The execution control list
You use an execution control list (ECL) to set up workstation data security. An ECL protects user workstations against active content from unknown or suspect sources, and can be configured to limit the action of any active content that does run on workstations. The ECL determines whether the signer of the code is allowed to run the code on a given workstation, and defines the access that the code has to various workstation functions. For example, an ECL can prevent another person's code from running on a computer and damaging or erasing data.

"Active content" includes anything that can be run on a user workstation, including formulas; scripts; agents; design elements in databases and templates; documents with stored forms, actions, buttons, hot spots; as well as malicious code (such as viruses and so-called "Trojan horses").

There are two kinds of ECLs: the Administration ECL, which resides in the Domino Directory (NAMES.NSF), and the workstation ECL, which is stored in the user's Personal Address Book (NAMES.NSF). The Administration ECL is the template for all workstation ECLs. The workstation ECL is created when the Notes client is first installed. The Setup program copies the administration ECL from the Domino Directory to the Notes client to create the workstation ECL.

The workstation ECL

A workstation ECL lists the signatures of trusted authors of active content. "Trust" implies that the signature comes from a known and safe source. For example, every system and application template shipped with Domino or Notes contains the signature Lotus Notes Template Development. Likewise, every template and database that your organization designs should contain the signature of either the application developer or the administrator.

For each signature, the ECL contains settings that control the actions that active content signed with that signature can perform and the workstation system resources it can access.

For a description of ECL access options, see ECL security access options.

How the workstation ECL works

When active content runs on a user workstation and attempts a potentially harmful action -- for example, programmatically sending mail -- the following occurs:

1. Notes verifies that the active content is signed and looks up the signer of the code in the workstation ECL.

2. Notes checks the signer's ECL settings to determine whether the action is allowed.

3. One of the following occurs:

Note The administration ECL has a setting that prevents users from changing their workstation ECLs. If this setting is enabled, then the user's option to trust the signer is disabled.

See Also