Access violation - access list by code

Similar Messages

• Accurate t-code access list

  I am trying to retrieve a user access list for the following t-codes:
  Financial Reporting:
  FS00 u2013 general ledger accounts
  OB52 u2013 Close accounting periods
  Fixed Assets:
  AS01
  AS02
  ABZON
  ABAVN
  If we run it just by t-code, the access list is incorrect. Can anyone suggest a a different way to retrieve a correct user list such as what authorization objects, etc. I should specify when running each t-code?
  Thanks
  Raja

  you can check table AGR_1251 with object S_TCODE...
  In field" value" enter t-codes.
  This works as long as you havent defined a "from to" authorisation for S_tcode in your roles
  Edited by: Markus Roth on Nov 1, 2011 7:53 PM

• Unrestricted access for transaction codes

  Hi,
  We had set Production Client settings in SCC4 as "No chnages allowed"
  for client specific objects and
  "No changes to cross client & repository objects" in cross-client
  settings.
  As a part of regular job Finance users needs access to below
  transaction codes when the client is in non modifible Mode.
  I would like to give access to below listed transcation codes for
  selected users Without opening client everytime , I have assigned
  SAP_ALL profile for two users but still they are not able to perform
  their activity using below transcation codes when the client
  is "Nonmodifiable" state
  Transaction Codes List :
  S_BCE_68000174 - Enter Translation Rates
  S_ALR_87003642 - Open and Close Posting Periods
  S_ALR_87002510 - Enter Time Interest Terms
  S_ALR_87002678 - Enter Referance Interest Values
  FTXP - Tax Codes
  Please suggest us how to provide full (display, create, change,
  generate) access to specific listed users for specific transcation
  codes when production client is in "Nonmodifiable" & No changes allowed
  mode.
  Thanku

  Hello,
  Usually it depends on some points of customizing, that allow you to choose how SAP treats those transactions. I mean, you can choose if they should be treated as business transactions or customizing. In your case, the application is configured to use those transactions as customizing. Depending on the business area, you have to ask OSS support to change the configuration of these transactions.
  Hope it helps
  Best Regards
  Francisco

• IP address is not on the target's allowable access list.

  when trying to deploy a lvlib or downloading code from a PC to a FP controller I get this error message "Access denied: This host computer's IP address is not on the target's allowable access list.". I have added the PC's IP address from within Max on the access list of the FP target (althoug default is full access to everyone). This did not help, I still get the same error message. Both systems are on the same IP segment.
  sincerely
  søren h. jensen

  Hello,
  Short of time right now, but I had the same problem: Here is a dump of my own notes on how I solved the pbolem (not necessary to reinstall software):
  I attempted to update these data with Measurement & Automation Explorer (MAX) using the "FieldPoint Access Control" panel in MAX: I set "*" and Read/Write and pressed "Apply": MAX Claims it has updated the Access Rightsm, but we are still unable to Deploy the CFP from the Project Explorer.
  SOLUTION:
  Use WS_FTP-PRO (or any FTP Client) and access the IP Address of the FieldPoint using anonymous login.
  Transfer the file ni-rt.ini from the root of c:\ on the Fieldpoint to the local PC and edit the settings as shown below.
  FTP the file back to the Fieldpoint.
  Set the following settings in "server.tcp.access" and "RTTarget.IPAccess":
  server.tcp.access=""+*""
  NOTE: Double Quotes here
  RTTarget.IPAccess="+*"
  NOTE: Single Quotes here
  +* means every IP address can access.
  It turned out that MAX had left the following (probably illegal) values in the fields:
  """" and ""
  Geir Ove

