Anyconnect new tunnel group

Similar Messages

• Can i use same address pool for different remote access VPN tunnel groups and policy

  Hi all,
  i want to create a different remote access VPN profile in ASA. ihave one RA vpn already configured for some purpose.
  can i use the same ip address pool used for the existing one for the new tunnel-group (to avoid add rotuing on internal devices for new pool) and its a temporary requirement)
  thanks in advance
  Shnail

  Thanks Karsten..
  but still i can have filtering right? iam planning to create a new group policy and tunnelgroup and use the existing pool for new RA  and i have to do some filetring also. for the new RA i have to restrict access to a particualr server ,my existing RA have full access.
  so iam planning to create new local usernames for the new RA and new group policy with vpn-filter value access-list to apply for that user as below,  this will achive waht i need right??
  access-list 15 extended permit tcp any host 192.168.205.134 eq 80
  username test password password test
  username test attributes
  vpn-group-policy TEST
  vpn-filter value 15
  group-policy TEST internal
  group-policy TEST attributes
  dns-server value 192.168.200.16
  vpn-filter value 15
  vpn-tunnel-protocol IPSec
  address-pools value existing-pool
  tunnel-group RAVPN type ipsec-ra
  tunnel-group RAVPN general-attributes
  address-pool existing-pool
  default-group-policy TEST
  tunnel-group Payroll ipsec-attributes
  pre-shared-key xxx

• WebVPN Tunnel-Group Aliases and URLS

  Hi,
  <br />
  <br />I have a requirement to create a new group policy and a new tunnel-group and apply it to a webvpn user account
  <br />
  <br />
  <br />The web vpn is working fine without any issues when I give a new name under Group Aliases and URL
  <br />
  <br />My requirement is to use the existing Group Alias for this new tunnel-group. When I enter the existing alias it says it is already used by other tunnel-group
  <br />
  <br />Please help

  If you use the same group-alias for two tunnel-groups, then how will the firewall distinguish between the two? Let say, as per your requirement you want to have the group-alias 'securevpn' for two tunnel-groups, TG1 and TG2. Now how will the firewall map a user landing on this alias to a group? TG1 or TG2? round-robin? :). This is not possible AFAIK.
  Please rate if helpful.
  Regards
  Farrukh Haroon
  CCIE # 20184 (Security)

• Anyconnect tunnel-group and group-policy from LDAP

  Recently we've changed from LOCAL to LDAP authentication and added additional group-policies for different users to increase security.
  To prevent users from selecting an incorrect group-policy, the LDAP server provides a IETF-Radius-Class value which matches the different group-policy names.
  It is my understanding that the authentication method is provided by the tunnel-group.
  tunnel-group DefaultWEBVPNGroup general-attributes
   authentication-server-group LDAP_AD
  This all works, but for _one_ of the group policies i'd like to enable (external) two factor authentication. Two enable two factor auth a 'secondary-authentication-server-group' needs to be set in the tunnel-group.
  Creating a tunnel-group which maches the name of the group-policy doesn't seem to have any effect.  When listing the connected users via "show vpn-sessiondb anyconnect", it always states the correct Group Policy but also always DefaultWEBVPNGroup.
  When enabling the listing of tunnel-groups for webvpn, thus allowing users to select their own tunnel-group, the two factor auth does work.
  To summarize, is it possible to let LDAP decide which tunnel-group is used or is there another way to have different group policies without users being able to choose ?

  Fabian, 
  Your connection lands on a tunnel group and picks a group policy. 
  A typical way to overcome the problem you're indicating is by using group-url. 
  a URL is bound to a specific tunnel-group and allows you to land directly on the one you desire. 
  vide:
  http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/98580-enable-group-dropdown.html
  M.

