Make_It_Happen


Lotus Notes Agent - Run On Behalf Of

I have an agent running that runs using ToolsRunMacro; it deletes docs.  The database resides on the server.  It's invoked by people who have Author access in the ACL without delete privileges.  I've set the agent to run On Behalf Of with an ID that DOES have delete rights as well as the proper access in the server document.  In fact, when I run the agent using this ID it works fine.  When I run the agent as a typical user, Author access/no deletes, the LotusScript errors on the exact line of code that does the doc remove.  So, what am I missing?  How can I set it up so the typical user can run this agent to delete documents?
RonaldZaal

Maybe it's only a setting;
In your server document, are all users allowed to run agents on behalf of?
Have you checked "Allow restricted operations" in agent properties?
Sjef Bosman

Don't delete the documents, but mark documents as deleted, and create a scheduled agent to delete these marked documents. Small drawback: you'd have to exclude the documents marked for deleting from all views.
That's a good suggestion.
Sjef, have you ever considered this way of tackling the drawback you mentioned:

Since you generally don't want any deleted document to be a part of the "regular documents set" in any way (shown in views, calculated in statistics, included in reports, ...), I solved this problem by simply appending the word "Deleted" to the document's Form field.
And since the first thing you look for (when deciding which docs to process) is Form, this solution kills multiple birds with one stone :)

DeletedDocuments (RecycleBin) view simply shows all documents whose form field ends with the word "Deleted".
To undelete a document, simply remove that suffix from the form field and voila - everything is back to normal.
Not bad... not bad... :-) Sadly, I sometimes do have views that display ALL documents, no matter their Form value.

I also thought of Soft Deletions, but I assume that users without Delete permission aren't allowed to do soft deletions either.
I generally use all_documents view only for Admins.
Luckily, in my experience, end-users rarely need those kinds of views.
Hi,

As mentioned earlier, you can create a hidden view and change the Form value, which would be visible in that particular hidden view. Next, for your all documents view, exclude the "Deleted" form from the view selection formula, which will address your problem of seeing deleted emails in the all documents view. Next, write a scheduled agent which would work on the notes view class and delete all documents from the document collection within the hidden (deleted) view.
Why would you delete documents from the recycle bin on schedule?
It's usually allowed to admins/power-users to hard-delete selected documents from the recycle bin, which is then logged in app log.

But if you want to automate the procedure somehow, then, IMHO, it is better to allow users to specify (in app settings) whether they want documents deleted when db is closed. Or something similar to that.
Yes, that is possible when the user has deletion rights, but as in this case the normal users only have Author access without deletion rights, that would be challenging.
And that's why he's trying to use "Run On Behalf Of".

I think the problem may well be in the server's document, security tab.
From Administrator help (http://publib.boulder.ibm.com/infocenter/domhelp/v8r0/topic/com.ibm.help.domino.admin.doc/DOC/H_RESTRICTING_AGENTS_ON_SERVERS_5644_STEPS.html):
Field named "Sign agents to run on behalf of someone else" should be filled with users who should be allowed to sign agents that will be executed on anyone else's behalf.
The default is blank, which means that no one can sign agents in this manner.


And that setting is what Designer help is referring to (http://publib.boulder.ibm.com/infocenter/domhelp/v8r0/topic/com.ibm.designer.domino.main.doc/H_SETTING_UP_AGENT_SECURITY_USING_THE_SECURITY_TAB_OVER.html):
"Run on behalf of" - Note that restricted signers can run agents only under the same authority as their own (that is, the restricted signers enter only their own name or else the agent returns an error at run time). Unrestricted signers and signers with rights to run "On behalf of anyone" can run agents on behalf of anyone.

Notice the "error in run-time" part.
ASKER CERTIFIED SOLUTION
Make_It_Happen

This solution is only available to members.
A regular user calls an agent (new one) whose whole purpose is to trigger your agent by calling agent.RunOnServer().

Have you tried that?
Have you checked server's document, security tab, as mentioned in my previous post?
Can you answer the questions?
Make_It_Happen

ASKER

This is tricky to accomplish, but the only solution.  The help documentation does allude to the feature not working locally.  I ended up using two RunOnServer agents, one used to pass information and the other to delete the doc used for passing after everything was done.
Wasn't that my suggestion (34247270)?
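
The RunOnServer hand-off described in the closing posts, shown as an added LotusScript example; it is not code from the thread, and it uses one server-side agent where the asker used two. The agent names, the DeleteRequest form and the TargetUNID field are assumptions, as is the users' right to create documents.

```lotusscript
' --- Agent 1, "RequestDelete" (hypothetical name): run by the user on selected docs
Sub Initialize
	Dim session As New NotesSession
	Dim db As NotesDatabase
	Dim col As NotesDocumentCollection
	Dim target As NotesDocument, nxt As NotesDocument, req As NotesDocument
	Dim worker As NotesAgent, unid As String
	Set db = session.CurrentDatabase
	Set col = db.UnprocessedDocuments
	Set worker = db.GetAgent("(PurgeOnServer)")
	Set target = col.GetFirstDocument
	Do Until target Is Nothing
		Set nxt = col.GetNextDocument(target)   ' fetch before target disappears
		unid = target.UniversalID
		Set req = db.CreateDocument             ' needs "Create documents" in the ACL
		req.Form = "DeleteRequest"              ' hypothetical hand-off form
		req.TargetUNID = unid                   ' hypothetical field name
		Call req.Save(True, False)
		If worker.RunOnServer(req.NoteID) <> 0 Then
			Print "Delete request failed for " & unid
		End If
		Set target = nxt
	Loop
End Sub

' --- Agent 2, "(PurgeOnServer)" (hypothetical name): a separate agent, signed by an
' --- ID with delete rights; RunOnServer executes it on the server as that signer
Sub Initialize
	Dim session As New NotesSession
	Dim db As NotesDatabase
	Dim req As NotesDocument, target As NotesDocument
	Dim noteID As String
	Set db = session.CurrentDatabase
	noteID = session.CurrentAgent.ParameterDocID
	If noteID = "" Then Exit Sub
	Set req = db.GetDocumentByID(noteID)
	If req Is Nothing Then Exit Sub
	' Only act on a well-formed request, never on an arbitrary note ID
	If req.Form(0) <> "DeleteRequest" Then Exit Sub
	On Error Resume Next                        ' an unknown UNID raises an error
	Set target = db.GetDocumentByUNID(req.TargetUNID(0))
	On Error Goto 0
	If Not (target Is Nothing) Then
		' Runs with the signer's rights: enforce any "may this user delete this?" rule here
		Print "Purge " & target.UniversalID & " requested by " & req.Authors(0)
		Call target.Remove(True)
	End If
	Call req.Remove(True)                       ' clean up the hand-off document
End Sub
```

Because the second agent deletes with its signer's authority, the form check and the logged requester are the only controls between an Author-level user and a delete; any rule about which documents a user may remove has to be added at the marked comment.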