Authentication : SSO & WWV_CUSTOM-F_ security-group _ app_id
Hi,
In my application express application a user is authenticated by measn of single sign on.
So when a user goes to 'http://myhost/pls/apex/f?p=101:1' he is redirected to the SSO server and when validated is redirected to 'http://myhost/pls/apex/f?p=101:1:sessionid'
Now when the user clicks on a bookmark to a page to page 2 from the application; 'http://myhost/pls/apex/f?p=101:2' he will get redirected to the SSO server again.
and when validated he goes to 'http://myhost/pls/apex/f?p=101:2:othersessionid'
Is there a way to get the same sessionid for this second session as the first ?
I thought I could be a piece of code implemented in the page sentry function
with references to
- apex_custom_auth.get_session_id_from_cookie
and -apex_custom_auth.get_username
However, I know that the latter is not available so I can't use apex_custom_auth.post_login
The former should be available by means of the WWV_CUSTOM-F cookie, or is this even not the case ?
Thanks in advance
Art,
You might be able to use the Session Verification Function in the authentication scheme. I was thinking that this was unavailable for use when you use SSO, but you can try it.
Code it as a function like:declare l_session number;
begin
if apex_application.g_instance is null then
l_session := owa_cookie.get('COOKIE-NAME').vals(1);
apex_custom_auth.set_session_id(l_session);
end if;
return true;
end;[pre]
Good luck.
Scott
Similar Messages
-
SAML 2.0 and AD Security Group Membership
In ADFS 2.0, as a part of the token, I can pass the AD
security groups the user is in. Does SAP SSO have the ability to send and
receive SAML 2.0 tokens with AD security group membership?Hi Jeff,
SAP SAML 2.0 Identity Provider is able to include any group (or role) assignment of the user (available in the NetWeaver AS Java UME) as SAML Attribute in the generated SAML 2.0 Assertion.
These group assignments of the user can be local (maintained in local UME database) or remote ones if the UME is configured with other Data Source.
So in order to be able send the AD group assignments of the user you need to change the NetWeaver UME Data Source to your AD. More information how to do that you can find at this page: Identity Management - SAP Library.
Then in your Identity Provider you can configured so called "Authorization-Based Assertion Attributes" in the "Identity Federation" tab of your trusted Service Provider configuration. An example with such attributes is provided at this page: Configuring Identity Federation with Transient Users - Identity Provider for SAP Single Sign-On and SAP Identity Managem… (although the page is for Transient federation these attributes are supported for all supported NameID formats).
Regarding the receiving part:
In SAP SAML 2.0 Service Provider of NetWeaver AS Java received SAML 2.0 Attribute can be either assigned to any UME attribute of the authenticated user, or to be used in rules that assign specific role(s) or group(s) to the user. For more details see these pages: Configuring Federation Type Persistent Users (Advanced) - User Authentication and Single Sign-On - SAP Library and Configuring Federation Type Virtual Users - User Authentication and Single Sign-On - SAP Library
Regards,
Stefan -
How to read contents of files that do not fall under public security group?
Hi,
I need to read the contents of a WCM based xml file that does not fall under public security.
The process is like this:
First the user makes chnages to the content.
The workflow will be triggred based on the security group metadata that is associated with the content.
Once the content is finally approved our workflow calls a custom idoc script.
First we tried directly reading the xml contents from the idoc script which was still in the context of workflow. But since content item is still in workflow I was not able to read the changes. So I created a separate content publisher thread and read the DOC_INFO and checked for the dStatus value. If the value is RELEASED then I reading contents by calling ssIncludeXml idoc script.
This was working fine for public content. But now the requirement is that all content cannot be public. Content authors should not be able to edit the content that does not belong to their group, So we created security groups (and roles) and are associating that groups to the relavent content.
Beacuse of this change I am not not able to read the non public content. The call to DOC_INFO_BY_NAME service, which gives all the content files' metadata, is expecting the user to be logged in to give the details.