• ASA 5505 VPN Group Policies (RADIUS) and tunnel group

  I have a single ASA firewall protecting a small private developing network, and I need it in order to access remotely to two distinct network spaces both of wich are VLAN tagged: 1 is LAN and 3 is management. Each net has its own IP address space and DNS server.
  I'd like to set up Anyconnect to land on lan 1, and SSL VPN in order to see the IPMI and management websites sitting on VLAN 3. In order to make things "safer" I have found a free OTP solution, OpenOTP, and I decided to implement it on a virtual machine, setting up a radius bridge to allow user authentication for VPN. I can pass wichever attribute I'd like to using this radius bridge (for example "Class" or "Group-Policy" or whatever is included in the radius dictionaries). 
  Actually all I need is quite simple. I have to segregate my remote users in 2 groups, one for Anyconnect, and one for SSL based on the radius response from authentication. (I don't need authorization nor accounting) I'm no Cisco Pro, what I've learnt is based on direct "on the field" experience.
  I'm using two radius users for testing right now, one is called "kaisaron78" associated to a group policy "RemoteAC" and a second one called "manintra" associated to a group policy called "SSLPolicy". "kaisaron78" after logging in should only see the Anyconnect "deployment portal", while "manintra" should see the webvpn portal populated with the links specified in the URL list "Management_List". However, no matter what I do, I only see the default "clean" webvpn page. This is an example of "sh vpn-sessiondb webvpn" for both users..
  Session Type: WebVPN
  Username     : kaisaron78             Index        : 1
  Public IP    : 172.16.0.3
  Protocol     : Clientless
  License      : AnyConnect Premium
  Encryption   : Clientless: (1)RC4     Hashing      : Clientless: (1)SHA1
  Bytes Tx     : 518483                 Bytes Rx     : 37549
  Group Policy : RemoteAC               Tunnel Group : DefaultWEBVPNGroup
  Login Time   : 10:59:33 CEDT Mon Aug 18 2014
  Duration     : 0h:00m:23s
  Inactivity   : 0h:00m:00s
  VLAN Mapping : N/A                    VLAN         : none
  Audt Sess ID : c0a801fa0000100053f1c075
  Security Grp : none
  Asa5505# sh vpn-sessiondb webvpn
  Session Type: WebVPN
  Username     : manintra               Index        : 2
  Public IP    : 172.16.0.3
  Protocol     : Clientless
  License      : AnyConnect Premium
  Encryption   : Clientless: (1)RC4     Hashing      : Clientless: (1)SHA1
  Bytes Tx     : 238914                 Bytes Rx     : 10736
  Group Policy : SSLPolicy              Tunnel Group : DefaultWEBVPNGroup
  Login Time   : 11:01:02 CEDT Mon Aug 18 2014
  Duration     : 0h:00m:05s
  Inactivity   : 0h:00m:00s
  VLAN Mapping : N/A                    VLAN         : none
  Audt Sess ID : c0a801fa0000200053f1c0ce
  Security Grp : none
  As you can see, it seems like the policies are assigned correctly by radius attribute Group-Policy. However, for example you'll notice no vlan mapping, even if I have declared them explicit in group policies themselves. This is the webvpn section of the CLI script I used to setup remote access.
  ! ADDRESS POOLS AND NAT
  names
  ip local pool AnyConnect_Pool 192.168.10.1-192.168.10.20 mask 255.255.255.0
  object network NETWORK_OBJ_192.168.10.0_27
   subnet 192.168.10.0 255.255.255.224
  access-list Split_Tunnel_Anyconnect standard permit 192.168.1.0 255.255.255.0
  nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.10.0_27 NETWORK_OBJ_192.168.10.0_27 no-proxy-arp route-lookup
  ! RADIUS SETUP
  aaa-server OpenOTP protocol radius
  aaa-server OpenOTP (inside) host 192.168.1.8
   key ******
   authentication-port 1812
   accounting-port 1814
   radius-common-pw ******
   acl-netmask-convert auto-detect
  webvpn
   port 10443
   enable outside
   dtls port 10443
   anyconnect image disk0:/anyconnect-win-3.1.05170-k9.pkg 1
   anyconnect profiles AnyConnect_Profile_client_profile disk0:/AnyConnect_Profile_client_profile.xml
   anyconnect enable
  ! LOCAL POLICIES
  group-policy SSLPolicy internal
  group-policy SSLPolicy attributes
   vpn-tunnel-protocol ssl-clientless
   vlan 3
   dns-server value 10.5.1.5
   default-domain value management.local
   webvpn
    url-list value Management_List
  group-policy RemoteAC internal
  group-policy RemoteAC attributes
   vpn-tunnel-protocol ikev2 ssl-client
   vlan 1
   address-pools value AnyConnect_Pool
   dns-server value 192.168.1.4
   split-tunnel-policy tunnelspecified
   split-tunnel-network-list value Split_Tunnel_Anyconnect
   default-domain value home.local
   webvpn
    anyconnect profiles value AnyConnect_Profile_client_profile type user
  group-policy SSLLockdown internal
  group-policy SSLLockdown attributes
    vpn-simultaneous-logins 0
  ! DEFAULT TUNNEL
  tunnel-group DefaultRAGroup general-attributes
   authentication-server-group OpenOTP
  tunnel-group DefaultWEBVPNGroup general-attributes
   authentication-server-group OpenOTP
  tunnel-group VPN_Tunnel type remote-access
  tunnel-group VPN_Tunnel general-attributes
   authentication-server-group OpenOTP
   default-group-policy SSLLockdown
  !END
  I had to set up DefaultWEBVPNGroup and RAGroup that way otherwise I couldn't authenticate using radius (login failed every time). Seems like in ASDM the VPN_Tunnel isn't assigned to AnyConnect nor to Clientless VPN client profiles. Do I have to disable both default tunnel groups and set VPN_Tunnel as default on both connections in ASDM ? I know I'm doing something wrong but I can't see where the problem is. I'm struggling since may the 2nd on this, and I really need to finish setting this up ASAP!!!!
  Any help will be more than appreciated.
  Cesare Giuliani

