ACL on VersionSeries and VersionDescriptions

Similar Messages

• Query: Setting ACL for Roles and Programmatic Approach

  Hi All
  I'm trying to setup ACL for Roles on WCC(11.1.1.8) server by following the blog https://blogs.oracle.com/kyle/entry/access_control_lists_for_roles using Framework folder and have few queries
  Query 1:
  Created new folder and associate enterprise roles under Role access list
  1. Created a new folder 'MyFolder' with Security group 'Secure', owner 'weblogic'.
  2. Assigned Role 'Deployers' under Role Access List with RW permissions.
  3. In Admin console, associated user 'jcooper' with 'Deployers' group and 'jausten' with no group.
  4. Logged in using 'jcooper' and able to assess 'Myfolder'.
  5. Logged in using 'jausten' and also able to assess 'MyFolder'
  Observation
  Since user 'jausten' is not associated with 'Deployers' group, how can 'jausten' assess the folder? Am I missing some configurations here. Please let me know setup steps to achieve this functionality in desired manner.
  Query 2:
  Created a prototype using RIDC to create a folder programmatically and assigning RAL to the created folder
          DataBinder requestData = client.createBinder();
          requestData.putLocal("IdcService", "FLD_CREATE_FOLDER");
         requestData.putLocal("fParentGUID", getFolderGUID("/"));
          requestData.putLocal("fFolderName", "TestFolder");
          requestData.putLocal("xClbraRoleList", ":Deployers(RW)");
          ServiceResponse  updateResponse = client.sendRequest(connectionContext, requestData);
  Observation
  Folder got created successfully, but 'Deployers' Role not assigned under Role access list.
  Query 3:
  Created a prototype using RIDC to assign enterprise roles to the existing folder
          DataBinder requestData = client.createBinder();
          requestData.putLocal("IdcService", "FLD_EDIT_FOLDER");
          requestData.putLocal("fFolderGUID", getFolderGUID("/TestFolder"));
          requestData.putLocal("path", "/TestFolder");
          requestData.putLocal("xClbraRoleList", ":Deployers(RW)");
          ServiceResponse  updateResponse = client.sendRequest(connectionContext, requestData);
  Observation
  Role got associated with folder under Metadata section, whereas folder information section does not contain the reference of updated role e.g. Edit Folder Information section on WCC UI not showing the added role, whereas Edit Metadata values section of UI showing this role.
  Please suggest what I'm missing in configuration/code and appropriate way to achieve the functionality.
  Thanks.

  Thanks Jonathan!!
  Query 2 and 3 answered by this setting and it worked fine.
  Could you please also assist on Q.1
  Query 1:
  Created new folder and associate enterprise roles under Role access list
  1. Created a new folder 'MyFolder' with Security group 'Secure', owner 'weblogic'.
  2. Assigned Role 'Deployers' under Role Access List with RW permissions.
  3. In Admin console, associated user 'jcooper' with 'Deployers' group and 'jausten' with no group.
  4. Logged in using 'jcooper' and able to assess 'Myfolder'.
  5. Logged in using 'jausten' and also able to assess 'MyFolder'
  Observation
  Since user 'jausten' is not associated with 'Deployers' group, how can 'jausten' access the folder?
  Am I missing some config?

• Get-ACL Error Continuation and Server List

  Hi All,
  I'm conducting an audit of all folders on network shares that are spread accross several servers.  I'm very new to PS but from my research I have put together the following:
  Get-ChildItem \\server\share -Recurse | Where-Object{($_.psiscontainer)} | Get-Acl | select-object path -expandproperty access | Export-CSV results.csv
  This has been working ok but I hit an 'unauthrosied operation' error when it trys a folder that I do not have permissions to (i'm running as domain admin).  That's fine but it's a termination error which I can't seem to work around.  I have tried
  things like -ErrorAction SilentlyContinue but it just stops without producing the error and will not continue.  I have also tried a try and catch which I found on Technet but can't seem to get the -recurse to work:
  $fse = Get-ChildItem \\server\share -recurse | Where-Object{($_.psiscontainer)}
  $fse | %{$f=$_; try { get-acl $_.FullName } catch { Write-Warning "Failed to access $($f.FullName)" }}
  I've tried my best to get the code to continue after the error but I just can't see what I am doing wrong.  Any ideas?
  Also, I have many many shares to test which are all listed in a spreadsheet.  I'm been trying to research how I can use this spreadsheet instead of writing in the server and share for every one I want to test.  However this is now going way above
  my head and I can't get anywhere near to a semi-working example.  Is there a way I can use the above to reference a spreadsheet and test each share that is listed?
  Many Thanks.

