Acl + wildcard pattern user's

Similar Messages

• Is there an easy way of creating an ACL for denying users?

  Hi All,
  I like to create an ACL that would prevent about 50 users from accessing a particular network in our MPLS network.  I do not want to create another vlan for this. 
  Let's say I want to deny this range 10.12.16.20 - 50   from accessing 10.3.0.0 network but allow then access to everthing else.  Is this how to do it?
  Access-list 101 deny 10.12.16.20  0.0.0.0  10.3.0.0  0.0.255.255
  Access-list 101 deny 10.12.16.21  0.0.0.0  10.3.0.0  0.0.255.255
  Access-list 101 deny 10.12.16.22  0.0.0.0  10.3.0.0  0.0.255.255
  -- this will go continue down to .50
  Access-list 101 permit ip any any
  Can I do something like this?
  Access-list 101 deny 10.12.16.20 - 50  0.0.0.0 10.3.0.0  0.0.255.255
  Access-list 101 permit any any
  Thanks

  Disclaimer
  The  Author of this posting offers the information contained within this  posting without consideration and with the reader's understanding that  there's no implied or expressed suitability or fitness for any purpose.  Information provided is for informational purposes only and should not  be construed as rendering professional advice of any kind. Usage of this  posting's information is solely at reader's own risk.
  Liability Disclaimer
  In  no event shall Author be liable for any damages whatsoever (including,  without limitation, damages for loss of use, data or profit) arising out  of the use or inability to use the posting's information even if Author  has been advised of the possibility of such damage.
  Posting
  What Karsten has suggested, would be the "cleanest" approach, but if the IOS doesn't support it, what Rick suggested would be the way to do it using the fewest ACEs.
  If using Rick's approach, as he mentioned you can set ACEs on binary boundaries, variations on the "theme" might be to include a bigger block than needed, if the overage isn't harmful.  For example, when trying to exclude hosts 20 .. 50 one ACE could block 0 .. 63.
  Also remember you can mix permits and denies.  So say you wanted to block just 8 .. 63, you could permit 0..7, block 0..63 and then permit any.  Depending on your requirement, mixing permits and denies might require the fewest ACEs in your ACL.
  Of course the disadvange of a complicated ACL, it's harder to understand.  However, on a sofware based router, the shorter ACL might perform better.

• Everyone Deny Delete ACL on all user preferences

  Hi, I know that user accounts have an ACL on certain folders to prevent them being deleted, but on one of my users this ACL has appeared on all his preferences files and folder, and they are all explicit so I can't just change the enclosing folder and propagate to remove them.
  does anyone know a terminal command I could use to remove all of these because at the moment if the user tries to change any application preferences the app will crash on quit.

  This has happened to 50+ accounts on my file server as well, on accounts that were created only 2 weeks prior. I'd like to find out why this happens and how to prevent it.
  I find myself having to hand edit perms, which is a huge pain.

• Get-ChildItem with -LiteralPath is throwing "The specified wildcard character pattern is not valid" when filenames contain brackets

  I'm trying to get a list of folders in a hierarchy that don't contain any mp3 files. (The goal here is to eventually clean up all the "empty" folders that only have album art, thumbs.db, desktop.ini, etc. files left). So I wrote a quick PowerShell
  command to try to do this. But it doesn't seem to be working.
  I already checked out this thread <Get-ChildItem
  SomeFile[].txt occurs error because of the [brackets]: "specified wildcard pattern not valid"> and I think I'm using LiteralPath correctly. Any other hints for troubleshooting this problem? Here's the command I'm using.
  Get-ChildItem -Recurse -Directory | ?{
  @( @(Get-ChildItem -LiteralPath $_.FullName -Recurse) | ?{
  $_.Extension -eq ".mp3"}).Count -eq 0 }
  This is on the latest version of PowerShell found in Windows Technical Preview.