  Ok, it makes sense.
  Last question then I'll try and report any success / failure. In this Cisco webpage, http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/ref_extserver.html#wp1661512 there's a list of supported radius attributes. Actually I'm using number 25 Group-Policy, in order to get the correct group policy assigned to users. I see, in that list an attribute 146 Tunnel-Group-Name. Will it work out for the purpose you explained in the previous post ? I mean, if I set up two tunnel groups instead of 1, 1 for anyconnect with its own alias and its own url, and 1 for SSL VPN again with its own alias and url, do you think that using that attribute will place my users logging in into the correct tunnel group ?
  Thank you again for your precious and kind help, and for your patience as well!
  Cesare Giuliani

• Can you authenticate users from 2 different AAA-servers for one specific tunnel-group?

  I need to authenticate users from two separate AD LDAP databases on the same tunnel-group. I would like them to use the same tunnel-group and thereby using the  same group-alias. I tried creating a new aaa-server group and putting both LDAP servers into group but apparently the ASA does not roll through the separate servers in the aaa-server group and will stop if the first server states that the authentication failed.
  I also tried assigning multiple aaa-server groups into the tunnel-group authentication-server-group but that also did not work. I finally tried to create a separate tunnel-group and assigning it the same group-alias but the ASA will not allow me to assign the same group-alias to different tunnel-group. What is the best way to accomplish this without having to create a new group-alias that will show up and possible confuse the dumb users requiring this access? Please help.

  If you don't want ANY drop down I believe you can do it in a kludgy sort of way.
  Eliminate all the group aliases (which are used to populate the dropdown) and make a local database of the users for the sole purpose of assigning / restricting them to a non-default tunnel-group which authenticates to the secondary LDAP server. 
  You can also send out a non-published URL that points to a second tunnel-group not in the dropdown.
  Of course, we can accomplish this if the AAA server is ISE. ISE 1.3 can authenticate users to multiple AD domains (with or without trust relationships) or a single domain with multiple join points in the Forest.
  The ISE answer makes me wonder - could you establish trust between the domains and authenticate users that way?

