Security - Limiting users to use certain contexts

Hi
I want to set up some users that have design and execution capabilities, but I want to limit them to be able to execute in one context only (i.e. development).
I have a production context and I do not want developers having access to execute scenarios in this context.
Any ideas how to achieve this?
Thanks in advance.

Hi,
How about setting password for PROD context?
http://img89.imageshack.us/img89/2586/screenshot016w.jpg
http://img248.imageshack.us/img248/5725/screenshot017y.jpg
Thanks,
G

Similar Messages

  • Allowing non-admin users to use certain programs without authenticating

    I would like to allow certain programs to be run by non-admin users without forcing them to authenticate as an admin. Here is my example: I'm running Parallels Desktop with a VM to Windows. I want to allow my children to use this VM to access Windows programs. But, when starting a VM, the Mac OS requires an administrator to authenticate. Needless to say, I don't want my children to be administrators on the machine. I've been assured that this is not an issue related to how Parallels works (from the support team at Parallels). Instead, this is an issue with the Mac. I'm not sure one way or the other, but it seems useful to be able to (in general) allow non-admin users to use certain programs without forcing them to authenticate as administrators.
    There is only one summary in the Mac help on allowing non-admin users to change the time zone settings by directly editing the /etc/authorization file. Does anybody know if this procedure would work for other programs?
    Thanks!

    If you know what the requested right is, that procedure can be applied to any right in an application with a graphic interface by duplicating and modifying entries. The contents of that file don't control usage of sudo in the Terminal.

  • Limiting user activity using Oracle Profiles

    I am hoping to reduce the impact of a certain group of users on system performance. I can allocate a separate Oracle profile to them but when I set limits, what happens?
    Composite Limits - I'll leave alone, too much math required!
    Sessions/User - I can't limit that, they may feasibly and reasonably have several sessions
    CPU/Session - Ok, it's not a % of the CPU available but CPU seconds/100. What happens when that number is reached - is the sessions killed or what?
    CPU/Call - See above
    Logical Reads/Session - What happens when this limit is reached? Does the session die?
    Logical Reads/Call - See above
    Idle Time - Set to 300
    Connect Time - I do not wish to restrict this
    Private SGA - I am not sure about this (I don't even know if we are using multi-threaded server architecture!)
    So it seems to me, that none of these will meet my needs and consumer resource groups would be the correct thing... but can anyone please confirm?
    Thanks

    I've used CPU_per_call and logical_reads_per_call for our dynamic search. If user happens to enter such criteria that he cannot get at least a row back within certain limits he gets back certain oracle error and on the screen he gets something like "your query used too much resources, enter better criteria" :)
    The overall impact of such queries was limited because of total rows limit for search typically 100. So at most users could use 100 * almost resource limit per one search.
    If your users can issue whatever statements they like then this is not usable because for example for aggregate queries logical_reads_per_call will be reached quickly and user won't get back result of quite normal statement.
    So probably you have to use resource groups indeed.
    Gints Plivna
    http://www.gplivna.eu

  • Officejet pro 8500 a909g, limited user accounts can't use printing preferences

    The above description explains most of it. I had installed this 8500 printer, then shortly after, uninstalled the other two older printers I was previously using. That is when the problem started. I can not access printing preferences from a document or from control panel\printer and faxes. But I am able to access from the administrator account. I did an online chat with HP help and what we did made sense, but did not work. We went into the security tab in properties and added the limited user account for all permissions and rebooted the computer. Did not work!!!! I have a dell laptop, windows xp pro, and the printer software is now uninstalled. The window that pops up when I click on properties is: Function address 0x50085a97 caused a protection fault. (exception code 0x0000005) Some or all property pages may no be displayed. I do not have this problem as an administrator, only as a limited user.

    I had this similar problem.  Installed this printer a few months back and for some time it was printing fine.  Recently, I changed the default preferences to black/white, draft, low ink etc etc.  Now if I click on the Properties I get this same window:
      *** (x50085a97 caused protection fault (exception code 9xc0000005 some or all property pages could not be displayed) ***. 
    Running XP on a Dell Intel Pentium and it happens irrespective of the application I am using - usually firefox or staroffice.  9 times out of 10 I can't change the properties, but occasionally it allows me to then reverts back.  So now I am stuck with everything printing black/white as that's the default I set!  Any suggestions welcome.

  • I have recently transferred data from my old Mac to my new one. The result was good, but I have 2 users now, whose data I want to merge into 1 single user, so to avoid having to switch from one user to the other to view and use certain files. How to do it

    I have recently transferred data from my old Mac to my new one. The result was good, but I have 2 users now, whose data I want to merge into 1 single user, so to avoid having to switch from one user to the other to view and use certain files. How to do it?

    Here's an easy way:
    Pick the user that you want to eliminate (making sure that the remaining user has administrator privileges) and move all of the data that you want to keep into the Shared folder. Reboot or log out and login to the user you want to keep. Copy all the data from the Shared folder into your account - placing it neatly in folders (Documents, Music, Movies, etc.).
    Once the data is moved, log into the account you want to delete just once more to make certain that you've grabbed all the data you want to keep. Log out and log back into your admin account and go to System Preferences>Users & Groups and delete the 'old' user.
    That should do it.
    Clinton

  • Within reason it would be better and more secure for user to have more latitude in Id and password security. We can make a tool so difficult that it loses its usefulness. the need to write down scores of passwords to make a control freak happy stinks

    The balance between security and ease of use is way out of control with Apple. Where does Security end and Controlfreak begin? I have a very secure password that I use on many really high security programs and applications where peoples lives, safety and finances are at risk. There has never ever been a problem because I have chosen the usernames and passwords carefully, I use them all the time so I don't forget them. If I wrote different ones down so that I could access them from different locations that would be a huge violation of security.
    This policy is so extreme that it makes the tools that Apple makes available. I have used Apple as my music management system for years. This has become so impossible that I am going to have to convert to another system. This will cause me time and work. This is quite un-necessary. Control freaks are hard to deal with. I give up, I'm going to go away.

    I have no idea what your issue is, but if you want to comment to Apple, use their feedback page:
    http://www.apple.com/feedback/itunesapp.html
    Posting complaints here, and in particular threats to go to other products, where only we your fellow users will be likely to see them do no one any good. None of us here will really care if you decide that iTunes doesn't work for you and you have chosen to shift to some other product. That's your prerogative as a consumer.
    Regards.

  • Why don't java applets run when using Firefox 4.0 in a windows limited user account?

    Java applications will not run in Firefox 4.0 when the windows user/process only has limited user access rights. The systems I see this behaviour on have Windows XP Pro SP3, Firefox 4.0 and JRE 1.6.0_24 installed. The java application will run when full administrative rights are present. This issue did not occur with the 3.6 firefox version that was previously installed.

    The problem also exists with the newer Firefox 4.0.1 and Java 1.6.0_25 versions.
    Enabling administrative rights resolves the issue ... though this defeats the purpose of using a limited user.
    The underlying bug appears to be in the Firefox java plugin detection code. The issue is related to the detection code requiring write access to the HKLM\SOFTWARE\mozilla.org windows registry key. The limited user only has read access for this registry key. The behaviour was identified using the Sysinternals ProcessMonitor utility ... showed firefox calling an interface to create the registry key and getting an access denied response in the limited user case.
    A more targeted workaround for the issue is to grant the limited user write access on the HKLM\SOFTWARE\mozilla.org windows registry key. This avoids the need to grant administrative rights to the user and enables the java plugin to be detected. That is, it works on the 2 XP systems where the java plugin wasn't being detected in limited user accounts.

  • How can you provide datalevel security on particular user when using

    hi all
    how can we provide data level security for the single user when using external table authentication,
    again we have created one more group in rpd and we have assigned user to that group,
    so, is there any other way to do it????
    Thanks
    sreedhar

    Hi,
    If it is to restrict that user to view some data, then no need to place him in a separate group. Can achieve this...
    High priority is for restriction.
    Let's take group Test with two users: test1, test2. These two users are under Test group.
    I applied data level security for only one user test1 (restricted him to view market not equal to Central Region) but didn't apply data level security for test2.
    Now I added the group to presentation catalog and gave permission to dashboard showing Market report.
    When test1 logs in he can see all markets except Central Region, whereas when test2 logs in he can view all regions including Central Region.
    Here Test group is having full access so test2 can view all regions, but test1 user is restricted for some value and it's working fine.
    If you want to apply data level security to a user to not view some data, then you can maintain that user in a group with many other users and achieve it. The above example shows it.
    If it is to restrict the whole group to view dashboard and make a single user in the group to view some data in the dashboard then it's not possible (priority is for restriction) in this way; in this case it's better to create a new group for that user and assign him.
    Regards,
    Srikanth

  • Restrict regular users to use only certain ldm command options

    I would like to restrict regular users to use only certain ldm command options, for example only list, bind/unbind, stop/start
    What is the best practice to do it?
    Thanks

    Solution provided by one of my colleagues:
    Installing sudo and configure sudoers file "User privilege specification" section similar to the following example:
    # User privilege specification
    root ALL=(ALL) ALL
    user1 host1 = /opt/SUNWldm/bin/ldm ls *
    user1 host1 = /opt/SUNWldm/bin/ldm stop *
    user1 host1 = /opt/SUNWldm/bin/ldm stop -f *
    user1 host1 = /opt/SUNWldm/bin/ldm start *
    user1 host1 = /opt/SUNWldm/bin/ldm bind *
    user1 host1 = /opt/SUNWldm/bin/ldm unbind *
    Note: asterisk should be at the end of each row. They are not displayed in the posted message...
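
How the trailing `*` in the rules above behaves, as an added example (not part of the original post and not sudo's own code): a simplified shell model of sudoers argument matching, in which the arguments are compared to the rule as one space-joined string. The domain names `guest1` and `guest2` are made up.

```shell
#!/bin/sh
# Simplified model of sudoers command matching for rules whose path has no
# wildcard: the command line is compared to the rule as ONE string, so "*"
# also matches spaces, options and further arguments.

# Rules copied from the post above (user1 on host1).
RULES='/opt/SUNWldm/bin/ldm ls *
/opt/SUNWldm/bin/ldm stop *
/opt/SUNWldm/bin/ldm stop -f *
/opt/SUNWldm/bin/ldm start *
/opt/SUNWldm/bin/ldm bind *
/opt/SUNWldm/bin/ldm unbind *'

# matching_rule CMDLINE
# Prints the first rule that permits CMDLINE and returns 0; returns 1 if none.
matching_rule() {
    cmdline=$1
    old_ifs=$IFS
    IFS='
'
    set -f                      # keep "*" in the rules from globbing files
    for rule in $RULES; do
        # An unquoted $rule is used as a shell pattern; its "*" matches any
        # run of characters, spaces included.
        case $cmdline in
            $rule)
                IFS=$old_ifs; set +f
                printf '%s\n' "$rule"
                return 0 ;;
        esac
    done
    IFS=$old_ifs; set +f
    return 1
}

# check CMDLINE: print the decision for one constructed request.
check() {
    if hit=$(matching_rule "$1"); then
        printf 'ALLOW  %-45s rule: %s\n' "$1" "$hit"
    else
        printf 'DENY   %s\n' "$1"
    fi
}

# Constructed requests.
check '/opt/SUNWldm/bin/ldm ls guest1'
check '/opt/SUNWldm/bin/ldm stop -f guest1'        # already covered by "stop *"
check '/opt/SUNWldm/bin/ldm stop guest1 guest2'    # "*" spans several arguments
check '/opt/SUNWldm/bin/ldm ls'                    # no argument: "ls *" needs "ls " first
check '/opt/SUNWldm/bin/ldm remove-domain guest1'  # subcommand with no rule
```

On the real host, `visudo -c` checks the edited file's syntax and `sudo -l -U user1` lists what the rules actually grant.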

  • How to authorize users to use only certain tax codes not all

    After creating tax codes using FTXP, is there any way we can control the use of it by assigning only few to users to use, not all.
    Any help.
    Regards
    Robert

    We can restrict user based on:-
    Organizational Levels in Transaction code PFCG
    Accounting Number & Cost Center in Transaction code SU01
    Edited by: G K Raja on Nov 4, 2009 12:02 PM

  • How do I block limited users from downloading or installing files?

    Hello and greetings from the Sooner state!  I am embarrassingly seeking your advice and guidance on a topic I should have a solution for given my background as a certified A+ Technician and Cyber Security Technician in the United
    States Air Force.  The issue is this, I have a user (my son) who continues to find ways to download and install malware via video online games or uncommon search engines (Vosteran), something else he has managed to do…   To this date I have
    ensured that he is logging on to his Windows 7 computer utilizing a Limited User Account, I have locked down his machine utilizing a combination of iolo System Mechanic,  Microsoft Family Safety (my primary parental control software),  Microsoft
    Security Essentials none of which block the installation of software at the Limited User level.   If you look at the Top 3 Parental Control suite of software there is nothing that includes such a utility as part of their software package that prohibits
    or bars your kids from installing software on their own.  I know that a Limited User is supposed to be restricted from installing any software but this isn’t the case with my Son.  What would your best advice be for me in this situation?  Again,
    I should have this info down pat yet I do not (that’s what retirement does to you, LOL)…   Many thanks in advance for your help!  Peace!!

    Hi Doc Bryan,
    If you are using consumer versions of win7 (higher than home premium), you could use the Group policy to impose various restrictions on installing and running software and those will apply on standard users.
    To prevent Installation of software by using windows installer.
    Run gpedit.msc to open group policy editor.
    Navigate to Computer configuration/Administrator Templates/Windows Components/Windows installer/Prohibit User Installs
    Enable this policy and change the “User Install Behavior” option value to “Hide User Install”.
    To prevent downloading files from Internet Explorer
    Navigate to User configuration/Administrator Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone/Allow file downloads
    Enable this policy and change the “Allow file downloads” option value to “Disable”.
    Note: Since for Windows it is hard to define that which exe file is installation or execution of the program, there is always some way can walk around this Group policy such as hard disk copy program or using third party Internet browsers
    to download.
    So you also need Parental Controls feature(also apply to home edition)
    and you can find it in control panel, choose the standard account to which you want to apply the control. Now click ‘Allow and Block Specific Programs’ link and choose ‘[User] can only use the programs I allow’ option.
    After analyzing, it will show you the list of all programs installed on the system which can be used by the standard user. Hit the Check All button to allow all programs, then find and uncheck Chrome and other apps that you want to restrict. When done, hit
    OK.
    If your kids want to use a certain software and you find it safe to use. Log inside your Administrator account and install it from there. While installing, please select “Install for All Users” when prompted. Doing this will install the software for all
    users.
    Regards

  • Is it possible for multiple users to use a "generic" account simultaneously without screen sharing?

    Hey and thanks for checking out the thread.
    I am wondering if it is possible to have users use a generic account at the same time without any sort of screen sharing.
    I have set up a generic user account (for example useraccount, password 1234) for users to use in the time before I can set up a custom user name for them. However, I have run into some issues with this.
    When multiple users log on using this generic account, their applications seem to be shared on each screen. In the room with multiple Mac workstations, if someone starts working on Photoshop, Photoshop will open on every one elses screen who is logged on under that generic account.
    Is it possible for users to log on using a generic network account and have their own isolated work environment or is this sort of sharing a feature? I am new to Mac servers and am not sure.
    Thanks for reading the thread.

    That shared-account approach seems impractical for the various reasons you've identified, as well as the inevitable issue of cleaning up the detritus that'll inevitably build up in a shared account, and for the lack of accountability for activities occurring under the shared account for both auditing and security, and sharing directories would tend to introduce obscure conflicts around which-file-version-wins file updates when the same file is used in several places, and would probably be contrary to any per-user application software licensing agreements that might be involved.
    Put another way, get unique accounts created for folks, and work toward the ability to create accounts for arriving folks, and — if it's applicable here — talk to management about getting any per-user software licensing issues sorted out, whether that's having spare copies purchased and ahead or some advanced notice on accounts, or establishing group software licensing where that's available.
    AFAIK, there are tools around which can automate account creation, too.  Either generic, a tool such as Passenger, or it's certainly feasible to script the account creation sequence.
    Trying this shared-access generic-account approach just looks like it can create more work and more hassles and more effort to me...

  • Database Access in limited user account

    I have made an application in which I am communicating with database. 
    Let me explain about my application first.
    1. Application starts and it asks for user name and password
    2. After successful login data reading or writing from /to database.
    All this information whether its data or user name or password, I am storing in same database but in different tables
    Now if I login from limited user then I am able to login by entering user name and password but later I am not able to read/write to database, but if I login from admin account then everything runs smoothly.
    This happened recently and I am sure this is a permission issue.
    Kudos are always welcome if you got solution to some extent.
    I need my difficulties because they are necessary to enjoy my success.
    --Ranjeet

    SQL?? MySQL, MS SQL Server, Oracle SQL, PostgreSQL, SQLLite, .......
    ADO driver you use?
    versions of SQL server and ADO drivers?
    There is obviously some security! If there wasn't any you would not get any trouble to connect to your server with a normal user account.
    Rolf Kalbermatter
    CIT Engineering Netherlands
    a division of Test & Measurement Solutions

  • SOAP Basic Authentication - How to create a limited user access

    Hello
    I have a lots of scenarios that use XI´s WebService for integration. For the 3rd party systems be able to use the WebServices, they need an authentication in Web Application Server.
    The question is: How can I create a user with LIMITED access to ONLY ONE Webservice in XI ?
    For example, I want a user called webservice1 that can access only http://myserver:50100/XISOAPAdapter/MessageServlet?channel=:SERVICE:SOAP_Sender_CC.
    I don´t wanna use HTTPS because the 3rd party systems are very limited and they don´t have HTTPS support.
    Thanks

    Yes, I have up the user in the Send Agreement. My SOAP Adapter Communication Chanel is configured there.
    I´m using the correct user in webservice authentication. It's the same I created in SU01.
    Without those authentication configurations (when All users can use the webservice), I can log in with this user. But when I restrict by doing the configurations, it doesn´t work.
    I just made a test by restricting the service for another user and the error message is different.
    When I log with a different user than the configured one, the error is:
    java.security.AccessControlException: USER has no permission for accessing party service :SYSTEM_TEST...
    When I log with the configured user authentication, the error is:
    com.sap.aii.af.ra.ms.api.DeliveryException: XIServer:NO_EXEC_PERMISSION:....
    Seems there´s still some missing configuration.
    Thanks

  • Ask the Expert: Introduction to Cisco Adaptive Security Appliance (ASA) version 9.x (Context Aware Security and VPN Features)

    With Namit Agarwal and Rahul Govindan 
    Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about Cisco Adaptive Security Appliance (ASA) version 9.x (Context Aware Security and VPN Features) with experts Namit Agarwal and Rahul Govindan.
    This is a continuation of the live webcast.
    Cisco ASA CX (Context-Aware) is a next generation firewall service that serves as an extension to the Cisco Adaptive Security Appliance (ASA) firewall platform. In addition to the proven stateful inspection firewall capabilities, it provides us with next-generation capabilities and a host of additional network-based security controls for end-to-end network intelligence and streamlined security operations.
    Namit Agarwal is a customer support engineer at the Cisco Technical Assistance Center in Bangalore, India. He has more than four years of experience in the security domain. His areas of expertise include ASA firewalls, IPS, and ASA content-aware security (ASA CX). He has been involved in various escalation requests from around the world. He holds CCIE certification (number 33795) in security.   
    Rahul Govindan has been an engineer with the Security Technical Assistance Center team in Bangalore for more than three years. He works on security technologies such as VPN; Cisco ASA firewalls; and authentication, authorization, and accounting. His particular expertise is in Secure Sockets Layer VPN and IP security VPN technologies. He holds CCIE certification (number 29948) in security.
    Remember to use the rating system to let Namit and Govindan know if you have received an adequate response. 
    Because of the volume expected during this event, Namit and Govindan might not be able to answer every question. Remember that you can continue the conversation in the Security community, subcommunity VPN shortly after the event. This event lasts through November 1, 2013. Visit this forum often to view responses to your questions and the questions of other Cisco Support Community members.
    Webcast related links:
    Slides from the live webcast
    Video Recording of the live webcast
    Introduction to Cisco Adaptive Security Appliance (ASA) version 9.x (Context Aware Security and VPN Features): FAQ from live webcast

    Hello Namit and Rahul,
    Here are a few questions that came in directly during your live webcast, hence posting them here so that users can benefit:
    1)      How is ASA CX different from other UTM solutions ?
    2)      How is dynamic application inspection of CX better than other inspection engines  ?
    3)      What features or functionalities on the CX are available by default ?
    4)      what are the different ways we can run or install CX on the ASA platform ?
    5)      What VPN features are supported with multi context ASA in the 9.x release ?
    6)      What are the IPv6 Enhancements in the ASA version 9.x ?
    Request you to please provide your responses to them individually.
    Thanks.
