Renumbering with ACL-Friendly Role-Based Addressing or...?

Similar Messages

• What is the mean of using Portal with Role Based security as entry point

  Hi Experts we have requirement of integration of Portal and MDM
  I am completely new to the MDM. So please give me some idea , what is the meanin for following points.
  1) Using the Portal with Role Based security as entry point for capacity and Routing Maintaince(These two are some modules).
  2) Additionally , Portal should have capability to enter in to the MDM for future master data maintence. Feeds of data will need to be come from  SAP 4.6c
  Please give me the clarity of what is the meanin of second point
  Regards
  Vijay

  Hi
  It requires the entire land scape like EP server and MDM server both should be configured in SLD.
  Your requirement is maintaing and updating the MDM data with Enterprise portal.We have some Business Packages to install in Portal inorder to access the functionality of MDM.
  Portal gives you a secure role based functionality of MDM through Single sign on (login into the portal access any application) to their end users.
  Please go through this link
  http://help.sap.com/saphelp_mdmgds55/helpdata/EN/45/c8cd92dc7f4ebbe10000000a11466f/frameset.htm
  You need to develope some custom applications which should be integrated into the portal to access MDM Server master data
  The estimation involves as per your requirement clearly
  Its depends upon the Landscape settings, Requirement complexity,Identify how many number of custom applications need to be developed
  Regards
  Kalyan

• Role Based FireFighter with GRC 10.0 (CEA)

  Does anyone know how the Role Based functionality of FireFighter exactly works besides putting the application type parameter to Role Based in SPRO?
  The manuals explain that the FF users log in to the remote system with their own users, but how are the FF roles or roles that are enabled for Firefighting assigned to these users and how will the log file know which activity to record?

  Good question, and the answer is not pretty.
  In Role-Based Firefighter Application, the firefighter ID on the target system contains the user's regular access plus his/her firefighter access.
  Reporting turns on when the user runs a transaction in the firefighter role.
  If the transaction is in both the user's regular access and the firefighter role, reporting will turn on because the firefighter role access is in use.
  The reports only track firefighter role usage.  So if a user runs a firefighter transaction but also uses access defined in the user's regular access, the only thing recorded is the transaction.
  If your company is not completely married to the idea of using Role-Based Firefighter Application, I suggest you consider the ID-Based Firefighter Application.  In this, there are separate firefighter IDs on the target system and a firefighter gains access to them by going into GRC and completing a form showing how the firefighter ID will be used, and then the GRC system will let the firefighter into the target system using that firefighter ID.

• Reseeding cache for users with role based security

  I have role based security and trying to set up cache by purging all cache and later seeding cache by query. The query would be different for different users. What is the best way to purge all cache and reseed cache for administrator as well as all users. The EPT would purge cache based on updated tables. But how do I next go about reseeding cache for better performance to all the users. Thanks.

  I have created an ibot with the following:
  General - Normal Priority, Personalized (recipient's data visibility)
  Conditional Request - example_report
  Schedule - some schedule
  Recipients - Me(administrator) and User1
  Destinations - Oracle BI Server cache
  when the ibot runs 2 cache entries are created (for the 2 recipients).
  I have the report (example_report) on the dashboard (1 dashboard, 1 page, 1 report).
  After the ibot runs:
  When the administrator logs in first, there is a cache hit on the report. Followed by when the User1 logs in there is NO cache hit.
  On the other hand when the User1 logs in first, there is a cache hit on the report. Followed by when the administrator logs in there is no cache hit. The query log creates a Query issued to the database instead of cache hit on query.
  The User1 has a data level security.
  Please let me know where was I making an error in setting the ibot and how to get the cache seeding work for the different users with different role based security.
  Thanks for your inputs.

