ECL alerts in Notes when a mailfile has delegate users
A customer had questions about how ECL alerts work after finding they were prompted with ECL alerts when they did not expect to be, for example in the following conditions:
1) If a user creates a folder in his mail database using iNotes, the folder is signed by the Domino mail server's ID where the mail database resides.
If this user subsequently opens this folder in the Lotus Notes client (instead of via iNotes), ECL alerts are triggered for the following 2 actions, only in cases where the server is not already listed in the user's ECL with the right to execute these actions:
2) If a delegate user creates a folder in the user's mail database using a Notes Client, the folder is signed by the delegate.
If the owner of the mail database subsequently opens this folder in Lotus Notes, ECL alerts are triggered for the following 2 actions, where the delegate is not already listed in the user's ECL with the right to execute these actions:
3) In a mail-in database used by several users, each folder created by a user is signed with his own ID.
If other users of the mail-in database subsequently open this folder in the Notes client, ECL alerts are triggered for the following 2 actions, where the creator of the folder is not already listed in the users' ECL with the right to execute these actions:
Statement from Lotus development
IBM confirms that in the 3 scenarios referenced above, the product is working as designed.
An ECL protects user workstations against active content from unknown or suspect sources, and can be configured to limit the action of any active content that does run on workstations. The ECL determines whether the signer of the code is allowed to run the code on a given workstation, and defines the access that the code has to various workstation functions.
By design, the iNotes product relies heavily on the Domino server, which results in folders of a mail database being signed by the server instead of the user. IBM will investigate the implications of modifying this behaviour in a future release of iNotes, as it has already been changed on our SaaS offering (LotusLive Notes). Development have confirmed they cannot modify the behaviour of the current 8.5.x versions for architectural reasons. The fact that a user is presented with ECL alerts that a folder has been created by somebody else in a mail database is a requested security feature used worldwide by IBM Customers. Modifying this feature would have dramatic ramifications for our Customers relying on it and therefore, IBM does not plan to change it at this time.
IBM recommends that end users be educated to understand which of the following actions they need to choose when receiving an ECL alert:
1) "Do not execute the action" to deny the signer access to perform the specified action.
2) "Allow execution of the action this one time" to allow the signer access to perform the action only once. The Execution Security Alert (ESA) will appear again if the same action is attempted in the future. This option does not permanently modify the user's ECL.
3) "Trust the signer to execute this action for this Lotus Notes session" to allow the signer access to perform the action for the duration of the user's Lotus Notes session, until the user logs out of Lotus Notes or switches to another Lotus Notes ID. This option does not permanently modify the ECL.
4) "Start trusting the signer to execute this action" to allow the action to be performed and modify the ECL configuration to add the signature of the active content to the ECL. This grants permission permanently for the signer to execute the specific action any time on that workstation. They will not be prompted again.
5) "More Info" to display a dialog box that provides information about the design type, design name, Lotus Notes ID, signature status, and parent database of the code that caused the ESA. For example, locally scheduled agents, as well as manual agents, can generate ESAs. Click "More Info" to get information about the agent that generated the alert.
The product documentation indicates ways for administrators to set the ECL of users and/or lock their ability to modify the ECL. You can refer to the entry with the title "The execution control list" in the Lotus Domino Administrator help file:
Other security features described in the help of the Notes and Domino products should also be in place to protect sensitive data, for example ACLs, Reader fields and encryption (this list is not exhaustive).
The appropriate use of the combination of all the security features included in Notes and Domino will provide a high level of protection for your data. Each company should decide on their own policies in terms of security and provide appropriate training to the users in this regard.
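In all three scenarios above, the alert depends on who signed the folder, so before setting users' ECLs an administrator may want to see which signers appear on the folders of a given mail file. The LotusScript agent below is an added example, not IBM's code; it assumes it is run from the Notes client inside the mail database and that NotesDocument.Signer returns the signer of a folder design note.

```lotusscript
Option Declare

' Added example: list the signer of every folder in the current mail database,
' grouped by signer, so they can be compared against the entries in the ECL.
Sub Initialize
	Dim session As New NotesSession
	Dim db As NotesDatabase
	Dim nc As NotesNoteCollection
	Dim doc As NotesDocument
	Dim noteID As String
	Dim signer As String
	Dim title As String
	Dim folders List As String   ' signer name -> comma-separated folder titles
	Dim report As String

	Set db = session.CurrentDatabase

	' Build a collection that contains folder design notes only
	Set nc = db.CreateNoteCollection(False)
	nc.SelectFolders = True
	Call nc.BuildCollection

	noteID = nc.GetFirstNoteId
	Do While noteID <> ""
		Set doc = db.GetDocumentByID(noteID)
		If Not (doc Is Nothing) Then
			title = doc.GetItemValue("$TITLE")(0)
			' A folder with no signature is reported separately
			If doc.IsSigned Then
				signer = doc.Signer
			Else
				signer = "(unsigned)"
			End If
			If Iselement(folders(signer)) Then
				folders(signer) = folders(signer) & ", " & title
			Else
				folders(signer) = title
			End If
		End If
		noteID = nc.GetNextNoteId(noteID)
	Loop

	' One line per signer: a server name points to scenario 1 (iNotes),
	' another user's name to scenario 2 or 3 (delegate or mail-in database)
	report = "Folder signers in " & db.Title & ":" & Chr(10)
	Forall f In folders
		report = report & Listtag(f) & " -> " & f & Chr(10)
	End Forall
	Messagebox report, 64, "Folder signer audit"
End Sub
```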