• Access list with multiple object groups

  Hello Everyone,
  I am using a cisco ASA 5525 with 8.6 code.  I am trying to setup access list for oubound access meaning hosts accessing the internet.  I have created an access list called outbound_access and did "access-groupc outbound_access in interface inside "
  I am trying to use object-groups where ever i can.  Here is an example.
  object-group service obj_Meraki_outbound
  service-object tcp destination eq 443
  service-object tcp destination eq 80
  service-object tcp destination eq 7734
  service-object tcp destination eq 7752
  service-object udp destination eq 7351
  object-group network obj_Meraki_lan
  network-object 10.2.11.0 255.255.255.240
  network-object 10.5.11.0 255.255.225.240
  object-group network obj_Meraki_pub
  des This group lists all hosts associated with Meraki. 
    network-object host 64.156.192.154
    network-object host 64.62.142.12
    network-object host 64.62.142.2
    network-object host 74.50.51.16
    network-object host 74.50.56.218
  object-group service obj_Meraki_outbound
  service-object tcp destination eq 443
  service-object tcp destination eq 80
  service-object tcp destination eq 7734
  service-object tcp destination eq 7752
  service-object udp destination eq 7351
  object-group network obj_Meraki_lan
  network-object 10.x.x.x 255.255.255.240
  network-object 10.x.x.x 255.255.225.240
  object-group network obj_Meraki_pub
  des This group lists all hosts associated with Meraki. 
    network-object host 64.156.192.154
    network-object host 64.62.142.12
    network-object host 64.62.142.2
    network-object host 74.50.51.16
    network-object host 74.50.56.218
  I have tried tying all these groups together in multiple ways but cannot figure out how to do this.  This what i think it should be "access-list outbound_access extended permit object-group obj_Meraki_outbound object-group obj_Meraki_lan object-group obj_Meraki_pub"
  What i want is the use the service objects and the source network would be obj_Meraki_lan and destination would be obj_Meraki_pub.   It seems the rules completely change when you use object groups.  Can someone explain this maybe with a few examples.  I am already using object groups in many acls but not for every element.
  Thanks

  Hi,
  Seems to work on my test ASA
  Attached it to my current LAN interface.
  ASA(config)# packet-tracer input LAN tcp 10.2.11.1 12345 64.156.192.154 80
  Phase: 1
  Type: ROUTE-LOOKUP
  Subtype: input
  Result: ALLOW
  Config:
  Additional Information:
  in   0.0.0.0         0.0.0.0         WAN
  Phase: 2
  Type: ACCESS-LIST
  Subtype: log
  Result: ALLOW
  Config:
  access-group outbound_access in interface LAN
  access-list outbound_access extended permit object-group obj_Meraki_outbound object-group obj_Meraki_lan object-group obj_Meraki_pub
  object-group service obj_Meraki_outbound
  service-object tcp destination eq https
  service-object tcp destination eq www
  service-object tcp destination eq 7734
  service-object tcp destination eq 7752
  service-object udp destination eq 7351
  object-group network obj_Meraki_lan
  network-object 10.2.11.0 255.255.255.240
  network-object 10.5.11.0 255.255.255.240
  object-group network obj_Meraki_pub
  description: This group lists all hosts associated with Meraki.
  network-object host 64.156.192.154
  network-object host 64.62.142.12
  network-object host 64.62.142.2
  network-object host 74.50.51.16
  network-object host 74.50.56.218
  Additional Information:
  access-list outbound_access line 1 extended permit tcp 10.2.11.0 255.255.255.240 host 64.156.192.154 eq www (hitcnt=1) 0x4d812691
  Also have used such configuration in some special cases where the customer has insisted on allow specific TCP/UDP ports between multiple networks. And nothing is stopping from adding ICMP into the "object-group service" also.
  - Jouni

• APEX Pages - User Access List with NTLM

  Hi,
  I'm building several APEX Applications, and using NTLM as its Authentication Scheme. With this, the users won't have to type any user and password. And their user name stated in top right screen.
  I'd like to build another application to administer users of all created APEX Applications. So I'd like to build 3 tables:
  1. users (hold user name, and user data)
  2. pages (hold APEX Applications pages)
  3. access_list (hold combined data of users and pages and access flag)
  The last table will give me an SQL that can be used to create page level Authorization Scheme.
  The problem is:
  I cannot find a way to get a list of user ids to pre-populated the table users. Is there a way that an administrator user use an LOV of all NTLM user instead of typing domain\user to this application? OR is there a better and elegant way to create User Access List with NTLM.
  Your helps will really help me, and thanks in advance.
  Regards,
  Aulia

