ACS 4.2 (Trial) User Group Restrictions?

I'm currently in the process of migrating from Microsoft IAS to Cisco ACS 4.2. I'm running an Eval of CSACS v4.2 for Windows in a Lab so I can work out the issues.
So far I've been fairly successful getting user accounts authenticated with Active Directory credentials using the "Windows Database" as my external user database. The only problem I've run into is that I can't seem to figure out how to restrict access by Active Directory group membership.
For instance, in the lab I have a Cisco 3750 switch that is using ACS to control login access. But given my current ACS configuration, everyone in the Windows domain can log in to the switch. How can I restrict that down to just the Network Operations group in Active Directory?

Yogesh:
To move existing users from one group to another you can:
- go manually to each user and change its group membership. OR:
- Use RDBMS synchronization where you can fill a CSV file with the actions that you want (change group membership in your case) and import that to the ACS.
For RDBMS sync you can read the user guide:
http://tiny.cc/n13b1w
This config example may also be useful about how to import the csv file:
http://tiny.cc/533b1w
I suggest that you read the guide and come back to ask here if you have any concern.
HTH
Amjad
Rating useful replies is more useful than saying "Thank you"

Similar Messages

  • SQ01 - User Group Restrictions

    Using transaction SQ01 (SAP Query) in the HR module, is it possible to restrict users to specific queries? I have assigned users to user groups, but this does not appear to prevent users outside of the group from running the query.
    All users concerned have access to the transaction with authorisation value '23'.
    Thanks
    Simon

    Hi,
    Did you check what restrictions are given while creating a query?
    For more info
    http://help.sap.com/saphelp_nw04/helpdata/en/d2/cb42cb455611d189710000e8322d00/frameset.htm
    Cheers
    Soma

  • ACS 3.2.2 : user access restriction on define AAA client

    Is it possible to restrict some users, who use remote connections, to be authenticated only on selected devices?
    For example, I want to authenticate users defined for the wireless LAN only on our APs, and I don't want these users to be able to authenticate on our CVPN.

    Hello,
    Yes, this is possible with NAR (Network Access Retriction). I am assuming you are using ACS Windows, if so, here is a good white paper on this. For configuration help, please refer to user guide. But, this link will get you started.
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a00801a8fd0.shtml
    Thanks,
    Mynul

  • Cisco ACS - HOW ARE INTERNAL USERS RESTRICTED IN THEIR ACCESS TO RESOURCES

    Does anyone have any insight into this process. Please advise.

    Hi Eduardoaliaga,
    I believe that when we are using PAP as the authentication protocol, the ACS is able to strip the domain prefix. However, my side is using PEAP-MSCHAPv2 as the authentication protocol and I believe that the TLS tunnel is preventing the ACS from stripping the domain prefix/suffix. Thus, I have also posted another discussion on the issue that when the authentication protocol PEAP-MSCHAPv2 is used, ACS is not able to strip the domain prefix/suffix. Would you also be able to advise on whether that is correct? Please refer to the links below.
    1) https://supportforums.cisco.com/thread/2061835
    2) http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/user/guide/eap_pap_phase_ps9911_TSD_Products_User_Guide_Chapter.html#wp1031191
    3) https://supportforums.cisco.com/message/3581951#3581951
    Thks and Rgds

  • Cisco ACS 4.2 one user in multiple local groups

    Currently I have group mapping like this:
    ACS group    Windows groups
    Grp-A-B      Grp-1 and Grp-2
    Grp-A        Grp-1
    Grp-B        Grp-2
    For example, currently one user test1 is part of both groups 1 and 2 in Windows and is mapped to Grp-A-B in ACS. Is it possible, if I delete the Grp-A-B mapping in ACS, to see the user test1 separately in both groups (Grp-A and Grp-B) in ACS?

    Salam Muhammad,
    If you have a local user in ACS, that user cannot be a member of two groups at the same time.
    The same concept applies to external users. They cannot be mapped to two different groups at the same time.
    If you remove the Grp-A-B configuration, the user test1 will be mapped to the first group in the list because ACS 4.2 processes the group mappings in order:
    '''snip'''
    Group Mapping Order
    ACS always maps users to a single ACS group; yet a user can belong to more than one group set mapping. For example, a user named John could be a member of the group combination Engineering and California, and at the same time be a member of the group combination Engineering and Managers. If ACS group set mappings exist for both these combinations, ACS has to determine to which group John should be assigned.
    ACS prevents conflicting group set mappings by assigning a mapping order to the group set mappings. When a user who is authenticated by an external user database is assigned to an ACS group, ACS starts at the top of the list of group mappings for that database. ACS sequentially checks the user group memberships in the external user database against each group mapping in the list. When finding the first group set mapping that matches the external user database group memberships of the user, ACS assigns the user to the ACS group of that group mapping and terminates the mapping process.
    '''snip'''
    Reference:http://goo.gl/cvc474
    HTH
    Amjad
    Rating useful replies is more useful than saying "Thank you"
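The ordering rule quoted above is easy to get wrong in a mixed-membership domain, so here is a small model of it as an added example (this is not ACS code, only a reproduction of the documented evaluation order). It assumes that a group set mapping matches when the user belongs to every external group in the set, and that the trailing "All other combinations" row can be pointed at an ACS group or at <No Access>. The tables, user names and group names are constructed for the two threads on this page: the Grp-A/Grp-B/Grp-A-B question directly above, and the original question of letting only the Network Operations AD group log in to the switch (every other combination falls through to No Access).

```python
"""Model of Cisco ACS 4.x external-database group set mapping order.

Added example, not ACS code: it reproduces the rule quoted from the user
guide (mappings evaluated top to bottom, first match wins, one ACS group per
user). Assumed: a group set matches when the user belongs to every external
group in the set, and the trailing "All other combinations" row maps to an
ACS group or to <No Access>.
"""
from dataclasses import dataclass, field

NO_ACCESS = "<No Access>"


@dataclass(frozen=True)
class GroupSetMapping:
    """One row of the ACS mapping list: external group set -> ACS group."""
    external_groups: frozenset
    acs_group: str


@dataclass
class GroupMappingTable:
    mappings: list = field(default_factory=list)   # ordered, top to bottom
    all_other_combinations: str = NO_ACCESS         # trailing catch-all row

    def map_user(self, user_groups):
        """Return the single ACS group for a user with these AD memberships."""
        members = frozenset(user_groups)
        for m in self.mappings:
            if m.external_groups <= members:   # member of every group in the set
                return m.acs_group              # first match ends the mapping
        return self.all_other_combinations

    def is_authorized(self, user_groups):
        """True unless the user lands in the <No Access> group."""
        return self.map_user(user_groups) != NO_ACCESS


# Constructed table for the thread "one user in multiple local groups".
MULTI_GROUP_TABLE = GroupMappingTable(mappings=[
    GroupSetMapping(frozenset({"Grp-1", "Grp-2"}), "Grp-A-B"),
    GroupSetMapping(frozenset({"Grp-1"}), "Grp-A"),
    GroupSetMapping(frozenset({"Grp-2"}), "Grp-B"),
])

# Same table with the Grp-A-B row deleted, as the poster proposed.
WITHOUT_COMBINED_ROW = GroupMappingTable(mappings=MULTI_GROUP_TABLE.mappings[1:])

# Constructed table for the original question: only Network Operations may
# log in to the switch; everyone else falls through to <No Access>.
NETOPS_TABLE = GroupMappingTable(mappings=[
    GroupSetMapping(frozenset({"Network Operations"}), "NetOps"),
])

TEST1 = {"Grp-1", "Grp-2"}   # constructed user: member of both AD groups


def demo():
    """Map the constructed users through each table."""
    return {
        "test1_with_combined_row": MULTI_GROUP_TABLE.map_user(TEST1),
        "test1_without_combined_row": WITHOUT_COMBINED_ROW.map_user(TEST1),
        "netops_user": NETOPS_TABLE.map_user({"Network Operations", "Domain Users"}),
        "other_domain_user": NETOPS_TABLE.map_user({"Domain Users"}),
    }


if __name__ == "__main__":
    for name, acs_group in demo().items():
        print(f"{name}: {acs_group}")
```

Deleting the combined row does not give test1 two ACS groups; it just makes Grp-A the first match, and the Grp-B row becomes unreachable for that user. For the switch login case, the restriction comes from the catch-all row: with "All other combinations" left pointing at a normal ACS group, every domain user is mapped somewhere and can log in, which is exactly the symptom in the original question.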

  • Restrict metadata field during an update to a specific user group

    Hello everyone,
    I am having some trouble figuring out the best way to restrict permissions to change some metadata fields for 2 different groups of users.
    I have two user groups, A and B. Group A will be checking in documents that the B group will then review for accuracy and quality. Group B will then update an optionlist field called "Status" with either "Recommended" or "Not Recommended".
    This is not a workflow situation as the scope requires that all documents are immediately available for searching. I currently have a CheckIn and Search profile for the content permitting read write access to groups A and B. The "Status" field is hidden on the CheckIn page. Can anyone please suggest a good way to restrict the field "Status" on an Update page to just "B" users? Groups A and B should be able to update all fields with the exception of the B restricted "Status" field.
    Thanks!
    Edited by: user6750815 on Jun 2, 2010 4:11 PM

    Hey rMac,
    I understand it this way: you have one profile for the A and B user groups, and on this profile the Status field is hidden.
    If this is your problem, you can approach it from two places. While making the rule for hiding the Status field, use a rule activation condition and make it active only for users with role A. This way, even with a single profile, the users with role B will be able to see the Status field.
    Otherwise, you can put similar code in the Restrict Personalization Link, wherein you make this hidden field editable and compulsory for users in B.
    cheers,
    sapan

  • Dynamic User Group Role for ASA 8 ACS 4 External Windows DB

    1. I've successfully got a Win2003 AD user to authenticate to the ASA via an ACS, but the default group settings the dynamic user becomes part of don't get transferred to the user. How do I get the user to adopt the group settings?
    2. ASDM recommends enabling authentication for admin console sessions so you don't SSH into a box and then have to log in with the enable password, which isn't logged. When I check the box for this feature I can SSH to the ASA, but my password is denied by the ASA. How do I keep the user credentials all the way to privileged exec mode?
    3. Back in the day I could configure the ACS shell, privilege 15, custom attributes cisco-av-pair "priv-lvl-15" to get a user to jump directly to privilege exec mode. This doesn't work now. Is there a different way to do this on ACS v 4?
    Thanks in advance,
    Matt

    Try this:
    aaa authentication enable console
    aaa authorization command
    On ACS, go to the user or group that the user is in:
    - go to Enable Options, click "Max Privilege for any AAA client" and set it to 15;
    - in the TACACS+ section, click "Shell (exec)", click "Privilege level" and enter 15;
    - go to "Shell command authorization set" and set the default to permit any commands not listed.
    This will get the user into privilege mode. On ASA/PIX it requires command authorization and authentication for enable console. On IOS it requires that you use aaa authentication exec and then aaa authorization exec/command. This will allow the user to go straight into privilege mode instead of user mode.
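To put the device side of that answer in one place, here is an added configuration example (not from the reply above, and not a Cisco document) showing the IOS and ASA commands that pair with the ACS settings described: login and enable authentication against TACACS+, exec authorization so the privilege level ACS returns is applied, and command authorization. The ACS address 10.0.0.10, the shared secret "acs-secret", the server-group name "ACS" and the interface name "inside" are assumptions; the LOCAL fallback only applies when the ACS is unreachable, not when it rejects the user.

```text
! --- Cisco IOS (for example the 3750 from the original question) ---
! Assumed: ACS at 10.0.0.10, shared secret "acs-secret", server group "ACS".
aaa new-model
tacacs-server host 10.0.0.10 key acs-secret
aaa group server tacacs+ ACS
 server 10.0.0.10
! login and enable go to ACS first; local/enable only if ACS is unreachable
aaa authentication login default group ACS local
aaa authentication enable default group ACS enable
! exec authorization is what lets the priv-lvl=15 returned by ACS take effect
aaa authorization exec default group ACS local
aaa authorization commands 15 default group ACS local
aaa accounting exec default start-stop group ACS
aaa accounting commands 15 default start-stop group ACS
line vty 0 4
 transport input ssh

! --- Cisco ASA 8.x ---
aaa-server ACS protocol tacacs+
aaa-server ACS (inside) host 10.0.0.10
 key acs-secret
! these two correspond to the ASDM "enable authentication for admin sessions" option
aaa authentication ssh console ACS LOCAL
aaa authentication enable console ACS LOCAL
! command authorization, as the reply requires for ASA/PIX
aaa authorization command ACS LOCAL
! apply the privilege level returned by ACS to the SSH session
aaa authorization exec authentication-server
```

With this in place, a user whose ACS group carries Shell (exec) privilege level 15 lands directly in privileged exec on both platforms, and each command is sent to ACS for authorization before it runs. Keep a local user with privilege 15 on the device so the LOCAL fallback is usable if the ACS is down.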

  • TMG2010 - Exchange 2010 - Restrict User Groups

    Hey Guys, 
    We have TMG2010 currently reverse publishing OWA; however, no pre-auth is being used, the Exchange 2010 auth form is being used.
    The TMG box is not domain joined; however, if we joined it to the domain, would we be able to use AD security groups to restrict access to certain services such as OWA, without enabling the "pre-auth" functions of TMG?
    Thanks, 
    Robert 

    Hi,
    Yes, it is possible to restrict access to specific services like OWA/EAS/OA on the TMG server for specific users/groups if the TMG server is a member of the domain. You can also use pre-auth if the TMG server is a member of a workgroup, if you use LDAP on the TMG server:
    TMG publishing:
    http://www.microsoft.com/en-us/download/details.aspx?id=8946
    TMG and LDAP:
    http://www.isaserver.org/articles-tutorials/configuration-general/Microsoft-Forefront-TMG-Using-LDAP-RADIUS-Authentication.html
    regards Marc Grote aka Jens Baier - www.it-training-grote.de - www.forefront-tmg.de - www.galileocomputing.de/3570

  • Restrict password resets to certain user groups in UME

    I am investigating if it is possible to create a UME action which restricts admins to unlocking/locking IDs and resetting passwords for users in a certain user group.  I know you may need to create a UME permission class and action.  Has anyone done this?  If so how?
    Thanks and Regards,
    Mosi

    Hi Mosi,
    Did you have a look at the documentation about the Company Concept (http://help.sap.com/saphelp_nw2004s/helpdata/en/2b/306bb5bc98f24f8a85d489449af456/frameset.htm)? This can also be used to delegate administrative tasks in your case.
    Regards,
    Patrick

  • WLC 4402 + ACS 5.4 + AD: is it possible to use separate ip dhcp pools according to AD user group?

    Hello, we are using WLC with ACS and it is working well.
    We have an AD group WiFi_access, and all users from this group are able to authenticate when connecting to the corporate WiFi network.
    How could we make, for example, two AD groups, WiFi_access and WiFi_VIP, so that users from the first group get 10.7.0.0/24 addresses and users from the second get 10.8.0.0/24? Or it could be 10.7.0.0-100 and 10.7.0.100-200; it doesn't matter.
    The main goal is: different AD groups of users must have different privileges, and this is controlled via ACLs on their default gateway switch.

    You can use the "aaa-override" feature to do that. In that case, once a user gets connected, if he belongs to the "WIFI_VIP" group, ACS can override the user VLAN to a different one (10.8.0.0/24) from the one they initially associated to.
    You can get an idea about the concept from the below post
    http://mrncciew.com/2013/05/21/aaa-override-in-acs5-2/
    HTH
    Rasika
    *** Pls rate all useful responses ***

  • Restrict user group authorization on reporting

    Hi all;
    I have a problem restricting user groups on monitoring reports.
    Using the RSSM transaction I gave only one user group access to the reports, but I still see the other groups on the report.
    Thanks.
    Korel.

    Hi Chris,
    There is no standard report available for this purpose. However, all this information is stored in the table UME_STRINGS.
    You can write your own SQL queries to generate such reports. However, please note that this table is not normalized, and it is a master UME table. You should use it strictly for READ ONLY purposes.
    For sample code which I wrote some time back, you might refer to:
    http://forums.sdn.sap.com/thread.jspa?threadID=2088099&messageID=10859334#10859334
    Thanks
    Prashant

  • Restricting  Access for SQ01 User Group

    Hi ,
    Please let me know how to restrict access for a user group to only some specific users.
    Thank you
    Edited by: Vibhor Arora on Apr 12, 2010 7:29 AM

    Hi,
    Can you please clarify what exactly you want to know? Your request can be interpreted in a few different ways.
    If you are concerned that people have access to all user groups, then you need to remove access to S_QUERY activity 02 and, I think, activity 23. They will lose access to all user groups that they are not assigned to via SQ03.

  • Displaying User groups in ACS 4.2

    Is there an easy way to display User groups similar to NDG's?

    Hi,
    Unfortunately there is no view like the NDG view in ACS 4.2. Yes, you can see the different groups configured in ACS when you go into Group Setup, and from the drop-down you can view the number of groups configured in ACS.
    Hope to Help !!
    Ganesh.H
    Remember to rate the helpful post

  • Not able to restrict user groups from accessing certain entities

    We have created user groups and are trying to give them restricted access to certain entities so that they can perform consolidations only for those entities. But even after creating security classes (and assigning them to the entities in the metadata) and assigning [Default] security class access as Read Only, the users are still able to access and consolidate all the entities using Process Control.
    Can anyone please let me know how to restrict consolidation to only certain entities?

    To solve this you need the following information:
    -- What roles do the users have? Anyone with the Administrator role has full access to all classes.
    -- Examine the groups. If any users are members of a group which has more access than the users have as individuals, they get the greater access level. You can generate a report which shows all roles for all users including the derived roles.
    -- Examine your metadata. Do the entities in question have the classes you intend? If you omit a class (the field has been left blank), HFM treats it like the [Default] class.
    With this information we could help you troubleshoot the issue.
    --Chris

  • Restricting Queries in HR: Compensation Management User Group

    I am trying to restrict the InfoSet /SAPQUERY/HR_XX_CM_03, which contains salary/compensation queries, assigned to user group /SAPQUERY/H0, from being accessed by anyone. In SQ03, user group /SAPQUERY/H0 has no users assigned, but users with access to SQ01 can select the user group /SAPQUERY/H0 and access the queries tied to InfoSet /SAPQUERY/HR_XX_CM_03. Why are users able to access the InfoSets of the user group when no users are assigned to the user group?

    Turns out that the security authorization for access to SQ01 had an S_QUERY value of 02, which allows full change. With this value the user group/user assignments done via SQ03 did not work. Setting S_QUERY to 23 allows user group assignment to restrict access in SQ01.
