Skip to Main Content
HCL Domino Ideas Portal

Welcome to the #dominoforever Product Ideas Forum! The place where you can submit product ideas and enhancement request. We encourage you to participate by voting on, commenting on, and creating new ideas. All new ideas will be evaluated by HCL Product Management & Engineering teams, and the next steps will be communicated. While not all submitted ideas will be executed upon, community feedback will play a key role in influencing which ideas are and when they will be implemented.

For more information and upcoming events around #dominoforever, please visit our Destination Domino Page

142 VOTE
Status Assessment
Workspace Domino
Categories Security
Created by Guest
Created on Jul 16, 2019

Add "Anonymous" with "No Access" as default for new database ACL

Domino's great strength has always been security. But according to latest tests, Anonymous is not added automatically when creating a new database.

Adding Anonymous with "No Access" as default for new applications will cause no backwards-compatibility issues. But it will promote best practice and ensure "opt in" vs "opt out" security - developers and admins have to specifically allow Anonymous to access the applications rather than specifically revoke Anonymous access.

This promotes best practice amongst existing admins / developers and minimises security risks through ignorance from those new to the platform.

  • Attach files
  • Guest
    Reply
    |
    Jul 24, 2020

    Maybe HCL could update the ACL's of the standard application templates to demonstrate existing functionality ==> http://www.matnewman.com/webs/personal/matblog.nsf/dx/tip-of-the-day-automatically-populate-acls-of-new-databases-by-changing-the-templates-acl?opendocument&comments

    If you add an "[Anonymous]" entry (with the applicable settings) to the ACL of your templates, then as another commenter said, at least all new applications based off those templates will get an "Anonymous" ACL entry automatically.

    One of the best ways to demonstrate/advertise standard product functionality is for the "out of the box" standard templates to use it .

    Regards.

  • Guest
    Reply
    |
    Jan 8, 2020

    Daniel's response is technically correct. However, I too had a couple big clients get dinged by regulatory compliance audits for not having a separate entry for Anonymous. Yes, you can add it for new templates manually with [Anonymous] and add it for apps w/o templates, of course. But in larger corps creating lots of apps, there is typically one or two falling through the change-management cracks. If this defaulted, it would help Domino to "look better" on the audits so it doesn't have "stupid dings".

  • Guest
    Reply
    |
    Dec 19, 2019

    This is long overdue. While in theory -Default- applies to both, in practice -Default- is what people use for the Notes client which is inherently more locked down as somebody needs a Notes ID to access it. Anonymous is for the Web client which could be anybody anywhere.  Even if I decide to set -Default- to Reader, starting with Anonymous as No access is absolutely a best practice, and should be done from the beginning.

  • Guest
    Reply
    |
    Dec 19, 2019

    We recently went thru a security audit and got hit on this one!  While we have it as a development standard to add Anonymous = No Access, our business devs haven't grasped the concept yet and we still end up trying to catch this prior to moving to prod. 

  • Guest
    Reply
    |
    Jul 17, 2019

    Is no Anonymous is presen, Default is used. My test in the Notes client did result in "NoAccess" as default.

    Why do you need Anonymous?

    Daniel Nashed [ http://blog.nashcom.de ]