Welcome to the #dominoforever Product Ideas Lab! The place where you can submit product ideas and enhancement request. We encourage you to participate by voting on, commenting on, and creating new ideas. All new ideas will be evaluated jointly by the IBM & HCL Product Management & Engineering teams, and the next steps will be communicated. While not all submitted ideas will be executed upon, community feedback will play a key role in influencing which ideas are and when they will be implemented.

For more information and upcoming events around #dominoforever, please visit our Destination Domino page.

Extract ACL information in all .nsf files in a domain.

By default you can view all the ACLs inside the catalog.nsf however it is not accurate because if a user is part of a "group" and that "group" is assigned explicitly in the .nsf ACL it does not reflect in the catalog.nsf.


This can be reproducible:

-Create a new .nsf (any template).

-Create a new group and add a test user.

-Modify the ACL of the created .nsf and add explicitly the group where test user belongs. Make sure that test user is not listed explicitly in the ACL.

-send the cosole command "load catalog"

-Open the catalog.nsf and go to Access Control List > By Name.

-Under this view locate the test user, you will not see the .nsf.

    In this view you will not see the applications/.nsf where the group of the user is explicitly listed.


Summary: In catalog.nsf > access control > By Name. you can only see the ACL of the user which he/she is explicitly added. You cannot see the ACL of the database where he/she is under a group and that group is explicitly listed.


This should be an enhancement request to also include in the view By Name all the applications where the user is part of a group.

  • Avatar32.5fb70cce7410889e661286fd7f1897de Guest
  • Sep 18 2018
  • Will not implement
  • Attach files
  • Admin
    Thomas Hampel commented
    September 18, 2018 09:46

    This is not a bug - the catalog is supposed to display all ACL entries, but not supposed to resolve all members. in order to display this information, the catalog would have to reverse lookup all groups, nested groups, etc. and import it to the catalog.nsf. Especially for groups that are changed frequently, or groups that are not part of the Domino directory this would be an overhead

  • Avatar40.8f183f721a2c86cd98fddbbe6dc46ec9
    Guest commented
    September 18, 2018 10:08

    Of course this is not a bug... its a missing feature ;)

    I have had this demand several times now (not very often). We implemented that ourselves with a small agent going recursively through all groups and databases.

    But I would think that this should be an option for the cataloger - knowing that this will demand a lot of resources and run a long time.

  • Avatar40.8f183f721a2c86cd98fddbbe6dc46ec9
    Guest commented
    October 12, 2018 08:34

    Customer amey_manjrekar@greatship.com also requesting this feature

  • Avatar40.8f183f721a2c86cd98fddbbe6dc46ec9
    Guest commented
    October 19, 2018 10:24

    You could use "Domino Explorer" from OpenNTF. It requires the ODA installed on your server to run, but it does exactly what you want: crawling all ACL entries and you can exam everything via a web interface. It's not a fiinal version though but it does the main job. You can also find empty or unused groups which sometimes is helpful to maintain. https://www.openntf.org/main.nsf/project.xsp?r=project/Domino%20Explorer