  Fair enough, but it still doesn't answer the original question- why isn't this working with -LiteralPath when the path contains brackets? 
  Get-ChildItem -Recurse -Directory | ?{
  @( @(Get-ChildItem -LiteralPath $_.FullName -Recurse) | ?{
  $_.Extension -eq ".mp3"}).Count -eq 0 }
  Thanks,
  Ben

• RE: Acls for a particular users

  Hi,
  I want to get a list of Acls for a particular users. Can anyone tell me how
  to achieve this. I am using the RDBMS Realm Implementation.
  After user logs in, I want to present the user with a list of applications
  that the user is authorized. To do this, I need to get a list of Acls for
  this user. I tried to implement a method in the DefaultRealmExtender which
  gets all the Acls and then checks for permission "execute". This works fine
  when the jsp is displayed, but if I leave the browser for a while and then
  refresh the page, the entire weblogic shuts down. After debugging, I found
  out that it blows up when it tries to check the permission. Any help will be
  appreciated.
  Thanks,
  Gajendra Sanil

  Hi VB,
  Thanks for your response. But the applicant is still active for some of the Vacancies. I can't delete that person.
  We can do this from the applicant from. NAv: Vacancies--> Applicants--> select the rejected applicants--> In the application tab there is one field called " Reconsider Applicant" If you select the reason you will be able to consider that applicant for that same vacancy but in the applicant tab i am not finding the reason field only for this applicant. I think this applicant perform some different step while he is with drewn the applicantion.
  Joshna.

• ACL on Users

  Hi I have written the following function to create my own ACL and effect the
  same on the
  groups and a particular folder.Though the ACL object gets createdand gets listed
  in the web browser view
  , when i click it, i am not able to view the details,but instead , i get a
  window saying"Unable to modify the ACL details"...The same
  problem persists in the IFSMANAGR console also..
  Also the ACL does not really work for the User..
  that is, the User who should not view the folder is able to view it ,even though
  the ACL is applied.
  ..I would be very greatful if someone could scrutinize the below code and
  explain me the reason for the above behaviour.
  public ISecurityPolicy createSecurityPolicy( String[] permissions ,
  oracle.ifs.beans.Group aGroup, LibrarySession ifs,String name ){try{
  AccessLevel permission = new AccessLevel(permissions);
  AccessControlEntryDefinition aceDef = new
  AccessControlEntryDefinition(ifs); aceDef.setAccessLevel(permission);
  aceDef.setGrantee( aGroup.unWrap() );
  AccessControlListDefinition ACLDef = newAccessControlListDefinition(ifs);
  ACLDef.addAceDefinition(aceDef); ACLDef.setName(name);
  new_acl = (AccessControlList)ifs.createPublicObject(ACLDef);
  System.out.println("THE NEW ACL CREATED <Security policy>
  :"+new_acl.getName() ); return this; }catch(Exception e) {
  System.out.println("Error in the creation of the security policy <SECURITY
  POLICY > :"+e); return null; } }
  Thanks in advance,
  Raja

  Which user are you creating the ACL as ?. Which user are using when you try the access the ACL via iFSManager or the WebUI ?
  Remember that when an ACL is created it inherits the default ACL of the user who created it. This means that in order to edit an ACL the user attempting to modify the ACL must have permission to update it.
  I need much more information in order to be able to determine what you are trying to achieve and why it is not working.
  Can you post the complete source to the class that contains the method in your earlier post.
  If this class is not ISecurityPolicy please post the code to this class too.
  Also where does oracle.ifs.beans.Group come from. The iFS Class which represents a Group is DirectoryGroup. If oracle.ifs.beans.Group is your own class please supply source.
  Please post the code that shows how you set up the arguments to createSecurityPolicy. I need to see what permissions contains and where aGroup comes from.
  null

• Using ISE to assign ACL's for VPN users

  Hi,
  I've just implemented ISE into our environment using various documents and videos found online but have not been able to find anything about using ISE to Authenticate remote users via VPN and assigning them the ACL's created for thewir level of network access.
  Does anyone know of a good document or training video knocking about that I can use?
  Thanks
  Jason

  Jason,
  If the ACL is present on the ASA you can use the "filter-id" radius attribute to reference the acl to the user's session. You can make this work by configuring an authorization profile and tying this in with your authorization policy for vpn users.
  If you want to push an acl then my recommendation is to use the cisco-av-pairs to push the acls since the username is associated with the acl that is applied to the username of the vpn session.
  http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/ref_extserver.html#wp1763743
  Thanks,
  Tarik Admani
  *Please rate helpful posts*

• CUP user import: what XML field to use to set default ACLs for user?

