Managing rolemaps and policies: identity- and permissions-preserving replicas
Various considerations affect the administration of policies and rolemaps in fully preserving replicas.
Among identity- and permissions-preserving replicas of a VOB family, every policy and rolemap is replicated in its entirety. The bindings between controlled objects and their rolemaps are also replicated. Thus, the same access controls are enforced for all replicas in the family.
You can manage policies and rolemaps at one replica, then replicate the changes to other replicas. Assignments of controlled objects to their rolemaps are fully replicated within the preserving set of replicas. To manage policies and rolemaps at multiple replicas, you must transfer mastership of each policy and rolemap to the replica at which it is to be managed.
If you are creating a new preserving replica, you must create the replica export packet from an existing preserving replica. You cannot create a preserving replica from a non-preserving replica because the latter does not have the same permissions settings as a preserving replica.
If a currently unreplicated VOB is non-preserving, you can use the chreplica command to make it fully preserving.
In replicated VOB families, you cannot modify a non-preserving replica to become fully preserving if any member of the VOB family is known to be fully preserving. If the local replica believes that all members of the VOB family are non-preserving, you may make it fully preserving only if it masters the VOB object.