Add Resource to user as IDENTITY USER ADMINISTRATORS

Similar Messages

• SCCM 2012 Security to allow users to add resource to a collection

  Hi,
  I need to permission IT Support staff so they are able to add computers to certain collections in SCCM 2012. I created a new Role and assigned the following permissions under "Collection"
  Read, Modify, Modify Resource, delete resource, read resource, Modify Collection setting, read AMT.
  Also allowed read at site level.
  Users are still unable to add computers to a collection ? Any ideas why ?
  I did read a previous post which said something about also having to permission users to the limiting collection but this doesnt make sense, and sounds insecure.
  Thanks

  Here is a solution that should work for you. Perform this on a test account with only the security role you are going to change for your users in question.
  Create a new collection that is a copy of your collection limiting collection mentioned above.
  Set the limiting collection of this new collection to something other than the limiting collection it defaults to, which is the copied collection.
  Select the collections to which you wish to grant Add Resource permissions to and set their limiting collection to this new collection.
  Within your Administrative user or group properties, specify this new limiting collection and the collections you wish to allow Add Resource permissions under the "Associate assigned security roles with specific security scopes and collections - don't forget
  to add your security scope.
  Apply the changes and test - don't forget to restart the console of your test account.
  This does a couple things - it allows the Add Resource function to the specific collections you wish for the specific Administrative user/group you wish.  It does NOT allow modify on the limiting collection. And it separates the specific collections
  you tag as being modifiable by the specified group.
  We had the same issue in our environment - need a specific group to be able to Add Resource to a single specific collection which was being limited by the All Workstations collection.  Allowing modify to the All Workstations collection allowed modifications
  to any collection limited by All Workstations. So I came up with the solution above, tested against my test accounts and it works as I needed.
  Hopefully this will solve your issue and give you some options going forward.

• Programatically Check if the logged in user is in the Administrators group in Project Server (C#, VS2010)

  Hi I would like to be able to check if the logged in user is a member of the administrator group programatically through c#
  I know that I can get the user's GUID / check if they are actually a user in project server (resource table in reporting DB) but I am having trouble finding out how to programatically check if they are a member of the "Administrators" group.
  Could somebody please provide a code sample of how to check if a user is in the administrators group when you have their GUID or username or name?
  I did not see a table in the reporting DB that has this so I am guessing this has to be done through the PSI..
  Thanks in advance!
  BTW.. i am just wondering is there a way to check each groups permission levels? was wondering that if it is possible, what is the best way to implement a similar security model to that of the actual project server 2010

