Public/Role Based Lists

Do you know if/how it is possible to create a new role based list and assign that list to multiple roles (keeping the same/identical name)?
For example I want to create a list named Open Opportuntiies. I want to use slightly different criteria and create the same named list for just roles 2 and 3 ... and assign the original one to role 1 only. Can this be done? Seems that the list name must be unique. Is that true?

Hi,
Yes the list name has to be unique. You'll need to create different list names here
Thanks
Oli @ Innoveer

Similar Messages

Columns multipling in Role based lists

This one is really wierd and I am surprised if no one noticed this before. Here it goes:
I create a list on a object ( say Opty) by refining all Opty and save this under name 'All Opty Test' and assign it to role Admin
Then I create another list on same object by refining all Opty and save this under name 'All Opty Test' again and assign it to role Sales Manager
System allows me to save new list with same name as old one. But I see only one list later.
This is not it , I go to 'All Opty Test' list then I see columns duplicated and when I export for visible columns then csv file has few duplicate columns with data value but no header.
If I repeat above step to create third list with same name then columns triplicate.
Anyone faced this before , Any workaround will be appreciated!
thanks
Manny

I would be tempted to put the "revoke" file in a table. If the list of non-readable tables will vary between type of users, then this table should also include a column for the user type. Then, as a sufficiently privileged user, you could create a stored procedure to grant select privileges on the schema objects you want to the roles. Something along the lines of (completely untested code here):
CREATE PROCEDURE granter (p_to_role     IN VARCHAR2,
                          p_table_owner IN VARCHAR2,
                          p_writable    IN VARCHAR2) AS
   l_sql VARCHAR2(4000);
BEGIN
   FOR r IN (SELECT object_name FROM dba_objects
             WHERE owner = p_table_owner and
                   object_type IN ('TABLE', 'VIEW')
             MINUS
             SELECT table_name FROM revoke_file
             WHERE user_type = p_to_role
             MINUS
             SELECT table_name FROM dba_tab_privs
             WHERE grantee = p_to_role) LOOP
      l_sql := 'GRANT SELECT';
      IF UPPER(p_writable) = 'Y' THEN
         l_sql := l_sql||',INSERT,UPDATE,DELETE';
      END IF;
      l_sql := l_sql||' ON '||p_table_owner||'.'||r.table_name||' TO '||p_to_role;
      EXECUTE IMMEDIATE l_sql;
   END LOOP;
END;You could easily modify this to revoke already granted privileges if a previoulsy allowed table is moved to the revoke file. This procedure would also need to be re-run any time new tables were added to the application
In order to see the text of stored procedures, the role would need select privileges on the dba_source view.
In terms of system privileges, the user (or the role) should only have CREATE SESSION privilege. This allows them to connect to the database but nothing else.
HTH
John

Role Based Access problem in forms

This would be a long reading.
I'm having a problem with forms Role Based Access.
We have two databases, one in London and one in Zurich. We have installed
application server and oracle forms on London database. We have implemented
Role Based Access to forms. For this we have created a database role (say ZUR_USER)
in both databases. The view FRM50_ENABLED_ROLES which is used by forms role based access control
is also created in both databases with a 'grant select to public'.
Our form system has a menu and forms under that menu. Both menu and the underlying forms have been
assigned Menu Security/Item Roles to the above mentioned ZUR_USER role and the role is assigned
to various users.
Now a Zurich user is trying to login to Zurich database using the URL for forms installation
in London server. He can login successfully and can see the menu heading in the main screen but
when he clicks the menu he doesn't see the underlying forms list.
When we try the same user id and database from London (using the same URL) we see all the forms.
Any idea what are we missing. The Menu Security is setup at menu level as well as the form level under
that menu. User can see the menu but not the form under that menu from Zurich. No such problem while
login from London.

I'm using the Forms 10g
and yes the only difference is between login from Zurich and London.
Problem definitely is due to Role Based Access setup.
The user in Zurich can see the Menu but not the items under that menu.
I have set the security set up at both menu and menu item(i.e. form name) level.

