One of my clients ran into a problem today. It took me only a few minutes to figure what was going on, but I've been mulling the question of why for hours now. I've just filed a bug report in the Lotus Partner Forum, even though there's actually a technote that fully describes what is happening and indicates that it is correct behavior. There's also a thread on LDD that touches on this. Actually, it was almost a year and half from the time the problem was first posted until the connection to the ACL setting was made. It seems most people are considering it a feature, albeit a bad one. I disagree with the technote, and with the forum. It's not a feature. It's a design flaw. If it were a feature, the ACL checkbox that is actually labeled 'Replicate or copy documents' would need to be labled 'Replicate or copy documents except for the ones created by people who can't replicate or copy documents'

Here is what the technote says:

If the creator of a document has author access or above in the ACL of a particular database, however the 'Replicate or copy documents' permission is not selected for that user, then whenever that user creates a document, the $KeepPrivate field will be created and its value will be set to "1".

The $KeepPrivate item prevents users from copying, forwarding or printing the document that contains it. All users. The fact that this item is set because the creator of the document doesn't have the 'Replicate or copy documents' permission selected in the ACL makes no sense.

Consider User A and User B. User A has Manager rights to a database, with 'Replicate or Copy Documents' permission. User B has Author rights, without that permission. User B creates a document. User A, who does have the permission selected can't copy User B's document! Huh? Try it yourself! Work through some scenarios, and you'll see I'm right. The connection between the ACL and $KeepPrivate is a design flaw. .

(And btw: if you make yourself a little test database and you don't have a couple of IDs to switch between and try to fake it by changing your permissions in the ACL of a database in between operations, be sure to close out of the database in both the Notes client and Designer after each ACL change, otherwise you can easily have cached permissions mess up your tests. And also btw... it really helps to have full access administration permission available for test scenarios like this, so dropping yourself to Author rights in the ACL doesn't lock you out of making the next round of changes. Thanks for that one, IBM!)

The design flaw is this: User B's lower permissions are permanently applied to a document that he saves via the addition of a $KeepPrivate item, so even when User A accesses those documents it is User B's lower rights that are being enforced. That's the wrong way around. The restriction on User B's rights due to the lack of the checkbox in the ACL should be enforced when User B tries to copy or replicate data. Nothing User B does while legally creating or editing documents should have a side-effect that reduces User A's rights to do things with those documents.

The problem manifests in (at least) the following ways:

• User A tries to copy the text of a field in edit mode from the doc created by User B. This fails even though User A has the permission in the ACL.

• User A tries to copy the text of the doc created by User B while in read mode. This fails even though User A has the permission in the ACL.

• User A tries to forward the doc created by User B. This fails even though User A has the permission in the ACL.

• User A tries to copy the doc created by User B to the clipboard while in the view. This fails, even though User A has the permission in the ACL.

Interestingly, the $KeepPrivate item does not prevent User A from replicating the document. It was never designed to prevent replication, so that makes sense. Still, it's interesting because it illustrates the inconsistency in behavior. User A is supposed to be able to copy and replicate documents, but User A can only replicate User B's documents, not copy them.

1. Chris Linfoot12/02/2005 07:58:17 AM
Homepage: http://chris-linfoot.net

Nice write-up and, FWIW, I think you are correct.

2. Vince Schuurman12/02/2005 08:45:25 AM
Homepage: http://blog.vinceschuurman.com

Hehe, try remove the flag for anonymous users
http://codestore.net/store.nsf/unid/BLOG-20030925?OpenDocument&count=-1
Allthough I think they fixed that one in 6.0.3.

3. Richard Schwartz12/02/2005 09:56:04 AM
Homepage: http://www.rhs.com/poweroftheschwartz

@Vince: Slightly different issue there, but similar. I had forgotten about that one, however. Thanks for reminding me.

@Chris: Thanks

4. Bernd Vollmer05/24/2007 02:23:40 AM

If you are allowed to change the design of the database, then you may add the $KeepPrivate item with a value of "0" (e.g. as a hidden computed-when-composed field) to the form. This avoids, that this item is set to "1", if the creator of the document doesn't have the 'Replicate or copy documents' permission selected in the ACL.