Monday, February 1, 1999

How to automatically build groups based on ACL roles

DEVELOPING AGENTS

By Tom Lowery

There is a dilemma that faces all Notes and Domino developers at some point in their careers. Has this ever happened to you? You're building a large workflow application with lots of roles. Those roles can be filled by individuals and public NAB (Name and Address Book) groups alike. Now you want your application to send mail to everyone in a given role. What do you do? Do you now go to your local friendly system administrator and ask her to add still more groups to the public NAB to match your roles? What happens if you have twenty such applications? Your public NAB group list will soon look something like this, or worse:

HR-Directory-[ViewSalary]
HR-Directory-[ChangeSalary]
HR-Directory-[ViewHomeAddress]
AP-Invoices-[ViewVendorAddresses]
AP-Invoices-[PayInvoices]

This clutters the NAB group list and can be a pain to administer.

The problem lies in the way the Domino object model is constructed. There's no easy way for a LotusScript program to determine, for each role, which people and groups are members of that role. Going the other way is simple. The NotesACLEntry.roles property can be used to determine which roles are enabled for an ACL (Access Control List) entry.

A similar situation exists with documents and folders. In R4, there is no easy way to get a list of all the folders a document resides in. That situation is corrected in R5. However, it looks like the ACL role situation will not be changing anytime soon. While anything could happen before R5 goes gold, there appears to be no new functionality to help with role lookups as of Beta 2.

Creating group documents

If you're like me, you may have been tempted to create group documents locally within the application database. These would match the roles you have defined. This approach is straightforward enough. Simply create a form called Group with two fields, ListName and Members. Both are text fields. Make sure that the Members field has the Allow Multi-values property turned on. You can see an example of this in Figure A.

FIGURE A

Try creating a simple form containing group name and members.

Then, create a view called Groups with a single sorted column, GroupName, as shown in Figure B.

FIGURE B

Create a simple view with one column called GroupName.

From there, you can use the following formula to pull the group members and send email to them:

@DbLookup (""; @DbName; "Groups"; roleName; "Members")

This approach keeps the public NAB clean. It also makes your system administrator happy since she doesn't have to keep adding new groups. The drawback, of course, is added work on your part. Every time you add someone to the ACL and give him a role, you must remember to also update the local group document that corresponds to that role.
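
One way to remove that manual step, as an added LotusScript agent that is not the article's own code: it walks the ACL and rewrites each Group document's Members field from the entries that hold the role. It assumes the Group form and Groups view described above, and that ListName stores the role name with its brackets, as NotesACL.Roles returns it.

```lotusscript
' Added example (not from the article): rebuild the local Group documents from the ACL.
' Assumes the Group form and Groups view described above, with ListName holding
' the role name exactly as NotesACL.Roles returns it, e.g. "[PayInvoices]".
Sub Initialize
    Dim session As New NotesSession
    Dim db As NotesDatabase
    Dim acl As NotesACL
    Dim entry As NotesACLEntry
    Dim view As NotesView
    Dim doc As NotesDocument
    Dim members() As String
    Dim role As String, bare As String
    Dim count As Integer

    Set db = session.CurrentDatabase
    Set acl = db.ACL
    Set view = db.GetView("Groups")

    Forall r In acl.Roles
        role = r
        If role <> "" Then
            bare = Mid$(role, 2, Len(role) - 2)   ' role name without the brackets
            ' Collect every ACL entry (person, server or group) that holds this role
            count = 0
            Redim members(0)
            Set entry = acl.GetFirstEntry
            While Not (entry Is Nothing)
                If entry.IsRoleEnabled(bare) Then
                    Redim Preserve members(count)
                    members(count) = entry.Name
                    count = count + 1
                End If
                Set entry = acl.GetNextEntry(entry)
            Wend
            ' Reuse the existing Group document for this role, or create one
            Set doc = view.GetDocumentByKey(role, True)
            If doc Is Nothing Then
                Set doc = New NotesDocument(db)
                doc.Form = "Group"
                doc.ListName = role
            End If
            ' Overwrite Members so entries removed from the ACL also leave the group
            If count = 0 Then doc.Members = "" Else doc.Members = members
            Call doc.Save(True, False)
        End If
    End Forall
End Sub
```

Because Members is overwritten on every run, someone who loses a role in the ACL stops receiving that role's mail the next time the agent runs, so the local groups do not drift from the ACL.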