  Can someone please tell me what XML tags to use within the import file (via CUP) to set the default Document and Folder ACLs respectively to Public and Protected.
  Thanks!
  Brian

  brian,
  did you ever figure out how to assign default ACL to a user using XML? if so, could you show me how to do it? thanks

• XCOPY folder with ACL - limited user

  Hi there,
  I created another post
  Here, but i think that's the wrong place for it. Apologies for double posting.
  I am trying to get one of my "limited user" to run a batch file which creates a folder from a template folder. Template folder has specific ACLs. but the user attempting to run it recieves "Access
  is denied"
  batch content:
  xcopy "\\server\templatefolder" "\\server\newfolder\" /O /X /E/ H /K
  The user running this batch is a limited user (Domain user but not part of the Local admin group)
  Windows 7 x64bit
  UAC is turned on
  Software
  Restriction Policy is in place but this particular batch file is allowed to run
  Apparently "/O" what triggers "Access is Denied". Any idea what permissions the user needs in order to run with "/O"? Adding the user to administrators, domain admin group is out of the question.
  I tried changing the ownership of the template folder to that user, no go.
  Thank you,

  Hi,
  First I would like to know if the issue is denied in copy files from the source folder, or copy files to the target folder.
  To confirm you can give the user full control on target folder and try again.
  And if "Apparently /O what triggers Access is Denied" means
  you have already confirmed that it is the source folder, what's the current user permission?
  I think it is easy for testing - create a test user with same permission as the "limited user", give it 1 permission at a time to find our the exact missing one.
   /O means "Copies file ownership and ACL information" so I think "Read permission" is needed. "Read attributes" may also be needed. I'll go and do a test as well. 
  If you have any feedback on our support, please send to [email protected]

• Editing ACLs to add system-level users

  So, I'd like to edit the permissions on a file to match another file. The ACL for the other file includes users such as system and wheel. The one I need to edit does not, and I can find no way to edit this to add anything other than user-level users. What the heck? This was no problem in Tiger, yet in Leopard I have no way of modifying the permissions properly. What gives? How do I add users from the entirety of the system, not just the upper-level fluff?
  Message was edited by: Noble Brown

  I'm trying to copy over a system file from another machine to replace one that I believe is corrupted. However, doing this in the user space messes up the permissions, removing the system user and adding the active user account. Trying an mv in the Terminal was met with little success as well and it didn't even move the darn file. Using the "get info" window to check the ACL shows the user account, wheel, and everyone. I need to delete the user account and add system, but neither appear to be possible from the Finder, which is ridiculous. This is a grotesque downgrade from Tiger's permissions settings which, although a bit crude, were just fine for this kind of thing. Now it's a better interface, but one that's been severely limited.

• Translation Pattern Wildcard Match

  Our organization uses 5 digit internal extensions throughout. Our CEO would like the ability to dial any 5 digit extension in our organization but wants his caller id to be shown as his name and the extension of his secretary – basically masking his 5 digit extension. I believe the simplest way to achieve this is to create a Translation Pattern, but I’m having an issue trying to match the wildcards in a TP in CUCM7.1.5. At this stage I have set up a new Partition and CSS just for the CEO’s phone and placed a test phone in the new CSS. I then created a TP which is where I run into a problem.
  In the TP I have selected the proper partition and in the Calling Party Transformations section I have listed the Calling Party Transform Mask as the secretary extension (we’ll say 55555 for this example). When I use an exact Translation Pattern match (say 12345) the translation works as I would expect (when I dial 12345 from the test phone, the caller ID shows as 55555). However, when I use any wildcards in the Translation Pattern (i.e. XXXXX) the translation does not occur. Now when I dial 12345 the true caller ID number shows instead of the translated number.
  I’m basically looking for a catch all rule from the CEO’s phone that will translate to 55555. I’m guessing I’m overlooking something simple here – any assistance? Thanks in advance.

  I set up a calling party transformation pattern with the same results. The issue seems to be in matching the dialed pattern or Translation Pattern field. In my testing the pattern is matched only when it's exact and not when wildcards are used. See the first attached screen shot where the pattern is '12345'. When this is applied it works as would be expected and the caller ID on the receiving phone shows 55555. But, on the second attached screenshot using wildcards, when 12345 is dialed the caller ID shows as the number on the phone and not the translated value. For some reason the wildcards don't seem to match.
  I've tried various wildcard patterns such as XXXXX, 1234X, and [0-8]XXXX - none work. The last one is the one I'd really like to use. Other thoughts or suggestions?