  hi Amit :) I ended up finding the answer myself before you posted here but thank you for your reply anyways, it is basically the same thing that I did.
  This is what I ended up doing :) Basically I have three different types of users configured in my web.config - admins, readwrite users, and read only users. In my code here I loop through and find out who the person is. Based on what group they are in I
  can later show/hide different options in my application :)
  SvcSecurity.SecurityClient security = new SecurityClient(ENDPOINT_PROJ_SECURITY);
  string adminGroupsString = ConfigurationManager.AppSettings["adminGroups"];
  string readWriteString = ConfigurationManager.AppSettings["readWriteGroups"];
  string readOnlyString = ConfigurationManager.AppSettings["readOnlyGroups"];
  List<string> adminGroups = new List<string>(adminGroupsString.Split(';'));
  List<string> readWriteGroups = new List<string>(readWriteString.Split(';'));
  List<string> readOnlyGroups = new List<string>(readOnlyString.Split(';'));
  List<Guid> adminGroupIDs = new List<Guid>();
  List<Guid> readWriteGroupIDs = new List<Guid>();
  List<Guid> readOnlyGroupIDs = new List<Guid>();
  List<Project> projectList = new List<Project>();
  SqlConnection con = new SqlConnection(System.Configuration.ConfigurationManager.ConnectionStrings["RDB"].ConnectionString);
  con.Open();
  SqlCommand command = new SqlCommand("SELECT * FROM MSP_EpmResource where ResourceNTAccount = @username", con);
  command.Parameters.AddWithValue("@username", this.User.Identity.Name);
  SqlDataReader reader = command.ExecuteReader();
  if (reader.Read())
  string resourceID = reader["ResourceUID"].ToString();
  //Get a list of security groups
  SvcSecurity.SecurityGroupsDataSet sgds = security.ReadGroupList();
  //Get the IDs of the required groups
  foreach (SvcSecurity.SecurityGroupsDataSet.SecurityGroupsRow ds in sgds.SecurityGroups)
  if (adminGroups.Exists(group => ds.WSEC_GRP_NAME == group))
  adminGroupIDs.Add(ds.WSEC_GRP_UID);
  else if (readWriteGroups.Exists(group => ds.WSEC_GRP_NAME == group))
  readWriteGroupIDs.Add(ds.WSEC_GRP_UID);
  else if (readOnlyGroups.Exists(group => ds.WSEC_GRP_NAME == group))
  readOnlyGroupIDs.Add(ds.WSEC_GRP_UID);
  bool isAdmin = false;
  //Go through each group using the id and check if the current
  //user is in that group (for example here check if the user is an admin)
  foreach (Guid id in adminGroupIDs)
  SecurityGroupsDataSet group = security.ReadGroup(id);
  foreach (SvcSecurity.SecurityGroupsDataSet.GroupMembersRow member in group.GroupMembers)
  if (member.RES_UID.ToString().Equals(resourceID))
  isAdmin = true;
  Session["createReport"] = "true";
  break;
  //If the user is not an admin then continue checking who they are
  if (!isAdmin)
  bool readWrite = false;
  //Check if the user is a read write group member
  foreach (Guid id in readWriteGroupIDs)
  SecurityGroupsDataSet group = security.ReadGroup(id);
  foreach (SvcSecurity.SecurityGroupsDataSet.GroupMembersRow member in group.GroupMembers)
  if (member.RES_UID.ToString().Equals(resourceID))
  Session["createReport"] = "true";
  readWrite = true;
  break;
  //If the user is not a read write group member either then check if they are a team member
  if (!readWrite)
  foreach (Guid id in readOnlyGroupIDs)
  SecurityGroupsDataSet group = security.ReadGroup(id);
  foreach (SvcSecurity.SecurityGroupsDataSet.GroupMembersRow member in group.GroupMembers)
  if (member.RES_UID.ToString().Equals(resourceID))
  Session["createReport"] = "false";
  break;
  Cheers! :)

• What is the difference between using the command "dsmgmt" and the "Managed By" tab when adding users to the local administrators Account on a Read-Only Domain Controller?

  When I use the
  "dsmgmt" command to add a user to the local administrators account of a RODC I can actually see the user when I use the "Show Role Administrators" parameter. However, I can't see the members of the
  group added to the "Managed By" tab of the RODC object in AD. Even though, the users added using
  "dsmgmt" and by the "Managed By" tab can all log in locally and have admin rights to the RODC. Are there any differences between these two ways of adding users to the local administrators account? 

  Hi,
  For groups, managedBy is an administrative convenience to designate “group admins”. Whatever principal listed in
  managedBy gets permission to update a group’s membership (the actual security is updated on the group’s AD object to allow this).
  In Win2008 and later managedBy also became the way you delegated local administration on an RODC, allowing branch admins to install patches, manage shares, etc. (http://technet.microsoft.com/en-us/library/cc755310(WS.10).aspx). 
  On the RODC, this is updating the RepairAdmin registry value within RODCRoles.
  So the difference between them should be only the way they do the same thing.
  For more details, please refer to the below article:
  http://blogs.technet.com/b/askds/archive/2011/06/24/friday-mail-sack-wahoo-edition.aspx
  We
  are trying to better understand customer views on social support experience, so your participation in this
  interview project would be greatly appreciated if you have time.
  Thanks for helping make community forums a great place.

• Add a new attribute to a user

  I would like to add a new att to an user, that is i would like to have more atts in a user, but these atts aren�t in the inetusergroup, so do you know how to add more attributes to an user? I would like to add for example the att yuuuuuuu but i can add it,. I must create a class that descend for inetgroupuser and add the att, that is easy but the problem is how i do to recognize that for identity server at the time of register.

  The best approch to add new set of attributes are define a custom object class which is extended from the inetorggroup. Add that class in to the Directory Server instance.
  After that the custom object class and it's naming attribute and other attributes you update in the ums.xml.
  Once updatation is done, drop the DAI Sevcie and load it again to make these changes effective.

