APPLICATION DESIGN


Security for agents on servers and the Web
For agents created and run in Notes databases stored on servers or run from the Web, you can set up several levels of security controls to prevent unauthorized operations.

Who can create agents?

To control who can create agents that run on servers, use database ACLs.

Note Web users cannot create agents.
To createAccess needed
Private agentsReader access or higher and must have "Create private agents" enabled in the ACL
Private agents using LotusScript and JavaReader access or higher and must have "Create private agents" and "Create LotusScript/Java agents" enabled in the ACL
Shared agents using simple actions and formulasDesigner access or higher
Shared agents using LotusScript or Java agentsDesigner access or higher and must have "Create LotusScript/Java agents" enabled in the ACL

Who can run agents?

To control who can run agents on servers, use the Server document in the IBMR LotusR Domino(TM) Directory and database ACLs. See the topic "Controlling agents that run on a server" in the Lotus Domino Administrator Help for more information.

Private agents

To control who can run private agents, open the Server document in the Address Book and click the Security tab. In the Programmability Restrictions section:


Web users cannot run private agents.

Shared agents

To control who can run shared agents, use the database ACL. Users with Reader access or higher can run shared agents.


LotusScript/Java agents

LotusScript and Java include operations that have full access to the serverfs system and can manipulate system time, file I/O, and operating system commands. Users or groups with unrestricted access can run an agent that includes any of these operations in the LotusScript and Java components. Users or groups with restricted access can include most operations. The only restricted commands are those that allow access to the serverfs system.

Caution Unrestricted Java and LotusScript agents can potentially violate security. Only a limited number of trusted users should have unrestricted rights.

Where can agents run?

To control whether agents are allowed to run on servers, use the Server document in the Address Book. Click the Security tab. In the Server Access section:


What operations can agents run?

To control which documents agents can process, IBMR LotusR Domino(TM) checks the ACL of the database where the documents are stored, as follows:


To control whether agents are allowed to create databases, use the Server document in the Address Book. Click the Security tab. In the Server Access Section:
When are restrictions checked?

Domino checks the security restrictions differently depending on whether the agent is running:


Locally on Notes

An agent runs locally when:


When an agent runs locally, Notes does not check security restrictions, unless you have set the Enforce ACL option. (To set the Enforce ACL option, choose File - Database - Access Control and then click the Advanced icon.)

On the server

An agent runs on the server when it is running in a database stored on a server and it is started by one of the following:


If the agent is running on a server, Domino checks all security restrictions.

Foreground or background

An agent runs in the foreground when a user starts it from the Notes Actions menu, selects it from the Designer Agents list, or clicks an Action button. When agents run in the foreground, security restrictions are not checked.

An agent runs in the background when it is scheduled or it is triggered by an event (for example, when documents are modified) or when it is called by agent.runonserver. When agents run in the background, Domino checks security restrictions.

From the Notes client or the Web

Agents run in the Notes client or on the Web based on the effective user. The effective user is the user under whose authority the agent runs. The effective user depends on the environment in which the agent runs.
Agent typeEffective user
Notes client agentCurrent user ID
Web agentOne of the following:
  • Current Web user
  • Agent signer (agent owner)
  • On behalf of (set in the Security tab of the Agent Properties box).
Scheduled agentEither:
  • Agent signer (agent owner)
  • On behalf of (set in the Security tab of the Agent Properties box).
When a user runs an agent from the Notes client, the agent runs with the rights of the effective user, which is the current User ID.
When a Web user runs an agent, the agent also runs using the rights of the effective user and Domino checks the effective user's rights to access the database. However, you can set up the agent so that Domino checks the invokerfs rights to access the database instead of the effective userfs rights. Checking the invokerfs rights can provide more security.

To specify that Domino verify the invoker's access to the database, follow these steps:

1. Double-click an agent name in the agent list.

2. Click the Security tab.

3. Check "Run as Web user."

When "Run as Web user" is checked, Domino prompts Web users for their name and password when they attempt to run the agent. Domino uses the login information to check for the invokerfs rights in the database ACL.

Security controls for agents that are called by agents

When agents call other agents, Domino checks the security restrictions for each agent. However, when the agent signers are different, Domino checks security as follows:


See Also