Access Control List (ACL) Freeze


This feature places a flag on the document or email's Modify Access dialog (shown below) which indicates the Access Control List (ACL) will be “frozen” so that implicit changes (inheritance, ethical walls, etc.) will not change the ACL of the document. The flag does not prevent the ACL from being changed manually; rather, it simply indicates that the ACL is immune to implicit access changes, such as access inheritance or profile-based security.  


This would typically be used for email messages that have been locked down to certain users. In case the email is moved to another location, its access will not change.

This option is generally used with the REST API to set the freeze flag on email messages as they are imported into the cabinet. It is currently not available through EMS Profiler, EMS Folders, or ndOffice. 

NOTE: Moving an item to a ShareSpace will not preserve the ACL, even if ACL Freeze is set for the item.

Users can ignore or honor the flag as they deem necessary when manually modifying the document's access list. Users need "A" rights to the document/email to set or remove the document-level ACL freeze flag.   

When modifying the access list of a document where the flag is not set, users will be prompted whether they wish to "freeze" the ACL after modifying it. 


NOTE: There is a flag in the Cabinet Administration page to enable/disable ACL freeze for all documents in a given cabinet. The default is to have the feature DISABLED. If you want the feature enabled, as the Administrator, you must ENABLE it in the Cabinet Administration page by selecting Yes for "Allow users to freeze ACL" in the Other section.


If disabled at the cabinet level, users will not see the document-level flag at all.

Searching for Documents with a Frozen ACL

You can search for documents that are either frozen or thawed by using the field identifier 52. This is not available as a standard field in the UI, but it can be used to create custom search criteria.

For example,

=52(frozen) will return documents/emails that have ACL Freeze set.

=52(thawed) will return documents/emails that do not have ACL Freeze set.

ACL Freeze does not need to be enabled in the cabinet to use this search field. In fact, it doesn’t need to be enabled in the cabinet to use ACL Freeze. All the cabinet-level option does is display the checkbox that allows a user to set ACL Freeze through the web UI. If the document is frozen by the REST API, ACL Freeze will be enforced even if the ACL Freeze flag is disabled on the cabinet.