• Role based session service setup on AM 7.1 with separate conf/user ldap

  AM 7.1 is installed with two separate LDAP instances used for AM config store and user repository.
  I want to setup different active session quota based on role assignment.
  The session service cos only existed on the AM config LDAP store.
  If I create the role and assigned and customize the session service to the role on the AM config LDAP store, the role cannot be assigned to user profile only existed on the user repository.
  If the role is created on the user repository, then the session service cannot assigned to the role on the user repository.
  I try created roles on both repository, assign session service to the role on AM config ldap and assign role of same name on the user repository to the user. The role based session is not effective.
  Would appreciate if any one can shed some light on how to setup role based session service on an AM installation with the AM config ldap and user repository being on 2 separate ldap instances.
  Thanks
  Mo

  AM 7.1 is installed with two separate LDAP instances used for AM config store and user repository.
  I want to setup different active session quota based on role assignment.
  The session service cos only existed on the AM config LDAP store.
  If I create the role and assigned and customize the session service to the role on the AM config LDAP store, the role cannot be assigned to user profile only existed on the user repository.
  If the role is created on the user repository, then the session service cannot assigned to the role on the user repository.
  I try created roles on both repository, assign session service to the role on AM config ldap and assign role of same name on the user repository to the user. The role based session is not effective.
  Would appreciate if any one can shed some light on how to setup role based session service on an AM installation with the AM config ldap and user repository being on 2 separate ldap instances.
  Thanks
  Mo

• Role-Based CLI Views with AAA method

  Hi,
  I'm configuring Role-Based CLI Views on a router for limiting access to users.
  My criteria:
  - There should be a local user account on the router that has the view 'service' attached to it
  - If the router is online and can reach the radius server, people in the correct group are assigned the view 'service'
  My configuration:
  aaa new-model
  enable secret 1234
  username service view service secret 1234
  aaa group server radius my_radius
  server-private 10.1.1.1 auth-port 1645 acct-port 1646 timeout 3 retransmit 2 key 0 1234
  server-private 10.1.1.2 auth-port 1645 acct-port 1646 timeout 2 retransmit 1 key 0 1234
  aaa authorization console
  aaa authentication login mgmt group my_radius local
  aaa authorization exec mgmt group my_radius local
  line con 0
  authorization exec mgmt
  logging synchronous
  login authentication mgmt
  line vty 0 4
  authorization exec mgmt
  logging synchronous
  login authentication mgmt
  transport input ssh
  The ERROR
  Now I want to go configure the cli view 'service'...
  # enable view
  Password: 1234
  *Jun  1 08:00:02.991: AAA/AUTHEN/VIEW (0000000D): Pick method list 'mgmt'
  *Jun  1 08:00:02.991: RADIUS/ENCODE(0000000D): ask "Password: "
  *Jun  1 08:00:02.991: RADIUS/ENCODE(0000000D): send packet; GET_PASSWORD
  *Jun  1 08:00:21.011: RADIUS: Received from id 1645/13 10.1.1.1:1645, Access-Reject, len 20
  The Questions
  Why does the 'enable view' try to pick a method list when you have to supply the enable secret to access the root view?
  Can you change this behaviour to always use the enable secret?
  The TEMP Solution
  If you're logged on to the router via telnet or SSH, the solution or workaround to this issue is:
  aaa authentication login VIEW_CONFG local
  line vty 0 4
  login authentication VIEW_CONFG
  Do your configuration of the view and re-configure the line to use the correct (wanted) method of authentication.
  Thanks so much for the suggestions
  /JZN

  hi,
  You have the following configured:
  aaa  authentication login mgmt group my_radius local
  aaa authorization  exec mgmt group my_radius local
  line  con 0
  authorization exec mgmt
  logging synchronous
  login  authentication mgmt
  line vty 0 4
  authorization exec mgmt
  logging synchronous
  login authentication mgmt
  transport  input ssh
  Hence every time you try to login to the console or try the ssh the authentication will head to the radius server because of the following command "login  authentication mgmt".
  You cannot make it locally. Whatever defined on the method list mgmt first will be taking the precedence.
  enable seceret will be locally defined. but you have the following configured:
  aaa  authorization  exec mgmt group my_radius local
  line  con 0
  authorization exec mgmt
  line  vty 0 4
  authorization exec mgmt
  Hence exec mode will also be done via radius server.
  when you configure:
  aaa  authentication login VIEW_CONFG local
  line vty 0 4
  login  authentication VIEW_CONFG
  You are making the authentication local, hence it is working the way you want.
  In short, whatever authentication is defined 1st on the method list will take precendence. the fallback will be checked only if the 1st aaa server is not reachable.
  Hope this helps.
  Regards,
  Anisha
  P.S.: please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.