Error in Role Based security using weblogic 9

Hi All,
Currently I am working with Weblogic Server 9. I am trying to use role based security. Below is the entries for web.xml.
<security-constraint>
     <web-resource-collection>
          <web-resource-name>Success</web-resource-name>
          <url-pattern>/form.jsp</url-pattern>
          <http-method>GET</http-method>
          <http-method>POST</http-method>
     </web-resource-collection>
     <auth-constraint>
          <role-name>admin</role-name>
     </auth-constraint>
     <user-data-constraint>
<transport-guarantee>INTEGRAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
<login-config>
     <auth-method>BASIC</auth-method>
     <realm-name>myrealm</realm-name>
</login-config>
<security-role>
     <role-name>admin</role-name>
</security-role>
When I am calling form.jsp from the browser it is asking for the username and password, but after giving the username and password it is showing the followig error:
Error 403--Forbidden
From RFC 2068 Hypertext Transfer Protocol -- HTTP/1.1:
10.4.4 403 Forbidden
The server understood the request, but is refusing to fulfill it. Authorization will not help and the request SHOULD NOT be repeated. If the request method was not HEAD and the server wishes to make public why the request has not been fulfilled, it SHOULD describe the reason for the refusal in the entity. This status code is commonly used when the server does not wish to reveal exactly why the request has been refused, or when no other response is applicable.
So can any one provide me the solution for the above problem.
Thanks in advance.
By,
Sandip Pradhan

Here is a blog post for the backend (WebLogic Admin GUI) http://disaak.blogspot.com/2009/11/migrating-to-weblogic-configure-role.html and a blog post for the web.xml in your project http://disaak.blogspot.com/2009/11/migrating-to-weblogic-configure-ear.html.

Role-Based CLI Views with AAA method

Hi,
I'm configuring Role-Based CLI Views on a router for limiting access to users.
My criteria:
- There should be a local user account on the router that has the view 'service' attached to it
- If the router is online and can reach the radius server, people in the correct group are assigned the view 'service'
My configuration:
aaa new-model
enable secret 1234
username service view service secret 1234
aaa group server radius my_radius
server-private 10.1.1.1 auth-port 1645 acct-port 1646 timeout 3 retransmit 2 key 0 1234
server-private 10.1.1.2 auth-port 1645 acct-port 1646 timeout 2 retransmit 1 key 0 1234
aaa authorization console
aaa authentication login mgmt group my_radius local
aaa authorization exec mgmt group my_radius local
line con 0
authorization exec mgmt
logging synchronous
login authentication mgmt
line vty 0 4
authorization exec mgmt
logging synchronous
login authentication mgmt
transport input ssh
The ERROR
Now I want to go configure the cli view 'service'...
# enable view
Password: 1234
*Jun 1 08:00:02.991: AAA/AUTHEN/VIEW (0000000D): Pick method list 'mgmt'
*Jun 1 08:00:02.991: RADIUS/ENCODE(0000000D): ask "Password: "
*Jun 1 08:00:02.991: RADIUS/ENCODE(0000000D): send packet; GET_PASSWORD
*Jun 1 08:00:21.011: RADIUS: Received from id 1645/13 10.1.1.1:1645, Access-Reject, len 20
The Questions
Why does the 'enable view' try to pick a method list when you have to supply the enable secret to access the root view?
Can you change this behaviour to always use the enable secret?
The TEMP Solution
If you're logged on to the router via telnet or SSH, the solution or workaround to this issue is:
aaa authentication login VIEW_CONFG local
line vty 0 4
login authentication VIEW_CONFG
Do your configuration of the view and re-configure the line to use the correct (wanted) method of authentication.
Thanks so much for the suggestions
/JZN