I tried calling the CHECKIN service with sysadmin and captured the cookies returned by that service and use cookies for the DOC_INFO_BY_NAME service call. But the service call was faling. It is throing the 401 forbidden error with the message that user needs to be logged in to get the details.
How to address this problem. Someone please help.
Note: I also tried using ridc for this. I was able to get it working but since it is executing in the context of server ridc api is changing server's environment properties like HTTP_HOST, HTTP_CGIPATHROOT etc. It also seemed like system was becoming non functional after using ridc. When I called check-in the system metadata values like security group are no more loading. Not sure if ridc is the culprit here but worried that it might be causing this issue.
Regards,
PratapSorry, I posted too much details while posting this question. I was saying "not able to read *non* public content".
Anyway, I was able to resolve the issue. I was able to authenticate with sysadmin credentials in the request to service using basic authentication and was able to read doc info with that credential.
But I realized there is more than option for reading secure content.
- I could set user name as sysadmin in the m_environment (if I am in the context of a service) and the call the DOC_INFO_BY_NAME service.
- I can post an HTTP request to DOC_INFO_BY_NAME service with sysadmin credentials and do basic authorization via the connection. (This is what i have done successfully as of now )
- I could add guest role to all security groups with R (read) privileges.
I will look into all options and implement the one which is more apt.
Regards,
Pratap -
User won't add to an AD security group
Hello,
I've been scouring around the last few days and I've come up empty handed with an issue I'm having on a personal domain and I'm hoping someone here can point me in the right direction.
I have a domain controller set up in a lab environment running Server 2012 RU with three computers and three users joined to the domain. I'm currently attempting to apply group policy via AD security groups but I've hit a dead
end. I've created the users and moved them to a nested OU, we'll call it SiteA>Users. I then created a global security group called Control Panel Restriction and placed it in a nested OU in SiteA>Groups, and joined one of the users to the
security group. I then created a group policy and configured it to restrict all access to the control panel and linked it to the SiteA OU. In security filtering I've removed the authenticated users group and added the Control Panel Restriction
group.
The first time the user is joined to a security group it seems to work fine. If I remove the user from the group and run gpupdate /force, the user can once again access the control panel. From that point going forward,
however, it's as if the user is never added to a security group again. I can add the user directly to the security filtering section of the GPO and it works, but it's like security group membership will not update anymore for that user.
Troubleshooting: I've verified the permissions of the security group for the GPO and made sure it has read and apply group policy access, I've created a test user and placed it in the Control Panel Restriction security group
and policy applied successfully (once), so I know the group works. I ran a gpresult /r for the user and found the group policy IS being applied, but it's being denied through security filtering. In the group membership section of the gpresult report
it indicates the user is only a member of the default security groups in AD, not the custom made security group, even though a quick inspection of AD proves otherwise.
Any advice?After you add, or remove, a user from a group, ensure that the changes have replicated/propagated across the DC's (waiting for your replication cycle time is usually enough), then, ensure that the user logs off, and then log the user on again.
The logoff/logon cycle is typically important, since the user's security token is constructed at logon, and the token is constructed based on group memberships at the time of logon.
Don
(Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!) -
GPO Security Group filtering not working
Hello all,
DC: 2008R2 w SP1
Client: W7 SP1
Objective: Disable Removable Storage
I can filter by individual user but not a security group (global). (linked to both users and computers OU). I check and make sure the user (me) belong to the group using the command whoami /groups. I check the Delegation setting and make sure that the security
group has the read and "apply" gpo checked. Also the Authenticated Users group has "read" allow.
Any clues?
ThanksGlad to hear this.
Best regards,
Frank Shen
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected] -
DirectAccess Installation Errors Involving Security Group
So I've read that it's best practice to filter DirectAccess GPO Affects to a single Security group instead of the "All Commputers" Group in AD. So I've done this. I created a group called 'DirectAccess' and set that as the target. When I attempt
to generate the GPO in the DirectAccess Wizard, I recieve this error:
"Security Group MyDomain\DirectAccess cannot be found"
"The Operation Failed. All of the Specified Security Groups are invalid."