• Role Based Access Control in Java

  Hi,
  we are designing a software solution that makes use of the Role Based Access Control pattern to control access of functions, EJBs, Servlets to certain users based on their "role".
  I have not been able to understand clearly how that pattern can be implemented in Java. In addition, I stumbled on the java.security.acl and I wondering how will the package work together with RBAC pattern (Or is the pattern already implemented in some package)?
  Does any1 have any comments on this? Thnx
  Dave

  Hi David,
  Permissions based on GUI components is a simple & neat idea. But is it rugged? Really secure? It might fall short of Grady Booch's idea of Responsibilities of objects. Also that your Roles and Access components are coupled well with Views!!!!!!!
  My suggestion regarding the Management Beans is only to do with the dynamic modification which our discussion was giong forward.
  If we go back to our fundamental objective of implementing a Role based access control,let me put some basic questions.
  We have taken the roles data from a static XML file during the start up of the container. The Roles or Access are wanted to be changed dynamically during the running of the container. You would scrutinize the changes of Roles and access before permission during the case of dynamic modification.
  Do you want this change to happen only for that particular session? Don't you want these changes to persist??? When the container is restarted, don't you want the changes to stay back?
  If the answer to the above is YES(yes I want to persist changes), how about doing a write operation(update role/access) of the XML file and continue your operation? After all, you can get the request to a web or session bean and keep going.
  If the answer to the above is NO(no, i don't want to persist), you can still get the change role request to a web or session bean and keep going.
  Either way, there is going to be an intense scrutiny of the operator before giving her permissions!!!
  One hurdle could be that how to get all neighbouring servers know about the changes in roles and access??? An MBean or App Server API could help you in this.
  May I request all who see this direction to pour in more comments/ideas ? I would like to hear from David, duffymo, komone and jschell.
  Rajesh

• Role based authorisations in the Integration Directory

  We have built a new PI landscape (Pi 7.11) and worked with our security teams to perfect the various roles. I am now attempting to implement role based authorisations in the ESR & ID so that objects in our QAS and PRD environments can be configured but not deleted or created.I have implemented role based authorsations as per the SAP standard process performing the following actions
  Exchange profile com.sap.aii.ib.util.server.auth.activation was set to true and the Java Stack Restarted.
  I created a role in the ID that allowed editing of any object.
  I assigned the role to my userid in NWA useradmin
  I am unable to edit ANY object in the ID
  When I set the Exchange profile parameter to false I found I was able to edit any object in the ID.
  So its obvious that the Exchange Profile Parameter does make a difference. However, it doesn't appear as if the role I created is being referenced, even though I assigned it to my account in NWA user admin. I looks like I may be missing some exchange profile parameters. I have the following exchange profiles set:
  IntegrationBuilder.IntegrationBuilder.Repository com.sap.aii.util.server.auth.activation (string) = true
  IntegrationBuilder.IntegrationBuilder.Repository com.sap.aii.ib.server.acl.enable (boolean) true
  IntegrationBuilder.IntegrationBuilder.Directory com.sap.aii.util.server.auth.activation (string) = true
  IntegrationBuilder.IntegrationBuilder.Directory com.sap.aii.ib.server.acl.enable (boolean) true
  Any advice you can offer would be appreciated

  Resolved this issue.
  The documentation is confusing but finally found the answer by referring to the SAP XI 3.0 documentation.