hi,
You have the following configured:
aaa authentication login mgmt group my_radius local
aaa authorization exec mgmt group my_radius local
line con 0
authorization exec mgmt
logging synchronous
login authentication mgmt
line vty 0 4
authorization exec mgmt
logging synchronous
login authentication mgmt
transport input ssh
Hence every time you try to login to the console or try the ssh the authentication will head to the radius server because of the following command "login authentication mgmt".
You cannot make it locally. Whatever defined on the method list mgmt first will be taking the precedence.
enable seceret will be locally defined. but you have the following configured:
aaa authorization exec mgmt group my_radius local
line con 0
authorization exec mgmt
line vty 0 4
authorization exec mgmt
Hence exec mode will also be done via radius server.
when you configure:
aaa authentication login VIEW_CONFG local
line vty 0 4
login authentication VIEW_CONFG
You are making the authentication local, hence it is working the way you want.
In short, whatever authentication is defined 1st on the method list will take precendence. the fallback will be checked only if the 1st aaa server is not reachable.
Hope this helps.
Regards,
Anisha
P.S.: please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.

Duet Enterprise 1.0 SP2 - SAP Role based authantication

Hi All,
We have implemented Duet Enterprise 1.0 SP2 in our landscape. Now we try to implement SAP Role based authantication.
But don't know which role to assign for which authorisation. In my scenario i have created 2 users. For one user i want to have only read access to all lists (Contact, Employee, etc) and for another user i want to have all acess (read, write, modify, delete) on all lists available at sharepoint.
Can someone help me to tell what roles (template) need to assign for what operation.
Which roles i do assign to user in SAP that which ristrict users access at Sharepoint.
Thanks & Regards
Virender Solanki
09818316550

Hi Binson,
I want to ristrict the crude operation (create, update etc) by giving roles in backend system. i am able to apply restriction at sharepoint end but i don't want that. i want SAP role based security.
So i want, according to given roles in backend system user is able to do operations at sharepoint.
Thanks & Regards
Virender Solanki

OIM 11.1.1.5 provisioning role based objectclasses and attributes

TL;DR You can't provision some attributes in our LDAP directory without the objectclass and I can't figure out the best way to inject the dynamic objectclasses into the create user process without the user being created already.
Some background:
I have configured our oim 11.1.1.5 instance and LDAP connector to provision ODSEE. At another's recommendation, I put all possible LDAP attributes in a single form regardless of which objectclass was needed for them. In ODSEE, sets of attributes are allowed through objectclasses for each 'Role'. ie. Student, Employee, Guest, etc objectclasses. I have all of the roles identified in OIM and can map them to an objectclass in LDAP
My question is, how can I provision role based objectclasses along with the common ones that are configured in the lookup so that when the associated attributes are provisioned, I don't get objectclass violations?
Can I append objectclasses to the list stored in the Configuration lookup in ldapUserObjectClass?
Should I create a child form containing the objectclasses and try to provision them?
Can/should I create a child form for each set of attributes by role? Common attribs in the LDAP_USR form and role based attribs in UD_LDAP_STU, UD_LDAP_EMP, UD_LDAP_GST, etc. Would prepop and the rest of the main form functions work the same?
Anything else I'm not thinking of? I am still a novice with some of these topics and may be way off base.
Any help will be greatly appreciated and thank you in advance

It is definitely doable if you use a custom LDAP connection implementation and just add objectclass update calls as needed as precursor tasks for the Update tasks.
Here is a small LDAP demo tool that you can adapt to do the update: http://iamreflections.blogspot.com/2010/08/manage-ad-with-jndi-demo-tool.html
There may be a smarter and more out of the box way to do it but this will work.
Martin

Does "Access Enforcer" only support "role" based SOD analyse?

Hi Expert,
In the demo script, when the user create the "Access Request Form", he can choose the "Role" he wanted from "Select roles" list, I'm just wondering whether each role here is corresponding to the role in the backend system? for example,
If I choose role "Z_AP_ACCOUNTANT" actualy at that time there is a role called "Z_AP_ACCOUNTANT" already in the backend system if the system is a SAP ECC system.
Another question is, if so, does that mean it can only support "Role" based SOD analyse? as you know, each role may contain several "authorization objects", can it be done from "authorization object" level?
Thanks and best regards.

