Privileges and Roles Based Views

Hello,
I have been configuring Roles based Views with Windows radius authentication on our 2960's and 3750's and it is working great.  I have 2 users, one with a Roles Based View called "priv3" and the other is for admins who log in as the "root" view.  I have one Windows Active Directory group for "priv3" users and the other for admins using "root".
Now I have to configure this on our 2955 switches and to my horror they don't seem to support Roles Based Views!!  If you know if they can then all this would be solved, I'm using the latest IOS c2955-i6k2l2q4-mz.121-22.EA13.bin.
How can I convert the Roles Based Views to privileges and use radius and not affect the other switches, as I've never used privileges.
I hope someone can help with the config:
Below is the config I use on the 2960's and 3750's and also what I use on the radius servers.  I guess I would need to use a priv 15 setup and a custom view called priv3?
Priv3 radius user settings
cisco av-pair cli-view-name=priv3
Priv 15 or root user settings
cisco av-pair shell:priv-lvl=15
cisco av-pair shell:cli-view-name=root
Config:
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname 3750
boot-start-marker
boot-end-marker
logging buffered 64000
logging console informational
logging monitor informational
enable secret 5 $1$1UGK$kHB.S2UwMVXaG3C0
username admin privilege 15 secret 5 $1$BsaS$cLHllovL2ZFb1
username priv3users view priv3 secret 5 $1$JfnH$vUu.B.natnyB.
aaa new-model
aaa authentication login default group radius local
aaa authentication enable default line
aaa authorization console
aaa authorization exec default group radius local
aaa session-id common
clock timezone GMT 0
clock summer-time BST recurring last Sun Mar 2:00 last Sun Oct 3:00
switch 1 provision ws-c3750g-12s
switch 2 provision ws-c3750g-12s
system mtu routing 1500
udld aggressive
no ip domain-lookup
ip domain-name CB-DI
login on-failure log
login on-success log
crypto pki trustpoint TP-self-signed-3817403392
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3817403392
revocation-check none
rsakeypair TP-self-signed-3817403392
crypto pki certificate chain TP-self-signed-3817403392
certificate self-signed 01
  removed
  quit
archive
log config
  logging enable
  logging size 200
  notify syslog contenttype plaintext
  hidekeys
spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree vlan 10 priority 8192
vlan internal allocation policy ascending
ip ssh version 2
interface GigabitEthernet1/0/1
interface GigabitEthernet1/0/24
interface Vlan1
description ***Default VLAN not to be used***
no ip address
no ip route-cache
no ip mroute-cache
shutdown
interface Vlan10
description ****
ip address 10.10.150.11 255.255.255.0
no ip route-cache
no ip mroute-cache
ip default-gateway 10.10.150.1
ip classless
no ip http server
ip http secure-server
logging trap notifications
logging facility local4
logging source-interface Vlan10
logging 10.10.21.8
logging 172.23.1.3
access-list 23 permit 10.10.1.65
snmp-server community transm1t! RO
snmp-server trap-source Vlan10
radius-server host 10.10.1.33 auth-port 1645 acct-port 1646 key 7 090D7E080D37471E48
radius-server host 10.10.1.34 auth-port 1645 acct-port 1646 key 7 08607C4F1D2B551B51
radius-server vsa send accounting
radius-server vsa send authentication
line con 0
exec-timeout 60 0
logging synchronous
line vty 0 4
access-class 23 in
exec-timeout 60 0
logging synchronous
transport input ssh
line vty 5 14
access-class 23 in
no exec
transport input ssh
parser view priv3
secret 5 $1$XSCo$feyS.YaFlakfGYUgKHO/
! Last configuration change at 16:34:56 BST Fri Apr 13 2012
commands interface include shutdown
commands interface include no shutdown
commands interface include no
commands configure include interface
commands exec include configure terminal
commands exec include configure
commands exec include show ip interface brief
commands exec include show ip interface
commands exec include show ip
commands exec include show arp
commands exec include show privilege
commands exec include show interfaces status
commands exec include show interfaces Vlan10 status
commands exec include show interfaces Vlan1 status
commands exec include show interfaces GigabitEthernet2/0/12 status
commands exec include show interfaces GigabitEthernet2/0/11 status
commands exec include show interfaces GigabitEthernet2/0/10 status
commands exec include show interfaces GigabitEthernet2/0/9 status
commands exec include show interfaces GigabitEthernet2/0/8 status
commands exec include show interfaces GigabitEthernet2/0/7 status
commands exec include show interfaces GigabitEthernet2/0/6 status
commands exec include show interfaces GigabitEthernet2/0/5 status
commands exec include show interfaces GigabitEthernet2/0/4 status
commands exec include show interfaces GigabitEthernet2/0/3 status
commands exec include show interfaces GigabitEthernet2/0/2 status
commands exec include show interfaces GigabitEthernet2/0/1 status
commands exec include show interfaces GigabitEthernet1/0/12 status
commands exec include show interfaces GigabitEthernet1/0/11 status
commands exec include show interfaces GigabitEthernet1/0/10 status
commands exec include show interfaces GigabitEthernet1/0/9 status
commands exec include show interfaces GigabitEthernet1/0/8 status
commands exec include show interfaces GigabitEthernet1/0/7 status
commands exec include show interfaces GigabitEthernet1/0/6 status
commands exec include show interfaces GigabitEthernet1/0/5 status
commands exec include show interfaces GigabitEthernet1/0/4 status
commands exec include show interfaces GigabitEthernet1/0/3 status
commands exec include show interfaces GigabitEthernet1/0/2 status
commands exec include show interfaces GigabitEthernet1/0/1 status
commands exec include show interfaces Null0 status
commands exec include show interfaces
commands exec include show configuration
commands exec include show
commands configure include interface GigabitEthernet1/0/1
commands configure include interface GigabitEthernet1/0/2
commands configure include interface GigabitEthernet1/0/3
commands configure include interface GigabitEthernet1/0/4
commands configure include interface GigabitEthernet1/0/5
commands configure include interface GigabitEthernet1/0/6
commands configure include interface GigabitEthernet1/0/7
commands configure include interface GigabitEthernet1/0/8
commands configure include interface GigabitEthernet1/0/9
commands configure include interface GigabitEthernet1/0/10
commands configure include interface GigabitEthernet1/0/11
commands configure include interface GigabitEthernet1/0/12
commands configure include interface GigabitEthernet2/0/1
commands configure include interface GigabitEthernet2/0/2
commands configure include interface GigabitEthernet2/0/3
commands configure include interface GigabitEthernet2/0/4
commands configure include interface GigabitEthernet2/0/5
commands configure include interface GigabitEthernet2/0/6
commands configure include interface GigabitEthernet2/0/7
commands configure include interface GigabitEthernet2/0/8
commands configure include interface GigabitEthernet2/0/9
commands configure include interface GigabitEthernet2/0/10
commands configure include interface GigabitEthernet2/0/11
commands configure include interface GigabitEthernet2/0/12
ntp logging
ntp clock-period 36028961
ntp server 10.10.1.33
ntp server 10.10.1.34
end
Thanks!!!!
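For the conversion asked about in the post above, a sketch that rewrites a `parser view` block as IOS `privilege <mode> level <n>` lines. This is an added example, not part of the original post and not Cisco's own tooling; the function name `view_to_privilege`, the choice of level 3 and the `exclude` line in the sample are assumptions. View `exclude` entries are not translated and are returned separately for manual review.

```python
import re

# Constructed sample: a trimmed copy of the "parser view priv3" block from the
# post (hash replaced by a placeholder, indentation lost as on the page), plus
# one hypothetical "exclude" line to exercise the untranslated case.
SAMPLE_CONFIG = """\
line vty 5 14
access-class 23 in
parser view priv3
secret 5 <hash-removed>
! Last configuration change at 16:34:56 BST Fri Apr 13 2012
commands interface include shutdown
commands interface include no shutdown
commands interface include no
commands configure include interface
commands exec include configure terminal
commands exec include configure
commands exec include show ip interface brief
commands exec include show ip interface
commands exec include show ip
commands exec include show interfaces status
commands exec include show
commands exec exclude show running-config
ntp logging
ntp server 10.10.1.33
"""

# commands <mode> {include|exclude} [all] <command string>
_VIEW_CMD = re.compile(r"^commands\s+(\S+)\s+(include|exclude)\s+(all\s+)?(\S.*)$")


def view_to_privilege(config_text, view_name, level):
    """Translate one parser view into 'privilege' lines.

    Returns (privilege_lines, skipped), where skipped holds the view lines
    that were not translated (the 'exclude' entries).
    """
    if not 2 <= level <= 14:
        raise ValueError("expected a custom privilege level between 2 and 14")

    lines, skipped, seen = [], [], set()
    in_view = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not in_view:
            # Skip everything until the requested view starts.
            in_view = line == f"parser view {view_name}"
            continue
        # The view secret and "!" comments carry no command permissions.
        if not line or line.startswith("!") or line.startswith("secret "):
            continue
        m = _VIEW_CMD.match(line)
        if m is None:
            break  # first line that is not a view sub-command ends the block
        mode, action, all_kw, command = m.groups()
        if action == "exclude":
            skipped.append(line)
            continue
        out = f"privilege {mode} {'all ' if all_kw else ''}level {level} {command.strip()}"
        if out not in seen:  # drop exact duplicates, keep the original order
            seen.add(out)
            lines.append(out)

    if not in_view:
        raise ValueError(f"parser view {view_name!r} not found")
    return lines, skipped


if __name__ == "__main__":
    converted, needs_review = view_to_privilege(SAMPLE_CONFIG, "priv3", 3)
    print("\n".join(converted))
    for entry in needs_review:
        print("! review manually:", entry)
```

Users of the converted switches would then need a privilege level from RADIUS in the same form as the `shell:priv-lvl=15` pair shown in the post, and each generated line has to be checked against what the 2955 image actually accepts.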

DBelt --
Hopefully this example suffices.
Setup
SQL> CREATE USER test IDENTIFIED BY test;
User created.
SQL> GRANT CREATE SESSION TO test;
Grant succeeded.
SQL> GRANT CREATE PROCEDURE TO test;
Grant succeeded.
SQL> CREATE ROLE test_role;
Role created.
SQL> GRANT CREATE SEQUENCE TO test_role;
Grant succeeded.
SQL> GRANT test_role TO test;
logged on as Test
SQL> CREATE OR REPLACE PACKAGE definer_rights_test
  2  AS
  3          PROCEDURE test_sequence;
  4  END definer_rights_test;
  5  /
Package created.
SQL> CREATE OR REPLACE PACKAGE BODY definer_rights_test
  2  AS
  3          PROCEDURE test_sequence
  4          AS
  5          BEGIN
  6                  EXECUTE IMMEDIATE 'CREATE SEQUENCE test_seq';
  7          END;
  8  END definer_rights_test;
  9  /
Package body created.
SQL> CREATE OR REPLACE PACKAGE invoker_rights_test
  2  AUTHID CURRENT_USER
  3  AS
  4          PROCEDURE test_sequence;
  5  END invoker_rights_test;
  6  /
Package created.
SQL> CREATE OR REPLACE PACKAGE BODY invoker_rights_test
  2  AS
  3          PROCEDURE test_sequence
  4          AS
  5          BEGIN
  6                  EXECUTE IMMEDIATE 'CREATE SEQUENCE test_seq';
  7          END;
  8  END invoker_rights_test;
  9  /
Package body created.
SQL> EXEC definer_rights_test.test_sequence;
BEGIN definer_rights_test.test_sequence; END;
ERROR at line 1:
ORA-01031: insufficient privileges
ORA-06512: at "TEST.DEFINER_RIGHTS_TEST", line 7
ORA-06512: at line 1
SQL> EXEC invoker_rights_test.test_sequence;
PL/SQL procedure successfully completed.
SQL> SELECT test_seq.NEXTVAL from dual;
             NEXTVAL
                   1

Similar Messages

  • Role-based view commands missing from config

    Hi All,
    I set up a 2960G with IOS 12.2(44)SE6 and created a role-based view to be used by our helpdesk.  One of the things they need to do is add rules to a MAC ACL on the switch.  I've successfully created a view for them and can include and exclude most commands, however, when I try to include the "commands mac-enacl include all permit" command, I get no syntax error, and there is no line in my configuration reflecting the change. As it stands, from the helpdesk view (named smco) I can get into mac acl configuration mode, but I can't issue any of the sub commands.
    Any advice would be greatly appreciated.  I tried upgrading to 12.2(55)SE and had the same result.
    The current configuration for the parser view is as follows:
    parser view smco
    secret 5 hashed_pw
    commands configure include mac access-list extended
    commands configure include all mac access-list
    commands configure include mac
    commands exec include configure terminal
    commands exec include configure

    After I issue the command "commands mac-enacl include all permit" there is no line in my startup or running configuration that says: "commands mac-enacl include all permit" or anything that closely resembles that.
    I've tested with multiple local accounts.  After authenticating, I issue the "enable view smco".

  • Portal and role based access

    We have a requirement to provide role based access to our portal. Employees require full portal access, partners require access to specific applications and resources, while guests should be provided access only to the Internet. People suggested SSL VPN from vendors like Array Networks, Juniper, Portwise etc.
    We are trying to kind of use our portal as a web VPN. Also we wanted to use strong access control.... Are there any ideas other than using SSL VPN's.
    -thanks

    1. You can configure your portal on HTTPS (SSL). That keeps it on secure SSL layer.
    2. Have SSO to distinguish between authenticated_users (logged in users like your employees, partners, etc) and un-authenticated_users (Guest).
    3. Use Groups for translating roles for your users. i.e., Make Groups for your users based on what you called as roles in your message.
    4. Assign access privileges available in portals for pages and portal objects according to your needs to these Groups.
    I don't think VPN will be needed when you are having an extranet-portal (as you hinted internet for guests).
    You can have a darn strong access control using this mechanism.
    hope that helps!
    AMN

  • AAA and Role based access (NPS)

    Hi
    I authenticate all my cisco switches and routers with AAA + NPS + AD
    A server runs NPS service with cisco attribute shell:priv-lvl=15 or 5, depending on AD group.
    But I'd like to configure role based with IOS view.
    When I issue the enable view command,  I get
    Password:
    I tried with my AD password, enable configured password, and always get
    % Authentication failed
    My line vty config
    line vty 0 4
    authorization exec VTY-AAA
    login authentication VTY-AAA
    transport input ssh

    Have you gone through the below listed parser view configuration example. Please check here
    View authentication is performed by an external authentication server via the new attribute "cli-view-name" so you need to use cisco-av-pair as cli-view-name=xxxx
    AAA authentication associates only one view name to a particular user; that is, only one view name can be configured for a user in an authentication server.
    In case you still have any issues, run debug parser view and share the output, I'll try to help.
    ~BR
    Jatin Katyal
    **Do rate helpful posts**

  • OBIEE SSO enabling and role based reporting

    Hi,
    I had installed SOA10.1.3.1.0 and OBIEE10.1.3.4.0 already on my WINDOWS. I understand that I need to install 10.1.4 infrastructure to enable SSO in OBIEE, can you please tell me what is 10.1.4 infrastructure? Is it equivalent to Oracle Identity Management Infrastructure and Oracle Identity Federation 10.1.4? I tried to download this from OTN since last night, but the page is always inaccessible. Where can I download 10.1.4 infrastructure except otn?
    I have another question regarding the role based reporting with SSO. We want users to see different reports based on their roles once they login. What options do we have to implement this? From my understanding, we need to maintain a user role mapping table in our database, create groups in OBIEE and map the user role with the group in OBIEE? Is it true? Are there other options? Is there an existing product we can use to implement this?
    Thanks,
    Meng

    have a look on page 137 and further http://download.oracle.com/docs/cd/E10415_01/doc/bi.1013/b31770.pdf

  • Difference between ID and Role based Administration - Firefighter 5.3

    In GRC AC 5.3 Firefighter, security guide, there are two sections for role design,
    1. Firefighter Role based Administration
    2. Firefighter ID based Administration
    Can someone explain what is the difference between the two?
    I have read the documentation, but it does not have a clear description of the
    differences between the two.
    Please help.
    Thanks

    HI Prakash,
    Though both of them eventually achieve the same function, that is giving access rights to the user for a certain period under monitoring, these differ based on the following:
    1. Firefighter Role based Administration
    You identify a particular role as a firefighter role and give it to the user.
    2. Firefighter ID based Administration
    You create a separate user altogether and give the normal dialog user, the access to this user's authorization.
    For the implication that both of these have and the differences or comparisons between using 1 & 2, I would suggest you do a bit of Mock testing for both of these. Also, there are a lot of posts related to this on the forum already, which you can refer to, for getting a more detailed idea on this topic. Ultimately, it depends on organization to organization which methodology they follow as per what suits them, according to features which both have. But generally what is preferred is Number 2.
    Regards,
    Hersh.

  • System Privileges, Object Privileges and Roles in Oracle 10g r2

    Hello,
    I am looking for a comprehensive details about each and every role, privileges(both object and system) that are available in standard Oracle EE 10g r2.
    I have visited administrator reference manual and other documents from docs.oracle.com but could not find this information.
    Can anyone redirect me to an appropriate URL or documentation that details whats and hows of each and every roles and privileges?
    Thanks,
    R

    Rich V wrote:
    Hello,
    I am looking for a comprehensive details about each and every role, privileges(both object and system) that are available in standard Oracle EE 10g r2.
    I have visited administrator reference manual and other documents from docs.oracle.com but could not find this information.
    Can anyone redirect me to an appropriate URL or documentation that details whats and hows of each and every roles and privileges?
    Thanks,
    R

    Hi, you can use dba_role_privs, role_sys_privs views, for more information see
    http://download.oracle.com/docs/cd/B19306_01/network.102/b14266/admusers.htm
    http://www.cuddletech.com/articles/oracle/node36.html

  • ValidTo and ValidFrom for privileges and roles (since SP2) - no effect

    Hi IDM Community,
    has anybody tried the new functionality that you can enter validfrom and validto values for role assignments and privilege assignments in business roles?
    In my case I can define these values in a workflow but I don't see any effect. There are no values for these attributes written to the database. I think that normally there should be some MX_PENDING_VALUE objects created in which the validfrom, validto should be stored. But nothing happens. When I define a validfrom, validto value for a privilege in a business role and submit the change and view the details of the role again there is no validto or validfrom assigned for this privilege.
    Has anybody encountered the same problem?
    BR
    Jörn Kaplan

    Hello,
    I am testing the abap -- initial load (SP2)"WriteABAPUsersRolePrivilegeAssigments"-pass with the ValidTo and ValidFrom and the  "sap_getTimeDependentPrivilege"- Jscript. 
    There is always an error:
    "putNextEntry failed storingXXXXXXX
    Exception from Modify operation:java.lang.IllegalArgumentException: Entry does not exist - entry: XXXXXXX
    The logonuid XXXXXXX is stored in sap%$rep.$NAME%roleAssign and sap%$rep.$NAME%role.
    SP1 is running!
    But I don't want to lose TimeDependentPrivilege like in Initial Load (SP1)
    Who can help me?
    BR Chris

  • Users, privileges and roles problem!

    Hi everyone,
    I am using oracle 10.2.0.
    I have a user (dba1) who is the owner of tables in my database. I have connected to sqlplus as sysdba and created the role admin and granted the admin all the privileges.
    SQL> grant all privileges to admin;
    Grant succeeded.
    Then I granted the admin role to the user dba1:
    SQL> grant admin to dba1;
    Grant succeeded.
    I have created another role, sel_role and given that role the privileges to select tables. For example:
    SQL> grant select on kund to sel_role;
    Grant succeeded.
    Now I have created another user, Anton, and have given that user the role sel_role:
    grant sel_role to Anton;
    Grant succeeded.
    Now when I try to log in as anton and try to use the select statement which is given to Anton by sysdba, using the sel_role, to select the table kund, I got an error:
    SQL> connect anton/oracle
    Connected.
    SQL> select * from kund;
    select * from kund
    ERROR at line 1:
    ORA-00942: table or view does not exist
    What could be the solution to this problem?
    Thanks in advance

    Solomon Yakobson wrote:
    Connect as sysdba and issue:
    ALTER USER anton DEFAULT ROLE ALL;
    SY.

    Same problem!
    SQL> alter user anton default role all;
    User altered.
    SQL> connect anton/oracle
    Connected.
    SQL> select * from kund;
    select * from kund
    ERROR at line 1:
    ORA-00942: table or view does not exist

  • Privilege and roles Question

    Hi All
    I did these queries
    SELECT GRANTEE, PRIVILEGE,GRANTABLE FROM DBA_TAB_PRIVS
    WHERE TABLE_NAME='TABLE1' AND GRANTEE IN ('USER1', 'USER_ROLE');
    GRANTEE     PRIVILEGE   GRANTABLE
    USER1       SELECT      NO
    USER1       INSERT      NO
    USER1       DELETE      NO
    USER1       UPDATE      NO
    USER_ROLE   SELECT      YES
    USER_ROLE   INSERT      YES
    USER_ROLE   DELETE      YES
    USER_ROLE   UPDATE      YES
    SELECT 'ROLE' TYP, GRANTEE, GRANTED_ROLE, ADMIN_OPTION FROM DBA_ROLE_PRIVS WHERE GRANTEE ='USER1';
    TYP    GRANTEE   GRANTED_ROLE   ADMIN_OPTION
    ROLE   USER1     CONNECT        NO
    ROLE   USER1     RESOURCE       NO
    ROLE   USER1     USER_ROLE      NO
    My question is since the USER1 is granted the role of USER_ROLE, will it cause conflict to the table privilege?
    Because I can't perform Insert when I'm using USER1. It gives me an error of ORA-01031: insufficient privileges SQL source: ..

    Since you did not mention how you are performing the Inserts/DML's on the TABLE1, and you are facing privileges issues, I presume you are performing it from a PL/SQL Block. However, the privileges acquired via a Role are not valid in Function/Procedure. You need to have explicit privileges to perform an action in Function/Procedure.
    Even without the privilege, you would be able to perform the Inserts/DML's as in static SQL statements that are not contained in PL/SQL blocks.
    Try:
    grant insert on table1 to user1;

  • Privileges and role

    I use CS_ADMIN to login DB, querying its role
    select * from dba_role_privs where grantee = 'CS_ADMIN';
    GRANTEE    GRANTED_ROLE   ADMIN_OPTION   DEFAULT_ROLE
    CS_ADMIN   RESOURCE       NO             YES
    CS_ADMIN   CONNECT        NO             YES
    CS_ADMIN   DBA            NO             YES
    Then I query the DBA'S privilege
    select * from role_sys_privs rsp WHERE rsp.privilege LIKE '%TABLESPACE%' AND rsp.role = 'DBA'
    ROLE   PRIVILEGE
    DBA    DROP TABLESPACE
    DBA    ALTER TABLESPACE
    DBA    CREATE TABLESPACE
    DBA    MANAGE TABLESPACE
    Then, We can know that CS_ADMIN user has DBA role and DBA role can create tablespace
    But I use CS_ADMIN to create a procedure to run statement in the package
    EXECUTE IMMEDIATE 'create tablespace...';
    The procedure will throw an error, ORA-01031: insufficient privileges
    But I can directly run the 'create tablespace...' statement in the command pattern.
    Why?
    Thanks.

    I recommend before you post you always search for the error.
    There have been questions in this forum on this very error really more than a million times, just because most people don't like to put effort in resolving their own issues.
    That said, the cause is always the same: roles are disabled during compilation of pl/sql.
    However, I think creating a tablespace in pl/sql is fundamentally evil, as it makes you lose control over the database.
    Sybrand Bakker
    Senior Oracle DBA

  • Advanced Group Policy Management - On privileges and roles

    Hello!
    We are rolling out AGPM 4.0 SP2.  Seems to work well enough.
    We currently have more than one set of standard permissions.  For example, our Citrix team controls GPOs for Citrix, our Desktop team controls GPOs for desktops, etc.
    Is there no way to delineate this in AGPM?
    My first thought was that I could use PowerShell to rapidly set, and regularly audit and auto-correct these privileges.  True to Group Policy form, there is limited PowerShell support - in this case, none at all.
    My second thought was that templates might include AGPM roles.  So I could say 'Group X has privileges to Template A,' 'Group Y and Z have privileges to Template B,' and so forth.  When I create a template, it would include those permissions.
     Nope.
    I'm all for opening up access, but this might be a tough sell.  Am I the only one who has disparate security boundaries around group policies?  Am I overlooking a solution to this?
    Thanks!
    RCM

    Have you thought about multiple AGPM Servers, one for each group? Each AGPM store could utilize separate standard permissions and control the subset of policies which are within the scope of the group. You can even use Group Policy itself to manage a multiple AGPM Server environment.
    Brandon
    MDOP on the Springboard Series on TechNet

  • Cisco Role based views

    Hello,
    I want to set up the following - a CLI view that will restrict different users when they login using telnet or ssh.
    Now for this I have enabled AAA, and also created two views, one for Guest and one for ADMIN.
    I then have set up secret passwords for each view. Now I want username adam to access view GUEST and username DON to access ADMIN view.
    Is this possible?
    Thanks,

    hi,
    You have the following configured:
    aaa authentication login mgmt group my_radius local
    aaa authorization exec mgmt group my_radius local
    line con 0
    authorization exec mgmt
    logging synchronous
    login authentication mgmt
    line vty 0 4
    authorization exec mgmt
    logging synchronous
    login authentication mgmt
    transport input ssh
    Hence every time you try to login to the console or try the ssh the authentication will head to the radius server because of the following command "login authentication mgmt".
    You cannot make it locally. Whatever defined on the method list mgmt first will be taking the precedence.
    enable secret will be locally defined. But you have the following configured:
    aaa authorization exec mgmt group my_radius local
    line con 0
    authorization exec mgmt
    line vty 0 4
    authorization exec mgmt
    Hence exec mode will also be done via radius server.
    When you configure:
    aaa authentication login VIEW_CONFG local
    line vty 0 4
    login authentication VIEW_CONFG
    You are making the authentication local, hence it is working the way you want.
    In short, whatever authentication is defined 1st on the method list will take precedence. The fallback will be checked only if the 1st aaa server is not reachable.
    Hope this helps.
    Regards,
    Anisha
    P.S.: please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.

  • NxOS and Role Based Authorization

    Guys,
    Basic setup - using the default user admin I login and no problems - commands such as show mod and config changes, no problem: role = network-admin
    I create a user account with the same role as the admin user and I cannot issue the same commands - permission denied?
    Stumped - any ideas what's missing here?
    Thanks

    Out of desperation, I tried combinations of shorter usernames, similar to the admin username
    The result - for whatever reason it seems (I cannot confirm as such) if you use usernames for authentication locally in excess of 8 characters you cannot get full network-admin role privileges
    even though when you do a show user-account, it displays your full username and the correct role.
    It seems almost as if the authentication element works, but the role categorisation seems to fail for whatever reason (what I would call authorisation).
    Feels like a bug to me, anyway putting it on tacacs tomorrow hopefully with different results
    I am running 4.2(1)SV1(4) on an nexus 1000v.  I hope this saves you some time.
    Apologies if this is a known issue or "feature" - but I was not aware of it. 

  • XWS-Security, JAAS and role-based authorization

    What is my best bet to try to authorize users to use certain web services? For example, let's say a user logs into a web application A, who connects to a web application B implementing Web Services and XWSS.
    A passes along the userNameToken, and B authenticates it (let's say, using JAAS). Now it needs to authorize the user to use the actual web service. Can I do this with JAAS? What is the best way to define the policies? Does it mean I have to create PrivilegedActions for every webservice? What are my other alternatives besides JAAS?
    Thanks in advance.

    Alternatively, is there a way to see which web service the client is requesting from the SecurityEnvironmentHandler (callbackHandler)?
