Protect Lotus Notes from malicious code with the Domino ECL

Read how Lotus Notes Domino execution control lists (ECLs) work and how to configure them to improve security and protect workstations from malicious code.

An execution control list (ECL) is an important piece of the Lotus Notes security puzzle, because it can stop rogue agents or applets from accessing confidential Domino data or possibly causing irreparable harm to user workstations. This tip explains how Lotus Notes Domino execution control lists work and how to configure them to protect user workstations against malicious code.

A Lotus Notes Domino ECL is used to determine whether the signer of the code being executed is allowed to run that code from a particular workstation. Also, if the signer can run the code, then the Domino ECL defines the level of access that the code has to various workstation functions.

Basically, you can use a Domino ECL very effectively to restrict access to Lotus Notes database elements, the workstation's file system and the execution of certain operations. For example, it's possible to use an ECL to allow LotusScript programs to access the file system, but to simultaneously deny Java applets the same access.

When a Lotus Notes database is opened and programming logic is executed, the signature ID last used to sign an element is checked against the ECL to determine whether that Lotus Notes ID has been granted permission through the ECL to run. If permission has been granted, either implicitly (default) or explicitly (user named in the ECL) for a particular task, the action is allowed. If not, the action is disallowed.
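The check described above, together with the per-type split from the LotusScript versus Java applet case, can be sketched as a small model. This is an added example, not code from the tip or from Lotus Notes: the data structure, signer names and permission labels are constructed, and the `audit` helper goes one step beyond the text by flagging catch-all entries that grant sensitive access.

```python
# Simplified model of an ECL decision; not how Notes stores or evaluates ECLs.
DEFAULT = "-Default-"            # entry applied when the signer is not listed
NO_SIGNATURE = "-No Signature-"  # entry applied when the code is unsigned

# Constructed sample ECL: ECL type -> signer -> set of granted permissions.
# Signer names and permission labels are made up for illustration.
SAMPLE_ECL = {
    "workstation": {
        "Dev Signer/Acme": {"file_system", "current_database"},
        DEFAULT: {"current_database"},
        NO_SIGNATURE: set(),
    },
    "applet": {
        "Dev Signer/Acme": {"network"},
        DEFAULT: set(),
        NO_SIGNATURE: set(),
    },
}

def effective_permissions(ecl, ecl_type, signer):
    """Return (matched entry, granted permissions) for code signed by signer."""
    entries = ecl.get(ecl_type, {})
    if signer is None:                           # unsigned code
        return NO_SIGNATURE, entries.get(NO_SIGNATURE, set())
    if signer in entries:                        # explicit: signer is named
        return signer, entries[signer]
    return DEFAULT, entries.get(DEFAULT, set())  # implicit: default entry

def is_allowed(ecl, ecl_type, signer, permission):
    """True if the action is allowed; anything not granted is disallowed."""
    _, granted = effective_permissions(ecl, ecl_type, signer)
    return permission in granted

def audit(ecl, sensitive=frozenset({"file_system", "network"})):
    """List catch-all entries that grant sensitive access to unknown signers."""
    findings = []
    for ecl_type, entries in sorted(ecl.items()):
        for catch_all in (DEFAULT, NO_SIGNATURE):
            risky = sorted(entries.get(catch_all, set()) & sensitive)
            if risky:
                findings.append((ecl_type, catch_all, risky))
    return findings

if __name__ == "__main__":
    for case in [("workstation", "Dev Signer/Acme", "file_system"),
                 ("applet", "Dev Signer/Acme", "file_system"),
                 ("workstation", "Unknown/Other", "file_system")]:
        print(case, "->", "allowed" if is_allowed(SAMPLE_ECL, *case) else "disallowed")
    print("audit findings:", audit(SAMPLE_ECL))
```
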

A workstation can be configured to enable the Lotus Notes user to maintain the ECL, or the Domino administrator can maintain the ECL centrally. Follow these steps to configure a Lotus Notes Domino user-controlled ECL:

  1. Select File -> Security -> User Security from the main menu.
  2. Enter your password when prompted for it.
  3. Click on the "What Others Do" button, which will then open the dialog box. Now, expand the list of ECL options.
  4. Choose the type of ECL that you want to configure:

    • "Using workstation"
    • "Using applets"
    • "Using JavaScript"

  5. Choose an entry to configure in the "When Code Is Signed By" list or click the "Add" button to enter a new Lotus Notes user.
  6. Set the appropriate security options for the current entry.
  7. Click "OK" to update the ECL.
  8. Click "OK" to close the User Security dialog box.

This tip was submitted to the SearchDomino.com tip library by member Jim Mck.

This was last published in December 2007
