Lotus Domino Designer 8.5 Help - Security for agents on servers and the Web

APPLICATION DESIGN

Security for agents on servers and the Web
For agents created and run in Notes databases stored on servers or run from the Web, you can set up several levels of security controls to prevent unauthorized operations.

Who can create agents?

To control who can create agents that run on servers, use database ACLs.

Note Web users cannot create agents.

To create	Access needed
Private agents	Reader access or higher and must have "Create private agents" enabled in the ACL
Private agents using LotusScript and Java	Reader access or higher and must have "Create private agents" and "Create LotusScript/Java agents" enabled in the ACL
Shared agents using simple actions and formulas	Designer access or higher
Shared agents using LotusScript or Java agents	Designer access or higher and must have "Create LotusScript/Java agents" enabled in the ACL

Who can run agents?

To control who can run agents on servers, use the Server document in the IBM® Lotus® Domino(TM) Directory and database ACLs. See the topic "Controlling agents that run on a server" in the Lotus Domino Administrator Help for more information.

Private agents

To control who can run private agents, open the Server document in the Address Book and click the Security tab. In the Programmability Restrictions section:

If everyone who can access the server can run private agents, leave "Run private agents" blank.
If only specific users can run private agents, specify their names in "Run private agents."

Web users cannot run private agents.

Shared agents

To control who can run shared agents, use the database ACL. Users with Reader access or higher can run shared agents.

If users are allowed to run shared agents, assign them Reader access or higher.
If users are not allowed to run shared agents, do not list them in the ACL or assign them Depositor access.

LotusScript/Java agents

LotusScript and Java include operations that have full access to the server’s system and can manipulate system time, file I/O, and operating system commands. Users or groups with unrestricted access can run an agent that includes any of these operations in the LotusScript and Java components. Users or groups with restricted access can include most operations. The only restricted commands are those that allow access to the server’s system.

Caution Unrestricted Java and LotusScript agents can potentially violate security. Only a limited number of trusted users should have unrestricted rights.

Where can agents run?

To control whether agents are allowed to run on servers, use the Server document in the Address Book. Click the Security tab. In the Server Access section:

If everyone running an agent that accesses the server is allowed to access the server, leave "Access server" blank.
If you don’t want users accessing the server either directly or through agents, specify the user names in "Access server." Then, if a user who is not specified attempts to run an agent that accesses the server, the agent is not run. You can also specify user names in "Not access server."
Note These restrictions apply to agents running from other servers or from a client. Agents that are already scheduled to run on the server will not be affected by the Server Access section.

What operations can agents run?

To control which documents agents can process, IBM® Lotus® Domino(TM) checks the ACL of the database where the documents are stored, as follows:

For agents that use simple actions, LotusScript, and Java, Domino checks the user’s ACL.
For agents that use formulas, Domino checks the replica ID of the database in which the agents were created. Therefore, to ensure that agents using formulas can access documents in other databases, you must list the database replica ID in each database the agent will access.

To control whether agents are allowed to create databases, use the Server document in the Address Book. Click the Security tab. In the Server Access Section:

If everyone is allowed to create databases, leave "Create new databases" blank. Then, anyone running an agent that creates new databases can do so on the server.
If you don’t want users creating databases, specify the user names of people allowed to create databases in "Create new databases." Then, if a user who is not specified runs an agent that creates a database, an error is reported and the database is not created.

When are restrictions checked?

Domino checks the security restrictions differently depending on whether the agent is running:

Locally or on the server
In the foreground or background
If the agent is started from the Web or the IBM® Lotus® Notes® client

Locally on Notes

An agent runs locally when:

It runs within a Notes client database.
You choose "Local" from the "Run on" list for a scheduled agent.
A user starts the agent from the Actions menu in the Notes client, from the Agent - Run menu in IBM® Lotus® Domino(TM) Designer, from the "When documents Have Been Pasted" trigger, or from calling the agent by agent.run.

When an agent runs locally, Notes does not check security restrictions, unless you have set the Enforce ACL option. (To set the Enforce ACL option, choose File - Database - Access Control and then click the Advanced icon.)

On the server

An agent runs on the server when it is running in a database stored on a server and it is started by one of the following:

Before new mail arrives
After new mail arrives
If documents have been created or updated
On schedule more than once a day
On schedule daily
On schedule weekly
On schedule monthly
Called by an agent via agent.runonserver (the agent being called must reside on the server)

If the agent is running on a server, Domino checks all security restrictions.

Foreground or background

An agent runs in the foreground when a user starts it from the Notes Actions menu, selects it from the Designer Agents list, or clicks an Action button. When agents run in the foreground, security restrictions are not checked.

An agent runs in the background when it is scheduled or it is triggered by an event (for example, when documents are modified) or when it is called by agent.runonserver. When agents run in the background, Domino checks security restrictions.

From the Notes client or the Web

Agents run in the Notes client or on the Web based on the effective user. The effective user is the user under whose authority the agent runs. The effective user depends on the environment in which the agent runs.

Agent type	Effective user
Notes client agent	Current user ID
Web agent	One of the following: Current Web user Agent signer (agent owner) On behalf of (set in the Security tab of the Agent Properties box).
Scheduled agent	Either: Agent signer (agent owner) On behalf of (set in the Security tab of the Agent Properties box).

When a user runs an agent from the Notes client, the agent runs with the rights of the effective user, which is the current User ID.
When a Web user runs an agent, the agent also runs using the rights of the effective user and Domino checks the effective user's rights to access the database. However, you can set up the agent so that Domino checks the invoker’s rights to access the database instead of the effective user’s rights. Checking the invoker’s rights can provide more security.

To specify that Domino verify the invoker's access to the database, follow these steps:

1. Double-click an agent name in the agent list.

2. Click the Security tab.

3. Check "Run as Web user."

When "Run as Web user" is checked, Domino prompts Web users for their name and password when they attempt to run the agent. Domino uses the login information to check for the invoker’s rights in the database ACL.

Security controls for agents that are called by agents

When agents call other agents, Domino checks the security restrictions for each agent. However, when the agent signers are different, Domino checks security as follows:

If the first agent uses simple actions or formulas:
Domino checks all agents that are called against the rights of the signer of the first agent.
If the first agent uses LotusScript or Java:
Domino checks each agent that is called against the rights of the signer of each agent.

See Also

Creating an agent

Setting up agent security using the Security tab

Troubleshooting agents

Actions and agents names

Glossary

Feedback on Help or Product Usability?

Help on Help

All Help Contents

Glossary