Notes/Domino 6.x Agent Security Model and Private Agents
From the KnowledgeBase...
Document Number: 1114269
Problem
In Notes/Domino R5, in order for users
to run their Out of Office agents, they have to be listed in the Agent
Manager agent security setting for "Allowed to Run Restricted LotusScript
Operations" because sending mail is a restricted operation. This
means that users can create any LotusScript agents using any restricted
methods, and can conceivably create bad agents that could do harm (such
as causing endless loops) to the Domino server. Most users, however,
do not create LotusScript agents, but instead create Simple Action or @Formula
agents in their mail files. Most users in Notes R5, who do not have
Domino Designer clients installed on their workstations, also never change
the default agent, so these agents are set to run as private agents. In
order to prevent these user-created private agents from running, the Notes/Domino
Administrator in R5 can restrict who can run Private agents in the R5 server
security settings. This effectively blocks most user-created agents,
but is not truly secure as a user-created shared agent will circumvent
this security.
When customers upgrade to Notes/Domino 6.x, the defined upgrade path states
that they should upgrade their servers, then clients, then the client mail
file designs.
Customers who were previously using the method described above of restricting
private agents to limit who can run server agents in R5 find that when
they upgrade their servers to Domino 6, these agents start running. The
reason is that there is no longer a setting to restrict who can run private
agents, but there are additional settings for who can run simple action/formula
agents. The problem is that in the Domino agent security model, the
agent restrictions are hierarchical. So if users are allowed to run
restricted LotusScript agents, they are automatically allowed to run Simple
Action or Formula agents, as that is a lesser restriction.
The solution in Domino 6.x is to set the users' access level in the Access
Control List (ACL) of their mail files to "Editor". At that level, when
they enable the Out of Office agent, a new function kicks in that enables
it on their behalf, but the agent is actually run by someone else (by
default this is Lotus Notes Template Development). When done in this
fashion, the users do not need to be given access to run restricted
LotusScript agents, so they can be restricted from those operations and
the simple action/formula agent operations.
Unfortunately, in order for this process to work, the users MUST be given
Editor access and they MUST be using a Domino 6 mail template design (Mail60.ntf).
If the users have a higher access level, it will simply sign the
Out of Office agent with their ID and they will need rights to run restricted
LotusScript agents. If the user is not using a Domino mail template
design, the functionality that enables the "run on behalf" agent
is not available.
For many customers, though, there may be a significant time difference
between the time the servers are upgraded and the time the mail files are
upgraded, because the Notes Clients must be upgraded during that time.
During that time, private Simple Action and Formula agents that were
created by users that will not run on a Domino R5 Server will run on a
Domino 6.x Server.
Content
This issue was reported to Lotus Software Quality Engineering, and was
addressed in Notes/Domino 6.0.3 and 6.5 (Software Problem Report #SSHE5FNNBU).
With either of these releases (or higher) installed on a server, and the
parameter Enforce_Personal_Agents=1 added to the server's Notes.ini, users
must be specifically listed in the 'Run Simple Action/Formula Agents' field
of the Server document in order to run those agents. The hierarchical
security restrictions will not flow to that field.
A common configuration in the Server document would then be:
Run Restricted LotusScript Agents: */Organization
Run Simple Action/Formula Agents: admingroup, devgroup
Individual users not listed in "admingroup"
or "devgroup" would be allowed to run their Out of Office agent.
When they attempted to schedule any event or scheduled Simple Action
or Formula agent, they would be informed that they did not have execution
authority to run those agents. Users could still schedule and run
private and shared LotusScript agents that they create.
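The effect of Enforce_Personal_Agents=1 on the configuration above, as a simplified Python model (an added example, not Lotus code and not part of the original KnowledgeBase document). The function names, dictionary keys, sample users and name-matching rules are assumptions made for illustration; blank-field behaviour is not modelled.

```python
# Simplified model of the behaviour this document describes; not Domino code.
# SERVER_DOC mirrors the example Server document fields; users are constructed.
SERVER_DOC = {
    "restricted_ls": ["*/Organization"],
    "simple_formula": ["admingroup", "devgroup"],
}
USERS = {  # constructed sample users -> group memberships
    "Jane Doe/Organization": [],
    "Sam Admin/Organization": ["admingroup"],
}
INI_WITHOUT = "ServerTasks=Router,AMgr\n"                      # constructed
INI_WITH = "ServerTasks=Router,AMgr\nEnforce_Personal_Agents=1\n"

def matches(user, groups, entries):
    """True if the user, one of their groups, or a '*/Org' wildcard is listed."""
    name, member_of = user.lower(), {g.lower() for g in groups}
    for entry in entries:
        e = entry.strip().lower()
        if e.startswith("*/") and name.endswith(e[1:]):
            return True
        if e == name or e in member_of:
            return True
    return False

def ini_flag_set(ini_text, key="Enforce_Personal_Agents"):
    """Read 'Key=Value' lines; case-insensitive key match is an assumption."""
    for line in ini_text.splitlines():
        k, sep, v = line.partition("=")
        if sep and k.strip().lower() == key.lower():
            return v.strip() == "1"
    return False

def can_run_simple_formula(user, groups, server_doc, ini_text):
    listed = matches(user, groups, server_doc["simple_formula"])
    if ini_flag_set(ini_text):
        return listed  # explicit listing required; nothing flows down
    # Hierarchical model: the restricted LotusScript right implies the lesser one.
    return listed or matches(user, groups, server_doc["restricted_ls"])

def inherited_only(users, server_doc, ini_text):
    """Users who can run simple/formula agents without being listed for them."""
    return sorted(
        u for u, g in users.items()
        if can_run_simple_formula(u, g, server_doc, ini_text)
        and not matches(u, g, server_doc["simple_formula"])
    )

if __name__ == "__main__":
    print("without flag:", inherited_only(USERS, SERVER_DOC, INI_WITHOUT))
    print("with flag:   ", inherited_only(USERS, SERVER_DOC, INI_WITH))
```

Run against an export of the real field values, the inherited_only list shows which users rely on the hierarchical flow and would lose simple action/formula rights once the parameter is set.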
Related Documents:
Notes Does not Allow Users to Run Out Of Office Agent but Have No Rights To Run any Other Agents
Document #: 1085284
Related LDD Article: Decoding the New Notes/Domino 6 Agent Features:
http://www-10.lotus.com/ldd/today.nsf/62f62847467a8f78052568a80055b380/177bbe55c6848ae000256c44003aee17?OpenDocument&Highlight=0,julie,agent