• User inherits privilege 15 when inside a tunnel-group - ASA 5510 7.2(2)

  Hello
  After enabling AAA and assigning a user a privilege level of 3(Read only) for management purposes, I realize that user has in fact a privilege 15 when logged in to ASDM (5.22). If I create a new account outside a tunnel-group, it works fine but if I move that new user inside a tunnel-group then it gets a privilege of 15.
  Any thoughts?
  Thanks!
  Guido

  Hello, 
  I'm sorry but you posted on the wrong forum, this one is for small business devices.
  Try posting on this forum:
  LAN, Switching and Routing
  I hope this hels

• How do I set up a new sub group email on the macbook ?

  I will begin by freely admitting that I am not computer literate...I switch on and use. The present email has been in existence for so long I can't remember how it was set up, think the laptop did it by itself.
  The problem...
  I want to set up a sub group email address for the small club that I am treasurer for and then use this so members can pay subscriptions via paypal.
  I followed the yahoo instructions to set a new email address and this was OK, the address is shown at the foot of the my account page on yahoo as the only sub group. ISP is BTinternet.com so that uses yahoo.
  Easy so far.
  Remember opening sentence !
  How do I set up my existing email page to show when a message has been received on the new sub group email. I use macmail on a macbook , not PC outlookexpress. In other words, how do I open/access/show this new email on the macbook ? I don't want to compromise the existing email set-up, just have a 'secondary' or 'sub group' account.
  Thanks
  Brian

  Yes, you just setup another account in Mail, on the Second page where it has Description you need another Name in there than the Other one has.
  http://email.about.com/od/macosxmailtips/qt/access_aol.htm
  Message was edited by: BDAqua

• SSL Multiple Tunnel Groups with Multiple group policies

  Hello folks.
  Have a query and cant seem to find an answer on the web.
  I have configured SSL Clientless VPN on a lab ASA5510, using 2 tunnel groups, one for enginneers and one for staff, mapped to 2 different group policies, each with different customisation. I have mapped the AD groups to the tunnel groups using both ACS and now LDAP (currently in use), both working successfully, using group lock and LDAP map of IETF-Radius-Class to Group name ensures engineers get assigned to the engineers tunnel group and staff get mapped to the staff tunnel group only.
  The question i have is....is there a way to use a single tunnel group to map the user based on AD group which will then use the correct Group-policy (1 tunnel group to multiple group-polciies). I have seen examples of doing this with different URLs but want to know if they can all use the same URL and avoid using the drop down list using aliases.
  It may be a simple "No" but it would be nice to know how to do it without using the URLs or drop down list. Users are easily confused ......

  Easy. Disable the drop-down list, and use the authentication-server (LDAP or Radius) in the DefaultWEBVPNGroup. By default when you browse to the ASA, it will be using the DefaultWEBVPNGroup. Let LDAP or Radius take care of the rest.
  You will get the functionality you are looking for.
  HTH
  PS. If this post was helpful, please rate it.