• PROBLEM IN ASSIGNING DESKTOP TO A PARTICULAR USER

  Hi Experts,
  Iam facing a problem i.e
  If iam assigning a desktop to a particular user the user is not reflecting any changes......
  if iam keeping ***
  then we are able to adapt the changes but i want only particular user to adapt the changes ..
  how it is possible  plz help me in this...
  waiting for u r response.....
  Regards,
  Shilpa

  Hi ,
  If your are not sure about user name , use the wildcard pattern , but make sure you use only a single *
  i.e
  1)IF User = shilpa*
  THEN Portal Desktop = dekstop path
  2)IF User =*  shilpa  *
  THEN Portal Desktop = dekstop path
  Here 1st option will work , 2nd will not work. "  use only a single *   "
  Regards,
  Sunitha Hari

• Username not showing up in access log for authenticated users

  I'm using form-based authentication in a Java web application on Sun One Web Server v6.1 to restrict access to authenticated users. However, even after the users authenticate and access the application, the username field in the access log is showing them as anonymous.
  request.getRemoteUser() is reporting the correct username, so it just seems to be the access log that is in error. Right now it is set to the default but changing formats to custom doesn't seem to help in displaying the username.
  Here's an excerpt from the access log:
  // anonymous access attempt, redirects to login page...
  10.100.168.110 - - [01/May/2006:14:34:42 -0400] "GET /profile/index.jsp HTTP/1.1" 302 0
  10.100.168.110 - - [01/May/2006:14:34:42 -0400] "GET /profile/login.jsp HTTP/1.1" 200 3355
  10.100.168.110 - - [01/May/2006:14:34:47 -0400] "POST /profile/j_security_check HTTP/1.1" 302 0
  // at this point they are logged in and their username should be reflected in the access log, but is not:
  10.100.168.110 - - [01/May/2006:14:34:47 -0400] "GET /profile/index.jsp HTTP/1.1" 200 3532 And the relevant code from the web application's web.xml:
  <security-constraint>
      <web-resource-collection>
        <web-resource-name>AllFiles</web-resource-name>
        <description>
                   Restricts anonymous access.
                </description>
        <url-pattern>/*</url-pattern>
        <http-method>POST</http-method>
        <http-method>GET</http-method>
      </web-resource-collection>
      <auth-constraint>
        <description>
                 Authenticated Users
                </description>
        <role-name>user</role-name>
      </auth-constraint>
    </security-constraint>I've searched the forums and the manuals but can't see anything showing that the access log's username field doesn't work with form-based authentication. Can anyone shed some light on this?

  Some background:
  The Java Servlet container has its own authentication infrastructure (which is what you configure in web.xml) which is separate from the non-Java authentication infrastructure (ACLs, etc.). If you set up authentication via ACLs the resulting user identity can (though you may configure it not to) propagate to the Java Servlet container such that request.getRemoteUser() will return it, even though no web.xml-driven authentication occurred. The coverse is not true, however: if you authenticate via a Java Realm, based on web.xml configuration, that user identity is not available to non-Java code.
  (Your web.xml snippet doesn't show you using FORM auth - but it doesn't matter, the explanation above applies in any case.)
  That is why the log file (generated from non-Java code) doesn't have access to that user. It probably should, but there's no config option today for you to make that happen.
  If you're using BASIC auth you may consider moving the authentication configuration from web.xml to ACLs as a possible workaround. It will then show up in the access logs.
  If you prefer web.xml-based authentication, consider the <SECURITY audit="true"> option in server.xml. It won't be in the access log but you'll have an audit trail of authentications, which may help.

• Server 2003: make user template with read-only access for shared folders

  I have need to make a type of user (like Administrator, Power User, Mobile User, User, etc.) that has read-only acess to shared folders. So when I make a new user and assign the "read-only user" template I wish to have, the user can open files
  in the shared folders on the server, but not edit, save or delete files. Other users can and should remain able to edit, save & delete.
  Before I dig in, is this even possible?