  This is kind of a followup to Scott's post. Instead of using your own tables to map user accounts to permissions etc, why not simply use LDAP to query the NT domain global catalog?
  You can tell what users are members of particular AD groups and control access to functions based on AD group membership. Then you would only need one table that maps Apex functionality to AD groups.
  That's what we do. Our account management people add users to different security groups and they get access to our apex app based on those groups. The type of access is controlled by the group to which they belong.
  If you try to capture a list of all users, you'll be constantly trying to keep your list of users in sync with your AD/NTLM accounts.
  Or I guess you could simply use LDAP queries inside the database to get a list of ALL your users in a nightly batch. Wouldn't help for people added in the middle of the day, but maybe that doesn't happen often in your company.
  I have posted code on using Active Directory LDAP with dbms_ldap inside the database. Shouldn't be too much trouble to modify that code to scan your directory for users every night. Search for "dbms_ldap" in this forum.

• AP1231 crashes when adding Mac to access list

  I have a AIR-AP1231G-E-K9 it is running c1200-k9w7-mx.123-8.JEC2/c1200-k9w7-mx.123-8.JEC2.
  I am using a Mac Access list to restrict users access to it - however when I add an address now it crashes the AP and has to be rebooted.
  Is there a limit to Mac's is this a software bug?
  thanks

  If the AP is crashing it is a bug. I would open a TAC case to have the crash analyzed to determine if there is fixed code already available.

• TCAM and Access Lists

  Hi
  I am getting myself confused with the TCAM tables and access-lists. From reading the switching book I can see that the access-lists are compiled into the TCAM. What is confusing me is how a switch does a lookup in parallel when the access lists are written in a specific order. You can't parallel something which has to be done in sequence.
  Am I just misreading this part and the author means that each statement is looked up in a parallel table lookup, in serial order?
  Also how do we achieve the parrallelism, is there a multiprocessor asic doing something weird and wonderful in there with parallel code like OCCAM? (showing my age there :) )

  Hi Carl,
  As i mentioned eariler, we could say CBAC is a kind of Access list.
  Access list is just filtering some prefixes/ports. CBAC is the additional feature over ACL. We make use of the ACL in CBAC to inspects traffic that travels through the firewall to discover and manage state information for TCP and UDP sessions.
  Just go thro. this link for both ACL and CBAC,
  http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml#cbac
  Rgs,
  Balaji. V

• Thoroughly Confused with ADSM created access-lists when viewing ASA config

  Background:
  I am trying to unravel a ASA 5550 config that has been created over several years, by multiple people, some who used ADSM, some who used CLI.
  None of them ever removed any lines from the configuration, and none did any documentation.
  I have several basic questions, which show my ignorance.
  When examining the actual configuration from a CLI perspective:
  1. Does an ADSM-created access list end with any specific ADSM-added suffix?
  2. When ANY access list is created in an ASA 5550, does it HAVE to be included in the access-group command to be functional? Can it also be functional if referenced in a "nat" command?
  3. If the access list does meet either of the criteria specified in question #2, is it completely non-functional?
  4. If an access list is applied to a logical or physical port that is shut down, is the access list functional?

