ACL on Users

Hi, I have written the following function to create my own ACL and effect the same on the groups and a particular folder. Though the ACL object gets created and gets listed in the web browser view, when I click it I am not able to view the details; instead, I get a window saying "Unable to modify the ACL details". The same problem persists in the IFSMANAGR console also.
Also, the ACL does not really work for the user; that is, the user who should not view the folder is able to view it, even though the ACL is applied.
I would be very grateful if someone could scrutinize the code below and explain to me the reason for the above behaviour.
public ISecurityPolicy createSecurityPolicy( String[] permissions,
        oracle.ifs.beans.Group aGroup, LibrarySession ifs, String name ) {
    try {
        // Build the access level from the permission names passed in
        AccessLevel permission = new AccessLevel(permissions);
        // One ACE granting that access level to the group
        AccessControlEntryDefinition aceDef = new AccessControlEntryDefinition(ifs);
        aceDef.setAccessLevel(permission);
        aceDef.setGrantee( aGroup.unWrap() );
        // ACL definition holding the single ACE
        AccessControlListDefinition ACLDef = new AccessControlListDefinition(ifs);
        ACLDef.addAceDefinition(aceDef);
        ACLDef.setName(name);
        // new_acl is declared outside this method (declaration not shown in the post)
        new_acl = (AccessControlList) ifs.createPublicObject(ACLDef);
        System.out.println("THE NEW ACL CREATED <Security policy> :" + new_acl.getName());
        return this;
    } catch (Exception e) {
        System.out.println("Error in the creation of the security policy <SECURITY POLICY > :" + e);
        return null;
    }
}
Thanks in advance,
Raja

Which user are you creating the ACL as? Which user are you using when you try to access the ACL via iFSManager or the WebUI?
Remember that when an ACL is created it inherits the default ACL of the user who created it. This means that in order to edit an ACL the user attempting to modify the ACL must have permission to update it.
I need much more information in order to be able to determine what you are trying to achieve and why it is not working.
Can you post the complete source to the class that contains the method in your earlier post.
If this class is not ISecurityPolicy please post the code to this class too.
Also where does oracle.ifs.beans.Group come from. The iFS Class which represents a Group is DirectoryGroup. If oracle.ifs.beans.Group is your own class please supply source.
Please post the code that shows how you set up the arguments to createSecurityPolicy. I need to see what permissions contains and where aGroup comes from.

Similar Messages

  • Downloadable ACL for users only?

    Hello all,
    in ACS 5.4 I need customized ACL for users only.
    My scenario:
    There is a way to use some "Downloadable ACLs" in an authorization profile, but I want to define specific ACLs for some exceptions. For example: User A and user B get authorization profile "X". But user B is not allowed to access on a host. This "Deny rule" I will configure with custom attributes in the internal user store.
    Is that possible? How can I implement this rule?
    best regards,
    Stefan

    Hi,
    You can do this by following these steps:
    1. Set a user-defined dictionary attribute under System Administration > Dictionary > Identity > Internal Users. Name it what you want and make sure the value is a string.
    2. Create the DACL in Named Permission Objects under the policy elements section.
    3. Under the user account you will now see a field for the dictionary name you chose in step 1. Make sure the field matches the DACL you created in step 2.
    4. Create your authorization profile. Under "common tasks", set Dynamic as the DACL drop-down, select Internal Users and set the value to the attribute you created in step 1.
    5. Map the authorization policy to the access policy using the conditions that will give you these results.
    6. Test and you should have what you are looking for.
    Thanks,
    Tarik Admani
    *Please rate helpful posts*

  • CUP user import: what XML field to use to set default ACLs for user?

    Can someone please tell me what XML tags to use within the import file (via CUP) to set the default Document and Folder ACLs respectively to Public and Protected.
    Thanks!
    Brian

    brian,
    Did you ever figure out how to assign a default ACL to a user using XML? If so, could you show me how to do it? Thanks.

  • ACLs and users

    Hello,
    I want to find out if I can create a custom ACL in which I restrict my users from being able to see the groups or ACLs when they log in to the web interface?
    i.e. they should just be defaulted to their home folder..
    Please, let me know.

    Hi GB,
    take a look at: http://technet.oracle.com:89/ubb/Forum36/HTML/000210.html
    this should do ...

  • ACL and user with more than one group

    I have a (simple) question, but I couldn't find the answer in the docs :(
    My problem is:
    I want to have users in Tuxedo which belong to more than one ACL group. Each
    of these groups has some special rights, i.e. group A could execute services K,L,M
    and group B could execute services M,N,O. If my user belongs to groups A and B,
    which rights does it have? Are its rights the sum of the rights of the groups or the common part of
    them? I will be very grateful for a link to docs talking about it ....
    Best regards
    Dominik Michniewski

    user3715462 wrote:
    Hi All,
    it's just a question
    we're using R12 12.1.3 db: 11Gr2 on OUL5x64
    is it possible for an oracle user that can have more than one email address?
    i add 2 email addresses in E-MAIL box
    and it did not seem to work.
    Thanks in advance.
    Regards,
    What email addresses are you referring to? Is this at the OS level or the database/application level? Please elaborate more.
    Thanks,
    Hussein

  • XCOPY folder with ACL - limited user

    Hi there,
    I created another post here, but I think that's the wrong place for it. Apologies for double posting.
    I am trying to get one of my "limited users" to run a batch file which creates a folder from a template folder. The template folder has specific ACLs, but the user attempting to run it receives "Access is denied".
    batch content:
    xcopy "\\server\templatefolder" "\\server\newfolder\" /O /X /E /H /K
    The user running this batch is a limited user (Domain user but not part of the Local admin group)
    Windows 7 x64bit
    UAC is turned on
    Software Restriction Policy is in place but this particular batch file is allowed to run
    Apparently "/O" is what triggers "Access is Denied". Any idea what permissions the user needs in order to run with "/O"? Adding the user to administrators, domain admin group is out of the question.
    I tried changing the ownership of the template folder to that user, no go.
    Thank you,

    Hi,
    First I would like to know if the issue is denied in copy files from the source folder, or copy files to the target folder.
    To confirm you can give the user full control on target folder and try again.
    And if "Apparently /O what triggers Access is Denied" means you have already confirmed that it is the source folder, what's the current user permission?
    I think it is easy to test: create a test user with the same permissions as the "limited user", and give it 1 permission at a time to find out the exact missing one.
    /O means "Copies file ownership and ACL information" so I think "Read permission" is needed. "Read attributes" may also be needed. I'll go and do a test as well.

  • ACL rights assignment in new user script

    I've been tasked with converting an old new-user script that runs at least once a day written in VB to PowerShell. This script takes as input a CSV file we get from HR that has all necessary info and creates a user, adds them to specific groups based on the info in the CSV, enables their Exchange mailbox, and creates their home directory. I'm having a bit of trouble planning out the rights assignment part on the user home directory; I need to be able to add the specific user (set by variable at the beginning of the script) and three static groups. What is the best way to do that? I can easily grab outside modules if needed (a section of my script checks for and if necessary installs modules and adds snap-ins), but I'd rather keep this 100% PowerShell - no icacls or outside commands.
    Any suggestions?
    Thank you in advance.

    Here's what I came up with for the File System Stuff:
    foreach ($user in $userlist)
    {
        $samaccountname = $user.empid
        $FQN = "domain\" + $samaccountname
        $homedirpath = "\\fileserver\users\$samaccountname"
        new-item -ItemType directory -path $homedirpath -force
        #Set ACLs for user and required groups
        $homedir_acl = get-acl $homedirpath
        $acl_access1 = 'domain\HomeDirectory Admins'
        $acl_access2 = "domain\$samaccountname"
        $fullrights = "Fullcontrol"
        $modifyrights = "Modify"
        #Apply to this folder, subfolders and files
        $inheritrights = "ContainerInherit,ObjectInherit"
        $rule1 = new-object system.security.accesscontrol.filesystemaccessrule ($acl_access1, $fullrights, $inheritrights, "none", "Allow")
        $rule2 = new-object system.security.accesscontrol.filesystemaccessrule ($acl_access2, $modifyrights, $inheritrights, "none", "Allow")
        $homedir_acl.addAccessRule($rule1)
        set-acl $homedirpath $homedir_acl
        $homedir_acl.addAccessRule($rule2)
        set-acl $homedirpath $homedir_acl
        #Set owner on home directory
        $owner = New-Object System.Security.Principal.NTAccount($FQN)
        $homedir_acl.setowner($owner)
        set-acl $homedirpath $homedir_acl
    }

  • Need Users and ACL permission for KM Reports

    Hello Experts,
    I need your help with one requirement, in which I need to provide a list of users with the ACL permission of each report from KM. There is a huge number of reports, so it is quite time consuming to open each report and check the ACL and user from KM.
    Is there anything so that I can get the list of users with the ACL permission for each report?
    Any help will be appreciated with points.
    Regards
    AK

    Hi AK,
    I misunderstood your query. If you just want to check the permissions of all reports then you can use the default permission report available in Content Administration->KM Content->toolbox->reports->permission report.
    http://help.sap.com/saphelp_nw04/helpdata/en/fe/5290412facac5fe10000000a1550b0/frameset.htm
    If you could not find the report contact basis team to do the configuration
    http://help.sap.com/saphelp_nw04/helpdata/en/07/dad131443b314988eeece94506f861/frameset.htm
    Naga

  • How to create a mail-only user

    In WGM I need to have several users that have access to an e-mail account only, they never should get ftp access (or even terminal SSH, telnet, etc.).
    So I solved this (at least I think so) by doing the following settings:
    (1) "Accounts" section, concerned user: "Advanced" tab, "login shell" set to "None".
    (2) "Home" tab, no home directory chosen.
    I tried then to login via ftp as such a user, which was refused. But the message was just "login failure" so I'm unsure if I simply misspelled the password (I tried it five times, so not realistic) or whether or not this has worked.
    Somewhere else I got the advice to also create an ACL list for the "Sharing" folder - but since this user has no home directory and no shell, I feel that this is not necessary, nor does it make sense (I have a lot of users that change sometimes and creating one ACL per user is quite complex).
    Can an expert of this forum tell me if it is sufficient what I did to the user's account preventing them to login via ftp, but still are able to send/receive mails ?

    Since no one of the discussions could verify this, I called Apple today and asked them. Although I had some concerns about the knowledge of the operator I talk with, he has confirmed that anything was done correctly.
    Should Apple or I be wrong, please let me know how to better solve this problem.

  • Permissions for Linux user accessing Leopard share

    We have a very simple networking setup at our video post production facility. Basically, files are shared everywhere and to everyone. No open directory or DNS serving. Just AFP and SMB.
    Our Linux-based Smoke/Flame/Lustre system needs access to the files served/shared by an Xserve with a big attached RAID. It has no problem connecting or seeing the files. However, it typically is denied write permissions. When the Smoke operator creates a folder on the share he can't access the folder until I grant the Others/Everyone group read and write perms. The Linux user logs in with the same user account that everyone else uses.
    Some time ago, the always smashing Gerrit DeWitt gave me some terminal commands to set ACLs for users/groups of this shared RAID. They work beautifully and I have had no permissions issues since applying them. Except for this Linux system.
    Would it be good practice to use this command to set the Everyone group permissions for this share?
    sudo chmod -R +ai "group:everyone allow readattr,readextattr,readsecurity,\
    list,search,read,execute,writeattr,writeextattr,delete,\
    append,write,delete_child,add_file,add_subdirectory,\
    file_inherit,directory_inherit" "/Volumes/RAIDH/Smoke_InfernoStorage"
    Also, is there some configuration change I could make to the Linux system to make it a little more Mac compatible in this area?
    Thanks

    It's worth checking into - let us know what you find. What you describe certainly sounds like a problem with permission propagation settings for SMB / Samba since the AFP side works fine.
    I've seen other posts about problems that crop up because of differences in the versions of Samba employed between systems, so that's a possibility as well. And I'd have no suggestions for you in that regard other than some searching of the web for clues as to how to work with that issue.
    -Doug

  • ISE Authorization PermitAccess - EPM-HOLE-ACL

    Hello,
    I have a 6509 switch that is running 12.2(33) SXI9 code that has a unique issue. When the client connects they are authenticated and match an authorization profile that gives the default PermitAccess. Unfortunately at this point the client can only access what it is allowed in the ACL-DEFAULT.
    When I look at the logs I see:
    Mar 27 18:14:02 EDT: %EPM-6-POLICY_APP_SUCCESS: IP aa.cc.dd.ee | MAC 001a.1111.2222 | AuditSessionID AC10FB8A0000007101BDF21B| AUTHTYPE DOT1X| POLICY_TYPE Named ACL| POLICY_NAME EPM-HOLE-ACL| RESULT SUCCESS
    What is this Named ACL EPM-HOLE-ACL? This ACL is not defined in ISE or the switch.

    Kyle,
    I do not know what the EPM-HOLE-ACL is, but found it a little comical. However, it is true that you have to apply another DACL to override the default ACL which is applied on the port. Keep in mind you will also run into this issue if you decide to (I am basing this off the 2k 3k behavior) set a guest VLAN if the RADIUS server is dead; because of this default ACL the users will not be able to get anywhere outside of that ACL.
    There is a feature enhancement in the works to provide an ACL if the RADIUS server is dead or when authentication fails, etc. However I think this all ties back into your question, that if there isn't a DACL assigned to override the port ACL then this seems to be the behavior.
    Tarik Admani
    *Please rate helpful posts*

  • Hiding Users in IFS

    I am trying to hide users in a certain group from users in another group in IFS. I would like each group to only see those users in their specific group.
    When I apply an ACL to users in one group so other groups can't see them the other users also CANNOT access files uploaded by those in the first group.
    Is there anything I can do or do users have to be visible to those who would access files uploaded by those users?
    Thanks,
    Matt

    If I've understood your problem, you could do this:
    Create a new ACL (documentsACL, for instance).
    Put both groups in the ACL entry list, giving them both the necessary rights.
    Then, for the new documents created by each groups you must give this new ACL, not the user default.
    Try that and reply if it's ok or not.
    Bye.
    Felippe Neto

  • Users & Groups not in Get Info options

    When opening a Get Info window to change Sharing & Permissions, adding a new entry to the list shows maybe 4 options when the OS has dozens of users & groups. Why are standard options like "staff" not showing up?

    I need to enable a folder to be read/write by "staff" for a specific application I am using, and the new GUI isn't allowing me to do that
    What app is it? Why does it require you to do this? What folder is it that you want to modify? What are you trying to achieve? More than likely there is a better way to do it, or it may not be needed in the first place.
    Lasso web application. In order to execute file editing commands (read txt files, write them, manipulate uploads, etc), the target file/folder must have, under the POSIX rules of 10.4, either an owner of "lasso" (a user created by the software), or the group of "staff."
    In order to make the source code files themselves easy to administer on the server, I typically have always left owner as the main user I log into the system with, and set group to staff. This is the most convenient configuration for ≤ 10.4 systems.
    In 10.5, after copying files to servers I'm seeing a mixture in the Get Info ACL of {user owner}, admin, and everyone in some systems, and {user owner}, staff, and everyone in other systems. Haven't tracked down why the difference (I suspect preservation of permissions somehow during the copy). Even when staff is in the ACL, it's not a part of the options the GUI presents.
    Anyway, I was trying to take advantage of the ACL in allowing two otherwise separate users/groups to have some shared access, and needed "staff" as a group for these files.
    I didn't just use the chgrp command as I don't yet know the consequence of using POSIX commands on what I want to be ACL controls. So, am trying to do some digging into all that now. I was just thrown by the lack of visibility of all the usual user & groups options I am used to seeing in ≤ 10.4.

  • Get-ACL command help

    Hey all
    I am trying to use PowerShell to query the security permissions of all my Active Directory users that do not have a certain group assigned to them in the Security tab, i.e. Account Operators.
    I can use the PowerShell command
    (Get-ACL 'AD:\CN=myuser,CN=Users,DC=mydomain,DC=com').Access | ft IdentityReference,AccessControlType -A
    to pull all the permissions for one user, but I cannot see a way of filtering it for the missing group and scanning all users.
    I have tried to use dsquery and pipe the data to powershell with not much success
    Powershell is on server 2012
    Any suggestions

    Hi hellopaul,
    Please try :
    $users = (get-aduser -filter *).distinguishedname
    foreach ($user in $users){$user;(get-acl "AD:\$user").access | ft identityreference,accesscontroltype}
    Hope it helps
    Best Regards
    Elton Ji
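Added example (not part of the original thread or either poster's code): a variant of the loop in the answer above that reports only the users whose ACL has no entry for a given identity, which is the filtering the question asks about. The identity string `BUILTIN\Account Operators` and the function name `Test-AceIdentityPresent` are assumptions chosen for illustration.

```powershell
# Added example; names marked "assumption" are not from the thread.
Import-Module ActiveDirectory   # provides Get-ADUser and the AD: drive

# Assumption: the identity to look for, written the way it appears in the
# IdentityReference column of (Get-Acl ...).Access output.
$expectedIdentity = 'BUILTIN\Account Operators'

# Hypothetical helper: returns $true if any ACE (allow or deny, inherited or
# explicit) in the rule collection names the given identity.
function Test-AceIdentityPresent {
    param(
        [Parameter(Mandatory)] $AccessRules,
        [Parameter(Mandatory)] [string] $Identity
    )
    foreach ($rule in $AccessRules) {
        # -eq on strings is case-insensitive in PowerShell
        if ($rule.IdentityReference.Value -eq $Identity) { return $true }
    }
    return $false
}

# Walk every user object and keep only those with no ACE for the identity.
$missing = foreach ($user in Get-ADUser -Filter *) {
    $dn = $user.DistinguishedName
    try {
        $rules = (Get-Acl -Path "AD:\$dn" -ErrorAction Stop).Access
    }
    catch {
        # The account running the audit may not be able to read every ACL;
        # report those objects instead of silently counting them as "missing".
        Write-Warning "Could not read ACL for $dn : $_"
        continue
    }

    if (-not (Test-AceIdentityPresent -AccessRules $rules -Identity $expectedIdentity)) {
        [pscustomobject]@{
            SamAccountName    = $user.SamAccountName
            DistinguishedName = $dn
            AceCount          = @($rules).Count
        }
    }
}

$missing | Sort-Object SamAccountName | Format-Table -AutoSize
```

Piping `$missing` to `Export-Csv` instead of `Format-Table` keeps the result for comparison between audit runs.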

  • ACL and posix conflict? Can't get folder access to work properly

    We have a folder on our website that all employees need to be able to write to, but they do not need to be able to create folders or delete anything. There is a second group with full permissions to the folder.
    ACLs:
    Upload Full Access - R&W
    Company Access - Custom (full read, write does not include: create folder, delete, delete subfolders and files)
    POSIX:
    O: _www : R
    G: Company Access : R
    E: None
    The full access group is easy and works perfectly.
    The limited group is a pain and the permissions don't work 100% the way needed.
    With that setup, they cannot create new files at all.
    If I set G: R&W, then they have free rein as the ACL is being ignored.
    If I set G: R, then they have no write abilities as the ACL is being ignored.
    With either group setting, if I grant "create folder" permission in the custom ACL, then users can create folders and they have full create/delete permissions within the new folders, but this is what I need to prevent, not allow.
    I've never had a problem setting up a share with strange ACL access permissions before. Does this directory hate me? I'd like to do this without having to create another user group.
    Suggestions?

    Hi,
    Yes, the GUI of ServerAdmin won't add the <Directory> config sections to the apache config file. Read about that <Directory> config section, look at /etc/apache2/httpd.conf and /etc/apache2/sites/0000SOMETHING.
    The good news is once you put the <Directory> config sections in there, it will stay there.
    In some ways the GUI of ServerAdmin is bad, in that it is just adding text lines to your apache config file, and it doesn't always know what to add, whereas if one must do one's own typing in the config file, then one is aware of what is in there and what it is doing.
    I ran into a similar issue. But do read the config files, and the apache.org documentation. It is good documentation, and the config files are pretty clear to follow.
