I am developing an application where a subset of documents is replicated to the web-facing server.
My problem is how to separate the Web server’s access from the rest of the internal servers, since they are all in the same domain. I came up with this solution which I have just tested:
- The Readers field of all documents in the db contains the role [ReadAllDocs]
- The Readers field of documents published to the web contains the roles [ReadAllDocs] and [ReadWebDocs]
- Add LocalDomainServers to the ACL and make it a member of [ReadAllDocs]
- Add the Web server to the ACL as a Server and make it a member of [ReadWebDocs]
Because the Server as an individual overrides the LocalDomainServers group, the Web server can only see the documents containing the [ReadWebDocs] role in the Readers field.
My question to you is what happens if the application is deployed on a cluster? If we put the Cluster name in the ACL, does this behave the same way as adding the server as an individual, or does it behave as another group, in which case the web cluster would also get the [ReadAllDocs] role … I don’t have the equipment to test this out …
Thanks in advance,
Mark.
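
A small model of the access rules described in the post above, added here as an example; it is not part of the original post and is not Domino code. It shows what the web server can read in the tested setup and under each of the two readings of the cluster question, without saying which reading Domino applies. The server, cluster and document names are constructed, and combining the roles of all matching groups is an assumption of the model.

```python
# Simplified model of the design in the post; this is not Domino code.
# Server, cluster and document names are constructed for illustration.

DOCS = {  # document -> roles listed in its Readers field
    "internal-memo": {"[ReadAllDocs]"},
    "press-release": {"[ReadAllDocs]", "[ReadWebDocs]"},
}
GROUPS = {"LocalDomainServers": {"Web1/Acme", "Hub1/Acme"}}
ACL = {  # ACL entry -> roles granted to that entry
    "LocalDomainServers": {"[ReadAllDocs]"},
    "Web1/Acme": {"[ReadWebDocs]"},
}

def effective_roles(server, acl, groups, own_names=()):
    """Roles for `server`. An entry matching the server itself (its name or
    anything in `own_names`) wins outright; otherwise the roles of every
    matching group entry are combined (assumption of this model)."""
    for name in (server, *own_names):
        if name in acl:
            return set(acl[name])
    roles = set()
    for group, members in groups.items():
        if server in members and group in acl:
            roles |= acl[group]
    return roles

def visible_docs(server, acl, groups, own_names=()):
    """Documents whose Readers field shares at least one role with the server."""
    roles = effective_roles(server, acl, groups, own_names)
    return sorted(d for d, readers in DOCS.items() if readers & roles)

# The two readings of the cluster question: the ACL lists "WebCluster"
# instead of the individual server.
CLUSTER_ACL = {"LocalDomainServers": {"[ReadAllDocs]"},
               "WebCluster": {"[ReadWebDocs]"}}
CLUSTER_AS_GROUP = {**GROUPS, "WebCluster": {"Web1/Acme"}}

if __name__ == "__main__":
    print("tested setup, web server:", visible_docs("Web1/Acme", ACL, GROUPS))
    print("tested setup, hub server:", visible_docs("Hub1/Acme", ACL, GROUPS))
    print("cluster entry as individual:",
          visible_docs("Web1/Acme", CLUSTER_ACL, GROUPS, own_names=("WebCluster",)))
    print("cluster entry as group:",
          visible_docs("Web1/Acme", CLUSTER_ACL, CLUSTER_AS_GROUP))
```

If the cluster entry is resolved like a group, the web server's roles include [ReadAllDocs] and the separation is lost, which is the outcome to check for on a real cluster before deployment.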