  OK I have got it to run by using
  try
  Import-csv .\test.csv | % {Get-ChildItem $_.Servername -Recurse -ErrorAction Stop| Where-Object{($_.psiscontainer)} |
  Get-Acl | select-object path -expandproperty access | Export-CSV results.csv }
  }Catch{
  $_.Exception
  continue;
  However it still terminates when it gets to a folder it does not have the permission to access the ACL.
  I'd add a separate ForEach-Object call for each object returned from Get-ChildItem. Does this work?
  Import-Csv .\test.csv | ForEach-Object {
  Get-ChildItem $_.Servername -Recurse | Where-Object { $_.PSIsContainer } | ForEach-Object {
  try {
  $Path = $_.FullName
  $_ | Get-Acl | Select-Object Path -ExpandProperty Access
  catch {
  # You can ignore this, write a warning, send this to a separate file, etc
  Write-Error ("Error calling Get-Acl on '{0}': {1}" -f $Path, $_.Exception.Message)
  } | Export-Csv results.csv
  That will simply write any errors to the screen. Is that good enough, or did you want to store them somewhere?

• ACL missing fix and other general permissions fix

  i've been having huge preferences and permissions problems since upgrading to mavericks.
  i've repaired my permissions and i keep having the "ACL missing" or "ACL found but not expected" results.
  i've read some places that you don't need to fix them they don't hurt anything, but they're annoying as **** and
  i would still like to make them go away to see if it fixes my permission and preferences problems, like photoshop
  preferences resetting all the time.
  it would be great if anyone could give me a link to a fix or any ideas.  thanks.

  I found the same problem on my Mac but this did not happen immediately after installing Mavericks. I really have no clue how it happened. The fix is (appropriate buyer beware fine print) is to either use ACLr8 or to do it manually in a Terminal session. It worked with mine. I found this fix on the net somewhere (cannot remember where though).
  For example with the iTunes folder -
  sudo chmod -RN /Applications/iTunes.app
  (enter your user password when asked)
  Just repeat this with all other folders reported in Disk Utility.
  I would hesitate applying this fix at the / folder since it may be possible some files/folders require the special ACL permissions.

• Extended ACL permit ip and allowed ports

                     Hi everyone
  Need to confirm if we have extended ACL with object group below
  access-list xy_access_in extended permit ip object-group xy_subnets object-group cisco_ynetworks
  will above ACL allow all the ports  on the destination object group?
  Thanks
  mahesh

  And to illustrate the situation above
  Situation 1 - Only allow rule exists on the ACL
  object-group network SOURCE
  network-object 10.10.10.0 255.255.255.0
  network-object 10.10.20.0 255.255.255.0
  object-group network DESTINATION
  network-object 10.10.100.0 255.255.255.0
  network-object 10.10.200.0 255.255.255.0
  access-list SOURCE-IN permit ip object-group SOURCE object-group DESTINATION
  The above ACL would
  Allow ALL TCP/UDP source and destination ports
  Allow those from the source networks of SOURCE to the destination networks of DESTINATION
  Situation 2 - Deny rules exist before the allowing rule
  object-group network SOURCE
  network-object 10.10.10.0 255.255.255.0
  network-object 10.10.20.0 255.255.255.0
  object-group network DESTINATION
  network-object 10.10.100.0 255.255.255.0
  network-object 10.10.200.0 255.255.255.0
  access-list SOURCE-IN deny ip host 10.10.10.10 host 10.10.100.100
  access-list SOURCE-IN deny tcp host 10.10.10.10 host 10.10.200.200 eq 80
  access-list SOURCE-IN permit ip object-group SOURCE object-group DESTINATION
  The above ACL would
  First block ALL TCP/UDP traffic from host 10.10.10.10 to host 10.10.100.100
  It would also block TCP traffic from host 10.10.10.10 to host 10.10.200.200 on the destination port TCP/80
  It would then allow ALL TCP/UDP traffic from the source networks of SOURCE to the destination networks of DESTINATION
  The key thing to notice ofcourse would be that we have blocked some traffic on the first 2 lines of the ACL and then allowed ALL TCP/UDP traffic.
  So host 10.10.10.10 cant communicate with host 10.10.100.100 on any port since the "deny" rule for that is at the top of the ACL BEFORE the rule that allows ALL TCP/UDP traffic between these networks.
  In the other case the TCP/80 destination traffic from host 10.10.10.10 to host 10.10.200.200 would be blocked BUT rest of the TCP/UDP traffic would be allowed by the rule using the "object-group"
  - Jouni