• Error while adding new security group in content server

  Hi,
  When i am trying to add new security group in UCM using User Admin applet i am getting following error:
  Event generated by user 'weblogic' at host 'vpunvfpctnsz-07.ad.infosys.com:16200'. Unable to execute service ADD_GROUP and function insertGroupRow.
  Unable to execute query 'IroleDefinition(INSERT INTO RoleDefinition (dGroupName, dRoleName, dPrivilege, dRoleDisplayName)
  values ('Test_111', 'admin', 0, ''))'. ORA-00001: unique constraint (DEV_OCS.PK_ROLEDEFINITION) violated
  java.sql.SQLIntegrityConstraintViolationException: ORA-00001: unique constraint (DEV_OCS.PK_ROLEDEFINITION) violated. [ Details ]
  An error has occurred. The stack trace below shows more information.
  !csUserEventMessage,weblogic,vpunvfpctnsz-07.ad.infosys.com:16200!$!csServiceDataException,ADD_GROUP,insertGroupRow!$!csDbUnableToExecuteQuery,IroleDefinition(INSERT INTO RoleDefinition (dGroupName\, dRoleName\, dPrivilege\, dRoleDisplayName)<br>          values ('Test_111'\, 'admin'\, 0\, ''))!$ORA-00001: unique constraint (DEV_OCS.PK_ROLEDEFINITION) violated<br>!syJavaExceptionWrapper,java.sql.SQLIntegrityConstraintViolationException: ORA-00001: unique constraint (DEV_OCS.PK_ROLEDEFINITION) violated<br>
  intradoc.common.ServiceException: !csServiceDataException,ADD_GROUP,insertGroupRow!$
  at intradoc.server.ServiceRequestImplementor.buildServiceException(ServiceRequestImplementor.java:2071)
  at intradoc.server.Service.buildServiceException(Service.java:2207)
  at intradoc.server.Service.createServiceExceptionEx(Service.java:2201)
  at intradoc.server.Service.createServiceException(Service.java:2196)
  at intradoc.server.ServiceRequestImplementor.handleActionException(ServiceRequestImplementor.java:1736)
  at intradoc.server.ServiceRequestImplementor.doAction(ServiceRequestImplementor.java:1691)
  at intradoc.server.Service.doAction(Service.java:476)
  at intradoc.server.ServiceRequestImplementor.doActions(ServiceRequestImplementor.java:1439)
  at intradoc.server.Service.doActions(Service.java:471)
  at intradoc.server.ServiceRequestImplementor.executeActions(ServiceRequestImplementor.java:1371)
  at intradoc.server.Service.executeActions(Service.java:457)
  at intradoc.server.ServiceRequestImplementor.doRequest(ServiceRequestImplementor.java:723)
  at intradoc.server.Service.doRequest(Service.java:1865)
  at intradoc.server.ServiceManager.processCommand(ServiceManager.java:435)
  at intradoc.server.IdcServerThread.processRequest(IdcServerThread.java:265)
  at intradoc.idcwls.IdcServletRequestUtils.doRequest(IdcServletRequestUtils.java:1332)
  at intradoc.idcwls.IdcServletRequestUtils.processFilterEvent(IdcServletRequestUtils.java:1678)
  at intradoc.idcwls.IdcIntegrateWrapper.processFilterEvent(IdcIntegrateWrapper.java:221)
  at sun.reflect.GeneratedMethodAccessor120.invoke(Unknown Source)
  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
  at java.lang.reflect.Method.invoke(Method.java:597)
  at idcservlet.common.IdcMethodHolder.invokeMethod(IdcMethodHolder.java:87)
  at idcservlet.common.ClassHelperUtils.executeMethodEx(ClassHelperUtils.java:305)
  at idcservlet.common.ClassHelperUtils.executeMethodWithArgs(ClassHelperUtils.java:278)
  at idcservlet.ServletUtils.executeContentServerIntegrateMethodOnConfig(ServletUtils.java:1592)
  at idcservlet.IdcFilter.doFilter(IdcFilter.java:330)
  at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
  at oracle.security.jps.ee.http.JpsAbsFilter$1.run(JpsAbsFilter.java:94)
  at java.security.AccessController.doPrivileged(Native Method)
  at oracle.security.jps.util.JpsSubject.doAsPrivileged(JpsSubject.java:313)
