Solved

Lotus Notes Agent - Run On Behalf Of

Posted on 2010-11-23
16
2,778 Views
Last Modified: 2013-12-18
I have an agent running that runs using ToolsRunMacro; it deletes docs.  The database resides on the server.  It's invoked by people who have Author access in the ACL without delete privileges.  I've set the agent to run On Behalf Of with an ID that DOES have delete rights as well as the proper access in the server document.  In fact, when I run the agent using this ID it works fine.  When I run the agent as a typical user, Author access/no deletes, the lotusscript errors on the exact line of code that does the doc remove.  So, what am I missing?  How can I set it up so the typical user can run this agent to delete documents?
0
Comment
Question by:Make_It_Happen
  • 9
  • 2
  • 2
  • +2
16 Comments
 
LVL 5

Expert Comment

by:RonaldZaal
Comment Utility
Maybe it's only a setting;
In your server document, are all users allowed to run agents on behalf of ?
0
 
LVL 22

Expert Comment

by:mbonaci
Comment Utility
Have you checked "Allow restricted operations" in agent properties?
0
 
LVL 46

Expert Comment

by:Sjef Bosman
Comment Utility
Don't delete the documents, but mark documents as deleted, and create a scheduled agent to delete these marked documents. Small drawback: you'd have to exclude the documents marked for deleting from all views.
0
 
LVL 22

Expert Comment

by:mbonaci
Comment Utility
That's a good suggestion.
Sjef, have you ever considered this way of tackling the drawback you mentioned:

Since you generally don't wont any deleted document to be a part of "regular documents set", in any way (shown in views, calculated in statistics, included in reports,...) I solved this problem by simply appending the word "Deleted" to document's Form field.
And since the first thing you look for (when deciding which docs to process) is Form, this solution kills multiple birds with one stone :)

DeletedDocuments (RecycleBin) view simply shows all documents whose form field ends with the word "Deleted".
To undelete a document, simply remove that suffix from the form field and voila - everything is back to normal.
0
 
LVL 46

Expert Comment

by:Sjef Bosman
Comment Utility
Not bad... not bad... :-) Sadly, I sometimes do have views that display ALL documents, no matter their Form value.

I also thought of Soft Deletions, but I assume that users without Delete permission aren't allowed to do soft deletions either.
0
 
LVL 22

Expert Comment

by:mbonaci
Comment Utility
I generally use all_documents view only for Admins.
Luckily, in my experience, end-users rarely need those kind of views.
0
 
LVL 1

Expert Comment

by:nilanjansaha
Comment Utility
Hi,

As mentioned earlier you can create an hidden view and change the Form value which would be visible in that perticular hidden view, next for your all documents view exclude the "Deleted" form from view selection formula, which will address your problem os seeing deleted emails in all documents view. next write a scheduled agent which would work on notes view class and delete all document from the document collection within the hidden (deleted) view.
0
 
LVL 22

Expert Comment

by:mbonaci
Comment Utility
Why would you delete documents from the recycle bin on schedule?
It's usually allowed to admins/power-users to hard-delete selected documents from the recycle bin, which is then logged in app log.

But if you want to automate the procedure somehow, then, IMHO, it is better to allow users to specify (in app settings) whether they want documents deleted when db is closed. Or something similar to that.
0
Highfive Gives IT Their Time Back

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

 
LVL 1

Expert Comment

by:nilanjansaha
Comment Utility
Yes that is possible whrn the user is having Deletion rights but as in this case the normal users are only having author access without deletion rights that would be challanging.
0
 
LVL 22

Expert Comment

by:mbonaci
Comment Utility
And that's why he's trying to use "Run On Behalf Of".

I think the problem may well be in the server's document, security tab.
From Administrator help (http://publib.boulder.ibm.com/infocenter/domhelp/v8r0/topic/com.ibm.help.domino.admin.doc/DOC/H_RESTRICTING_AGENTS_ON_SERVERS_5644_STEPS.html):
Field named "Sign agents to run on behalf of someone else" should be filled with users who should be allowed to sign agents that will be executed on anyone else's behalf.
The default is blank, which means that no one can sign agents in this manner.


And that setting is what Designer help is referring to (http://publib.boulder.ibm.com/infocenter/domhelp/v8r0/topic/com.ibm.designer.domino.main.doc/H_SETTING_UP_AGENT_SECURITY_USING_THE_SECURITY_TAB_OVER.html):
"Run on behalf of" - Note that restricted signers can run agents only under the same authority as their own (that is, the restricted signers enter only their own name or else the agent returns an error at run time). Unrestricted signers and signers with rights to run "On behalf of anyone" can run agents on behalf of anyone.

Notice the "error in run-time" part.
0
 

Accepted Solution

by:
Make_It_Happen earned 0 total points
Comment Utility
Turns out that if the agent is invoked locally, the 'On Behalf Of' feature takes on the security of the person doing the clicking.  Even if the database resides on the server, there just isn't enough security information accessible for the 'On Behalf Of' to work locally.  So, you have to call a RunOnServer agent that takes advantage of the security information available on the server.  The RunOnServer agent can run 'On Behalf Of' an ID that has delete privileges.
0
 
LVL 22

Expert Comment

by:mbonaci
Comment Utility
A regular user calls an agent (new one) whose whole purpose is to trigger your agent by calling agent.RunOnServer().

Have you tried that?
0
 
LVL 22

Expert Comment

by:mbonaci
Comment Utility
Have you checked server's document, security tab, as mentioned in my previous post?
0
 
LVL 22

Expert Comment

by:mbonaci
Comment Utility
Can you answer the questions?
0
 

Author Closing Comment

by:Make_It_Happen
Comment Utility
This is tricky to accomplish, but the only solution.  The help documentation does elude to the feature not working locally.  I ended up using two RunOnServer agents, one used to pass information and the other to delete the doc used for passing after everything was done.
0
 
LVL 22

Expert Comment

by:mbonaci
Comment Utility
Wasn't that my suggestion (34247270)?
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

You’ve got a lotus Domino web server, and you have been told that “leverage browser caching” is a must do. This means that we have to tell the browser everywhere in the web to use cache. In other words, we set (and send) an expiration date in the HT…
Article by: Rob
Notes 8.5 Archiving Steps and Tips This article covers setting up a Notes archive, and helps understand some of the menu choices making setting up and maintaining a Notes archive file easier.
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now