Enforce consistent ACL query

Hi All,

I heard this Enforce consistent ACL feature is used to keep the ACL consistent across all the replicas of a database …

But if an admin wants to change the ACL across all the replicas, then would they not be able to do so? Then how can we change the ACL …, is there any way out?

Vikalp

Subject: Enforce consistent ACL query

You can change the ACL if you enable full access administration mode.

Subject: Enforce consistent ACL does not lock ACL…

merely restricts the changes to those done on permitted servers (and by permitted individuals).

Once a valid change is made there, it will replicate as the setup permits to all replicas, whether server or local.

Subject: RE: Enforce consistent ACL does not lock ACL…

Hi All,

Yes, agreed, we can change the ACL, but will that change replicate with other replicas? If yes, then what is the use of Enforce consistent ACL?

Thanks in advance

Vikalp

Subject: Enforce Consistent ACL was primarily aimed at…

local replicas

i.e. to stop users with the skills and tools available from making changes on their client that could replicate back up to the server with bad consequences for functionality, and above all security.

However, you should also be aware that Lotus also made the decision to require that Ensure Consistent ACL be ON for Roles to be available on a LOCAL replica. That's why I nearly always have it enabled :={. (Personally I think this dual purpose is a stupid decision but there … )

As to whether the ACL entries replicate between servers … well that can depend.

If an application is deployed in a single Notes Domain, perhaps a single organisation, then the developer usually wants ACL entries to replicate freely. So all the ACL is set up with all servers as Manager.

However in other circumstances … for example if an application is deployed in two domains … it can be different.

Let's say Organisation A creates an application that it wishes to use to share data with Organisation B.

However Organisation A (quite reasonably) needs to keep control of both Design and ACL on its own servers.

Conversely Organisation B will accept the design changes but needs to control the ACL of its own servers … not least because access will be controlled via groups in its own Domino Directory/NAB.

So in the ACL on A’s replica

A’s servers have Manager access

B’s have only Editor

but in the ACL on B’s replica

A’s servers have Designer access

B’s have Manager

Once the proper connection and cross certificates are set up, replication can happen

but since it is the ACL on the receiving server that determines what data is accepted

a) data can flow both ways

b) design can flow from A to B

but

c) ACL moves in neither direction!

and getting back to our original point, “Ensure consistent ACL” does not affect this

Though it would action within Organisation A and Organisation B … separately of course :=)

Hope this helps a bit

AJW
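The two-organisation setup described in the post above, as an added example that is not part of the original thread: a small Python model of the rule that the ACL on the receiving replica decides what an incoming replication may change. The server names and the thresholds table are assumptions (a simplified reading of the standard Domino access levels: Editor for documents, Designer for design, Manager for the ACL).

```python
from enum import IntEnum

class Level(IntEnum):
    # Domino access levels, lowest to highest
    NO_ACCESS = 0
    DEPOSITOR = 1
    READER = 2
    AUTHOR = 3
    EDITOR = 4
    DESIGNER = 5
    MANAGER = 6

# Assumption (simplified model): minimum level the SENDING server must hold
# in the RECEIVING replica's ACL for each kind of change to be accepted.
REQUIRED = {"data": Level.EDITOR, "design": Level.DESIGNER, "acl": Level.MANAGER}

# Constructed ACLs matching the thread's scenario; server names are hypothetical.
ACL_ON_A = {"ServerA/OrgA": Level.MANAGER, "ServerB/OrgB": Level.EDITOR}
ACL_ON_B = {"ServerA/OrgA": Level.DESIGNER, "ServerB/OrgB": Level.MANAGER}

def accepted(receiving_acl, sender):
    """Kinds of change the receiving replica accepts from `sender`."""
    level = receiving_acl.get(sender, Level.NO_ACCESS)  # unlisted server: nothing
    return {kind for kind, need in REQUIRED.items() if level >= need}

def flows(acl_a, acl_b, a="ServerA/OrgA", b="ServerB/OrgB"):
    """What replicates in each direction between replica A and replica B."""
    return {"A->B": accepted(acl_b, a), "B->A": accepted(acl_a, b)}

def acl_writers(acl, local_servers):
    """Audit helper: servers outside `local_servers` that could push ACL changes in."""
    return sorted(s for s, lvl in acl.items()
                  if lvl >= Level.MANAGER and s not in local_servers)

if __name__ == "__main__":
    for direction, kinds in flows(ACL_ON_A, ACL_ON_B).items():
        print(direction, sorted(kinds))
    # Single-domain case from the post: every server is Manager, so ACL replicates too.
    same_domain = {"ServerA/OrgA": Level.MANAGER, "ServerB/OrgB": Level.MANAGER}
    print(flows(same_domain, same_domain))
    print("foreign ACL writers on A:", acl_writers(ACL_ON_A, {"ServerA/OrgA"}))
```
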

Subject: RE: Enforce Consistent ACL was primarily aimed at…

Hi Alan,

Thanks a lot for posting such a nicely described scenario.

Then what Enforce consistent ACL is, is just how you define access (ACL) on replica copies to replicate only the stuff which you want, be it server to local or server to server, am I right?

Thanks in advance

Vikalp