
enforce a consistent acl across all replicas of this database

Status
Not open for further replies.

gessick

IS-IT--Management
Sep 8, 2005
1
US
I need feedback from Domino Administrators on this issue. I am getting massive pushback from the Domino administrators in my company on "enabling enforce a consistent ACL across all replicas" on system databases and mailfiles.

I have explained that this feature prevents a local user from having a higher local access level than they have on the server and that it prevents the accidental replication of changes to databases like the Domino Directory. The critical issue here is that a user can make a change to the Domino Directory and impact our production environment.

I am a former Lotus Sr. consultant, but am new to the present company. Please weigh in on this issue ASAP. Thanks!
 
Sorry to say, but I'm going to start by raining on your parade a bit. In truth, what happens locally does not have any importance on the integrity of the server databases. If a user does inappropriate things in databases he replicates locally, he can always replicate back: he will not be able to replicate changes to the server if he is not allowed to make the same changes on the server. Second, when replicating, a user only copies locally the documents that his server access allows him to see. So a local replica will not contain any document that the user cannot consult on the server.

That said, there is a rationale to enforcing the ACL: the user could very well make changes to a document he has access to, even though on the server those changes would not be allowed due to role considerations. Indeed, without an enforced ACL, there are no roles taken into account locally. And roles are a central part of Notes functionality - they allow a much greater range of control on which user can do what in a document, and at what state the user can do them. A user could very well be editor of a document, but the status of the doc would, on the server, prevent him from accomplishing a given task. Locally, without Enforced ACL, that user could conceivably make changes. And since he is editor of the document, the server would gladly take those changes and update the document.
That is a bad scenario for data integrity.
There is also a word to be said about general security. Indeed, an enforced ACL means that locally, any Notes client is going to enforce the same security as the server. In other words, if the laptop is stolen, criminal users will have a harder time accessing the data - even if they have another Notes client and ID available.
That could be a decisive argument, I think. Of course, there are tools to remove the importance of the ACL, so a really determined crook would not be deterred for long. But it's better to have a padlock than nothing at all, right?

Pascal.
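
An added example, not part of the thread: a read-only LotusScript agent an administrator could run to list which databases on a server do not have the setting discussed above enabled, using the `NotesACL.UniformAccess` property. The server name is a placeholder, and the agent is assumed to run under an ID that is allowed to open the databases it checks.

```lotusscript
' Added example: report databases on one server whose ACL does not have
' "Enforce a consistent ACL across all replicas" set. Nothing is modified.
Option Declare

Const SERVER_NAME = "Server1/ExampleOrg"   ' hypothetical server name (assumption)

Sub Initialize
	Dim dbdir As New NotesDbDirectory(SERVER_NAME)
	Dim db As NotesDatabase
	Dim acl As NotesACL
	Dim checked As Long, notEnforced As Long, skipped As Long

	' DATABASE limits the walk to .nsf databases (no templates).
	Set db = dbdir.GetFirstDatabase(DATABASE)
	Do Until db Is Nothing
		' Databases from NotesDbDirectory are closed; opening can fail
		' if the signer has no access, so tolerate the error and count it.
		On Error Resume Next
		Call db.Open("", "")
		On Error Goto 0

		If db.IsOpen Then
			Set acl = db.ACL
			checked = checked + 1
			' UniformAccess is True when a consistent ACL is enforced.
			If Not acl.UniformAccess Then
				notEnforced = notEnforced + 1
				Print "NOT ENFORCED: " & db.FilePath & " (" & db.Title & ")"
			End If
		Else
			skipped = skipped + 1
			Print "SKIPPED (cannot open): " & db.FilePath
		End If
		Set db = dbdir.GetNextDatabase
	Loop

	Print checked & " checked, " & notEnforced & " without enforced ACL, " & skipped & " skipped"
End Sub
```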
 