Enforcing a consistent access control list

You can ensure that an ACL remains identical on all database replicas on servers, as well as on all local replicas that users make on workstations or laptops.

Select the "Enforce a consistent Access Control List" setting on a replica whose server has Manager access to other replicas to keep the access control list the same across all server replicas of a database. If you select a replica whose server does not have Manager access to other replicas, replication will fail because the server has inadequate access to replicate the access control list.

If you replicate a database locally, the database ACL recognizes your access as it is known to the server. This happens automatically for local replication, regardless of whether "Enforce a consistent access control list" is enabled.

It should be noted that local replicas with "Enforce a consistent access control list" enabled attempt to honor the information in the ACL and determine who can do what accordingly. However, they have some limitations. One limitation is that group information is generated on the server, not at the local replica. When a database is replicated locally, information about the group membership of the person doing the replication is stored in the database for use in ACL checking. If a person/identity other than the one doing the replication accesses the local replica, there will be no group membership information available for that person, and the ACL can use only the person's identity, not group membership, to check access.

Additionally, enforcing a consistent access control list does not provide additional security for local replicas. To keep data in local replicas secure, encrypt the database.

If you change a local or remote server database replica's ACL when the "Enforce a consistent access control list across all replicas" option is selected, the database stops replicating. The log file records a message indicating that replication could not proceed because the program could not maintain a uniform access control list on replicas.

To enforce a consistent access control list

  1. Make sure that you have Manager access in the database ACL.
  2. Open the database.
  3. Click File > Application > Access Control.
  4. Click Advanced.
  5. Select "Enforce a consistent Access Control List across all replicas."

To disable a consistent access control list

  1. Make sure that you have Manager access in the database ACL.
  2. Open the database.
  3. Click File > Application > Access Control.
  4. Click Advanced.
  5. Deselect the option "Enforce a consistent Access Control List across all replicas."