Setting the Execution Control List

How to set an ECL

In R5.0.2, Lotus did a complete about-face on the Execution Control List (ECL). Prior to R5.0.2, the ECL was set to allow you complete control and access to your workstation. In R5.0.2, Lotus changed that policy to allow only the user and Lotus Development full access.

What does this mean to you?

Well, you and any of your users with fresh installs of R5.0.2 or higher may start seeing a lot of pop-up boxes indicating "Execution Security Alerts." This affects only new installations, not incrementally upgraded versions of Notes: on an upgrade, the ECL stays wide open from the prior install.

The Execution Security Alert box will state that "Notes has been asked to execute the following action which does not fit within your security profile:"

The box shows you what the action is, who signed it, and what in that action is not allowed by the ECL. It is then up to the user to choose from the following buttons: Abort, Execute Once, Trust Signer, or Help.

If the signer is one of your servers, you, or Lotus, it is wise to trust the signer. However, if the action is not signed by a recognized source, proceed with caution. Someone may be trying to harm your system! Prior to R5.0.2, this would have occurred without your true consent. In R5.0.2x, the signer must be set up as a trusted signer before its code can do anything.

As an administrator, you need to decide on an ECL policy. The ECL is often overlooked because it never presented itself as an issue before R5.0.2. It was set to allow access and it wasn't noticed unless you went digging for it. However, it is something that should be set in any release.

The ECL is accessible via File/Preferences/User Preferences, under the Security Options button on the Basics tab. In 4.6, it is in the same place, but User Preferences are under File/Tools/User Preferences.

Your ECL policy is going to be unique to your organizational needs, but a good starting point is to trust your servers to do anything other than modify the ECL, and let the user do the same. Only items signed by a Notes administrator should be allowed to change the ECL. This way you can maintain control over the user's ECL without affecting their normal usage of Notes.
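The starting policy described above can be modeled in a few lines to see which signed actions would raise an Execution Security Alert. This is an added example, not Notes code and not part of the original tip. The permission labels, the signer names, the wildcard matching and the exact effect of Trust Signer are assumptions of the model.

```python
from fnmatch import fnmatchcase

# Simplified permission labels (constructed for this model, not the dialog's exact text).
ALL = frozenset({"file_system", "external_programs", "send_mail",
                 "read_other_dbs", "modify_other_dbs", "modify_ecl"})
NO_ECL_CHANGE = ALL - {"modify_ecl"}

def starting_ecl(user, server_pattern, admin):
    """Starting point from the article: servers and the user may do anything
    except modify the ECL; only the administrator may change it."""
    return {
        admin: set(ALL),
        user: set(NO_ECL_CHANGE),
        server_pattern: set(NO_ECL_CHANGE),
        "-Default-": set(),  # any other signer: nothing allowed
    }

def allowed_for(ecl, signer):
    """Exact entry wins, then the first matching wildcard entry, then -Default-."""
    if signer in ecl:
        return ecl[signer]
    for name, perms in ecl.items():
        if "*" in name and fnmatchcase(signer, name):
            return perms
    return ecl["-Default-"]

def check(ecl, signer, needed):
    """Return the permissions the ECL denies for this signer. A non-empty
    result corresponds to an Execution Security Alert."""
    return set(needed) - allowed_for(ecl, signer)

def trust_signer(ecl, signer, needed):
    """Assumed model of the Trust Signer button: give this signer its own
    entry containing the permissions that were just denied."""
    denied = check(ecl, signer, needed)
    ecl.setdefault(signer, set(allowed_for(ecl, signer))).update(denied)
    return denied

if __name__ == "__main__":
    # Constructed names for illustration only.
    ecl = starting_ecl("Jane Doe/Acme", "*/Servers/Acme", "Notes Admin/Acme")
    for signer, needed in [("Mail01/Servers/Acme", {"send_mail"}),
                           ("Mail01/Servers/Acme", {"modify_ecl"}),
                           ("Notes Admin/Acme", {"modify_ecl"}),
                           ("Unknown/Elsewhere", {"file_system"})]:
        denied = check(ecl, signer, needed)
        print(signer, sorted(needed), "ALERT" if denied else "runs", sorted(denied))
```

In this model, trusting an unrecognized signer grants only the permission that was just denied, so a later action from the same signer that needs something else still raises an alert.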

For more information on the ECL see the Domino Administration Help database.

Michael Lazar is a SearchDomino advisor.

This was first published in January 2000.