  Actually, I don't think I ever made myself clear.
  I am working with a hard copy of the CLI.
  I have no acccess to the devices to run any commands, nor access to the ADSM.
  I have to get someone with access to the devices to get the CLI based config, or run any show commands for me.
  As stated before, it has been built and rebuilt by different people, some using CLI, some using ADSM, but no one ever cleaned up code or documented.
  I have probably 10-15 different access lists in this config.
  Some look to be affiliated with specific ports. Some of these ports are up, some down.
  I have the same rule sets appearing in 3 separate access lists, in some cases.
  Of course, each of these 3 access lists is slightly different.
  Here is the worst example I have to deal with, and hence why I need to know if an access-list can be active WITHOUT being defined in the access-group command AND AT THE SAME time NOT affiliated with a port.
  An example:
  3 access lists:
  Prmary_Public_access_in
  Primary_Public_access_in_tmp
  Arin_Primary_Public_access_in
  Primary_Public_access_in_tmp is associated with the Primary_Public interface, since it is defined in an access-group command.
  Arin_Public_Primary_access_in is associated with a logical port that is shutdown.
  Primary_Public_access_in does not appear to be directly associated with any one port
  So are Arin_Public_Primary_access_in and Primary_Public_access_in access lists that being referenced to manage traffic?

• Access-list configuration

  hi
  i have the following configuration:
  interface FastEthernet0/1
  description **** connected to Timsoret Line-code yy-yyyyy 1 Giga ***
  no ip address
  duplex full
  speed 100
  interface FastEthernet0/1.2007
  description ***** Connect To MASTER_SHUKEI_ON *****
  encapsulation dot1Q 2007
  ip address 172.21.2.46 255.255.255.248
  interface FastEthernet0/1.2008
  description ***** Connect To TRAST *****
  encapsulation dot1Q 2008
  ip address 172.21.2.54 255.255.255.248
  interface FastEthernet0/1.2009
  description ***** Connect To TRAST *****
  encapsulation dot1Q 2009
  ip address 172.21.2.62 255.255.255.248
  interface FastEthernet0/1.2010
  description ***** Connect To TRAST *****
  encapsulation dot1Q 2010
  ip address 172.21.2.707 255.255.255.248
  and i want to config a access deny between the vlans, that the user can't come in to anather vlans that don't belong to them
  thanks

  HI
  Configure access-list
  access-list 10 deny u r vlan2007 range
  access-list 10 permit any
  int f0/0.2007
  access-group 10 in
  same for vlan 2008
  Thanks
  Mahmood

• Extended access list question

  Hello,
  any suggestions why the following ACL will not apply?
  access-list 100 permit udp any host 192.168.155.18 eq domain
  access-list 100 permit tcp any host 192.168.155.18 eq domain
  access-list 100 permit tcp any host 192.168.155.18 established
  access-list 100 deny udp any host 192.168.155.18
  access-list 100 deny tcp any host 192.168.155.18
  access-list 100 permit ip any any
  interface GigabitEthernet0/2.16
  description Subnetz 192.168.155.16/28
  encapsulation dot1Q 16
  ip address 192.168.155.17 255.255.255.240
  ip access-group 100 in
  The server 192.168.155.18 should only answer on requests on port 53 (tcp and udp). IOS image is c7200-jk9s-mz.124-25c.bin. Applied this access-list I can still connect through any other port like ssh and so on.
  Thanks,
  Thomas

