Workstations (ECL)
Another component of the Notes security strategy is the Execution Control list (ECL) feature of the Notes client. The ECL is responsible for two basic things. The first is to determine whether the signer of the code being executed is allowed to run the code from a particular workstation. Second, if the signer can run the code, the ECL defines the level of access that the code has to various workstation functions. In particular, you can use the ECL to restrict access to database elements, the workstation's file system, and the execution of certain operations. For example, the ECL can be used to allow LotusScript programs to access the file system but to deny Java applets the same access.
When a database is opened and programming logic is executed, the signature ID last used to sign an element is checked against the ECL to determine whether that ID has been granted permission through the ECL to run. If permission has been granted either implicitly (default) or explicitly (user named in the ECL) for a particular task, the action is allowed. If not, the action is disallowed.
ECLs provide an important piece of the Notes security puzzle because they can stop rogue agents or applets from surreptitiously accessing confidential data or possibly causing irreparable harm to a user's workstation. Additionally, a workstation can be configured to enable the user to maintain the ECL, or the Domino Administrator can maintain the ECL centrally.
Configuring User-Controlled ECLs
To configure a user-controlled ECL, follow these steps:
1. | Select File, Security, User Security from the main menu which will prompt you for your password. |
2. | Enter your password. |
3. | Click the What Others Do button, which opens the dialog box shown in Figure 10.9 and expand the list of ECL options. |
4. | |
5. | Choose an entry to configure in the When Code Is Signed By list, or click the Add button to enter a new user. |
6. | Set the appropriate security options for the current entry. |
7. | Click OK to update the ECL. |
8. | Click OK to close the User Security dialog box. |
