Solved

Run agent to change ACL

Posted on 2010-08-24
3
915 Views
Last Modified: 2013-12-18
I'm trying to prohibit write-access to the Domino directory. So users should only have read access. The only problem is, that they need to set/change their internet password. Therefore, i created an agent which is run from a database al users are having access to and is modifying the user's acces to author first, then writes the newly entered password to the Directory and after that changes the access back to reader.
This works great: As long as you have manager access to the atabase(only once).
To enable it also for readers, i tried the agent to "Run-on-behalf" of another ID, which has the permission to run and sign unrestricted methods or operations as well as sign agents which run on behalf of another ID. I tried at first to use the server's, then my own ID, but every time i start the agent under an ID which has only reader access i receive the error that the user isn't permitted to change the ACL(i checked it using the debugger.

Where is my problem?
0
Comment
Question by:Klaus1955
3 Comments
 
LVL 22

Accepted Solution

by:
mbonaci earned 250 total points
ID: 33508685
You need to understand that the effective user rights ('on behalf of' user) are not used to determine the operations the agent is permitted to perform; these are based on the agent signer (the agent owner).

This is what designer help says about this property:
Lets you specify the agent's effective user. Note that restricted signers can run agents only under the same authority as their own -- they can enter their own name only. Unrestricted signers and signers with rights to run "On Behalf of anyone" can run agents on behalf of anyone. Whoever you specify in this field must be included in the ACL of any application being accessed. If the agent sends mail or creates documents, the name specified here will be the mail sender or document author.

In order for agent to run on behalf of someone else (other then the one that caused it to run) it has to be on the server side (run on server). Otherwise the agent directly inherits access rights from the user that triggered it.

So I suggest:
 - create new folder
 - modify the code that user triggers so that it creates a "request document" which you'll fill with information and place in your new folder (you may create the Request form if you like, but it's not necessary)
 - set your agent to run on schedule. It would check the folder periodically, and process documents (set addresses in NAB) and then remove documents from the folder or delete them completely from a db

That way the agent will run with your access rights (the access rights of the user that last saved it).
0
 
LVL 5

Expert Comment

by:iPinky
ID: 33509075
I think.. don't know why companies prevent this usually: giving the users Author rights in the names.nsf (without the right to create/delete documents and without any roles assigned) users can actually update their own person document (only specific fields though, and the internet password is one of them!!!)

that way you don't need the whole hassle of creating an agent or anything at all..

in case you worry that they tamper with the information they can edit with their author access: usually those fields they can edit are anyway maintained in another system (like an ERP or active directory), so feed those infos periodically back from this other system... which in the end leaves the user with basically only the possibility to change for good their internet password.

technical info: the person is on his own person document the "Owner" and the Owner field is an author field which is why users can edit their person document when they do have author rights
0
 

Author Closing Comment

by:Klaus1955
ID: 33509267
I need to follow the solution and develop two seperate agents
0

Featured Post

Enabling OSINT in Activity Based Intelligence

Activity based intelligence (ABI) requires access to all available sources of data. Recorded Future allows analysts to observe structured data on the open, deep, and dark web.

Join & Write a Comment

I thought it will be a good idea to make a post as it will help in case someone else faces these issues. I trust this gives an idea how each entry in Notes.ini can mean a lot for the Domino Server to be functioning properly. This article discusses t…
IBM Notes offer Encryption feature using which the user can secure its NSF emails or entire database easily. In this section we will discuss about the process to Encrypt Incoming and Outgoing Mails in depth.
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…
When you create an app prototype with Adobe XD, you can insert system screens -- sharing or Control Center, for example -- with just a few clicks. This video shows you how. You can take the full course on Experts Exchange at http://bit.ly/XDcourse.

706 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now