AAA and Role based access (NPS)
Hi
I authenticate all my cisco switches and routers with AAA + NPS + AD
A server runs the NPS service with the Cisco attribute shell:priv-lvl=15 or 5, depending on the AD group.
But I'd like to configure role-based access with IOS views.
When I issue the enable view command, I get
Password:
I tried my AD password and the configured enable password, and I always get
% Authentication failed
My line vty config:
line vty 0 4
authorization exec VTY-AAA
login authentication VTY-AAA
transport input ssh
Have you gone through the parser view configuration example listed below? Please check here.
View authentication is performed by an external authentication server via the new attribute "cli-view-name" so you need to use cisco-av-pair as cli-view-name=xxxx
AAA authentication associates only one view name to a particular user; that is, only one view name can be configured for a user in an authentication server.
In case you still have any issues, run debug parser view and share the output, I'll try to help.
~BR
Jatin Katyal
**Do rate helpful posts**
Similar Messages
-
We have a requirement to provide role based access to our portal. Employees require full portal access, partners require access to specific applications and resources, while guests should be provided access only to the Internet. People suggested SSL VPN from vendors like Array Networks, Juniper, Portwise etc.
We are trying to use our portal as a kind of web VPN. Also we wanted to use strong access control.... Are there any ideas other than using SSL VPNs?
-thanks
1. You can configure your portal on HTTPS (SSL). That keeps it on the secure SSL layer.
2. Have SSO to distinguish between authenticated_users (logged in users like your employees, partners, etc) and un-authenticated_users (Guest).
3. Use Groups for translating roles for your users. i.e., Make Groups for your users based on what you called as roles in your message.
4. Assign access privileges available in portals for pages and portal objects according to your needs to these Groups.
I don't think a VPN will be needed when you have an extranet portal (as you hinted at internet for guests).
You can have a darn strong access control using this mechanism.
hope that helps!
AMN -
Role Based Access problem in forms
This would be a long reading.
I'm having a problem with forms Role Based Access.
We have two databases, one in London and one in Zurich. We have installed
application server and oracle forms on London database. We have implemented
Role Based Access to forms. For this we have created a database role (say ZUR_USER)
in both databases. The view FRM50_ENABLED_ROLES which is used by forms role based access control
is also created in both databases with a 'grant select to public'.
Our form system has a menu and forms under that menu. Both menu and the underlying forms have been
assigned Menu Security/Item Roles to the above mentioned ZUR_USER role and the role is assigned
to various users.
Now a Zurich user is trying to login to Zurich database using the URL for forms installation
in London server. He can login successfully and can see the menu heading in the main screen but
when he clicks the menu he doesn't see the underlying forms list.
When we try the same user id and database from London (using the same URL) we see all the forms.
Any idea what we are missing? The Menu Security is set up at menu level as well as at the form level under
that menu. The user can see the menu but not the form under that menu from Zurich. No such problem while
logging in from London.
I'm using Forms 10g
and yes the only difference is between login from Zurich and London.
Problem definitely is due to Role Based Access setup.
The user in Zurich can see the Menu but not the items under that menu.
I have set the security up at both menu and menu item (i.e. form name) level.
-
Role Based Access Control in Java
Hi,
we are designing a software solution that makes use of the Role Based Access Control pattern to control access of functions, EJBs, Servlets to certain users based on their "role".
I have not been able to understand clearly how that pattern can be implemented in Java. In addition, I stumbled on java.security.acl and I am wondering how that package works together with the RBAC pattern (or is the pattern already implemented in some package)?
Does anyone have any comments on this? Thanks
Dave
Hi David,
Permissions based on GUI components is a simple & neat idea. But is it rugged? Really secure? It might fall short of Grady Booch's idea of Responsibilities of objects. Also that your Roles and Access components are coupled well with Views!!!!!!!
My suggestion regarding the Management Beans only has to do with the dynamic modification our discussion was going towards.
If we go back to our fundamental objective of implementing role-based access control, let me put some basic questions.
We have taken the roles data from a static XML file during the start-up of the container. The roles or access are to be changed dynamically while the container is running. You would scrutinize the changes of roles and access before permission in the case of dynamic modification.
Do you want this change to happen only for that particular session? Don't you want these changes to persist??? When the container is restarted, don't you want the changes to stay back?
If the answer to the above is YES (yes, I want to persist changes), how about doing a write operation (update role/access) of the XML file and continuing your operation? After all, you can get the request to a web or session bean and keep going.
If the answer to the above is NO(no, i don't want to persist), you can still get the change role request to a web or session bean and keep going.
Either way, there is going to be an intense scrutiny of the operator before giving her permissions!!!
One hurdle could be how to let all neighbouring servers know about the changes in roles and access. An MBean or App Server API could help you with this.
May I request all who see this direction to pour in more comments/ideas ? I would like to hear from David, duffymo, komone and jschell.
Rajesh -
ADF UIX Role Based Access Control Implementation
Hi,
Can anybody suggest a detailed example or tutorials of how to implement a role based access control for my ADF UIX application.
The application users can be dynamically added to specific roles (admin, Secretary, Guest). Based on the roles, they should be allowed to access only certain links or ADF entity/view operations. Can this be implemented in a centralized way?
Can this be done using JAZN or JAAS. If so, Please provide me references to simple tutorial on how to do this.
Thanks a lot.
Sathya
Brenden,
I think you are following a valid approach. The default security in J2EE and JAAS (JAZN) is to configure roles and users in either static files (jazn-data.xml) or the Oracle Internet Directory and then use either jazn admin APIs or the OID APIs to programmatically access users, groups and Permissions (your role_functions are Permissions in a JAAS context).
If you modelled your security infrastructure in OID rather than the database, an administrator would be able to use the Delegated Administration Service (DAS), a web-based console in Oracle Application Server. To configure security this way, you would have two options:
1. Use J2EE declarative security and configure all your .do access points in web.xml and constrain them by a role name (which is a user group name in OID). The benefit of this approach is that you can get Struts actions working directly with it because Struts actions have a roles attribute.
The disadvantage is that you can't dynamically create new roles because they have to be mapped in web.xml
2. Use JAAS and check Permissions on individual URLs. This allows you to perform finer grained and flexible access control, but also requires changes to Struts. Unlike the approach of subclassing the DataActionForward class, I would subclass the Struts RequestProcessor and change the processRoles method to evaluate JAAS permissions.
The disadvantage of this approach is that it requires coding that should be done carefully not to lock you in to your own implementation of Struts so that you couldn't easily upgrade to newer versions.
1 - 2 have the benefit of that the policies can be used by all applications in an enterprise that use Oracle Application Server and e.g. SSO.
Your approach - as said - is valid and I think many customers will look for the database first when looking at implementing security (so would I).
Two links that you might be interested in to read are:
http://sourceforge.net/projects/jguard/ --> an open source JAAS based security framework that stores the user, roles and permissions in database tables similar to your approach
http://www.oracle.com/technology/products/jdev/collateral/papers/10g/adfstrutsj2eesec.pdf --> a whitepaper I've written about J2EE security for Web applications written with Struts and JavaServer Pages. You may not be able to use all of it, but it's a good source of information.
Frank -
Any best practice to apply role based access control?
Hi,
I am starting to apply the access permissions for new users as being set by admin. I am choosing Role Based Access Control for this task.
Can you please share the best practices or any built-in feature in JSF to achieve my goal?
Regards,
Faysi
Hi,
The macro pattern is my work. I've received a lot of help from forums as this one and from the Java developers community in general and I am very happy to help others and share my work.
Regarding the architect's responsibility of defining the pages according to the roles that have access to them: there is the enterprise.software infrastructure.facade java package.
Here I implemented the Facade GoF software design pattern in the GroupsAndRolesAccessFacade java class. Thus, this is the only class the developer uses in order to define groups and roles of users and to define their access as per page.
This is according to Java EE 6 tutorial, section VII Security, page 471.
A group, role or user is created with an Identity Management application or by a custom application.
Pages of the application and their sections are defined or modified together with the group, role or user who has access to them.
For this you can use the createActiveGroup and createActiveRole methods of the GroupsAndRolesAccessFacade class.
I've been in situations where end users were very strict about the functionality of the application.
If you try to abstract web development, you can think of writing to the database, reading from the database and modifying the database as actions.
Each of these actions should have suggester, approver and implementor.
Thus you can't call the createActiveGroup method, for example, without first calling the requestActiveGroupCreationHelper and then the approveOrDeclineActiveGroupCreationHelper method.
After the pages a group has access to have been defined with the createActiveGroup method, a developer can find out the pages and their sections a group has access to by calling the getMinimumInformationAboutGroup method.
Furthermore, if the application is very strict, that is if every action which involves writing to the database must be recorded, this concept of suggester, approver and implementor is available through the recordActiveGroupAction method.
For example, there is a web shop; its managers can change the prices of the products, but the boss will want to know who dared to lower prices.
This action of lowering prices is an action of modifying the information in the database, and you can save in the database who suggested it, who approved it and who implemented it.
Now that I write about the functionality of the macro pattern, I realise that some methods should have more proper names and I haven't had time to write documentation in the API, but this will be complete when I add the web pages for the architect to use for defining access control and for the end users to view who is doing what with their application.
-
Importing a pkg with rely on server storage and roles for access control
Hi we run std 2008 r2. I'm reading documentation on prot levels during pkg import to catalog at
https://msdn.microsoft.com/en-us/library/ms141747(v=sql.105).aspx but unfortunately the definition of prot level "rely on server storage and roles for access control"
isn't clear. They used the prot level name to define it which didn't help me.
This option looks appealing but it isn't clear why I need to enter a password when choosing this option. Will my peers need to know that password when they export? Will the SQL Agent job need to present that password when running? If I just keep the current
prot level "encrypt with user" will the agent job be able to run it? I'm sure it (agent) isn't running with my creds now. Also, how can I tell what prot level it was deployed with last? I rt clicked on the pkg in the catalog
and don't see anything obvious about that. I already understand that on export prot level is changed to encrypt with user.
I'm going to look at the SQL Agent job right now to see what creds it runs with.
The first thing to understand is that the protection level is used for determining how the package (dtsx) file has to be protected. Once the package is deployed on the server and executed from the Agent, the conventional way is to use configurations, or parameters if
2012, to get the required connection etc. values and execute using them. It never uses the values that were set at design time. So it doesn't matter what the protection level was, so far as it's based on config.
However, if you're planning to export the existing package to your system and do modifications, that's where the protection level comes into play. If it's set to any of the EncryptSensitive... type values then you'll have to provide the value (either a password or your user key, which
it takes automatically from login info) to see the sensitive info (connection info, passwords etc.). The package will still open, and so far as you manually type in the missing values you will be able to execute the package. If the protection level is set to one of EncryptAll
then you will have no way to open the package itself unless you provide the password / have the correct user key.
The "rely on server storage" option uses the SQL Server security context itself, i.e. it doesn't do any encryption within the package by itself but will assume values based on SQL Server security. This is used when you store the package itself in SQL Server (MSDB).
Visakh
-
To run OHS at port 80 using solaris role based access control
Hi.
I already know about, and have done, setuid root on ohs/bin/.apachectl to allow OHS to listen on port 80. Now on a new OFM 11.1.1.4 install, I want to use Solaris Role Based Access Control (RBAC) instead. Is it possible? RBAC does work, as I can run a home-built apache2 httpd on port 80 without suid root.
On Solaris 10, I enabled oracle uid to run process below port 1024 using RBAC
/etc/user_attr:
oracle::::type=normal;defaultpriv=basic,net_privaddr
Change OHS httpd.conf Listen from port 8888 to port 80.
However, opmnctl startproc process-type=OHS
failed as below with nothing showing in the diag logs:
opmnctl startproc: starting opmn managed processes...
================================================================================
opmn id=truffle:6701
0 of 1 processes started.
ias-instance id=asinst_1
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
ias-component/process-type/process-set:
ohs1/OHS/OHS/
Error
--> Process (index=1,uid=187636255,pid=25563)
failed to start a managed process after the maximum retry limit
Thx,
Ken
Just to add my two cents here.
The command used on Solaris to assign the right privilege to bind TCP ports < 1024 is:
# usermod -K defaultpriv=basic,net_privaddr <your_user_name>
Restart the opmnctl daemon.
After that OHS/Apache user can bind to lower TCP ports.
Regards.
Edited by: Tuelho on Oct 9, 2012 6:05 AM -
Hi,
I wanted to know how to include Role Based Access in my Struts application.
Does Struts provide any mechanism to accomplish it?
If yes, then how can it be done?
Thanks
kurt
Hi Velu,
Yes, this is exactly what Access Manager (now called OpenSSO, btw) can do.
In your first use case, you would simply create two policies. The first one would allow only users in the admin group access to the admin application (e.g. https://someserver.example.com/admin/*). The second would allow users in the employee group access to the remaining two applications (e.g. https://someserver.example.com/app1/*, https://someotherserver.example.com/app2/*).
In your second use case, the policies would be similar - first policy would allow users in the admin group to access https://someserver.example.com/app3/*, second policy would allow users in the employee group to access only https://someserver.example.com/app3/employees/*.
Cheers,
Pat -
Privileges and Roles Based Views
Hello,
I have been configuring role-based views with Windows RADIUS authentication on our 2960s and 3750s and it is working great. I have 2 users, one with a role-based view called "priv3" and the other for admins who log in with the "root" view. I have one Windows Active Directory group for "priv3" users and the other for admins using "root".
Now I have to configure this on our 2955 switches and to my horror they don't seem to support role-based views!! If you know whether they can, then all this would be solved; I'm using the latest IOS c2955-i6k2l2q4-mz.121-22.EA13.bin.
How can I convert the role-based views to privileges and use RADIUS without affecting the other switches, as I've never used privileges?
I hope someone can help with the config:
Below is the config I use on the 2960s and 3750s and also what I use on the RADIUS servers. I guess I would need to use a priv 15 setup and a custom view called priv3?
Priv3 radius user settings
cisco av-pair cli-view-name=priv3
Priv 15 or root user settings
cisco av-pair shell:priv-lvl=15
cisco av-pair shell:cli-view-name=root
Config:
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname 3750
boot-start-marker
boot-end-marker
logging buffered 64000
logging console informational
logging monitor informational
enable secret 5 $1$1UGK$kHB.S2UwMVXaG3C0
username admin privilege 15 secret 5 $1$BsaS$cLHllovL2ZFb1
username priv3users view priv3 secret 5 $1$JfnH$vUu.B.natnyB.
aaa new-model
aaa authentication login default group radius local
aaa authentication enable default line
aaa authorization console
aaa authorization exec default group radius local
aaa session-id common
clock timezone GMT 0
clock summer-time BST recurring last Sun Mar 2:00 last Sun Oct 3:00
switch 1 provision ws-c3750g-12s
switch 2 provision ws-c3750g-12s
system mtu routing 1500
udld aggressive
no ip domain-lookup
ip domain-name CB-DI
login on-failure log
login on-success log
crypto pki trustpoint TP-self-signed-3817403392
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3817403392
revocation-check none
rsakeypair TP-self-signed-3817403392
crypto pki certificate chain TP-self-signed-3817403392
certificate self-signed 01
removed
quit
archive
log config
logging enable
logging size 200
notify syslog contenttype plaintext
hidekeys
spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree vlan 10 priority 8192
vlan internal allocation policy ascending
ip ssh version 2
interface GigabitEthernet1/0/1
interface GigabitEthernet1/0/24
interface Vlan1
description ***Default VLAN not to be used***
no ip address
no ip route-cache
no ip mroute-cache
shutdown
interface Vlan10
description ****
ip address 10.10.150.11 255.255.255.0
no ip route-cache
no ip mroute-cache
ip default-gateway 10.10.150.1
ip classless
no ip http server
ip http secure-server
logging trap notifications
logging facility local4
logging source-interface Vlan10
logging 10.10.21.8
logging 172.23.1.3
access-list 23 permit 10.10.1.65
snmp-server community transm1t! RO
snmp-server trap-source Vlan10
radius-server host 10.10.1.33 auth-port 1645 acct-port 1646 key 7 090D7E080D37471E48
radius-server host 10.10.1.34 auth-port 1645 acct-port 1646 key 7 08607C4F1D2B551B51
radius-server vsa send accounting
radius-server vsa send authentication
line con 0
exec-timeout 60 0
logging synchronous
line vty 0 4
access-class 23 in
exec-timeout 60 0
logging synchronous
transport input ssh
line vty 5 14
access-class 23 in
no exec
transport input ssh
parser view priv3
secret 5 $1$XSCo$feyS.YaFlakfGYUgKHO/
! Last configuration change at 16:34:56 BST Fri Apr 13 2012
commands interface include shutdown
commands interface include no shutdown
commands interface include no
commands configure include interface
commands exec include configure terminal
commands exec include configure
commands exec include show ip interface brief
commands exec include show ip interface
commands exec include show ip
commands exec include show arp
commands exec include show privilege
commands exec include show interfaces status
commands exec include show interfaces Vlan10 status
commands exec include show interfaces Vlan1 status
commands exec include show interfaces GigabitEthernet2/0/12 status
commands exec include show interfaces GigabitEthernet2/0/11 status
commands exec include show interfaces GigabitEthernet2/0/10 status
commands exec include show interfaces GigabitEthernet2/0/9 status
commands exec include show interfaces GigabitEthernet2/0/8 status
commands exec include show interfaces GigabitEthernet2/0/7 status
commands exec include show interfaces GigabitEthernet2/0/6 status
commands exec include show interfaces GigabitEthernet2/0/5 status
commands exec include show interfaces GigabitEthernet2/0/4 status
commands exec include show interfaces GigabitEthernet2/0/3 status
commands exec include show interfaces GigabitEthernet2/0/2 status
commands exec include show interfaces GigabitEthernet2/0/1 status
commands exec include show interfaces GigabitEthernet1/0/12 status
commands exec include show interfaces GigabitEthernet1/0/11 status
commands exec include show interfaces GigabitEthernet1/0/10 status
commands exec include show interfaces GigabitEthernet1/0/9 status
commands exec include show interfaces GigabitEthernet1/0/8 status
commands exec include show interfaces GigabitEthernet1/0/7 status
commands exec include show interfaces GigabitEthernet1/0/6 status
commands exec include show interfaces GigabitEthernet1/0/5 status
commands exec include show interfaces GigabitEthernet1/0/4 status
commands exec include show interfaces GigabitEthernet1/0/3 status
commands exec include show interfaces GigabitEthernet1/0/2 status
commands exec include show interfaces GigabitEthernet1/0/1 status
commands exec include show interfaces Null0 status
commands exec include show interfaces
commands exec include show configuration
commands exec include show
commands configure include interface GigabitEthernet1/0/1
commands configure include interface GigabitEthernet1/0/2
commands configure include interface GigabitEthernet1/0/3
commands configure include interface GigabitEthernet1/0/4
commands configure include interface GigabitEthernet1/0/5
commands configure include interface GigabitEthernet1/0/6
commands configure include interface GigabitEthernet1/0/7
commands configure include interface GigabitEthernet1/0/8
commands configure include interface GigabitEthernet1/0/9
commands configure include interface GigabitEthernet1/0/10
commands configure include interface GigabitEthernet1/0/11
commands configure include interface GigabitEthernet1/0/12
commands configure include interface GigabitEthernet2/0/1
commands configure include interface GigabitEthernet2/0/2
commands configure include interface GigabitEthernet2/0/3
commands configure include interface GigabitEthernet2/0/4
commands configure include interface GigabitEthernet2/0/5
commands configure include interface GigabitEthernet2/0/6
commands configure include interface GigabitEthernet2/0/7
commands configure include interface GigabitEthernet2/0/8
commands configure include interface GigabitEthernet2/0/9
commands configure include interface GigabitEthernet2/0/10
commands configure include interface GigabitEthernet2/0/11
commands configure include interface GigabitEthernet2/0/12
ntp logging
ntp clock-period 36028961
ntp server 10.10.1.33
ntp server 10.10.1.34
end
Thanks!!!!
DBelt -
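As an added example (not from the thread above), this is how the "priv3" parser view posted there can be expressed as a classic privilege level on a switch without view support, with the 2955s matched by a separate NPS policy so the view-based 2960s/3750s are left untouched. Assumptions: privilege level 3 is unused, NPS can be made to return shell:priv-lvl=3 only to the 2955s (e.g. by a Client IPv4 Address condition), and the secret is a placeholder.

```cisco
! Added example, not the poster's config: privilege-level equivalent of the
! "priv3" parser view for a platform that does not support "parser view".
!
! --- RADIUS side (NPS, Cisco-AVPair vendor attribute) ---
!   Network policy for the 2955s only (condition: Client IPv4 Address of
!   each 2955), AD group priv3   -> shell:priv-lvl=3
!                              AD group admins  -> shell:priv-lvl=15
!   The existing policies returning cli-view-name=priv3 stay in place for
!   the 2960s/3750s, so those switches keep behaving as before.
!
! --- Switch side (2955) ---
aaa new-model
aaa authentication login default group radius local
aaa authorization exec default group radius local
!
! Local fallback user at the same level as the RADIUS result. This is the
! line where "view priv3" would be rejected on a switch without view support.
username priv3users privilege 3 secret PRIV3-SECRET-PLACEHOLDER
!
! Exec commands lowered from level 15 to level 3. Levels are cumulative:
! level 3 keeps everything at level 1, and any level-15 command that is
! not listed here stays unavailable to a level-3 session. Setting a
! multi-word command also sets its parent words ("show ip", "show").
privilege exec level 3 show ip interface brief
privilege exec level 3 show ip interface
privilege exec level 3 show arp
privilege exec level 3 show interfaces status
privilege exec level 3 show privilege
privilege exec level 3 configure terminal
!
! Allow entering interface configuration, and inside it only shutdown.
! Assumption: the "no shutdown" form follows the level of the command it
! negates; confirm with a test login and "show privilege" before rollout.
privilege configure level 3 interface
privilege interface level 3 shutdown
!
! Deliberately not lowered: "show running-config" / "show configuration",
! which the view version grants. Keeping them at 15 keeps configuration
! review (including the type 7 RADIUS keys) an admin-only task.
```

A level-3 login should land at `show privilege` = 3 with no enable prompt; if it lands at level 1, the exec authorization line or the NPS policy match (not the view) is what to debug.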
Hopefully this example suffices.
Setup
SQL> CREATE USER test IDENTIFIED BY test;
User created.
SQL> GRANT CREATE SESSION TO test;
Grant succeeded.
SQL> GRANT CREATE PROCEDURE TO test;
Grant succeeded.
SQL> CREATE ROLE test_role;
Role created.
SQL> GRANT CREATE SEQUENCE TO test_role;
Grant succeeded.
SQL> GRANT test_role TO test;
Logged on as test:
SQL> CREATE OR REPLACE PACKAGE definer_rights_test
2 AS
3 PROCEDURE test_sequence;
4 END definer_rights_test;
5 /
Package created.
SQL> CREATE OR REPLACE PACKAGE BODY definer_rights_test
2 AS
3 PROCEDURE test_sequence
4 AS
5 BEGIN
6 EXECUTE IMMEDIATE 'CREATE SEQUENCE test_seq';
7 END;
8 END definer_rights_test;
9 /
Package body created.
SQL> CREATE OR REPLACE PACKAGE invoker_rights_test
2 AUTHID CURRENT_USER
3 AS
4 PROCEDURE test_sequence;
5 END invoker_rights_test;
6 /
Package created.
SQL> CREATE OR REPLACE PACKAGE BODY invoker_rights_test
2 AS
3 PROCEDURE test_sequence
4 AS
5 BEGIN
6 EXECUTE IMMEDIATE 'CREATE SEQUENCE test_seq';
7 END;
8 END invoker_rights_test;
9 /
Package body created.
SQL> EXEC definer_rights_test.test_sequence;
BEGIN definer_rights_test.test_sequence; END;
ERROR at line 1:
ORA-01031: insufficient privileges
ORA-06512: at "TEST.DEFINER_RIGHTS_TEST", line 7
ORA-06512: at line 1
SQL> EXEC invoker_rights_test.test_sequence;
PL/SQL procedure successfully completed.
SQL> SELECT test_seq.NEXTVAL from dual;
NEXTVAL
1
-
Difference between ID and Role based Administration - Firefighter 5.3
In GRC AC 5.3 Firefighter, security guide, there are two sections for role design,
1. Firefighter Role based Administration
2. Firefighter ID based Administration
Can someone explain what is the difference between the two?
I have read the documentation, but it does not have a clear description of the
differences between the two.
Please help.
Thanks
Hi Prakash,
Though both of them eventually achieve the same function, that is giving access rights to the user for a certain period under monitoring, they differ based on the following:
1. Firefighter Role based Administration
You identify a particular role as a firefighter role and give it to the user.
2. Firefighter ID based Administration
You create a separate user altogether and give the normal dialog user, the access to this user's authorization.
For the implications that both of these have and the differences or comparisons between using 1 & 2, I would suggest you do a bit of mock testing for both of these. Also, there are a lot of posts related to this on the forum already, which you can refer to for getting a more detailed idea on this topic. Ultimately, it depends from organization to organization which methodology they follow as per what suits them, according to the features which both have. But generally what is preferred is number 2.
Regards,
Hersh. -
Weblogic security & EJB role based access
How does (or not) weblogic security tie into the EJB notion of role based
control ? Can we create a 'custom' security mechanism for EJB (which
basically uses the EJB facilities but extends it within the application) by
using custom weblogic realms ?
Thanks
Raju
Thanks !
"Terry" <[email protected]> wrote in message
news:[email protected]...
comments inline
r <[email protected]> wrote in message
news:[email protected]...
Here are some more specific questions around an 'example' scenario:
The application has an entity bean 'Account' that can be accessed by the roles 'Bank Employee' and 'Customer'.
'Bank Employee' can execute the 'getBalance()' and 'placeOnHold()' methods on the 'Account' bean.
'Customer' can execute the 'withdraw()', 'deposit()', and 'getBalance()' methods on the 'Account' bean.
These permissions are set up through the deployment descriptor by mapping the 'Bank Employee' and 'Customer' roles to the particular bean methods that the role should be given access to.
1. How does weblogic provide the facility to map the EJB deployment descriptor <security-role> to a particular weblogic principal (user or group)? Or, should I say, how do I map the user or group to a deployment-descriptor defined role?
In the deployment tool, once in the jar select the 'Security' item, create an application role (in your case it is probably best to create 2 security roles - the bank employee role referring to the bank employee group (use the 'in role' checkboxes), and the customer role referring to the customer group - there may at some point be use for an allUsers role, which includes both groups, maybe not. What I am saying is that a role is made of one or more Principals - in our case groups).
In the Account Bean select the method permissions item, and create a method permission perm-0, select the perm-0 item that has just popped up in the left hand window, tick the box for placeOnHold(), and the boxes for <remote> and <home> one level deeper than this in the tree (as an aside, I have absolutely no idea why there would be a 'home' box here, ho hum). Select the 'bank employee' 'can invoke' tickbox.
Create perm-1, and do what you did above for the 'withdraw()' and 'deposit()' methods, and the 'customer' tickbox.
I believe the documents say you would have to set up another permission to allow both groups access to the getBalance method, but in practice I haven't found this the case.
The documentation for this is at http://www.weblogic.com/docs51/classdocs/API_ejb/EJB_deploy.html#1102211 (or search for 'Deploying EJBs with DeployerTool').
2. Are there any administrative tools provided by weblogic to do this mapping?
The deployer tool. Otherwise I think it's the case of writing your own xml files.
3. How much effort & complexity is involved in creating a custom realm?
Hmmm, depends - you could have the RDBMSRealm that is provided in 'examples' in half an hour or so (there is a problem with one of the RDBMSUser's methods - getUserType or something like that - the solution can be found in the newsgroups if you search), the same is probably true of the LDAPRealm, NTRealm etc (although I have never used these).
Which one you choose depends on what equipment you have available, although I would say that the RDBMSRealm can use a lot of optimisation.
Thanks,
Welcome
Raju
"Terry" <[email protected]> wrote in message
news:[email protected]...
The Principals (i.e. groups and users) from your custom realm are used to define application roles for the EJBs, but, as far as I am aware, you cannot use a custom implementation for the ACLs for EJBs.
terry
r <[email protected]> wrote in message
news:[email protected]...
How does (or not) weblogic security tie into the EJB notion of role based control? Can we create a 'custom' security mechanism for EJB (which basically uses the EJB facilities but extends it within the application) by using custom weblogic realms?
Thanks
Raju -
OBIEE SSO enabling and role based reporting
Hi,
I had installed SOA 10.1.3.1.0 and OBIEE 10.1.3.4.0 already on my Windows machine. I understand that I need to install the 10.1.4 infrastructure to enable SSO in OBIEE; can you please tell me what the 10.1.4 infrastructure is? Is it equivalent to Oracle Identity Management Infrastructure and Oracle Identity Federation 10.1.4? I tried to download this from OTN since last night, but the page is always inaccessible. Where can I download the 10.1.4 infrastructure other than OTN?
I have another question regarding role-based reporting with SSO. We want users to see different reports based on their roles once they log in. What options do we have to implement this? From my understanding, we need to maintain a user-role mapping table in our database, create groups in OBIEE and map the user role to the group in OBIEE? Is that true? Are there other options? Is there an existing product we can use to implement this?
Thanks,
Menghave a look on page 137 and further http://download.oracle.com/docs/cd/E10415_01/doc/bi.1013/b31770.pdf
-
We have a pair of 5520 firewalls with a traditional setup of AAA VPN authentication on the backend. We are looking to do some proof of concepts with a certificate based VPN and the AnyConnect client on startup.
To set this up, I have my existing VPN profile that has AAA authentication and created a new VPN profile for certificate based authentication. I also have the ASA set up so the user is allowed to choose which profile they want to connect to.
However, once I create my certificate based VPN profile, any client that doesn't have a certificate fails to connect because they don't have a valid certificate, without having the option to choose the AAA only profile. If a machine does have a certificate, they then get the option to choose the AAA or certificate based profile.
Is there any way to set up the ASA to accept clients without a certificate to use the AAA authentication while still having the certificate based profile enabled for doing a proof of concept?
Thanks
Hi CrankyMonkey,
The 9.4 image includes new features for SSL/TLS that might be impacting your certificate authentication.
"Elliptic curve cryptography for SSL/TLS—When an elliptic curve-capable SSL VPN client connects to the ASA, the elliptic curve cipher suite will be negotiated, and the ASA will present the SSL VPN client with an elliptic curve certificate, even when the corresponding interface has been configured with an RSA-based trustpoint. To avoid having the ASA present a self-signed SSL certificate, the administrator needs to remove the corresponding cipher suites using the ssl cipher command. For example, for an interface configured with an RSA trustpoint, the administrator can execute the following command so that only RSA based ciphers are negotiated"
As a workaround you can try to use the following cipher configuration and check if it works.
ssl cipher tlsv1.2 custom "AES256-SHA:AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:RC4-SHA"
Reference link
http://www.cisco.com/c/en/us/td/docs/security/asa/asa94/release/notes/asarn94.html
Rate if it helps.
-Randy
-
Role Based Access Control and FIM
Hi,
Would these statements about RBAC and FIM (not BHOLD) be true:
RBAC in FIM Sync is essentially governed by the built-in FIM Groups (e.g. FIMSyncAdmins, etc)
RBAC in FIM Portal is essentially governed by FIM Portal Sets & MPRs
Thanks,
SK
PS. not looking at BHOLD above, just FIM
This can be true in a narrow sense, if we are just thinking of access to FIM and not of the managed organizational resources.
FIM Synch:
Through FIM Synch groups, we are just controlling the access to the FIM Synch service. We are not separating access based on roles (say organizational role).
For FIM Portal, again it can be true if we are thinking of access to FIM Portal only and not the managed organizational resources.
Thanks,
Mann