SECURITY


Controlling agents that run on a server
To control the types of agents users can run on a server, set up restrictions for server agents. The fields in this section are organized hierarchically with regard to privileges. "Run unrestricted methods and operations" has the highest level of privilege and "Run Simple and Formula agents" has the lowest. A user or group name in one list will automatically receive the rights of the lists beneath. Therefore a name has to be entered in only one list, which then gives that user the highest rights.

Tip Create a group for each class of users to be used in every category.

For a list of restricted LotusScript and Java features and information about agents, see IBM® Lotus® Domino™ Designer 8 Help.

For information on creating groups, see Creating and modifying groups.

1. From the IBM® Lotus® Domino™ Administrator, click Configuration, and open the Server document.

2. Click the Security tab.

3. In the Programmability Restrictions section, complete one or more of these fields, and then save the document:
FieldAction
Run unrestricted methods and operationsEnter the names of users and groups who are allowed to select, on a per agent basis, one of three levels of access for agents signed with their ID. Users with this privilege select one of these access levels when they are using Domino Designer to build an agent:
  • restricted mode
  • unrestricted mode
  • unrestricted mode with full administration rights.
Only users who have this access can choose an option other than "do not allow restricted operations." This access is enabled by default for the current server and IBM® Lotus® Notes® Template developers.

If users in this list are also listed as a database administrator in the Server document, they are allowed to perform database operations without having to be listed explicitly in the database ACL. (for example, they can delete databases without being listed in the ACL of those databases).

Note To have the ability to run agents in unrestricted mode with full administration rights, the agent signer should be listed in this field, or in the Full Access Administrator field, as well as have this mode selected in the Agent Builder. Being listed in Full Access Administrator list alone is not sufficient to run agents in this mode.

Sign agents to run on behalf of someone elseEnter the names of users and groups who are allowed to sign agents that will be executed on anyone else's behalf. The default is blank, which means that no one can sign agents in this manner.

Note This privilege should be used with caution, as the name for whom the agent is signed on behalf of is used to check ACL access.

Sign agents to run on behalf of the invoker of the agentEnter the names of users and groups who are allowed to sign agents that will be executed on behalf of the invoker, when the invoker is different from the agent signer. This setting is ignored if the agent signer and the invoker are the same. This is used currently only for Web agents. The default is blank, which means that everyone can sign agents invoked in this manner (this is for backwards compatability).
Run restricted LotusScript/Java agentsEnter the names of users and groups allowed to run agents created LotusScript and Java features, but excluding privileged methods and operations, such as reading and writing to the file system. Leave the field blank to deny access to all users and groups.
Run simple and formula agentsEnter the names of users and groups allowed to run to run simple and formula agents, both private and shared. Leave the field blank to allow all users and groups to run simple and formula agents, both private and shared.
Sign script libraries to run on behalf of someone elseEnter the names of users and groups who are allowed to sign script libraries in agents executed by someone else. For the purposes of backwards compatibility, the default value is to leave the field empty, to allow all.
See also