Q

Enforce consistent ACL on NAB

I would like to secure as much as possible the NAB of my company domain, especially in checking "enforce consistent ACL". Could you tell me what are the good and the bad aspects of this feature?


Good question. This feature is so commonly misunderstood that I hope to write a column about it sometime. Until then, below is the section of the Domino R5 Admin Help that pertains to the feature. You can see this (and more information) by going to the Admin Help file and selecting Contents / Security / The database access control list / Setting up a database ACL. Then scroll down until you see the link for Enforce Consistent.

Note the important point that this feature does not disable the ability of users to modify the ACL of a local copy of a database. A local user can still change an ACL and see parts of the database that you don't want them to. The feature does disallow such a local replica from replicating back to the server. In essence, Domino says "If you have modified the ACL of a local copy of the database, I don't trust that copy anymore."

So, to answer your question... This feature is a good security option and it definitely helps with overall Domino/Notes security. The drawback is that people often misunderstand the feature and think that it does more than it really does. It does NOT provide local security if a user can get a local copy of a database.

Enforcing a consistent access control list

You can ensure that an ACL remains identical on all database replicas on servers, as well as on all local replicas that users make on workstations or laptops.

Select the "Enforce a consistent Access Control List" setting on a replica whose server has Manager access to other replicas to keep the access control list the same across all server replicas of a database. If you select a replica whose server does not have Manager access to other replicas, replication will fail because the server has inadequate access to replicate the access control list.

Enforcing a consistent access control list does not provide additional security for local replicas. To keep data in local replicas secure, encrypt the database.

Note: If a user changes a local or remote server database replica's ACL when the enforce a consistent access control list option is selected, the database stops replicating. The log file records a message indicating that replication could not proceed because the program could not maintain a uniform access control list on replicas.


This was first published in January 2002
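The help text above says the log records a message when replication stops because of a changed ACL. The following Python sketch is an added example, not part of the original answer or the Domino documentation; it scans log text for that condition and groups the failures by database and peer server. The log line layout, the exact message wording, and the server names are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed message wording: the page only says the log records that replication
# could not proceed because a uniform access control list could not be
# maintained on replicas. Adjust the pattern to what your log actually shows.
UNIFORM_ACL = re.compile(r"maintain (?:a )?uniform access control list", re.I)
# Assumed log layout: "MM/DD/YYYY HH:MM:SS AM|PM  <message text>"
LINE = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} [AP]M)\s+(.*)$")
# Hypothetical detail fields picked out of the message text when present.
PEER = re.compile(r"with server ([^\s:]+)")
DB = re.compile(r"(\S+\.nsf)", re.I)

# Constructed sample lines, not taken from a real server.
SAMPLE_LOG = """\
01/14/2002 09:00:02 AM  Replicator started
01/14/2002 09:00:05 AM  Unable to replicate names.nsf with server HUB01/ACME: Replication cannot proceed because cannot maintain uniform access control list on replicas
01/14/2002 09:00:09 AM  Finished replication with server HUB02/ACME
01/14/2002 10:00:05 AM  Unable to replicate names.nsf with server HUB01/ACME: Replication cannot proceed because cannot maintain uniform access control list on replicas
01/14/2002 10:00:07 AM  Unable to replicate mail\\jdoe.nsf with server HUB01/ACME: File does not exist
"""

def find_acl_replication_failures(log_text):
    """Group uniform-ACL replication failures by (database, peer server)."""
    hits = defaultdict(lambda: {"count": 0, "first": None, "last": None})
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m or not UNIFORM_ACL.search(m.group(2)):
            continue  # unparseable line or an unrelated replication message
        when = datetime.strptime(m.group(1), "%m/%d/%Y %I:%M:%S %p")
        db = DB.search(m.group(2))
        peer = PEER.search(m.group(2))
        key = (db.group(1).lower() if db else "unknown",
               peer.group(1) if peer else "unknown")
        entry = hits[key]
        entry["count"] += 1
        entry["first"] = min(entry["first"] or when, when)
        entry["last"] = max(entry["last"] or when, when)
    return dict(hits)

if __name__ == "__main__":
    for (db, peer), e in find_acl_replication_failures(SAMPLE_LOG).items():
        print(f"{db} <-> {peer}: {e['count']} failures, "
              f"{e['first']:%Y-%m-%d %H:%M} to {e['last']:%H:%M}; compare the ACL on both replicas")
```

A repeated hit for the same database and server pair means a replica's ACL has diverged and that copy is no longer replicating, which is the point at which to compare the ACLs and decide which replica to trust.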