So it looks like the group is invisible to my Server? The only thing I can think of is my AD Structure is sitting on some 2008 R2 boxes and this server is 2012 R2 box. Is there a requirement for AD to be at 2012 Operational Level for DirectAccess to work
in 2012 server R2?
--AaronUpdate: I had this closed a while ago. Microsoft was finally able to set it up in my environment. I will post the Closure email they sent me detailing the steps needed to successfully install DirectAccess: **Note I have changed all my Server/AD
information to match M$'s Contoso dummy domain
Issue:
Unable to configure Direct Access Server (DA_EDGE). Error: Security group CONTOSO\DirectAccess Clients cannot be found..
Troubleshooting:
We collected logs from the Direct Access server while configuring Direct Access.
logman create trace ETWTrace -ow -o c:\ETWTrace.etl -p {AAD4C46D-56DE-4F98-BDA2-B5EAEBDD2B04} 0xffffffffffffffff 0xff -nb 16 16 -bs 1024 -mode 0x2 -max 2048 –ets
logman update trace ETWTrace -p {62DFF3DA-7513-4FCA-BC73-25B111FBB1DB} 0xffffffffffffffff 0xff –ets
Configured Direct Access
logman stop ETWTrace -ets
We could not find information which could give us clue about the cause of the issue. We found that it was not able to find the group.
2464: 04: 2014-06-24 11:56:18.627 VERBOSE: Validating security group (CONTOSO\dagroup1) in the domain...
2464: 04: 2014-06-24 11:56:18.707 NTE: Security group CONTOSO\dagroup1 cannot be found.
We Collected Network Capture but could not find anything in LDAP Search Request Packet about the same.
We found that DC has 2 NIC and both were getting Domain Profile.
We removed the DMZ NIC and kept only NIC connected to LAN.
We again tried to configure Direct Access however it still came up with error.
We involved Directory Services team to take a look at the issue however in logs we were not able to find anything.
We collected Process Monitor and got it analyzed by the on the Direct Access Server and found that we were not able to create GPO. However it does not give clue as to how its failing.
11:58:51.6421023 PM RAMgmtUI.exe 1836 CreateFile
\\DC.contoso.com\SysVol\contoso.com\Policies\{D937469B-6E34-4A7F-9405-F9F97DC200E0} NAME NOT FOUND Desired Access: Read Attributes, Read Control, Dis, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a
11:58:51.6446131 PM RAMgmtUI.exe 1836 CreateFile
\\DC.contoso.com\SysVol\contoso.com\Policies\{D937469B-6E34-4A7F-9405-F9F97DC200E0} NAME NOT FOUND Desired Access: Read Control, Dis, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a
11:58:51.6472327 PM RAMgmtUI.exe 1836 CreateFile
\\DC.contoso.com\SysVol\contoso.com\Policies\{D937469B-6E34-4A7F-9405-F9F97DC200E0} NAME NOT FOUND Desired Access: Read Data/List Directory, Synchronize, Dis, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, Delete,
AllocationSize: n/a
11:58:51.6500318 PM RAMgmtUI.exe 1836 CreateFile
\\DC.contoso.com\SysVol\contoso.com\Policies\{D937469B-6E34-4A7F-9405-F9F97DC200E0} NAME NOT FOUND Desired Access: Read Attributes, Delete, Synchronize, Dis, Options: Directory, Synchronous IO Non-Alert, Open Reparse Point, Attributes: n/a, ShareMode: Read,
Write, Delete, AllocationSize: n/a
We did research internally and decided to configure Direct Access with Domain Computers Security Group (Using PowerShell command) and change it from GPMC – DirectAccess Client Settings GPO to “Direct-Access-Clients” security group and updated
Group Policy on Direct Access Server.
