Protect Lotus Notes from malicious code with the Domino ECL

Read how Lotus Notes Domino execution control lists (ECLs) work and how to configure them to improve security and protect workstations from malicious code.

An execution control list (ECL) is an important piece of the Lotus Notes security puzzle, because it can stop rogue agents or applets from accessing confidential Domino data or possibly causing irreparable harm to user workstations. This tip explains how Lotus Notes Domino execution control lists work and how to configure them to protect user workstations against malicious code.

A Lotus Notes Domino ECL is used to determine whether the signer of the code being executed is allowed to run that code from a particular workstation. Also, if the signer can run the code, then the Domino ECL defines the level of access that the code has to various workstation functions.

Basically, you can use a Domino ECL very effectively to restrict access to Lotus Notes database elements, the workstation's file system and the execution of certain operations. For example, it's possible to use an ECL to allow LotusScript programs to access the file system, but to simultaneously deny Java applets the same access.

When a Lotus Notes database is opened and programming logic is executed, the signature ID last used to sign an element is checked against the ECL to determine whether that Lotus Notes ID has been granted permission through the ECL to run. If permission has been granted, either implicitly (default) or explicitly (user named in the ECL) for a particular task, the action is allowed. If not, the action is disallowed.
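The signer check described above, modelled as an added example (not code from the original tip or from Lotus Notes), with an audit pass that flags catch-all entries granting sensitive access. Assumptions: the dictionary layout, signer name and action labels are constructed, and the `-Default-` and `-No Signature-` catch-all entries are modelled here as the fallbacks for unlisted signers and unsigned code.

```python
DEFAULT = "-Default-"            # assumed fallback entry for signers not listed
NO_SIGNATURE = "-No Signature-"  # assumed fallback entry for unsigned code
SENSITIVE = {"file_system", "send_mail"}  # illustrative action labels

# Constructed sample ECL: ECL type -> signer entry -> allowed actions.
SAMPLE_ECL = {
    "workstation": {  # applies to LotusScript, formulas, agents
        "Admin Signer/Acme": {"file_system", "current_database", "send_mail"},
        DEFAULT: {"current_database"},
        NO_SIGNATURE: set(),
    },
    "applets": {      # Java applets are evaluated against a separate list
        "Admin Signer/Acme": {"current_database"},
        DEFAULT: set(),
        NO_SIGNATURE: set(),
    },
}

def effective_entry(ecl, ecl_type, signer):
    """Return (entry_name, allowed_actions) that governs this signer."""
    entries = ecl[ecl_type]
    if signer is None:              # unsigned design element
        name = NO_SIGNATURE
    elif signer in entries:         # explicit grant: signer named in the ECL
        name = signer
    else:                           # implicit grant: fall back to the default
        name = DEFAULT
    return name, entries.get(name, set())

def is_allowed(ecl, ecl_type, signer, action):
    """True if the last signer of the element may perform the action."""
    _, allowed = effective_entry(ecl, ecl_type, signer)
    return action in allowed

def audit(ecl):
    """List (ecl_type, entry, action) where a catch-all entry is too broad."""
    findings = []
    for ecl_type, entries in ecl.items():
        for name in (DEFAULT, NO_SIGNATURE):
            for action in sorted(entries.get(name, set()) & SENSITIVE):
                findings.append((ecl_type, name, action))
    return findings
```

A non-empty `audit()` result means any signer, or unsigned code, inherits that access on the workstation without being named in the ECL.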

A workstation can be configured to enable the Lotus Notes user to maintain the ECL, or the Domino administrator can maintain the ECL centrally. Follow these steps to configure a Lotus Notes Domino user-controlled ECL:

  1. Select File -> Security -> User Security from the main menu.
  2. Enter your password when prompted for it.
  3. Click on the "What Others Do" button, which will then open the dialog box. Now, expand the list of ECL options.
  4. Choose the type of ECL that you want to configure:

    • "Using workstation"
    • "Using applets"
    • "Using JavaScript"

  5. Choose an entry to configure in the "When Code Is Signed By" list or click the "Add" button to enter a new Lotus Notes user.
  6. Set the appropriate security options for the current entry.
  7. Click "OK" to update the ECL.
  8. Click "OK" to close the User Security dialog box.

This tip was submitted to the tip library by member Jim Mck.