  You could create a Group called ReadOnly, and set that to have Read on the ACLs of the relevant files or folders.
  Make that template user a member of that group.
  As long as they are not also a member of another group that gives them higher permissions, this would work.
  Otherwise set the ReadOnly group to deny Write, which would over ride any other permission set.
  So,
  Folder A
  ACL:
  ReadOnly : R
  Users: Read/Write
  If a user is a member of Users & ReadOnly, they would get read/write to Folder A. As permissions are cumulative.
  If you did the following:
  Folder A
  ACL:
  ReadOnly : R
  ReadOnly: Deny Write
  Users: Read/Write
  The users in ReadOnly would be denied write, as it overrides the cumulative permissions.
  Robert Pearman SBS MVP
  itauthority.co.uk |
  Title(Required)
  Facebook |
  Twitter |
  Linked in |
  Google+

• Restricting certain users groups to read only for certain folders

  Hi
  I'm not sure if this is the correct forum, but hey, hopefully someone might now the answer or direct me to the correct one.
  I'm writing a VB program to amend ACLs for specific user groups.
  Effectively, I make all prior year folders read only, whereas the default for the group is Modify, Delete etc.  This means they can continue to work in the "new year folders", but historic years is List/read only.
  I've got to the point the program does everything I want, i.e. stops folder creation7deletion, file & folder name changes, copying for the historic years, but does not prevent deletion of files in the folder.  Effectively I set Deny access on the
  historic folders.
  Testing using the Windows GUI would appear to resolve the problem is I change the Deny Special Permission (for the group) from "This folder only" to "This folder & files".
  Question then is how to I set this in VB, the default appearing to be "This folder only"
  Here's extract of my code
  Thanks
  IfvarDirectoryName.IndexOf("\"&
  Date.Now.Year) = -1
  Then
              FileAcl3.AddAccessRule(
  NewFileSystemAccessRule(GroupAdmin(0),
  FileSystemRights.Modify,
  AccessControlType.Deny))
              FileAcl3.AddAccessRule(
  NewFileSystemAccessRule(GroupAdmin(0),
  FileSystemRights.DeleteSubdirectoriesAndFiles,
  AccessControlType.Deny))
              FileAcl3.RemoveAccessRule(
  NewFileSystemAccessRule(GroupAdmin(0),
  FileSystemRights.ReadAndExecute,
  AccessControlType.Deny))
              FileAcl3.RemoveAccessRule(
  NewFileSystemAccessRule(GroupAdmin(0),
  FileSystemRights.ListDirectory,
  AccessControlType.Deny))
  Dim FileInfo3 As IO.FileInfo = New IO.FileInfo(varDirectoryName)
  Dim FileAcl3 As New FileSecurity
  If varDirectoryName.IndexOf("\" & Date.Now.Year) = -1 Then
  FileAcl3.AddAccessRule(New FileSystemAccessRule(GroupAdmin(0), FileSystemRights.Modify, AccessControlType.Deny))
  FileAcl3.AddAccessRule(New FileSystemAccessRule(GroupAdmin(0), FileSystemRights.DeleteSubdirectoriesAndFiles, AccessControlType.Deny))
  FileAcl3.RemoveAccessRule(New FileSystemAccessRule(GroupAdmin(0), FileSystemRights.ReadAndExecute, AccessControlType.Deny))
  FileAcl3.RemoveAccessRule(New FileSystemAccessRule(GroupAdmin(0), FileSystemRights.ListDirectory, AccessControlType.Deny))
  FileInfo3.SetAccessControl(FileAcl3)
  End If

  Ho Rohn
  Your right, when I added the flags I got the following error at execution
  {"No flags can be set. Parameter name: inheritanceFlags"}
  I've developed a work around, which gives me exactly - subject to further testing - what I want.  I simply mark each file in the relevant folders with a Deny Delete option.
  I will however explore the DirectorySecurity class option, but initial review of the www seems a little shy on VB examples.
  Thanks
  Perry
  You should be able to use FileSecurity and DirectorySecurity the same way (they have identical methods). Since this is a scripting forum, I'll provide a PowerShell example (which is fairly close to C# and VB; they all use the exact same classes):
  $varDirectoryName = "c:\folder"
  $GroupAdmin = "Admin Group"
  $FileInfo3 = New-Object System.IO.DirectoryInfo $varDirectoryName
  $FileAcl3 = $FileInfo3.GetAccessControl()
  $FileAcl3.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule (
  $GroupAdmin,
  [System.Security.AccessControl.FileSystemRights]::Modify,
  ([System.Security.AccessControl.InheritanceFlags]::ContainerInherit -bor [System.Security.AccessControl.InheritanceFlags]::ObjectInherit),
  [System.Security.AccessControl.PropagationFlags]::None,
  [System.Security.AccessControl.AccessControlType]::Allow
  $FileInfo3.SetAccessControl($FileAcl3)
  I could have taken a lot of shortcuts when using the enumerations, but I think keeping it verbose helps show how similar the code can be.
  Does that make sense?