ACE Role question

Just a clarification about ACE roles. Why does the predefined "Admin" role have any rules beyond:
1. Permit Create all
Why are the other 3 rules necessary?
2. Permit Create user access
3. Permit Create system
4. Permit Create changeto
Thanks,
marty

The ACE provides role-based access control (RBAC), which is a mechanism that determines the commands and resources available to each user. A role defines a set of permissions for accessing the objects and resources in a context and the actions you can perform on them.

Similar Messages

  • Ace 6500 question

New to ACE, just purchased a new blade. Could somebody advise on deployment in routed and single-arm mode? If a client connects to the VIP, can the traffic route back out the VIP interface to the servers? We have a DMZ where we want to deploy a VIP. Once the packet enters the DMZ and hits the VIP, can the servers be located on the same subnet as the VIP, and also a backup server on another DMZ or even the inside of the firewall?

    I am also fairly new to the ACE modules, but I think I can answer your question. Yes, the servers can be located on the same subnet as the VIP. As for the backup servers, as long as the ACE can reach the servers via IP you can load balance servers even if they are in different VLANs or DMZs.
    I have a context in one-arm mode and would suggest against it unless you do not have a choice. Even though one-arm mode is easy to set up, it can be a little hard to troubleshoot if you have source NAT enabled. If you do not have source NAT enabled on the ACE, you will have to configure PBR on the MSFC of the 6500 and specify what you want to go to the ACE (what needs to be load balanced).
    If you configure the ACE in routed mode, be sure that you configure it so that you do not run into asymmetrical routing issues.
    Like I said, I am fairly new to these load balancers, but we have very talented folks on this site that can assist you with almost any ACE-related question that you may have.
    Good luck,
    John...

  • ACE checkpoint question

I have an ACE checkpoint question. When you create a checkpoint to save the config on the ACE module, where does the file get stored?

    Hi,
    To display checkpoint information, use the show checkpoint command in Exec mode. The syntax of this command is:
    show checkpoint {all | detail name}
    The options and arguments are:
    • all - Displays a list of all existing checkpoints
    • detail name - Displays the running configuration of the specified checkpoint
    For example, to display the running configuration for a specific checkpoint, enter:
    host1/Admin# show checkpoint detail MYCHECKPOINT
    Sachin

  • Regarding the ACE roles

    Dear Friends,
    Can anybody explain about ACE roles and how it controls the system?
    Points will be rewarded.
    Thanks & Regards,
    Ganesh

    Take a look at the following blogs:
    - /people/boris.dingenouts/blog/2006/09/18/the-concept-and-implementation-of-crm-ace
    - /people/ravikiran.chittum/blog/2007/09/19/configuration-implementation-of-crm-access-control-engine-ace-part-1
    - /people/ravikiran.chittum/blog/2007/10/01/configuration-implementation-of-crm-access-control-engine-ace-part-2
    regards.

  • PSCS4 ACE Exam - Questions on 3D and Video included or not?

    Hi,
    I have been thinking of taking the ACE exam for CS4 for a while now. I have been using a couple of the exam sims available, ExamAids & uCertify, but have noticed that while the uC one has questions on 3D, Video and Animation, the EA one does not.
    Can anyone who has actually taken the test please tell me if they had to answer questions on these elements of the software? I'm not interested in what the questions were, just if they covered those subjects. I know they are not listed on the exam bulletin, but they might crop up in the 'Advanced Knowledge' section.
    And before anyone from the 'why bother with ACE exams' crowd chips in, I work for a training company that wants to become an AATC; they need to use ACIs to achieve that status. So I need to become an ACE.
    Thanks in advance,
    Kris

    The questions are only coming from the prep guide; if something isn't mentioned there then it won't be in the exam. There's nothing about 3D in the prep guide so you don't need to learn about it, but there are two subpoints about video so make sure that you go through those:
    • Given a scenario, describe the proper color conversion to apply. (Scenarios include: To CMYK for prepress, to a different color space for Web or video.)
    • Explain how to use features that handle images moving to and from video workflows. (Includes: Pixel aspect ratio, document presets, Video Preview.)

  • Managed Roles Question

    I have just a basic question. If I have a role in the form of:
    cn=MDMS, ou=Industrial, dc=test, dc=com
    Does the organization Industrial have to exist somewhere in LDAP as a real ou?
    I am using the Java API and I need to associate the cn with an organizational unit, but I do not want to have someone physically managing these groups.
    And if this can be done, are there any drawbacks and/or gotchas that I need to be aware of?
    Thanks in advance...

    You can do this, there should be no gotchas.

  • Privilege and roles Question

    Hi All,
    I ran these queries:
    SELECT GRANTEE, PRIVILEGE, GRANTABLE FROM DBA_TAB_PRIVS
    WHERE TABLE_NAME='TABLE1' AND GRANTEE IN ('USER1', 'USER_ROLE');
    GRANTEE     PRIVILEGE   GRANTABLE
    USER1       SELECT      NO
    USER1       INSERT      NO
    USER1       DELETE      NO
    USER1       UPDATE      NO
    USER_ROLE   SELECT      YES
    USER_ROLE   INSERT      YES
    USER_ROLE   DELETE      YES
    USER_ROLE   UPDATE      YES
    SELECT 'ROLE' TYP, GRANTEE, GRANTED_ROLE, ADMIN_OPTION FROM DBA_ROLE_PRIVS WHERE GRANTEE ='USER1';
    TYP    GRANTEE   GRANTED_ROLE   ADMIN_OPTION
    ROLE   USER1     CONNECT        NO
    ROLE   USER1     RESOURCE       NO
    ROLE   USER1     USER_ROLE      NO
    My question is: since USER1 is granted the role USER_ROLE, will it cause a conflict with the table privilege?
    Because I can't perform an insert when I'm using USER1. It gives me the error ORA-01031: insufficient privileges, SQL source: ..

    Since you did not mention how you are performing the inserts/DML on TABLE1, and you are facing privilege issues, I presume you are performing it from a PL/SQL block. However, the privileges acquired via a role are not valid in a function/procedure. You need to have explicit privileges to perform an action in a function/procedure.
    Even without the privilege, you would be able to perform the inserts/DML as static SQL statements that are not contained in PL/SQL blocks.
    Try:
    grant insert on table1 to user1;
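    The role-versus-direct-grant behaviour described in the answer above, as an added example that is not part of the original thread (Oracle SQL, run from SQL*Plus). APP_OWNER, USER1, USER_ROLE, TABLE1 and the tablespace name are constructed names, the passwords are placeholders, and the session switches are shown as comments:

```sql
-- Added example (not from the thread). Shows why an INSERT privilege that
-- USER1 holds only through USER_ROLE works in top-level SQL but not inside a
-- definer's-rights PL/SQL procedure, and the direct grant that fixes it.
-- Assumes Oracle Database; APP_OWNER, USER1, USER_ROLE and TABLE1 are
-- constructed names, passwords are placeholders, and the session switches
-- ("connect as ...") are shown as comments.

-- 1. As a DBA: table owner, the role carrying the privilege, and USER1.
CREATE USER app_owner IDENTIFIED BY "PLACEHOLDER_PW1" QUOTA UNLIMITED ON users;
CREATE USER user1     IDENTIFIED BY "PLACEHOLDER_PW2";
GRANT CREATE SESSION, CREATE TABLE TO app_owner;
GRANT CREATE SESSION, CREATE PROCEDURE TO user1;

CREATE TABLE app_owner.table1 (id NUMBER PRIMARY KEY, note VARCHAR2(50));
CREATE ROLE user_role;
GRANT SELECT, INSERT ON app_owner.table1 TO user_role;
GRANT user_role TO user1;      -- USER1 has INSERT only via the role so far

-- 2. Connect as USER1. A static, top-level INSERT succeeds: roles enabled in
--    the session contribute their privileges to interactive SQL.
INSERT INTO app_owner.table1 VALUES (1, 'via role, top-level SQL');
COMMIT;

-- 3. The same INSERT inside a definer's-rights procedure fails to compile.
--    Roles are disabled while compiling and running such units, so only
--    privileges granted directly to USER1 are considered; the compiler
--    reports "PL/SQL: ORA-00942: table or view does not exist".
CREATE OR REPLACE PROCEDURE add_note (p_id NUMBER, p_note VARCHAR2) AS
BEGIN
  INSERT INTO app_owner.table1 (id, note) VALUES (p_id, p_note);
END;
/
SHOW ERRORS

-- 4. Fix: connect as APP_OWNER (or a DBA) and grant the privilege directly
--    to USER1; then, as USER1, recompile and call the procedure.
GRANT INSERT ON app_owner.table1 TO user1;
ALTER PROCEDURE user1.add_note COMPILE;
BEGIN
  user1.add_note(2, 'via direct grant, inside PL/SQL');
END;
/

-- 5. Verify as a DBA: the direct grant now appears beside the role's grant,
--    which is the state the thread's first query output shows.
SELECT grantee, privilege, grantable
  FROM dba_tab_privs
 WHERE table_name = 'TABLE1'
   AND grantee IN ('USER1', 'USER_ROLE');
```

    An invoker's-rights unit (AUTHID CURRENT_USER) does honour the caller's enabled roles at run time, which is the one case where the role alone would have sufficed.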

  • Certificate Authority CA Role question

    Well, I haven't asked a question on here in quite some time.
    Does anyone know if I can export my CA role and cert from the first primary server's ZEN internal CA store and import it on another primary for redundant internal ZEN CA servers?
    Not sure if this is supported or even works in case one bites the dust.
    Thanks in advance

    Originally Posted by mark7508
    Well, I haven't asked a question on here in quite some time.
    Does anyone know if I can export my CA role and cert from the first primary server's ZEN internal CA store and import it on another primary for redundant internal ZEN CA servers?
    Not sure if this is supported or even works in case one bites the dust.
    Thanks in advance
    No, you can't have "redundant".
    But the CA server is only needed when generating certs, such as when building a new Primary or configuring an Auth Satellite.
    I've seen folks lose their CA server and not know it for a year or more.
    Simply make sure you have followed the steps for backing up your CA, and if you ever lose your CA server permanently, you can use those files to install the CA service on another server.

  • Role Question

    The SCOTT user has been granted the CONNECT and RESOURCE roles only.
    The database administrator (DBA) grants MGR_ROLE to the SCOTT user by using this command:
    SQL> GRANT MGR_ROLE TO SCOTT WITH ADMIN OPTION;
    Which statement is true about the SCOTT user after he is granted this role?
    A: The SCOTT user can grant the MGR_ROLE role and the privileges in it to other users.
    B: The SCOTT user can grant the privileges in the MGR_ROLE role to other users but not with ADMIN_OPTION.
    C: The SCOTT user can grant only the MGR_ROLE role to other users but not the privileges in it.
    D: The SCOTT user can grant the privileges in the MGR_ROLE role to other users but cannot revoke privileges from them.
    What is the true answer, and why?
    Thanks in advance

    SYS@orcl > create role mgr_role;
    Role created.
    SYS@orcl > grant create any view to mgr_role;
    Grant succeeded.
    SYS@orcl > grant mgr_role to scott with admin option;
    Grant succeeded.
    SYS@orcl > connect scott/tiger
    Connected.
    SCOTT@orcl > grant create any view to mike;
    grant create any view to mike
    ERROR at line 1:
    ORA-01031: insufficient privileges
    SQL> grant mgr_role to mike;
    Grant succeeded.
    (C) The SCOTT user can grant only the MGR_ROLE role to other users but not the privileges in it. (if this means that Scott cannot grant the individual privileges)
    Enrique
    Edited by: Enrique Orbegozo on Dec 18, 2008 7:40 PM

  • ACE Module Question

    Hi,
    I have the following configuration:
    policy-map type loadbalance first-match test
      class L7-URL
        sticky-serverfarm test
        insert-http src-ip header-value %is:%ps:%id:%pd
      class class-default
        serverfarm test
    Does the class class-default need to be in the above configuration? The reason I ask is because I see it in some examples and not in others.
    Regards,
    John...

    class-default acts as a last resort under policy configuration. If there are multiple classes to check against the traffic, then the policy will compare traffic against all the classes, and if there is no match then the actions for class-default will be used.
    In your case:
    ACE will look for the condition in "class L7-URL"; if it matches then it will use sticky group test (which should have a serverfarm associated to it). The serverfarm under the sticky group will be used if the client request matches the class L7-URL.
    If the client request doesn't match the condition in "class L7-URL", then serverfarm test (under class-default) will be used.
    HTH
    Syed Iftekhar Ahmed

  • ACE functionally question - SSL tunnelling / proxy on behalf of non SSL client

    Hi,
    Can the ACE perform SSL tunnelling of web services (HTTP) traffic? Can the ACE perform SSL tunnelling/proxying on behalf of a non-SSL client?
    Example:
    Client (HTTP) ---->>> (HTTP) Cisco ACE (HTTPS) ------>>>> (HTTPS) Server
    The "client" server does not support SSL.
    Can an ACE tunnel the web services traffic inside an SSL tunnel to a specific destination server on behalf of the client server (that does not support SSL)?
    Are there any other Cisco products that could be used to perform this SSL tunnelling on behalf of a non-SSL client?
    Regards

    Hello Byron,
    Yes, the ACE can do it.
    Here you have some of the flavors of SSL with the ACE.
    Here you have a sample of it:
    parameter-map type http CASE_PARAM
      case-insensitive
      persistence-rebalance
      set header-maxparse-length 65535
      set content-maxparse-length 65535
    class-map match-all CLEAR_TEXT_VIP
      2 match virtual-address 172.20.120.19 tcp eq www
    policy-map multi-match JORGE-MULTIMATCH
      class CLEAR_TEXT_VIP
        loadbalance vip inservice
        loadbalance policy POLICY_TO_ENCRYPT_TRAFFIC
        loadbalance vip icmp-reply active
        appl-parameter http advanced-options CASE_PARAM
    policy-map type loadbalance first-match POLICY_TO_ENCRYPT_TRAFFIC
      class class-default
        serverfarm ENCRYPTED-SERVERFARM
        ssl-proxy client SSL-PROXY-JORGE
    ssl-proxy service SSL-PROXY-JORGE
      key TAC-key
      cert TAC-cert
    serverfarm host ENCRYPTED-SERVERFARM
      rserver JORGE-SERVER 443
        inservice
    Here you have some additional details under the configuration guide:
    http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/ssl/guide/initiate.html
    Here you have some additional samples:
    http://docwiki.cisco.com/wiki/Cisco_Application_Control_Engine_%28ACE%29_Configuration_Examples_--_SSL_Configuration_Examples
    Hope this helps you and fixes your issue.
    Jorge

  • "SUIM User Users by Complex Selection Criteria by Role" question

    Hi all,
    Suppose the situation is:
    Composite role ZCR contains single role ZSR (profile T-001). Composite role ZCR is assigned to the two users below with different expiry dates (both users are not locked and not expired):
    UserA - 01.01.2013
    UserB - 01.01.2024
    (Case 1) SUIM -> User -> Users by Complex Selection Criteria -> by Role (either specify ZCR or ZSR): the result is:
    UserA
    UserB
    (Case 2) SUIM -> User -> Users by Complex Selection Criteria -> by Profiles (T-001): the result is:
    UserB
    Does SUIM have an error or some other assumption in Case 1? I expected the result to be UserB only.
    I know there is program PRGN_COMPRESS_TIMES to remove assignments which have already expired from all the related tables. Please let me know if the result in Case 1 is SAP standard or can be fixed by OSS notes. Thanks.
    Regards,
    Donald

    Hi Donald,
    If the user has a role with expired validity in his user master (SU01), then the expired role can still be seen under the 'Roles' tab in SU01 with its 'Valid to' date, but the role's profile is removed from the user at the role expiration date.
    So when you search for users based on roles (Case 1), SUIM lists all users who are assigned to that particular role, irrespective of expired role assignments. So in Case 1, please follow the steps below for accurate results.
    1. (Case 1) SUIM -> User -> Users by Complex Selection Criteria -> by Role (either specify ZCR or ZSR): the result is:
    UserA
    UserB
    2. Then select all users in the SUIM output (UserA & UserB) and click on the 'In Accordance with Selection' button, so that you can see the users and the (ZCR) ZSR role 'Valid to' (End Date) date for each user.
    By doing the second step here, you will get the accurate results. This is how SUIM works.
    Thanks
    Sridhar
    >point begging removed by Moderator - last warning!<

  • BEx Roles question

    /thread/750293 [original link is broken]
    Edited by: sam on Feb 20, 2008 4:18 PM

    Hello Sam,
    You have to create roles in PFCG and assign the appropriate report authorizations to the roles. For example, you can create roles for End User, Power User, etc.
    Once this is done, assign the user to the roles.
    For more details
    [Advanced Features of SAP BW Reporting Authorizations|https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/1b439590-0201-0010-ea8e-cba686f21f06]
    [Authorizations in a SAP Business Information Warehouse Project|https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/adeac294-0501-0010-5a97-9ac5d562b1be]
    [SAP NetWeaver 2004s BI Authorizations for Reporting - Webinar Powerpoint|https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/a6c54319-0e01-0010-20a4-fb81ad32f330]
    [Authorizations in a SAP Business Information Warehouse Project|https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/b014a2fa-fc1c-2a10-6ab2-e8e288de0e08]
    [Field Based Authorizations in BW BEx Queries|https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/4753ed83-0e01-0010-e186-f98413f868cb]
    [An Expert Guide to new SAP BI Security Features|https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/659fa0a2-0a01-0010-b39c-8f92b19fbfea]
    Hope it helps
    Thanks
    Chandran

  • ACE Stickiness Question

    Hi Folks,
    First of all, I am new to the job and have very little ACE experience. I work on a large campus. We have two 6513s with an ACE blade in each, and a few contexts configured for different applications. Basically the server guys have come to me and asked me to enable stickiness on one of their contexts.
    Now I am sure this is basic stuff to ye guys, but I am just wondering what I need to do? Can I implement this on the fly without causing an outage? I have cut and pasted the relevant context below, and added the changes I think need to be made. Do you guys think this will work, and will it cause any outage?
    I appreciate any help at all, guys.
    Here is the current config:
    probe tcp APPS-PROBE
      port 8080
      interval 3
      passdetect interval 5
    parameter-map type ssl SSL-APPS-ADVANCED
      cipher RSA_WITH_RC4_128_MD5
    rserver host SERVER1
      ip address 10.10.10.1
      inservice
    rserver host SERVER2
      ip address 10.10.10.2
      inservice
    ssl-proxy service SSL-APPS-PROXY
      key appfiles.pem
      cert appfilesCAcert
      chaingroup APPFILES-CHAINGRP
      ssl advanced-options SSL-APPS-ADVANCED
    serverfarm host APPS-FARM
      predictor leastconns
      probe APPS-PROBE
      rserver SERVER1 8080
        inservice
      rserver SERVER2 8080
        inservice
    class-map match-any APPS-VIP
      2 match virtual-address 10.10.10.4 tcp eq https
    policy-map type management first-match MGT-POLICY
      class class-default
    policy-map type loadbalance first-match APPS-POLICY
      class class-default
        serverfarm APPS-FARM
    policy-map multi-match APPSPOLICY
      class APPS-VIP
        loadbalance vip inservice
        loadbalance policy APPS-POLICY
        loadbalance vip icmp-reply active
        ssl-proxy server SSL-APPS-PROXY
    service-policy input APPSPOLICY
    Will adding the following to the context make stickiness work?
    sticky ip-netmask 255.255.255.255 address source STICKY-APPS-FARM
      timeout 720
      timeout activeconns
      replicate sticky
      serverfarm APPS-FARM
    policy-map type loadbalance first-match APPS-POLICY
      class class-default
        sticky-serverfarm STICKY-APPS-FARM
    I am really lost on this and only getting this from looking at stickiness on other configs. Can you guys advise whether this will work?

    Also look at the following:
    www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/configuration/rtg_brdg/guide/vlansif.html
    Autogenerating a MAC Address for a VLAN Interface
    By default, the ACE does not allow traffic from one context to another context over a transparent firewall. The ACE assumes that VLANs in different contexts are in different Layer 2 domains, unless it is a shared VLAN. The ACE allocates the same MAC address to the VLANs.
    When you are using a firewall service module (FWSM) to bridge traffic between two contexts on the ACE, you must assign two Layer 3 VLANs to the same bridge domain. To support this configuration, these VLAN interfaces require different MAC addresses.
    To enable the autogeneration of a MAC address on a VLAN interface, use the mac address autogenerate command in interface configuration mode. The syntax of this command is as follows:
    mac address autogenerate
    For example, enter:
    host1/Admin(config-if)# mac address autogenerate
    To disable MAC address autogeneration on the VLAN, use the no mac address autogenerate command. For example, enter:
    host1/Admin(config-if)# no mac address autogenerate

  • Basic ACE Design Question

    Hi All,
    In the network layout below, does the ACE need to be set up in routed mode to work? Can it also be set up in bridged mode in this scenario?
    Network Cloud <--> Firewall <--> ACE <--> Router <--> Server Farm.
    Any references would also be greatly appreciated.
    Thanks in advance.
    HH

    You only need the servers adjacent if you do transparent load balancing, which means you do not NAT the virtual IP to the server IP.
    Instead the servers are configured with a loopback IP address the same as the VIP on the load balancer.
    You can always bridge between 2 VLANs, and this is possible in your case.
    However, I don't see the need to insert a router between the ACE module and the servers.
    Can't you have the ACE module inserted between the router and the servers?
    Or get rid of the router and have the servers directly connected to the ACE VLAN, using the firewall as gateway?
    Gilles.
