I'm trying to prohibit write access to the Domino directory, so users should only have read access. The only problem is that they need to set/change their internet password. Therefore, I created an agent which is run from a database all users have access to; it first changes the user's access to author, then writes the newly entered password to the Directory, and after that changes the access back to reader.
This works great, as long as you have manager access to the database (only once).
To enable it also for readers, I tried having the agent "Run-on-behalf" of another ID, which has the permission to run and sign unrestricted methods or operations as well as sign agents which run on behalf of another ID. I tried at first to use the server's ID, then my own ID, but every time I start the agent under an ID which has only reader access, I receive the error that the user isn't permitted to change the ACL (I checked it using the debugger).
Where is my problem?