Hi,
The Roles are normally determined based on the SOD.Using T/code:PFCG the roles are mapped to the system.These Roles are common to all the system,regardless of R3,Virsa etc.
The roles also can be determined without SOD [but this is not recommended.].
The SOD is only to ensure that there exist no internal control weaknesses while creating the Roles at an organizational level.Thus it is only an excercise outside the System,be it SAP,Virsa or else.
At the system level we map only the roles [ using :PFCG].We dont map SOD here.So,SOD or No SOD,the system supports the Roles.
Hope this helps.
Regards,
Ramesh.

Public role in Rooms

Hi everybody,
I want to know if the collaboration rooms works as it follows:
If you use the role public and you create a public room the user that gets in will have the initial role, however if the room is set full access the user will get the public role.
In short,
Room with Full Access = Public Role
Room without Full Access = Initial Role
Is this ok?
If this is correct, is there anyway to set full access automatically?programmatically?
Thanks in advance.

Hi,
don't confuse the room role named "public" with the room access type "public".
A public room works in this way: Everybody can enter the room and gets member of the room automatically. Automatically the initial room role (e.g. Member) is assigned to him.
With the room role pubic you define the public content of a room. This is content which can be accessed without being member of the room. Normally public room content only makes sense for restricted rooms. (because private rooms are not listed for non-members and public rooms are public anyway).
Regards,
Sascha

Xml form...editing on role based

Hi ,
I want to put edit button in show form which is generated by xml form builder. but the problem is , this button should work on role based. Is this possible....?
regadrs
Ram

Hi Ram,
> searched for proxy iview but couldnt find detail documentation
There is no "detailed documentation" (there is in the meantime, my slides from TechEd 2006; but these are not public, I think). Anyhow, you can find a short description more than one time here in the forum, I'll repeat it once again:
Implement an AbstractPortalComponent, implement an empty doContent method, overwrite doOnNodeReady, and at the end of this method call <i>request.redirect(...)</i> with the navigation component (com.sap.km.cm.navigation, you can get this from the KM URLGenerator) as the new target, passing the component parameters as URL parameter (so, among others, "rndLayoutSet=YourLayoutSet1" or the second, dependent on the role the user has got, which is the logic to be implemented in your method). The isloation level of the iView built out of this component must be URL isolated (otherwise the redirect does not work).
Hope it helps
Detlev
PS: Please consider rewarding points for helpful answers on SDN. Thanks in advance!

Role-based view commands missing from config

Hi All,
I set up a 2960G with IOS 12.2(44)SE6 and created a role-based view to be used by our helpdesk. One of the things they need to do is add rules to a MAC ACL on the switch. I've successfully created a view for them and can include and exclude most commands, however, when I try to include the "commands mac-enacle include all permit" command, I get no syntax error, and there is no line in my configuration reflecting the change. As it stands, from the helpdesk view (named smco) I can get into mac acl configuration mode, but I can't issue any of the sub commands.
Any advice would be greatly appreciated. I tried upgraded to 12.2(55)SE and had the same result.
The current configuration for the parser view is as follows:
parser view smco
secret 5 hashed_pw
commands configure include mac access-list extended
commands configure include all mac access-list
commands configure include mac
commands exec include configure terminal
commands exec include configure

After I issue the command "commands mac-enacl include all permit" there is no line in my startup or running configuration that says: "commands mac-enacl include all permit" or anything that closely resembles that.
I've tested with multiple local accounts. After authenticating, I issue the "enable view smco".

RoleEntityACL|Role Access List | no values, guest and authenticated not shown

All,
I enabled RoleEntityACL from configuration manager. Role access list field shows up, but when I type **, there are no values at all. Not even guest and authenticated, OOTB values.
I added UseEntitySecurity=true, I am able to see add Users and Groups when i type ** in the input field.
Any pointers here?
Thanks
~

Srinath,
I need to see the guest and authenticated values by default after enabling the "RoleEntityACL". Am i missing something here. I have Roles text box enabled, but it is not giving any values even if type **, g or a.
If i get those values, i can go to configuration manager applet and then add more values.
However, I did all those u mentioned. Added a new role in ExternalRoleView, Published Schema and Schema Base. Restarted UCM server. But i see null results.
In General Configuration:
UseEntitySecurity=true
SpecialAuthGroups=TestGroup,Public
In Advanced Component Manager:
Enabled RoleEntityACL.
I am able to add users and groups(aliases) in the access control list at the folder level. but not any roles. Am i missing something here?