• Issue on LDAP as a user-store for WebLogic Administrators

  Hi All,
  I have configured a Novell LDAP into WEblogic 10.3.2 successfully. I am able to view all of LDAP users and groups on Weblogic Admin Console, which includes my own account in LDAP.
  Now I am trying to configure my account as a Weblogic administrator so that I can log in the Weblogic Admin Console as my own account in LDAP. I don't want to set up an Administrators group in LDAP. I want to add the user to the Admin global role. As my understanding, all I need to do is
  1. Go to "myrealm"
  2. Click the tab "Roles and Policies"
  3. Click the tab "Realm Roles"
  4. Expand the link "Global Roles"
  5. Click the link "View Role Conditions" coressponding to the name "Admin". Enter the panel "Edit Global Role"
  6. Click the button "Add Conditions"
  7. Select "Predicate List" as "user"
  8. Click the button "Next"
  9. Enter my username (jwang) in LDAP to the field "User Argument Name:"
  10. Click the button "Add"
  11. Click the button "Finish"
  12. Back to the page "Edit Global Role"
  13. Here I can see
  User : jwang
  Or
  Group : Administrators
  14. Click the button "Save"
  15. Restart the server
  16. Log in with the new user jwang. It got denied.
  Can someone help me on this and why I can not log in?
  Thanks a lot.
  John

  Hi Faisal,
  Thank you very much for your prompt reply. With your suggestion, I do figure out where my problem is. I did set the control flag in my ldapAuthenticator "OPTIONAL". However, it appears that the DefaultAuthenticator is given as "REQUIRED" by default.
  Once I changed it to be "OPTIONAL", it works.
  Thanks again.
  John

• System Identity User does not have privileges in ACS

  Hello Everyone!!
  We have CiscoWorks integrated with ACS, the authentication works but the authorization does not. I check and we have the role System Administration for this user in ACS for every applications like; Common Services, RME, DFM, IPM, Campus Manager, etc.
  However in the Common Services < Home < Security< ACS appears the integration in red color and means that the System Identity User does not have all the privileges in ACS.
  Any idea??
  Kathy

  Login as the same user, use the same responsibility and then try to do the exact same update (item/field/value) using the screen.
  Then use the api.
  Make sure you add a line to set the context properly before calling ego_item_pub.
  I did not see that in your code.
  something like
  fnd_client_info.setup_client_info(&appl_id, &resp_id, &user_id) -- replace the variables with the appropriate value
  Hope this helps,
  Sandeep Gandhi

• Failed to sync user with identity native://nvid=9236b494f1ddf8ca:-7297b89f:

  Hi,
  I have created a native user in hyperion share services 11.1..2.1 and provisioned him as a planner for one planning application.The issue is getting errors when i am giving access to dimension members in planning application.
  Below are the errors:
  1)failed adding users and groups
  2)Failed to sync user with identity native://nvid=9236b494f1ddf8ca:-7297b89f:132610f37e3:-7e0f?USER with user provisioning. Check Planning log for details
  Regards,
  Ra

  Hi,
  I have seen this though maybe not in the same context, I will describe what I saw..
  Migrated planning database, updated sid for native users...
  1 native was fine logging into the planning app, the other user got "Failed to sync with user provisioning. Check Planning log for details"
  The sid was correct so it wasn't a problem on the planning side, what I did notice was in the EAS console the user did not exist, usually when you first log into planning it will check if the users exists in essbase, if they don't then it adds the user as a planning user to essbase.
  What I did was add the user in HSS as having essbase server access, then refreshed security in EAS, the user now appeared in EAS as an essbase user.
  Then tried to log into planning and suddenly the user could connect with no problems.
  So then I removed the essbase server access for the user in HSS and refreshed security in EAS, the user was gone, tried to log into planning and logged in with no problems.. Migrated identities in Planning.... Back in EAS the user was now in there as a Planning user...
  I don't know if this the same problem but you could try playing around with the essbase security and see what happens.
  Cheers
  John

• How can i add a new user and change user'password with javamail?

  how can i add a new user and change user'password from a mailserver with javamail?
  email:[email protected]

  Well user creation and updation is a system property..U need to go through that part...as it depends on the system you are hosting pout your application...
  if it is linux...u have to use some shell programming\
  bye for now let me know if this guides you or if you need some more stuff.
  bye

• Problem in creating a user in Identity management

  hi all
  i work on portal 7.0 and am involved in the branding of the portal.
  when i try to create an user in Identity mgt the following error message is displayed..
  ..current user has user creation permissions in th UME , but cannot create users in the backend systems(datasource).Original and possibly untranslated message was "no active writeable datasource found for usr craetion,check your permissions configuration".
  kindly help
  thanks in advance
  krishna chaitanya.

