Restricting access in Lotus Notes form

Question

I would like to be able to let all users to create a form (QCR) but then no one should be able to edit the form except me and one other user. I have been tinkering around with the ACL and Authors and Readers field but have no luck.

Some more background: 1. This form is created by clicking a button from a separate database because some of the information in this QCR form are inherited from that database. 2. Users in the All group should be able to create this form 3. The users should be able to read all the documents in the QCR database but not edit them 4. I and one other users should be able to to read and edit all the documents 5. There are some codes in the QuerySave event to compare the value before and after a documents is being edited

What I have tried: I created a group QCR_Access that has me and 1 other user as members. Then I created an Authors field, computed, with 'QCR_Access' as the Formula in the QCR Form. But no matter what kind of Access type that I gave to the All group (Depositor or Author), the application keeps giving me error whenever I tried to save a new document in the database with one of the user in the ALL group.

Below is the codes in the Querysave, might help give you some idea what I am doing.

Sub Querysave(Source As Notesuidocument, Continue As Variant)
' Compare the values in the form after it is saved with its original values when the document is not a new document.    
Dim doc As NotesDocument
Set doc = Source.Document

Dim session As New NotesSession
Dim user As String
user = session.CommonUserName

If newDoc Then
    doc.Log_Date = Cstr(Now())
    doc.Log_User = user
    doc.Log_Actions = "New document created."
Else        
    ' Load fields value to the array
    lastValues(0) = doc.QCR_Requestor(0)
    lastValues(1) = doc.QCR_No(0)
    ...
    lastValues(31) = doc.QCR_Tracking_Info(0)

' Compared each value in the array to see if there is any difference
    Dim i As Integer
    For i = 0 To 31
        If lastValues(i) <> originalValues(i) Then              
            Call UpdateLogFields(doc,user,i)
        End If
    Next
End If
End Sub

Sub UpdateLogFields (doc As NotesDocument, user As String, i As Integer)
Dim logDate As NotesItem
Dim logUser As NotesItem
Dim logActions As NotesItem

Set logDate = doc.GetFirstItem("Log_Date")
Set logUser = doc.GetFirstItem("Log_User")
Set logActions = doc.GetFirstItem("Log_Actions")

' a space is needed otherwise the appended text is right next to the border

Call logDate.AppendToTextList(" " & Cstr(Now()))
Call logUser.AppendToTextList(" " & user)

Select Case i
Case 0: Call logActions.AppendToTextList(" Requestor is changed.") 
Case 1: Call logActions.AppendToTextList(" QCR No is changed.")
    ...
  Case 30: Call logActions.AppendToTextList(" Follow Up information is changed.") 
Case 31: Call logActions.AppendToTextList(" Tracking information is changed.") 
End Select
End Sub

Answer 1

1. Create two ACL groups in the Domino Directory (e.g.):
   • QCR_Editors
   • QCR_Creators
2. Put everyone into QCR_Creators, put just yourself and the other editor into QCR_Editors.
3. In the database access control list (ACL):
   • Give QCR_Editors "Editor" access (with "Delete documents," if needed.)
   • Give QCR_Creators "Author" access (with "Create documents" only.)

Note:

• You do not need to use Authors or Readers fields on the form or documents.
• Creators will have only one oportunity to save the document. Once it is saved, they will be locked out from further edits.

If you need additional functionality (like permitting several saves until done,) let me know.

-- Grant

Answer 2

You could make the formula for your authors field look like this:

@If(@IsNewDoc;"All";"QCR_Access");

There is one problem with this, however. If a regular user creates the document, saves it but does not close it, then tries to make changes and save it again, the second save will fail. To deal with that, you could give the users Depositor access and having your querySave code check the Database.CurrentAccessLevel property to see if the current user has Depositor access and prompt the user to ask "Are you sure you want to save? You will not be able to make additional changes."

Answer 3

I think you must definitely use authors field here, your description fits exactly for purpose... I would recommend you to use a role in this case thought, because that way you can assign it to someone else in emergencies or if you leave the company...

If you ACL is correctly setup, the you only need to add the value of the role like this in your authors field "[role]" I have attached a link with an image that shows how should your field look like if you inspect it.

http://bp1.blogger.com/T-j3ZLqfNQ/RsQXnWk20uI/AAAAAAAAAic/RBRJdD-wVs4/s1600-h/0.gif

Also, consider that if you write names to an authors field, the you need to use the fully qualified name of the people, otherwise it wouldn't work

Answer 4

If I'm following correctly, the members of the ALL group that are having trouble saving the QCR form, are the ones that are not in the QCR_Access group, correct? That would make sense given that the computed Authors field on the QCR form is set to only allow QCR_Access editing access.

The fix, then, would be to update that document's author field after the user has saved it. You could do that with some sort of agent that runs under a higher-privileged user account. You could also perhaps "hide" the document from the user who creates it until that agent runs, using a reader field.

It's been a while, but I think I opted for a lower-security solution when I faced this, essentially using form events to prevent editing. In that case you can prevent editing when the document is not new, and when the user is not in a certain group. You have to handle the QueryOpen and QueryModeChange events and put the logic there. NOTE: This isn't real security. Authors and Readers fields are the recommended way to handle security for a document.

Hope this helps!