  Hi Rick,
  no there is no NAT or other things turned on on this device.
  Router#sh ip access-list 100
  Extended IP access list 100
      10 permit udp any host 192.168.155.18 eq domain (379 matches)
      20 permit tcp any host 192.168.155.18 eq domain (5 matches)
      30 permit tcp any host 192.168.155.18 established (1 match)
      40 deny udp any host 192.168.155.18 (788 matches)
      50 deny tcp any host 192.168.155.18 (79 matches)
      60 permit ip any any (562 matches)
  Router#sh ip int gi0/2.16
  GigabitEthernet0/2.16 is up, line protocol is up
    Internet address is 192.168.155.17/28
    Broadcast address is 255.255.255.255
    Address determined by non-volatile memory
    MTU is 1500 bytes
    Helper address is not set
    Directed broadcast forwarding is disabled
    Outgoing access list is not set
    Inbound  access list is not set
    Proxy ARP is disabled
    Local Proxy ARP is disabled
    Security level is default
    Split horizon is enabled
    ICMP redirects are never sent
    ICMP unreachables are always sent
    ICMP mask replies are never sent
    IP fast switching is enabled
    IP fast switching on the same interface is enabled
    IP Flow switching is enabled
    IP CEF switching is enabled
    IP Flow switching turbo vector
    IP Flow CEF switching turbo vector
    IP multicast fast switching is enabled
    IP multicast distributed fast switching is disabled
    IP route-cache flags are Fast, Flow cache, CEF, Full Flow
    Router Discovery is disabled
    IP output packet accounting is disabled
    IP access violation accounting is disabled
    TCP/IP header compression is disabled
    RTP/IP header compression is disabled
    Policy routing is disabled
    Network address translation is disabled
    BGP Policy Mapping is disabled
    WCCP Redirect outbound is disabled
    WCCP Redirect inbound is disabled
    WCCP Redirect exclude is disabled
  Reminder: 192.168.155.18 is fictive IP address because it was changed only for this post here.
  Thanks,
  Thomas

• ASA 5505 version 9.1 in extended access-list I can add interface name as destination??

  Hi All,
  I'm adding extended ACL on the ASA 5505 version 9.1 and found that in the source or destination field I can specify interface name instead of object, host/network but can't find it documented anywhere and what is the behavior of that?
  access-list VOICE_IN extended permit ip object obj-VOICE-LAN interface OUTSIDE
  Is it matching the egress interface or what?

  Use the interface name rather than IP address to match traffic based
  on which interface is the source or destination of the traffic. You must
  specify the interface keyword instead of specifying the actual IP
  address in the ACL when the traffic source is a device interface. For
  example, you can use this option to block certain remote IP addresses
  from initiating a VPN session to the ASA by blocking ISAKMP. Any
  traffic originated from or destined to the ASA, itself, requires that you
  use the access-group command with the control-plane keyword.

• Vpn site to site and remote access , access lists

  Hi all, we run remote access and site to site vpn on my asa, my question is Can I create an access list for the site to site tunnel, but still leave the remote access vpn to bypass the access list via the sysopt command, or if I turn this off will it affect both site to site and remote access vpn ?

  If you turn off sysopt conn permit-vpn it will apply to both your site to site and remote access vpn...all ipsec traffic. You would have to use a vpn-filter for the site to site tunnel if you wanted to leave the sysopt in there.

• Access Denied error (code 5)

  Hi
  I am using server 2008 r2 sp1 while installing any windows update or my sql I am getting error code 5 access denied
  and i am installing with Admin ID. What can be the reason?

  Checked this ? 
  https://social.technet.microsoft.com/Forums/en-US/522a1177-22eb-458b-a113-d1958e0b991e/sql-express-access-denied-error-code-5?forum=sqlexpress
  Arnav Sharma | http://arnavsharma.net/ Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading
  the thread.

