Access Control, finer control of standard options.....

Hi, it is good to be able to place time limits on wireless access for those using my wireless access points.
Am wondering though, is it possible to specify a total daily/weekly time limit, (a cumulative or rolling three hours in total per day for example as opposed to between 19:00 and 22:00)?
Is there some Terminal trickery that exists?
Thanks.

Dear Andg and Himadama,
The most recent SAP GRC Access Control 5.3 Installation Guide, published September, 2009, references the break-down of JCo connector information in Section 5. Post-Installation Configuration:
5.1.1 Creating JCo Connections to Backend Systems:
http://www.service.sap.com/
http://service.sap.com/swdc
http://help.sap.com
http://service.sap.com/bestpractices
http://www.sap.com/bestpractices
Perhaps this excerpt may clarify the utilization options for SAP JCo connections in GRC Access Control 5.3 as of SP09.
Thank you,
Shiela
Edited by: Shiela Maria Mangravito on Apr 1, 2010 1:50 PM

Similar Messages

  • MAC address access control

    Why does my airport express/time capsule show more wireless clients than I've authorized via the MAC address access control?

    Sorry, but I have to re-awaken this old thread.
    1. I recently purchased a new iPad.
    2. With a) a hidden SSID, b) a MAC address-based access control list and c) a WPA2 secured network, I am assuming that no new device should be able to access my WiFi network.
    3. When I got home with the new iPad on Friday evening, and started it, it was online without even asking me whether to connect, or what the WPA2 key was.
    I find this strange.
    Additional information:
    4. I also have an iPhone 4S.
    5. I used the personal hotspot feature of the iPhone 4S to connect the WiFi-only iPad to the Internet while on the road.
    6. That personal hotspot feature was still enabled when I got home with the iPhone and the new iPad.
    7. Home network setup:
    7a) Fritz.Box 7270 as DSL modem/router (WiFi disabled)
    7b) Apple Airport Extreme (v 7.6.4) connected via LAN to DSL router, (in bridge mode, create wireless network), Access control on this base station.
    7c) Apple Airport Express (v 7.6.4) connected to Airport Extreme via WiFi (extend wireless network), Access control not an option on this base station.
    8. Native IPv6 enabled on all devices (and provided by ISP).
    Any suggestion and help is highly appreciated.

  • NWBC no option "Access Control" - can't start working with GRC 10.0

    I have installed GRC AC 10.0 and have followed the post-installation documentation. All seems to be fine so far.
    But when I run NWBC, I do not get the Icon/Option "Access Control".
    What can go wrong? My user has sap_all and sap_grac_all, so it shouldn't be the access rights...what else can I check?

    I have installed GRC AC 10.0 and have followed the post-installation documentation. All seems to be fine so far.
    But when I run transaction NWBC, the web-browser (Iexplorer) opens the HTML-NWBC, but I do not get the Icon/Option "Access Management". I see this option however on the screenshots of the documentation. And it seems to be the only way to work with the application - or can I work directly within SAP-GUI ?
    I see however the Icons "Office", "Cross-Application Components", "Accounting", "Information Systems", "Tools" and I can well drill down into the submenus and use the functionality.
    What can go wrong? My user has sap_all and sap_grac_all assigned, so it shouldn't be the access rights...what else can I check? any ideas are welcome... - thanks in advance...

  • Concept and usage of FINE GRAINED ACCESS CONTROL (FGAC) using DBMS_RLS (8i ~ 10g)

    Product : ORACLE SERVER
    Date written : 2005-11-23
    Concept and usage of FINE GRAINED ACCESS CONTROL (FGAC) using DBMS_RLS (8i ~ 10g)
    =====================================================================
    PURPOSE
    Starting with 8i, FGAC (Fine Grained Access Control) makes it possible to specify
    row-level security and context, so that even when several users query the same
    table, each user sees only their own data, or only data meeting different
    conditions within a particular time range, and so on.
    This is also referred to by the term VPD (Virtual Private Database), and it is
    used by creating a policy and a predicate through the dbms_rls package.
    Explanation & Examples
    FGAC grants security and context at the row level; in effect it transparently
    adds a WHERE clause condition to the SQL statement being executed.
    The WHERE condition added in this way is called the predicate.
    1. A simple FGAC example
    We present an example that, for scott's emp table, shows only the rows whose
    ename matches the logged-in username. We also include a way for users holding
    a role called super_user to see the entire emp table.
    (1) Grant scott execute privilege on the dbms_rls package.
    SQL> grant execute on dbms_rls to scott;
    (2) Create a few users corresponding to ename values in the emp table and grant them privileges.
    SQL> create user king identified by king;
    SQL> create user adams identified by adams;
    SQL> grant connect to king, adams, james;
    SQL> connect scott/tiger
    SQL> grant select on emp to king, adams, james, eykim;
    (3) In the scott user, create a function that contains the predicate, as follows.
    SQL> connect scott/tiger
    SQL> create or replace function predicate
    (obj_schema varchar2, obj_name varchar2)
    return varchar2 is d_predicate varchar2(2000);
    BEGIN
    d_predicate := 'ename = sys_context (''USERENV'', ''SESSION_USER'')';
    RETURN d_predicate;
    END predicate;
    /
    Check from the scott user that the policy predicate was built correctly, as follows.
    SQL> select predicate('dummy','dummy') from dual;
    PREDICATE('DUMMY','DUMMY')
    ename = sys_context ('USERENV', 'SESSION_USER')
    (4) Run the following statement as the system or scott user.
    The parameters, in order, mean object_schema, object_name, policy_name,
    function_schema, policy_function. There are further parameters, but the
    rest use their default values.
    SQL> exec dbms_rls.add_policy('scott', 'emp', 'pol1', 'scott', 'predicate');
    If a policy with the same name already exists, it can be dropped and
    recreated as follows.
    SQL> exec dbms_rls.drop_policy( 'SCOTT', 'EMP', 'pol1' );
    (5) Connect as a user such as king or scott and query the emp table.
    SQL> connect king/king
    SQL> select * from scott.emp;
    EMPNO ENAME JOB MGR HIREDATE SAL COMM DEPTNO
    7839 KING PRESIDENT 17-NOV-81 5000 10
    SQL> connect scott/tiger
    SQL> select * from emp;
    EMPNO ENAME JOB MGR HIREDATE SAL COMM DEPTNO
    7788 SCOTT ANALYST 7566 19-APR-87 3000 20
    (6) Connect as a user whose name is not among the enames in the emp table and query it.
    The eykim user was granted select privilege on the emp table in step (2).
    SQL> connect eykim/eykim
    SQL> select * from scott.emp;
    no rows selected
    (7) Create a role called super_user and modify the policy function so that
    every user holding this role can query all the data.
    SQL> grant select on dba_role_privs to scott;
    SQL> create or replace function predicate (obj_schema varchar2, obj_name varchar2)
    return varchar2 is d_predicate varchar2(2000);
    counter number;
    begin
    select count(*) into counter
    from dba_role_privs
    where granted_role='SUPER_USER'
    and grantee = sys_context ('USERENV', 'SESSION_USER');
    if counter = 1 then
    d_predicate := '';
    else
    d_predicate := 'ename = sys_context (''USERENV'', ''SESSION_USER'')';
    end if;
    return d_predicate;
    end predicate;
    /
    (8) Grant the super_user role to the king user and check how the result
    differs from (5).
    SQL> create role super_user;
    SQL> grant super_user to king;
    SQL> connect king/king
    SQL> select * from emp;
    EMPNO ENAME JOB MGR HIREDATE SAL COMM DEPTNO
    7369 SMITH CLERK 7902 17-DEC-80 800 20
    7499 ALLEN SALESMAN 7698 20-FEB-81 1600 300 30
    7902 FORD ANALYST 7566 03-DEC-81 3000 20
    7934 MILLER CLERK 7782 23-JAN-82 1300 10
    14 rows selected.
    RELATED DOCUMENTS
    <Note 67977.1> Oracle8i Fine Grained Access Control - Working Examples

  • Version-specific characteristics of DBMS_RLS.ADD_POLICY for FINE GRAINED ACCESS CONTROL (FGAC)

    Product : ORACLE SERVER
    Date written : 2005-11-24
    Version-specific characteristics of DBMS_RLS.ADD_POLICY for FINE GRAINED ACCESS CONTROL (FGAC)
    =======================================================================
    PURPOSE
    A brief concept and usage of FGAC, the method for managing row-level security
    and context, was presented in <bul 23026>.
    This document summarizes the version-by-version characteristics of the
    dbms_rls package for FGAC from 8i through 10g, and examines the STATIC_POLICY
    and POLICY_TYPE parameters in detail using examples.
    Explanation & Examples
    An example of the values typically given when using dbms_rls.add_policy is shown below.
    Most of these use their default values; in general only the first 5 parameters
    need to be given values.
    SQL> exec DBMS_RLS.ADD_POLICY ( -
    > object_schema => 'SCOTT', -
    > object_name => 'EMP', -
    > policy_name => 'POL1', -
    > function_schema => 'SYS', -
    > policy_function => 'PREDICATE', -
    > statement_types => 'SELECT', -
    > static_policy => false, -
    > policy_type => DBMS_RLS.DYNAMIC, -
    > long_predicate => false);
    1. FGAC characteristics by version
    (1) sec_relevant_cols/sec_relevant_cols_opt : 10g
    In addition to the add_policy procedure parameters described above, the
    following two parameters were added in 10g.
    They make the policy apply only when the relevant columns are queried;
    usage and examples can be found in <Note 250795.1> on the metalink.oracle.com
    site.
    - sec_relevant_cols
    - sec_relevant_cols_opt
    (2) long_predicate : 10g
    The default is false; when set to true, the predicate can be longer than
    4000 bytes.
    (3) statement_types : INDEX type added from 10g
    Up to 9i, FGAC could be applied to SELECT, INSERT, UPDATE and DELETE;
    from 10g, the INDEX type can also be specified.
    Specifying index makes it possible to restrict the creation of function-based
    indexes; a detailed example can be found in <Note 315687.1> on the
    metalink.oracle.com site.
    (4) EXEMPT ACCESS POLICY privilege : 9i
    To make a particular user unaffected by any fine-grained access control
    policy, grant the exempt access policy privilege; this was introduced in 9i.
    SQL> grant exempt access policy to scott;
    The privilege is granted in this form; a detailed example can be found in
    <Note 174799.1> on the metalink.oracle.com site.
    (5) Policies on synonyms : 9.2
    It became possible to set a VPD (Virtual Private Database) policy on a
    synonym; the detailed method and examples can be found in <Note 174368.1>
    on metalink.oracle.com.
    (6) static_policy : 8.1.7.4
    The static_policy parameter did not exist in 8i; it was introduced in 9i and
    also back-ported to 8.1.7.4. The default is false, and up to 8173 it always
    behaves as false: that is, the policy function is executed every time the object is accessed.
    From 8.1.7.4 this parameter can be set to true; the policy function is then
    executed once in the session, and if the function is cached in the shared pool
    it is reused without re-execution.
    From 10g the policy_type parameter described in (7) was added; instead of
    setting this parameter to true, leaving static_policy false and setting
    policy_type to dbms_rls.static gives the same result as setting
    static_policy to true in 9i and 8174.
    (7) policy_type: 10g
    The following 5 values are possible; the default is dynamic.
    - STATIC
    Used when the predicate contained in the policy function does not produce
    different results depending on the runtime environment. For example, using
    it for a predicate that returns different results depending on sysdate can cause problems.
    With static, the policy function is executed once and loaded into the SGA;
    afterwards, when the same object is used in the same session, the predicate
    result is reused without re-execution.
    - SHARED_STATIC
    Same as STATIC, but when the same predicate function is also used for other
    objects, it first looks for an already cached predicate and uses it if found.
    With STATIC, the cached value is not shared between different objects and is
    used only for the same object.
    - CONTEXT_SENSITIVE
    When the context changes within a session, the predicate is re-executed at that time.
    When a WAS (web application server) is used, connection pooling is used by
    default, in which case one session is used by several users in turn.
    If the context is set at the middle tier, the predicate is re-executed each
    time the context changes, so changed values such as sysdate or
    session_user are recalculated.
    An example of setting the context from JDBC can be found in
    <Note 110604.1> on metalink.oracle.com.
    - SHARED_CONTEXT_SENSITIVE
    Same as context_sensitive, except that, like shared_static, when the same
    predicate is used for several objects it first checks whether the same
    predicate has already been cached for another object.
    If so, that predicate result is reused until the session private application
    context changes.
    - DYNAMIC
    This value is the default. That is, the predicate function is assumed to be
    affected by the system or environment, so it is re-executed every time the
    statement runs and returns a value appropriate to the environment.
    The exact mechanism is verified below with an example using a predicate that
    returns different results depending on the sysdate value.
    2. Examples of policy function behavior depending on the static_policy and policy_type values
    (a) STATIC_POLICY => TRUE and POLICY_TYPE => NULL
    (1) If the pol1 policy already exists, drop it as follows.
    SQL> exec DBMS_RLS.DROP_POLICY ('SCOTT', 'EMP','POL1');
    (2) Create the predicate function as the scott user, as follows.
    SQL> create or replace function PREDICATE (obj_schema varchar2, obj_name varchar2)
    return varchar2 is d_predicate varchar2(2000);
    begin
    if to_char(sysdate, 'HH24') >= '06' and to_char(sysdate, 'MI')<'05' then
    d_predicate := 'ename = sys_context (''USERENV'' , ''SESSION_USER'')';
    else d_predicate := 'sal>=3000';
    end if;
    return d_predicate;
    end predicate;
    /
    (3) Add pol1 again.
    SQL> exec DBMS_RLS.ADD_POLICY ( -
    object_schema => 'SCOTT', -
    object_name => 'EMP', -
    policy_name => 'POL1', -
    function_schema => 'SCOTT', -
    policy_function => 'PREDICATE', -
    statement_types => 'SELECT', -
    static_policy => TRUE, -
    policy_type => NULL);
    (4) Query scott.emp from the adams user.
    Note that select privilege on scott.emp must first be granted to king as follows.
    SQL> grant select on emp to king;
    SQL> !date
    Thu Nov 24 14:01:13 EST 2005
    SQL> connect king/king
    SQL> select * from scott.emp;
    EMPNO ENAME JOB MGR HIREDATE SAL COMM DEPTNO
    7839 KING PRESIDENT 17-NOV-81 5000 10
    Even after 5 minutes, when the if condition of the predicate function is no
    longer satisfied, the king user gets the same rows back from the emp table.
    SQL> !date
    Thu Nov 24 14:10:13 EST 2005
    SQL> connect king/king
    SQL> select * from scott.emp;
    EMPNO ENAME JOB MGR HIREDATE SAL COMM DEPTNO
    7839 KING PRESIDENT 17-NOV-81 5000 10
    (b) STATIC_POLICY => FALSE and POLICY_TYPE => DBMS_RLS.DYNAMIC
    (1) Drop the existing policy as follows.
    SQL> exec DBMS_RLS.DROP_POLICY ('SCOTT', 'EMP','POL1');
    (2) Add pol1 again, this time changing static_policy and policy_type as
    follows.
    SQL> exec DBMS_RLS.ADD_POLICY ( -
    object_schema => 'SCOTT', -
    object_name => 'EMP', -
    policy_name => 'POL1', -
    function_schema => 'SCOTT', -
    policy_function => 'PREDICATE', -
    statement_types => 'SELECT', -
    static_policy => false, -
    policy_type => dbms_rls.dynamic);
    (3) Query from the king user.
    The predicate function created in 2-(a) above is used as is.
    That is, if (a) was not run, run step (a)-(2) before querying.
    SQL> !date
    Thu Nov 24 15:01:13 EST 2005
    SQL> connect king/king
    SQL> select * from scott.emp;
    EMPNO ENAME JOB MGR HIREDATE SAL COMM DEPTNO
    7839 KING PRESIDENT 17-NOV-81 5000 10
    After 5 minutes, run the query once more from the king user.
    SQL> !date
    Thu Nov 24 15:10:13 EST 2005
    SQL> select * from scott.emp;
    EMPNO ENAME JOB MGR HIREDATE SAL COMM DEPTNO
    7788 SCOTT ANALYST 7566 19-APR-87 3000 20
    7839 KING PRESIDENT 17-NOV-81 5000 10
    7902 FORD ANALYST 7566 03-DEC-81 3000 20
    RELATED DOCUMENTS
    <Note 281970.1> 10g Enhancement on STATIC_POLICY with POLICY_TYPE Behaviors
    in DBMS_RLS.ADD_POLICY Procedure
    <Note 281829.1> Evolution of Fine Grain Access Control FGAC Feature From 8i
    to 10g
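    The two Oracle bulletins above show predicates keyed on SESSION_USER and on sysdate; the CONTEXT_SENSITIVE policy type they describe for pooled middle-tier connections is not shown in code. The following is an added example, not part of either bulletin: a predicate driven by a session application context, registered with POLICY_TYPE => DBMS_RLS.CONTEXT_SENSITIVE so it is re-evaluated when the context changes. Assumed names: the SCOTT schema with its EMP and DEPT tables, a context HR_CTX, a package HR_CTX_PKG and a policy EMP_DEPT_POL; SCOTT is assumed to hold CREATE ANY CONTEXT and execute on DBMS_RLS.

    ```sql
    -- Added example (not from the Oracle bulletins above). Assumes schema SCOTT
    -- with EMP/DEPT, and the CREATE ANY CONTEXT privilege on the creating user.

    -- 1. Application context: only HR_CTX_PKG is allowed to set attributes in it,
    --    so an end user cannot set their own department from a plain session.
    CREATE OR REPLACE CONTEXT hr_ctx USING scott.hr_ctx_pkg;

    CREATE OR REPLACE PACKAGE scott.hr_ctx_pkg AS
      -- Called by the middle tier after it has authenticated the end user and
      -- taken a connection from the pool.
      PROCEDURE set_user(p_app_user IN VARCHAR2, p_deptno IN NUMBER);
      -- Called before the connection is returned to the pool.
      PROCEDURE clear_user;
    END hr_ctx_pkg;
    /

    CREATE OR REPLACE PACKAGE BODY scott.hr_ctx_pkg AS
      PROCEDURE set_user(p_app_user IN VARCHAR2, p_deptno IN NUMBER) IS
        l_cnt NUMBER;
      BEGIN
        -- Validate before trusting the value: reject unknown departments.
        SELECT COUNT(*) INTO l_cnt FROM scott.dept WHERE deptno = p_deptno;
        IF l_cnt = 0 THEN
          RAISE_APPLICATION_ERROR(-20001, 'unknown department ' || p_deptno);
        END IF;
        DBMS_SESSION.SET_CONTEXT('hr_ctx', 'app_user', p_app_user);
        DBMS_SESSION.SET_CONTEXT('hr_ctx', 'deptno', TO_CHAR(p_deptno));
      END set_user;

      PROCEDURE clear_user IS
      BEGIN
        DBMS_SESSION.CLEAR_CONTEXT('hr_ctx');
      END clear_user;
    END hr_ctx_pkg;
    /

    -- 2. Policy function. When no context is set (a pooled connection handed
    --    over without set_user), it denies everything instead of falling open.
    --    The predicate text never embeds the context value itself; the value is
    --    read through SYS_CONTEXT at execution time, so there is nothing for a
    --    caller to inject into the generated WHERE clause.
    CREATE OR REPLACE FUNCTION scott.dept_predicate
      (obj_schema IN VARCHAR2, obj_name IN VARCHAR2) RETURN VARCHAR2 IS
    BEGIN
      IF SYS_CONTEXT('hr_ctx', 'deptno') IS NULL THEN
        RETURN '1 = 0';
      END IF;
      RETURN 'deptno = TO_NUMBER(SYS_CONTEXT(''hr_ctx'', ''deptno''))';
    END dept_predicate;
    /

    -- 3. Register the policy. CONTEXT_SENSITIVE means the function is re-run
    --    when the session's application context changes, so the switch between
    --    the '1 = 0' branch and the department branch is picked up on each
    --    set_user/clear_user call, without re-running it for every statement.
    BEGIN
      BEGIN
        DBMS_RLS.DROP_POLICY('SCOTT', 'EMP', 'EMP_DEPT_POL');
      EXCEPTION
        WHEN OTHERS THEN NULL;   -- policy did not exist yet
      END;
      DBMS_RLS.ADD_POLICY(
        object_schema   => 'SCOTT',
        object_name     => 'EMP',
        policy_name     => 'EMP_DEPT_POL',
        function_schema => 'SCOTT',
        policy_function => 'DEPT_PREDICATE',
        statement_types => 'SELECT,UPDATE,DELETE',
        update_check    => TRUE,   -- also check the predicate against new values
        policy_type     => DBMS_RLS.CONTEXT_SENSITIVE);
    END;
    /

    -- 4. Walk-through on one pooled session (SQL*Plus):
    EXEC scott.hr_ctx_pkg.set_user('alice', 10);
    SELECT ename, deptno FROM scott.emp;   -- predicate: deptno = 10
    EXEC scott.hr_ctx_pkg.set_user('bob', 20);
    SELECT ename, deptno FROM scott.emp;   -- context changed: deptno = 20
    EXEC scott.hr_ctx_pkg.clear_user;
    SELECT ename, deptno FROM scott.emp;   -- no context: predicate 1 = 0
    ```

    The same walk-through with policy_type => DBMS_RLS.STATIC would keep the first predicate for the rest of the session, which is why the bulletin warns against static policies for environment-dependent predicates.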

    First, you could use default column values, not a trigger, which is more expensive.
    If your app already assumes full access to the table to get the max id (another RT), this is bad. Current RLS cannot really help if you cannot change the app because of this flawed logic (you can store the max id anywhere; why scan the whole table to find it?).

  • Got ORA-00439:  feature not enabled: Fine-grained access control

    Trying to implement VPD, I've got ORA-00439 when implementing Fine-grained access control. Will this be available on XE?

    Hi,
    lewisc: Yes. I mean "persistent package variables" and I know this feature is available in any version of Oracle. But I don't know how it works with HTMLDB when using the "HTMLDB Authentication Scheme".
    i.e.: when I connect to an HTMLDB Application, I can see a new session on
    V$SESSION with username=ANONYMOUS with SID=xxx and SERIAL#=yyyy.
    1.-Will HTMLDB use the same session until User Press "logout" link?
    2.-Will this particular Database session be exclusive or shared for any HTMLDB sessions?
    3.-If I Logout from HTMLDB App, then Login again, Will HTMLDB reuse the same session?
    or will create a new one?
    -About VPD.
    VPD is a Personal Edition feature too. All features of EE is
    available on Personal Edition except RAC and a few others
    specials features.
    After all:
    Maybe with these examples you can see my question.
    CREATE OR REPLACE VIEW myviewname
    AS
    SELECT *
    FROM mytablename
    WHERE somecolumn = V('Fxxx_HTMLDB_ITEM_NAME')
    CREATE OR REPLACE TRIGGER mytriggername
    BEFORE
    INSERT
    ON mytablename
    FOR EACH ROW
    BEGIN
    :new.mycolumn1 := V('Fxxx_HTMLDB_ITEM_NAME');
    END;
    Can these two examples work? If so, maybe there is something wrong in my applications.
    Thanks GaryM for your issues and I already know this can be done that way

  • Fine Grain Access Control gives ORA-02014

    Using Fine Grain Access Control on Oracle 8i 8.1.6, when a policy is enabled on a table then queries of the form "select * from table for update nowait" give "ORA-02014 cannot select FOR UPDATE from view with DISTINCT, GROUP BY, etc.".
    Similar queries without the "for update nowait" work OK.
    Does anyone have a fix or workaround?

    I ran into this. If you're using a function to add a where clause to your statement, the where clause gets appended to the end and generates an error. You should be seeing trace files in the udump area of Oracle that show you the actual SQL line that is being created in error. I modified my function to add the FOR UPDATE NOWAIT in the correct place.

  • Issue while enabling Access Control for a Coherence server node

    Hi
    I'm trying to enable access control for a Coherence server node, using the default Keystore login method shipped with Coherence. When I start the server I get the error "java.security.AccessControlException: Unsufficient rights to perform the operation". Please see below for the sequence of steps I've followed to enable access control. I just need to enable Authentication (not authorization) at this stage.
    1. I have added the following entry in the Coherence Operational override file
    <security-config>
              <enabled system-property="tangosol.coherence.security">true</enabled>
              <login-module-name>Coherence</login-module-name>
              <access-controller>
                   <class-name>com.tangosol.net.security.DefaultController</class-name>
                   <init-params>
                        <init-param id="1">
                             <param-type>java.io.File</param-type>
                             <param-value>keystore.jks</param-value>
                        </init-param>
                        <init-param id="2">
                             <param-type>java.io.File</param-type>
                             <param-value>permissions.xml</param-value>
                        </init-param>
                   </init-params>
              </access-controller>
              <callback-handler>
                   <class-name>com.sun.security.auth.callback.TextCallbackHandler</class-name>
              </callback-handler>
         </security-config>
    2. The following is the entry in the Permissions.xml
    <?xml version='1.0'?>
    <permissions>
    <grant>
    <principal>
    <class>javax.security.auth.x500.X500Principal</class>
    <name>CN=admin,OU=Coherence,O=Oracle,C=US</name>
    </principal>
    <permission>
    <target>*</target>
    <action>all</action>
    </permission>
    </grant>
    </permissions>
    3. The following is the content of the Login configuration file "Coherence_Login.conf"
    Coherence {
        com.tangosol.security.KeystoreLogin required
            keyStorePath="keystore.jks";
    };
    4. The following is the command line tag for starting the server
    java -server -showversion -Djava.security.auth.login.config=Coherence_Login.conf -Xms%memory% -Xmx%memory% -Dtangosol.coherence.cacheconfig=PROXY-cache-config.xml -Dtangosol.coherence.override=FOL-coherence-override.xml -Dcom.sun.management.jmxremote.port=6789 -Dcom.sun.management.jmxremote.authenticate=false -Dtangosol.coherence.security=true -cp "%coherence_home%\lib\coherence.jar" com.tangosol.net.DefaultCacheServer %1
    Following is the output on the Console when running the command. It asks for a username and password for the JKS store (if I provide the wrong password, it gives a different error, which shows that it is able to authenticate against the Keystore). After I put in the password, it throws the error as shown below: "java.security.AccessControlException: Unsufficient rights to perform the operation"
    D:\Coherence\FOL_CacheServer>fol-cache-server
    java version "1.6.0_20"
    Java(TM) SE Runtime Environment (build 1.6.0_20-b02)
    Java HotSpot(TM) 64-Bit Server VM (build 16.3-b01, mixed mode)
    Username:admin
    Password:
    Exception in thread "main" java.security.AccessControlException: Unsufficient rights to perform the operation
    at com.tangosol.net.security.DefaultController.checkPermission(DefaultController.java:153)
    at com.tangosol.coherence.component.net.security.Standard.checkPermission(Standard.CDB:32)
    at com.tangosol.coherence.component.net.Security.checkPermission(Security.CDB:11)
    at com.tangosol.coherence.component.util.SafeCluster.ensureService(SafeCluster.CDB:6)
    at com.tangosol.coherence.component.net.management.Connector.startService(Connector.CDB:20)
    at com.tangosol.coherence.component.net.management.gateway.Remote.registerLocalModel(Remote.CDB:10)
    at com.tangosol.coherence.component.net.management.gateway.Local.registerLocalModel(Local.CDB:10)
    at com.tangosol.coherence.component.net.management.Gateway.register(Gateway.CDB:6)
    at com.tangosol.coherence.component.util.SafeCluster.ensureRunningCluster(SafeCluster.CDB:46)
    at com.tangosol.coherence.component.util.SafeCluster.start(SafeCluster.CDB:2)
    at com.tangosol.net.CacheFactory.ensureCluster(CacheFactory.java:998)
    at com.tangosol.net.DefaultConfigurableCacheFactory.ensureServiceInternal(DefaultConfigurableCacheFactory.java:923)
    at com.tangosol.net.DefaultConfigurableCacheFactory.ensureService(DefaultConfigurableCacheFactory.java:892)
    at com.tangosol.net.DefaultCacheServer.startServices(DefaultCacheServer.java:81)
    at com.tangosol.net.DefaultCacheServer.intialStartServices(DefaultCacheServer.java:250)
    at com.tangosol.net.DefaultCacheServer.startAndMonitor(DefaultCacheServer.java:55)
    at com.tangosol.net.DefaultCacheServer.main(DefaultCacheServer.java:197)

    Did you create the weblogic domain with the Oracle Webcenter Spaces option selected? This should install the relevant libraries into the domain that you will need to deploy your application. My experience is based off WC 11.1.1.0. If you haven't, you can extend your domain by re-running the Domain Config Wizard again (WLS_HOME/common/bin/config.sh)
    Cappa

  • Access controll Logs and DNS entries

    Hello there,
    We have upgraded from Border Manager 3.5 to Border Manager 3.8 SP4 on
    new hardware. Everything runs fine except a little niggle. When we
    view the Access Control logs now all we see is IP addresses there are
    no host names. In real time monitoring we can click on DNS Host Name
    and get some of the names but most come back Unknown. Under the logs
    themselves the DNS host Name option is grayed out. Have I messed up
    the configuration in some manner?
    Dan

    Thanks Craig, we are indeed running the transparent proxy. Is this a
    change between 3.5 and 3.8? When we ran the transparent proxy under
    3.5 we were able to see the URLs.
    On Tue, 17 Jul 2007 21:36:53 GMT, Craig Johnson
    <[email protected]> wrote:
    >In article <[email protected]>, Dan Larson
    >wrote:
    >> When we
    >> view the Access Control logs now all we see is IP addresses there are
    >> no host names. In real time monitoring we can click on DNS Host Name
    >> and get some of the names but most come back Unknown. Under the logs
    >> themselves the DNS host Name option is grayed out. Have I messed up
    >> the configuration in some manner?
    >>
    >If you have transparent proxy working, you will get IP addresses of
    >hosts instead of URL's.
    >
    >If you are not using proxy authentication, you will get IP addresses of
    >user PC's instead of user names.
    >
    >Craig Johnson
    >Novell Support Connection SysOp
    >*** For a current patch list, tips, handy files and books on
    >BorderManager, go to http://www.craigjconsulting.com ***
    >

  • ADF UIX Role Based Access Control Implementation

    Hi,
    Can anybody suggest a detailed example or tutorials of how to implement a role based access control for my ADF UIX application.
    The application users can be dynamically added to specific roles (admin, Secretary, Guest). Based on the roles, they should be allowed to access only certain links or ADF entity/view operations. Can this be implemented in a centralized way?
    Can this be done using JAZN or JAAS? If so, please provide me references to a simple tutorial on how to do this.
    Thanks a lot.
    Sathya

    Brenden,
    I think you are following a valid approach. The default security in J2EE and JAAS (JAZN) is to configure roles and users in either static files (jazn-data.xml) or the Oracle Internet Directory and then use either jazn admin APIs or the OID APIs to programmatically access users, groups and Permissions (your role_functions are Permissions in a JAAS context).
    If you modelled your security infrastructure in OID rather than the database, an administrator would be able to use the Delegated Administration Service (DAS), a web based console in Oracle Application Server. To configure security this way, you would have two options:
    1. Use J2EE declarative security and configure all your .do access points in web.xml and constrain them by a role name (which is a user group name in OID). The benefit of this approach is that you can get Struts actions working directly with it because Struts actions have a roles attribute.
    The disadvantage is that you can't dynamically create new roles because they have to be mapped in web.xml.
    2. Use JAAS and check Permissions on individual URLs. This allows you to perform finer grained and flexible access control, but also requires changes to Struts. Unlike the approach of subclassing the DataActionForward class, I would subclass the Struts RequestProcessor and change the processRoles method to evaluate JAAS permissions.
    The disadvantage of this approach is that it requires coding that should be done carefully not to lock you in to your own implementation of Struts so that you couldn't easily upgrade to newer versions.
    Options 1 and 2 have the benefit that the policies can be used by all applications in an enterprise that use Oracle Application Server and e.g. SSO.
    Your approach - as said - is valid and I think many customers will look for the database first when looking at implementing security (so would I).
    Two links that you might be interested in to read are:
    http://sourceforge.net/projects/jguard/ --> an open source JAAS based security framework that stores the user, roles and permissions in database tables similar to your approach
    http://www.oracle.com/technology/products/jdev/collateral/papers/10g/adfstrutsj2eesec.pdf --> a whitepaper I've written about J2EE security for Web applications written with Struts and JavaServer Pages. You may not be able to use all of it, but it's a good source of information.
    Frank

  • Query: Best practice SAN switch (network) access control rules?

    Dear SAN experts,
    Are there generic SAN (MDS) switch access control rules that should always be applied within the SAN environment?
    I have a specific interest in network-based access control rules/CLI-commands with respect to traffic flowing through the switch rather than switch management traffic (controls for traffic flowing to the switch).
    Presumably one would want to provide SAN switch demarcation between initiators and targets using VSAN, Zoning (and LUN Zoning for fine grained access control and defense in depth with storage device LUN masking), IP ACL, Read-Only Zone (or LUN).
    In a LAN environment controlled by a (gateway) firewall, there are (best practice) generic firewall access control rules that should be instantiated regardless of enterprise network IP range, TCP services, topology etc.
    For example, the blocking of malformed TCP flags or the blocking of inbound and outbound IP ranges outlined in RFC 3330 (and RFC 1918).
    These firewall access control rules can be deployed regardless of the IP range or TCP service traffic used within the enterprise. Of course there are firewall access control rules that should also be implemented as best practice that require specific IP addresses and ports that suit the network in which they are deployed. For example, rate limiting as a DoS preventative, may require knowledge of server IP and port number of the hosted service that is being DoS protected.
    So my question is, are there generic best practice SAN switch (network) access control rules that should also be instantiated?
    regards,
    Will.

    Hi William,
    That's a pretty wide net you're casting there, but i'll do my best to give you some insight in the matter.
    Speaking pure fibre channel, your only real way of controlling which nodes can access which other nodes is Zones.
    for zones there are a few best practices:
    * Default Zone: Don't use it. unless you're running Ficon.
    * Single Initiator zones: One host, many storage targets. Don't put 2 initiators in one zone or they'll try logging into each other which at best will give you a performance hit, at worst will bring down your systems.
    * Don't mix zoning types:  You can zone on wwn, on port, and Cisco NX-OS will give you a plethora of other options, like on device alias or LUN Zoning. Don't use different types of these in one zone.
    * Device alias zoning is definitely recommended with Enhanced Zoning and Enhanced DA enabled, since it will make replacing HBAs a heck of a lot less painful in your fabric.
    * LUN zoning is being deprecated, so avoid. You can achieve the same effect on any modern array by doing lun masking.
    * Read-Only exists, but again any modern array should be able to make a lun read-only.
    * QoS on Zoning: Isn't really an ACL method, more of a congestion control.
    VSANs are a way to separate your physical fabric into several logical fabrics. There's one huge distinction here from VLANs: as a rule of thumb, you should put things that you want to talk to each other in the same VSAN. In FC there's no such concept as a broadcast domain the way it exists in Ethernet, so VSANs don't serve as isolation for that. Routing on Fibre Channel (IVR or Inter-VSAN Routing) is possible, but quickly becomes a pain if you use it a lot/structurally. Keep IVR for exceptions, use VSANs for logical units of hosts and storage that belong to each other. A good example would be to put each of 2 remote datacenters in their own VSAN, create a third VSAN for the ports on the array that provide replication between the DCs, and use IVR to give management hosts inband access to all arrays.
    When using IVR, maintain a manual and minimal topology. IVR tends to become very complex very fast, and auto topology isn't helping this.
    Traditional IP ACLs (permit this proto to that dest on such a port and deny other combinations) are very rare on management interfaces, since they're usually connected to already separated segments. Same goes for Fibre Channel over IP links (that connect to Ethernet interfaces in your storage switch).
    They are quite logical to use and work just the same on an MDS as on a traditional Ethernet switch when you want to use IP over FC (not to be confused with FC over IP). But then you'll logically use your switch as an L2/L3 device.
    I'm personally not an IP guy, but here's a quite good guide to setting up IP services in an FC fabric:
    http://www.cisco.com/en/US/partner/docs/switches/datacenter/mds9000/sw/4_1/configuration/guides/cli_4_1/ipsvc.html
    To protect your SAN from devices that are 'slow-draining' and can cause congestion, I highly recommend enabling slow-drain policy monitors, as described in this document:
    http://www.cisco.com/en/US/partner/docs/switches/datacenter/mds9000/sw/5_0/configuration/guides/int/nxos/intf.html#wp1743661
    That's a very brief summary of the most important access-control-related Best Practices that come to mind. If any of this isn't clear to you or you require more detail, let me know. HTH!
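    As an added illustration of the single-initiator and don't-mix-zoning-types rules above (example code, not from the original post): a small checker that parses NX-OS style zoneset text and flags offending zones. The zoneset text, the device alias names and pWWN, and the initiator/target role map are all constructed for this example.

```python
import re

# Constructed sample in the style of NX-OS 'show zoneset' output (not from a real fabric).
SAMPLE_ZONESET = """\
zoneset name ZS_DC1 vsan 10
  zone name Z_HOST01_ARRAY vsan 10
    device-alias HOST01_HBA0
    device-alias ARRAY_A_SPA0
    device-alias ARRAY_A_SPB0
  zone name Z_MIXED vsan 10
    device-alias HOST02_HBA0
    pwwn 50:06:01:60:3b:e0:12:34
  zone name Z_TWO_HOSTS vsan 10
    device-alias HOST03_HBA0
    device-alias HOST04_HBA0
    device-alias ARRAY_A_SPA1
"""

# Constructed inventory: role of each alias/pWWN as known from the host and array side.
ROLES = {"HOST01_HBA0": "initiator", "HOST02_HBA0": "initiator", "HOST03_HBA0": "initiator",
         "HOST04_HBA0": "initiator", "ARRAY_A_SPA0": "target", "ARRAY_A_SPB0": "target",
         "ARRAY_A_SPA1": "target", "50:06:01:60:3b:e0:12:34": "target"}

ZONE_RE = re.compile(r"^\s*zone name (\S+) vsan (\d+)\s*$")
MEMBER_RE = re.compile(r"^\s*(device-alias|pwwn|fcalias|interface|fcid) (\S+)\s*$")

def parse_zones(text):
    """Return {zone_name: [(member_type, member_value), ...]} from zoneset text."""
    zones, current = {}, None
    for line in text.splitlines():
        if m := ZONE_RE.match(line):
            current = m.group(1)
            zones[current] = []
        elif current and (m := MEMBER_RE.match(line)):
            zones[current].append((m.group(1), m.group(2)))
    return zones

def check_zones(zones, roles):
    """Return {zone_name: [problem, ...]} for zones that mix member types or hold >1 initiator."""
    findings = {}
    for name, members in zones.items():
        problems = []
        if len({mtype for mtype, _ in members}) > 1:
            problems.append("mixed member types")
        initiators = [v for _, v in members if roles.get(v) == "initiator"]
        if len(initiators) > 1:
            problems.append(f"{len(initiators)} initiators in one zone")
        if problems:
            findings[name] = problems
    return findings
```

    Run it against a saved `show zoneset active` capture and a role map from your inventory; the first zone passes, the other two are reported.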

  • User management and Access Control in HCM Cloud

    Hello,
    Information is scarce about User management and Access Control in Oracle Cloud generally. Today, I have two questions:
    - How can I bridge the HCM Cloud user store with my on-premise IDM or security repository in order to allow identity governance to flow to the HCM Cloud service?
    The only information I got was that you can declare my users manually and by bulk import through files. This is not really interesting as I have an automatic IDM with workflows and identity control on provisioning and de-provisioning.
    Is there an SPML or proprietary endpoint to do it automatically? What are the prerequisites? Do I have to implement OIM on my side?
    - Once my users are created, how can I do webSSO from my internal security repositories to the HCM Cloud service?
    I do not want to distribute a new set of logins / passwords to my users. Is it possible to do Identity Federation (SAML 2.0 or WS-Fed) with the HCM Cloud service? What are the prerequisites? Do I have to implement OAM on my side?
    I accept all pieces of information you can give me on this topic to help me understand the functionalities, limits and options offered by Oracle Cloud and more precisely by the HCM Cloud service.
    Best regards,

    OIDDAS has limited capability for access control and information hiding. Presently, the permissions and privileges can be set at a realm level, and fine-grained access control / information hiding cannot be done.
    At present, the only way to restrict view and access control is by applying ACLs (which is not the safest bet).

  • Where's iPhone's ID for MAC Access Control on Airport Express?

    I'm running Apple Express (NOT Extreme) base station v5.5.1, & require Access Control on 802.11g network. I have "Apple IDs" for all our computers using network, but I can't figure how to get ID #s for iPhone. As workaround, I temporarily opened my network to standard 128-WEP encrypt w/ password, disabling Access Control. But some hash-chart wizard in my apt complex keeps beating WEP & bogging down network, no matter how many times I change passwords. Note: I can't set up WPA w/o Airport Extreme, so that's not an option.
    Thanks in advance for any suggestions...

    Hello sportshark1. Welcome to the Apple Discussions!
    To find the iPhone's MAC address: Settings > General > About

  • Where can I find iPhone "Apple ID" # for Access Control on Airport Express?

    I'm running Apple Express (NOT Extreme) base station v5.5.1, & require Access Control on 802.11g network. I have "Apple IDs" for all our computers using network, but I can't figure how to get ID #s for iPhone. As workaround, I temporarily opened my network to standard 128-WEP encrypt w/ password, disabling Access Control. But some hash-chart wizard in my apt complex keeps beating WEP & bogging down network, no matter how many times I change passwords. Note: I can't set up WPA w/o Airport Extreme, so that's not an option.
    Thanks in advance for any suggestions...

    Yeah, this kinda had me going as well... at first I couldn't figure out where in the world the MAC address for this iPhone was! I checked the iPhone, the box, online, everything everywhere! I just happened to be in the Settings and went to About this iPhone... and Blam! there it was!!! Be sure to use the ID for WiFi. MAC Access Control is a great safeguard, though many say people can "spoof" MAC IDs. I haven't seen it and am not sure how it would be done.

  • ESYU: R12 - How to set up Multi Org Access Control (MOAC) for Order Management

    Purpose
    Oracle Order Management - Version: 12.0 to 12.0
    Information in this document applies to any platform.
    This document describes how to set up Multi Org Access Control (MOAC) for Order Management in R12.
    Solution
    General MOAC setup:
    1. Define a Security Profile in HRMS:
    a. Select the HRMS Management responsibility
    b. Navigate to HRMS Manager > Security > Profile
    c. Check whether a Security Profile is defined (at OM responsibility or Site level)
    d. If it has not been set up yet, enter the Operating Units
    e. Save
    Note: If you created a new security profile as in step d above, you must run the concurrent program 'Security List Maintenance'.
    Otherwise the multiple operating units will not appear in the LOVs of the OM forms.
    This program populates the table used to validate multi-org access.
    Navigation: HRMS Management> HRMS Manager> Processes & Reports> Submit Process & Report> Security List Maintenance
    2. Set up the MO Profile Options:
    a. MO: Security Profile - this profile setting enables the MOAC functionality.
    b. MO: Default Operating Unit - this Operating Unit will be the default in OM forms and reports; you can use the LOV to clear or change it.
    Keep the MO profiles in sync:
    MO: Security Profile can be set at site and responsibility level.
    MO: Default Operating Unit can be set at site, responsibility and user level.
    If you find that the application does not behave as expected, check the values of these profile options.
    3. OM setup:
    Check the new OM System Parameters migrated from the OM Profile Options during the R12 upgrade:
    Order Management Super User> Setup> System Parameters> Values
    (See <<NOTE 393646.1>>-R12 Readiness Cheat Sheet: Migrated OM Profile Options)
    4. Enable the hidden field 'Operating Unit' on the forms and save it as the default folder:
    Sales Order and Order Organizer forms
    Quick Sales order and Organizer forms
    Sales Agreement forms
    Pricing and Availability form
    Other forms
    Note: Before you 'Show' the hidden field 'Operating Unit' on the Sales Order form, you must make room for this field in the form.
    For example, shorten the Customer Number field or overlay it with the Operating Unit field.
    Reference
    Note 393634.1

    Hi Larry,
    Have you considered adding the exec apps.mo_global.set_policy_context call to your connection's start-up script?
    Tools -> Preferences -> Database -> Filename for connection startup script
    Not the most flexible approach, so I'm not sure if it is appropriate for your application, but just a thought. You might create distinct connection names with different start-up scripts for each org_id.
    Regards,
    Gary
    SQL Developer Team