• Weblogic security & EJB role based access

  How does (or not) weblogic security tie into the EJB notion of role based
  control ? Can we create a 'custom' security mechanism for EJB (which
  basically uses the EJB facilities but extends it within the application) by
  using custom weblogic realms ?
  Thanks
  Raju

  Thanks !
  "Terry" <[email protected]> wrote in message
  news:[email protected]...
  comments inline
  r <[email protected]> wrote in message
  news:[email protected]...
  >>
  Here are some more specific questions around an 'example' scenario:
  The application has an entity bean 'Account' that can be accessed by the
  roles 'Bank Employee' and 'Customer'
  'Bank Employee' can execute the 'getBalance()' and 'placeOnHold()'
  methods on the 'Account' bean
  'Customer' can execute the 'withdraw()', 'deposit()', and'getBalance()'
  methods on the 'Account' bean
  These permissions are set up through the deployment descriptor by
  mapping
  the 'Bank Employee' and 'Customer' roles
  to the particular bean methods that the role should be given access to.
  1. How does weblogic provide the facility to map the EJB deployment
  descriptor
  <security-role> to a particular weblogic principal (user orgroup)
  Or, should I say, how do I map the user or group to a
  deployment-descriptor defined role?In the deployment tool, once in the jar select the 'Security' item,create
  an application role (in your case it is probably best to create 2 security
  roles - the bank employee role refering to the bank employee group (usethe
  'in role' checkboxes, and the customer role refering to the customergroup -
  there may at some point be use for an allUsers role, which includes both
  groups, maybe not. What I am saying is that a role is made of a one ormore
  of Principals - in our case groups)
  In the Account Bean select the method permissions item, and create amethod
  permission perm-0, select the perm-0 item that has just popped up in the
  left hand window, tick the box for placeOnHold(), and the boxes for<remote>
  and <home> one level deeper than this in the tree (as an aside, I have
  absolutely no idea why there would be a 'home' box here, ho hum). Selectthe
  'bank employee' 'can invoke' tickbox
  Create perm-1, and do what you did above for 'withdraw()' and 'deposit()'
  methods, and the 'customer' tickbox
  I believe the documents say you would have to set up another permission to
  allow both groups access to the getBalance method, but in practive Ihaven't
  found this the case.
  The documentation for this is at
  http://www.weblogic.com/docs51/classdocs/API_ejb/EJB_deploy.html#1102211
  (or
  search for 'Deploying EJBs with DeployerTool'
  2. Are there any administrative tools provided by weblogic to do
  this
  mapping ?The deployer tool. Otherwise I think it's the acse of writing your own xml
  files
  3. How much effort & complexity is involved in creating a custom
  realm
  Hmmm, depends - you could have the RDBMSRealm that is provided in'examples'
  in half an hour or so (there is a problem with one of the RDBMSUser's
  methods - getUserType or something like that - the solution can be foundin
  the newsgroups if you search), the same is probably true of the LDAPRealm,
  NTRealm etc (although I have never used these).
  Which one you choose depends on what equipment you have available,although
  I would say that the RDBMSRealm canuse a lot of optimisation
  Thanks,Welcome
  Raju
  "Terry" <[email protected]> wrote in message
  news:[email protected]...
  The Principals (i.e. groups and users) from your custom realm are used
  to
  define application roles for the EJBs, but, as far as I am aware youcannot
  use a custom implementation for the ACLs for EJBs
  terry
  r <[email protected]> wrote in message
  news:[email protected]...
  How does (or not) weblogic security tie into the EJB notion of rolebased
  control ? Can we create a 'custom' security mechanism for EJB (which
  basically uses the EJB facilities but extends it within the
  application)
  by
  using custom weblogic realms ?
  Thanks
  Raju

• Role-based view commands missing from config

  Hi All,
  I set up a 2960G with IOS 12.2(44)SE6 and created a role-based view to be used by our helpdesk.  One of the things they need to do is add rules to a MAC ACL on the switch.  I've successfully created a view for them and can include and exclude most commands, however, when I try to include the "commands mac-enacle include all permit" command, I get no syntax error, and there is no line in my configuration reflecting the change. As it stands, from the helpdesk view (named smco) I can get into mac acl configuration mode, but I can't issue any of the sub commands.
  Any advice would be greatly appreciated.  I tried upgraded to 12.2(55)SE and had the same result.
  The current configuration for the parser view is as follows:
  parser view smco
  secret 5 hashed_pw
  commands configure include mac access-list extended
  commands configure include all mac access-list
  commands configure include mac
  commands exec include configure terminal
  commands exec include configure

  After I issue the command "commands mac-enacl include all permit" there is no line in my startup or running configuration that says: "commands mac-enacl include all permit" or anything that closely resembles that.
  I've tested with multiple local accounts.  After authenticating, I issue the "enable view smco".

