Hi,
We are developers and are studying the effect of ‘Enforce consistent ACL across all replicas’ to make a change in an enterprise-wide application.
We find that ‘Enforce consistent ACL across all replicas’ seems has no effect on server replicas, both in terms of server-to-server replication and local-to-server replication. It seems it is meant only to control access to the local replicas.
Can you please confirm if our understanding is right?
Thanks.
Regards,
Sriram R.
Subject: Enforce consistent ACL.
To me Enforce consistent ACL means keep the ACL the same across all replicas of the database. (MY understanding - I don’t claim to be an expert)
In the simple case of a database that is on a server: it helps you protect the data in the database so that if someone makes a replica they cannot change the ACL on their local replica (unless they also have permission to make ACL changes on the server).
The samething would then be true server to server. If Server B has a replica copy of database that is on Server A. If Server A is the only “person/server” that has Manager Access, then you can only make ACL changes on Server A and not on Server B.
Overall, it means you’re defining the ACL accross all replicas of the database. When you set it, it blocks someone else from changing the ACL for their needs/interest.
An example we have is we have an application that replicates between two companies.
Company A - Server A (back and forth) Company A - Server E - External (back and forth) to Company B - Server F - External (back and forth) Company B - Server B.
Company A controls the design - therefore you don’t want LN admins on Company B to have Designer or Manager access.
Therefore you setup on Server A - the people who have manager / designer access. In particular you specify that Server E and F have editor access only,
This also means you control who in company B can see the data. This maybe important as maybe certain people in company Legally should not have access to that information.
Subject: RE: Enforce consistent ACL.
Also, in our company all Local domain servers have Manager access in the ACL of the database and they do not replicate with External domain servers. We do have local replicas created by employees for themselves. In this scenario, enabiling/disabling ‘Enforce consistent ACL’ will not have effect on server-to-server replication - am I correct?
Subject: RE: Enforce consistent ACL.
It all depends upon what you mean.
You state CURRENTLY all Servers have Manager access. We all know things change and the biggest mistake you can make is ASSUME it will never change.
By having Enforce Consistent ACL set it ensures that whatever rules someone setup in the ACL for whatever reasons will apply to all replica’s of that database. IMO, this is how you should always set things.
It does effect replication because part of that replication is the ACL itself. If you don’t have this set, it’s possible someone could be changing the ACL on another server and you not know about it.
Subject: RE: Enforce consistent ACL.
In your example, would servers A,E,F and B not have the same access even if ‘Enforce consistent ACL’ was not enabled? Wouldn’t controlling the access level in the ACL be sufficient?
Subject: RE: Enforce consistent ACL.
Maybe to start but ultimately NO.
For example, to start the Lotus Notes Admins for server F and B would need to have manager access to setup the database on the servers. If they have manager access, they could add groups / people on server F and B or changing roles. However, with the ACL set the way it is, this information would NOT replicate back to E and A. (As F does not have manager rights to E)
Therefore without Enforce Consistent ACL people could be making changes on their end and no one would know about it…
You making it so the ACL looks the same across all replicas.
Subject: Enforce consistent ACL.
Hi,
Yes you are correct it works only for local replica copies.
cheers
siddu
Subject: RE: Enforce consistent ACL.
Thanks for replying, Siddu.
Do you mean "Enforce consistent ACL’ being selected/deselected has no effect on
Server to Server replication
Local to Server replication
Thanks.
Subject: RE: Enforce consistent ACL.
Hi,
If you select “Enforce consistent ACL” then only it will work in local it doesnt have any impact if you select while you are working on server copies.It is especially to work roles on local copies.
cheers
siddu
Subject: RE: Enforce consistent ACL.
Your statement will remain incorrect, no matter how often you repeat it.
Subject: RE: Enforce consistent ACL.
Enforcing consistent ACL will apply to ALL replica’s, server AND local.
Subject: RE: Enforce consistent ACL.
No, You are not correct - Enforce Consistent ACL works on ALL replicas, regardless wheather they are locally or on a server. Please read Stephens answer to this discussion - he is right on the spot.