Mastership and oplog behavior of ACL-enabled VOBs
In a replicated environment, you can manage ACLs once per VOB family if you use fully-preserving-mode replication. If you use non-preserving or permissions-preserving replication, you must manage ACLs separately at every replica of the VOB family.
The following table lists the major differences in the mastership and oplogging behavior of ACL operations in preserving and non-preserving replicas. The term "non-preserving" is used inclusively to mean both non-preserving and permissions-preserving replicas. The term "preserving" means identity- and permissions-preserving replicas.
Task | ACL operation | Mastership requirements in preserving replicas | Mastership requirements in non-preserving replicas | Oplog behavior if originator or importer is non-preserving |
---|---|---|---|---|
Enable ACLs | protectvob -enable_acls | Must master the VOB object | None | Store oplog without playing it on import |
Create a new policy | mkpolicy | None | None | Replace the policy's IDs with those of the user running the import |
Modify a policy | mkpolicy -replace | Must master the policy being modified | None | Store oplog without playing it on import |
Create a new rolemap | mkrolemap -policy | Must master the policy being modified | Must master the policy being modified | Replace the policy's IDs with those of the user running the import |
Modify a rolemap-policy binding | mkrolemap -replace -policy | Must master both policies being modified and the rolemap | Must master both policies being modified and the rolemap | Store oplog without playing it on import |
Replace a rolemap definition or scope | mkrolemap -replace, mkrolemap -set | Must master the rolemap | None | Store oplog without playing it on import |
Modify the contents of a policy | chpolicy | Must master the policy | None | Store oplog without playing it on import |
Modify the contents of a rolemap | chrolemap | Must master the rolemap | None | Store oplog without playing it on import |
Bind an element, rolemap, policy, or the VOB object to a different rolemap | protect -chrolemap | Must master the object being bound | None | Store oplog without playing it on import |
Create an element and bind it to a rolemap | mkelem -rolemap | None | None | Assign the element to the parent directory's rolemap in the local replica |
Delete a policy | rmpolicy | Must master the policy | Must master the policy | |
Delete a rolemap | rmrolemap | Not allowed in a replicated VOB | Not allowed in a replicated VOB | |