• AnyConnecy VPN and Split-tunnel ACL - Strange...

  Hi,
  I have ACL as follows and applied on AnyConnect VPN group as split-tunel value ACL.
  access-list SPLIT-ACL extended permit tcp host 192.168.200.63 172.16.1.0 255.255.255.0 eq www
  access-list SPLIT-ACL extended permit tcp host 192.168.200.63 172.16.1.0 255.255.255.0 eq https
  When I connected with AnyConnect client, I can ping to 192.168.200.63 and also telnet to port 80. However I can not telnet to port 443. Strange thing is I do not see any hits on above ACL, morever I'm wondering how cam the ICMP is working and why it does not stop on this ACL..?
  Phase: 4
  Type: ACCESS-LIST
  Subtype:
  Result: DROP
  Config:
  Implicit Rule
  Additional Information:
  Forward Flow based lookup yields rule:
  in  id=0x78e03140, priority=11, domain=permit, deny=true
          hits=113713, user_data=0x5, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
          src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
          dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
          input_ifc=outside, output_ifc=any
  When I did the packet-tracer both ICMP and http it just drop on Phase 4..as bellow, I just want to know what this ACL and where its been applied to..?
  What is the correct syntax for packet-tracer command when troubleshooting AnyConnect VPN to check access inside/dmz server..?
  I have used as follows:
  packet-tracer input outside icmp 172.16.1.1 0 8 192.168.200.63 details
  Appreciate if someone can help me out on this..
  thanks

  To start with it is not ideal to configure a port based split tunnel. It is not support and will give you weird results like one you are experiencing. You should use standard access-list for the split tunnel and to restrict the users to the following port use vpn filter.
  As far as packet tracer is concerned for the VPN client if you use the outside interface as source it will never work the reason is the connection between the ASA and the client is of real IP address (Public) and the traffic that you are testing with is a VPN encrypted traffic your ASA's outside interface doesn't know what is 172.16.1.1, he will check it against the outside access-list and will drop it.
  So in your case i would strongly recommed that use standard access-list for the split tunnel and to restrict the user to specific port use vpn filter. Following are the links to configure the same:
  Allow Split Tunnel for Anyconnect:
  http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080975e83.shtml
  Configure VPN filter (Its for site to site and remote access but it works the same for Anyconnect):
  http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml
  Thanks
  Jeet Kumar

