in "NoAccess" as default.

    Why do you need Anonymous?

    Daniel Nashed [ http://blog.nashcom.de ]
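
Several commenters describe applications reaching production without an explicit Anonymous entry. The LotusScript agent below is an added example, not code from this thread or from HCL, that lists every database on a server whose ACL lacks an Anonymous entry or gives Anonymous more than No Access. It assumes the agent's signer can open the databases and read their ACLs; the `SERVER` constant and the `CheckAnonymous` helper are names introduced for this example.

```lotusscript
Option Declare

' Assumption: "" means the machine the agent runs on; set a server name otherwise.
Const SERVER = ""

Sub Initialize
	Dim dbdir As New NotesDbDirectory(SERVER)
	Dim db As NotesDatabase
	Dim finding As String

	' Walk every database (.nsf) in the data directory.
	Set db = dbdir.GetFirstDatabase(DATABASE)
	Do Until db Is Nothing
		finding = CheckAnonymous(db)
		If finding <> "" Then Print db.FilePath & ": " & finding
		Set db = dbdir.GetNextDatabase
	Loop
End Sub

' Returns "" when Anonymous is explicitly listed with No Access,
' otherwise a short description of what an auditor would flag.
Function CheckAnonymous(db As NotesDatabase) As String
	Dim entry As NotesACLEntry

	On Error Goto cannotRead

	' Databases returned by NotesDbDirectory are closed until opened.
	If Not db.IsOpen Then Call db.Open("", "")

	' GetEntry returns Nothing when the name is not in the ACL.
	Set entry = db.ACL.GetEntry("Anonymous")

	If entry Is Nothing Then
		' Per the thread: without an entry, -Default- applies to anonymous users.
		CheckAnonymous = "no Anonymous entry (falls back to -Default-)"
	ElseIf entry.Level <> ACLLEVEL_NOACCESS Then
		CheckAnonymous = "Anonymous level is " & entry.Level & ", not No Access"
	End If
	Exit Function

cannotRead:
	' Report unreadable ACLs so they are reviewed rather than skipped silently.
	CheckAnonymous = "ACL could not be read: " & Error$
	Exit Function
End Function
```

Run on a schedule, the output gives change management a list of the applications that slipped through before an audit finds them.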