AD - SunDS 5.2 minimal access rights required to set passwords in DS

Hi,
I am doing Identity Integration for one of our clients with MIIS 2003.
Among other connections we will have:
MS Active Directory -> Sun DS 5.2
I have already set up password synchronization pushed out from AD to DS and it works just fine.
What I need to accomplish though, is to state minimum access requirements for access to DS.
Client will not give us a user with administrative privileges so we need to recommend a user with minimum access rights.
Obviously this user must have a 'write' for userPassword.
What else?

I found out the answer:
Basic access rights resulting from standard SunDS behaviour (from Sun manuals):
All users have anonymous access to the directory for search, compare, and read operations.
Bound users can modify their own entry in the directory, but not delete it. They cannot modify the aci, nsroledn, and passwordPolicySubentry attributes, nor any of their resource limit attributes, password policy state attributes or account lockout state attributes.
In order to be able to synchronize passwords we must have (in addition to standard access rights):
'Write' access right for 'userPassword' attribute for a particular dc.
In order to make password synchronization more secure, we can limit workstations (by selecting IP pool), which can originate password synchronization.
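The answer above amounts to a single ACI on the suffix. The following LDIF shows what that ACI looks like for Sun ONE Directory Server 5.2, as an added example that is not part of the original post; the suffix dc=example,dc=com, the service account DN uid=miis-pwsync,ou=Special Users and the address range 10.0.5.* are assumed values.

```ldif
# Added example (not from the original post). Assumed values: suffix
# dc=example,dc=com, sync account uid=miis-pwsync,ou=Special Users,
# and the MIIS server address range 10.0.5.*.
#
# Default DS 5.2 rights already give any bound account read, search and
# compare, so the only right added is write on the userPassword attribute.
# The ip clause limits which hosts may use the account (the workstation
# restriction mentioned above); authmethod requires the bind over SSL.
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "userPassword")
 (version 3.0; acl "MIIS password sync: write userPassword only";
 allow (write)
 userdn = "ldap:///uid=miis-pwsync,ou=Special Users,dc=example,dc=com"
 and ip = "10.0.5.*"
 and authmethod = "ssl";)
```

Lines beginning with a single space are LDIF continuations of the aci value. Load it with ldapmodify bound as an account that may write aci on the suffix (for example Directory Manager); the sync account itself cannot, and should not, alter ACIs.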

Similar Messages

  • We have two users that have been using Creative Cloud for almost a year. Recently, sometime in the last 4ish weeks, the users can no longer run Creative Cloud apps. (Yes, our subscription is paid.) Error simply says administrator access is required

    We have two users that have been using Creative Cloud for almost a year. Recently, sometime in the last 4ish weeks, the users can no longer run Creative Cloud apps. (Yes, our subscription is paid.) Error simply says administrator access is required to install. The apps have already been installed. The users cannot run them unless they are in the local admin group. Using "Run as admin" does not work. It gives the same error.
    I have opened a case with adobe support and was basically told to suck it up and put the users in the admin group. Actually, what was said was that it is "mandated that the users have administrative rights". 
    There are a couple of things wrong with this. It was working for both users until recently - a recent required creative cloud update. The users have never been local admins yet the apps were working (poorly, but working).
    We are in an enterprise environment and users simply do not have administrative rights on the computers.
    I have changed permissions on all adobe folders, granting users or authenticated users modify or full control rights, did the same in whatever Adobe registry HKLM keys I could find. Nothing has allowed the users to run the apps - unless they are put in the local admin group.
    Someone has to have a fix for this. Adobe apps have proved to have far too many vulnerabilities to even entertain the idea of elevating user rights. I can't imagine that enterprise environments are allowing this.
    Any help or suggestions are greatly appreciated.

    Jeff,
    Thank you for your response. The users in question are "standard" domain users. We do not reduce users permissions below the standard level.
    The apps do not load with their current standard user permissions.
    The thing that makes this odd, is that up until recently they did this issue with cloud apps. The only way I can make it work for them now is to put them in the local administrator group on their pc's - which is not going to happen.
    This is what they now see. As I said before, this was not a problem up until recently they would see all their available apps. If I put them in the local admin group the apps are listed without having to install. Everything is there, just not accessible to the user.

  • Access rights in case of a tree-like structure, with inheritance

    Hello,
    the project I've just started to work on should include an easy way (from the user's point of view) to grant/revoke access rights on a tree-like structure with inheritance.
    Basically we are working for several international companies who want to use our application to watch/manage some of their web projects - each project belongs to one company and consisting of several 'campaigns' in several countries (there can be several campaigns per country, but each campaign belongs to exactly one country).
    From our point of view this is a tree-like structure, with a 'root' node at the top level, 'companies' at the first level, 'countries' at the second level, 'campaigns' at the third level, and modules of our application (for example a module to display overall stats of the campaign, and so on) at the fourth level. There could be (and probably will be) some more levels, but that's not important at this point - it will always be a tree-like structure.
    The customer's requirements are natural - the administrators should be able to grant/revoke access to 'subtrees' of this structure. For example the top managers should be able to see all the data related to their company, the local managers should be able to see all the data related to their company in the country they work in, etc. On the other hand the regular employees should not see some of the modules (with details about clients of the company).
    I wonder whether this can be solved using JAAS in an elegant and flexible manner - from the documents / whitepapers / tutorials I've seen till now it seems to me not too suitable.
    All the data will be stored in a relational database (Oracle, and in some cases PostgreSQL), and it would be nice to have the access rights stored in the same way (but it's not required). We have some ideas how to solve that using a single table containing paths in the tree, but at this point it's only an idea (not a single line of code written).
    We are sure somebody has already had to solve such a problem - maybe using JAAS, maybe some other technology - and we don't want to reinvent the wheel. Do you have an idea how to solve this (using JAAS or something else)?

    Well, I forgot to explain what the 'inheritance' means ...
    We do not want to set the access right on each node of the tree - we prefer (as well as the users) to set/store only as much information as needed. We'd like the nodes to inherit the access rights from their parent nodes. For example we'd like granting access to particular project to mean granting access to all campaigns in all countries (related to the project), without the need to set and store these rights for each of the campaigns/countries.

  • Problems Managing User Access Rights for Web Gallery

    Has anyone else had issues changing the user access rights for a web gallery? It seems like the access is everyone or no one. Are the user rights handled per event in the gallery? I had issues adding events to the user's view/download rights in the publish settings.
    Also, can these settings only be set when an event is first published? Attempting to change the user access rights after the event is published seems to require a re-upload of the images.
    Any thoughts?

    Problem solved.
    I had to put the following lines in the specified "0000_any_80.my.website.conf" file:
            <Directory "/Library/WebServer/subdomain.domain">
                    Options All +MultiViews -ExecCGI -Indexes -Includes
                    AllowOverride None
                    # For Password protection
                    AuthType Digest
                    AuthName "Password Protection"
                    require valid-user
                    <IfModule mod_dav.c>
                            DAV Off
                    </IfModule>
            </Directory>

  • Files in Archive folder having limited access rights

    hi forum,
    I am using a File->XI scenario, where a file is picked from a folder, say XP1, and archived (as per configuration in the sender channel) to another folder, say Archive, and subsequently sent to the Integration Server.
    The case is, the files in the Archive folder have the owner XP1ADM with access rights rw-------,
    as a result, I cannot view the files in the Archive folder, as I'm using a user-id which is different from XP1ADM -
    (I am required to view these files - mandatory requirement)
    For information, the UMASK of XP1ADM is 022 (found by typing the command umask in its shell),
    hence, according to me, the files should have access rights 644 (since UMASK is 022), but the files are having access rights 600,
    can you please tell me why it is so,
    please help

    Gaurav, thanks for the reply,
    I guess even if I keep the user in XP1ADM's group, it won't do any good..... as the access rights for group in 600 are 0,
      correct me if I'm wrong....
    anyway I didn't understand your reply---->
    <<Your administrator has to set the permissions group for the ID you use for this folder similar to XP1ADM.>>
    thanks

  • Grant access rights to a manager to run the workflow history report without edit/delete rights

    I found that only Team Member / Workspace creator / Administrator can run
    the workflow history report. However, we have a Purchase Order request
    which needs to ask the supervisor for 1st approval and the manager for 2nd approval.
    But those managers want to see who prepared the P.O. and that the supervisor did the
    first approval before their 2nd approval. How can I grant the access
    right to the manager to run the workflow history report for this purpose? I
    tried granting the role "team member" to those managers, however, it will also
    allow them to modify or delete the entry as they are team members, but we
    only want to allow those managers to approve the entry and view the workflow
    history without other access such as add/delete/edit to prevent human
    mistakes.
    Pls advise how I can do this? Thanks!
    Regards

    Creating a new role in Teaming can fulfill this requirement. Thanks!

  • Bpf - package access rights

    Dear Xperts,
    I have created a BPF template, say bpf1, and created an instance, say my process.
    There are 5 companies for consolidation; for a specific user, say user1, I have given the right for company xyz only.
    The BPF runs correctly by showing only company xyz in the BPF web main menu for user1.
    The problem is when I run a package: in the criteria selection box requiring me to select entity, time, category etc. details for running the package, it shows all 5 companies in the entity selection box. So user1 is in a position to run the package for other companies for which it does not have the right.
    So can anyone tell me how to grey out the entity selection box so that user1 can run only company xyz, or is there any way I can set access rights while running the package in the criteria selection box? Also I'm working on NW 7.5 version.
    thanks
    kashyap.

    Dear Raju,
    I have given secondary admin rights to user1 with BPF execution tasks.
    I was able to allow access for this user to only one company by mentioning his domain name in the owner property of the entity dimension.
    do i need to make any further changes?
    thanks
    kashyap.

  • Access rights on external usb drives gets reset.

    Hi!
    I use external USB drives for backup. I don't want other users on my iMac to access these drives, so I have set the access rights for "Everyone" to *"no access"*.
    This works as intended, for a while... But for no reason whatsoever, the access rights get reset to *"Read & Write"*. This might happen after a day or two..
    Anyone experienced the same? Anyone know why this happens, and maybe have a solution to this problem?
    Best regards
    Geir.

    Other users on your iMac can easily right-click on the external hard drive icon, get info and check the "Ignore ownership on this volume". Then everyone can read and write on the backup drive which probably isn't what you want. Theoretically, only users with admin rights can check that box, but there's plenty of ways to circumvent this.
    If you want to restrict access more, launch Disk Utility and create a new Read/Write disk image with encryption on the external drive. This will take some time to create and ask you for a password. I'd recommend a strong password (use the password generator that pops up) and let it be stored in your keychain. This way, Time Machine won't ask you to enter the password to back up or enter Time Machine. You should write down that password though in case the internal hard drive fails or your home folder (including the keychain) gets corrupted. You will be required to enter the password to do a full restore from Time Machine.
    The downside of this is that the other users of your iMac can't use Time Machine at all.
    Per default, the Time Machine rights are so that you can only access your own home folder plus the shared and public folder (and other non-standard folders within anyone's home folder as it has no specific access rights). Try logging in from another account or the guest account and see if you can access your user account's backup files in, say /Documents. It should deny access and not even reveal the folder's contents.

  • Access Rights Assignment per Report/Layout

    Dear SAP Experts,
    Could you give me a hint where access rights for reports (smartforms or sapscript) are assigned?
    To give more requirement, what if we want to be more specific such that for example, we have 2 companies which are using the same report (e.g. Invoice), but we want to assign a different layout for each company automatically (depends on the company code of the invoice)? Is this "customizable" or should be programmed?
    Your advice is highly appreciated.

    Hello,
    This will be the customized one: create an authorization object like ZXYZ in SU21, and now inform the Basis guys to assign the auth object to the required profiles. Now in the report program, i.e. the print program, use the AUTHORITY-CHECK syntax. If the sy-subrc = then get the one layout, or else another layout.

  • Allow dashboard to be accessed by users with no access rights to the platform

    There are some users who would like to access a specific dashboard without having access rights to the platform, and we are searching for a solution. What we want is a scheduled job that would update the dashboard data or make the dashboard accessible in an offline mode, but it seems that these solutions are not applicable.
    If you have implemented a solution before or find a work-around, please let me know.
    Regards.

    Hi Sawaf,
    This can be done using "Widgets" which is one of the BO BI Platform client Tools.
    1. You need to create a separate user id for the user and provide view access rights only for the required dashboard that has been saved in BI Launchpad.
    2. The user needs to install Widgets on his local machine and create a new host for the required BI Platform by entering the server IP address and login credentials as below.
    3. After entering all the details, it shows a message that "server logged in successfully". Right click on the Widgets icon in the taskbar and click on document list explorer. It shows the documents in the BI Platform; select the dashboard and double click on it. After the dashboard is opened in the Widgets window, drag it onto the user desktop and run it.
    4. In this way the user can view dashboards or reports on his desktop without any access to the BI platform. They can keep the file open on their desktop all day too.. The session does not expire in this method.
    5. If you want data to be refreshed every 1 hour or so.. keep a query refresh button in the dashboard, select all the queries in it and select a trigger cell. You can write an Excel function in that trigger cell so that the cell value changes every 1 hour (OR) select the refresh every 1 hour option from the BEx query properties in the dashboard.

  • OIM Organization Access Rights Inheritance

    I'm using OIM 9.1.0. I have two Organizations defined in OIM, they are defined as parent and child org. If I assign the access right for the parent org to an OIM group, it seems this group will not automatically be granted the access right for the child org.
    Is it possible to make the group also have the access right to the child org without specifically assigning it?

    My suggestion would be request based Enable/Disable/Revoke. You can code an approval task to validate submission of the request based on a group membership and either allow the process to continue or reject the request. Once you give someone access to manage users and access to the menu item, they will have access to all the drop downs for that user. You will need to test the permissions. You can give the group update rights to specific objects, and only read only to others, and see if this meets your requirements.
    -Kevin

  • Overload the default access right policies?

    Hello,
    We want to use Oracle Content Database to implement a DMS for a bank, who has complex access rights (as an example, imagine that the access rights become more restrictive after 8 PM).
    Hence our question: is it possible to overload the standard access rights of Oracle Content Database with our own hand-crafted policies, e.g. provided in a stored procedure?
    Thanks for any help
    Pascal Sartoretti

    Hi Pascal,
    I understand.
    I think what you wrote is enough for me to get a better understanding of what you're trying to do: each document in CDB may map to a transaction in an external banking application, each of which may imply its own security policy in some way.
    You are correct -- there is no way to override the security model of CDB with another implementation.
    However, you can change the security configuration for folders or documents in CDB programmatically with the CDB API. Therefore, it is possible to update a security configuration in CDB to match a security policy defined by an external application, as long as you can set up a "trigger" mechanism that is invoked when changes are made to the external application that need to be applied to CDB.
    Of course, you will need to come up with a mapping from your external application's security model to CDB's model that is based on users, groups, and roles. Given that you are able to create custom roles and ad-hoc groups in CDB, this should be possible, depending on the complexity of your external application's security model.
    You can also use the CDB EventHandler feature to implement a time-based custom "trigger" that can be implemented to make changes to CDB security at various intervals based on the rules you want to enforce.
    I have another question about the application you are planning:
    - Do you envision end-users accessing CDB directly, and using the built-in user interfaces, such as the Web GUI and ODrive?
    - Or do you think it will be more likely that end-users will access the external "banking application" directly, which would have a custom user interface and specific features for banking?
    In the second scenario, the banking application would use CDB "behind the scenes" to store and retrieve documents required by the banking application. (CDB would not need to have users and passwords for the end-users -- only one (or a few) "application" users that would be used to provide access to the banking application.)
    - Luis

  • How do I fix an access rights error when launching Image Processor in Adobe Bridge CC?

    Often when I am working on files and want to batch process Jpegs for clients I get an error message from Image Processor.  It will state "I am unable to create a file in this folder.  Please check your access rights to this location ...."
    I have cleared cache and up'd my history levels.  I checked to make sure the files were not locked and read/write was enabled.  I am not sure why this error keeps occurring.  I am using Adobe Photoshop CC 2014 (2014.2.2 release) with Adobe Bridge CC (6.1.0.115)

    It's an endless circle.
    See if these instructions help: iTunes repeatedly prompts to authorize computer to play iTunes Store purchases

  • How to define a new user in Enterprise manager with Specific access rights?

    Hi,
    I want to create a new user in OEMS 11g who should be able to access only the scheduler jobs section.
    How can this be achieved?

    You can create new administrators via the Setup --> Administrators page
    You can grant certain access rights to targets, you can not however grant priv to only access the job system
    Take a look at http://download.oracle.com/docs/cd/E11857_01/em.111/e14586/security3.htm#sthref235
    Regards
    Rob
    http://oemgc.wordpress.com

  • You do not have sufficient access rights, pls help

    Hi folks,
    I'm getting the "You do not have sufficient access rights" error accessing the Identity System Console. The same admin account can access User/Group/Org Manager screen, however, for some reasons user and group searches return no results. This is the second OIS install against the same ldap dir (ovd to sun 6.3), so I had to specify Id server was not the first one to avoid profile conflict with oblix DBAgents. The admin user had been selected during prev install, and exists under o=Oblix in both cn=Web Masters and cn=Directory Administrators.
    I have LDAPMaxNoOfRetries set to the number of dir servers +1 in all globalparams.xml on OIS. I also can modify the ldap dir via both ldapmodify and an ldap browser binding to OVD as the same user. Turning the TRACE on didn't show any errors except for the following:
    DB_RUNTIME WARNING 0x00000504 ldap_config_db.cpp:187 "Exception during DB runtime code" function^LDAPConfigDB::Open() status^17
    DB_RUNTIME WARNING 0x00000504 ldap_config_db.cpp:355 "Exception during DB runtime code" function^LDAPConfigDB::ReadOblixDBConfig()status^17
    SCHEDULER_FRAMEWORK ERROR 0x00000501 ../obschedulerthread.cpp:316 "ObError exception caught" ObScheduledTaskLiaison::LoadTasks^ObWFScheduledTaskLiaison
    PPP INFO 0x000008C7 obeventcatalog.cpp:183
    Cannot find the action
    function^ObEventCatalog::GetActionEntry2Modify()
    actionName^front_page_admin_klogin_post
    APP_BASE WARNING 0x00000833 oblixbasecommon2.cpp:1235
    Login failed
    Error^You do not have sufficient access rights
    numLoginFailures^1
    There's nothing in the ldap logs either. The only warning I get per that user is in the ovd log:
    DoSManager: Found unbound connection from active ip addresses
    DoSManager: Found unbound connection from active users
    The Oracle Support is clueless, please help.
    Thank you, Roman

    Hi Vinod,
    Thanks for the post. OK, if I got it right, I have two entries under obcontainerId=DBAgents for each of my primary Id servers. For the one I currently use, I have this towards the bottom:
    obname=oblixConfig-OIS_mdi-oamlx-3
    obname=default-OIS_mdi-oamlx-3
    Both entries have obdbusedby set to OIS_mdi-oamlx-3 which is my OIS id. The obsearchbasestr is different: o=Oblix,o=paychex inc for the oblixConfig, and o=paychex inc,c=us for the default one. Is that the way it should be?
    Thanks Roman
    P.S: I've noticed I get same error accessing My profile under User Manager.