• Apache Error Log mod_security: Access denied with code 400

  Hi
  I am seeing the Access denied with code 400 errors in the apache log's after applying CPU Patch updates below into a Dev/TEST environment
  RDBMS Patches: 9032412 & 9352191 & post steps below:
  @?/rdbms/admin/dbmsaqds.plb
  @?/rdbms/admin/prvtaqds.plb
  @?/rdbms/admin/prvtaqiu.plb
  Java Fix > [ID 1082747.1]
  E-Business Suite Patches & post steps below:
  9323613 & 9506302
  Compiled Forms PLL files using adadmin to solve the known problem below
  ORA-04062: signature of package "APPS.FND_HELP" has been changed
  ORA-04062: KEY-HELP trigger raised unhandled exception ORA-04062.
  the error can be replicated by following the steps below:
  Log in to Oracle Apps E-Business Suite (11.5.10.2) select Report Management Information Responsibility and then transaction reports. (Opens Oracle Discoverer 4i Viewer) > select either Period to date or Year to date and then select any department & and any period (date) and then apply parameters:
  Error message in browser
  This error (HTTP 400 Bad Request) means that Internet Explorer was able to connect to the web server, but the webpage could not be found because of a problem with the address.
  For more information about HTTP errors, see Help.
  Apache log shows:
  error_log shows the following:
  [Fri Jul  8 10:52:08 2011] [error] [client 10.180.225.5] mod_security: Access denied with code 400. Pattern match "!^([-_@|#!=A-Za-z0-9/ :.$/(/)]){0,255}([-_@|#!=A-Za-z0-9/ :.$]){0,255}$" at ARGS_NAMES. [hostname "loadbalancer.webdomain"] [uri "/discoverer4i/viewer"] [unique_id ThbTSAq0BRQAABrfK7M]
  access_log shows the following:
  IP ADDRESS - - [08/Jul/2011:10:51:39 +0100] "GET /disco4iv/html/images/shadow_bottom02_leading_ltr.gif HTTP/1.1" 200 861 0
  IP ADDRESS - - [08/Jul/2011:10:51:39 +0100] "GET /disco4iv/html/images/seperator.gif HTTP/1.1" 200 42 0
  IP ADDRESS - - [08/Jul/2011:10:51:39 +0100] "GET /disco4iv/html/images/arch_blue_bottom_ltr.gif HTTP/1.1" 200 984 0
  10.180.225.5 - - [08/Jul/2011:10:51:39 +0100] "GET /disco4iv/html/images/white.gif HTTP/1.1" 200 37 0
  IP ADDRESS - - [08/Jul/2011:10:51:39 +0100] "GET /disco4iv/html/images/bar_blue_leading_edge_middle_ltr.gif HTTP/1.1" 200 111 0
  IP ADDRESS - - [08/Jul/2011:10:51:39 +0100] "GET /disco4iv/html/images/bar_blue_trailing_edge_middle_ltr.gif HTTP/1.1" 200 129 0
  IP ADDRESS - - [08/Jul/2011:10:51:39 +0100] "GET /disco4iv/html/images/shadow_bottom_leading_edge_ltr.gif HTTP/1.1" 200 862 0
  IP ADDRESS - - [08/Jul/2011:10:51:39 +0100] "GET /disco4iv/html/images/btopshadow.gif HTTP/1.1" 200 44 0
  IP ADDRESS- - [08/Jul/2011:10:51:39 +0100] "GET /disco4iv/html/images/bshadow.gif HTTP/1.1" 200 59 0
  IP ADDRESS - - [08/Jul/2011:10:52:08 +0100] "POST /discoverer4i/viewer HTTP/1.1" 400 227 0
  I have tried to follow a number of metalink notes but unable to resolve this issue, metalink notes looked at are:
  976473.1
  389558.1
  1313128.1 Patch 10324904 applied
  394587.1
  389558.1 Patch 5107107 applied
  1143882.1
  376992.1 Patch 3950067 applied
  Any ideas or suggestions most welcome
  Thank you
  Regards
  Arfan
  Edited by: user1717313 on 08-Jul-2011 04:59

  Hi JD
  I have tried the steps i.e stop apps tier, run adconfig on apps tiers and then started services on apps tiers and can replicate the error
  thanks
  Arfan
  Hi Helios
  I checked note 1080465.1 Patch 9506302 has been applied & Recompile all Forms PLL files using adadmin.
  I ran the sql feom the note, output below
  SQL> select text from dba_source where name='FND_HELP' and line <3;
  TEXT
  package Fnd_Help AUTHID CURRENT_USER as
  /* $Header: AFMLHLPS.pls 115.22 2009/10/12 12:56:58 nchiring ship $ */
  package body FND_HELP as
  /* $Header: AFMLHLPB.pls 115.115 2010/03/19 06:45:24 nchiring ship $ */
  Thanks
  Arfan
  Edited by: user1717313 on 08-Jul-2011 05:04