You need to understand that the effective user rights ('on behalf of' user) are not used to determine the operations the agent is permitted to perform; these are based on the agent signer (the agent owner).
This is what designer help says about this property:
Lets you specify the agent's effective user. Note that restricted signers can run agents only under the same authority as their own -- they can enter their own name only. Unrestricted signers and signers with rights to run "On Behalf of anyone" can run agents on behalf of anyone. Whoever you specify in this field must be included in the ACL of any application being accessed. If the agent sends mail or creates documents, the name specified here will be the mail sender or document author.
In order for an agent to run on behalf of someone else (other than the one that caused it to run), it has to be on the server side (run on server). Otherwise the agent directly inherits access rights from the user that triggered it.
So I suggest:
- create a new folder
- modify the code that the user triggers so that it creates a "request document" which you'll fill with information and place in your new folder (you may create the Request form if you like, but it's not necessary)
- set your agent to run on schedule. It would check the folder periodically, process the documents (set addresses in NAB) and then remove the documents from the folder or delete them completely from the db
That way the agent will run with your access rights (the access rights of the user that last saved it).
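
The request-folder pattern described above, as an added LotusScript sketch that is not part of the original post. Because the scheduled agent runs with the signer's rights, it treats each request document as untrusted input and takes the requester from the document's saved-by list rather than from a field the user can fill in. The folder name "Requests", the form name "Request", the item name "NewAddress", the directory file "names.nsf" and the target item "InternetAddress" are assumptions, as is the lookup of the saved-by name in the ($Users) view.

```lotusscript
' Added example; folder, form and item names below are assumptions.

' --- Part 1: called from the code the user triggers (runs with the user's rights) ---
Sub QueueRequest(db As NotesDatabase, newAddress As String)
	Dim req As NotesDocument
	Set req = db.CreateDocument
	req.Form = "Request"
	req.NewAddress = newAddress
	Call req.Save(True, False)
	' False = do not create the folder here; it was created by the designer in step 1
	Call req.PutInFolder("Requests", False)
End Sub

' --- Part 2: scheduled agent, set to run on the server (runs with the signer's rights) ---
Sub Initialize
	Dim session As New NotesSession
	Dim db As NotesDatabase, nab As NotesDatabase
	Dim folder As NotesView, users As NotesView
	Dim req As NotesDocument, nextReq As NotesDocument, person As NotesDocument
	Dim requester As String

	Set db = session.CurrentDatabase
	Set folder = db.GetView("Requests")          ' folders are opened with GetView
	If folder Is Nothing Then Exit Sub
	Set nab = session.GetDatabase(db.Server, "names.nsf")
	If Not nab.IsOpen Then Exit Sub
	Set users = nab.GetView("($Users)")

	Set req = folder.GetFirstDocument
	Do Until req Is Nothing
		Set nextReq = folder.GetNextDocument(req)   ' fetch the next entry before deleting req
		' Requester = first name in the saved-by list, not a user-editable field,
		' so a request can only change the address of the person who created it.
		requester = req.Authors(0)
		Set person = users.GetDocumentByKey(requester, True)
		If Not person Is Nothing And req.NewAddress(0) <> "" Then
			Call person.ReplaceItemValue("InternetAddress", req.NewAddress(0))
			Call person.Save(True, False)
		End If
		Call req.Remove(True)                       ' delete the processed request from the db
		Set req = nextReq
	Loop
End Sub
```

Part 1 belongs in the user-triggered code and Part 2 in the scheduled agent; they are shown together only for reading.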