APEX Pages - User Access List with NTLM
Hi,
I'm building several APEX applications, using NTLM as the authentication scheme. With this, the users won't have to type any user name and password, and their user name is shown at the top right of the screen.
I'd like to build another application to administer users of all created APEX Applications. So I'd like to build 3 tables:
1. users (hold user name, and user data)
2. pages (hold APEX Applications pages)
3. access_list (hold combined data of users and pages and access flag)
The last table will give me an SQL that can be used to create page level Authorization Scheme.
The problem is:
I cannot find a way to get a list of user ids to pre-populate the users table. Is there a way that an administrator user can use an LOV of all NTLM users instead of typing domain\user into this application? Or is there a better, more elegant way to create a User Access List with NTLM?
Your help will really help me, and thanks in advance.
Regards,
Aulia
This is kind of a follow-up to Scott's post. Instead of using your own tables to map user accounts to permissions etc., why not simply use LDAP to query the NT domain global catalog?
You can tell what users are members of particular AD groups and control access to functions based on AD group membership. Then you would only need one table that maps Apex functionality to AD groups.
That's what we do. Our account management people add users to different security groups and they get access to our apex app based on those groups. The type of access is controlled by the group to which they belong.
If you try to capture a list of all users, you'll be constantly trying to keep your list of users in sync with your AD/NTLM accounts.
Or I guess you could simply use LDAP queries inside the database to get a list of ALL your users in a nightly batch. Wouldn't help for people added in the middle of the day, but maybe that doesn't happen often in your company.
I have posted code on using Active Directory LDAP with dbms_ldap inside the database. Shouldn't be too much trouble to modify that code to scan your directory for users every night. Search for "dbms_ldap" in this forum.
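As an added example (not code from this thread or from the dbms_ldap post it refers to), the following Python shows the two pieces the reply describes: the LDAP filter that asks the directory whether a user is a (nested) member of a given AD group, and the single table that maps APEX functionality to AD groups. No directory is contacted; the group DNs, user names and the FUNCTION_TO_GROUP table are constructed for the demo. The escaping step matters because the user name arrives from the NTLM header, and a name containing parentheses, a wildcard or a backslash must not be able to change the filter's logic.

```python
"""Added example (not from the thread): building the AD group-membership check
the reply describes. Nothing here talks to a directory; DNs and names are made up."""

# Active Directory's LDAP_MATCHING_RULE_IN_CHAIN: makes memberOf match nested groups too.
MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"

# The single mapping table the reply suggests: APEX function -> AD group DN (constructed names).
FUNCTION_TO_GROUP = {
    "admin_pages": "CN=APEX-Admins,OU=Groups,DC=example,DC=com",
    "reports": "CN=APEX-Reports,OU=Groups,DC=example,DC=com",
}


def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515).

    '\\', '*', '(', ')' and NUL become \\5c, \\2a, \\28, \\29 and \\00, so a user
    name taken from the NTLM header cannot alter the structure of the filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def split_ntlm_name(name):
    """'DOMAIN\\user' -> ('DOMAIN', 'user'); a bare 'user' -> (None, 'user')."""
    domain, _, user = name.rpartition("\\")
    return (domain or None, user)


def group_membership_filter(ntlm_name, group_dn):
    """Filter that matches the user object only if it is a (nested) member of group_dn."""
    _, user = split_ntlm_name(ntlm_name)
    return ("(&(objectCategory=person)(objectClass=user)(sAMAccountName=%s)"
            "(memberOf:%s:=%s))"
            % (escape_filter_value(user), MATCHING_RULE_IN_CHAIN, escape_filter_value(group_dn)))


def is_authorized(member_of, function):
    """Decide access from the memberOf values the directory returned for the user.

    DNs are compared case-insensitively; other DN normalisation is left out here."""
    wanted = FUNCTION_TO_GROUP[function].lower()
    return any(dn.lower() == wanted for dn in member_of)


if __name__ == "__main__":
    print(group_membership_filter("CORP\\j.doe", FUNCTION_TO_GROUP["admin_pages"]))
    # Parentheses and wildcards in the input come out escaped and stay inert:
    print(group_membership_filter("CORP\\j.doe)(objectClass=*", FUNCTION_TO_GROUP["admin_pages"]))
```

The search itself would be run with the filter against the global catalog using the user's sAMAccountName; the memberOf values it returns are what is_authorized compares against the table, which is the one table the reply says you then need.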
Similar Messages
-
Regd: UAL (user access list) access assumptions
Hi All,
We are using UAL (user access list) in our application, and during that we have come up with some queries regarding the access.
We are using PS3 and we are testing this from the web.
Assume that User1 is coming with (RWDA) and User2 with (RWD) access on the particular Security Group (SG) for which we have enabled the ACL.
Creation
1. User1 has created a folder with user2 being added under ACL and given (RWDA), with the author metadata field being entered as user1.
a) user2 will not be able to add new content directly, as he is getting the following error: (Content item <undefined> was not successfully checked in. You have insufficient privileges to assign the content item to user 'test1')
b) user2 can create a folder inside user1's folder and can create content under it.
2. If user1 has created a folder with user2 being added under ACL and given (RWDA) access, with the author field being left blank:
a) user2 will be able to create the content as well as a folder under the user1 folder itself.
Deletion
1. user2 can delete any content item in the above scenarios, as his effective permission would be the intersection of (RWD) from UCM and (RWDA) from UAL, irrespective of the author field of who created it.
Now the point is:
When user2 can't create the content when the author field is set, then how can he delete the content?
Ideally user2 should be able to add the content as well, as he is granted (RWDA) permission on that particular folder.
Can you please tell us if we are missing something?
Thanks,
Yashwanth
OK I have just read your scenario and the ACL security is working correctly/as designed.
Permissions granted via ACL and security group DO NOT override one another. The user will get the resulting INTERSECTION of the two.
SO in this case you describe that the user has RWDA permissions set via the ACL and has RWD permissions on the Security Group to which the ACL applies.
This means the user has RWD permissions on this resource!
So quite simply they can delete as they are allowed to BUT can not 'check in as another user' in the dDocAuthor field as this requires Admin privileges.
Please ask if you have further Q's
Hope that helps
Tim
Edited by: Tim Snell on 12-Apr-2011 03:30
Corrected UNION to INTERSECTION - how embarrassing! ;-) -
Best way to handle user access levels with spring.
I'm a Spring newb, and I'm not sure how to properly handle user access levels with a validation controller. There seems to be a lot of information out there about creating simple login validators, but like I've said I need to create multiple levels of user access. I could throw something together, but I want to do it correctly. Does anyone here have any links to resources or information they could provide?
ZimmerS1337 wrote:
SoulTech aren't you a smart ass, why post anything at all?
You don't get to control what people post, any more than we can control what people ask. It's best to let stuff roll off your back.
ST wasn't exactly abusive. If you had typed "spring security" into Google, you would have gotten exactly what I recommended. So why would you say that his advice to try Google first was being a "smart @ss"? It's actually a good recommendation. Try it before you post here.
Extended access list with multiple ports
Hello All,
I have a problem with my Cisco Catalyst 4503-E when I try to configure extended access lists with multiple ports.
I receive the following message:
The information on my switch is the following:
Cisco IOS Software, Catalyst 4500 L3 Switch Software (cat4500-IPBASE-M), Version
12.2(52)SG, RELEASE SOFTWARE (fc1)
Please help me to resolve this problem.
Best regards.
Thank you Alex for your response.
Yes, this is an example:
permit tcp 192.168.1.0 0.0.0.255 host 192.168.2.1 eq 135 389 636 445 3268 3269 domain 88
I have more ACLs and each ACL contains more conditions with multiples Por -
Access list with multiple object groups
Hello Everyone,
I am using a Cisco ASA 5525 with 8.6 code. I am trying to set up an access list for outbound access, meaning hosts accessing the internet. I have created an access list called outbound_access and did "access-group outbound_access in interface inside".
I am trying to use object-groups wherever I can. Here is an example.
object-group service obj_Meraki_outbound
service-object tcp destination eq 443
service-object tcp destination eq 80
service-object tcp destination eq 7734
service-object tcp destination eq 7752
service-object udp destination eq 7351
object-group network obj_Meraki_lan
network-object 10.2.11.0 255.255.255.240
network-object 10.5.11.0 255.255.255.240
object-group network obj_Meraki_pub
des This group lists all hosts associated with Meraki.
network-object host 64.156.192.154
network-object host 64.62.142.12
network-object host 64.62.142.2
network-object host 74.50.51.16
network-object host 74.50.56.218
I have tried tying all these groups together in multiple ways but cannot figure out how to do this. This is what I think it should be: "access-list outbound_access extended permit object-group obj_Meraki_outbound object-group obj_Meraki_lan object-group obj_Meraki_pub"
What I want is to use the service objects, with the source network being obj_Meraki_lan and the destination being obj_Meraki_pub. It seems the rules completely change when you use object groups. Can someone explain this, maybe with a few examples? I am already using object groups in many ACLs but not for every element.
Thanks
Hi,
Seems to work on my test ASA
Attached it to my current LAN interface.
ASA(config)# packet-tracer input LAN tcp 10.2.11.1 12345 64.156.192.154 80
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 WAN
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outbound_access in interface LAN
access-list outbound_access extended permit object-group obj_Meraki_outbound object-group obj_Meraki_lan object-group obj_Meraki_pub
object-group service obj_Meraki_outbound
service-object tcp destination eq https
service-object tcp destination eq www
service-object tcp destination eq 7734
service-object tcp destination eq 7752
service-object udp destination eq 7351
object-group network obj_Meraki_lan
network-object 10.2.11.0 255.255.255.240
network-object 10.5.11.0 255.255.255.240
object-group network obj_Meraki_pub
description: This group lists all hosts associated with Meraki.
network-object host 64.156.192.154
network-object host 64.62.142.12
network-object host 64.62.142.2
network-object host 74.50.51.16
network-object host 74.50.56.218
Additional Information:
access-list outbound_access line 1 extended permit tcp 10.2.11.0 255.255.255.240 host 64.156.192.154 eq www (hitcnt=1) 0x4d812691
I have also used such a configuration in some special cases where the customer has insisted on allowing specific TCP/UDP ports between multiple networks. And nothing is stopping you from adding ICMP into the "object-group service" also.
- Jouni -
Configuring Extended Access List with Any statement
I have several questions where I'm fuzzy on a configuration already on my network. Whoever set up my network before me just put the same access-lists on all the interfaces at three different locations:
1. Are extended access-lists always source then destination? Like in the following statement:
permit ip host 172.16.4.20 any - Is the source 172.16.4.20 and destination any?
2. Further down though there is:
permit tcp any host 172.16.4.11 eq 443.
In that case is the source any host and the destination 172.16.4.11 ?
This had been placed on an inbound access-list, but 4.11 is not internal to that network, so I don't think that statement is valid.
3. Also, when you do a:
sho ip access-list -
Not many of the line items in that access-list have any counts - does that mean nothing is hitting them, or, like I think, could they be misconfigured?
Thanks!
Show ip access-lists with remarks?
We have a 6509E and use ACLs for our SVIs. When viewing specific ones I use "show ip access-lists NAME", and when finding remarks I have to constantly go back to "show run | b NAME", but it seems clunky. Is there a way to see the view of the first, with the sequence numbers, but also show the remarks that I can only find in the show run?
Ok, I understand that I will have to use the public IP in my ACL on the ADSL-connected interface.
If I obtain a private IP on my ADSL interface from the ISP, then is it the best method to apply the ACL on the LAN interface and assign it as IP ACCESS-GROUP xxx OUT?
And one more question.
I understand the concept of an ACL with one public IP that will be NATed (overloaded). What if I am using multiple public IPs that I will NAT on all of them?
How does this affect my ACLs? Is there a way around this?
Thanks,
George -
Nexus1000v : ip access-list with port range
Hi,
I am configuring an ip access-list policy with a port range on Nexus1000v. I want to block traffic of a VM based on a specific port or port range. The following is the example showing blocking of the RDP service (port 3389) of VM x.x.x.x. But the script blocks all traffic of x.x.x.x.
Can anybody verify the script and tell what's the problem with the script?
VM x.x.x.x is on Veth2
config t
ip access-list Veth2_rc_vmfw_acl_in
deny tcp any host x.x.x.x eq 3389
exit
ip access-list Veth2_rc_vmfw_acl_out
deny tcp host x.x.x.x any eq 3389
exit
interface Veth2
ip port access-group Veth2_rc_vmfw_acl_in in
ip port access-group Veth2_rc_vmfw_acl_out out
exit
exit
Thanks
License? Check Data Features
-
Transmission - Web Page user access
Hello,
Is it a known limitation that only the Admin user can log on to the Transmission app web page on a PX6-300D box running the latest LifeLine 4.1 as of this post date?
I would very much appreciate it if users or selected user groups could also have access to the Transmission app web page, or to know if this can be done at the moment.
Regards,
Pavit
Hello Pavit
To access the Transmission feature you would need to be able to access the admin management pages. Currently there is not a way to access Transmission by any non-admin level users.
Help is appreciated
In Pages Preferences, Autocorrection Preferences, turn off Automatically Detect Lists. That should stop the unwanted behavior.
Jerry -
Hello,
Can someone explain to me why we use access lists in an MPLS cloud that uses IBGP? I thought for the most part access lists were used on firewalls, not routers running BGP. Do we even need access lists with BGP; can't BGP work without access lists? What are the reasons for having access lists on a router for IBGP in an MPLS cloud?
Thanks,
The only way to get access to your network is if the ISP misconfigures so that another company gets access to your IP networks by mistake, or if someone gets access to a PC on the inside and can reach the networks from there. It could happen if someone accidentally downloads an e-mail attachment or something like that.
It all depends on how critical the traffic is. If it's a bank there could be regulations in place that demand that all traffic is encrypted even if it is supposed to be private. If you compare it to a leased line, it's also secure as long as someone doesn't get access to it. So MPLS is like a virtual leased line in comparison.
Daniel Dib
CCIE #37149
I am trying to retrieve a user access list for the following t-codes:
Financial Reporting:
FS00 – general ledger accounts
OB52 – Close accounting periods
Fixed Assets:
AS01
AS02
ABZON
ABAVN
If we run it just by t-code, the access list is incorrect. Can anyone suggest a different way to retrieve a correct user list, such as what authorization objects, etc., I should specify when running each t-code?
Thanks
Raja
You can check table AGR_1251 with object S_TCODE...
In field "value" enter the t-codes.
This works as long as you haven't defined a "from-to" authorisation for S_TCODE in your roles.
Edited by: Markus Roth on Nov 1, 2011 7:53 PM -
Hello Everyone,
I am trying to create an access-list on my core switch, in which I want to allow a few internet websites and block the rest of them.
I want to allow the whole intranet, but a few intranet websites also need access to the internet.
Can we create such an access-list with the above requirement?
I tried to create the ACL on the switch, but it blocks the whole internet access.
I want to do it for a subnet, not for a specific IP.
Can someone help me in creating such an access list?
Thanks in Advance
The exact syntax depends on your subnets and how they connect to the Internet. If you can share a simple diagram that would be much more informative.
In general, just remember that access-lists are parsed from the top down, and as soon as a match is found, processing stops. So you put the most specific rules at the top. Also, once you add an access-list, there is an implicit "deny any any" at the end.
The best approach is to create some network object-groups and then refer to them in your access list. From your description, that would be something like three object-groups: one for the Intranet (intranet), one for the allowed servers that can use the Internet (allowed_servers), and a third for the permitted Internet sites (allowed_sites).
You would then use them as follows:
ip access-list extended main_acl
 ! object-group ACEs need the protocol keyword first, then source, then destination;
 ! applied inbound on the SVI, the source is the hosts on the VLAN
 permit ip any object-group intranet
 permit ip object-group allowed_servers object-group allowed_sites
interface vlan
 ip access-group main_acl in
More details on the syntax and examples can be found here:
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_acl/configuration/15-2mt/sec-object-group-acl.html#GUID-BE5C124C-CCE0-423A-B147-96C33FA18C66 -
Need to know where I can view ACL denies regarding "access-list deny any log"?
I ask this question in the context of an SNMP access list. I am guessing that this line of config (access-list deny any log) will allow you to see which addresses were denied SNMP access.
I need to know where I can view the source addresses from which the packets were dropped. Could this be just in sh log? Thanks in advance for any help. Cheers
Hi,
Yes, with an extended access-list with the last line:
deny ip any any log
with "sh log" you can see the source address of the packets being dropped.
Take note that you must be at least at logging level 6 (informational); by default console and monitor are at level 7 (debugging):
logging console debugging
logging monitor debugging
With older IOS versions (before at least 12.4) you had to add the following lines at the bottom of the acl:
access-list 101 deny tcp any range 0 65535 any range 0 65535 log
access-list 101 deny udp any range 0 65535 any range 0 65535 log
access-list 101 deny icmp any any log
access-list 101 deny ip any any log
to log the sources and destinations IPs and port numbers.
Best Regards,
Pedro Lereno -
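As an added example, not code from this thread, here is a small Python parser that does what the reply says "sh log" lets you do by eye: pull the denied source addresses (and, for extended entries, protocol and ports) out of the %SEC-6-IPACCESSLOG* messages and total them per ACL and source. The log lines are constructed in the IOS format and use RFC 5737 test addresses; the standard-ACL form (IPACCESSLOGS) is included because SNMP access lists are commonly standard ACLs and carry only the source address.

```python
"""Added example (not from the thread): extracting denied sources from
'show logging' output produced by ACL entries with the 'log' keyword.
The log below is constructed, not captured from a real device."""
import re
from collections import Counter

# Constructed sample of 'show logging' output.
SAMPLE_LOG = """\
*Apr 12 03:30:01.123: %SEC-6-IPACCESSLOGS: list 10 denied 192.0.2.7 1 packet
*Apr 12 03:30:05.456: %SEC-6-IPACCESSLOGP: list 101 denied udp 192.0.2.7(51234) -> 10.0.0.5(161), 1 packet
*Apr 12 03:30:09.789: %SEC-6-IPACCESSLOGP: list 101 denied tcp 198.51.100.9(40000) -> 10.0.0.5(22), 3 packets
*Apr 12 03:31:00.000: %SEC-6-IPACCESSLOGDP: list 101 denied icmp 192.0.2.7 -> 10.0.0.5 (8/0), 1 packet
*Apr 12 03:31:02.000: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 10.0.0.8(33000) -> 10.0.0.5(443), 1 packet
*Apr 12 03:35:00.000: %SYS-5-CONFIG_I: Configured from console by admin
"""

IP = r"\d{1,3}(?:\.\d{1,3}){3}"

# Extended ACL messages: IPACCESSLOGP (tcp/udp with ports), IPACCESSLOGDP (icmp with
# type/code), IPACCESSLOGNP (other IP protocols).
EXTENDED_RE = re.compile(
    r"%SEC-6-IPACCESSLOG(?:P|DP|NP): list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<src>" + IP + r")(?:\((?P<sport>\d+)\))? -> "
    r"(?P<dst>" + IP + r")(?:\((?P<dport>\d+)\))?(?: \((?P<icmp>\d+/\d+)\))?, "
    r"(?P<count>\d+) packets?")
# Standard ACL messages (IPACCESSLOGS) carry only the source address.
STANDARD_RE = re.compile(
    r"%SEC-6-IPACCESSLOGS: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<src>" + IP + r") (?P<count>\d+) packets?")


def parse_acl_log_line(line):
    """Return a dict for an ACL log message, or None for unrelated log lines."""
    m = EXTENDED_RE.search(line)
    if m:
        rec = m.groupdict()
    else:
        m = STANDARD_RE.search(line)
        if not m:
            return None
        rec = dict(m.groupdict(), proto=None, sport=None, dst=None, dport=None, icmp=None)
    rec["count"] = int(rec["count"])
    for key in ("sport", "dport"):
        if rec[key] is not None:
            rec[key] = int(rec[key])
    return rec


def denied_sources(log_text):
    """Sum denied packets per (ACL, source address), the view the question asks for."""
    totals = Counter()
    for line in log_text.splitlines():
        rec = parse_acl_log_line(line)
        if rec and rec["action"] == "denied":
            totals[(rec["acl"], rec["src"])] += rec["count"]
    return totals


if __name__ == "__main__":
    for (acl, src), packets in sorted(denied_sources(SAMPLE_LOG).items()):
        print("list %-4s denied %-15s %d packet(s)" % (acl, src, packets))
```

The packet counts are whatever the device wrote into the message, so the totals reflect IOS's own log summarisation rather than every individual packet; for the question's purpose (which sources are being refused SNMP access) that is sufficient.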
Convert named access list to line numbers
I printed out a document months ago which has since then disappeared into my mountains of paperwork. Somewhere in that document listed a command that converted an extended, named access list to one with line numbers. I even recall that you could input the line interval into the conversion process (so lines would be 5,10,15 etc or 10,20,30 etc).
I just upgraded a 6509, and I'm ready to put line numbers in my access list, and can't find the command - a new Cisco search is coming up empty. Can anyone recall what the command is?? Again, it's for converting an existing access-list with no line numbers to one with line numbers.
Thank you!
Hi Emily,
I guess this is what you are looking for. I have not tried it myself but would like to test it out.
1. enable
2. configure terminal
3. ip access-list resequence access-list-name starting-sequence-number increment
4. ip access-list {standard | extended} access-list-name
5. sequence-number permit source source-wildcard
or
sequence-number permit protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [log] [time-range time-range-name] [fragments]
6. sequence-number deny source source-wildcard
or
sequence-number deny protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [log] [time-range time-range-name] [fragments]
7. Repeat Step 5 and/or Step 6 as necessary, adding statements by sequence number where you planned. Use the no sequence-number command to delete an entry.
8. end
9. show ip access-lists access-list-name
This link should help:
http://www.cisco.com/en/US/products/sw/iosswrel/ps1838/products_feature_guide09186a0080134a60.html
regards,
-amit singh
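As an added example that belongs to none of the threads above, the Python below is a toy evaluator for extended ACL entries with object-groups. It models the behaviour several replies on this page state: the ASA object-group entry is written as service, source, destination (Jouni's packet-tracer thread); source comes before destination in an extended entry (the "Any statement" question); entries are walked top-down, the first match wins, and an implicit "deny ip any any" catches everything else (the core-switch answer); and resequencing simply renumbers entries in place order (Amit's steps). Object-group names and addresses are constructed, prefixes are written as CIDR rather than IOS wildcards or ASA netmasks, and the hit counter stands in for the per-line counts of "show ip access-lists".

```python
"""Added example (not code from any thread): a toy evaluator for extended ACL
entries with object-groups. Names, addresses and the ACL itself are constructed."""
import ipaddress
from collections import Counter

# Constructed network object-groups (name -> CIDR prefixes).
NETWORK_GROUPS = {
    "lan": ["10.2.11.0/28", "10.5.11.0/28"],
    "meraki_pub": ["64.156.192.154/32", "64.62.142.12/32"],
    "allowed_servers": ["10.2.11.5/32"],
    "allowed_sites": ["203.0.113.10/32"],
}
# Constructed service object-group: (protocol, destination port) pairs.
SERVICE_GROUPS = {
    "outbound_svc": {("tcp", 443), ("tcp", 80), ("udp", 7351)},
}

# An entry is (sequence, action, service, source, destination): source before destination.
OUTBOUND_ACL = [
    (10, "deny", "tcp eq 3389", "any", "any"),
    (20, "permit", "object-group outbound_svc", "object-group lan", "object-group meraki_pub"),
    (30, "permit", "ip", "object-group allowed_servers", "object-group allowed_sites"),
]


def _networks(spec):
    """Resolve 'any', 'host A.B.C.D', 'object-group NAME' or a CIDR to ip_network objects."""
    if spec == "any":
        return [ipaddress.ip_network("0.0.0.0/0")]
    if spec.startswith("host "):
        return [ipaddress.ip_network(spec.split()[1] + "/32")]
    if spec.startswith("object-group "):
        return [ipaddress.ip_network(n) for n in NETWORK_GROUPS[spec.split()[1]]]
    return [ipaddress.ip_network(spec)]


def _service_matches(spec, proto, dport):
    """'ip' matches everything; 'tcp' matches the protocol; 'tcp eq N' also checks the
    destination port; 'object-group NAME' checks (proto, dport) membership."""
    if spec == "ip":
        return True
    if spec.startswith("object-group "):
        return (proto, dport) in SERVICE_GROUPS[spec.split()[1]]
    parts = spec.split()
    if parts[0] != proto:
        return False
    return len(parts) < 3 or (parts[1] == "eq" and int(parts[2]) == dport)


def evaluate(acl, proto, src, dst, dport=None, hits=None):
    """Walk the ACL top-down; the first matching entry decides.

    Returns (action, sequence). Traffic that matches no entry gets ('deny', None),
    the implicit deny at the end. If a Counter is passed as hits, it plays the role
    of the per-line hit counts 'show ip access-lists' displays."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for seq, action, service, src_spec, dst_spec in acl:
        if (any(s in n for n in _networks(src_spec))
                and any(d in n for n in _networks(dst_spec))
                and _service_matches(service, proto, dport)):
            if hits is not None:
                hits[seq] += 1
            return action, seq
    if hits is not None:
        hits[None] += 1
    return "deny", None


def resequence(acl, start=10, step=10):
    """Renumber entries keeping their order, like 'ip access-list resequence NAME start step'."""
    return [(start + i * step,) + entry[1:] for i, entry in enumerate(acl)]


if __name__ == "__main__":
    hits = Counter()
    for pkt in [("tcp", "10.2.11.1", "64.156.192.154", 80),
                ("tcp", "10.2.11.1", "64.156.192.154", 3389),
                ("icmp", "10.2.11.1", "64.156.192.154", None),
                ("udp", "10.2.11.5", "203.0.113.10", 53)]:
        print(pkt, "->", evaluate(OUTBOUND_ACL, *pkt, hits=hits))
    print("hit counts (None = implicit deny):", dict(hits))
```

Two things the demo makes visible that the threads only describe: ICMP from the LAN falls through to the implicit deny because the service object-group lists no ICMP entry (Jouni's closing remark), and an entry whose hit count never moves is either never reached because an earlier entry matches first or never matched at all, which is exactly the ambiguity the 6509 question raises.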