The blank database that can be created using the new ODA APIs has Manager access enabled and no specific settings. But even with an existing database or one created from a template, you may need to manage the ACL and settings that can be enabled from the ACL. Existing core APIs are available for this.
Database.getACL() will give access to the ACL. On the ACL there are two specific settings that are worthy of careful attention.
ACL.setUniformAccess()relates to the "Ensure consistent ACL across all replicas" checkbox. This is needed to ensure Role access works locally and also ensures a local replica / copy respects ACL access and prevent any Notes ID being able to open it.
ACL.setInternetLevel()relates to the maximum internet access. This overrides any ACL settings for XPages access. (I am unsure if this is respected for all access via HTTP, so prevents anything above this level of access from OSGi plugins.
ACL.setAdministrationServer()relates to the administration server for the database, used for managing some admin processes.
Once these settings are set as required, standard APIs in the ACL class enable adding / deleting roles and creating / getting / removing ACL entries. NOTE: Don't forget to set an ACL entry for "Anonymous".
This enables managing access if using standard Domino access to the database. If you're using a custom REST service with ODA, the access may be managed via ODA or mapped accordingly to Notes IDs.