  at oracle.security.jps.ee.util.JpsPlatformUtil.runJaasMode(JpsPlatformUtil.java:414)
  at oracle.security.jps.ee.http.JpsAbsFilter.doFilter(JpsAbsFilter.java:138)
  at oracle.security.jps.ee.http.JpsFilter.doFilter(JpsFilter.java:71)
  at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
  at oracle.dms.wls.DMSServletFilter.doFilter(DMSServletFilter.java:330)
  at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
  at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.doIt(WebAppServletContext.java:3684)
  at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3650)
  at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
  at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:121)
  at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2268)
  at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2174)
  at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1446)
  at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
  at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)
  Caused by: intradoc.data.DataException: !csDbUnableToExecuteQuery,IroleDefinition(INSERT INTO RoleDefinition (dGroupName\, dRoleName\, dPrivilege\, dRoleDisplayName)
  *          values ('Test_111'\, 'admin'\, 0\, ''))!$ORA-00001: unique constraint (DEV_OCS.PK_ROLEDEFINITION) violated* at intradoc.jdbc.JdbcWorkspace.handleSQLException(JdbcWorkspace.java:2441)
  at intradoc.jdbc.JdbcWorkspace.execute(JdbcWorkspace.java:584)
  at intradoc.server.UserService.insertGroupRow(UserService.java:1201)
  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
  at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
  at java.lang.reflect.Method.invoke(Method.java:597)
  at intradoc.common.IdcMethodHolder.invokeMethod(IdcMethodHolder.java:86)
  at intradoc.common.ClassHelperUtils.executeMethodEx(ClassHelperUtils.java:310)
  at intradoc.common.ClassHelperUtils.executeMethod(ClassHelperUtils.java:295)
  at intradoc.server.Service.doCodeEx(Service.java:549)
  at intradoc.server.Service.doCode(Service.java:504)
  at intradoc.server.ServiceRequestImplementor.doAction(ServiceRequestImplementor.java:1622)
  ... 39 more
  Caused by: java.sql.SQLIntegrityConstraintViolationException: ORA-00001: unique constraint (DEV_OCS.PK_ROLEDEFINITION) violated
  at oracle.jdbc.driver.SQLStateMapping.newSQLException(SQLStateMapping.java:89)
  at oracle.jdbc.driver.DatabaseError.newSQLException(DatabaseError.java:135)
  at oracle.jdbc.driver.DatabaseError.throwSqlException(DatabaseError.java:210)
  at oracle.jdbc.driver.T4CTTIoer.processError(T4CTTIoer.java:473)
  at oracle.jdbc.driver.T4CTTIoer.processError(T4CTTIoer.java:423)
  at oracle.jdbc.driver.T4C8Oall.receive(T4C8Oall.java:1095)
  at oracle.jdbc.driver.T4CStatement.doOall8(T4CStatement.java:193)
  at oracle.jdbc.driver.T4CStatement.executeForRows(T4CStatement.java:1028)
  at oracle.jdbc.driver.OracleStatement.doExecuteWithTimeout(OracleStatement.java:1379)
  at oracle.jdbc.driver.OracleStatement.doScrollExecuteCommon(OracleStatement.java:5846)
  at oracle.jdbc.driver.OracleStatement.doScrollStmtExecuteQuery(OracleStatement.java:5989)
  at oracle.jdbc.driver.OracleStatement.executeUpdateInternal(OracleStatement.java:2012)
  at oracle.jdbc.driver.OracleStatement.executeUpdate(OracleStatement.java:1958)
  at oracle.jdbc.driver.OracleStatementWrapper.executeUpdate(OracleStatementWrapper.java:301)
  at weblogic.jdbc.wrapper.Statement.executeUpdate(Statement.java:503)
  at intradoc.jdbc.JdbcWorkspace.execute(JdbcWorkspace.java:564)
  ... 50 more
  I checked in database , the security group Test_111 is not present in ROLEDEFINITION table.
  What could be the issue?
  Regards,
  Minal

