[back to "
Troubleshooting agents in Notes/Domino 5 and 6
"]
Notes/Domino 5 agent security at a glance
Figuring out agent security is not easy because there are many different situations you need to consider while troubleshooting a problem. The following tables should help you identify when the agent security is enforced and whose rights are used to authenticate the access level. Note that these tables apply to personal and shared agents.
Agent security consists of two parts:
Agent restrictions control who can run the agent with what level of rights.
Database ACLs control the level of access to the data the agent’s effective user has.
Whether or not agent restrictions apply depends on how the agent is invoked. If invoked on the client, restrictions do not apply. If invoked on the server, agent restrictions do apply. Agent restrictions are always determined based on the agent signer:
Client
Server
How agent is invoked
User initiated
Scheduled
HTTP "run as Web user"
HTTP "run as signer"
Scheduled
Restrictions
N/A
N/A
Signer
Signer
Signer
Database ACLs always apply no matter how the agent is invoked. The identity used as the agent’s effective user depends on how the agent is invoked. If invoked on the client, the identity of the person logged on to the workstation is used as the effective user of the agent. If the agent is invoked from the Web and is set to run as Web user, the effective user is the Web user identity. For R5 scheduled agents on the server and agents invoked from the Web running in Run as agent signer mode, the effective user is the agent signer:
Client
Server
How agent is invoked
User initiated
Scheduled
HTTP "run as Web user"
HTTP "run as signer"
Scheduled
ACL checks
Invoker
Invoker
Invoker
Signer
Signer
This table summarizes the rules for where R5 agents can access databases on other servers.
Type of agent/Where agent runs
Server
Workstation
Scheduled
Only via CORBA*
yes
User initiated
—
yes
*Accessing databases on other Domino servers is possible using CORBA-remoted Java back-end classes and DIIOP.