• Am I allowed to share my CC subscription with a friend?

  Please note that I do not have CC yet.
  I see that the programs can be installed on 2 computers but can another individual own the second install?

  I was just told in Adobe CC live chat, "You can install at any two systems with the email address was used to purchase the subscription. " I was also told it is not recommended to share account details where I then asked if it is in any user agreement. It is not. I am certain that I am at no risk of sharing my account details with this friend of mine.
  Since the live chat representative was unable to give me any definitive answers, the conversation was forwarded to another team and I should be getting an email in 2 - 3 business days.
  Though I'm guessing I should be good to go based off the answers I got in the chat?

• Privileges and Roles Based Views

  Hello,
  I have been confguring Roles based Views with Windows radius authentication on our 2960's and 3750's and it is working great.  I have 2 users, one with a Roles Base View called "priv3" and the other is for admins of login as the "root" view.  I have one Windows Active Directory group for "priv3" users and the other for admins using "root".
  Now I have to configure this on our 2955 switches and to my horror they don't seem to support Roles Based Views!!  fI you know if they can then all this would be solved, I've using the latest IOS c2955-i6k2l2q4-mz.121-22.EA13.bin.
  How can convert the Roles Base Views to privileges and use radius and not effect the other switches,as I've never used privilges.
  I hope someone can help with the config:
  Below is the config I use on the 2960's and 3750's and also what I use on the radius servers.  I guess I would need ot use a priv 15 setup and a custom view called priv3?
  Priv3 radius user settings
  cisco av-pair cli-view-name=priv3
  Priv 15 or root user settings
  cisco av-pair shell:priv-lvl=15
  cisco av-pair shell:cli-view-name=root
  Config:
  version 12.2
  no service pad
  service timestamps debug datetime msec
  service timestamps log datetime msec
  service password-encryption
  hostname 3750
  boot-start-marker
  boot-end-marker
  logging buffered 64000
  logging console informational
  logging monitor informational
  enable secret 5 $1$1UGK$kHB.S2UwMVXaG3C0
  username admin privilege 15 secret 5 $1$BsaS$cLHllovL2ZFb1
  username priv3users view priv3 secret 5 $1$JfnH$vUu.B.natnyB.
  aaa new-model
  aaa authentication login default group radius local
  aaa authentication enable default line
  aaa authorization console
  aaa authorization exec default group radius local
  aaa session-id common
  clock timezone GMT 0
  clock summer-time BST recurring last Sun Mar 2:00 last Sun Oct 3:00
  switch 1 provision ws-c3750g-12s
  switch 2 provision ws-c3750g-12s
  system mtu routing 1500
  udld aggressive
  no ip domain-lookup
  ip domain-name CB-DI
  login on-failure log
  login on-success log
  crypto pki trustpoint TP-self-signed-3817403392
  enrollment selfsigned
  subject-name cn=IOS-Self-Signed-Certificate-3817403392
  revocation-check none
  rsakeypair TP-self-signed-3817403392
  crypto pki certificate chain TP-self-signed-3817403392
  certificate self-signed 01
    removed
    quit
  archive
  log config
    logging enable
    logging size 200
    notify syslog contenttype plaintext
    hidekeys
  spanning-tree mode rapid-pvst
  spanning-tree extend system-id
  spanning-tree vlan 10 priority 8192
  vlan internal allocation policy ascending
  ip ssh version 2
  interface GigabitEthernet1/0/1
  interface GigabitEthernet1/0/24
  interface Vlan1
  description ***Default VLAN not to be used***
  no ip address
  no ip route-cache
  no ip mroute-cache
  shutdown
  interface Vlan10
  description ****
  ip address 10.10.150.11 255.255.255.0
  no ip route-cache
  no ip mroute-cache
  ip default-gateway 10.10.150.1
  ip classless
  no ip http server
  ip http secure-server
  logging trap notifications
  logging facility local4
  logging source-interface Vlan10
  logging 10.10.21.8
  logging 172.23.1.3
  access-list 23 permit 10.10.1.65
  snmp-server community transm1t! RO
  snmp-server trap-source Vlan10
  radius-server host 10.10.1.33 auth-port 1645 acct-port 1646 key 7 090D7E080D37471E48
  radius-server host 10.10.1.34 auth-port 1645 acct-port 1646 key 7 08607C4F1D2B551B51
