Klaus1955
asked on
Run agent to change ACL
I'm trying to prohibit write-access to the Domino directory. So users should only have read access. The only problem is, that they need to set/change their internet password. Therefore, i created an agent which is run from a database al users are having access to and is modifying the user's acces to author first, then writes the newly entered password to the Directory and after that changes the access back to reader.
This works great: As long as you have manager access to the atabase(only once).
To enable it also for readers, i tried the agent to "Run-on-behalf" of another ID, which has the permission to run and sign unrestricted methods or operations as well as sign agents which run on behalf of another ID. I tried at first to use the server's, then my own ID, but every time i start the agent under an ID which has only reader access i receive the error that the user isn't permitted to change the ACL(i checked it using the debugger.
Where is my problem?
This works great: As long as you have manager access to the atabase(only once).
To enable it also for readers, i tried the agent to "Run-on-behalf" of another ID, which has the permission to run and sign unrestricted methods or operations as well as sign agents which run on behalf of another ID. I tried at first to use the server's, then my own ID, but every time i start the agent under an ID which has only reader access i receive the error that the user isn't permitted to change the ACL(i checked it using the debugger.
Where is my problem?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
I need to follow the solution and develop two seperate agents
that way you don't need the whole hassle of creating an agent or anything at all..
in case you worry that they tamper with the information they can edit with their author access: usually those fields they can edit are anyway maintained in another system (like an ERP or active directory), so feed those infos periodically back from this other system... which in the end leaves the user with basically only the possibility to change for good their internet password.
technical info: the person is on his own person document the "Owner" and the Owner field is an author field which is why users can edit their person document when they do have author rights