This forum is closed to new posts and responses. Individual names altered for privacy purposes. The information contained in this website is provided for informational purposes only and should not be construed as a forum for customer support requests. Any customer support requests should be directed to the official HCL customer support channels below:

HCL Software Customer Support Portal for U.S. Federal Government clients
HCL Software Customer Support Portal

HCL Notes/Domino 8.5 Forum (includes Notes Traveler)


OK, let me explain a bit more...

I have an agent that does secure stuff, like retrieving a user's password by sending the username. Obviously, I don't want everybody to call this agent. This agent should be called only by non-Domino, in-house applications (in SSL). So I supplied those applications with a username/password (a real account in a Domino Directory).

This agent runs as the agent signer, which has absolute rights to everything, so this agent is doing what it has to do. I just want to prevent everybody from running it by restricting access to only the accounts I created. That will also give me a small log of who retrieved a password.

So, instead of checking the "All Readers and above" option in the agent properties (which is the default), I selected a single role only, let's say "[AccessAgent]". In my ACL, I added all the accounts (only 2) that should access this agent and checked the "[AccessAgent]" role.

Now, those accounts are "Person" in the ACL and I want to give them the lowest possible access to the database (cause there's other stuff in there I don't want them to access at all, like documents). I tried to give them "No Access" with "Read public documents" and "Write public documents" and then checked the "Allow Public access users to view and run this agent" option in the agent properties... but it doesn't work. The user doesn't have access and I don't understand why as I think it should have worked.

I have to give them "Depositor" or "Reader" access which is too high... (and unnecessary). Depositors could create documents from other forms and Readers could read documents that don't have a Readers field (like my log documents).

So here's what I'm trying to do... it works well except that I would have liked to use "No Access" with "Read public documents" and "Write public documents" for all the accounts that should run this agent.

Is it more clear?
I definitely think it makes sense but I might be missing something.

Thanks for your help!

BTW, agent callers (non-Domino) are using this technique to generate a valid LtpaToken to authenticate:
http://www-10.lotus.com/ldd/nd6forum.nsf/55c38d716d632d9b8525689b005ba1c0/4d797d0e866be63385257157006c23c2?OpenDocument


Feedback response number WEBB8F9SAR created by ~Denise Prehipi on 03/24/2011

How to restrict Agent access to a s... (~Denise Prehipi... 18.Mar.11)
. . Run on behalf of (~Evelyn Desjumi... 18.Mar.11)
. . . . Agent is not running as the current... (~Denise Prehipi... 18.Mar.11)
. . . . . . Behalf of (~Evelyn Desjumi... 18.Mar.11)
. . . . . . . . It's a web agent... (~Denise Prehipi... 21.Mar.11)
. . . . . . . . . . Ahh (~Evelyn Desjumi... 22.Mar.11)
. . . . . . . . . . . . I think I can't (~Denise Prehipi... 22.Mar.11)
. . . . . . . . . . . . . . makes no sense to me (~Phil Nonhipige... 22.Mar.11)
. . . . . . . . . . . . . . . . what are you doing in your agent? (~Kirk Lopkimanf... 24.Mar.11)
. . . . . . . . . . . . . . . . OK, let me explain a bit more... (~Denise Prehipi... 24.Mar.11)
. . . . . . . . . . . . . . Roles are not good security mechani... (~Cheryl Opfreet... 24.Mar.11)
. . . . . . . . . . . . . . . . Why are roles no good for security?... (~Denise Prehipi... 25.Mar.11)
. . . . . . . . . . . . . . . . . . hummm... I think I made it (~Denise Prehipi... 28.Mar.11)



