Setting up agents for the DOLS subscription

Agents are small programs that perform actions in a subscription. Because they can be powerful tools, they must have permission from the server to perform their actions. Agents inherit the permissions of their signer. An agent's signer can be the user who created it, or a user or organization designated by an administrator. An administrator can also register a "dummy" user on the server and make it the signer of agents. This provides more control and security, because the dummy user will not do anything the administrator does not want done.

For an agent to perform actions on a server, an administrator must add its signer, or a group the signer is in, to the Server document (Security > Agent Restrictions).

Agents can perform both unrestricted actions and restricted actions. Restricted actions can potentially cause serious damage to the server, so administrators must be careful about the permissions of agents that perform restricted actions.

Note: There are also two kinds of agents: triggered and scheduled. Triggered agents are activated by a user action, like clicking a button or selecting a menu item. Scheduled agents run automatically, on a schedule, or when events happen inside a database, such as a new mail document arriving. Only triggered agents work offline.

If a subscription contains triggered agents, do the following to make them work offline.

  1. If the subscription contains restricted agents, create a group called DOLS_Restricted_Agents in the Domino® Directory.
  2. Add the full names of the signers of the restricted agents to the DOLS_Restricted_Agents group.

    If an agent has been configured to run as a Web user (Agent Properties > Design tab > Run as Web user), use the full name of its signer. Otherwise, use the full name of the signer who modified it last (for example, NewDevelopment/IBM).

  3. If the subscription uses unrestricted agents, create a group called DOLS_Unrestricted_Agents in the Domino® Directory.
  4. Add the full names of the signers of the unrestricted agents to the DOLS_Unrestricted_Agents group.

    If an agent has been configured to run as a Web user (Agent Properties > Design tab > Run as Web user), use the full name of its signer. Otherwise, use the full name of the signer who modified it last (for example, NewDevelopment/IBM).

  5. In the Server document, on the Security tab in the Agent Restrictions section, add the following names:
    • Add DOLS_Restricted_Agents to the Run restricted LotusScript/Java agents field.
    • Add DOLS_Unrestricted_Agents to the Run unrestricted LotusScript/Java agents field.
  6. Make sure agent signers have at least Editor access in the ACLs of all databases where the agent runs.
  7. Use the DOLCERT.id (in the Domino® data directory) as the certifier ID to create cross-certificates for each user or organization you specified as being able to execute agents. DOLCERT.id creates cross-certificates issued by "O=DOLS." There may already be cross-certificates issued by the Domino® server for these names. You can use the ID file or public key for the agent user and organization to generate cross-certificates.
Note: If a database uses agents, make sure they're all signed and that the server's CERT.ID is cross-certified with the DOLCERT.ID.
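
The following preflight check is an added example, not part of the original documentation or of Domino® itself. It models steps 1 to 4 and 6 over an exported inventory. The `Agent` fields, the dictionary layouts, and every name except NewDevelopment/IBM and the two DOLS group names are assumptions, and the sample data is constructed.

```python
from dataclasses import dataclass

# Domino ACL levels, lowest to highest.
ACL_LEVELS = ["No Access", "Depositor", "Reader", "Author", "Editor", "Designer", "Manager"]
GROUP_FOR = {True: "DOLS_Restricted_Agents", False: "DOLS_Unrestricted_Agents"}

@dataclass
class Agent:                  # hypothetical inventory record, one per triggered agent
    name: str
    database: str
    restricted: bool          # True if the agent performs restricted actions
    run_as_web_user: bool     # Agent Properties > Design tab > Run as Web user
    signer: str
    last_modified_by: str

def name_to_list(agent):
    """Name the procedure says to add to the DOLS group (steps 2 and 4)."""
    return agent.signer if agent.run_as_web_user else agent.last_modified_by

def audit(agents, groups, acls):
    """Return (agent name, problem) findings for steps 1-4 and 6."""
    findings = []
    for a in agents:
        who = name_to_list(a)
        group = GROUP_FOR[a.restricted]
        members = {m.lower() for m in groups.get(group, [])}
        if group not in groups:
            findings.append((a.name, f"group {group} does not exist"))
        elif who.lower() not in members:
            findings.append((a.name, f"{who} missing from {group}"))
        # Assumption: acls holds effective access per name, group entries already resolved.
        level = acls.get(a.database, {}).get(who, "No Access")
        if ACL_LEVELS.index(level) < ACL_LEVELS.index("Editor"):
            findings.append((a.name, f"{who} has {level} in {a.database}, needs Editor"))
    return findings

# Constructed sample inventory (not from a real server).
AGENTS = [
    Agent("SyncOrders", "orders.nsf", True, False, "Build/Example", "NewDevelopment/IBM"),
    Agent("WebLookup", "orders.nsf", False, True, "AgentSigner/Example", "Dev1/Example"),
    Agent("Cleanup", "archive.nsf", True, False, "Build/Example", "Dev1/Example"),
]
GROUPS = {"DOLS_Restricted_Agents": ["NewDevelopment/IBM"]}
ACLS = {"orders.nsf": {"NewDevelopment/IBM": "Editor", "AgentSigner/Example": "Author"},
        "archive.nsf": {"Dev1/Example": "Manager"}}

if __name__ == "__main__":
    for agent, problem in audit(AGENTS, GROUPS, ACLS):
        print(f"{agent}: {problem}")
```

An empty result means every listed agent has its name in the expected group and at least Editor access; the Server document fields (step 5) and cross-certificates (step 7) still have to be checked on the server.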