  1) Try importing CMU bundle with 'Overwrite Duplicates' option unchecked .
  2) In the CMU bundle, open file roles_guest.hda and see if 'guest' role has access to any group that start with special character or group you haven't created in the system..
  Eg: guest
  #AppsGroup
  0
  Also open securitygroups folder in CMU bundle, and see if you can find any groups that starts with special character or group you haven't created in the system.
  3) Identify that group and execute below query in the UCM database.
  select * from roledefinition where dgroupname= '#AppsGroup';
  Replace '#AppsGroup' with the groupname you identified.
  4) Solution would be to delete all the rows with dgroupname= '#AppsGroup' from the 'roledefinition' table.
  delete from roledefinition where dgroupname= '#AppsGroup';
  Replace '#AppsGroup' with the groupname you identified.

• Creating the New Update groups in case of the Credit Management

  Hi Can any one help out in the following requirement:
    Is it possible to Create a new update group in case of the Credit Management?SAP standard provides only three update groups viz., 000012, 000015 and 000018. We would like to have a customized group in order to meet the clients requirements.
            Also is it possible to update the open contracts value in the credit exposure?
     Thanks & Regards
     Soma

  HI
  You can define your own credit groups  according to your client's requirement.
  here is the path....
  IMG > SPRO>SALES AND DISTRIBUTION --> BASIC FUNCTIONS -->
  CREDIT MANAGEMNT / RISK MANAGEMENT --> CREDIT MANAGEMENT
  -->  DEFINE CREDIT GROUPS --> NEW ENTRIES AND CREATE YOUR OWN
  CREDIT GROUPS AS UR UR REQUIREMENTS.
  hope this will help u ...
  bye

• Error in PipelineManager while creating new payment group

  Hi Everyone,
  I am  trying to create a new payment group for purchasing an item with the reward points.  i am trying to modify the pipeline flow by overriding commercePipeline.xml.  i have added the following lines of code in that xml.
  commercepipeline.xml
  <pipelinemanager>
  <pipelinechain name="validatePaymentGroup">   
    <pipelinelink name="dispatchOnPGType">
      <transition returnvalue="5000"
        link="validatePointsPG" />
    </pipelinelink>
    <pipelinelink name="validatePointsPG"
      transaction="TX_MANDATORY">
       <processor jndi=
        "/com/mystore/order/processor/ValidatePointsPaymentGroup" />
    </pipelinelink>
  </pipelinechain>
  <pipelinechain
    name="validatePaymentGroupPreConfirmation">
    <pipelinelink name="dispatchOnPGTypePreConfirmation">
      <transition returnvalue="5000"
       link="validatePointsPGPreConfirmation" />
    </pipelinelink>
    <pipelinelink name="validatePointsPGPreConfirmation"
     transaction="TX_MANDATORY">
       <processor jndi=
        "/com/mystore/order/processor/ValidatePointsPaymentGroup" />
    </pipelinelink>
  </pipelinechain>
  </pipelinemanager>
  when i am starting  the server  getting below error:
  ERROR [nucleusNamespace.] Unable to start service "/atg/commerce/PipelineManager": atg.nucleus.ServiceException: CONTAINER:atg.service.pipeline.PipelineInitializationException; SOURCE:atg.service.pipeline.TransitionException: A PipelineLink is already mapped to return code [5000] in the pipelink named [dispatchOnPGType].
  when i tried to check the commercepipeline in Dynamo Administration it is showing that the pipelinechain is locked
  CommercePipelineManager
  Pipeline Chains
  Chain Id
  Num Runners
  Enabled
  Locked
  LockAcquiredTime
  LockReleasedTime
  LockingThread
  validatePaymentGroup
  0
  false
  true
  Fri Jan 24 10:55:46 IST 2014
  N/A
  main
  loadOrder
  0
  true
  false
  N/A
  Fri Jan 24 10:55:44 IST 2014
  N/A
  updateOrder
  0
  true
  false
  N/A
  Fri Jan 24 10:55:44 IST 2014
  N/A
  processOrder
  0
  true
  false
  N/A
  Fri Jan 24 10:55:45 IST 2014
  N/A
  validateShippingGroup
  0
  true
  false
  N/A
  Fri Jan 24 10:55:46 IST 2014
  N/A
  refreshOrder
  0
  true
  false
  N/A
  Fri Jan 24 10:55:44 IST 2014
  N/A
  processOrderWithReprice
  0
  true
  false
  N/A
  Fri Jan 24 10:55:44 IST 2014
  N/A
  repriceOrderForInvalidation
  0
  true
  false
  N/A
  Fri Jan 24 10:55:44 IST 2014
  N/A
  validateForCheckout
  0
  true
  false
  N/A
  Fri Jan 24 10:55:45 IST 2014
  N/A
  Thanks&Regards,
  RKishore

