Re: Lotus Domino View ACL by-pass (#NISR29102001C)

From: Darren Davison (ddat_private)
Date: Wed Oct 31 2001 - 15:30:29 PST


    On Wednesday 31 October 2001 02:40, NGSSoftware Insight Security Research 
    wrote:
    
    > A Lotus Notes database contains documents which are organized into views.
    
    To be more correct, the database contains documents which *can* be organized 
    into views.  That's not to be pedantic, but it's crucial in understanding the 
    relationship between the data and the design of the database.
    
    
    > Access control lists can be applied to the database itself, views and
    > documents. If a user has been denied access to a view, NISR have discovered
    > that it is possible to by-pass the permissions set on that view and access
    > the documents one would expect it to protect.
    
    Views do not, nor are they intended to, protect the documents they 'contain'; 
    they are merely a convenience.  Hiding the view or restricting its access to 
    certain users is simply an extension of that convenience.  Data (i.e. 
    documents) are correctly protected by readers fields, document encryption or 
    field-level encryption.
    
    From the online help of the Domino Designer client:
    ".. Users who are excluded from the access list will no longer see the view 
    or folder in the View menu.  A view or folder read access list is not a true 
    security measure."
    
    D
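The point made in the reply above (a view read-access list is a convenience, a Readers field is the real control) can be demonstrated in a Domino agent. The following LotusScript is an added example and is not code from the original post, from NGSSoftware, or from IBM/Lotus. It assumes a hypothetical form named "Expense", ACL roles named "[Finance]" and "[Admin]", and an agent signer with Editor access; the field name "DocReaders" is also an assumption. Part 1 shows that documents can be enumerated with no view involved at all, so restricting a view hides nothing from code or URLs that reach the database directly; Part 2 stamps a Readers field on the documents, which the server enforces on every access path.

```lotusscript
' Added example (not from the original post or the NGSSoftware advisory):
' why a view read-access list is not a security boundary, and what is.
'
' Assumptions (hypothetical): a form named "Expense" whose documents
' should be restricted to the "[Finance]" role, an "[Admin]" role for
' recovery, and an agent signer with Editor access to the database.

Option Public
Option Declare

Sub Initialize
    Dim session As New NotesSession
    Dim db As NotesDatabase
    Dim dc As NotesDocumentCollection
    Dim doc As NotesDocument
    Dim item As NotesItem
    Dim n As Long

    Set db = session.CurrentDatabase

    ' --- Part 1: reach documents without touching any view ----------
    ' AllDocuments returns every document the *current user* may read.
    ' View access lists are never consulted here; only the database ACL,
    ' Readers fields and encryption limit what comes back.
    Set dc = db.AllDocuments
    Print "Documents visible without using any view: " & dc.Count

    ' A formula search behaves the same way: it is the selection a view
    ' is built from, minus the view's cosmetic access list.
    Set dc = db.Search({Form = "Expense"}, Nothing, 0)
    Print "Expense documents reachable via db.Search: " & dc.Count

    ' --- Part 2: protect the documents themselves ------------------
    ' Once a Readers field is saved on a document, principals not listed
    ' cannot open it, see it in any view, or retrieve it through any API
    ' or URL, regardless of how views are configured.
    n = 0
    Set doc = dc.GetFirstDocument
    Do Until doc Is Nothing
        ' Readers values may be user names, group names, or ACL roles
        ' written in square brackets.
        Set item = doc.ReplaceItemValue("DocReaders", "[Finance]")
        item.IsReaders = True
        ' Always include an administrative role and the servers that
        ' replicate the database; a Readers field that omits them locks
        ' everyone out and stops replication of those documents.
        Call item.AppendToTextList("[Admin]")
        Call item.AppendToTextList("LocalDomainServers")
        Call doc.Save(True, False)
        n = n + 1
        Set doc = dc.GetNextDocument(doc)
    Loop
    Print "Readers field applied to " & n & " documents"
End Sub
```

Run Part 1 as a user who has been removed from a view's read-access list and the document counts are unchanged, which is exactly the behaviour the Designer help describes; run it again after Part 2 has been applied by an authorised user and the documents disappear for anyone outside the listed roles, on every access path at once.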
    



    This archive was generated by hypermail 2b30 : Wed Oct 31 2001 - 20:31:32 PST