Install-RemoteAccess -NoPrerequisite -Force -PassThru -ServerGpoName 'contoso.com\DirectAccess Server Settings' -ClientGpoName 'contoso.com\DirectAccess Client Settings' -DAInstallType 'FullInstall' -InternetInterface 'Internal' -InternalInterface 'Internal'
-ConnectToAddress 'EDGE.contoso.com' -DeployNat -Verbose -ComputerName 'DA_EDGE.contoso.com'
We Also configured Certificate Authentication, and Exception for “EDGE.contoso.com'” in NRPT ising poweshell.
Add-DAClientDnsConfiguration -DnsSuffix 'EDGE.contoso.com' -Verbose -ComputerName 'DA_EDGE.contoso.com'
Set-DAClient -Downlevel 'Enabled' -Verbose -ComputerName 'DA_EDGE.contoso.com'
Once Direct Access got configured we were able to update GPO and connect client from outside.
On Windows 7 client machine we found IP Helper Service disabled and after enabling the service we were able to connect on that as well.
Resolution:
We configured Direct Access with Domain Computers Security Group (using PowerShell command) and changed the security group from GPMC – DirectAccess Client Settings GPO to “Direct-Access-Clients” security group and updated Group Policy on Direct
Access Server.
Install-RemoteAccess -NoPrerequisite -Force -PassThru -ServerGpoName 'contoso.com\DirectAccess Server Settings' -ClientGpoName 'contoso.com\DirectAccess Client Settings' -DAInstallType 'FullInstall' -InternetInterface 'Internal' -InternalInterface 'Internal'
-ConnectToAddress 'EDGE.contoso.com' -DeployNat -Verbose -ComputerName 'DA_EDGE.contoso.com'
Commands for troubleshooting Direct Access Clients connectivity:
To check client status:
netsh dns show state
To check effective NRPT on the client:
netsh name show eff
To Check status of IPHTPS Interface:
netsh int http show int
To Check status of Teredo Interface:
netsh int teredo show state
To Check Windows Firewall Profile on the client:
netsh advf show cu
To Check IPSec Main Mode Security Association:
netsh advf mon show mmsa
To Check IPSec Quick Mode Security Association:
netsh advf mon show qmsa
Related Articles:
Manage DirectAccess Clients Remotely
http://technet.microsoft.com/library/jj574200.aspx
Remote Access
http://technet.microsoft.com/en-US/network/dd420463
Remote Access (DirectAccess, Routing and Remote Access) Overview
http://technet.microsoft.com/en-us/library/hh831416
Remote Access (DirectAccess) Prerequisites
http://technet.microsoft.com/en-us/library/dn464273.aspx
DirectAccess Offline Domain Join
http://technet.microsoft.com/en-us/library/jj574150.aspx
Plan the DirectAccess Infrastructure
http://technet.microsoft.com/en-us/library/jj574101.aspx
Configure the DirectAccess Server
http://technet.microsoft.com/en-us/library/jj574180.aspx
Configuring and Implementing DirectAccess with Windows Server 2012
http://technet.microsoft.com/en-us/video/tdbe13-configuring-and-implementing-directaccess-with-windows-server-2012.aspx -
NAC authentication SSO crashed after update fixes in Win Server2K3
NAC 4.7(2) authentication SSO with Active Directory on WinServer2k3 crashed after update the next fixes:
KB2478971 KERBEROS WEAK HASHING ALGORITHMS
This update addresses the vulnerabilities by preventing the use of weak hashing algorithms in both Windows Kerberos and Windows KDC and by preventing the client from downgrading the encryption standard to DES for Kerberos communication between client and server.
http://www.microsoft.com/technet/security/bulletin/MS11-013.mspx
KB2478953 ACTIVE DIRECTORY DoS
The vulnerability could allow denial of service if an attacker sent a specially crafted packet to an affected Active Directory server. The attacker must have valid local administrator privileges on the domain-joined computer in order to exploit this vulnerability.
http://www.microsoft.com/technet/security/bulletin/MS11-005.mspx
The NAC solution was working fine for a year, but since my costumer installed those fixes we have troubles to auth users in NAC, CAM can't read LDAP tree and CAS neither. I requested my customer to remove those fixes, they did it but they don´t have a snapshot or checkpoint previous to restore the servers.
