Setting the Execution Control List

In R5.0.2 Lotus did a complete about-face on the Execution Control List (ECL). Prior to R5.0.2, the ECL was set to allow you complete control and access to your workstation. In R5.0.2, Lotus decided to change that policy to only allow the user and Lotus Development full access.

What does this mean to you?

Well, you and any of your users with fresh installs of R5.0.2 or higher may start seeing a lot of pop-up boxes indicating "Execution Security Alerts." This won't affect incrementally upgraded versions of Notes, only new installations. The ECL stays wide open from the prior install.

The Execution Security Alert box will state that "Notes has been asked to execute the following action which does not fit within your security profile:"

The box shows you what the action is, who signed it, and what in that action is not allowed by the ECL. It is then up to the user to choose from the following buttons: Abort, Execute Once, Trust Signer, or Help.

If the signer is either one of your servers, you, or Lotus, it is wise to trust the signer. However, if it is not signed by a recognized source, proceed with caution. Someone may be trying to harm your system! Prior to R5.0.2, this would have occurred without your true consent. In R5.0.2x, it must be set up as a trusted signer to do anything.

As an administrator, you need to decide on an ECL policy. The ECL is often overlooked because it never presented itself as an issue before R5.0.2. It was set to allow access and it wasn't noticed unless you went digging for it. However, it is something that should be set in any release.

It is accessible via File/Preference/User Preferences. It is under the Security Options button on the Basics tab. In 4.6, it is in the same place, but User Preferences are under File/Tools/User Preferences. Your ECL policy is going to be unique to your organizational needs, but a good starting point is to trust your servers to do anything other than modify the ECL, and let the user do the same. Only items signed by a Notes administrator should be allowed to change the ECL. This way you can maintain control over the user's ECL without affecting their normal usage of Notes.

For more information on the ECL see the Domino Administration Help database.

Michael Lazar is a SearchDomino advisor

This was first published in January 2000

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.