Setting up agents for the DOLS subscription
Agents are small programs that perform actions in a subscription. Because they can be powerful tools, they must have permission from the server to perform their actions. Agents inherit the permissions of their signer. An agent's signer can be the user who created it, or a user or organization designated by an administrator. An administrator can also register a "dummy" user on the server and make it the signer of agents. This provides more control and security, because the dummy user will not do anything the administrator does not want done.
For an agent to perform actions on a server an administrator must add its signer, or a group the signer is in, to the Server document (
).Agents can perform both unrestricted actions and restricted actions. Restricted actions can potentially cause serious damage to the server, so administrators must be careful about the permissions of agents that perform restricted actions.
If a subscription contains triggered agents, do the following to make them work offline.
- If the subscription contains restricted agents, create a group called DOLS_Restricted_Agents in the Domino® Directory.
- Add the full names of the signers of the restricted agents to
the DOLS_Restricted_Agents group.
If an agent has been configured to run as a Web user (
), use the full name of its signer. Otherwise, use the full name of the signer who modified it last (for example, NewDevelopment/IBM). - If the subscription uses unrestricted agents, create a group called DOLS_Unrestricted_Agents in the Domino® Directory.
- Add the full names of the signers of the unrestricted agents
to the DOLS_Unrestricted_Agents group.
If an agent has been configured to run as a Web user (
), use the full name of its signer. Otherwise, use the full name of the signer who modified it last (for example, NewDevelopment/IBM). - In the Server document, on the Security tab
in the Agent Restrictions section, add the
following names:
- Add DOLS_Restricted_Agents to the Run restricted LotusScript/Java agents field.
- Add DOLS_Unrestricted_Agents to the Run unrestricted LotusScript/Java agents field.
- Make sure agent signers have at least Editor access in the ACLs of all databases where the agent runs.
- Use the DOLCERT.id (in the Domino® data directory) as the certifier ID to create cross-certificates for each user or organization you specified as being able to execute agents. DOLCERT.id creates cross-certificates issued by "O=DOLS." There may already be cross-certificates issued by the Domino® server for these names. You can use the ID file or public key for the agent user and organization to generate cross-certificates.