  radius-server vsa send accounting
  radius-server vsa send authentication
  line con 0
  exec-timeout 60 0
  logging synchronous
  line vty 0 4
  access-class 23 in
  exec-timeout 60 0
  logging synchronous
  transport input ssh
  line vty 5 14
  access-class 23 in
  no exec
  transport input ssh
  parser view priv3
  secret 5 $1$XSCo$feyS.YaFlakfGYUgKHO/
  ! Last configuration change at 16:34:56 BST Fri Apr 13 2012
  commands interface include shutdown
  commands interface include no shutdown
  commands interface include no
  commands configure include interface
  commands exec include configure terminal
  commands exec include configure
  commands exec include show ip interface brief
  commands exec include show ip interface
  commands exec include show ip
  commands exec include show arp
  commands exec include show privilege
  commands exec include show interfaces status
  commands exec include show interfaces Vlan10 status
  commands exec include show interfaces Vlan1 status
  commands exec include show interfaces GigabitEthernet2/0/12 status
  commands exec include show interfaces GigabitEthernet2/0/11 status
  commands exec include show interfaces GigabitEthernet2/0/10 status
  commands exec include show interfaces GigabitEthernet2/0/9 status
  commands exec include show interfaces GigabitEthernet2/0/8 status
  commands exec include show interfaces GigabitEthernet2/0/7 status
  commands exec include show interfaces GigabitEthernet2/0/6 status
  commands exec include show interfaces GigabitEthernet2/0/5 status
  commands exec include show interfaces GigabitEthernet2/0/4 status
  commands exec include show interfaces GigabitEthernet2/0/3 status
  commands exec include show interfaces GigabitEthernet2/0/2 status
  commands exec include show interfaces GigabitEthernet2/0/1 status
  commands exec include show interfaces GigabitEthernet1/0/12 status
  commands exec include show interfaces GigabitEthernet1/0/11 status
  commands exec include show interfaces GigabitEthernet1/0/10 status
  commands exec include show interfaces GigabitEthernet1/0/9 status
  commands exec include show interfaces GigabitEthernet1/0/8 status
  commands exec include show interfaces GigabitEthernet1/0/7 status
  commands exec include show interfaces GigabitEthernet1/0/6 status
  commands exec include show interfaces GigabitEthernet1/0/5 status
  commands exec include show interfaces GigabitEthernet1/0/4 status
  commands exec include show interfaces GigabitEthernet1/0/3 status
  commands exec include show interfaces GigabitEthernet1/0/2 status
  commands exec include show interfaces GigabitEthernet1/0/1 status
  commands exec include show interfaces Null0 status
  commands exec include show interfaces
  commands exec include show configuration
  commands exec include show
  commands configure include interface GigabitEthernet1/0/1
  commands configure include interface GigabitEthernet1/0/2
  commands configure include interface GigabitEthernet1/0/3
  commands configure include interface GigabitEthernet1/0/4
  commands configure include interface GigabitEthernet1/0/5
  commands configure include interface GigabitEthernet1/0/6
  commands configure include interface GigabitEthernet1/0/7
  commands configure include interface GigabitEthernet1/0/8
  commands configure include interface GigabitEthernet1/0/9
  commands configure include interface GigabitEthernet1/0/10
  commands configure include interface GigabitEthernet1/0/11
  commands configure include interface GigabitEthernet1/0/12
  commands configure include interface GigabitEthernet2/0/1
  commands configure include interface GigabitEthernet2/0/2
  commands configure include interface GigabitEthernet2/0/3
  commands configure include interface GigabitEthernet2/0/4
  commands configure include interface GigabitEthernet2/0/5
  commands configure include interface GigabitEthernet2/0/6
  commands configure include interface GigabitEthernet2/0/7
  commands configure include interface GigabitEthernet2/0/8
  commands configure include interface GigabitEthernet2/0/9
  commands configure include interface GigabitEthernet2/0/10
  commands configure include interface GigabitEthernet2/0/11
  commands configure include interface GigabitEthernet2/0/12
  ntp logging
  ntp clock-period 36028961
  ntp server 10.10.1.33
  ntp server 10.10.1.34
  end
  Thanks!!!!

