------------------------------------------------------------------------------

                       IBEX ACL Manager - Demo version

                                 Quick Intro

------------------------------------------------------------------------------

Welcome to the world of managed, transparent Notes Access Control Lists!

You have received the ibex ACL Manager. Now that you have this tool available, 
and  probably already installed (the description of the installation is in 
READ.ME), you qwant to know what the product is all about:

Synopsis
--------
ACL Manager allows you to transfer your ACLs into a single database, and to 
manage the ACLs from within that database.

Algorithm
---------
We designed ACL Manager around the following model:

ACL manager builds a list of all databases on the server (file names: *.NS*, 
templates are not supported by this demo version). To avoid confusion, let's 
call them ServerDatabases, or SD's.

1. Initialization: If the SD is not found in the ACL management database 
   (AMDB), its ACL (including ACL entries, roles and a few administrative 
   settings) is dumped into the AMDB. It may be that a database with 
   the same replica ID and an identical ACL is found, which is on another 
   server. In that case, the current server is added to the list of 
   servers on which that database is available.
   
2. If the SD is found in the AMDB, then the two ACLs are compared (In this 
   demo version, we compare ACL entries and roles only - the administrative 
   settings are neither checked nor set). 
   
3. If the ACLs are different, then the ACL in AMDB is considered to be the 
   master and is therefore written back to the SD. The changes are logged to 
   the screen.
   
A few hints and quirks:
- The view "By Access Level" in AMDB is very enlightening: Here, you will 
  find all of those deadly sins like -Default- or some end users having 
  Manager access.
- The view "By ACL Entry" is a good way to find all those foreign subjects 
  who linger around in your ACLs.
- If you want to set the ACL in server X to be the same as the one in 
  on server Y for the same database, then proceed as follows: Delete the 
  database, ACL and Role documents belonging to the database on server X, 
  and enter server X in the server list of the database document for server 
  Y. The change will be implemented in the next run of ACLDEMO.
- databases are identified by their replica ID. If you have multiple 
  replicas of the same database in different paths on your server, then 
  the results are unpredictable.
- if you manage a server, and set ibex ACL Manager up to run daily, do 
  inform your users that ALL changes to the ACL have to be done through the 
  ACL manager database. Usually, this means through the administrator. 
  Nothing is more frustrating for the user if he does a complex change to 
  the ACLs of his application, only to find them rolled back next morning.

Running ibex ACL Manager
------------------------
ibex ACL Manager can be run from the OS/2 command line on a server, or from 
a program document in the Name & Address Book.

Its call format is

   ACLDEMO AMDB LogLevel
   
   where
      AMDB is the path and file name of the ACL Manager database either 
           relative to the Notes data directory or as an absolute path on 
           the server. It can also be a full Notes network path 
           (Port!!!Server!!Path), but that may stress your network - be
           careful to avoid standard operating hours when doing this.
           
      LogLevel is a number between 999 and 12000, default is 999. The higher
           the LogLevel the fewer messages are issued by ACLDEMO (their 
           level is the number to the left of each message).

You can run ACLDEMO on multiple servers using a replicating database - in 
fact, this is where the real benefits of the ibex DomainManager start to 
evolve.

You may pipe the screen output into a log file by appending a '>log.txt' to 
the command line specified above. There is no way, however, to return that 
file from a remote server to you - if you don't have ibex DomainManager's 
ExecuteTask (ET). This utility will allow you to store the program 
(ACLDEMO.EXE or any other OS/2 command line based program) in a database 
form, have ET retrieve it to the server, execute it, log its output and 
return the output either by mail or as a "normal" database document.
   
Resource requirements
---------------------
ACL manager needs at least 5 seconds processing time (on a 486/66) per 
database in each run. This depends largely on the complexity of your ACLs. It 
has been tested on servers with up to 400 databases, but we reckon that a 
average server has about 150 databases on it. 

We recommend that you have at least 24MB RAM in your servers, the more the 
better (even though Notes cannot use much more than 16MB for itself due to 
its 16bit programming model).

Feedback
--------
We are always interested in your feedback. You can reach us using the 
addresses indicated in READ.ME.


Now, have fun - and enjoy finally being in command of Notes.

                                    ******
