Lotus Notes Agent - Run On Behalf Of

Posted on 2010-11-23
Last Modified: 2013-12-18
I have an agent running that runs using ToolsRunMacro; it deletes docs.  The database resides on the server.  It's invoked by people who have Author access in the ACL without delete privileges.  I've set the agent to run On Behalf Of with an ID that DOES have delete rights as well as the proper access in the server document.  In fact, when I run the agent using this ID it works fine.  When I run the agent as a typical user, Author access/no deletes, the LotusScript errors on the exact line of code that does the doc remove.  So, what am I missing?  How can I set it up so the typical user can run this agent to delete documents?
Question by:Make_It_Happen
16 Comments
 
LVL 5

Expert Comment

by:RonaldZaal
ID: 34203241
Maybe it's only a setting;
In your server document, are all users allowed to run agents on behalf of ?
0
 
LVL 22

Expert Comment

by:mbonaci
ID: 34203405
Have you checked "Allow restricted operations" in agent properties?
0
 
LVL 46

Expert Comment

by:Sjef Bosman
ID: 34205039
Don't delete the documents, but mark documents as deleted, and create a scheduled agent to delete these marked documents. Small drawback: you'd have to exclude the documents marked for deleting from all views.
0
 
LVL 22

Expert Comment

by:mbonaci
ID: 34205254
That's a good suggestion.
Sjef, have you ever considered this way of tackling the drawback you mentioned:

Since you generally don't want any deleted document to be a part of the "regular documents set" in any way (shown in views, calculated in statistics, included in reports, ...), I solved this problem by simply appending the word "Deleted" to the document's Form field.
And since the first thing you look for (when deciding which docs to process) is Form, this solution kills multiple birds with one stone :)

DeletedDocuments (RecycleBin) view simply shows all documents whose form field ends with the word "Deleted".
To undelete a document, simply remove that suffix from the form field and voila - everything is back to normal.
0
 
LVL 46

Expert Comment

by:Sjef Bosman
ID: 34205365
Not bad... not bad... :-) Sadly, I sometimes do have views that display ALL documents, no matter their Form value.

I also thought of Soft Deletions, but I assume that users without Delete permission aren't allowed to do soft deletions either.
0
 
LVL 22

Expert Comment

by:mbonaci
ID: 34205762
I generally use all_documents view only for Admins.
Luckily, in my experience, end-users rarely need those kinds of views.
0
 
LVL 1

Expert Comment

by:nilanjansaha
ID: 34212549
Hi,

As mentioned earlier, you can create a hidden view and change the Form value, which would be visible in that particular hidden view. Next, for your all documents view, exclude the "Deleted" form from the view selection formula, which will address your problem of seeing deleted emails in the all documents view. Next, write a scheduled agent which would work on the notes view class and delete all documents from the document collection within the hidden (deleted) view.
0
 
LVL 22

Expert Comment

by:mbonaci
ID: 34212607
Why would you delete documents from the recycle bin on schedule?
It's usually allowed to admins/power-users to hard-delete selected documents from the recycle bin, which is then logged in app log.

But if you want to automate the procedure somehow, then, IMHO, it is better to allow users to specify (in app settings) whether they want documents deleted when db is closed. Or something similar to that.
0
 
LVL 1

Expert Comment

by:nilanjansaha
ID: 34215824
Yes, that is possible when the user has deletion rights, but as in this case the normal users only have Author access without deletion rights, that would be challenging.
0
 
LVL 22

Expert Comment

by:mbonaci
ID: 34216482
And that's why he's trying to use "Run On Behalf Of".

I think the problem may well be in the server's document, security tab.
From Administrator help (http://publib.boulder.ibm.com/infocenter/domhelp/v8r0/topic/com.ibm.help.domino.admin.doc/DOC/H_RESTRICTING_AGENTS_ON_SERVERS_5644_STEPS.html):
Field named "Sign agents to run on behalf of someone else" should be filled with users who should be allowed to sign agents that will be executed on anyone else's behalf.
The default is blank, which means that no one can sign agents in this manner.


And that setting is what Designer help is referring to (http://publib.boulder.ibm.com/infocenter/domhelp/v8r0/topic/com.ibm.designer.domino.main.doc/H_SETTING_UP_AGENT_SECURITY_USING_THE_SECURITY_TAB_OVER.html):
"Run on behalf of" - Note that restricted signers can run agents only under the same authority as their own (that is, the restricted signers enter only their own name or else the agent returns an error at run time). Unrestricted signers and signers with rights to run "On behalf of anyone" can run agents on behalf of anyone.

Notice the "error in run-time" part.
0
 

Accepted Solution

by:
Make_It_Happen earned 0 total points
ID: 34232541
Turns out that if the agent is invoked locally, the 'On Behalf Of' feature takes on the security of the person doing the clicking.  Even if the database resides on the server, there just isn't enough security information accessible for the 'On Behalf Of' to work locally.  So, you have to call a RunOnServer agent that takes advantage of the security information available on the server.  The RunOnServer agent can run 'On Behalf Of' an ID that has delete privileges.
0
 
LVL 22

Expert Comment

by:mbonaci
ID: 34247270
A regular user calls an agent (new one) whose whole purpose is to trigger your agent by calling agent.RunOnServer().

Have you tried that?
0
 
LVL 22

Expert Comment

by:mbonaci
ID: 34247278
Have you checked server's document, security tab, as mentioned in my previous post?
0
 
LVL 22

Expert Comment

by:mbonaci
ID: 34255435
Can you answer the questions?
0
 

Author Closing Comment

by:Make_It_Happen
ID: 34281091
This is tricky to accomplish, but the only solution.  The help documentation does allude to the feature not working locally.  I ended up using two RunOnServer agents, one used to pass information and the other to delete the doc used for passing after everything was done.
0
 
LVL 22

Expert Comment

by:mbonaci
ID: 34281379
Wasn't that my suggestion (34247270)?
0
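
A LotusScript sketch of the pattern described in the accepted solution and in comment 34247270, added here as an example and not code posted by anyone in the thread: a client-side agent writes a request document and calls RunOnServer, and a server-side agent set to run On Behalf Of an ID with delete rights performs the removal. The agent name "(DeleteWorker)", the form name "DeleteRequest" and the field TargetUNID are hypothetical, and the trigger agent is assumed to target selected documents.

```lotusscript
' --- Agent 1: trigger agent, started by the user (e.g. via ToolsRunMacro) ---
' Runs in the client with the user's own rights (Author, no delete).
Sub Initialize
    Dim session As New NotesSession
    Dim db As NotesDatabase
    Dim col As NotesDocumentCollection
    Dim doc As NotesDocument, req As NotesDocument
    Dim worker As NotesAgent
    Set db = session.CurrentDatabase
    Set col = db.UnprocessedDocuments               ' the selected documents
    Set worker = db.GetAgent("(DeleteWorker)")      ' hypothetical agent name
    Set doc = col.GetFirstDocument
    Do Until doc Is Nothing
        ' Author access is enough to create the request document
        Set req = db.CreateDocument
        req.Form = "DeleteRequest"                  ' hypothetical form name
        req.TargetUNID = doc.UniversalID            ' hypothetical field name
        Call req.Save(True, False)
        ' Pass the request's NoteID to the server-side agent
        If worker.RunOnServer(req.NoteID) <> 0 Then
            Messagebox "Delete request failed for " & doc.UniversalID
        End If
        Set doc = col.GetNextDocument(doc)
    Loop
End Sub

' --- Agent 2: "(DeleteWorker)", a separate agent in the same database ---
' Executes on the server; its Security tab sets "Run on behalf of" to the
' ID that has delete rights in the ACL.
Sub Initialize
    Dim session As New NotesSession
    Dim db As NotesDatabase
    Dim req As NotesDocument, target As NotesDocument
    Set db = session.CurrentDatabase
    Set req = db.GetDocumentByID(session.CurrentAgent.ParameterDocID)
    If req Is Nothing Then Exit Sub
    ' This agent holds more rights than its caller: act only on a
    ' well-formed request, never on an arbitrary NoteID.
    If req.Form(0) = "DeleteRequest" Then
        On Error Resume Next                        ' lookup errors if UNID is unknown
        Set target = db.GetDocumentByUNID(req.TargetUNID(0))
        On Error Goto 0
        If Not target Is Nothing Then Call target.Remove(True)
    End If
    Call req.Remove(True)                           ' remove the passing document
End Sub
```

Because the worker deletes with more authority than the person who triggered it, any rule about which documents a given user may remove (for example, only their own) has to be enforced inside the worker before the `Remove` call.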