  DBelt --
  Hopefully this example suffices.
  Setup
  SQL> CREATE USER test IDENTIFIED BY test;
  User created.
  SQL> GRANT CREATE SESSION TO test;
  Grant succeeded.
  SQL> GRANT CREATE PROCEDURE TO test;
  Grant succeeded.
  SQL> CREATE ROLE test_role;
  Role created.
  SQL> GRANT CREATE SEQUENCE TO test_role;
  Grant succeeded.
  SQL> GRANT test_role TO test;
  logged on as Test
  SQL> CREATE OR REPLACE PACKAGE definer_rights_test
    2  AS
    3          PROCEDURE test_sequence;
    4  END definer_rights_test;
    5  /
  Package created.
  SQL> CREATE OR REPLACE PACKAGE BODY definer_rights_test
    2  AS
    3          PROCEDURE test_sequence
    4          AS
    5          BEGIN
    6                  EXECUTE IMMEDIATE 'CREATE SEQUENCE test_seq';
    7          END;
    8  END definer_rights_test;
    9  /
  Package body created.
  SQL> CREATE OR REPLACE PACKAGE invoker_rights_test
    2  AUTHID CURRENT_USER
    3  AS
    4          PROCEDURE test_sequence;
    5  END invoker_rights_test;
    6  /
  Package created.
  SQL> CREATE OR REPLACE PACKAGE BODY invoker_rights_test
    2  AS
    3          PROCEDURE test_sequence
    4          AS
    5          BEGIN
    6                  EXECUTE IMMEDIATE 'CREATE SEQUENCE test_seq';
    7          END;
    8  END invoker_rights_test;
    9  /
  Package body created.
  SQL> EXEC definer_rights_test.test_sequence;
  BEGIN definer_rights_test.test_sequence; END;
  ERROR at line 1:
  ORA-01031: insufficient privileges
  ORA-06512: at "TEST.DEFINER_RIGHTS_TEST", line 7
  ORA-06512: at line 1
  SQL> EXEC invoker_rights_test.test_sequence;
  PL/SQL procedure successfully completed.
  SQL> SELECT test_seq.NEXTVAL from dual;
               NEXTVAL
                     1

• To run OHS at port 80 using solaris role based access control

  Hi.
  I already know & have done setuid root to ohs/bin/.apachectl to allow ohs to listen to port 80. Now on a new OFM 11.1.1.4 install, I want to use Solaris Role Based Access Control (RBAC) instead. Is it possible? RBAC does work as I can run a home built apache2 httpd at port 80 withOUT suid root.
  On Solaris 10, I enabled oracle uid to run process below port 1024 using RBAC
  /etc/user_attr:
  oracle::::type=normal;defaultpriv=basic,net_privaddr
  Change OHS httpd.conf Listen from port 8888 to port 80.
  However, opmnctl startproc process-type=OHS
  failed as below with nothing showing in the diag logs:
  opmnctl startproc: starting opmn managed processes...
  ================================================================================
  opmn id=truffle:6701
  0 of 1 processes started.
  ias-instance id=asinst_1
  ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
  ias-component/process-type/process-set:
  ohs1/OHS/OHS/
  Error
  --> Process (index=1,uid=187636255,pid=25563)
  failed to start a managed process after the maximum retry limit
  Thx,
  Ken

  Just to add my two cents here.
  The commando used on Solaris to assign the right privilege to bind TCP ports < 1024 is:
  # usermod -K defaultpriv=basic,*net_privaddr* <your_user_name>
  Restart the opmnctl daemond.
  After that OHS/Apache user can bind to lower TCP ports.
  Regards.
  Edited by: Tuelho on Oct 9, 2012 6:05 AM

• I have an Apple ID with a single  e mail address. I want to set multiple addresses in the same ID. Can I? If so how?

