Question : Run agent to change ACL

I'm trying to prohibit write-access to the Domino directory. So users should only have read access. The only problem is, that they need to set/change their internet password. Therefore, i created an agent which is run from a database al users are having access to and is modifying the user's acces to author first, then writes the newly entered password to the Directory and after that changes the access back to reader.
This works great: As long as you have manager access to the atabase(only once).
To enable it also for readers, i tried the agent to "Run-on-behalf" of another ID, which has the permission to run and sign unrestricted methods or operations as well as sign agents which run on behalf of another ID. I tried at first to use the server's, then my own ID, but every time i start the agent under an ID which has only reader access i receive the error that the user isn't permitted to change the ACL(i checked it using the debugger.

Where is my problem?

Related Solutions: SCHEDULED AGENT does not run if it is "RUN ON BEHALF OF"

Answer : Run agent to change ACL

You need to understand that the effective user rights ('on behalf of' user) are not used to determine the operations the agent is permitted to perform; these are based on the agent signer (the agent owner).

This is what designer help says about this property:
Lets you specify the agent's effective user. Note that restricted signers can run agents only under the same authority as their own -- they can enter their own name only. Unrestricted signers and signers with rights to run "On Behalf of anyone" can run agents on behalf of anyone. Whoever you specify in this field must be included in the ACL of any application being accessed. If the agent sends mail or creates documents, the name specified here will be the mail sender or document author.

In order for agent to run on behalf of someone else (other then the one that caused it to run) it has to be on the server side (run on server). Otherwise the agent directly inherits access rights from the user that triggered it.

So I suggest:
- create new folder
- modify the code that user triggers so that it creates a "request document" which you'll fill with information and place in your new folder (you may create the Request form if you like, but it's not necessary)
- set your agent to run on schedule. It would check the folder periodically, and process documents (set addresses in NAB) and then remove documents from the folder or delete them completely from a db

That way the agent will run with your access rights (the access rights of the user that last saved it).

Random Solutions

service restart after logrotate

Relative Size Pivot Table Macro

Deploying local user policies, non-domain

Microsoft PKI Design

Shared calendar does not show appointments until refreshed

CISCO UC520 - IP Phones & Computers on different ip ranges.

SSIS Package Hangs in SQL Job

PHP 5.3.2 installation problem on Vista IIS7

PL/SQL Export table data to .csv file and save; launch Excel inside PL/SQL and load saved .csv file

Should Sys Admins (Domain Admins) also have user accounts?