Troubleshooting agents in Notes/Domino 5 and 6 (Notes/Domino 5 agent security at a glance sidebar)

Country/region select

developerWorks

AIX and UNIX
Information Mgmt
Lotus
	New to Lotus
	Products
	How to buy
	Downloads
	Live demos
	Technical library
	Training
	Support
	Forums & community
	Events
Rational
Tivoli
WebSphere

Java™ technology
Linux
Open source
SOA and Web services
Web development
XML

My developerWorks
About dW
Submit content
Feedback

developerWorks > Lotus > Technical Library

Printer-friendly

[back to "Troubleshooting agents in Notes/Domino 5 and 6"]

Notes/Domino 5 agent security at a glance
Figuring out agent security is not easy because there are many different situations you need to consider while troubleshooting a problem. The following tables should help you identify when the agent security is enforced and whose rights are used to authenticate the access level. Note that these tables apply to personal and shared agents.

Agent security consists of two parts:

Agent restrictions control who can run the agent with what level of rights.
Database ACLs control the level of access to the data the agent’s effective user has.

Whether or not agent restrictions apply depends on how the agent is invoked. If invoked on the client, restrictions do not apply. If invoked on the server, agent restrictions do apply. Agent restrictions are always determined based on the agent signer:

	Client			Server
How agent is invoked	User initiated	Scheduled	HTTP "run as Web user"	HTTP "run as signer"	Scheduled
Restrictions	N/A	N/A	Signer	Signer	Signer

Database ACLs always apply no matter how the agent is invoked. The identity used as the agent’s effective user depends on how the agent is invoked. If invoked on the client, the identity of the person logged on to the workstation is used as the effective user of the agent. If the agent is invoked from the Web and is set to run as Web user, the effective user is the Web user identity. For R5 scheduled agents on the server and agents invoked from the Web running in Run as agent signer mode, the effective user is the agent signer:

	Client			Server
How agent is invoked	User initiated	Scheduled	HTTP "run as Web user"	HTTP "run as signer"	Scheduled
ACL checks	Invoker	Invoker	Invoker	Signer	Signer

This table summarizes the rules for where R5 agents can access databases on other servers.

Type of agent/Where agent runs	Server	Workstation
Scheduled	Only via CORBA*	yes
User initiated	—	yes

*Accessing databases on other Domino servers is possible using CORBA-remoted Java back-end classes and DIIOP.

About IBM

Privacy

Contact