The Domino security model consists of seven distinct levels: Domain, Server, Database, View, Document, Section, and Field. Think of it as the "Seven Layer Burrito of Security." The first two levels allow system administrators to restrict who can access a group of servers or an individual server. Database-level security is enforced through the ACL by system administrators, database managers, or application developers to limit access to a specific database. The last four levels are the exclusive realm of application developers. When designing a database, you can mark certain views, documents, document sections, or even specific fields off-limits to all but authorized individuals.

In this article, I will cover the lowest level, field security in detail. It's tempting to simply use hide-when formulas to hide fields on a form. You can hide a field when a user doesn't possess the needed role, or when the user's access level is less than a given minimum, like Editor access, for example. This technique is fine, as long as you understand it's not real security. Anyone who doesn't meet your criteria can still see the field contents by looking at the Document Properties window.

There's only one real field-level security feature in Domino: encryption. Encryption is also the only security feature that will protect your data even from those who have access to the server console. However, Domino encryption has some drawbacks. I'll talk about those as well.

Secret key vs. public key
Domino encryption comes in two basic flavors: secret key and public key. In a secret key setup, the key used to encrypt the data is also used to decrypt it. This works well if the data only needs to be read by the same person who encrypted it, or by a small, geographically close group. As the application developer, you can create secret keys through the Notes interface. If you want to share the data among several people, you need to be careful to distribute the key in a secure manner. For example, you wouldn't want to send the key through Internet mail. Key management issues aside, secret key encryption can still work well, even for large groups.

Public key encryption involves two keys. One is used to encrypt the data and another is used to decrypt it. The two keys are mathematically related to each other and are called a key pair, and each Domino user has a pair. The key used to encrypt the data is called the public key. It's listed in the Domino Directory. The key used to decrypt the data is called the private key. It's stored in the user's Notes ID file. Although the two keys are related, it's extremely difficult to figure out the private key even if you know its public sibling. If you have a spare supercomputer sitting in your basement, you might be able crack a Domino key pair before the 22nd Century rolls in. Public key encryption bypasses the key management issues present in the secret key method. Everyone already has the keys they need, so there's no need to figure out how to distribute them.