I would like to secure as much as possible the NAB of my company domain, especially in checking "enforce consistant ACL". Could you tell me what are the good and the bad aspects of this feature ?
Good question. This feature is so commonly misunderstood that I hope to write a column about it sometime. Until then, below is the section of the Domino R5 Admin Help that pertains to the feature. You can see this (and more information) by going to the Admin Help file and selecting Contents / Security / The database access control list / Setting up a database ACL. Then scroll down until you see the link for Enforce Consistent.
Note the important point that this feature does not disable the ability of users to modify the ACL of a local copy of a database. A local user can still change an ACL and see parts of the database that you don't want them to. The feature does disallow such a local replica from replicating back to the server. In essence, Domino says "If you have modified the ACL of a local copy of the database, I don't trust that copy anymore."
So, to answer your question... This feature is a good security option and it definitely helps with overall Domino/Notes security. The drawback is that people often misunderstand the feature and think that it does more than it really does. It does NOT provide local security if a user can get a local copy of a database.
Enforcing a consistent access control list
You can ensure that an ACL remains identical on all database replicas on servers, as well as on all local replicas that users make on workstations or laptops.
Select the "Enforce a consistent Access Control List" setting on a replica whose server has Manager access to other replicas to keep the access control list the same across all server replicas of a database. If you select a replica whose server does not have Manager access to other replicas, replication will fail because the server has inadequate access to replicate the access control list.
Enforcing a consistent access control list does not provide additional security for local replicas. To keep data in local replicas secure, encrypt the database.
Note: If a user changes a local or remote server database replica's ACL when the enforce a consistent access control list option is selected, the database stops replicating. The log file records a message indicating that replication could not proceed because the program could not maintain a uniform access control list on replicas.
Dig Deeper on Domino Resources - Part 4
Related Q&A from Chuck Connell
Is it possible to encrypt a user's name before sending an email? SearchDomino.com expert Chuck Connell weighs in. Continue Reading
Learn how to change authentication timeout interval for Domino Web Access logins. Continue Reading
SearchDomino.com expert Chuck Connell provides a resource for a Lotus Notes administrator who wants to filter out email containing the word "spam," ... Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.