Solved

Lotus Notes Agent - Run On Behalf Of

Posted on 2010-11-23
16
2,907 Views
Last Modified: 2013-12-18
I have an agent running that runs using ToolsRunMacro; it deletes docs. The database resides on the server. It's invoked by people who have Author access in the ACL without delete privileges. I've set the agent to run On Behalf Of with an ID that DOES have delete rights as well as the proper access in the server document. In fact, when I run the agent using this ID it works fine. When I run the agent as a typical user, Author access/no deletes, the LotusScript errors on the exact line of code that does the doc remove. So, what am I missing? How can I set it up so the typical user can run this agent to delete documents?
0
Comment
Question by:Make_It_Happen
16 Comments
 
LVL 5

Expert Comment

by:RonaldZaal
ID: 34203241
Maybe it's only a setting;
In your server document, are all users allowed to run agents on behalf of?
0
 
LVL 22

Expert Comment

by:mbonaci
ID: 34203405
Have you checked "Allow restricted operations" in agent properties?
0
 
LVL 46

Expert Comment

by:Sjef Bosman
ID: 34205039
Don't delete the documents, but mark documents as deleted, and create a scheduled agent to delete these marked documents. Small drawback: you'd have to exclude the documents marked for deleting from all views.
0
 
LVL 22

Expert Comment

by:mbonaci
ID: 34205254
That's a good suggestion.
Sjef, have you ever considered this way of tackling the drawback you mentioned:

Since you generally don't want any deleted document to be a part of the "regular documents set" in any way (shown in views, calculated in statistics, included in reports, ...), I solved this problem by simply appending the word "Deleted" to the document's Form field.
And since the first thing you look for (when deciding which docs to process) is Form, this solution kills multiple birds with one stone :)

DeletedDocuments (RecycleBin) view simply shows all documents whose form field ends with the word "Deleted".
To undelete a document, simply remove that suffix from the form field and voila - everything is back to normal.
0
 
LVL 46

Expert Comment

by:Sjef Bosman
ID: 34205365
Not bad... not bad... :-) Sadly, I sometimes do have views that display ALL documents, no matter their Form value.

I also thought of Soft Deletions, but I assume that users without Delete permission aren't allowed to do soft deletions either.
0
 
LVL 22

Expert Comment

by:mbonaci
ID: 34205762
I generally use all_documents view only for Admins.
Luckily, in my experience, end-users rarely need those kinds of views.
0
 
LVL 1

Expert Comment

by:nilanjansaha
ID: 34212549
Hi,

As mentioned earlier, you can create a hidden view and change the Form value, which would be visible in that particular hidden view. Next, for your all documents view, exclude the "Deleted" form from the view selection formula, which will address your problem of seeing deleted emails in the all documents view. Next, write a scheduled agent which would work on the Notes view class and delete all documents from the document collection within the hidden (deleted) view.
0
 
LVL 22

Expert Comment

by:mbonaci
ID: 34212607
Why would you delete documents from the recycle bin on schedule?
It's usually allowed to admins/power-users to hard-delete selected documents from the recycle bin, which is then logged in app log.

But if you want to automate the procedure somehow, then, IMHO, it is better to allow users to specify (in app settings) whether they want documents deleted when db is closed. Or something similar to that.
0
 
LVL 1

Expert Comment

by:nilanjansaha
ID: 34215824
Yes, that is possible when the user has deletion rights, but as in this case the normal users only have Author access without deletion rights, that would be challenging.
0
 
LVL 22

Expert Comment

by:mbonaci
ID: 34216482
And that's why he's trying to use "Run On Behalf Of".

I think the problem may well be in the server's document, security tab.
From Administrator help (http://publib.boulder.ibm.com/infocenter/domhelp/v8r0/topic/com.ibm.help.domino.admin.doc/DOC/H_RESTRICTING_AGENTS_ON_SERVERS_5644_STEPS.html):
Field named "Sign agents to run on behalf of someone else" should be filled with users who should be allowed to sign agents that will be executed on anyone else's behalf.
The default is blank, which means that no one can sign agents in this manner.


And that setting is what Designer help is referring to (http://publib.boulder.ibm.com/infocenter/domhelp/v8r0/topic/com.ibm.designer.domino.main.doc/H_SETTING_UP_AGENT_SECURITY_USING_THE_SECURITY_TAB_OVER.html):
"Run on behalf of" - Note that restricted signers can run agents only under the same authority as their own (that is, the restricted signers enter only their own name or else the agent returns an error at run time). Unrestricted signers and signers with rights to run "On behalf of anyone" can run agents on behalf of anyone.

Notice the "error in run-time" part.
0
 

Accepted Solution

by:
Make_It_Happen earned 0 total points
ID: 34232541
Turns out that if the agent is invoked locally, the 'On Behalf Of' feature takes on the security of the person doing the clicking.  Even if the database resides on the server, there just isn't enough security information accessible for the 'On Behalf Of' to work locally.  So, you have to call a RunOnServer agent that takes advantage of the security information available on the server.  The RunOnServer agent can run 'On Behalf Of' an ID that has delete privileges.
0
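The two-agent arrangement described in the accepted solution, as an added LotusScript example (not the poster's code). The agent, form and item names (`RequestDelete`, `DeleteWorker`, `DeleteRequest`, `TargetNoteID`, `Order`, `DocAuthors`) are hypothetical; the server-side check on what may be deleted is an addition, and here the worker removes the request document itself.

```lotusscript
' Agent 1 "RequestDelete" (hypothetical name): started by the user in the client.
' Needs only Author access: it creates a request document and hands its NoteID to the server.
Sub Initialize
	Dim session As New NotesSession
	Dim db As NotesDatabase, worker As NotesAgent
	Dim target As NotesDocument, req As NotesDocument
	Set db = session.CurrentDatabase
	Set target = db.UnprocessedDocuments.GetFirstDocument
	If target Is Nothing Then Exit Sub
	Set req = db.CreateDocument
	req.Form = "DeleteRequest"               ' hypothetical form name
	req.TargetNoteID = target.NoteID         ' hypothetical item name
	Call req.Save(True, False)
	Set worker = db.GetAgent("DeleteWorker") ' hypothetical agent name
	If worker.RunOnServer(req.NoteID) <> 0 Then Messagebox "Server agent did not run"
End Sub

' Agent 2 "DeleteWorker": signed and set to "Run on behalf of" the ID with delete rights.
' It runs on the server with that ID's access, so it decides itself what may be deleted.
Sub Initialize
	Dim session As New NotesSession
	Dim db As NotesDatabase
	Dim req As NotesDocument, target As NotesDocument
	Dim savers As Variant, owners As Variant, allowed As Boolean
	On Error Goto cleanup                    ' e.g. invalid or stale NoteID
	Set db = session.CurrentDatabase
	Set req = db.GetDocumentByID(session.CurrentAgent.ParameterDocID)
	If req.Form(0) <> "DeleteRequest" Then Exit Sub
	savers = req.Authors                     ' who saved the request document
	Set target = db.GetDocumentByID(req.TargetNoteID(0))
	If target.Form(0) = "Order" Then         ' hypothetical allow-list of deletable forms
		owners = target.GetItemValue("DocAuthors") ' hypothetical Authors item
		Forall n In owners
			If Lcase(n) = Lcase(savers(0)) Then allowed = True
		End Forall
	End If
	If allowed Then Call target.Remove(True)
cleanup:
	If Not (req Is Nothing) Then Call req.Remove(True)
End Sub
```

Each `Sub Initialize` goes into its own agent. Because the worker deletes with the privileged ID's rights for whoever triggers it, the form and ownership checks are what keep an Author-level user from removing arbitrary documents.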
 
LVL 22

Expert Comment

by:mbonaci
ID: 34247270
A regular user calls an agent (new one) whose whole purpose is to trigger your agent by calling agent.RunOnServer().

Have you tried that?
0
 
LVL 22

Expert Comment

by:mbonaci
ID: 34247278
Have you checked server's document, security tab, as mentioned in my previous post?
0
 
LVL 22

Expert Comment

by:mbonaci
ID: 34255435
Can you answer the questions?
0
 

Author Closing Comment

by:Make_It_Happen
ID: 34281091
This is tricky to accomplish, but the only solution. The help documentation does allude to the feature not working locally. I ended up using two RunOnServer agents, one used to pass information and the other to delete the doc used for passing after everything was done.
0
 
LVL 22

Expert Comment

by:mbonaci
ID: 34281379
Wasn't that my suggestion (34247270)?
0

Question has a verified solution.