  Hi Chaitanya,
  I think you are using a LDAP or SAP system to store users. The problem is when you are defining the datasource configuration file. This might be in *read only * mode.
  You can check this by System Admin -> System Configuration -> UME Configuration ->Data Sources tab..
  You check wether you data source config file is in read only mode or not. If this file is in read only mode you cannot create users from the front end
  You need to create users from LDAP or SAP system what ever may be your back end.
  Thanks,
  Raju Bonagiri

• RECEIVER: ERROR: Access to requested resource is not authorized for user

  Hi,
  I installed two instances of COREid Federation in my machine. Also installed SiteMinder and LDAP. Source Domain of COREid (8101) uses LDAP as IdMBridge and Destination Domain (9101) uses SiteMinder as IdMBridge. I am trying to access the resource protected by the SiteMinder from the source domain using the URL which is constructed using the pattern given in the PDF:
  http://mymachine.domain.com:8101/shareid/saml/ObSAMLTransferService?DOMAIN=DestinationDomain&method=POST&TARGET=http://mymachine.domain.com:8887/Source/Source.html
  Assertions are generated and I can see the assertion in the Source domain and transferred to the Destination Domain.
  when i try to access the Source.html protected with siteminder, I get the following error in the Destination Domain Shareid Log file:
  ERROR - [http10113-Processor3] - RECEIVER: ERROR: Access to the requested resource is not authorized for user uid=username, ou=People, dc=xyz,dc=com
  Please help me to solve this issue?
  Note: When the resource is accessed directly, siteminder authorizes the same user.

  We also occationaly have this error.  See my log for an example :
  Transaction completed successfuly for DocEntry = 54358 : In company FIXTHISPLEASE on 3/2/2010 9:48:49 AM
  Transaction completed successfuly for DocEntry = 54365 : In company FIXTHISPLEASE on 3/2/2010 10:24:55 AM
  Transaction completed successfuly for DocEntry = 54403 : In company FIXTHISPLEASE on 3/2/2010 12:14:53 PM
  -5006 - The requested action is not supported for this object. for DocEntry = 0 : In company FIXTHISPLEASE on 3/2/2010 1:38:45 PM
  Transaction completed successfuly for DocEntry = 54424 : In company FIXTHISPLEASE on 3/2/2010 2:40:44 PM
  Transaction completed successfuly for DocEntry = 54425 : In company FIXTHISPLEASE on 3/2/2010 3:01:51 PM
  Transaction completed successfuly for DocEntry = 54426 : In company FIXTHISPLEASE on 3/2/2010 3:03:41 PM
  Transaction completed successfuly for DocEntry = 54427 : In company FIXTHISPLEASE on 3/2/2010 3:05:12 PM
  As you can see from 9:48am to 3:05pm, one occurance of this error occured.  And they say that the transaction was
  tried a few seconds later and it worked.
  the STARTTRANSACTION() and ENDTRANSACTION() are used by the DI API so I'm really in the blank about this error and it starts to anoy the customer.  Their SAP is 2007 SP01 PL08
  Any concrete ideas about this ?

• Request Error - The server encountered an error processing the request. The exception message is 'Unable to retrieve the requesting user's identity

  I'm trying to create an Orchestrator Connector in Service manager, It is not going well.
  The most resent alarm is
        <p class="heading1">Request Error</p>
        <p>The server encountered an error processing the request. The exception message is 'Unable to retrieve the requesting user's identity.'
     For the Orchestrator Web Service URL: I have http://Server_Name:81/Orchestrator2012/Orchestrator.svc/
  I created a new Run As account that uses Windows authentication, when I test the connection thats the alarm I get.
  Paul Arbogast

  Hi,
  Can you access the URL using a browser? Does it work with the credentials used for the RunAs account?
  Strange error message though - are the account you are running the console with, present in the SCSM CMDB?
  Regards
  //Anders
  Anders Asp | Lumagate | www.lumagate.com | Sweden | My blog: www.scsm.se

