Access Control Rules Queries

Howdy,
I have a couple of queries about Access Control Rules that I am hoping someone can answer for me.
We are running GW 8.0.2 with a single GWIA for our external (SMTP) mail. The access control is set up as follows:
Default Class of Service (allow SMTP in and out, IMAP and POP3) assigned to Everyone.
Allow Internet Email (allow SMTP in and out, allow IMAP, deny POP3) assigned to a distribution list.
Deny Internet Email (deny SMTP in (with some source exceptions for internal systems), deny SMTP out, deny IMAP and POP3) assigned to a distribution list. We add every user to this dist list by default.
The net effect of these rules is that unless a user is added to the distribution list that the Allow Internet Email rule is assigned to, they cannot send or receive SMTP mail. This is what we are after. These rules were set up some time ago by another administrator who is no longer around.
My first query relates to the order of the rules. Are they evaluated in any particular order? If so, what determines the precedence?
My second query is: can we dispense with the specific Deny Internet Email rule we have in place by changing the Default Class of Service to DENY SMTP in and out, or does this Class of Service need to be Allow for some reason? I note that I cannot delete the Default Class of Service or change its membership. I can, however, edit it.
Finally, I would like to set things up so that we can allow only a small group of people to send mail to a particular domain. These people are already members of the distribution list that allows SMTP out. What I am planning to do is:
Create a distribution list and add the people who need this access to it.
Modify the Allow Internet Email Class of service so that the SMTP out has an exception added for the domain we want to control.
Create a new Class of Service that allows SMTP out without any exceptions and assign the membership of this to the distribution list created above.
Will this stop everyone who is allowed to send SMTP mail from sending to the nominated domain except for those people in the new distribution list?
Thanks for any help or suggestions.
Cheers
Stuart

Hi.
On 11.07.2011 01:36, Big Stu wrote:
> My first query relates to the order of the rules. Are they
> evaluated in any particular order? If so what determines the
> precedence?
>
> My second query is can we dispense with the specific Deny Internet
> Email rule we have in place by changing the Default Class of Service to
> DENY SMTP in and out or does this Class of Service need to be Allow for
> some reason. I note that I cannot delete the Default Class of Service or
> change its membership. I can, however, edit it.
To answer both questions, no, you can't deny the default class of
service, cause you can only *remove* access with other classes, but
never *expand* from the default.
> Finally, I would like to set things up so that we can allow only a
> small group of people to send mail to a particular domain. These people
> are already members of the distribution list that allows SMTP out. What
> I am planning to do is:
>
> Create a distribution list and add the people who need this access to
> it.
> Modify the Allow Internet Email Class of service so that the SMTP out
> has an exception added for the domain we want to control.
> Create a new Class of Service that allows SMTP out without any
> exceptions and assign the membership of this to the distribution list
> created above.
>
> Will this stop everyone who is allowed to send SMTP mail from sending
> to the nominated domain except for those people in the new distribution
> list?
Yes, that should work.
CU,
Massimo Rosen
Novell Knowledge Partner
No emails please!
http://www.cfc-it.de

Similar Messages

  • Query: Best practice SAN switch (network) access control rules?

    Dear SAN experts,
    Are there generic SAN (MDS) switch access control rules that should always be applied within the SAN environment?
    I have a specific interest in network-based access control rules/CLI-commands with respect to traffic flowing through the switch rather than switch management traffic (controls for traffic flowing to the switch).
    Presumably one would want to provide SAN switch demarcation between initiators and targets using VSAN, Zoning (and LUN Zoning for fine grained access control and defense in depth with storage device LUN masking), IP ACL, Read-Only Zone (or LUN).
    In a LAN environment controlled by a (gateway) firewall, there are (best practice) generic firewall access control rules that should be instantiated regardless of enterprise network IP range, TCP services, topology etc.
    For example, the blocking of malformed TCP flags or the blocking of inbound and outbound IP ranges outlined in RFC 3330 (and RFC 1918).
    These firewall access control rules can be deployed regardless of the IP range or TCP service traffic used within the enterprise. Of course there are firewall access control rules that should also be implemented as best practice that require specific IP addresses and ports that suit the network in which they are deployed. For example, rate limiting as a DoS preventative, may require knowledge of server IP and port number of the hosted service that is being DoS protected.
    So my question is, are there generic best practice SAN switch (network) access control rules that should also be instantiated?
    regards,
    Will.

    Hi William,
    That's a pretty wide net you're casting there, but I'll do my best to give you some insight in the matter.
    Speaking pure Fibre Channel, your only real way of controlling which nodes can access which other nodes is Zones.
    For zones there are a few best practices:
    * Default Zone: Don't use it, unless you're running FICON.
    * Single Initiator zones: One host, many storage targets. Don't put 2 initiators in one zone or they'll try logging into each other which at best will give you a performance hit, at worst will bring down your systems.
    * Don't mix zoning types: You can zone on WWN, on port, and Cisco NX-OS will give you a plethora of other options, like on device alias or LUN Zoning. Don't use different types of these in one zone.
    * Device alias zoning is definitely recommended with Enhanced Zoning and Enhanced DA enabled, since it will make replacing HBAs a heck of a lot less painful in your fabric.
    * LUN zoning is being deprecated, so avoid. You can achieve the same effect on any modern array by doing lun masking.
    * Read-Only exists, but again any modern array should be able to make a lun read-only.
    * QoS on Zoning: Isn't really an ACL method, more of a congestion control.
    VSANs are a way to separate your physical fabric into several logical fabrics.  There's one huge distinction here with VLANs, that is that as a rule of thumb, you should put things that you want to talk to each other in the same VSANs. There's no such concept as a broadcast domain the way it exists in Ethernet in FC, so VSANs don't serve as isolation for that. Routing on Fibre Channel (IVR or Inter-VSAN Routing) is possible, but quickly becomes a pain if you use it a lot/structurally. Keep IVR for exceptions, use VSANs for logical units of hosts and storage that belong to each other.  A good example would be to put each of 2 remote datacenters in their own VSAN, create a third VSAN for the ports on the array that provide replication between DC and use IVR to make management hosts have inband access to all arrays.
    When using IVR, maintain a manual and minimal topology. IVR tends to become very complex very fast and auto topology isn't helping this.
    Traditional IP acls (permit this proto to that dest on such a port and deny other combinations) are very rare on management interfaces, since they're usually connected to already separated segments. Same goes for Fibre Channel over IP links (that connect to ethernet interfaces in your storage switch).
    They are quite logical to use and work just the same on an MDS as on a traditional Ethernet switch when you want to use IP over FC (not to be confused with FC over IP). But then you'll logically use your switch as an L2/L3 device.
    I'm personally not an IP guy, but here's a quite good guide to setting up IP services in a FC fabric:
    http://www.cisco.com/en/US/partner/docs/switches/datacenter/mds9000/sw/4_1/configuration/guides/cli_4_1/ipsvc.html
    To protect your san from devices that are 'slow-draining' and can cause congestion, I highly recommend enabling slow-drain policy monitors, as described in this document:
    http://www.cisco.com/en/US/partner/docs/switches/datacenter/mds9000/sw/5_0/configuration/guides/int/nxos/intf.html#wp1743661
    That's a very brief summary of the most important access-control-related Best Practices that come to mind.  If any of this isn't clear to you or you require more detail, let me know. HTH!
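The zoning practices listed in the reply above can be checked mechanically against an exported zone set. The following is an added example, not part of the original thread or any Cisco tool; the inventory, zone names, member names and the `Member`/`Zone` structures are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed inventory (assumption): the role of every known fabric member.
ROLES = {
    "esx01-hba0": "initiator",
    "esx02-hba0": "initiator",
    "array1-ctl0": "target",
    "array1-ctl1": "target",
    "50:06:01:60:00:00:00:01": "target",
}


@dataclass(frozen=True)
class Member:
    kind: str   # how the member is identified: "device-alias", "pwwn", "interface"
    value: str


@dataclass(frozen=True)
class Zone:
    name: str
    members: tuple


def audit_zone(zone, roles=ROLES):
    """Return findings for one zone against the practices in the reply."""
    findings = []
    # Single-initiator zoning: one host per zone, any number of targets.
    initiators = sorted(m.value for m in zone.members
                        if roles.get(m.value) == "initiator")
    if len(initiators) > 1:
        findings.append(f"{zone.name}: multiple initiators {initiators}")
    # Do not mix member identification types inside one zone.
    kinds = sorted({m.kind for m in zone.members})
    if len(kinds) > 1:
        findings.append(f"{zone.name}: mixed member types {kinds}")
    # A member the inventory does not know cannot be classified at all.
    unknown = sorted(m.value for m in zone.members if m.value not in roles)
    if unknown:
        findings.append(f"{zone.name}: members missing from inventory {unknown}")
    return findings


def audit_fabric(zones, default_zone_permit, ficon=False):
    """Audit a whole zone set plus the default-zone setting."""
    findings = []
    if default_zone_permit and not ficon:
        findings.append("default zone permits traffic on a non-FICON fabric")
    for zone in zones:
        findings.extend(audit_zone(zone))
    return findings


# Constructed sample zone set.
ZONES = [
    Zone("z_esx01", (Member("device-alias", "esx01-hba0"),
                     Member("device-alias", "array1-ctl0"),
                     Member("device-alias", "array1-ctl1"))),
    Zone("z_cluster", (Member("device-alias", "esx01-hba0"),
                       Member("device-alias", "esx02-hba0"),
                       Member("device-alias", "array1-ctl0"))),
    Zone("z_esx02", (Member("device-alias", "esx02-hba0"),
                     Member("pwwn", "50:06:01:60:00:00:00:01"))),
]

if __name__ == "__main__":
    for line in audit_fabric(ZONES, default_zone_permit=True):
        print(line)
```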

  • Cannot display Access Control Rules page --- BUG REPORT

    iWS 4.1sp9 on Linux Admin GUI cannot display Access Control Rules page for Netscape browsers 4.7 and 6.2 or for IE 4.
    It does work for IE 5.5 (running this in Vmware).
    I'm reporting this bug here as I can't see anywhere else to put it.

    It could be a firmware bug, or it could be something else bugging out. If the router hasn't been factory reset and it's been through a few firmware upgrades, try resetting it to factory defaults. Take note of any custom settings you have, so you can go in and manually re-configure the router. I would avoid importing a backed up config file in case the config turns out to be the problem, but it doesn't hurt to download a copy of your config now.
    Give that a try. Others might have some more ideas.
    ========
    The first to bring me 1Gbps Fiber for $30/m wins!

  • Access Control Rule Set deletion in GRC 10

    Greetings,
    Has anyone tried deleting rulesets or experienced any issues while deleting rule sets in GRC 10? I have tried to delete them from SPRO as well as from the Setup tab in Access Control; however, it's not working for me. Even in SPRO, after choosing the physical system and logical system information, it stays on that screen forever and nothing happens.
    Any help or guidance here will be much appreciated.
    Thanks everyone for your valuable time.
    Vikas

    Hey,
    There are no tricks or tips.  It was something stupid on my part.
    I just had a look at the system again and found a function left in the system which was mapped to this ruleset, so that was the only reason I was not able to delete the ruleset. As soon as I deleted that function, it worked.
    So I was able to delete the entire rule set after deleting all the risks and functions mapped to this rule set.
    Have a great day ahead...
    Vikas

  • Business Rules Framework (BRF) with Access Control V10 (ERM and CUP)

    Hi Experts,
    Where can I find some information about the usage of BRF with respect to Access Control (especially ERM and CUP)?
    Thanks in advance and best regards,
    Marlen

    Hi Marlen,
    For ramp-up customers we have ramp-up knowledge transfer to be found here:
    http://service.sap.com/rkt
    If you are not participating in the AC 10.0 ramp-up you would need to wait until the product is generally available.
    For general information on BRF have a look here:
    http://help.sap.com/saphelp_nw70ehp2/helpdata/en/43/8b85c9db2f614fe10000000a1553f7/frameset.htm
    Best,
    Frank

  • How do I set up timed access control for a time past midnight

    I would like to set up timed access control for a number of my devices that would stretch past midnight...   An open network from 6AM to 2AM - effectively only blocking access from 2AM to 6AM in the morning....
    Any notion on how to do this?  The timed facility does not like the setting to enable 6A to 2A, says the times are invalid.
    Setting up timed access from 6AM to 11:59P, then doing another from 12A to 2A causes a service "hiccup" of 1 Minute.

    Set up each device as follows:
    Everyday........Between.......6:00 AM and 11:59 PM
    Add a second rule for each device that will state....
    Everyday.....Between.......12:00 AM and 2:00 AM
    You might think that there would be a one minute break between 11:59 PM and 12:00 AM, but that will not be the case, at least on every AirPort that I have ever programmed..  Reason.....11:59 is really 11:59:59:59 turning off at 12:00 AM.  But, you have a second rule to allow access at 12:00 AM, so the AirPort will be "on" at the same time the first rule ends, so there will be no break.
    If you really want the second rule to turn the AirPort "off" at 2:00 AM.......then set that time for 1:59 AM. If you set the rule for 2:00 AM, then AirPort will really turn off at 2:01 AM.

  • Creating SOD matrix with the help of Access control default ruleset

    I am creating the SOD matrix for the existing roles of CRM and HR modules.  As I am the security consultant therefore does not have the functional knowledge about the conflicts for CRM and HR transactions. My question is can I use the function/actions/risks conflicts provided with the Access control 5.3 default ruleset.  We are not using Access control for these systems, so I want to know whether I can take the help of AC 5.3 default risks to create the SOD matrix based on it.
    For e.g, like H001 default HR risk, I would make sure not to assign PA30(maintain HR data) with the PA03/PA04(maintain personal control record) as this will result in the providing conflict "Modify payroll master data and then process payroll". 
    Once I have the SOD list based upon AC 5.3, I can consult the Business approver/auditor to verify and modify as per the business requirement.
    Maybe I am thinking the wrong way, please provide your inputs so I can work on it.  Any help appreciated.
    Thanks,
    Sanjay Desai

    The most important thing to keep in mind is that you need to build a rule set that reflects the customers real business risk!
    What you build there will influence the way the customer will be able to continue work, assign access and perform control activities. The input HAS to come from the business!
    You can use the SAP standard risk definitions as a starting point for discussions, and the HR functions are an excellent building block to identify the transactions and necessary authorization objects that allow users to perform the actions.
    But the real challenge is to identify the risks as perceived/accepted by the business!
    Frank.

  • Change in Access Control components on the Service Marketplace

    Hello GRC community:
    We would like to inform you that as of yesterday (5/30) the Access Control components for support messages/SAP Notes have been changed (they have actually been replaced so all messages/notes logged under the old component will be moved/replaced to the new).
    The main 4 components are now:
    New: GRC-SAC-ARA     Access Risk Management
    Old: GRC-SAC-SCC          Risk Analysis & Remediation (formerly Compliance Calibrator) 
    New: GRC-SAC-ARQ     Access Request
    Old: GRC-SAC-SAE          Compliant User Provisioning (formerly  Virsa Access Enforcer) 
    New: GRC-SAC-EAM     Emergency Access Management
    Old: GRC-SAC-SFF          Superuser Privilege Management (formerly Virsa Firefighter) 
    New: GRC-SAC-BRM     Business Role Management
    Old: GRC-SAC-SRE          Enterprise Role Management (formerly Virsa Role Expert)
    There are also NEW components specific to areas of functionality. If you are not sure of what component to log your message under, please use the main components above.
    GRC-SAC-ADS          Directory Services
    GRC-SAC-BI             Access Control BW
    GRC-SAC-CONF       Configuration
    GRC-SAC-DAS          Dashboard
    GRC-SAC-REP          Repository
    GRC-SAC-RPT          Reporting
    GRC-SAC-UAR          User Access Review
    GRC-SAC-UPG          Installation & Upgrade
    GRC-SAC-WF           Workflow
    Ramelyn Paredes
    AGS Primary Support

    Hello Community,
    To summarise in short: new features introduced in V10.0: GRC 10.0 is ABAP based, so extraction of data from users is fast, and analysis as well.
    As usual, the names for the Access Control tools have been changed.
    A. Access Risk Analysis (RAR)
    1. USOBT & object information will be automatically updated with GRC rather than manual upload (earlier version)
    2. Mass Users can be imported from .CSV file for risk analysis, Role analysis etc.,
    3. Variant creation / reuse for any report analysis
    4. Option of having multiple rule sets & simulating users across multiple rule sets at same time
    5. Risk analysis for CUA, Composite roles
    6. Mitigation by system, risk id, mass mitigation for users, audit trail etc.,
    7. Risk analysis for HR objects
    B. Emergency Access Management (SPM)
    1. Mass reporting for all FF users, Ids, Executions
    2. Centrally maintained for all systems rather than individual ERPs.
    C. User Access Management (CUP)
    1. Customizable Access request forms
    2. HR based role assignment for position, org unit
    3. IDM integration using GRC Web services
    D. Business Role Management (ERM)
    1. Concept of Business role mapping for Technical roles.
    2. Audit Trails & PFCG Change history.
    Finally, the look, reporting format has been changed to provide additional information for analysis.
    More important - GRC V5.3 support is till 2015 & SAP has planned to push the customers to upgrade to 10.0. Eventually SAP is also planning to release GRC 11.0 by mid next year. So we have to wait & watch the show

  • Data Access control in J2EE technologies/apps

    Hi Guys,
    I am working on a project that requires that I implement a mechanism for controlling data access to the content that is displayed on the pages of a Struts based web application.
    First off, to clarify, I am not referring to the ability for different users to log on to a specific page and/or view specific pages. That is a different type of access control. I am more interested in the "Data Access", i.e. where multiple users can view the same page but the data that is displayed depends on the data access control privileges they have.
    I am interested to know of the different approaches/frameworks out there for implementing "data access" control. Is there a framework out there for this kind of thing?
    I'm thinking that to do this the controls/privileges need to be configured (i.e. data access categories, users etc.) somewhere, probably in the database. The rules can get quite complicated, so I'm wondering whether there is already a framework that I can use to accomplish this rather than implementing it from scratch.
    Thinking about how it will work, the rules that govern the access are very specific to our business domain, so I am not really sure whether there is any third party framework that I can use that is very generic and will allow the rules to be configured.
    Thanks

    You are right, access control is very application dependent, and is therefore not a good target to turn into a generic framework.
    In my opinion the king of security frameworks is Spring Security, so you could take a look at that.
    http://static.springsource.org/spring-security/site/
    Other than that, I have used a simple setup using JavaServer Faces. I had a user bean with a set of boolean flags indicating the user's capabilities (directly mapped to a database table) and in the components I would have rendered="#{user.userRole}" attributes where necessary, to conditionally switch off elements when the user wasn't allowed to see them, in some cases rendering a read-only view instead.
    It's a chore to test, but quite easy to maintain and to read IMO.

  • Access Control with Custom Groups

    I am rather new to APEX. I am trying to implement access control/authorization using custom groups (not the built-in View, Edit, and Administrator groups). I did search the discussion forums and the web in general but so far I have come up empty. I was hoping someone could point me into the right direction as to how to get started. Are there stored procedures that need to be customized/implemented? Where do I store the user groups? Can I use the built-in tables or should I create custom security group tables? Those are just some of the questions I am trying to figure out and any help would be much appreciated.
    And BTW, due to client requirements, we are currently using version 3.2. Not sure if there are any significant changes between that version and the latest version.
    Thank you all!
    Mischa

    Custom authentication is fairly easy to set up with your own tables, here is an example
    http://djmein.blogspot.com.au/2007/07/custom-authentication-authorisation.html
    This leads on to authorisation, again using your own tables. You need to look into using authorization schemes
    http://docs.oracle.com/cd/E37097_01/doc/doc.42/e35125/sec_authorization.htm#BABEDFGB
    This can simply be queries on your own group tables, which presumably would control membership by username.
    You ask the question about using built-in tables, yet don't want to use the built-in administrator groups?
    Plenty of significant changes, but none that should affect you in regard to authentication/authorisation.
    Scott

  • GRC Access Control 5.3 Organizational Levels - logical AND - OR changed

    Hello GRC Community,
    We are working with Access Control 5.3 SP 12 and we are setting up organization levels for the risk analysis.
    The setup is loaded with a flat file, and the configuration seems to be loaded in the right way.
    Doing the configuration on the RAR portal, opening the tab "rule architect" then "organization rules" and "create", we have this information:
    Organization Rule: Z001
    Description: TEST
    Risk     Organization Level    from    to    search type    Status
    F001*    BUKRS                 PRE0          AND            Enabled
    F001*    EKORG                 PR00          OR             Enabled
    F001*    EKORG                 PR01          OR             Enabled
    F001*    EKORG                 RP00          AND            Enabled
    F001*    VKORG                 RP00          OR             Enabled
    F001*    VKORG                 RP01          OR             Enabled
    F001*    VKORG                 RP02          AND            Enabled
    F001*    WERKS                 SV00          OR             Enabled
    F001*    WERKS                 VS00          OR             Enabled
    Finally save button.
    When we want to edit an organization rule or add a new one with the screen of organization rules, after saving we have the next result when we load the rule again:
    In the case of the same organization rule (Z001), the RAR returns this info:
    Organization Rule: Z001
    Description: TEST
    Risk     Organization Level    from    to    search type    Status
    F001*    BUKRS                 PRE0          AND            Enabled
    F001*    EKORG                 PR00          OR             Enabled
    F001*    EKORG                 PR01          OR             Enabled
    F001*    EKORG                 RP00          OR             Enabled
    F001*    VKORG                 RP00          OR             Enabled
    F001*    VKORG                 RP01          OR             Enabled
    F001*    VKORG                 RP02          OR             Enabled
    F001*    WERKS                 SV00          OR             Enabled
    F001*    WERKS                 VS00          OR             Enabled
    So the RAR has changed the logical AND for OR.
    Why is it happening?  This effect doesn't happen if I make an upload from a flat file of organizational rules.
    We already tried this symptom doing the same exercise with RAR SP 14 with the same issue.
    Thanks in advance for all your comments
    Regards,
    Alejandro
    Edited by: Alejandro Acuña Acosta on Jun 3, 2011 8:53 AM

    Hi,
    >
    > 1. The Addons HR and NonHR are installed on the erp?
    >
    Yes.
    > 2. The GRC could be an stand alone java server?
    >
    It should be on separate server.
    > 3.  The Spro config for process control is configured on the ERP or the grc server?
    >
    ERP server.
    Thanks
    Sunny

  • Home Hub 3 Access Control not working

    Not sure if anyone can help with this, but here goes!
    I have access control enabled on my HomeHub 3 which should stop my daughter from using the Internet between 9:00pm and 3:00pm - it seems to be working in as much as she isn't able to access the internet from her laptop from the time she gets up until 3:00pm, but it doesn't stop her using the internet at 9:00pm, in fact she can still quite happily access the internet up until 10:30 or even later.
    I have tried restarting the hub, switching access control off and back on and deleting and re-instating the device block but none of these seem to work properly, so any advice would be gratefully received.
    I'm also having problems with wireless connectivity, but I've put that in a different post as I think it probably needs different expertise

    It could be because the time on the hub is an hour slow because it has not updated to BST. This is a known problem which BT were going to sort out within a few days! See here and elsewhere in these forums: http://community.bt.com/t5/Other-BB-Queries/Clocks-Forward/td-p/448429.
    Pending resolution of the problem, putting the Access Control times back an hour might do it. (It has been reported that the alternative of setting the time manually can result in the hub not keeping time very well.)  
    You can click the white star next to this message if you think it was helpful.
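Both schedule threads above (the AirPort window that runs past midnight and the Home Hub block that ends an hour late) come down to how a device evaluates a time window against its own clock. The following is an added example, not code from either device or thread; the function names are hypothetical, the inclusive end minute follows the AirPort answer's description, and the one-hour-slow clock follows the Home Hub reply.

```python
DAY = 24 * 60  # minutes in a day


def minutes(hhmm):
    """'HH:MM' (24-hour) -> minutes since midnight."""
    h, m = hhmm.split(":")
    return int(h) * 60 + int(m)


def fmt(total):
    """Minutes since midnight -> 'HH:MM'."""
    return f"{total // 60:02d}:{total % 60:02d}"


def in_window(start, end, now):
    """True if now is in [start, end). A window with end <= start wraps midnight."""
    s, e, n = minutes(start), minutes(end), minutes(now)
    if s < e:
        return s <= n < e
    return n >= s or n < e


def split_for_same_day_rules(start, end):
    """Express a window as rules that never cross midnight.

    For devices that reject start > end. Each rule is (first_minute,
    last_minute) with the last minute INCLUSIVE, as the AirPort answer
    describes (assumption about the device, taken from that answer).
    """
    s, e = minutes(start), minutes(end)
    if s < e:
        return [(fmt(s), fmt(e - 1))]
    rules = [(fmt(s), fmt(DAY - 1))]
    if e > 0:
        rules.append((fmt(0), fmt(e - 1)))
    return rules


def allowed_by_rules(rules, now):
    """Evaluate inclusive same-day rules the way the device would."""
    n = minutes(now)
    return any(minutes(a) <= n <= minutes(b) for a, b in rules)


def device_clock(real_now, offset_minutes):
    """What the device believes the time is, given its clock error."""
    return fmt((minutes(real_now) + offset_minutes) % DAY)


def blocked(block_start, block_end, real_now, clock_offset=0):
    """Is access blocked at real_now, as judged by the device's own clock?"""
    return in_window(block_start, block_end, device_clock(real_now, clock_offset))


if __name__ == "__main__":
    # AirPort case: allow 06:00 -> 02:00 the next day.
    print(split_for_same_day_rules("06:00", "02:00"))
    # Home Hub case: block 21:00 -> 15:00, hub clock one hour slow.
    for t in ("21:30", "22:00"):
        print(t, "blocked:", blocked("21:00", "15:00", t, clock_offset=-60))
    # Workaround from the reply: configure the window an hour earlier.
    print("21:30 blocked:", blocked("20:00", "14:00", "21:30", clock_offset=-60))
```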

  • Http proxy View access control log

    Access control log is broken. I get BMON window...operation cannot be
    completed.
    Tried TID 10026035 which did not work at all.
    Jerry Gunn

    If that is the only way, I guess it's OK. Do you have a procedure to
    follow?
    Also... why doesn't TID 10026035 work? If it's a useless TID, who do I
    contact to get it removed or fixed?
    Thanks for your help.
    Jerry Gunn
    > If you're ready to throw away the access rules logs, you can start from
    > scratch by disabling all the components using btrieve (for instance, not
    > loading BM at the server startup, removing logging for the VPN, as
    > well), then disable all the logs in CSAUDIT, delete the contents of the
    > CSAUDIT directory and re-enable everything.
    >
    > --
    > Cat
    > NSC Volunteer Sysop

  • Disable include statements to access control

    Hi,
    include statements (@include, not include actions) can include any
    resource and are not subject to declarative or programmatic access
    control. So access control works for the including JSP but not for the
    included resource.
    Is there a way to restrict include statements (@include, not include
    actions) to mitigate this risk?
    Tag library validators don't work because they just get a byte stream
    of the XML view of the JSP with expanded include statements.
    Security manager policies are difficult because the servlet container
    needs access to all resources and FilePermissions paths are not
    expressive enough. Something like
    grant the jsp engine {
    permission java.io.FilePermission "/some-root/-.jsp" "read";
    permission java.io.FilePermission "/some-root/-.jspx" "read";
    seems not possible.
    Do you have any idea how to restrict include statements?
    Thanks
    Hannes

    Hi Private_frazer,
    Welcome to the forum, that does sound a bit frustrating. I can get this looked into for you. Please could you send me your details using the link found in the "About Me" section of my profile.
    Thanks
    Paddy,
    BTCare Community Mod
    If we have asked you to email us with your details, please make sure you are logged in to the forum, otherwise you will not be able to see our ‘Contact Us’ link within our profiles.
    We are sorry but we are unable to deal with service/account queries via the private message(PM) function so please don't PM your account info, we need to deal with this via our email account :-)
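Static includes (`<%@ include file="..." %>` and the XML form `<jsp:directive.include file="..."/>`) are resolved at translation time, so one place to restrict them is a build-time scan of the web application source. The following is an added example, not part of the original thread or any container's tooling; the protected prefix `/admin/`, the file names and their contents are constructed, and the rule applied (a page outside a protected prefix must not statically pull in a resource under it, directly or through a chain of includes) is an assumption about the policy wanted.

```python
import posixpath
import re

# Standard and XML syntax of the static include directive.
INCLUDE_RE = re.compile(
    r"""<%@\s*include\s+file\s*=\s*(["'])(?P<std>.+?)\1\s*%>"""
    r"""|<jsp:directive\.include\s+file\s*=\s*(["'])(?P<xml>.+?)\3\s*/?>""",
    re.DOTALL,
)


def static_includes(path, source):
    """Resolve every static include in `source` to a context-relative path.

    A leading '/' is relative to the web application root; anything else
    is relative to the including file. '..' segments are normalised so a
    traversal cannot hide the real target.
    """
    targets = []
    for match in INCLUDE_RE.finditer(source):
        target = match.group("std") or match.group("xml")
        if not target.startswith("/"):
            target = posixpath.join(posixpath.dirname(path), target)
        targets.append(posixpath.normpath(target))
    return targets


def protecting_prefix(path, protected):
    """Return the protected prefix covering `path`, or None."""
    for prefix in protected:
        if path.startswith(prefix):
            return prefix
    return None


def find_bypasses(webapp, protected):
    """Return (page, protected_target, include_chain) for each violation.

    Includes are followed transitively, because a protected fragment can
    be reached through an innocuous-looking shared header.
    """
    findings = []
    for page in sorted(webapp):
        seen, stack = set(), [(page, [page])]
        while stack:
            current, chain = stack.pop()
            for target in static_includes(current, webapp.get(current, "")):
                if target in seen:
                    continue
                seen.add(target)
                prefix = protecting_prefix(target, protected)
                if prefix and not page.startswith(prefix):
                    findings.append((page, target, " -> ".join(chain + [target])))
                stack.append((target, chain + [target]))
    return findings


# Constructed sample web application: path -> file content.
WEBAPP = {
    "/index.jsp": '<%@ include file="common/header.jspf" %>\n<p>home</p>',
    "/common/header.jspf": '<%@ include file="/admin/menu.jspf" %>',
    "/admin/menu.jspf": "<ul><li>users</li></ul>",
    "/admin/users.jsp": '<jsp:directive.include file="menu.jspf"/>',
    "/reports/view.jsp": '<%@ include file="../admin/../reports/footer.jspf" %>',
    "/reports/footer.jspf": "<hr/>",
}
PROTECTED = ("/admin/",)  # constructed: URL space covered by access control

if __name__ == "__main__":
    for page, target, chain in find_bypasses(WEBAPP, PROTECTED):
        print(f"{page} statically includes protected {target}: {chain}")
```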

  • UWL Integration - Process Control & Access Control

    Hello Community,
    Has anyone worked on UWL integration of Access Control 5.3 & Process Control 3.0?
    Is this feasible by developing UWL custom connectors? Any hints?
    (NW2004s - EP7.0)
    Thanks!
    Dhanz

    Hi
    Even though you set risk analysis to be done at single in RAR, it will automatically consider the following types if done from CUP:
    1. SOD conflict
    2. Critical action
    3. Critical Permission
    If you want to have only SOD risk analysis, then deactivate all critical action rules in RAR OR create a new ruleset and assign all SOD risks to it and use it with CUP.
    Thanks & Regards
    Asheesh