Privileges and Roles Based Views

Hello,
I have been confguring Roles based Views with Windows radius authentication on our 2960's and 3750's and it is working great. I have 2 users, one with a Roles Base View called "priv3" and the other is for admins of login as the "root" view. I have one Windows Active Directory group for "priv3" users and the other for admins using "root".
Now I have to configure this on our 2955 switches and to my horror they don't seem to support Roles Based Views!! fI you know if they can then all this would be solved, I've using the latest IOS c2955-i6k2l2q4-mz.121-22.EA13.bin.
How can convert the Roles Base Views to privileges and use radius and not effect the other switches,as I've never used privilges.
I hope someone can help with the config:
Below is the config I use on the 2960's and 3750's and also what I use on the radius servers. I guess I would need ot use a priv 15 setup and a custom view called priv3?
Priv3 radius user settings
cisco av-pair cli-view-name=priv3
Priv 15 or root user settings
cisco av-pair shell:priv-lvl=15
cisco av-pair shell:cli-view-name=root
Config:
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname 3750
boot-start-marker
boot-end-marker
logging buffered 64000
logging console informational
logging monitor informational
enable secret 5 $1$1UGK$kHB.S2UwMVXaG3C0
username admin privilege 15 secret 5 $1$BsaS$cLHllovL2ZFb1
username priv3users view priv3 secret 5 $1$JfnH$vUu.B.natnyB.
aaa new-model
aaa authentication login default group radius local
aaa authentication enable default line
aaa authorization console
aaa authorization exec default group radius local
aaa session-id common
clock timezone GMT 0
clock summer-time BST recurring last Sun Mar 2:00 last Sun Oct 3:00
switch 1 provision ws-c3750g-12s
switch 2 provision ws-c3750g-12s
system mtu routing 1500
udld aggressive
no ip domain-lookup
ip domain-name CB-DI
login on-failure log
login on-success log
crypto pki trustpoint TP-self-signed-3817403392
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3817403392
revocation-check none
rsakeypair TP-self-signed-3817403392
crypto pki certificate chain TP-self-signed-3817403392
certificate self-signed 01
removed
quit
archive
log config
logging enable
logging size 200
notify syslog contenttype plaintext
hidekeys
spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree vlan 10 priority 8192
vlan internal allocation policy ascending
ip ssh version 2
interface GigabitEthernet1/0/1
interface GigabitEthernet1/0/24
interface Vlan1
description ***Default VLAN not to be used***
no ip address
no ip route-cache
no ip mroute-cache
shutdown
interface Vlan10
description ****
ip address 10.10.150.11 255.255.255.0
no ip route-cache
no ip mroute-cache
ip default-gateway 10.10.150.1
ip classless
no ip http server
ip http secure-server
logging trap notifications
logging facility local4
logging source-interface Vlan10
logging 10.10.21.8
logging 172.23.1.3
access-list 23 permit 10.10.1.65
snmp-server community transm1t! RO
snmp-server trap-source Vlan10
radius-server host 10.10.1.33 auth-port 1645 acct-port 1646 key 7 090D7E080D37471E48
radius-server host 10.10.1.34 auth-port 1645 acct-port 1646 key 7 08607C4F1D2B551B51
radius-server vsa send accounting
radius-server vsa send authentication
line con 0
exec-timeout 60 0
logging synchronous
line vty 0 4
access-class 23 in
exec-timeout 60 0
logging synchronous
transport input ssh
line vty 5 14
access-class 23 in
no exec
transport input ssh
parser view priv3
secret 5 $1$XSCo$feyS.YaFlakfGYUgKHO/
! Last configuration change at 16:34:56 BST Fri Apr 13 2012
commands interface include shutdown
commands interface include no shutdown
commands interface include no