• OIM 11gR2 Add combo box UDF on Create User Form

  Hi.
  We have created a new UDF on user form. It is a lookup field and has the following lookup associated: "Lookup.Users.Continente"
  "Lookup.Users.Continente" has two values, both of them checked as Enabled.
  From the form designer all the values are displayed when selecting one default value so it is reading correctly from the lookup.
  We published the sandbox after this.
  Then we created a new sandbox and tried to add that field to the Create User Page. We went to "Create User Page", customize it and add content from "Data Component - Catalog" -> "userVO" -> Select the UDF, clicked on "Add" and selected "ADF Select One Choice".
  A new combobox is added but no values are shown. We have plublished the sandbox, restarted OIM, purged cache, etc... but it still shows an empty combo box. We have also tried adding it as "ADF Input List of values" but it does not add the field to the create user page.
  Any ideas of what are we doing wrong?
  The idea is very simple, just create a field with the same behaviour as, for example,  "User Type" field. A combobox that displays the enabled values from a lookup...
  We have also tried creating the UDF cheking the searchable option, searchable picklist and all the possible combinations.
  Thanks in advance!!

  oim version is oim 11gR2 with BP4

• Unable to create the user in identity management

  Hi,
  I have installed ABAP+JAVA system as per standard ABAP will take care of java datasourse.
  But we can create the user in identity management, I could not create the user in identity management.
  In R3 for j2ee_admin user i have given the role SAP_BC_JSF_COMMUNICATION and SAP_BC_JSF_COMMUNICATION_RO
  I am phasing the issue when i create the user in identity management  :
  Current user has user creation permissions in the UME, but cannot create users in the back-end system (data source). The original and possibly untranslated message was: "No active writeable datasource found for user creation, check your Persistence Configuration.".

  Please check this thread  /message/7428560#7428560 [original link is broken]
  Thank  you,
  Shyam

• Identity User( Find Current Logged in User) Windows Forms

  I have implemented dummy code for logging in to a windows Forms Application using Identity (Owin Auth). part of my code is as follows:
  private bool validateuser()
  bool isAuthorised = false;
  Login1 log = new Login1();
  if (DialogResult.OK == log.ShowDialog())
  Splasher.Show(typeof(frmSplash));
  userC = log.usernameTextBox.Text;
  PassC = log.passwordTextBox.Text;
  if (userC == "" || PassC == "")
  count++;
  //isAuthorised = false;
  if (count > 0) log.LoginStatus.Text = "Empty passwords or usernames are not allowed. please try again";
  if (count == 2) MessageBox.Show("You have one try remaining");
  if (count == 3) { MessageBox.Show("You have exosted your tries application will now close"); Application.Exit(); }
  validateuser();
  else
  var userStore = new UserStore<IdentityUser>();
  var userManager = new UserManager<IdentityUser>(userStore);
  var user = userManager.Find(userC, PassC);
  if (user != null)
  var userIdentity = userManager.CreateIdentity(user, DefaultAuthenticationTypes.ApplicationCookie);
  isAuthorised = userIdentity.IsAuthenticated;
  userIdentity.AddClaim(new Claim("FullName", user.UserName));
  userIdentity.AddClaim(new Claim("User_Id", user.Id));
  return isAuthorised;
  else
  count++;
  //Application.Exit();
  if (count > 0) log.LoginStatus.Text = "You may have entered a wrong password or username. Please try again";
  if (count == 2) MessageBox.Show("You have one try remaining");
  if (count == 3) { MessageBox.Show("You have exosted your tries, application will now close"); Application.Exit(); }
  validateuser();
  count = 0;
  return isAuthorised;
  When the code works fine and is able to authenticate from the database. In the current form, I'm able to get the current user by using user.UserName or id by using user.Id
  How do I get to retrieve the name or Id of the current logged in user from another form. Please Help
  Thanks
  My ASP

  Type in c.Type is giving an error. could I be missing any important reference?
  My ASP
  Hi,
  Looks from Aram's code, I found a blog from Leandro Boffi.
  http://leandrob.com/2012/02/claims-identity-c-4-0-dynamics/
  Some similar code like Aram's. You should install
  Windows Identity Foundation and the companion
  WIF SDK
  Best regards,
  Kristin
  We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time. Thanks for helping make community forums a great place.
  Click
  HERE to participate the survey.