• Status: Solved
  • Priority: Medium
  • Security: Public

ECL without creators ID and/or privs

I want to change ECL on our domain but keep running into ECL security issues. The alleged person who created the domain as it is has left the organisation and has been deleted from the NAB. How can I change the permissions on running the ECL agent without his ID (which is rendered useless because it has expired as well)?

Our domain consists of over 2000 Notes users and over 40 servers, so installing a new NAB and creating a new domain are out of the question.
1 Solution
Switch to the current admin ID, open the agent in Designer, then resave it. This should incorporate the current admin access and signatures.

I do not understand your problem.

Either this general Execution Control List allows agents signed by this "security hole" user to run :-) and you are too lazy to change this fact,
or you do not know how to distribute your CommonName as signer for agents and other design elements to all workstation ECLs.

At our installation we do not use person IDs for application signing. We have special application signing IDs for every block of applications which we release for production. One such signer CommonName could be:

So your ECL can allow execution of all */App/CompanyOrg signed designs.

If you like to live with the security hole, then recreate the same CommonName as the deleted one for application signing purposes. Public keys are not compared at the ECL level.

Good luck,
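
An added illustration, not part of the original thread and not Notes code: a simplified Python model of the name-based ECL matching described in the comment above, next to a variant that also pins the signer's public key. The signer name, the key bytes and the `pinned_keys` field are constructed for the example, and the wildcard rule (an entry `*/X` matches any name ending in `/X`) is a simplifying assumption.

```python
import hashlib

def name_matches(entry: str, signer: str) -> bool:
    """Match a hierarchical signer name against an ECL-style entry.
    Assumption: '*/App/CompanyOrg' matches any name ending in '/App/CompanyOrg'."""
    entry, signer = entry.strip().lower(), signer.strip().lower()
    if entry.startswith("*/"):
        return signer.endswith(entry[1:])
    return signer == entry

def fingerprint(public_key: bytes) -> str:
    """Stable identifier for a key; SHA-256 chosen for the example."""
    return hashlib.sha256(public_key).hexdigest()

def allowed_by_name(ecl, signer_name):
    """Trust decision that looks at the signer name only."""
    return any(name_matches(e["name"], signer_name) for e in ecl)

def allowed_by_name_and_key(ecl, signer_name, public_key):
    """Trust decision that also requires a key pinned on the matching entry."""
    fp = fingerprint(public_key)
    return any(name_matches(e["name"], signer_name) and fp in e["pinned_keys"]
               for e in ecl)

# Constructed sample data: one application-signing entry with one pinned key.
ORIGINAL_KEY = b"constructed-public-key-of-original-signing-id"
RECREATED_KEY = b"constructed-public-key-of-recreated-signing-id"
ECL = [{"name": "*/App/CompanyOrg",
        "pinned_keys": {fingerprint(ORIGINAL_KEY)}}]

def demo():
    signer = "Release Signer/App/CompanyOrg"   # hypothetical signing ID name
    return {
        # Name-only check: any ID carrying a matching name is accepted.
        "name_only": allowed_by_name(ECL, signer),
        # Name + key: the original ID passes, a re-created one does not.
        "pinned_original": allowed_by_name_and_key(ECL, signer, ORIGINAL_KEY),
        "pinned_recreated": allowed_by_name_and_key(ECL, signer, RECREATED_KEY),
        # A name outside the hierarchy is rejected in both models.
        "other_org": allowed_by_name(ECL, "Release Signer/App/OtherOrg"),
    }

if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```
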

Eric, one more about the questions...

I saw you have created your account today. I am happy we have you among us as an expert. But please keep in mind what the biggest problem in our EE community is: abandoned questions.
And you have to know that, as soon as a question is answered, none of the other experts has much interest in getting involved until the "wrong" answer is rejected by the questioner. Most questioners sit there and wait until the right answer comes along. They do not get much involved in their own questions :-)

You have also answered a question on your first day. At first glance this is an enthusiastic manner. But please keep this abandoned question problem in mind.

Thank you,

Hi Eric, welcome!
I told you this would have a better response than notes.net!?

Eric is a colleague of mine: he's one of the administrators, I'm one of the developers. He's not any lazier than any of us here!

I don't fully understand the problem. I only saw the symptoms briefly. Even though he owns admin IDs etc., the ECL checkboxes remain greyed out... and something needs to be altered badly!
I am lazy :-)

OK, where do you see this disabled (grayed) ECL checkbox?

Are you sure you are not talking about ACL :-)

Or are you talking about the names.nsf Action "EditAdministrationECL" in your domains names.nsf?

If you are really talking about your domain's ECL, then make a local copy of your names.nsf and try to modify this ECL there. Stop the server and bring the names.nsf back to the server (and hope that this will replicate to the other servers' names.nsf, I don't know :-)

If this AdministrationECL really is not titled: ECLforAdministrator
but something like: ECLforJohnDoe/OU/Org
then create this damned JohnDoe within the same hierarchy and use this as I proposed in my first comment.

My assumption that AdministrationECL is not replicating seems to be a known problem to Lotus:

Anyway, the best solution is to set it manually at every server (when not greyed :-)

Another idea would be to create a new AdministrationECL with this command:

and afterwards distribute a mail with a button updating the users' workstation ECL, as described here:

Hey Eric!
Welcome to the Forum.

EricMD (Author) commented:
Okay guys, here's the answer. I got it from another Notes admin who I happened to run into. It worked like a charm:

Create a new location document and remove the home server name from it.
Switch to that location, go to the ECL and press refresh. Since there is no server on which the ECL is able to verify, it will give you local control, which is full. Now go to the address book and run the agent.

I tried it and it worked. Is this a security bug in Notes or just an undocumented feature :-)

thanks for all the help.

I still do not know exactly what you are talking about.

Whether it is a security hole to change the local ECL I will also never know, because in our installations we do not forbid changing private ECLs.

Anyway, the good ending is that you found your solution.

You now have two options: accept any comment as the answer to keep your solution as a foundation for the next questioner,
or delete this question because of all these misunderstandings and reward your question points.

In any case thank you for the feedback :-) EE is full of abandoned questions where questioners found their solutions in some way and were too frustrated to close their questions.


EricMD (Author) commented:
Although it was not the answer to the problem, it did contain a link for creating the mail towards our users.
Thanks for the feedback and for the points :-)

Did you know that this B grading is not a school grading? It is an Expert points multiplier.

Only for the future... <|:-)

So long,

