We still have a security problem regarding local replicas, although "Enforce a consistent ACL" is set.
The IBM Technote on consistent ACL says:
"A user may try to promote their access level on the local replica by creating a group in their Personal Address Book with the same name of a group defined in the ACL with a high level of access, such as Manager. This attempt to bypass the ACL security does not work. The "cached" credentials, explicit ACL listings, or the Default access settings control local replica access when the "Enforce a Consistent Access Control List..." option is enabled. Furthermore, this advanced ACL option prevents users from bypassing ACL security by creating a local replica and disabling the option to "Copy Access Control List" (enabled by default). Under these conditions, the advanced option does not allow a replica to fully initialize, preventing any access to the local replica."
... but this doesn't seem to be true? The user can still edit sections he shouldn't be able to edit (Controlled Access sections).
Is there, for example in Notes 7, any way to completely deny replication from local replicas? (The database in question exists on several servers, so the replication setting might have to be set separately for each replica.)
Best regards,
Kristina

