Run agent to change ACL

Posted on 2010-08-24
Last Modified: 2013-12-18
I'm trying to prohibit write access to the Domino directory, so users should only have read access. The only problem is that they need to set/change their internet password. Therefore, I created an agent which is run from a database all users have access to; it modifies the user's access to Author first, then writes the newly entered password to the Directory, and after that changes the access back to Reader.
This works great: as long as you have Manager access to the database (only once).
To enable it also for readers, I tried to set the agent to "Run on behalf" of another ID, which has the permission to run and sign unrestricted methods or operations as well as sign agents which run on behalf of another ID. I tried at first to use the server's ID, then my own ID, but every time I start the agent under an ID which has only Reader access I receive the error that the user isn't permitted to change the ACL (I checked it using the debugger).

Where is my problem?
Question by:Klaus1955
3 Comments
Accepted Solution

by: mbonaci (earned 250 total points)
ID: 33508685
You need to understand that the effective user rights ('on behalf of' user) are not used to determine the operations the agent is permitted to perform; these are based on the agent signer (the agent owner).

This is what designer help says about this property:
Lets you specify the agent's effective user. Note that restricted signers can run agents only under the same authority as their own -- they can enter their own name only. Unrestricted signers and signers with rights to run "On Behalf of anyone" can run agents on behalf of anyone. Whoever you specify in this field must be included in the ACL of any application being accessed. If the agent sends mail or creates documents, the name specified here will be the mail sender or document author.

In order for the agent to run on behalf of someone else (other than the one that caused it to run) it has to be on the server side (run on server). Otherwise the agent directly inherits access rights from the user that triggered it.

So I suggest:
 - create new folder
 - modify the code that user triggers so that it creates a "request document" which you'll fill with information and place in your new folder (you may create the Request form if you like, but it's not necessary)
 - set your agent to run on schedule. It would check the folder periodically, and process documents (set addresses in NAB) and then remove documents from the folder or delete them completely from a db

That way the agent will run with your access rights (the access rights of the user that last saved it).
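The request-document pattern from the accepted answer, as an added LotusScript example that is not code from the original thread. The database layout, the folder name PasswordRequests, the Request form and the ReqHash/ReqStatus fields are assumptions; the first Sub belongs in the user-triggered agent, the second in a scheduled server agent (called from its Initialize) signed by an ID with Editor access to names.nsf.

```lotusscript
Option Declare

' Half 1: called from the user-triggered agent (user is only a Reader in
' names.nsf). Stores the Domino password hash, never the cleartext.
Sub CreateRequest(reqDb As NotesDatabase, newPw As String)
    Dim session As New NotesSession
    Dim req As NotesDocument
    Set req = reqDb.CreateDocument
    Call req.ReplaceItemValue("Form", "Request")
    Call req.ReplaceItemValue("ReqHash", session.HashPassword(newPw))
    Call req.ReplaceItemValue("ReqStatus", "pending")
    Call req.Save(True, False)
    Call req.PutInFolder("PasswordRequests")
End Sub

' Half 2: scheduled server agent, signed by an ID that is Editor in
' names.nsf. Its rights come from the signer, not from the requester.
Sub ProcessRequests()
    Dim session As New NotesSession
    Dim reqDb As NotesDatabase, nab As NotesDatabase
    Dim folder As NotesView, people As NotesView
    Dim req As NotesDocument, nextReq As NotesDocument, person As NotesDocument
    Dim requester As String

    Set reqDb = session.CurrentDatabase
    Set nab = session.GetDatabase(reqDb.Server, "names.nsf")
    Set people = nab.GetView("($Users)")
    Set folder = reqDb.GetView("PasswordRequests")

    Set req = folder.GetFirstDocument
    Do While Not req Is Nothing
        Set nextReq = folder.GetNextDocument(req)
        ' Identify the requester from the creator Domino recorded in $UpdatedBy,
        ' not from a user-editable field, so each user can only reset their own
        ' entry (give users at most Author access in the request database).
        requester = req.Authors(0)
        Set person = people.GetDocumentByKey(requester, True)
        If person Is Nothing Then
            Call req.ReplaceItemValue("ReqStatus", "error: no Person document")
        Else
            Call person.ReplaceItemValue("HTTPPassword", req.GetItemValue("ReqHash")(0))
            Call person.Save(True, False)
            Call req.ReplaceItemValue("ReqStatus", "done")
            Call req.RemoveItem("ReqHash")
        End If
        Call req.Save(True, False)
        Call req.RemoveFromFolder("PasswordRequests")
        Set req = nextReq
    Loop
End Sub
```

Because the hash is removed from the request once it has been applied, the request database keeps only a status trail and no password material.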
Expert Comment

by: iPinky
ID: 33509075
I think.. don't know why companies prevent this usually: giving the users Author rights in the names.nsf (without the right to create/delete documents and without any roles assigned) users can actually update their own person document (only specific fields though, and the internet password is one of them!!!)

that way you don't need the whole hassle of creating an agent or anything at all..

in case you worry that they tamper with the information they can edit with their author access: usually those fields they can edit are anyway maintained in another system (like an ERP or Active Directory), so feed that info periodically back from this other system... which in the end leaves the user with basically only the possibility to change their internet password for good.

technical info: the person is the "Owner" of his own person document, and the Owner field is an Authors field, which is why users can edit their person document when they do have author rights.
Author Closing Comment

by: Klaus1955
ID: 33509267
I need to follow the solution and develop two separate agents.