  U have assigned return code 5000 in both chain to ur new pipeline link.
  OOTB 5000 is already assigned to invoice chain.
  U need to change return code to new unassigned value.Also return code must be added in expected return codes in ValidatePaymentGroupByType component.
  Refer this: Oracle ATG Web Commerce - Extending Order Validation to Support New Payment Methods
  Thanks,
  Nitin.

• Creation of new employee groups and sub groups

  Hi All,
  What all the steps should I follow to create new employee groups and sub groups? and  How many structures should I create for this?
  Its urgent pls.......
  Good replies will be rewarded!!!!
  Regards,
  Sita

  Hi
  You can create the employee groups depending up on your clients requirement, Eg: Permanent, Temporary, Seasonal, Trainee, Advisor etc
  And define the employee subgroups and assign them to the employee groups Like
  Enterprise structure>Definition>Human Resource Management-->Employee Groups & Employee Groups
  Enterprise structure>Assignment>Human Resource Management-->Assign employee subgroup to employee group
  you can create employee subgroups depending up on your requirement like asst manager, manager, GM, MD, VP ETC an assign them to the employee subgroups ok.
  Ensure that certain empployee subgroups may not be assigned to employee group based on requiremen, but create all the employee sub groups which is existing in the organization.
  Regards

• In panorama, when I left click and drag to open a new tab group, unclicking doesn't create the new group and left clicking again only creates another group without finalizing the first one.

  In Firefox 4.0 beta 11 (Windows 7 Professional) left clicking in panorama creats a new tab group but letting go doesn't finalise the group. I have XP mode on my computer and firefox b11 works fine in the virtual PC.
  Edit:
  This has continued into Firefox 4 RC2

  Start Firefox in <u>[[Safe Mode]]</u> to check if one of the extensions is causing the problem (switch to the DEFAULT theme: Firefox (Tools) > Add-ons > Appearance/Themes).
  *Don't make any changes on the Safe mode start window.
  *https://support.mozilla.com/kb/Safe+Mode
  *https://support.mozilla.com/kb/Troubleshooting+extensions+and+themes

• Cannot create new Calendar Group in Mountain Lion

  I am using a brand new iMac. I didn't use the migration tool-- instead I exported all of my Calendars from Snow Leopard and Imported them via the File menu in the Calendar application in Mountain Lion.
  Under the File menu, there is no "New Calendar Group" option. Command-Shift-N results in an error alert sound and no action.
  I do not use iCloud for anything other than email-- everything is turned off in System Preferences.
  In Calendar, under the Preferences -> Accounts section, I have NO accounts. It is completely blank.
  My previous groups from my export/import are there under the "On My Mac" section of the Calendars panel. I can edit them. But I cannot create any new ones.
  Any suggestions? Everything on the internet says I need to deactivate my iCloud account calendars... but I don't use them.

  Ah, Barney, you are a lifesaver!
  Sorry for the late reply, I was away from my computer this weekend.
  All of my calendars had been in groups. I moved one of them outside, and TA DA-- "New Calendar Group" appeared.
  Thanks so much for the help. I will have to leave 1 calendar outside of a group so I can add as many as I'd like.