commands configure include interface
commands exec include configure terminal
commands exec include configure
commands exec include show ip interface brief
commands exec include show ip interface
commands exec include show ip
commands exec include show arp
commands exec include show privilege
commands exec include show interfaces status
commands exec include show interfaces Vlan10 status
commands exec include show interfaces Vlan1 status
commands exec include show interfaces GigabitEthernet2/0/12 status
commands exec include show interfaces GigabitEthernet2/0/11 status
commands exec include show interfaces GigabitEthernet2/0/10 status
commands exec include show interfaces GigabitEthernet2/0/9 status
commands exec include show interfaces GigabitEthernet2/0/8 status
commands exec include show interfaces GigabitEthernet2/0/7 status
commands exec include show interfaces GigabitEthernet2/0/6 status
commands exec include show interfaces GigabitEthernet2/0/5 status
commands exec include show interfaces GigabitEthernet2/0/4 status
commands exec include show interfaces GigabitEthernet2/0/3 status
commands exec include show interfaces GigabitEthernet2/0/2 status
commands exec include show interfaces GigabitEthernet2/0/1 status
commands exec include show interfaces GigabitEthernet1/0/12 status
commands exec include show interfaces GigabitEthernet1/0/11 status
commands exec include show interfaces GigabitEthernet1/0/10 status
commands exec include show interfaces GigabitEthernet1/0/9 status
commands exec include show interfaces GigabitEthernet1/0/8 status
commands exec include show interfaces GigabitEthernet1/0/7 status
commands exec include show interfaces GigabitEthernet1/0/6 status
commands exec include show interfaces GigabitEthernet1/0/5 status
commands exec include show interfaces GigabitEthernet1/0/4 status
commands exec include show interfaces GigabitEthernet1/0/3 status
commands exec include show interfaces GigabitEthernet1/0/2 status
commands exec include show interfaces GigabitEthernet1/0/1 status
commands exec include show interfaces Null0 status
commands exec include show interfaces
commands exec include show configuration
commands exec include show
commands configure include interface GigabitEthernet1/0/1
commands configure include interface GigabitEthernet1/0/2
commands configure include interface GigabitEthernet1/0/3
commands configure include interface GigabitEthernet1/0/4
commands configure include interface GigabitEthernet1/0/5
commands configure include interface GigabitEthernet1/0/6
commands configure include interface GigabitEthernet1/0/7
commands configure include interface GigabitEthernet1/0/8
commands configure include interface GigabitEthernet1/0/9
commands configure include interface GigabitEthernet1/0/10
commands configure include interface GigabitEthernet1/0/11
commands configure include interface GigabitEthernet1/0/12
commands configure include interface GigabitEthernet2/0/1
commands configure include interface GigabitEthernet2/0/2
commands configure include interface GigabitEthernet2/0/3
commands configure include interface GigabitEthernet2/0/4
commands configure include interface GigabitEthernet2/0/5
commands configure include interface GigabitEthernet2/0/6
commands configure include interface GigabitEthernet2/0/7
commands configure include interface GigabitEthernet2/0/8
commands configure include interface GigabitEthernet2/0/9
commands configure include interface GigabitEthernet2/0/10
commands configure include interface GigabitEthernet2/0/11
commands configure include interface GigabitEthernet2/0/12
ntp logging
ntp clock-period 36028961
ntp server 10.10.1.33
ntp server 10.10.1.34
end
Thanks!!!!