We have followed the Cisco's tshoot guides but the problem continues...
Any suggestion?Could you please retpye ktpass on Win2003 server.You said CAM crashed, Do you find any message on support log.
If you need a quickly support . please open a tac support case for this issue .
SongL -
Using WMI Filter to apply group policy to users on computers in a security group
Hello all,
I've got a bunch of computers that I want to apply some user side polices that affect all users that log on to these specific computers (they are used for exams).
Unfortunately it is company policy to have a flat OU structure and as such moving these computers into their own OU is out of the question. Which brings me to wanting to create a WMI filter to limit the policy to running on computers only within the security
group and then set the security filtering to "Authenticated Users". The policy will be linked to the all student computers OU where a few thousand machines sit, but will only apply to 20 or so machines (I know it's messy).
Anyway that brings me to my question, can someone point me in the right direction for how I would go about creating this WMI query?
Cheers> I've got a bunch of computers that I want to apply some user side
> polices that affect all users that log on to these specific computers
> (they are used for exams).
That's what "Loopback" initially was designed for. Nowadays, we can use
some other tricks :)
http://evilgpo.blogspot.de/2012/02/loopback-demystified.html
http://blogs.technet.com/b/askds/archive/2013/02/08/circle-back-to-loopback.aspx
Martin
Mal ein
GUTES Buch über GPOs lesen?
NO THEY ARE NOT EVIL, if you know what you are doing:
Good or bad GPOs?
And if IT bothers me - coke bottle design refreshment :)) -
Sync Project Online Security Group to SharePoint Security Groups
Hi,
Is there any way to sync prject server security group(Custom) into SharePoint Security Groups.
My scenario is: I created a document library, I want to apply project server security on it, based on project server security groups, for that currently I created a custom group in sharepoint and manualy added the users into that group. That doesn't looks
good, because if my project online group will change, than manually I have to change sharepoint group too. So what I want is, that sharepoint group is automatically synced with project online group.
Or is there any other way to assign project online security in document library?
Thanks
PSNNo there is no workaround other then creating a group on Office 365 server.
SharePoint Online lets you create security groups via the Admin Overview page
http://technet.microsoft.com/en-us/magazine/hh395478.aspx
Just found a 3rd part. check if it can help
http://en.share-gate.com/blog/migrate-to-office-365-configure-sharepoint-to-use-active-directory
Active Directory Synchronization: Allows you to sync your Active Directory Objects such as users and groups to your Office 365 account. This is a one-way synchronization, which means you continue to manage users On-Premises, and your changes
will appear on Office 365 SharePoint. However, authentication and passwords are still managed by Office 365. It will be required for Password Sync and Single Sign On (see below).
If this helped you resolve your issue, please mark it Answered -
ORA-20001: Unauthorized access (security group package variable not set).
I'm creating an app that uses APEX authentication and features self-registration (working) and forgot password (not working) forms.
My forgot password is public (requires no authentication). The user provides username and secret answer, which are validated, then provides the new password. I attempt to use htmldb_util.reset_pw to reset the user's password, but it's not working.
I have a process on the new password page calling a PL/SQL anonymous block that looks like this (see below), where P16_ITEM1 = username and P18_ITEM1 = new password.
BEGIN
apex_040000.htmldb_util.reset_pw( V('P16_ITEM1'), V('P18_ITEM1') );
END;
I also don't know how to send accurate success/failure messages from such PL/SQL block back to APEX, but that's a separate issue I guess.