• Anti spoof acl and cisco 7606

  Hi all,
  I have strange problem with anti spoof access-list which I would like to set up in cisco 7606 with 7600-PFC3CXL. So I made an access-list which is in [1.] and set up on interface Te1/1 like this [2.], but there are no match in output direction? Why? Well I made a test with [3.] but no matchs in access-list and ICMP was working than I made change [4.] and yeap icmp was not working and I have seen match in input direction good. It looks like that output direction in acl not working so I removed line 1 inc acl [4.] and icmp still not working and acl [3.] started matching icmp in line 1? Why? Can anybody help me? Thanks.
  Karel
  btw.> I tried solve this problem with this links:
  http://www.cisco.com/en/US/docs/routers/7600/ios/12.2SR/configuration/guide/acl.html
  http://www.cisco.com/web/about/security/intelligence/acl-logging.html
  [1.]
  Extended IP access list anti_spoof_Te1/1_input
  10 deny ip 10.0.0.0 0.255.255.255 any
  20 deny ip 172.16.0.0 0.15.255.255 any
  30 deny ip 192.168.0.0 0.0.255.255 any
  40 deny ip 127.0.0.0 0.255.255.255 any
  50 deny ip 194.79.52.0 0.0.3.255 any
  60 deny ip 0.0.0.0 0.255.255.255 any
  70 permit ip any OUR CIDR
  80 permit ip any host BGP Neighbor
  90 deny ip any any
  Extended IP access list anti_spoof_Te1/1_output
  10 deny ip any 10.0.0.0 0.255.255.255
  20 deny ip any 172.16.0.0 0.15.255.255
  30 deny ip any 192.168.0.0 0.0.255.255
  40 deny ip any 127.0.0.0 0.255.255.255
  50 deny ip any 0.0.0.0 0.255.255.255
  60 deny ip any OUR CIDR
  70 permit ip host BGP Neighbor any
  80 permit ip OUR CIDR any
  90 deny ip any any
  [2.]
  ip access-group anti_spoof_Te1/1_input in
  ip access-group anti_spoof_Te1/1_output out
  [3.]
  Extended IP access list anti_spoof_Te1/1_output
  1 deny icmp host from OUR CIDR host in INTERNET log-input
  10 deny ip any 10.0.0.0 0.255.255.255
  20 deny ip any 172.16.0.0 0.15.255.255
  30 deny ip any 192.168.0.0 0.0.255.255
  40 deny ip any 127.0.0.0 0.255.255.255
  50 deny ip any 0.0.0.0 0.255.255.255
  60 deny ip any OUR CIDR
  70 permit ip host BGP Neighbor any
  80 permit ip OUR CIDR any
  90 deny ip any any log-input
  [4.]
  Extended IP access list anti_spoof_Te1/1_input
  1 deny icmp host from INTERNET host from OUR CIDR
  10 deny ip 10.0.0.0 0.255.255.255 any
  20 deny ip 172.16.0.0 0.15.255.255 any
  30 deny ip 192.168.0.0 0.0.255.255 any
  40 deny ip 127.0.0.0 0.255.255.255 any
  50 deny ip 194.79.52.0 0.0.3.255 any
  60 deny ip 0.0.0.0 0.255.255.255 any
  70 permit ip any OUR CIDR
  80 permit ip any host BGP Neighbor
  90 deny ip any any

  Following links may help you
  http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801a1a55.shtml
  http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml

• ACL and Folder G component

  Hi,
  I want to know if in UCM 11g Access control list functionality is applicable for Folder G component or only for Framework folder component
  Thanks in advance

  Thanks Jiri and Srinath,
  I set config variables according to the documentation and to your post, set ACL security group and create a role with RW privilige to ACL Security group, assign this role to user1 and user2.
  In checkin page i see the metadata fields. I have checked in a document and assign ACL as Security group and in ACL i put only user1 with RW access to this doc. After check in it occures that user2 has RWD
  access to this document. It should only user1 to have access. What i have missed or done wrong ?

• ACL and HSRP

  Nexus 5596UP
  Regarding RACLs and HSRP
  How many HSRP groups does the Layer3 module support ?
  The Layer 3 module supports 2048 Racls .. What does that mean`?
  Is that the number of entries or the number of acls its supports ( and the acl can be as big as you want? )
  Iam looking at but it dont quite understand it...
  http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9670/white_paper_c11-682225.pdf
  Best Recards
  Thomas
  Zitcom A/S

  Not true. You example is 2 RACL. Please see the following output:
  switch# sh run int e1/1
  !Command: show running-config interface Ethernet1/1
  !Time: Fri Aug 19 01:20:56 2011
  version 5.0(3)N1(1a)
  interface Ethernet1/1
    ip access-group test in
    no switchport
    ip address 1.1.1.1/24
  switch# sh run | sec access-list
  ip access-list test
    10 permit ip 1.1.1.1/32 2.2.2.2/32
    20 permit ip 2.2.2.2/32 3.3.3.3/32
    30 permit ip 3.0.0.0 255.0.0.0 1.0.0.0/24
  switch# sh ip access-list sum
  IPV4 ACL test
          Total ACEs Configured: 3
          Configured on interfaces:
                  Ethernet1/1 - ingress (Router ACL)
          Active on interfaces:
                  Ethernet1/1 - ingress (Router ACL)
  HTH,
  jerry

• Default acl permissions for root and user?

  after running permissions i keep getting acl permissions changed and will repair. Apparently it doesn't. Is their a manual way of resetting to defaults for both root and user.