  I have an Apple ID with a single  e mail address. I want to set multiple addresses in the same ID. Can I? If so how?

  Howdy there johnzcarp,
  As I understand it you want to have more than 1 email address under your Apple ID. You can have what are called Alternate Email addresses associated with your Apple ID and this article will help you get those setup:
  Manage your Apple ID primary, rescue, alternate, and notification email addresses
  Alternate email address
  You can add one or more alternate email addresses for use with Apple services such as Game Center, FaceTime, Find My Friends, iMessage, and OS X notifications.
  Go to My Apple ID (appleid.apple.com).
  Select “Manage your Apple ID” and sign in.
  Add an alternate address:
  Select Add Email Address, then enter your alternate address. Apple will send a verification email to that address. Didn't receive the email?
  Follow the instructions in the email to verify the address.
  Edit an alternate address:
  Select Edit next to the address, then enter the new address. Apple will send a verification email to that address. Didn't receive the email?
  Follow the instructions in the email to verify the address.
  Delete an alternate address: Select Delete next to the address.
  Thank you for using Apple Support Communities.
  Take care,
  Sterling

• Video works with one friend but not another?? please HELP!

  my ichat video isn't connecting with my friend christina. we've taken turns calling each other and my computer keeps saying "no data has been received in 10 seconds" i can hear the ringing and then when we go to connect thats when the message comes up and cancels the call. at the same exact time my other friend sam was online so to test out my video chat i called her. & it worked. christina also connected with sam separately & that worked. then we tried a conference where all 3 of us could chat, and sam started it and invited both of us. it worked and we could all talk & see each other. however for some reason i can't connect to just christina. what's going on?

  Hi,
  Welcome to the    Discussions
  iChat can have several messages on a failed chat.
  The "No Data for 10 Secs" one only appears on chats that connect (even if you don't see the Video)
  Basically it point to an issues between iChat at the Internet.
  The same Result can be achieved by pulling the Ethernet cable out or turning the Airport card off or powering down the modem or router.
  So we have to look at what can produce a similar break in the Internet connection without the drastic steps above.
  Some modem and router have "protection" features that will do this.
  Denial of Service (DoS) tries to make sure any data that come to your Computer does so at a rate it can handle.
  It was originally designed to protect Web Servers from "attacks" where too many requests coming to frequently used to bring servers and their Internet connections to halt.
  So Dos is threshold based,. It will cut any port that it thinks there is an "Attack" on.
  Video chats can send lots of data.
  These thresholds that are preset in the device tend to be set at Web page streaming speeds (allowing for multiple requests on popular servers) - but also at older Internet Speeds.
  Modern Speeds and things like iChat Streaming two way Video can mean that certain Buddies can send you data faster than the threshold is set for particularly with iChat 5.
  Stateful Packet Inspection (SPI) works differently but can only process a certain amount of data and will cut the port that is causing it to be overloaded making it Threshold based as well.
  There is no way to change the thresholds involved so the best course of action is to Disable the feature.
  So the Speed Sam has to send you Video may be lower than that of Christine and not bump into the threshold.
  If Sam is the Host then it the Speed of that Internet Connection that governs how fast Data is sent to you.
  One solution is to cap iChat in iChat > Preferences > Audio/Video Menu to 500kbps on the all Buddies involved.
  If this solve the issue between you and Christine then you can move on to your Modem or router.
  8:16 PM Sunday; June 6, 2010
  Please, if posting Logs, do not post any Log info after the line "Binary Images for iChat"
  Message was edited by: Ralph Johns (UK)