ACS 5.3 one user multiple roles

Hi.
I have got ACS 5.3 and two AD groups: vpn_users and wifi_users. My goal is to permit authentication of a user trying to connect to the wireless network (via WLC) if he is a member of the wifi_users group. The similar goal is for VPN users (via ASA). I have no idea how to configure ACS Access Policies.
In Default Network Access -> Identity I created two rules:
Wifi:  Compound Condition: System:Device IP address = WLC's IP  --> result: AD1 Identity Store
VPN: Compound Condition: System:Device IP address = ASA's IP  --> result: AD1 Identity Store
What can I do in the Authorization section? My rule is something like:
If user is member of AD1:vpn_users  then permit access
If user is member of AD1:wifi_users  then permit access
As a result, if a user is a member of vpn_users but is not a member of wifi_users, he is authorized for both wifi and vpn.
How can I create a rule saying something like:
If System:Device IP address = WLC's IP  AND  AD1:group=vpn_users  THEN permit access.
Thanks.
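As an added illustration (not ACS code or configuration), the following Python models how an ACS 5.x rule table is evaluated: rules are checked top to bottom, a compound condition is a logical AND of its clauses, the first matching rule wins, and a default rule applies otherwise. It evaluates the group-only rules from the question beside the device-AND-group rule the question asks for; the WLC and ASA addresses are placeholders and the requests are constructed samples.

```python
"""Model of ACS 5.x-style rule-based authorization (added illustration, not ACS code).

Rules are evaluated top to bottom; the first rule whose conditions all
match decides the result, and a default rule applies when none match.
The group names are the ones from the question; device IPs and requests
are constructed samples.
"""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Callable, Dict, List, Set

# Placeholder device IPs (assumed; the question only says "WLC's IP" / "ASA's IP").
WLC_IP = "192.0.2.10"
ASA_IP = "192.0.2.20"


@dataclass
class Request:
    """What the access service sees for one authentication attempt."""
    device_ip: str              # System:Device IP address
    groups: Set[str]            # AD1 groups the user belongs to


@dataclass
class Rule:
    name: str
    conditions: List[Callable[[Request], bool]]
    result: str                 # e.g. "Permit Access" or "Deny Access"

    def matches(self, req: Request) -> bool:
        # Compound condition: every clause must hold (logical AND).
        return all(cond(req) for cond in self.conditions)


def device_is(ip: str) -> Callable[[Request], bool]:
    target = ip_address(ip)
    return lambda r: ip_address(r.device_ip) == target


def member_of(group: str) -> Callable[[Request], bool]:
    return lambda r: group in r.groups


def authorize(rules: List[Rule], req: Request, default: str = "Deny Access") -> str:
    """First-match evaluation with an explicit default rule (deny when nothing matches)."""
    for rule in rules:
        if rule.matches(req):
            return rule.result
    return default


# The policy as the question first wrote it: group membership alone.
GROUP_ONLY_RULES = [
    Rule("vpn", [member_of("AD1:vpn_users")], "Permit Access"),
    Rule("wifi", [member_of("AD1:wifi_users")], "Permit Access"),
]

# The rule the question asks for: device AND group, so each group only
# reaches the device it was meant for.
COMPOUND_RULES = [
    Rule("wifi-via-wlc", [device_is(WLC_IP), member_of("AD1:wifi_users")], "Permit Access"),
    Rule("vpn-via-asa", [device_is(ASA_IP), member_of("AD1:vpn_users")], "Permit Access"),
]


def compare_policies(req: Request) -> Dict[str, str]:
    """Evaluate the same request under both policies."""
    return {
        "group_only": authorize(GROUP_ONLY_RULES, req),
        "compound": authorize(COMPOUND_RULES, req),
    }


if __name__ == "__main__":
    # Constructed sample: a VPN-only user trying to join the wireless network.
    vpn_user_on_wifi = Request(device_ip=WLC_IP, groups={"AD1:vpn_users"})
    print(compare_policies(vpn_user_on_wifi))
    # {'group_only': 'Permit Access', 'compound': 'Deny Access'}
```

The group-only policy permits the VPN-only user on the WLC, which is exactly the over-authorization described in the question; the compound rules deny it while still permitting each group on its intended device.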

Hi there,
The roles for ACS administrators cannot be modified, and it is not possible to add new ones in the current version; this could be an option in a future release.
According to the role privileges from the User Guide, the closest role to your goal would be ReportAdmin; however, it seems like you already tested this and it is not doing what you were expecting.
Documentation about roles:
http://www.cisco.com/en/US/partner/docs/net_mgmt/cisco_secure_access_control_system/5.3/user/guide/admin_admin.html#wp1068633
Rate if it helps!

Similar Messages

  • Cisco ACS 4.2 one user in multiple local groups

    Currently i have group mapping like this
    ACS Groups    Windows Groups
    Grp-A-B       Grp-1 and Grp-2
    Grp-A         Grp-1
    Grp-B         Grp-2
    For example, currently one user test1 is part of both groups 1 and 2 in Windows and is mapped to Grp-A-B in ACS. Is it possible, if I delete the Grp-A-B mapping in ACS, to see the user test1 separately in both groups (Grp-A and Grp-B) in ACS?

    Salam Muhammad,
    If you have a local user in ACS, that user can not be a member of two groups at the same time.
    The same concept applies to the external users. They can not be mapped to two different groups at the same time.
    If you remove the Grp-A-B configuration, the user test1 will be mapped to the first group in the list because ACS 4.2 processes the group mapping in order:
    '''snip'''
    Group Mapping Order
    ACS always maps users to a single ACS group; yet a user can belong to more than one group set mapping. For example, a user named John could be a member of the group combination Engineering and California, and at the same time be a member of the group combination Engineering and Managers. If ACS group set mappings exist for both these combinations, ACS has to determine to which group John should be assigned.
    ACS prevents conflicting group set mappings by assigning a mapping order to the group set mappings. When a user who is authenticated by an external user database is assigned to an ACS group, ACS starts at the top of the list of group mappings for that database. ACS sequentially checks the user group memberships in the external user database against each group mapping in the list. When finding the first group set mapping that matches the external user database group memberships of the user, ACS assigns the user to the ACS group of that group mapping and terminates the mapping process.
    '''snip'''
    Reference: http://goo.gl/cvc474
    HTH
    Amjad
    Rating useful replies is more useful than saying "Thank you"

  • Trying to set up multiple users, multiple roles in Tomcat

    I've been learning webapps by making a webapp for the school where my wife works -- to manage assigning students to the rotating schedule of art periods throughout the year. Lots of fun and very good learning. I bought a Tomcat book, installed Tomcat 4.1.24, and have been writing html, jsp's, servlets, etc.
    I've got a good deal of it working. Now I see that there will be areas of the app where it makes sense to restrict access to only those who have the roles -- the teacher who does the basic assignments work will have "manage" role, my wife who works in admissions will have "admin" access to the areas that allow students to be added to the database, general users will have access to areas where information is available but they can't change things. That sort of security planning.
    I'm not worried about industrial strength security. It's a nice place, no big security worries with the students, it's not on the web, just the school's local network. So I plan to use Tomcat's BASIC auth, and I've tried to set it up in the tomcat-users.xml and the webapp's web.xml.
    So I have 3 roles in tomcat-users.xml - user, manage, and admin. There would be a general user, named "user" with user role. That one could get in to the opening page, and to any other page not further restricted. The teacher would have "user" role to get in, and "manage" role to get to those pages that involve assignment tasks. My wife would have "user" to get in, and "admin" for admin stuff. A user would be blocked at the "secure" pages, but having logged in with both roles, the teacher and my wife would get them without further authentication.
    <tomcat-users>
    <role rolename="user"/>
    <role rolename="manage"/>
    <role rolename="admin"/>
    <user username="user" password="userhat" roles="user"/>
    <user username="hillary" password="managehat" roles="user,manage"/>
    <user username="susan" password="adminhat" roles="user,admin"/>
    </tomcat-users>
    In the web.xml, I thought I could set up 2 different "security areas" in the web.xml, as a "proof of concept" exercise.
    <security-constraint>
    <display-name>Entry Level Security</display-name>
    <web-resource-collection>
    <web-resource-name>Open Pages</web-resource-name>
    <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
    <role-name>user</role-name>
    </auth-constraint>
    </security-constraint>
    <security-constraint>
    <display-name>Art Blocks Secure Pages</display-name>
    <web-resource-collection>
    <web-resource-name>Secure Pages</web-resource-name>
    <url-pattern>/secure/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
    <role-name>admin</role-name>
    <role-name>manage</role-name>
    </auth-constraint>
    </security-constraint>
    However I find that the general user, after passing the BASIC authentication popup, gets the opening page, but then can get to the admin stuff without any further popups. I must be missing something.

    Hi,
    Tomcat is not big on security. It doesn't have good security in standalone mode. Whenever I used Tomcat, another web server like Apache was used to provide authentication. This doesn't answer your questions, but at least you know not to expect too much.
    http://galileo.spaceports.com/~ibidris/

  • What happens if we assign multiple roles to one user

    Hi Experts,
    What is the outcome of the scenario where multiple roles are assigned to one user in MDM?
    Example: role A has the execute command for field X and another role B has the read-only command for the same field X. What happens if both roles are assigned to user John?
    Thanks in advance
    Sharma.

    hello Abhishake,
    Thanks for the reply,
    so does that mean the user will have the execute role even though the second role was read only?
    Thanks,
    sharma

  • Multiple Schemas under one user account with XE 10g

    Hi,
    I am using (learning) XE 10g. I would like to know if it is possible to have multiple schemas under one user account and have the schemas logically separated. As of right now, I have three schemas that I am working with, each one under a different user account. This is inconvenient, because I have to logout of one user account and login to another user account simply to be able to work with another schema.
    Thanks

    It isn't possible to have multiple schemas under one database user account. It is of course possible to grant rights to other database users, and or roles, in order to allow access to the tables/data from other accounts. In Oracle there is a one-one mapping between schema and user.
    Niall Litchfield
    http://www.orawin.info/

  • Visual Totals and users in multiple roles

    Hello,
    I have a few questions regarding dimension security and visual totals enabled.
    The infrastructure:
     - multiple roles
     - users are members of multiple roles
    1) if I have multiple roles and the user is member of multiple roles  - if I set "Visual Totals" to true on one role it does not work?
    2) same as "1" but if I set the visual totals on all roles it does not work?
    is this the intended behavior? - does it only work if the user is only in one role? or do I do something wrong?
    We want to have visual totals on two roles and not on the others, if possible. And if the user is a member of other roles it would be OK if he sees all values.
    3) How would Visual Totals work if I allow some nodes but deny all children of the node?
    4) Is there some advanced documentation which extends the information from "ms-help://MS.VSCC.v80/MS.VSIPCC.v80/MS.SQLSVR.v9.en/uas9/html/b028720d-3785-4381-9572-157d13ec4291.htm"?
    Thanks for your help.
    HANNES

    Years after, I am going to search for the same answer I was looking for 7 years ago....
    Maybe someone out there can answer them now?
    http://www.hmayer.net/

  • Multiple roles assigned to an user

    Hi folks,
    My question sounds to be something weird, but I wanted to be cautious. I see a lot of users in my environment with multiple roles assigned to them. When I checked the roles of a user who has three roles assigned to him, I noticed that all the roles have some tables in common with the same grants in all three roles, and all three roles are assigned to the same user. Will there be any problem?
    An example to explain my scenario...
    User scott has three roles A, B and C assigned to him. All three roles have execute on the xy.abc procedure and select, insert, update, delete on the xy.xyz table. Will there be any problem for the user who is assigned all three roles? Will there be any confusion for Oracle to choose from which role?
    Thanks

    This sounds to be something new. So when Oracle tries to hold all the privileges, does it do a distinct on the table grants, so that I will have just one entry of the privilege of an object, though it exists in all the roles assigned to that user?
    No, the table objauth$ looks like this:
      1* select * from objauth$ where rownum < 100
    SYS@etest> /
          OBJ#   GRANTOR#   GRANTEE# PRIVILEGE#  SEQUENCE# PARENT                OPTION$       COL#
           133          0          5          0          1
           133          0          5          3          2
           133          0          5          5          3
           133          0          5          6          4
           133          0          5          9          5
           133          0          5         10          6
           133          0          5         11          7
           135          0          5          0          8
           135          0          5          3          9
           135          0          5          5         10
           135          0          5          6         11
          OBJ#    GRANTOR#  GRANTEE# PRIVILEGE#  SEQUENCE# PARENT                OPTION$       COL#
    ---------- ---------- ---------- ---------- ---------- ------------------ ---------- ----------
    where
    OBJ# is object ID, could be any object not only table,
    GRANTOR# is user# , ROLE is also considered a special USER internally in Oracle.
    SYS@etest> select user#, name from user$
      2  /
         USER# NAME
             0 SYS
             1 PUBLIC
             2 CONNECT
             3 RESOURCE
             4 DBA
             5 SYSTEM
             6 SELECT_CATALOG_ROLE
             7 EXECUTE_CATALOG_ROLE
             8 DELETE_CATALOG_ROLE
             9 EXP_FULL_DATABASE
            10 IMP_FULL_DATABASE
    ..............
    So different roles will have different records in objauth$, even if it is the same privilege on the same object granted to the same user.
    A GRANTEE# can have the same privilege on the same object from different GRANTOR#s.

  • Multiple users under my name, can I transfer files/data onto just one user account if I have an external H.D.  when I tried to delete info off one of the accounts it said I did not have permission? I assume I was in an account that was not admin.

    I noticed I have set up 4 Admin user accounts under my own name with diff. variations as seen in the attachment. Some have a diff. password to log on with, which I am able to do. This computer is used for my business and I need info that is scattered on the other 3 accounts to be in/on ONE admin account.
    I don't know how I ended up with multiple accounts. Maybe due to having two 24" iMacs and multiple iPhones & iPad2 for me and family.
    I use this computer for business and personal. 
    Due to multiple Admin user accounts I have important info scattered on the other accounts, resulting in some accounts having some of the info and others having much more, but not ALL. Some accounts have from a couple hundred songs, podcasts, etc. etc. to a few 1,000 on another Admin account.
    I want to consolidate ALL of my info, files. songs, podcasts, pictures & email etc. into one Admin account and delete the other accounts to reduce confusion. 
    I was told by my local Apple authorized service shop that it is not easy but moving most of the info is possible.  Their caveat was email would probably not be able to be moved other than forwarding each email I wanted out of each account and opening in the account I wanted to consolidate into. 
    As a side note, I get an error message at times saying that I do not have permission/authority to delete / move files. What might be the issue when I encounter this type of message?
    Thanks for any help.
    Bob

    Have a read here: Transferring files from one User Account to another
    Stefan

  • One user appearing multiple time in Users on System report

    Hi,
    While checking the logging report I found one user is appearing multiple times. Is this the normal behaviour of Hyperion, or is there any setting in Hyperion to display one user only once?
    Also, can we control the users from logging into the system multiple times at a time?
    Thanks,
    Ajaya Kumar

    If multiple people know the username and password they can definitely be shared. This is a violation of your licensing and is a major reason why most SOX departments require Active Directory linking. For testing purposes I have created native IDs to be shared among people so that I know they are identical.

  • HT1206 Lots of info about one user using multiple computers. What about multiple users with separate Apple IDs using the same computer? Having problems getting my wife's new iPhone talking to her Apple account on the computer we share (2 users)

    You need to create a user account for your wife (or yourself depending on who has the current user account). When syncing, each of you should sign in as a separate user, login to iTunes and then sync. I had this problem when my sister got an iPhone. When we did her initial sync, everything on my iPhone showed up on hers. Apple gave me this solution.

  • One user for multiple tablespaces

    Hello.
    Oracle 11g enterprise.
    Whenever I setup a new tablespace on my server, I create a user for each tablespace on the server.
    Is it possible to create only one user for all tablespaces on a server?
    What is the easiest way to create this one user to have all roles and privileges across all tablespaces?
    Any suggestions are greatly appreciated.

    I would seriously question a design with 'N' databases (whether they are on 1 or more or 'N' servers is not the issue) and DBLink from each of the databases to every other database.
    Not only is it going to be hell to manage (how and when can you decide to shutdown a database for maintenance / patching / server/hardware maintenance when you have N-1 others connecting to it online), but it indicates a possibly high level of data duplication.
    So we still revert to why you think you need that many databases and that many users and that many database links.
    As has been pointed out, there is no relation between tablespaces and DBLinks. NONE whatsoever.
    As for tablespaces and users, I can have
    a. One Tablespace and 10 database accounts with any 1 to 10 of the accounts storing data objects in the tablespace
    b. Ten Tablespaces and 1 database account storing data objects across all 10 tablespaces
    c. 100 database accounts but only 1 to N of them having any data objects, the others only doing SELECT/INSERT/UPDATE/DELETE on objects owned by 1 to N schemas. (These 1 to N schemas all being in 1 tablespace or M tablespaces.)
    There is no one-to-one correspondence between users and tablespaces necessary. Tablespaces are for logical grouping of data objects.
    I keep referring to data objects as these (Tables, Indexes, LOBs, IOTs, Clusters etc.) require storage. Objects like Sequences do not require separate tablespaces although they have persistent values. Objects like DBLinks and Views are only definitions and require no storage (other than in the data dictionary!). Objects like Procedures and Packages and Triggers are code objects and require no storage (other than in the data dictionary).
    So :
    1. Such a design needs to be questioned.
    2. Even if you need such a design, do not tie DBLinks to Tablespaces.
    3. Even if you need DBLinks, do not tie Users to Tablespaces.

  • One domain, multiple users

    I use iWeb with MobileMe/iDisk to host www.mydomain.com with no problems. I use the custom domain feature in MobileMe and the domain is registered with GoDaddy. I would like to set up a subdomain for my brother so that he could use iWeb from his own computer to publish to hisname.mydomain.com using whatever method would work best. I know how to set up the subdomain forwarding but the thing that I can't figure out is if there is any way for him to publish his web site to my iDisk. The only thing I can come up with would be to give him my password and then have him publish the site to a folder in iWeb.
    I also have a MobileMe family pack with an unused account. Is there some way that this could help me? I could give him his own account and he could publish it to his own iDisk but then the URL isn't going to look right? Any suggestions are appreciated. Has anyone else come up with a good solution for letting multiple users publish to the same domain from different computers with iWeb?

    Hello Chet,
    MobileMe only supports one personal domain per MobileMe login.
    If your goal is to give your brother his own personal domain (www.example.com) for use with his own iWeb site then assigning him his own MobileMe member name from your family pack would be the way to go.
    If you are both using the same computer, make sure he is using iWeb and publishing from a separate user account. Publishing from one user login to two separate MobileMe member names can get confusing.
    Hope that helps
    ~ Mr. Madison
    Do you have a backup?
    Mac OS X v10.5, v10.6: How to back up and restore your files

  • Multiple websites on multiple user accounts. Want all websites in one user

    I have multiple websites in multiple user accounts. At the time I started this way, iWeb '08 didn't allow more than one website per user.
    I now have three limited user accounts with three iWeb sites, one in each account. I'd like to move two of them to the main user account and have all three available to me in the user account I call mine. Is this possible with iWeb '09? I can, by hand, recreate them in the main account, but I'd like an easier solution.
    I am hoping it is possible to combine the files from each "Domain.sites" and make one magical come together with each site in place.
    Thanks Everyone

    Move all of the Domain.sites2 files to one user account and rename them to represent the site inside, i.e. Myfirstsite.sites2, Mysecondsite.sites2, etc. Put them all in your User/Library/Application Support/iWeb folder.
    Using the application suggested by Wyodor merge the sites into a new domain file. You can only merge 2 sites at a time so you'll have to do 2, then select that new one and merge with a 3rd file, etc.
    New domain files are created by the merge process so your original domain files will be untouched.
    OR, you can leave the domain files as they are, named individually, and use iWebSites to choose and open the site you want to work on and publish. I manage multiple sites with iWebSites:
    This way the domain files load more quickly and if there's a problem only one site is affected.
    OT

  • Multiple users shuts down to only one user

    I have multiple users on my IMac.
    Recently when I go to log on to the computer, instead of showing all users, it shows only one user (not me) and I have to log on to that user and log off to see all users again.
    Any ideas how to fix this?

    After migrating your whole user account from another computer you will be left with 2 user accounts on the target computer.
    The best way to keep just the new user account is to log into the account you want to keep, then go into system preferences > users&groups (Accounts if using snow leopard) then delete the other account.
    (Make sure you have a backup of any files you wish to keep on that user account if any)
    If you wanted to just merge particular files from one computer to another instead of creating two user accounts you would be better off using the good old drag and drop method instead of migration assistant.

  • How to open multiple sessions for one user?

    Sorry for the silly question but I couldn't find it googling or searching through this forum, so I started wondering whether it's possible in SQL Developer to open multiple sessions for one user. I'm fairly new to SQL Developer and databases in general.
    When I open SQL Developer and connect to a schema, a worksheet opens named MYSCHEMA. If I disconnect then connect, another worksheet opens, named MYSCHEMA~1. I assumed these were different sessions, but if I enter into one worksheet:
    select col1 from my_table where row_id = 1
    -- shows result is 1
    update my_table set col1 = 0 where row_id = 1
    select col1 from my_table where row_id = 1
    -- shows result is 0
    and then enter into the second worksheet:
    select col1 from my_table where row_id = 1
    -- shows result is 0
    I would have expected the second worksheet to report 1 because the first worksheet did not issue a COMMIT. Thus, I'd guess both worksheets are the same session? Is that right? If so, how do I have two sessions open simultaneously (opened by the same user)?
    I'm trying to implement the code at the bottom of this post, for which testing requires at least two sessions:
    Re: Help with Procedure
    Edited by: tem on Apr 18, 2012 6:44 AM

    Thanks Jim,
    Ctrl-Shift-N doesn't do anything for me. I'm on a mac -- by experimenting it looks like command-N does what you're looking for. This appears to be the same as left-clicking on the "New" icon in the top left corner of SQL Developer, or selecting from the pull-down menu, File > New.
    This opens "Create a New" window that appears to be a wizard. What would I select at this point? Options are: Database Connection, Table, View, Package, ...
    I don't see an option for "Worksheet".
    UPDATE:
    OK, I found that if I select "SQL File", a worksheet becomes available. Perhaps this is what you intended. However, when I issue the command
    select col1 from my_table where row_id = 1;
    it still returns 0 instead of 1. Hmm, maybe my initial assumption was wrong -- if this is a second (e.g. different) session, should I expect the changes made in the first session in SQL Developer (the UPDATE command) WITHOUT a commit to be observed in this second session? I thought that changes made in one session were not viewable in a different session until these changes are committed in the first session? If so, how to show this in SQL Developer? I must be missing something basic here.
    Or, is SQL Developer issuing some sort of "auto-commit" without my knowledge?
    Edited by: tem on Apr 18, 2012 8:00 AM