  Turns out they didn't change themselves, but authentication got out of whack. This post fixed it for me, but I just jogged access on ical and blogs. Not sure which or both is needed, but after I toggled them over and back I was up and running again.
  <SNIP>
  Solution found athttp://michaeljin.wordpress.com/2010/01/05/locked-out-of-mac-os-x-server/
  It’s blog update time! Updates have been a little scarce lately, been super busy with getting trophies on PS3
  Anyway, recently encountered the following with a Mac mini server running Snow Leopard Server:
  Despite being able to ARD / Screenshare the Mac mini, I was unable to get any further than the login window. Authentication credentials are obviously valid. No weird access permissions have been set. However, the weird thing was, I can connect to the server via Server Admin tools (from another Mac) and all other services were running without a hitch.
  After much head scratching it turns out to be a sACL (Service Access Control List) issue.
  This thread solved the mystery!
  http://discussions.apple.com/thread.jspa?threadID=1654864
  To save you the trouble, I’ll lay it out here. I cannot take credit for this, but Randall can!
  Open Server Admin on a computer (any), and connect with the local admin to the machine.
  Select the server and authenticate.
  Select Settings, then go to Access. You’ll want to make sure that Login Window and SSH have the local admin account listed if you select the option to “Allow only these users”. For now, I would suggest making sure all services have “Allow all users and groups” selected.
  If (as in my case) it was set to Allow All in the first place, simply toggle the settings – back and forth.
  Save.
  Try logging in again… should be a good one!
  </SNIP>

• NWDS + View Permission and ACL

  Hi Experts,
  After configuring DTR , next we are going for ACLs and view permissions in DTR perspective .
  I want to know what is the need of configuring ACLs , view permissions and principals .
  Thanks a lot .

  Hi Jain,
  An access control list (ACL) defines the privileges principals (can be an individual user or a user group) have for a particular resource. Technically speaking, an ACL consists of access control entities or ACEs. It also assigns one or more privileges to a principal.
  Rules
  It is not necessary to define ACLs for all resources. On the other hand, it is possible to define different ACEs for one resource that exclude one another. To solve these conflicts, the permissions are interpreted according to a set of rules that independently apply to all privileges.
  The resource path is used to determine the permissions. The permissions need not be defined for all resources: A resource of a child hierarchy level inherits all permissions granted to a parent folder, unless permissions are granted to the child resource directly.
  Refer to this Links For More Information
  [https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/e0f341af-e86e-2910-3e8a-d9e3c227d938]
  [http://help.sap.com/saphelp_nw04/helpdata/EN/21/53882f3fee0243b6c774e26ebed880/content.htm]
  I Hope This Information Might Be Helpful For You.
  Regards,
  Sharma.

• ACL and SUID file?

  Can someone tell me what the following Disk Utilities errors mean and hopefully how to fix them:
  ACL found but not expected on "private/var/root/Library/Preferences".
  ACL found but not expected on "private/var/root/Library".
  ACL found but not expected on "private/var/root".
  Warning: SUID file "System/Library/CoreServices/Finder.app/Contents/Resources/OwnerGroupTool" has been modified and will not be repaired.

