This post describes defaults and best practices for Domino administrators responsible for rolling out Widgets and Live Text in conjunction with available policies and preferences controls.
We first discuss the defaults when not using policies and then present the recommended policy roll out based on user type.
If you do not use policies, each client will have the Widgets UI (My Widgets sidebar panel, Widgets toolbar, and Tools > Widgets top-bar menus) turned off. After enabling the UI (File > Preferences > Widgets, then select the "Show Widget Toolbar and the My Widgets Sidebar panel" option), each user has the freedom to create, email, publish and install widgets. To restrict users from doing these types of actions, you can use policies or plugin_customization.ini file settings.
The Domino Administrator, if not using policies, can enable the Widgets UI or customize any of these same policy settings as part of the Notes install kit customization process. To restrict access using plugin_customization.ini file settings, see
in the Domino Administrator help.
The default Widget Desktop policy settings document for Domino 8.5.2 and lower is shown below:
In Domino 8.5.3, the defaults for Widget Policies were changed. The default Widget Desktop policy settings document for Domino 8.5.3 and higher is shown below:
When setting up policies for widgets, we recommend you start with strong restrictions for End users and fewer restrictions for Admin/Power users. Using the recommendations below, End users are pushed a set of widgets that are installed for them automatically (based on the user's category membership), but they cannot manually install a widget from the catalog or from any other source. In this scenario, the End user cannot create, publish, or email widgets. Conversely, Admin/Power users can install widgets from any source and can also create, publish, and email widgets.
in the Domino Administrator help.
Widgets installed via policies are considered managed. These types of managed widgets cannot be modified or removed by a user. Widgets installed from the catalog manually by a user (for example, via drag and drop) are also managed. These types of managed widgets cannot be modified, but can be removed. All managed widgets are automatically updated (via replication/update) if an update exists. Widgets installed via email or by any other method are not considered "managed", so a user can modify or remove them.
Policy | Default Value | Recommended Starting Value For Admin and Power Users | Recommended Starting Value For End Users |
Widget catalog server | | YourServer/Org
Choose to 'Set value and prevent changes' | YourServer/Org
Choose to 'Set value and prevent changes' |
Widget catalog application name | toolbox.nsf | widgets.nsf
Choose to 'Set value and prevent changes' | widgets.nsf
Choose to 'Set value and prevent changes' |
Widget catalog categories to install | | GroupCategory
This should be the comma separated list of categories you want to push out for the user this policy applies to.
i.e. 'Developers' category
This setting is implicitly set to 'Set value and prevent changes'
** Admins should lock down the list of categories that are pushed out to users by using the ADMIN-Categories keyword, which restricts the ability to add widgets to a specific group of categories to Administrators only. | GroupCategory
This should be the comma separated list of categories you want to push out for the user this policy applies to.
i.e. 'All End Users' category
This setting is implicitly set to 'Set value and prevent changes'
** Admins should lock down the list of categories that are pushed out to users by using the ADMIN-Categories keyword, which restricts the ability to add widgets to a specific group of categories to Administrators only. |
Enable Live Text | Enable
The user will be able to see Live Text and execute actions on the Live Text. The Live text preference page will be visible to the user. | Enable
The user will be able to see Live Text and execute actions on the Live Text. The Live text preference page will be visible to the user. | Enable
The user will be able to see Live Text and execute actions on the Live Text. The Live text preference page will be visible to the user. |
Show the My Widgets panel in the sidebar | No (Prior to 8.5.3)
This turns off all the Widgets UI (sidebar panel, menus, toolbars) but still allows Live Text actions to be visible and executable. Note that widgets can still be installed via policy when the My Widgets sidebar panel is hidden from the user.
Yes (Beginning with 8.5.3)
This turns on all of the Widgets UI (sidebar panel, menus, toolbars)
Starting in Notes 8.5.1, the Admin can also choose to hide the My Widgets sidebar panel, while still displaying the Widgets menus and toolbars. See Window Management Desktop Policy settings for more information. | Yes
This turns on all of the Widgets UI (sidebar panel, menus, toolbars)
Choose to 'Set value and prevent changes' | Yes
This turns on all of the Widgets UI (sidebar panel, menus, toolbars)
Choose to 'Set value and prevent changes' |
Restrict the addition of widgets to specific types
Note: this is really 'creation' not 'addition.' | Disable (Prior to 8.5.3)
Users can create any widget type (provider) using the widget wizards
Enable (Beginning in 8.5.3)
When applied with the empty provider list (you need to use '.' for policies to push the empty list) below, the user cannot create any widgets.
This will hide the actions that allow the user to launch the widget creation wizards. | Disable
Users can create any widget type (provider) using the widget wizards | Enable
When applied with the empty provider list (you need to use '.' for policies to push the empty list) below, the user cannot create any widgets.
This will hide the actions that allow the user to launch the widget creation wizards. |
Enable provider Ids for widget addition
Notes:
This is really 'creation' not 'addition.'
This is only displayed if the 'Restrict the addition of widgets to specific types' policy is Enabled. | Prior to 8.5.3
The list of providers has grown...
8.0.1+
com.ibm.rcp.toolbox.google.provider.internal.GooglePalleteProvider
com.ibm.rcp.toolbox.web.provider.WebServicesPalleteProvider
com.ibm.rcp.toolbox.feeds.FeedPalleteProvider
com.ibm.notes.toolbox.provider.NotesViewPalleteProvider
com.ibm.rcp.toolbox.prov.provider.ToolboxProvisioning
8.5.1+
com.ibm.notes.toolbox.provider.NotesFormPalleteProvider
com.ibm.rcp.toolbox.search.provider.SearchPalleteProvider
8.5.2+
com.ibm.rcp.toolbox.ca.provider.internal.CAActionPalleteProvider
Beginning in 8.5.3
See below for description of each provider
| NA | . |
Restrict provider Ids for installation/execution | Disable
Users can install/run any widget type/provider | Disable
Users can install/run any widget type/provider | Disable
Users can install/run any widget type/provider.
Since the other recommended policies will limit widget installation to only widgets the admin provides, you can assume the user can install all of those widgets. |
Enable provider Ids for installation/execution
Note: This is only displayed if the 'Restrict provider Ids for installation/execution' policy is Enabled. |
The list of providers has grown...
8.0.1+
com.ibm.rcp.toolbox.google.provider.internal.GooglePalleteProvider
com.ibm.rcp.toolbox.web.provider.WebServicesPalleteProvider
com.ibm.rcp.toolbox.feeds.FeedPalleteProvider
com.ibm.notes.toolbox.provider.NotesViewPalleteProvider
com.ibm.rcp.toolbox.prov.provider.ToolboxProvisioning
8.5.1+
com.ibm.notes.toolbox.provider.NotesFormPalleteProvider
com.ibm.rcp.toolbox.search.provider.SearchPalleteProvider
8.5.2+
com.ibm.rcp.toolbox.ca.provider.internal.CAActionPalleteProvider
9.0+
com.ibm.rcp.toolbox.opensocial.provider.internal.OpenSocialPalleteProvider
See below for description of each provider | NA | NA |
Restrict extension point Ids for installation/execution | Disable
All extension points from all widgets can be installed with a widget | Disable
All extension points from all widgets can be installed with a widget | Disable
All extension points from all widgets can be installed with a widget.
Since the other recommended policies will limit widget installation to only widgets the admin provides, you can assume the user can install all of the extensions from those widgets. |
Enable extension point Ids for installation/execution
Note: This is only displayed if the 'Restrict extension point Ids for installation/execution' policy is Enabled. | org.eclipse.ui.popupMenus
org.eclipse.ui.viewActions
org.eclipse.ui.views identifiers
com.ibm.rcp.ui.shelfViews
com.ibm.rcp.textanalyzer2.Dictionaries
com.ibm.rcp.search.engines.searchEngines
com.ibm.rcp.search.ui.searchBarSets
com.ibm.rcp.content.contentTypes
com.ibm.rcp.annotation.regex.regexTypes
These are the default values but there are many more extension points in the platform that you can restrict. | NA | NA |
Create and manage an action | Enable (Prior to 8.5.3)
This allows the user to create, edit, and delete widget actions.
Disable (Beginning in 8.5.3)
The user cannot create, edit, or delete widget actions. | Enable
This allows the user to create, edit, and delete widget actions. | Disable
The user cannot create, edit, or delete widget actions. |
Create and manage recognizers and content types | Yes (Prior to 8.5.3)
This allows the user to create and edit recognizers and content types. It allows users to use the Widget Management UI ('Managed Widgets, Content, Recognizers' action in the My Widgets sidebar panel) and the 'Recognize All Content' action in the My Widgets sidebar panel (used for new recognizer/content type development).
No (Beginning in 8.5.3)
The user cannot create or edit recognizers and content types. The user cannot get to the Widget Management UI and cannot use the development action 'Recognize All Content'. | Yes
This allows the user to create and edit recognizers and content types. It allows users to use the Widget Management UI ('Managed Widgets, Content, Recognizers' action in the My Widgets sidebar panel) and the 'Recognize All Content' action in the My Widgets sidebar panel (used for new recognizer/content type development). | No
The user cannot create or edit recognizers and content types. The user cannot get to the Widget Management UI and cannot use the development action 'Recognize All Content'. |
Enable default recognizers | Enable
This enables all of the recognizers that ship with the client (People, Addresses, Organizations) | Enable
This enables all of the recognizers that ship with the client (People, Addresses, Organizations) | Enable
This enables all of the recognizers that ship with the client (People, Addresses, Organizations) |
Send widgets using e-mail | Enable (Prior to 8.5.3)
This allows the user to right click on a widget thumbnail in the My Widgets sidebar panel and select the 'Email to' action. This action exports the widget and attaches the XML to a new e-mail document.
This also allows the user to manually export a widget using the 'Export' action in the My Widgets sidebar panel's options menu.
Disable (Beginning in 8.5.3)
The user cannot email widgets to others and the user cannot export widgets | Enable
This allows the user to right click on a widget thumbnail in the My Widgets sidebar panel and select the 'Email to' action. This action exports the widget and attaches the XML to a new e-mail document.
This also allows the user to manually export a widget using the 'Export' action in the My Widgets sidebar panel's options menu. | Disable
The user cannot email widgets to others and the user cannot export widgets. |
Install widgets from email or other | Enable (Prior to 8.5.3)
This allows the user to install widgets from an email, file system, web page or any Notes document that has a widget attachment (this includes installation from catalogs other than the catalog configured for the user).
Disable (Beginning in 8.5.3)
The user cannot install widgets from any Notes documents that are not from the widget catalog. The user can only install widgets from the widget catalog. | Enable
This allows the user to drag and drop widgets for installation from an email or web page or any Notes document that has a widget attachment (this includes installation from catalogs other than the catalog configured for the user). | Disable
The user cannot install widgets from any Notes documents that are not from the widget catalog. The user can only install widgets from the widget catalog. |
Install widgets from catalog | Enable (Prior to 8.5.3)
This allows the user to drag and drop widgets from the catalog into the My Widgets sidebar panel for installation.
This also allows the user to select additional widget catalog categories to install on the Widgets preference page.
Disable (Beginning in 8.5.3)
The user cannot manually install widgets from the catalog (i.e. drag and drop) and cannot select additional widget catalog categories to install on the Widgets preference page.
This way the admin has complete control over which widgets get installed into the end user system. | Enable
This allows the user to drag and drop widgets from the catalog into the My Widgets sidebar panel for installation.
This also allows the user to select additional widget catalog categories to install on the Widgets preference page. | Disable
The user cannot manually install widgets from the catalog (i.e. drag and drop) and cannot select additional widget catalog categories to install on the Widgets preference page.
This way the admin has complete control over which widgets get installed into the end user system. |
Publish to catalog so others can browse (subject to catalog ACLs) | Enable (Prior to 8.5.3)
This allows the user to right click on the widget and select Publish to Catalog. The widget will be exported and the export result will be attached to the new widget document created in the Widget Catalog configured for the user.
Disable (Beginning in 8.5.3)
The user cannot publish a widget to the catalog.
Note: Default ACLs on the catalog set everyone as Author. | Enable
This allows the user to right click on the widget and select Publish to Catalog. The widget will be exported and the export result will be attached to the new widget document created in the Widget Catalog configured for the user.
See note below on review process. | Disable
The user cannot publish a widget to the catalog. |
Gadget Server URL |
Used in OpenSocial component deployments. Introduced in 9.0. |
|
|
Gadget Cache URL |
Used in OpenSocial component deployments. Introduced in 9.0. |
|
|
com.ibm.rcp.toolbox.opensocial.provider.internal.OpenSocialPalleteProvider -> OpenSocial Widgets
We have recommended that you allow Admin/Power users to publish to the catalog and prevent End users from publishing. You may want to lock down one more layer and set up a review process before all employees are able to install something that was just published.
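A check of the widget settings pushed to a user against the End user column of the table, as an added example rather than IBM's or this wiki's own code. The dict layout keyed by the table's policy labels, the overlay of pushed values on the pre-8.5.3 defaults, and the provider-list separators are assumptions made for illustration.

```python
import re

RESTRICT = "Restrict the addition of widgets to specific types"
PROVIDERS = "Enable provider Ids for widget addition"
PUBLISH = "Publish to catalog so others can browse (subject to catalog ACLs)"

# "Recommended Starting Value For End Users" column of the table above.
END_USER_BASELINE = {
    RESTRICT: "Enable",
    PROVIDERS: ".",
    "Create and manage an action": "Disable",
    "Create and manage recognizers and content types": "No",
    "Send widgets using e-mail": "Disable",
    "Install widgets from email or other": "Disable",
    "Install widgets from catalog": "Disable",
    PUBLISH: "Disable",
}
# "Default Value" column for releases prior to 8.5.3.
DEFAULTS_PRE_853 = {
    RESTRICT: "Disable",
    "Create and manage an action": "Enable",
    "Create and manage recognizers and content types": "Yes",
    "Send widgets using e-mail": "Enable",
    "Install widgets from email or other": "Enable",
    "Install widgets from catalog": "Enable",
    PUBLISH: "Enable",
}

def creatable_providers(settings):
    """None = any widget type can be created, [] = none, else the allowed IDs."""
    raw = settings.get(PROVIDERS)
    if settings.get(RESTRICT) != "Enable" or raw is None:
        return None  # assumption: a list that was never pushed restricts nothing
    ids = re.split(r"[,\s]+", raw.strip())
    return [i for i in ids if i and i != "."]  # '.' pushes the empty list

def audit(policy, baseline=END_USER_BASELINE, defaults=DEFAULTS_PRE_853):
    """Return (setting, actual, expected) for each deviation from the baseline."""
    settings = {**defaults, **policy}  # pushed values override client defaults
    return [(k, settings.get(k), want) for k, want in baseline.items()
            if settings.get(k) != want]

# Constructed sample: restriction enabled, but one provider is still listed and
# "Install widgets from email or other" was left at its pre-8.5.3 default.
SAMPLE = {**END_USER_BASELINE,
          PROVIDERS: "com.ibm.rcp.toolbox.feeds.FeedPalleteProvider"}
del SAMPLE["Install widgets from email or other"]

if __name__ == "__main__":
    for name, actual, expected in audit(SAMPLE):
        print(f"{name}: {actual!r}, End user baseline is {expected!r}")
```

Running `audit({})` shows how far an unmanaged pre-8.5.3 client sits from the End user recommendations: every setting in the baseline is reported.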
A webcast presentation on architecture, deployment, security and more around plug-ins and widgets in Lotus Notes and Sametime.