In an entry-balancing deployment, access control instructions (ACIs) are still configured in the backend Directory Server data. When defining access controls in an entry-balancing deployment, you need to ensure that the data used by the access control rule is available for evaluation on all datasets.

If you use groups for access control and a group contains users from different data sets, then that group must exist on each dataset. For a single ACI to be applicable to entries in all datasets, it must be specified above the entry-balancing point. For example, if an ACI allows access to modify users that are part of group 1, then two things must exist on both data sets:
  • Group 1 must exist in the ou=groups branch of both datasets.
  • The ACI referencing group 1 must exist in the ou=people branch or above. The ou=people branch entry itself is part of the common data.

The Directory Proxy Server ensures that any changes to entries within the scope of the entry-balancing request processor, but outside the balancing point, are applied to all backend server sets. Any ACI stored at the entry-balancing point will be kept in sync if changes are made through the Directory Proxy Server.