IBM®
Skip to main content
    Country/region select      Terms of use
 
 
   
     Home      Products      Services & solutions      Support & downloads      My account     
 
developerWorks
AIX and UNIX
Information Mgmt
Lotus
New to Lotus
Products
How to buy
Downloads
Live demos
Technical library
Training
Support
Forums & community
Events
Rational
Tivoli
WebSphere
Java™ technology
Linux
Open source
SOA and Web services
Web development
XML
My developerWorks
About dW
Submit content
Feedback



developerWorks  >  Lotus  >  Technical Library
developerWorks



[back to "Troubleshooting agents in Notes/Domino 5 and 6"]

Notes/Domino 6 agent security at a glance
Figuring out agent security is not easy because there are many different situations you need to consider while troubleshooting a problem. The following tables should help you identify when the agent security is enforced and whose rights are used to authenticate the access level. Note that these tables apply to personal and shared agents.

Agent security consists of two parts:
  • Agent restrictions control who can run the agent with what level of rights.
  • Database ACLs control the level of access to the data the agent’s effective user has.

Whether or not agent restrictions apply depends on how the agent is invoked. If invoked on the client, restrictions do not apply. If invoked on the server, agent restrictions do apply. Agent restrictions are always determined based on the agent signer:

Client
Server
How agent is invokedUser initiatedScheduledHTTP "run as Web user"HTTP "run as signer"Scheduled
RestrictionsN/AN/ASignerSignerSigner

Database ACLs always apply no matter how the agent is invoked. The identity used as the agent’s effective user depends on how the agent is invoked. If invoked on the client, the identity of the person logged on to the workstation is used as the effective user of the agent. If the agent is invoked from the Web and is set to run as Web user, the effective user is the Web user identity. For Notes/Domino 6 scheduled agents on the server and Notes/Domino 6 agents invoked from the Web running in "Run as agent signer" mode, the effective user is the "Run on behalf of" identify if this field is populated (and the signer has proper rights). Otherwise the effective user is the agent signer:

Client
Server
How agent is invokedUser initiatedScheduledHTTP "run as Web user"HTTP "run as signer"Scheduled
ACL checksInvokerInvokerInvoker"On behalf
of" signer		"On behalf of" signer

This table summarizes the rules for where R5 agents can access databases on other servers:

Type of agent/Where agent runs
Server
Workstation
Scheduled
yes
yes
User initiated
yes




        About IBM      Privacy      Contact