  I have the same problem and it's been a long time getting here from there.
  I must have a 1000 ACL Found messages and a couple of SUID messages. If it were just a couple each, there would be no problem with what Apple states about the SUID. Apple has not responded to the ACL message that I am aware of.
  The real problem for me is the length of time it takes for Repairing Permissions - I'm talking hours.
  We need a way to get rid of these unwanted messages. Is there help out here other than a statement that they exist?
  I have a backup program that repairs permissions after backing up. It's a 4 hour backup. Undoing Repair Permissions, the backup takes only 10 minutes.
  So, if it at all possible,I would like to keep this board open until we have a real repair/solution.
  I mean no offense to anyone.
  Bud

• IFS and versioning capability

  Hi, I am new to iFS, does anyone can tell me more about versioning capabilities of iFS ? and where to find more material on this subject.
  TIA, Sreedhar

  The best place to start is with the javadoc. The 'versioning objects' are Family, VersionSeries (VS) & VersionDescription (VD).
  Start off with the example that you're versioning a Document (which is a subclass of a PublicObject). There will be one Family object and one VS. A future enhancement will support multiple VS per family. For each version, there will be one VD and one Doc.
  A simple picture of a doc w/3 versions:
  Family
  |
  VersionSeries
  |
  | | |
  VD VD VD
  | | |
  Doc Doc Doc
  This is a start. Hope this helps.
  -S

• Single sign-on and different usernames and passwords

  Hello,
  I am building a Portal with WLPS 3.5 and WLS 6.0. I tried to get
  information about the background of single sign-on.
  I understand, that I need a Realm (i.e. LDAP Realm) to authenticate the
  user for the first login to the portal (with username and password).
  Now I would like to integrate my webmail-programm (to get emails from
  Lotus Notes via Internet) as a portlet.
  For my understanding the user has to authorizate to get access to webmail.
  Therefore I create a ACL for webmail and this ACL is assigned to my
  security Realm.
  I would like the portlet to show after login the number of mails for the
  specific user. But where are the username and password for webmail stored
  and how are they received and forwarded?
  I understand that my ACL included all users that have access to webmail
  (i.e. all users). But I only want emails for the specific user.
  Does WLS get all usernames and passwords while the first login? Do I have to
  implement a algorithmen to get the specific username and password for the
  requested resource in my portlet?
  Has anyone solved a similar problem or can tell me where I can get more
  information. I read the WebLogic Security document but I cant find a
  answer to my questions.
  Thanks
  Lydia

  Lydia,
  I'm not an expert in this area, but I can give you a start.
  As for single sign-on, there are different levels. For single sign-on across web-apps,
  the servlet spec requires this (section 12.6 of th 2.3 spec) and therefore Weblogic
  does this.
  What you are talking about is single sign-on across back-end applications through
  a web-app. BEA has partnered with Securant (just acquired by RSA) to provide this
  kind of functionality. Browse to http://www.rsasecurity.com/products/ and look
  at the ClearTrust product. BEA has also partnered with Netegrity (www.netegrity.com)
  with their SiteMinder product. Neither is included in the Weblogic license. I'm
  sure either vendor would be excited to explain how their product will solve your
  problem if you give them a call.
  As for where the username and passwords are stored, that is up to the realm. If
  you are using the default WLPS RDBMSRealm, the username and encrypted password
  are stored in the WLCS_USER table. If you are using LDAPRealm, they are stored
  in your LDAP server.
  Hope this was useful!
  PJL
  [email protected] wrote:
  Hello,
  I am using PersonalizationServer 3.5 and WLS 6.0 SP 2.
  Now I try to unterstand the functionality of Single sign-on when a user
  has different usernames and passwords for different applications.
  Can someone explain where the usernames and passwords for a user are
  stored (all in the LDAP-realm or a RDBMS-realm?) When a user access the
  application how username and passwords are mapped? Or usernames and
  passwords for all applications are the same and will be equalized?
  Precisely I would like to get access to a mail-account for a specific
  user
  (webmail from Lotus Notes).
  Thanks for any help
  Lydia

• Renumbering with ACL-Friendly Role-Based Addressing or...?