DBelt --
Hopefully this example suffices.
Setup
SQL> CREATE USER test IDENTIFIED BY test;
User created.
SQL> GRANT CREATE SESSION TO test;
Grant succeeded.
SQL> GRANT CREATE PROCEDURE TO test;
Grant succeeded.
SQL> CREATE ROLE test_role;
Role created.
SQL> GRANT CREATE SEQUENCE TO test_role;
Grant succeeded.
SQL> GRANT test_role TO test;
logged on as Test
SQL> CREATE OR REPLACE PACKAGE definer_rights_test
2 AS
3          PROCEDURE test_sequence;
4 END definer_rights_test;
5 /
Package created.
SQL> CREATE OR REPLACE PACKAGE BODY definer_rights_test
2 AS
3          PROCEDURE test_sequence
4          AS
5          BEGIN
6                  EXECUTE IMMEDIATE 'CREATE SEQUENCE test_seq';
7          END;
8 END definer_rights_test;
9 /
Package body created.
SQL> CREATE OR REPLACE PACKAGE invoker_rights_test
2 AUTHID CURRENT_USER
3 AS
4          PROCEDURE test_sequence;
5 END invoker_rights_test;
6 /
Package created.
SQL> CREATE OR REPLACE PACKAGE BODY invoker_rights_test
2 AS
3          PROCEDURE test_sequence
4          AS
5          BEGIN
6                  EXECUTE IMMEDIATE 'CREATE SEQUENCE test_seq';
7          END;
8 END invoker_rights_test;
9 /
Package body created.
SQL> EXEC definer_rights_test.test_sequence;
BEGIN definer_rights_test.test_sequence; END;
ERROR at line 1:
ORA-01031: insufficient privileges
ORA-06512: at "TEST.DEFINER_RIGHTS_TEST", line 7
ORA-06512: at line 1
SQL> EXEC invoker_rights_test.test_sequence;
PL/SQL procedure successfully completed.
SQL> SELECT test_seq.NEXTVAL from dual;
             NEXTVAL
                   1

AAA and Role based access (NPS)

Hi
I authenticate all my cisco switches and routers with AAA + NPS + AD
A server runs NPS service with cisco attribute shell:priv-lvl=15 or 5, depending of AD group.
But I'd like configure role based with IOS view.
When I issue the enable view command, I get
Password:
I tried with my AD password, enable configurated password, and always gets
% Authentication failed
Mi line vty config
line vty 0 4
authorization exec VTY-AAA
login authentication VTY-AAA
transport input ssh

Have you gone through the below listed parser view configuration example. Please check here
View authentication is performed by an external authentication server via the new attribute "cli-view-name" so you need to use cisco-av-pair as cli-view-name=xxxx
AAA authentication associates only one view name to a particular user; that is, only one view name can be configured for a user in an authentication server.
In case you still have any issues, run debug parser view and share the output, I'll try to help.
~BR
Jatin Katyal
**Do rate helpful posts**

To run OHS at port 80 using solaris role based access control

Hi.
I already know & have done setuid root to ohs/bin/.apachectl to allow ohs to listen to port 80. Now on a new OFM 11.1.1.4 install, I want to use Solaris Role Based Access Control (RBAC) instead. Is it possible? RBAC does work as I can run a home built apache2 httpd at port 80 withOUT suid root.
On Solaris 10, I enabled oracle uid to run process below port 1024 using RBAC
/etc/user_attr:
oracle::::type=normal;defaultpriv=basic,net_privaddr
Change OHS httpd.conf Listen from port 8888 to port 80.
However, opmnctl startproc process-type=OHS
failed as below with nothing showing in the diag logs:
opmnctl startproc: starting opmn managed processes...
================================================================================
opmn id=truffle:6701
0 of 1 processes started.
ias-instance id=asinst_1
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
ias-component/process-type/process-set:
ohs1/OHS/OHS/
Error
--> Process (index=1,uid=187636255,pid=25563)
failed to start a managed process after the maximum retry limit
Thx,
Ken

Just to add my two cents here.
The commando used on Solaris to assign the right privilege to bind TCP ports < 1024 is:
# usermod -K defaultpriv=basic,*net_privaddr* <your_user_name>
Restart the opmnctl daemond.
After that OHS/Apache user can bind to lower TCP ports.
Regards.
Edited by: Tuelho on Oct 9, 2012 6:05 AM

Public/Role Based Lists

Similar Messages

Maybe you are looking for