ARD 2.2 Allows Unauthorized User Screen to be Viewed

My friend with ARD 2.2 wanted to try connecting to my Mac.
I set up an account for him and set up Sharing/Apple Remote Desktop such that only his special account User had ARD privileges (including Observe and Control).
I switched users to his special account. He entered my IP and we spent a half hour getting it working and we were quite proud of ourselves. He disconnected his control session. I switched users back to my normal account (which was NOT on the list of Users for ARD to access). As soon as I did this his ARD Master List showed the new user. He double clicked and saw my screen -- which I think should have been private.
Is this a bug? We reproduced it to another Mac in his house. This is very discouraging -- the Sharing/Services/Apple-Remote-Desktop/Access-Privileges dialog gives a false sense of security!

I understand the administrator's desire to be able to administer the machines. And I realize that ARD is primarily aimed at system administrators. However, I'd like to make two observations. The first one is pretty simple, the second one is, I think much more important.
1) A feature like the one Brad describes would be useful, just not useful to the typical system administrator in a business for their typical scenario.
2) The user interface presented in the Apple Remote Desktop Access Privileges pane is very misleading. The paradigm of the Mac is user-centric. By that measure, the UI suggests that each user on the computer can enable or disable remote administration features. The implied behavior (contrary to actual behavior) is that you turn on remote administration for particular users and that the remote administrator is allowed to do the specified things to that user's account. This is a misleading user interface choice and should be fixed. I also don't think it would be very hard to fix. For example, if they appended "for any account" or "to any account" or "any account" to the end of each of the items. The items currently read:
Generate reports
Open and quit applications
Change settings
Delete and replace items
Send text messages
Restart and shut down
Copy items
Observe
Control
Show when being observed
They would become:
Generate reports under any account
Open and quit applications for any account
Change settings for any account
Delete and replace items under any account
Send text messages by any account
Restart and shut down under any account
Copy items
Observe any account
Control any account
Show when being observed

Similar Messages

  • Privilege to allow a user to create a view in another user's schema

    Hello,
    I need to allow a user to create a view in another user's schema.
    Say, to connect as USER_A and run statement: 'create view USER_B_SCHEMA.myview as select...'
    Is there any way to accomplish that without granting USER_A privilege to CREATE ANY VIEW? I want to keep USER_A at the lowest profile possible.
    Thanks!

    You have the option to create a stored procedure; here is a test case (not optimized, not bug free):
    SYS@orcl > create user sp_owner identified by sp_owner;
    SYS@orcl > grant create any view to sp_owner;
    SYS@orcl> create procedure sp_owner.create_view (
      2  view_name varchar2, view_sql varchar2 ) is
      3  begin
      4    execute immediate 'create view '||view_name||' as '||view_sql;
      5  end;
      6  /
    Procedure created.
    SYS@orcl > create user test identified by test;
    SYS@orcl > grant create session to test;
    SYS@orcl > grant execute on sp_owner.create_view to test;
    TEST@orcl> execute sp_owner.create_view('scott.emp_vw','select * from scott.emp')
    PL/SQL procedure successfully completed.
    HTH
    Enrique
    PS. If your problem was solved, consider marking the question as answered.
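
An added example, not part of the answer above and not Oracle's own code: a hardened variant of the helper procedure that pins the target schema and validates the view name with DBMS_ASSERT, so that EXECUTE on the helper does not amount to CREATE ANY VIEW. USER_A and USER_B_SCHEMA come from the question; VIEW_HELPER, create_view_in_b, some_table and the password are assumptions.

```sql
-- Added example. Run the setup as a DBA.
-- VIEW_HELPER is a hypothetical, locked account that only owns the procedure.
CREATE USER view_helper IDENTIFIED BY "Placeholder_Passw0rd" ACCOUNT LOCK;

-- Must be a direct grant: privileges received through roles are not
-- active inside a definer's-rights procedure.
GRANT CREATE ANY VIEW TO view_helper;

CREATE OR REPLACE PROCEDURE view_helper.create_view_in_b (
  p_view_name IN VARCHAR2,
  p_view_sql  IN VARCHAR2
)
AUTHID DEFINER  -- executes with VIEW_HELPER's privileges, not the caller's
IS
  -- The target schema is a constant, never taken from the caller.
  c_target_schema CONSTANT VARCHAR2(30) := 'USER_B_SCHEMA';
  l_name VARCHAR2(130);
BEGIN
  -- Accepts exactly one identifier (plain or double-quoted).
  -- A schema-qualified name such as OTHER_SCHEMA.MYVIEW, or a name with
  -- trailing SQL text, raises ORA-44003.
  l_name := DBMS_ASSERT.SIMPLE_SQL_NAME(p_view_name);

  -- The view body must be a query. NULL is rejected explicitly because
  -- REGEXP_LIKE(NULL, ...) evaluates to NULL, not FALSE.
  IF p_view_sql IS NULL
     OR NOT REGEXP_LIKE(p_view_sql, '^\s*(select|with)\s', 'i')
  THEN
    RAISE_APPLICATION_ERROR(-20001, 'view body must start with SELECT or WITH');
  END IF;

  -- Plain CREATE (no OR REPLACE): an existing view cannot be overwritten.
  -- Privileges on the queried objects are checked against the view owner
  -- (USER_B_SCHEMA), not against VIEW_HELPER or the caller.
  EXECUTE IMMEDIATE
    'CREATE VIEW ' || c_target_schema || '.' || l_name || ' AS ' || p_view_sql;
END create_view_in_b;
/

GRANT EXECUTE ON view_helper.create_view_in_b TO user_a;

-- As USER_A (some_table is a hypothetical table owned by USER_B_SCHEMA):
--   EXEC view_helper.create_view_in_b('MYVIEW', 'select * from some_table')
-- creates USER_B_SCHEMA.MYVIEW.
--
--   EXEC view_helper.create_view_in_b('OTHER_SCHEMA.MYVIEW', 'select * from dual')
-- fails with ORA-44003 (invalid SQL name), because the name is qualified.
```

With the test case from the answer, any account holding EXECUTE on sp_owner.create_view can create a view in every schema, which is the CREATE ANY VIEW privilege the question wanted to avoid granting.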

  • Allow PUBLIC users to search and view basic OID data

    Have tried to use the People Search portlet available under Portlet Repository: Administration Portlets: SSO/OID.
    Portlet works fine so long as user is logged in. However, I need to be able to allow ANYBODY to search and return this basic user data.
    Is there a way to do this, either by configuring something or by creating a custom report on a mapped (synonym) table/view???

    Hi Sonia,
    I don't think it's possible with the People Search Portlet - the application that controls the People Search Portlet is the Oracle Delegated Administrative Services & it requires a login via SSO to perform search / update Operations.
    I would suggest that you develop a custom portlet using either PL/SQL or Java ( using simple JNDI ). You can later extend your own application to suit future business needs.
    Regards,
    Sandeep

  • Allowing a User to choose the ALV layout format on selection-screen

    Hi all,
    I would like to know how I can add a parameter to my selection-screen which would allow the User to choose a saved ALV layout format before pressing F8 rather than after. As used in CO15 or MB51.
    Thanks  femi.

    Yes, you can check the program BCALV_TEST_FULLSCREEN_LAYOUT to see how F4 help is to be used.
    Checking the existence of a variant is pretty simple.
    Pass the variant name in the ALV display FM.

  • My MacBook Pro will not allow me to log in at the user screen. It sits frozen and will not prompt me to input my password.

    My MacBook Pro will not allow me to log in at the user screen. It sits frozen and will not prompt me to input my password.

    If the normal restart doesn't work, and you restart on the recovery hard drive, from the choices of things to do window that appears, select Terminal, and in the Terminal window type: resetpassword and then press enter.  You will have a window with the users to choose from to reset the password.  Select the one you want and you will be able to reset the password, double entry of course.

  • How do you use Time Machine to restore a specific users account?  I can't do it from the user screen because I am not allowed.  I can't do it from the admin because I can't see other users in Time machine.

    I can't restore my user account from the users screen because I get an alert that Mac OS needs something.  I can't restore in Time Machine from the Admin screen because I can't see other users' home folders.  What can I do?

    See Pondini's TM FAQs for starters.

  • How to allow multiple users login to a MAC PRO without interruption?

    I have a Mac Pro, which runs Yosemite (2013 module), to be used as a server. However, I have difficulty letting multiple users use the Mac simultaneously.
    Objective:
        One person uses the Mac directly on his desktop, while the others log in remotely through VNC from a PC (Win 7/Linux).
        The users have their own workspace, and they will not interrupt each other.
    What I tried:
        I created two managed accounts on the Mac.
        Account 1 was used to log in directly on the Mac desktop.
        Account 2 was used to log in to the Mac from a PC through VNC. (I also tried this from a CentOS workstation with the Tiger VNC viewer)
    Problem:
    When account 2 is logged in, the location monitor will automatically change to that account as well. Both accounts shared exactly the same screen, mouse & keyboard actions. It is impossible to let multiple users use the Mac Pro simultaneously without interruptions.
    If I use "hdiutil attach" to mount a dmg file through SSH with account 2, the folder will automatically show on the local desktop logged in with account 1.
    Question:
    I read something about the "Per-user screen sharing". It says, "You can remotely log into a Mac with any user account on that computer and control it, without interrupting someone else who might be using the computer under a different login." Is it possible to do this from a PC or Linux client?
    If the problem is simply due to the poor functionality of the built-in VNC service in Yosemite, I would appreciate your help in suggesting some other decent VNC server for Yosemite. I know the Vine Server (OSXvnc), but I failed to install it on the Mac because it is incompatible with Yosemite.
    Is SSH supposed to work this way in OS X? I mean the local account can see the folder mounted by another account through SSH.
    Is any specific version of Yosemite required to allow multiple users to access a Mac simultaneously? Just as Win 7 Professional allows only one user to log in at a time. But with the remote desktop server of Windows, multiple users are able to use the same computer at the same time without any problem.
    If you are familiar with any of the above questions, please help. Any comments and suggestions are appreciated.
    I know the best way to get the solution is to call Apple support directly. However, it is really not easy to call them, because it always results in a long waiting time, and then the person who picks up the phone will transfer my call to an expert who will make me describe the problem again.
    Since I'm not interested in the technical details of all the problems, I would also be grateful if you would provide direct instructions to let me set up the computer for the purpose.
    Thank you very much for your kind help.

    I cannot help with the screen sharing, although I have just tried it with a RealVNC client on an iPad and it seemed to work OK.
    However, on the disk showing on all users' desktops, have you unchecked the "ignore ownership on this volume" check box? You can check the drive's permissions with the CMD i command.

  • Unauthorized User can see the aggregated result?

    Dear all,
    I have a problem: an unauthorized user can see the aggregated result.
    e.g. A user who is allowed to read data of Sales Office (0SALES_OFF) 0001 only. (It is done in the RSECADMIN already)
    Now a cube contains Sales records of Sales office 0001 & 0002 :
    Sales Office 0001  Sales Value 3000
    Sales Office 0002  Sales Value 2000
    When the user executes a query from the cube without any selection criteria, it gives the aggregated Sales Value 5000.
    But if the user tries to drill down for each sales office, it can then give an error, because the user is not supposed to see Sales Office 0002 records.
    What I expect is an error at the very beginning when the user executes the query, saying the cube contains data that the user is not supposed to see, and that the user needs to put in the correct Sales Office as a criterion first.
    Can anyone help with this issue? I have no idea how this can happen.
    Many Thanks!!!
    Chris

    Hi,
    Now I understood your concern correctly. Unfortunately, I do not have prompt answer for you. So, User should be able to view the aggregated result, but not to irrelevant sales office. If you don't have condition on Aggregated Result, restricting to individual Sales Office can be done in RSECADMIN.
    Let's wait for other's opinions.......
    Regards,
    Suman

  • Multi User Screen Sharing

    I recently bought a Mac mini to replace a Win 8 file server and have a question about screen sharing.  I have created 2 users: one is the main account, which I guess is an admin, and 1 user as a standard user.  If I log into the mini as the Main User then screen sharing from a remote computer just logs into this account (mirror of the mini); however, if I log into the mini as the standard user or secondary user then I get an option to share the display or Log in as the main user.  Is there a way I can force this option or behavior if I log into the mini as the main user?  I.e. I would like to have the mini boot into admin automatically and then be able to log in as a user from a remote computer, not affecting the monitor of the main computer.  Is this possible?
    Thanks,
    Matt

    Thanks for the link but I had already read that.  Problem is that when logged into macmini(computer I want to log into from remote machine) as user a when I try to log in from imac it automatically logs in as user a in screen sharing mode!  No option to choose log in as user B or a dialog to choose that option.... It simply starts in screen sharing mode.  I have preferences set to allow all users on macmini.  If I log in as user b on Mac mini then I have the option to choose to log in as user a which is opposite what I am trying to do.  How can I change this behavior?
    Thanks again.

  • Home with multiple user/screen name Mac. ATV can only access the library of the person using the computer? Seems like a HUGE flaw??

    We have a Mac that is set up to allow multiple users with their own log in and settings. (imagine a family of four).  So if my wife sits down at the Mac to work. Then I can't access my iTunes library though the apple tv because my screen name and iTunes has to be shut down!! Seems like a huge oversight in the device?! Is there a way around this? Seems like it makes the apple TV nearly useless unless for a multiple person household.

    Welcome to the Apple Community.
    You don't need to shut down your user account for your wife or anyone else to use their user account.
    If it isn't already set, go to system preferences > Users & Groups > Login Options and check 'Show fast user switching'. Then from the top RH corner of the menu bar you can switch between users at will.
    Keeping a user account logged in should enable its iTunes library on the Apple TV.
    (Note, I've never tried this with non admin accounts)

  • ARD will not authenticate OD users in ard_admin group

    I can successfully control a client with a local account using ARD 3.0, but not with an OD account added to the WGM group ard_admin, ard_reports, etc. I have been successful at times with both OD and Active Directory accounts, but cannot get consistent results and need to add hundreds of Macs to ARD for management.
    I have confirmed the client and server are talking via WGM as I can move the client's dock around using Group/Prefs and changing the Dock display.
    I can even login at the client using the OD user's credentials, but again, from ARD, access is denied using the OD user's credentials.
    ARD simply will not let me manage/generate reports of clients using the OD user credentials, I get 'Authentication failed to "client name"' when I click on Control or Observe. The Client Status column reports Access Denied.
    All clients are running 10.4.6 or better.
    Ultimately, my intent is to use AD users as members of the ard_admin, etc. groups and have successfully done so a few times, but not consistently.
    Am desperate for some guidance and Apple Tech support has recreated the problem once, but can no longer recreate in order to continue working the issue.
    I am wondering if there is a random Kerberos authentication issue going on, but I have even used KB300765 to prevent clients from getting conflicting sources.
    Ideas?

    Here's the fix.
    First from the Remote Desktop application you must create a Client installer (from the ARD File menu). When building the installer be sure to answer the following questions...
    Customized installer. YES
    Remote Desktop Startup; YES
    Show ARD Menu: Your choice
    Create Users?: No
    Enable directory-based Administration: YES (what was necessary for me to get working)
    Specify access privileges: Your choice
    Other settings are your option...
    Save the new Client installer.
    Secondly, move it to your clients and run it. If necessary, this will upgrade your clients' ARD client software and open the door for AD/OD Administration access.
    I couldn't find this documented anywhere. I would have thought the necessary "Enable Directory-Base Administration" would have been in the client's ARD Access Privileges screen somewhere.
    G5 Xserve   ARD 3.0 Mac OS X (10.4.7)  

  • Compiz starting with GDM allowing multiple users

    When i start compiz after login I've got slow GDM when changing user and
    white screen after second login.
    So there's no way to launch compiz and support two different sessions?
    Or can I start compiz together with gdm and not individually for each user?

    RAGHAVENDRA HARI N wrote:
    Allowing multiple users to receive Ibot in OBIEE-11g without specifying email addresses.
    How to use S A System subject area in OBIEE-11g
    How to specify condition in Ibot of OBIEE-11G
    You can use the SA System subject area after you set it up by following the documentation link provided below. It could be used in OBIEE Delivers which enables contact information, such as e-mail addresses to be retrieved from a database and used as delivery devices in Delivers instead of having the users manually set up their own delivery device.
    Here is the link to the documentation on how to setup SA system subject area in OBIEE 11g:
    http://docs.oracle.com/cd/E14571_01/bi.1111/e10541/sa_system.htm
    You can set the condition in the condition tab which is the 3rd one I suppose.

  • [SOLVED] Would like to allow a user to remotely reboot my box [SOLVED]

    Hello,
    Here's my problem, I've got two boxes gypsy and crow and gypsy has a habit of having the display lockup, I don't think the system is completely locked up so I'm pretty sure I can ssh and reboot it (since I set up ssh on gypsy, the box hasn't actually locked up, though, so I don't know for sure)
    Because I'm paranoid, I don't want to allow ssh into gypsy to do anything BESIDES reboot, so I'm interested in what's the best way to implement this.  I could stick the reboot command into .bash_profile for my dedicated reboot user, but if you're fast enough w/ ^c you (where you are, presumably, automated cracking software) could, conceivably, kill the process before it's done running, and end up logged in.
    This is going to be continued in a browser that isn't links.
    Edit: Continued:
    So I tried writing a shell script
    #!/bin/bash
    sudo reboot
    and using that script as the login shell for the dedicated reboot user ("rebooter"), but I would get a permission denied error when I tried to login as the user then.  (My sudoers file allows the user "rebooter" to run reboot w/o a passwd).  So it seems like in principle you could make this work, I'm just doing something wrong.
    But this raises another question, could I still manage to login to bash by interrupting this script?  I don't think so, because in this instance bash is not running interactively, please tell me if I'm wrong.
    Is there maybe a better way to set this up?  Maybe there's something I can do with the config to sshd to force login by the "rebooter" to force a reboot? 
    I guess there might also be some way for me to set things up with chroot so that if you managed to login as "rebooter" you couldn't do anything meaningful besides reboot anyway, but I haven't looked into this yet.  If this is the best answer, go ahead and tell me to rtfm, but first I'd like to know if there's a simpler solution.
    Last edited by pseudonomous (2008-09-27 00:57:23)

    carlocci wrote:
    you could change the user shell to something like this
    carlocci:x:1000:100:sig. carlocci,,,:/home/carlocci:/usr/bin/sudo shutdown now -r
    or
    carlocci:x:1000:100:sig. carlocci,,,:/home/carlocci:/bin/bash -c sudo shutdown now -r
    I tried this, and it didn't work, I think it gave me "permission denied" errors, so I wonder if I got the syntax wrong.  what I was doing was using "usermod -s " to try and change the shell and I was confused as to how to properly put the white space in you need to run the command "sudo reboot".
    Thanks, everybody, for your suggestions, I will look more into an ssh key-based authentication.  I don't really want to run webmin because I don't need to do any remote administration besides rebooting, so webmin seems like overkill.   I will report back after trying to set this up.
    When I say "display locks up" I mean that, for some reason, either after boot or after I end a window manager session, my screen turns black and it looks like X is trying to restart but failing (there's a change in the shading on my monitor I associate with that)  hitting control alt backspace doesn't help and trying to switch to one of the consoles doesn't work either.  But I don't think the system is dead because I can toggle numlock and scrolllock on and off.  (Which doesn't work when X completely freezes)  I can't replicate this behavior on demand, it seems to occur more or less randomly.

  • In ALV Report ,a field to allow the user EDIT/CHANGE

    Hi Guys,
    My requirement is
    In the ALV Grid display I am having 10 fields. The 5th field should allow the user EDIT/CHANGE mode.
    Whatever value he enters, the same should be updated to a custom table.
    EX.
    o/p:
    0001   0002   0003   0004   0005   0006   0007  0008   0009   0010
    Now the user changed the value 0005 to 0011.
    0001   0002   0003   0004   0011   0006   0007  0008   0009   0010
    now 0011 should be updated in custom table.
    to do this process please suggest a best way for coding.
    thanks in advance.
    Sunil.

    hi
    *& Report  ZTESTDEMO_INTERACTIVE_LIST_2
    REPORT  ZTESTDEMO_INTERACTIVE_LIST_2.
    TABLES: MARA,MARC,MARD.
    * internal table itab_mara 3 fields matnr, ernam,mtart
    DATA: BEGIN OF ITAB_MARA OCCURS 0,
    MATNR LIKE MARA-MATNR,  " material number
    ERNAM LIKE MARA-ERNAM,  " name of person who create
    MTART LIKE MARA-MTART,  " Material Type
    END OF ITAB_MARA.
    * internal table itab_marc 3 fields matnr, werks,lvorm
    DATA: BEGIN OF ITAB_MARC OCCURS 0,
    MATNR LIKE MARC-MATNR,
    WERKS LIKE MARC-WERKS,  " Plant
    LVORM LIKE MARC-LVORM,  " Flag Material for Deletion at Plant Level
    END OF ITAB_MARC.
    * internal table itab_mard 2 fields
    DATA: BEGIN OF ITAB_MARD OCCURS 0,
    MATNR LIKE MARD-MATNR,
    LGORT LIKE MARD-LGORT,  " Storage Location
    END OF ITAB_MARD.
    SELECT-OPTIONS: S_MTART FOR MARA-MTART.
    INITIALIZATION.
    S_MTART-LOW = 'HALB'.
    S_MTART-HIGH = 'HAWA'.
    S_MTART-OPTION = 'BT'.
    APPEND S_MTART.
    START-OF-SELECTION.
    SELECT MATNR ERNAM MTART FROM MARA INTO TABLE ITAB_MARA WHERE MTART IN
    S_MTART.
    PERFORM DISPLAY.
    TOP-OF-PAGE.
    WRITE:/2(15) 'MATERIAL NO',20(20) 'CREATED BY',45(15) 'MATERIAL TYPE'.
    FORM DISPLAY.
    LOOP AT ITAB_MARA.
    WRITE:/ ITAB_MARA-MATNR UNDER 'MATERIAL NO' HOTSPOT ON,ITAB_MARA-ERNAM
    UNDER 'CREATED BY',ITAB_MARA-MTART UNDER 'MATERIAL TYPE'.
    HIDE: ITAB_MARA-MATNR.
    ENDLOOP.
    ENDFORM.
    AT LINE-SELECTION.
    CASE SY-LSIND.
    WHEN 1.
    SELECT MATNR WERKS LVORM FROM MARC INTO TABLE ITAB_MARC WHERE MATNR =
    ITAB_MARA-MATNR.
    PERFORM DISPLAY1.
    WHEN 2.
    SELECT MATNR LGORT FROM MARD INTO TABLE ITAB_MARD WHERE MATNR =
    ITAB_MARC-MATNR.
    PERFORM DISPLAY2.
    when 3.
    sy-lsind = 0.
    ENDCASE.
    FORM DISPLAY1.
    LOOP AT ITAB_MARC.
    WRITE:/ ITAB_MARC-MATNR HOTSPOT ON, ITAB_MARC-WERKS,ITAB_MARC-LVORM.
    HIDE: ITAB_MARC-MATNR.
    ENDLOOP.
    WRITE:/ SY-LSIND.
    ENDFORM.
    FORM DISPLAY2.
    LOOP AT ITAB_MARD.
    WRITE:/ ITAB_MARD-MATNR, ITAB_MARD-LGORT.
    ENDLOOP.
    WRITE:/ SY-LSIND.
    ENDFORM.
    regards
    ravish
    plz don't forget to reward points if helpful

  • Allow certain users to capture quotation after bid end date

    Hi
    Is it possible to allow certain users to be able to capture quotation on behalf of suppliers using surrogate bid after the end date has been reached but before the opening date? How would I do this?
    Regards

    Hi
    As the end date and opening date are at the header level common to all bidders/vendors, we cannot manually capture quotation for specific suppliers using surrogate bidding. I don't think there is even a BADI for this.
    Rgds
    Reddy