Anyway, when testing via SQL Developer as the user with APEX_ADMINISTRATOR_ROLE, I get the following error:
ORA-20001: Unauthorized access (security group package variable not set).
ORA-06512: at "APEX_040000.WWV_FLOW_FND_USER_API", line 22
ORA-06512: at "APEX_040000.WWV_FLOW_FND_USER_API", line 1220
ORA-06512: at "APEX_040000.HTMLDB_UTIL", line 1253
ORA-06512: at line 8
I've searched previous threads and tried different suggestions with no luck.
I'm on Oracle DB XE 11g and APEX 4.x.
Any help will be appreciated. Thanks,
Alex.Anyway, when testing via SQL Developer as the user with APEX_ADMINISTRATOR_ROLE, I get the following error:
ORA-20001: Unauthorized access (security group package variable not set).When running code outside Apex that depends on the Apex security group being set, run the following before your own code:
wwv_flow_api.set_security_group_id(apex_util.find_security_group_id('YOUR_SCHEMA_NAME'));Google "wwv_flow_api.set_security_group_id" for more details, such as this blog post:
http://www.easyapex.com/index.php?p=502
- Morten
http://ora-00001.blogspot.com -
Too many AD security groups for ACS 4.1
We have an issue that when a user is a member of too many Windows AD (2003) security groups (roughly 65) they won't get authenticated by our ACS 4.1.
The 1st thing we investigated was the Windows Kerberos authentication issue. Which basically says that if a user is a member of more than 70 security groups then Kerberos authentication might fail. However we've used the tokensz.exe tool to calculate that the affected users Kerberos Token size isn't above the problem 12,000 bytes. Link to that issue http://technet.microsoft.com/en-us/library/cc757478%28WS.10%29.aspx
On the ACS, when a user is a member of too many security groups, the error message is "External user not found". When the user is brought down to the "magic" number of security groups authentication works no problem.
At the same time on the DC errors can be found in the CSWinAgent.log file.
CSWinAgent 01/18/2010 12:25:23 A 0063 5720 NTLIB: Insufficient space for all of user [email protected] certificates
CSWinAgent 01/18/2010 12:25:23 A 0063 5720 NTLIB: Group list buffer is too small for getting full groups list.
So we are starting to think that the DC and / or CSWinAgent is causing us issues. Has anyone experienced similar issues?
Thanks
StuartHi Stuart,
We are hitting a bug here.
CSCse49827 Bug Details
ACS Remote Agent fails users with too many goups
Symptom:
Windows External Database authentication fails on the ACS 4.0 SE if a user is a member of
too many Windows groups.
Conditions:
This is specific to the ACS SE running 4.0.1(42) or earlier using Windows Domain Authentication
to the ACS Remote Agent.
Workaround:
Reduce the number of group memberships the user is part of or reduce the lenght of
the group names the user is a part of.
Further Problem Description:
If a user ia a part of enough windows groups that the number of characters total of all the groups
exceed 1024 bytes the authentication of that user will fail. All other users should still authenticate
without any trouble
Please upgrade ACS to 4.1.4 and that should fix it.
First you need to upgrade it to 4.1.1 and then 4.1.4
Regards,
~JG
Do rate helpful posts -
Hi
I have a few security groups which initially can be use in Sharepoint 2010 but after a few months it seems that this groups cant be used anymore. the users in the groups could not access Sharepoint.
TIAFor the users to access sharepoint site, it is required that they need to be present in any of the below groups.
Owners Group -> Full control of the site
Members group -> Contribute access to the site
Visitors group -> Read access to the site
Designers group -> contribute + design access to the site
Also if you add the NT Authority\Authenticated users to any of the above groups then all the authenticated users of the active directory will have the rights to access the site as per the groups they are assigned to.
Hope this helps.
Amalaraja Fernando,
SharePoint Architect - HP
e-Mail: [email protected]
[email protected]
This post is provided "AS IS" with no warrenties and confers no rights.
