
Names in IBM Domino - a warning!!

John Dalsgaard • Jun. 04, 2014

Ok, if you are like me you have worked with names in IBM Notes/Domino many, many times. And you may even have built your own directory solutions to put users into your application instead of in the central directory (like I have described in this article). If you have done the latter then you may have faced (or will in future) the dirty details of naming conventions in Domino...


I have this system where users can register themselves. I calculate a "full" name based on their name and a key that I create to ensure that the fullnames are unique. This is all well and works fine for login etc. etc. However, today I learned that you want to be careful with the naming. I only ever use the abbreviated name in this application. So I create an abbreviated name, say: "John Dalsgaard/12345/Org" and store this as the "FullName" in my user document (equivalent of the Person document in the Domino Directory). This all works well - apart from this situation:


If you have author access to the database and use an authors field to enforce the security model you have built into your logic - and you use a ROLE in the ACL to give certain users access to delete documents created by other users - then you will find that these users will NOT be able to delete those documents, although they have the role and the role is mentioned in the authors field!!


Ok, I use Java. So when I want to check for roles I use something like this:


getSession().getCurrentDatabase().queryAccessRoles("John Dalsgaard/12345/Org")


It returns the roles I would expect. So far so good. However, if I called:


NotesContext.getCurrent().isDocEditable(doc)


then that returns "false" - which reflects that the server is throwing errors at me! How can that be?


Next test is to try something simple:


getSession().evaluate("@UserRoles")


... no roles returned??? What on earth is going on? So I tried calling:


getSession().evaluate("@UserName").elementAt(0)


to ensure that I was who I thought I was!! It returned:


"John Dalsgaard/12345/Org"


and this is where some clever people who helped me (Paul Withers and Nathan Freeman) figured the problem was. It turns out that the FullName field of your user MUST be in the canonical format, i.e. the above SHOULD have been:


"CN=John Dalsgaard/OU=12345/O=Org"


When I changed my user document to have the full name in that format (and the same was reflected in the $Users view) then suddenly the roles were returned correctly from @UserRoles - and the delete worked! The odd thing that made it more difficult to track down was that the edit with a user that had his/her abbreviated name registered in the authors field actually WORKED. But please note that you should also ALWAYS use the canonical name in authors/readers fields - just to be safe!
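One way to guard against this before a name is written to the FullName field or to an authors/readers field, shown as an added example that is not code from the original post. The class and method names are hypothetical, and the conversion assumes the first component is the CN, the last is the O, everything in between is an OU, and no country (C=) component is ever inferred.

```java
import java.util.ArrayList;
import java.util.List;

public class CanonicalNames {

    /** True when every component carries a type prefix such as CN=, OU=, O= or C=. */
    static boolean isCanonical(String name) {
        for (String part : name.split("/", -1)) {
            if (!part.trim().matches("(?i)(CN|OU|O|C)=.+")) return false;
        }
        return true;
    }

    /**
     * Converts an abbreviated hierarchical name to canonical form.
     * Assumption: first component = CN, last = O, the rest = OU.
     * Flat values (no "/"), e.g. a role like [Admin], are returned unchanged.
     */
    static String toCanonical(String name) {
        String trimmed = name.trim();
        if (trimmed.isEmpty()) throw new IllegalArgumentException("empty name");
        if (isCanonical(trimmed)) return trimmed;
        String[] parts = trimmed.split("/", -1);
        if (parts.length == 1) return trimmed; // nothing hierarchical to label
        List<String> out = new ArrayList<>();
        for (int i = 0; i < parts.length; i++) {
            String p = parts[i].trim();
            // Refuse half-typed names instead of guessing the missing types.
            if (p.isEmpty() || p.contains("=")) {
                throw new IllegalArgumentException("mixed or empty component in: " + name);
            }
            String type = (i == 0) ? "CN" : (i == parts.length - 1) ? "O" : "OU";
            out.add(type + "=" + p);
        }
        return String.join("/", out);
    }

    public static void main(String[] args) {
        // Sample values: the first two are the names from the post, the role is constructed.
        String[] samples = {
            "John Dalsgaard/12345/Org",
            "CN=John Dalsgaard/OU=12345/O=Org",
            "[Admin]"
        };
        for (String s : samples) {
            String c = toCanonical(s);
            System.out.println(s + " -> " + c + (s.equals(c) ? "" : "  (was abbreviated)"));
        }
    }
}
```

Running the same check over the existing user documents and authors fields shows which entries are still stored in abbreviated form.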


You can read more about this on Paul Withers' blog in this article - please pay special attention to the quote about formatting names.