  We are a mid-sized manufacturing firm operating out of three locations and we are in the process of making plans to restructure and renumber our networks so as to better facilitate automated configuration management and security, in addition to easing our deployment of IPv6.  Currently, at each site the L3/L2 boundary resides at the network core, but increasing traffic/chatter has us considering moving the L3/L2 boundary to the access layer(s), which consist of 3560-X units in the wiring closets that are supporting edge devices either directly or via 8-port 3560-C compact switches in the further reaches of our manufacturing and warehouse spaces.
  As we contemplate moving to a completely routed network, the big unknown we're struggling with is whether or not it is safe or even desirable to abandon ACL-friendly addressing, and whether, in doing so, we can expect to run into hardware limitations resulting from longer ACLs.
  Currently, each of our site-wide VLANs gets a subnet of the form 10.x.y.0/24, where x identifies the site and y identifies the class of equipment connected to said VLAN.  This allows us to match internal traffic of a given type with just a single ACE, irrespective of where the end-point device resides geographically.  Moving L3 routing decisions out to the access switches will require that we adopt smaller prefix assignments, with as many as 8 distinct subnets on each of our standard-issue 3560CG-8PC compact switches.  Why so many, you ask?  We currently have more than 30 ACL-relevant classifications of devices/hosts - a number that will only grow with time, and to maximize the availability of all services, it is our policy to physically distribute edge devices of a given class (eg. printers, access points, etc) over as many access switches as possible.
  From what I can see, we have three options, each of which present trade-offs in terms of management complexity and address utilization efficiency: 
  Option 1: Stick with ACL-friendly addressing, both for IPv4 and IPv6, and allocate uniform prefixes to each access switch.  For IPv4, within the 10.0.0.0/8 block we would probably allocate 8 bits to the site ID (/16), followed by 6 bits as the switch ID (/22), and 7 bits to identify the equipment/host classification (/29), for a maximum of 5 available addresses for a given class of devices on a given access switch.  For IPv6, assuming we have a /48 block for each site, we would use the first two bits to identify the type of allocation, the following 6 as the switch ID (/56), and the following 8 as the equipment/host classification (/64).
  Option 2: Abandon ACL-friendly addressing and dynamically allocate standard-sized prefixes from a common pool to each VLAN on a given switch.  The advantages of this approach are increased utilization efficiency and more addresses available within each VLAN, but it comes at the cost of non-summarizable routing tables and ACLs, and even if the hardware can handle this, it means we're talking about a more complex configuration management system and less ease in troubleshooting problems.
  Option 3: Do something similar to option 1, but with the L2/L3 boundary positioned at the distribution layer rather than the access layer.  I'm disinclined to go this route, as it seems to require the same, if not more, management complexity than we'll encounter with option 1, with only marginal benefits over keeping things the way they are currently (L2/L3 boundary at the network core).
  Thoughts?  What issues have we neglected to consider?  No matter which approach we select, it shall be assumed that we will be building a system to track all of these prefix assignments, provision switches, and manage their configurations.  From a standpoint of routing protocols, we would probably be looking at OSPFv2/v3.  It can also be assumed that if we encounter legacy devices requiring direct L2 connectivity to one another that we already have ways of bridging their traffic using external devices, so as far as this discussion is concerned, they aren't an issue.
  Thanks in advance for your ideas!
  -Aaron

  Hi David,
  Permissions based on GUI components is a simple & neat idea. But is it rugged? Really secure? It might fall short of Grady Booch's idea of Responsibilities of objects. Also that your Roles and Access components are coupled well with Views!!!!!!!
  My suggestion regarding the Management Beans is only to do with the dynamic modification which our discussion was giong forward.
  If we go back to our fundamental objective of implementing a Role based access control,let me put some basic questions.
  We have taken the roles data from a static XML file during the start up of the container. The Roles or Access are wanted to be changed dynamically during the running of the container. You would scrutinize the changes of Roles and access before permission during the case of dynamic modification.
  Do you want this change to happen only for that particular session? Don't you want these changes to persist??? When the container is restarted, don't you want the changes to stay back?
  If the answer to the above is YES(yes I want to persist changes), how about doing a write operation(update role/access) of the XML file and continue your operation? After all, you can get the request to a web or session bean and keep going.
  If the answer to the above is NO(no, i don't want to persist), you can still get the change role request to a web or session bean and keep going.
  Either way, there is going to be an intense scrutiny of the operator before giving her permissions!!!
  One hurdle could be that how to get all neighbouring servers know about the changes in roles and access??? An MBean or App Server API could help you in this.
  May I request all who see this direction to pour in more comments/ideas ? I would like to hear from David, duffymo, komone and jschell.
  Rajesh