Enforcing a consistent access control list

You can ensure that an ACL remains identical on all database replicas on servers, as well as on all local replicas that users make on workstations or laptops.

About this task

To keep the access control list the same across all server replicas of a database, select the Enforce a consistent Access Control List setting on a replica whose server has Manager access to the other replicas. If you select a replica whose server does not have Manager access to other replicas, replication fails because the server has inadequate access to replicate the ACL.

If a user replicates a database locally, the database ACL recognizes that user's access as it is known to the server. This happens automatically for local replication, regardless of whether Enforce a consistent Access Control List is enabled.

Local replicas with Enforce a consistent Access Control List enabled attempt to honor the information in the ACL and determine who can do what accordingly. However, they have some limitations. One limitation is that group information is generated on the server, not at the local replica. When a database is replicated locally, information about the group membership of the person doing the replication is stored in the database for use in ACL checking. If a person or identity other than the one doing the replication accesses the local replica, no group membership information is available for that person, and the ACL can use only the person's identity, not group membership, to check access.
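
The group-membership limitation described above, as an added example: a simplified model written for this page, not Domino code or an HCL API. It assumes the usual ACL resolution order (an explicitly listed name takes precedence, then the highest level among the user's groups, then -Default-); every name, group and ACL entry is constructed.

```python
# Added illustration: simplified model of ACL checks on a local replica.
# Not Domino code; every name, group and ACL entry here is constructed.
LEVELS = ["No Access", "Depositor", "Reader", "Author",
          "Editor", "Designer", "Manager"]

def resolve(acl, user, groups):
    """Assumed order: explicit name wins; else highest group level; else -Default-."""
    if user in acl:
        return acl[user]
    granted = [acl[g] for g in groups if g in acl]
    if granted:
        return max(granted, key=LEVELS.index)
    return acl["-Default-"]

def groups_on_server(directory, user):
    """Group membership as the server's directory knows it."""
    return {g for g, members in directory.items() if user in members}

def make_local_replica(acl, directory, replicator):
    """Copy the ACL and store only the replicating user's groups."""
    return {"acl": dict(acl), "replicator": replicator,
            "cached_groups": groups_on_server(directory, replicator)}

def local_access(replica, user):
    """Only the replicator has group information on the local replica."""
    groups = (replica["cached_groups"]
              if user == replica["replicator"] else set())
    return resolve(replica["acl"], user, groups)

def compare(acl, directory, replicator, users):
    """Return {user: (access on server, access on local replica)}."""
    replica = make_local_replica(acl, directory, replicator)
    return {u: (resolve(acl, u, groups_on_server(directory, u)),
                local_access(replica, u)) for u in users}

# Constructed sample data
DIRECTORY = {"Sales Editors": {"Ana Ruiz/Acme", "Ben Cole/Acme"},
             "Contractors": {"Dev Shah/Acme"}}
ACL = {"-Default-": "Reader", "Sales Editors": "Editor",
       "Contractors": "No Access", "Cara Lind/Acme": "Author"}

if __name__ == "__main__":
    users = ["Ana Ruiz/Acme", "Ben Cole/Acme", "Cara Lind/Acme", "Dev Shah/Acme"]
    for user, (srv, loc) in compare(ACL, DIRECTORY, "Ana Ruiz/Acme", users).items():
        flag = "" if srv == loc else "  <-- differs"
        print(f"{user:16} server={srv:10} local={loc:10}{flag}")
```

In this model, only the replicating user and users listed by name resolve to the same level locally as on the server; anyone whose access depends on a group entry falls through to -Default-.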

Additionally, enforcing a consistent access control list does not provide additional security for local replicas. To keep data in local replicas secure, encrypt the database.

Note: If a user changes a local or remote server database replica's ACL when the Enforce a consistent Access Control List option is selected, the database stops replicating. The log (LOG.NSF) records a message indicating that replication could not proceed because the program could not maintain a uniform ACL on replicas.

Procedure

  1. Make sure that you have Manager access in all the database ACLs you select.
  2. From the Domino® Administrator Server pane, select a server that has Manager access to the databases on which you want to enforce a consistent ACL.
  3. Click Files, and select one or more databases from the Domino® data directory.
  4. Click Tools > Database > Manage ACL.
  5. Click Advanced.
  6. Select the option Modify Consistent ACL setting.
    • To enforce a consistent ACL, select Enforce a consistent Access Control List across all replicas of this database.
    • To disable a consistent ACL, select Do not enforce a consistent ACL.
  7. Click OK.