AAA, different groups, different roles, same equipment

Hello,
I have a tricky authentication case to submit:
My users are on Active Directory in two groups
- VPN Users
- Network admins
The groups are mirrored (bound) in the ACS.
I have a PIX configured as a VPN server. Both the VPN users and the network admins are authenticated by ACS (RADIUS for VPN, and TACACS+ or RADIUS for admins).
I only want my network admins to be able to log on to my PIX, and only my VPN users to be able to connect by VPN.
Here's the question:
how do you segregate those two groups so they only have access to what's permitted for them? NAR doesn't work because only the PIX does the requests....
Right now, as configured above, both groups can do everything.
thanks for your help
Antoine

Hi
Try this. In the VPN group create an IP-based NAR that doesn't permit anything. This will get applied to any TACACS+ device admin type authentication.
In the admin users group, create a CLI/DNIS NAR that doesn't allow anything.
Generally, IP NARs get applied to TACACS+ and DNIS/CLI to RADIUS.
In theory a T+ login from a VPN user will get filtered and a RADIUS login from an admin user will get filtered.
The possible stumbling point is how ACS applies the NAR to RADIUS VPN authentications. It uses some tortuous logic, but generally:
if ip address in authen rq ---> apply ip filter
if no ip address ----> apply dnis/cli filter
fingers x'd the VPN auths don't include Framed-IP-Address!!
Don't think even ACS v4.0 helps a huge amount, because network access profiles (NAP) are RADIUS only.
Darran
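To make the two-NAR trick and its stumbling point concrete, here is an added example (not part of the original thread and not ACS code) that models the NAR selection logic Darran describes: an IP NAR is consulted when the authentication request carries an IP address, otherwise the CLI/DNIS NAR is. Group names, usernames, the `client_ip` field and the `permit_any` flag are constructed for the model; the last scenario shows what happens if the RADIUS VPN request does carry Framed-IP-Address.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed model of how ACS picks a NAR, following the thread:
#   IP address present in the authen request  -> apply the IP NAR
#   no IP address in the request              -> apply the DNIS/CLI NAR
# TACACS+ device-admin logins carry the client IP; RADIUS VPN logins
# normally do not (unless Framed-IP-Address is included).


@dataclass
class AuthRequest:
    user: str
    protocol: str                   # "tacacs+" (PIX admin) or "radius" (VPN)
    client_ip: Optional[str] = None  # hypothetical field: IP seen in the request
    dnis: Optional[str] = None       # hypothetical field: called-station info


@dataclass
class Nar:
    kind: str          # "ip" or "cli_dnis"
    permit_any: bool   # False models a NAR that "doesn't permit anything"


# Constructed group definitions, mirroring the suggested setup:
#   VPN users      -> IP NAR that denies everything (blocks their T+ logins)
#   network admins -> CLI/DNIS NAR that denies everything (blocks their VPN logins)
GROUP_NARS = {
    "vpn-users": [Nar("ip", permit_any=False)],
    "network-admins": [Nar("cli_dnis", permit_any=False)],
}

USER_GROUP = {"alice-vpn": "vpn-users", "bob-admin": "network-admins"}


def applicable_nar_kind(req: AuthRequest) -> str:
    """Which NAR type ACS consults for this request (per the thread's rule)."""
    return "ip" if req.client_ip else "cli_dnis"


def authorize(req: AuthRequest) -> Tuple[bool, str]:
    """Return (permitted, reason) after applying the group's matching NAR."""
    group = USER_GROUP.get(req.user)
    if group is None:
        return False, "unknown user"
    kind = applicable_nar_kind(req)
    for nar in GROUP_NARS[group]:
        if nar.kind == kind and not nar.permit_any:
            return False, f"{kind} NAR in group '{group}' denies the request"
    return True, f"no restricting {kind} NAR in group '{group}'"


def scenarios() -> dict:
    """The four intended cases plus the Framed-IP-Address stumbling point."""
    return {
        # VPN user tries a TACACS+ login to the PIX: request has an IP -> IP NAR -> denied
        "vpn_user_tacacs": authorize(
            AuthRequest("alice-vpn", "tacacs+", client_ip="192.0.2.10")),
        # Admin tries a RADIUS VPN login: no IP -> CLI/DNIS NAR -> denied
        "admin_radius_vpn": authorize(
            AuthRequest("bob-admin", "radius", dnis="vpn")),
        # Admin logs in to the PIX over TACACS+: admins have no IP NAR -> permitted
        "admin_tacacs": authorize(
            AuthRequest("bob-admin", "tacacs+", client_ip="192.0.2.10")),
        # VPN user connects over RADIUS without an IP attribute -> permitted
        "vpn_user_radius": authorize(
            AuthRequest("alice-vpn", "radius", dnis="vpn")),
        # Stumbling point: if the RADIUS VPN request carries Framed-IP-Address,
        # ACS applies the IP NAR and the legitimate VPN user is locked out.
        "vpn_user_radius_with_framed_ip": authorize(
            AuthRequest("alice-vpn", "radius", client_ip="10.0.0.5", dnis="vpn")),
    }


if __name__ == "__main__":
    for name, (ok, why) in scenarios().items():
        print(f"{name:34} {'PERMIT' if ok else 'DENY  '} ({why})")
```

The last scenario is the check to run before relying on this: if the VPN authentication requests seen in the ACS logs carry an IP attribute, the deny-all IP NAR in the VPN group will fire on the VPN logins themselves, not just on the TACACS+ attempts it was meant to block.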

Similar Messages

  • AAA server group tag

    is the "AAA server group tag" the same as the proxy distribution entry.
    trying to setup my asa for tacacs+
    cisco# aaa-server ?
    WORD < 17 char Enter a AAA server group tag

    I hope I get your question correctly. The AAA group tag is local to the AAA Client and has nothing to do with the AAA Server (e.g. ACS). It is meant to group more than one TACACS/RADIUS server.
    Proxy Distribution Table is used when you have Multiple ACS servers and you want to route incoming AAA requests to particular server(s) based on pre-defined criteria. Like user1@NY should be redirected to the NewYork ACS.
    Regards
    Farrukh

  • System needs to approve automatically when the same user has different role

    Hi Gurus,
    My issue relates to approval in Shopping cart.
    Say this is my Issue.
This is the approval determined by the system.
1 - X
2 - Y
3 - Z
4 - X
5 - Y
    X & Y are the Same user but with different role in the Approvals.
First time 'X' would get the cart to approve it manually but second time the system should automatically approve it. Same should happen for 'Y' as well. So now both X & Y need to approve the cart only once.
Please advise me how to approach this issue, or if anyone has experienced the same kind of issue please let me know how to resolve it.
    Thanks for your time to spend on it.
    Thanks,
    SNMPkumar

    Hi,
    You can handle it with N-Step BADI Workflow.
    Regards,
    Masa

  • Urgent! Assigning (or linking) the same workbook into two different roles

    Hi Gurus,
Could you tell how to link the same workbook to two different roles.
I am assigning the same workbook to two different roles, but in the second role the workbook is displaying with a different structure than in the first role. I want the workbook to be displayed with the same structure in both the roles.
This is urgent.
    Thanks in advance.
    Best regards
    Hari

    Hello hari,
Both the roles should display the same layout for a single workbook.
    please ensure that both the users(with these 2 roles) have similar (all the other)authorisations.
    it's possible that one of the users may have further restrictions in authorisations. check out for z-authorisation objects if any.
    hope it helps..
    thanks,
    (*Don't forget to Assign points on SDN)

  • Creating Equipment With Same Equipment No. In Different Maintenance Plant

    Dear Gurus,
    Is it possible to create equipment with same equipment No. (external Numbering) in different maintenance plant of same company code?
We have 2 plants, plant 1000 & plant 1100 & the geographical locations are different. These 2 manufacturing plants belong to the same company code. We have implemented the plant maintenance system for plant 1000 & now want to roll out the same system at plant 1100. In plant 1000 we have equipment with equipment No. M323 (External Number). Now we want to create equipment with the same no. in plant 1100. How can this be done? Or is it necessary to have a different no.? Please advise.
    Regards,
    Abhijit Khandekar

    Dear Friend
    As Equipment master data is client specific, you cannot have the same equipment number for same category of equipment, though plants are different.
    Yes, you can do it if equipment categories are different.
    I hope this will resolve your query if not let me know.
    Regards
    Makarand Gurjar
    SAP PM consultant

  • Same user different roles within different organizations

    Hello All,
    We have requirement where Same user has to have different roles within different organizations.
    What will be the solution to handle this situation using SUN IDM ?
    Any inputs are greatly appreciated.
    Thanks,
    Akeel

    Let me simplify this,
    We have requirement where a user can work for different organizations , which can be achieved in SIM using membership rules.
    Say a user works for two organizations Say Org1 and Org2.
    The user can have different roles in these 2 different organizations. For example user can have Role1 in Org1 and Role2 in Org2.
    Role1 and Role2 both are available for assignment for respective admins of both Org1 and Org2.
    Suppose Admin of Org1 assigns the user Role1; and admin of Org2 assigns the user Role2.
    Now waveset.roles will have Role1 and Role2, but it can not tell the user has which role in which organization.
How do I specify the relationship between the role and organization? The number of organizations is very large (70000+) and the number of identified roles around 51.
I don't think this can be implemented in Sun Identity Manager. Has anybody done this? Any inputs are highly appreciated.
    Regards,
    Akeel

  • How to delete one same object from different roles

    I need to delete one auth object from different roles. Could anyone please advise me how I can do this and if there will be any complications involved with this.
    Best regards:
    Maq

In PFCG, it may be that you have added some objects manually. To remove them you will have to go to PFCG.
Even if you first remove the objects from SU24, you will have to go to all the roles through PFCG to generate them in expert mode by selecting the third option (read old status and merge with new data).

  • Different role types. Was: "Hi sap gurus"

    define and differentiate the following types of roles
    1.single role
    2.composite role
    3.derived role
    4.child role
    5.parent role
Message was edited by: Moderator
Please use meaningful thread subject titles.

    Hi
There are 5 types of Roles:
1) Single Role.
2) Composite Role. (Max 164 Single Roles can be attached to one Composite Role)
3) Derived Roles.
4) Orphans Role.
5) Reference Roles.
Composite roles
    A composite role is a container with several different roles. For reasons of clarity, it does not make sense and is therefore not allowed to add composite roles to composite roles. Composite roles are also called roles.
    Composite roles do not contain authorization data. If you want to change the authorizations (that are represented by a composite role), you must maintain the data for each role of the composite role. Creating composite roles makes sense if some of your employees need authorizations from several roles. Instead of adding each user separately to each role required, you can set up a composite role and assign the users to that group. The users assigned to a composite role are automatically assigned to the corresponding (elementary) roles during comparison.
    The menu tree of a composite role is, in the simplest case, a combination of the menus of the roles contained. When you create a new composite role, the initial menu tree is empty at first. You can set up the menu tree by choosing Read menu to add the menus of all roles included. This merging may lead to certain menu items being listed more than once. For example, a transaction or path contained in role 1 and role 2 would appear twice. If the set of roles contained in a composite role changes, the menu tree is also affected. In such a case, you can completely rebuild the menu tree or process only the changes. If you choose the latter option, the Profile Generator removes all items from the menu, which are not contained in any of the roles referenced. It is possible (and often necessary) to change the menu of a composite role at any time. You adjust these menus in the same way as the menus for roles.
Derived roles
    Derived roles refer to roles that already exist.  The derived roles inherit the menu structure and the functions included (transactions, reports, Web links, and so on) from the role referenced.  A role can only inherit menus and functions if no transaction codes have been assigned to it before.
    The higher-level role passes on its authorizations to the derived role as default values, which can be changed afterwards.  Organizational level definitions are not passed on. They must be created anew in the inheriting role. User assignments are not passed on either. Derived roles are an elegant way of maintaining roles that do not differ in their functionality (identical menus and identical transactions) but have different characteristics with regard to the organizational level.
    The menus passed on cannot be changed in the derived roles.  Menu maintenance takes place exclusively in the role that passes on its values. Any changes immediately affect all inheriting roles. You can remove the inheritance relationship, but afterwards the inheriting role is treated like any other normal role. Once a relationship is removed, it cannot be established again.
    In real time scenario Roles and Authorizations are primarily based on Company codes in many cases and in some scenarios are also based on Cost centers or divisions etc. IN such scenario, a Master role is created and many child roles are created with relevant Organizational levels added to the same. So any change to the master role would be drilled down to Child roles and hence it would avoid a lot of Maintenance overhead.
    E.g.: Master Role -- Z_SAP_FI_BUYER_000
    Child Role1 -- Z_SAP_FI_BUYER_CC1
    Child Role 2 -- Z_SAP_FI_BUYER_CC2
    Child Role 3 -- Z_SAP_FI_BUYER_CC3
Orphans Role
Orphans Roles are stand-alone roles and are many a times required for IS uses. So a System Admin role, a Security Auditor role and many other special roles mainly not used on the business side are created as ORPHANS. This role limits the user to a particular organization.
Reference Role
    They are SAP standard Roles.
    Reward points if helpful

  • 1 workbook in 2 different roles in BI7.0

    Is it possible to publish the same workbook in 2 different roles in BI7 ?
    I would like that all modification done on the workbook in the first role would be automatically done on the workbook in the second role (because it's not a copy but just a publication).
    Please, give me a solution in NetWeaver ?

Hi Srikumar,
Yes, I understood your requirement. We cannot use Static ID.
My method should work.
You have to create two buttons for 2 different regions,
and use the button requests in your MRU process as mentioned above.
So if Administrators log in and click the button in region X, it will call the MRU process.
If end users log in and click the button in region Y, it will also call the MRU process.
You don't need two processes.
    Sreenithi

  • Different material- same valuation class-same movement type - but should hi

    dear all,
    Different material- same valuation class-same movement type - but should hit different gl account.
The requirement is that the materials are different but have the same valuation class. Now during issue certain G/L accounts are hit because of val. grouping code, account modifier and account determination in the mov. type. Now my question is: can I use the same movement type and hit a different G/L account for materials having the same val. class???
Is it possible??

    Hi,
    In OBYC, we maintain G/L account for the transaction key (for ex: GBB) for the combination of Val. grouping code, Valuation class & account modifier (ex: VBR - determined via mov.type).
    As per your requirement, Materials have the same valuation class and you are using the same mov.type for Goods Issue, so only option is to use different val.grouping code (which is assigned to a valuation area).
    So in short, you can trigger different G/L for the different materials with same val class, mov.type only if the Plant - valuation area is different.
    If the Plant is same then system will always determine the same G/L even though materials are different.
    Hope it is clear.
    Thanks & Regards,

  • How to create different roles into a single profile

    Hi All,
I would like to create different roles and add all of them to a single profile. But when I try, it is asking for a profile name for every role that I create.
    I have also tried to give the same profile name while creating a second role, but it is giving me error that the profile name already exists.
    Can someone help to get some clarity on this?
    Thanks
    Vijay

    Hi,
    I agree with you. But, whenever I try to create a single role, it is asking for a profile name that has to be assigned to that particular single role. I cannot go further until I give a profile name.
    How can I create a single role without creating a profile?
    Thanks
    Vijay

  • Multiple UWL for the single user with different Role

Dear SAP Gurus,
We have one critical requirement on the Universal Worklist. As a functional requirement, some approvers will play different roles as approver, and we need to track the approver inboxes separately for the same person.
For example:
Approver A - is a Purchase Executive (Role)
Approver B - is a Purchase Manager (Role)
Every time Approver A has to access his approval requests separately (belonging to Approver A) and take action, as well Approver A has to see Approver B's action items separately and take action.
Currently we have 4 levels available and a single person has to take action based on the 4 different Approvers (Role).
Is there any workaround for the above requirement?
    Thanks in advance,
    Vinod
    Edited by: Vinod Malagi on Jul 20, 2010 3:33 PM

    Hi Karri,
The same requirement I want to tweak by adding one more column in the UWL by enhancing the BOR.
I have tried with the below; can you please suggest whether it can be done by virtual attributes.
Once data is coming in the UWL I will put 3 custom filters.
We need to add a new column in UWL, which is present in table SWWORGTASK; in this we have to pass WI_ID and get ORG_OBJ and populate it as a column in UWL.
Please suggest how we can implement this. Do we need to create a virtual attribute in the BOR for the same?
As we have referred to the below link, we are not able to implement the same. Kindly suggest.
    http://www.erpgenie.com/sap/abap/bor.htm
    Thanks in advance
    Vinod

  • Avoid to have several different Roles to maintain

    Hi ,
I'm new to portal admin/development. Until now, when we have a new "functionality" we copy an existing portal role and remove or add "pages"/"iViews" to it. So we have many roles which are very similar and that becomes challenging to maintain.
Is there another solution (Portal framework) to hide or allow some "pages"/"iViews" to users without having to create and assign different roles?
For the moment role A can have pages 1,2,3,4,5,6,7 and role B will = role A without page 7.
Any presentations or information will be welcome.
Regards

This seems to be a design related problem; think about your design carefully. You can group the users in Groups and assign roles to the Groups.
I won't call it a solution, because it will have a very high performance impact, but you can keep a role with common content, and then at runtime you can add iView/Page.
    regards
    Prashant

  • Transactions available to different roles

    Hi all,
    I've been asked to do some research on the transactions available to different roles and would greatly appreciate any help anyone can give.
    What I am looking for is a full list of transactions/rights attached to
    SAP_CA_AUDITOR_SYSTEM user
    SAP* user
    DDIC user
    If anyone could point me in the right direction that'd be great

As far as I know, T.Code SUIM should give you your desired results.
I am working on 4.6B, so change the nomenclature of Activity Group to Roles in your system.
    Just follow the path
    SUIM --> Activity Groups --> By Activity Group Name --> enter your activity group "SAP_CA_AUDITOR_SYSTEM" --> Execute (F8) -->  then click on "User Assignment" option.
    Reward Points if it helps,
    Regards,
    N

  • I set up my new computer using the apple ID i always use, and then later migrated all my files from my old mac book to the same new one, but under a different user (same ID). how do i consolidate the two users on my new mac book?

I set up my new computer using the Apple ID I always use, and then later migrated all my files from my old MacBook to the same new one, but under a different user (same Apple ID). How do I consolidate the two users on my new MacBook?

Well, if you use the Finder Go menu to Computer, a window opens up; double click on your boot drive and then on the Users folder, open the other user folder and open Public and drop your files into DropBox.
When you do this it will copy them and change the permissions and user assigned to them, so log into the other user and place them into your respective normal folders.
Once you have all your files over and don't need the old user, use System Preferences > Accounts to delete it if you wish; however, it's good to have two Admin accounts on the machine in case something bad happens in the other. Some people, for security reasons, only use a Standard account for most uses and an emergency Admin account.
One can still do most Admin things in a Standard user.
