This forum is closed to new posts and responses. Individual names altered for privacy purposes. The information contained in this website is provided for informational purposes only and should not be construed as a forum for customer support requests. Any customer support requests should be directed to the official HCL customer support channels below:

HCL Software Customer Support Portal for U.S. Federal Government clients
HCL Software Customer Support Portal


Nov 4, 2016, 7:19 PM
6 Posts
Resolved

Restrict doc access for multiple organizations in Domino Directory

  • Category: Administration
  • Platform: All Platforms
  • Release: 9.0.1
  • Role: Administrator
  • Tags: nab,directory
  • Replies: 10

Hello,

We have an unusual situation where we need to host users from multiple domains on a single Domino server.  That's actually easy but the big requirement is that users from one domain should not be able to see the Person or Group docs for any domain other than their own in the Domino Directory.

I've tried moving the Person and Group docs for a domain into a secondary directory and using Directory Assistance, but only one DA document can have the Group Authorization field set to Yes (a "privileged" domain).  As a result, if a user is not in the privileged domain they can sometimes authenticate but they cannot access databases because the group membership lookup fails.

Without modifying the directory design, I do not see a Readers field on a Person or Group doc so I can't control access that way.  I played with the Extended Directory Catalog but that still aggregates the Person docs from all domains into a directory so I'm back where I started.

Is it even possible to do what I've described?

Nov 4, 2016, 8:38 PM
59 Posts
security tab

Look at the security tab of the group document's properties (the one with the key on it). You can use it to control the readers of the document just like a readers field. Same for person docs. Not sure how to get '*/domain1' into the list, but if you had a group that included all the users in domain1 you could restrict a document to only being readable by the users in domain1_group.

hope that helps!

Nov 4, 2016, 9:03 PM
6 Posts
Manipulate security with code?

That's an interesting angle with good possibilities but maintenance would be labor-intensive.  I looked at the NotesDocument class but didn't see anything that can change those values. Do you happen to know if it's possible to manipulate that tab with code?

Nov 6, 2016, 1:03 PM
59 Posts
$Readers

It looks like the content from that tab is stored in a readers field called $Readers in both person and group documents. You should be able to create and manipulate that with LotusScript.

p.s. - make sure to include relevant server and administrator names in the readers field!

Nov 7, 2016, 11:16 PM
323 Posts
And groups & roles can be included in $Readers. But be careful.

One slip-up and it is extremely tough to recover the document. I always customize the form to force a role onto the end, so I can recover if something unexpected is thrown into the field.

Nov 8, 2016, 3:38 PM
196 Posts
Re: Restrict doc access for multiple organizations in Domino Directory

If the total number of people you would be supporting is small and relatively static, it would be possible to do as Stuart Bogom suggests. You are only hiding Person Records at the time you create them. However, from a security point of view, I would deploy partitioned servers as D Porter suggested.

Nov 8, 2016, 4:16 PM
59 Posts
slip-up

Mike... remember that the 'full access administration' feature can be used to bypass the control of a $Readers field if you slip up and get excluded from a document.

Nov 14, 2016, 2:42 PM
6 Posts
Going with $Readers field

Thanks everyone for your suggestions.  Currently it is cost-prohibitive to convert to a partitioned configuration but that will likely be our direction as our customer (and therefore revenue) base grows.

I have tested the $Readers field in conjunction with a secondary directory and DA and it all works nicely.  Non-domain users cannot view the restricted group in the primary NAB nor person docs in the secondary NAB, and domain users can authenticate and open their dbs properly.

I had already automated the user registration process through Lotusscript from our internal support db, so it will be easy for me to manipulate the $Readers field safely by automatically including administrative groups to prevent lockout.

Thanks!
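The approach the thread settles on, written out as an added example that is not the poster's code and not anything shipped with Domino: a LotusScript routine that writes the $Readers item on a Person document and refuses to save unless the entries that prevent lockout (an administrative group, a role forced onto the end of the list, and the server itself, as the earlier replies recommend) are present. The group name LocalDomainAdmins, the role [Admin], the server name, the secondary directory filename names2.nsf, the ($Users) view and the user and group names are assumed placeholders, not values from the thread.

```lotusscript
' Added example (not from the thread): restrict a Person document to one
' tenant domain via $Readers while guaranteeing the safety entries that keep
' administrators and the server able to read it.
Option Public
Option Declare

' Placeholders: replace with your own admin group, ACL role and server name.
Const ADMIN_GROUP = "LocalDomainAdmins"
Const ADMIN_ROLE = "[Admin]"                       ' role must exist in the directory ACL
Const SERVER_NAME = "CN=DominoServer/O=YourOrg"    ' server doing the lookups

' True when the item value list contains the entry (case-insensitive compare).
Function ContainsEntry(values As Variant, entry As String) As Boolean
    Dim i As Integer
    ContainsEntry = False
    For i = LBound(values) To UBound(values)
        If LCase(CStr(values(i))) = LCase(entry) Then
            ContainsEntry = True
            Exit Function
        End If
    Next
End Function

' Build $Readers from the tenant's group plus the safety entries and store it
' as a Readers/Names item. The save is refused if the safety entries are
' missing, so a defect elsewhere cannot produce an unrecoverable document.
Function SetTenantReaders(doc As NotesDocument, tenantGroup As String) As Boolean
    Dim readers(0 To 3) As String
    readers(0) = tenantGroup      ' the only non-administrative reader
    readers(1) = ADMIN_GROUP      ' administrators keep access
    readers(2) = ADMIN_ROLE       ' role forced onto the list for recovery
    readers(3) = SERVER_NAME      ' the server must still see the Person doc

    Dim item As NotesItem
    Set item = doc.ReplaceItemValue("$Readers", readers)
    item.IsReaders = True         ' mark as a Readers field, not plain text
    item.IsNames = True           ' values are canonical names/groups/roles

    ' Final check before committing the change
    If Not (ContainsEntry(item.Values, ADMIN_GROUP) And ContainsEntry(item.Values, ADMIN_ROLE)) Then
        SetTenantReaders = False
        Exit Function
    End If
    SetTenantReaders = doc.Save(True, False)
End Function

' Usage: restrict one user in the secondary directory to the Domain1 tenant.
Sub Initialize
    Dim session As New NotesSession
    Dim db As NotesDatabase
    Dim view As NotesView
    Dim doc As NotesDocument
    Set db = session.GetDatabase("", "names2.nsf")        ' secondary directory (placeholder)
    Set view = db.GetView("($Users)")
    Set doc = view.GetDocumentByKey("Jane Doe/Domain1", True)   ' constructed sample user
    If doc Is Nothing Then Exit Sub
    If Not SetTenantReaders(doc, "Domain1_Users") Then
        MessageBox "Refused to save: safety entries missing from $Readers"
    End If
End Sub
```

Two points worth keeping in mind with this pattern: a role in $Readers only has effect if that role is defined in the directory's ACL, and the restriction takes effect on save, so run the routine from the registration code that creates the document rather than as a later pass that might miss documents. Full access administration remains the recovery path if an entry is ever mistyped.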

Nov 17, 2016, 3:08 PM
323 Posts
Thanks Stuart.

I haven't had occasion to try it recently. I noticed Administrator would let me "promote" myself to an admin, is that the path to get to see these documents? Or is there a way to actually see the docs within the Notes client itself if there's a lot of cleaning up to do?

Nov 18, 2016, 2:50 AM
59 Posts
full access

Mike,

You can turn on 'full access administrator' from the administrator client (administration menu). You also need to have your name in the server config doc in the 'Full Access Administrators' field on the security tab.

Once you activate it in Domino Administrator, you bypass reader field controls: all documents are visible to you even if you are not listed in the readers field.

I'm pretty sure that, if you have both the client and the administrator open, the full access applies in both once you turn it on.

hope that helps!