Hi,
Will try this way out. Thanks
Regards,
Jarvis -
Is there a way for an end user to see who has membership in a security group
Windows Server 2008 R2
Active Directory Domain
Windows 7 workstations
I am looking for a way that my end users can look at a folder security tab and then discover who has membership in the security groups listed.
Is that possible? Any drawbacks or concerns?Hi Tod,
Based on my research, other than viewing group membership in ADUC, we can use this PowerShell cmdlet
Get-ADGroupMember GroupName and Net Group GroupName to view members in a group:
However, these commands can only be used on Domain Controllers or when connecting to DCs remotely. That’s because accounts and account membership are stored on Domain Controllers, therefore we can only view group membership on DCs.
More information for you:
Viewing the Direct Members of a Group
http://technet.microsoft.com/en-us/library/dd391915(v=WS.10).aspx
Net group
http://technet.microsoft.com/en-us/library/cc754051.aspx
Best Regards,
Amy -
not able to set security group without mail enabled as site collection admin using powershell in sharepoint online site - office 365?
Any idea?after few days test in my lab, I can see that only email enabled group can be added as site collection admin using POWERSHELL.
hope this helps who stuck like me!! :-) -
I looked for this specific issue with Project Server 2010/PWA/SharePoint and could not find an exact answer... hopefully someone can help.
We are currently using Project Server 2010 and have a number of project site templates that are used dependent upon the enterprise project type selected. Each of these project site templates have unique permissions which should create the default security
groups on the project site upon publishing/syncing:
<Project Name> Members
<Project Name> Owners
<Project Name> Visitors
<Project Name> Project Managers (Project Web App Synchronized)
<Project Name> Team Members (Project Web App Synchronized)
Web Administrators (Project Web App Synchronized)
Whether a user creates a project through PWA or Project Pro 2010 and imports the project into PWA, we get a weird result in the Site Permissions of the newly created project site. PWA will remove all default security groups from the project site template
and add a whole list of users in the Site Permissions list without groups.
Once the project is published and the project site is created, we can then go back and add those default security groups back in the project Site Permissions and even add a couple of custom groups without them being removed on all subsequent project syncs
or publishing.
How do we get PWA to not overwrite the project site templates' security groups and place each user in the proper default security groups? At the same time, how is PWA adding a number of users into the Project Site Permissions?
Thanks in advance.Paul,
Thanks for that information. Right now we are using the Test environment to turn the Auto-sync feature back on. I suspect that the reason this is happening is due to PWA groups/categories/security templates. There may be more than one PWA group that is "overwriting"
the default project site groups upon initial creation of the project. We will look further into the security settings to tighten up the policies.
Maybe you are looking for
-
This menu appeared on the screen somehow and i can't get rid of it, It is taking up a lot of my screen space. I used to have the word Bookmarks at the upper right that gave me a drop down menu when clicked.
-
Transferring entire iTunes library from a Windows PC to a Mac.
Can someone please leave a simple, step by step guide to help me move my iTunes library from a Windows PC to a Mac? I want an identical library on my Mac with play counts, playlists, device backups and all of that stuff. I don't care if it takes a l
-
Hi. A report has been created via KE30 in our test system. Rather than transporting it i'd like to create it in our prod system. The listing of characteristics are different tho. For example, Posting Date is available in test but not prod. Is there
-
Previews not automatically saving in EPS files
Hi Just got Illustrator CS5 yesterday and immediately noticed that when saving a new EPS file it doesn't automatically include a preview, you have to choose it. In all past versions i have used this defaulted to 8-bit tiff with transparency. This wou
-
Problems with CS6 after installation with Migration Assistant.
I just used Mac OS Migration assistant to get CS6 into a new computer. Everything was hunky dory on the first computer and I already deactivated CS6 on my older second computer. But I am now having CS6 issues on the new one. InDesign won't start up