Klaus1955

Run agent to change ACL

I'm trying to prohibit write access to the Domino directory, so users should only have read access. The only problem is that they need to set/change their internet password. Therefore, I created an agent which is run from a database all users have access to and which modifies the user's access to author first, then writes the newly entered password to the Directory and after that changes the access back to reader.
This works great: as long as you have manager access to the database (only once).
To enable it also for readers, I tried the agent to "Run-on-behalf" of another ID, which has the permission to run and sign unrestricted methods or operations as well as sign agents which run on behalf of another ID. I tried at first to use the server's, then my own ID, but every time I start the agent under an ID which has only reader access I receive the error that the user isn't permitted to change the ACL (I checked it using the debugger).

Where is my problem?
ASKER CERTIFIED SOLUTION
mbonaci
This solution is only available to members.
I think... don't know why companies usually prevent this: by giving the users Author rights in the names.nsf (without the right to create/delete documents and without any roles assigned), users can actually update their own person document (only specific fields though, and the internet password is one of them!).

That way you don't need the whole hassle of creating an agent or anything at all.

In case you worry that they tamper with the information they can edit with their Author access: usually those fields they can edit are maintained in another system anyway (like an ERP or Active Directory), so feed that information periodically back from this other system... which in the end leaves the user with basically only the possibility to change for good their internet password.

Technical info: the person is the "Owner" of his own person document, and the Owner field is an Authors field, which is why users can edit their person document when they have Author rights.
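The access rule this answer relies on, written out as a simplified Python model. This is an added example, not code from the thread and not the Domino API; the names `AclEntry`, `can_edit` and `audit_author_entry` and the sample users are made up, and the model leaves out Readers fields and the form-level restriction on which fields are editable.

```python
from dataclasses import dataclass
from enum import IntEnum

class Level(IntEnum):  # Domino ACL levels, lowest to highest
    NOACCESS = 0
    DEPOSITOR = 1
    READER = 2
    AUTHOR = 3
    EDITOR = 4
    DESIGNER = 5
    MANAGER = 6

@dataclass(frozen=True)
class AclEntry:
    level: Level
    can_create: bool = False
    can_delete: bool = False
    roles: frozenset = frozenset()

def can_edit(user, groups, entry, authors_items):
    """True if `user` may edit a document whose Authors-type items
    (such as Owner on a person document) hold `authors_items`."""
    if entry.level >= Level.EDITOR:   # Editor and above: Authors items do not restrict
        return True
    if entry.level < Level.AUTHOR:    # Reader and below: never, even for the owner
        return False
    who = {user, *groups, *entry.roles}
    listed = {v.lower() for v in authors_items}
    return any(w.lower() in listed for w in who)

def audit_author_entry(entry):
    """Check an ACL entry against the setup the answer describes."""
    findings = []
    if entry.level != Level.AUTHOR:
        findings.append("level is %s, expected AUTHOR" % entry.level.name)
    if entry.can_create or entry.can_delete:
        findings.append("create/delete documents is enabled")
    if entry.roles:
        findings.append("roles assigned: " + ", ".join(sorted(entry.roles)))
    return findings

# Constructed sample data (names are made up).
JANE = "CN=Jane Doe/O=Example"
JOHN = "CN=John Roe/O=Example"
JANE_DOC_OWNER = [JANE]          # Owner item on Jane's person document
DEFAULT_AUTHOR = AclEntry(Level.AUTHOR)
DEFAULT_READER = AclEntry(Level.READER)
```

With `DEFAULT_AUTHOR`, Jane can edit her own document and John cannot; with `DEFAULT_READER`, not even Jane can, which is why the agent in the question had to raise the access level first.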
Klaus1955

ASKER

I need to follow the solution and develop two separate agents