Assign personal access list to user in ACS 5.1

Hello.
Is there any way (in ACS 5.1) to assign personal access list to each user instead of assigning it to Authorization profile and Authorization profile to user?
Thanks for any help.

This should be possible.
You need to do the following:
1) Go to System Administration > Configuration > Dictionaries > Identity > Internal Users > Create. Create a user attribute of type string that will store the DACL name. We will call this attribute DACL.
2) When you create a user (Users and Identity Stores > Internal Identity Stores > Users > Create) you will now see the attribute "DACL" that can be created as part of each user record.
3) Create an authorization profile (Policy Elements > Authorization and Permissions > Network Access > Authorization Profiles > Create). In the "Common Tasks" tab, for "Downloadable ACL Name" select the "Dynamic" option followed by "Internal Users", and then select the name of the attribute you selected in step 1).
You can now use this authorization profile as a result in policies. When a user authenticates, the string from the DACL attribute in the user record will be used as the name of the attribute to download.

Similar Messages

  • Problem in Accessing list of users while Provisioning New User in SS

    Hi Experts!!
    I am working on Hyperion Planning applications (Hyperion 9.3.1) & we have externalized user authentication in Shared services. During the process of provisioning new user in Shared Services, the problem occurs when I try to set the application access type as “Essbase & Planning” for the new user.
    To assign the new user as “Essbase & Planning” user type, I need to select the new user from the list of available users which gets displayed on selecting global Analytic Server located under Project directory in Shared Services. However when I click on the analytic server, it shows *“loading”* on the right side screen & hour glass icon can also be seen on the screen. But the list of available users does NOT appear despite waiting for quite some time.
    While I am not able to access it even if I logon to the shared Services directly from the Server using remote access, my USA team can access the list of available users locally from their machine as well as from the server & are able to perform the step. Our server is located in USA & I access it from India. What could be the reason for this difference? Any suggestions/ input from you would be a great help for me in solving this issue.
    Thanks in advance

    Hi Rinku/John ,
    Thanks for your reply. My US team has tried this particular step from their local machine as well as directly from the Server. They were able to see the listbox containing the list of available users & could set the application access type as "Essbase & Planning" for the new user. When I remotely log into the server (using mstsc) I use the IE installed on the server to access Shared Services. My US team also use the same IE when they log into SS directly from the server & are able to perform this step. Hence there should not be any issue with the browser, port or firewall.
    I agree this is a very weird problem because I get stuck only at this step where I have to set the application access type as "Essbase & Planning" for the new user. Everything else is accessible in SS.
    Any suggestion / input would be great help.

  • Access list of user worklist display columns

    Hi all,
    Is anyone aware of a way to access the list of columns a user has selected to display in their work item list?
    Typically the list of columns is simply the project variables, however using the "Add/Remove Columns" link, a user is able to customize the columns being displayed. We are looking for a way to access the list of columns the user is currently looking at through code.
    Any suggestions would be greatly appreciated.
    Thank you!

    Could not understand what you are looking for.
    The list of columns that the user configured to view? Can you elaborate?

  • Virtual telnet/downloadable access lists: acl authorization denied error

    Hello,
    has someone else experienced the same "issue" as described below ? And can someone (Cisco ?) tell whether this is by design, and if so, what the reasoning is behind this ?
    We use virtual telnet for user authentication, when users need to pass traffic through a PIX, and use downloadable access-lists after successful authentication.
    When a user authenticates himself, an error message appears in the virtual telnet window: "error: acl authorization denied".
    And the PIX log shows:
    109005: Authentication succeeded for user 'user1' from <workstation-IP>/2066 to <virtual-telnet-IP>/23 on interface inside
    109015: Authorization denied (acl=#ACSACL#-IP-PIX_ACL-421492f3) for user 'user1' from <workstation-IP>/2066 to <virtual-telnet-IP>/23 on interface inside
    This error message disappears when we add telnet access for the virtual telnet-IP@ in the downloadable access-list on the Cisco ACS. I could not find any reference to this configuration quirk in any document.
    Now, with or without the error, the user can use virtual telnet and everything permitted
    in the downloadable acl without any problem (so why post an error message then ?).
    thanks

    Try to disable authorization and see if this error stops
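The two PIX messages quoted in this thread can be correlated to separate the denial the poster describes (the downloadable ACL rejecting the virtual telnet session itself) from denials of other traffic. This is an added example, not part of the original posts; the addresses, the second user and the `VIRTUAL_TELNET` value are constructed assumptions standing in for the redacted placeholders.

```python
import re
from dataclasses import dataclass

# Constructed sample log: the two message formats quoted in the post, with
# documentation-range addresses in place of the redacted placeholders.
SAMPLE_LOG = """\
109005: Authentication succeeded for user 'user1' from 192.0.2.10/2066 to 192.0.2.200/23 on interface inside
109015: Authorization denied (acl=#ACSACL#-IP-PIX_ACL-421492f3) for user 'user1' from 192.0.2.10/2066 to 192.0.2.200/23 on interface inside
109005: Authentication succeeded for user 'user2' from 192.0.2.11/3011 to 192.0.2.200/23 on interface inside
109015: Authorization denied (acl=#ACSACL#-IP-PIX_ACL-421492f3) for user 'user1' from 192.0.2.10/2070 to 198.51.100.5/3389 on interface inside
"""

# Assumption: the virtual telnet address and port configured on the firewall.
VIRTUAL_TELNET = ("192.0.2.200", 23)

FLOW = (r"for user '(?P<user>[^']+)' from (?P<src>[\d.]+)/(?P<sport>\d+) "
        r"to (?P<dst>[\d.]+)/(?P<dport>\d+) on interface (?P<ifc>\S+)")
AUTH_OK = re.compile(r"109005: Authentication succeeded " + FLOW)
AUTHZ_DENY = re.compile(r"109015: Authorization denied \(acl=(?P<acl>[^)]+)\) " + FLOW)


@dataclass(frozen=True)
class Denial:
    user: str
    acl: str
    dst: str
    dport: int
    kind: str  # "virtual-telnet-self" or "traffic"


def flow_key(m):
    """Identify one connection: user plus source and destination endpoints."""
    return (m["user"], m["src"], m["sport"], m["dst"], m["dport"])


def classify_denials(log_text, virtual_telnet=VIRTUAL_TELNET):
    """Return every 109015 denial, labelled by what was actually denied.

    A denial is "virtual-telnet-self" when the same flow was authenticated
    (109005) just before and its destination is the virtual telnet address:
    the downloaded ACL has no entry permitting telnet to that address.
    Anything else is a denial of real user traffic by the downloaded ACL.
    """
    authenticated = set()
    denials = []
    for line in log_text.splitlines():
        m = AUTH_OK.search(line)
        if m:
            authenticated.add(flow_key(m))
            continue
        m = AUTHZ_DENY.search(line)
        if not m:
            continue
        dst, dport = m["dst"], int(m["dport"])
        if flow_key(m) in authenticated and (dst, dport) == virtual_telnet:
            kind = "virtual-telnet-self"
        else:
            kind = "traffic"
        denials.append(Denial(m["user"], m["acl"], dst, dport, kind))
    return denials


if __name__ == "__main__":
    for d in classify_denials(SAMPLE_LOG):
        print(f"{d.kind:20} user={d.user} acl={d.acl} dst={d.dst}/{d.dport}")
```
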

  • How to get list of users who have access to a SAP module

    Hi,
    We are developing a tool in Java where we will pull the data from various modules in SAP (like Purchase order, Invoice etc). Let's take the Purchase Order Module as an example. I can get the data using BAPIs (like BAPI_PO_GETDETAIL).
    However to implement Authorization, I also want the list of users/groups that have access to Purchase order module. Is this possible? Or can we get the ACL information from the tables in database like EKKO for Purchase order?
    I have tried searching for solution but couldn't find any. Please suggest if there is some standard way by which we can pull the ACL information via Java, or if this can be achieved by some custom RFCs.
    Thanks,
    Anurag

    Anurag,
    The best way is to write an RFC Function Module (it will fetch the roles of the user from the agr_users table) which will take the user id as an import parameter and will give you the assigned roles.
    Please let me know if you still need any further information.
    Thanks,
    Hamendra

  • List EM Users and their access to targets

    Hi,
    We have a requirement to show who has access to Enterprise Manager and what can each person do. Seems simple enough. Still, lol, I cannot find a report or an example of how to do this.
    How do I list all of the administrators in Enterprise Manager (other than taking a screenshot of the 'Administrators' page under Setup), please?
    How do I list each Administrator's privileges by Target?
    Thank you in advance!
    - Beach

    Hello,
    Thank you.
    That gives me a list of users in the Grid Control. How do I determine which targets each user can use, please?
    Now that I know about this table, I will start looking around the schema to see what I can find.
    - Beach

  • VPN filter per remote access user (via ACS)?

    Hello everyone,
    I'm deploying IPSec Remote Access VPN for my company. I have Cisco ASA 5540 (8.0.4) and Cisco Secure ACS. I have successfully configured the system with authentication by ACS.
    The question is, I want to apply filter policy for per user. I know that there's a method called vpn-filter. If I use local authentication, I can apply ACL to user attribute.
    eg.
    access-list 103 extended permit tcp 10.1.49.2 255.255.255.0 host 10.1.1.10 eq 3389
    username testvpn attributes
    vpn-filter value 103
    But users are configured on ACS, so how can I apply the vpn-filter policy to the user? I don't really want to apply vpn-filter to the group-policy.
    Please help me to find a method. Thank you very much.
    Regards,
    Hiep Nguyen.

    Hi,
    I think this is what you are looking for
    http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080a9eddc.shtml
    You will need to setup the IETF like this
    filter-id=acl_name
    There is a good example right there (better than mine) let me know how it goes.
    Mike

  • Regd:UAL(user access list) access assumptions

    Hi All,
    We are using UAL(user access list) in our application and during that we have come up with some queries regarding the access.
    we are using ps3 and we are testing this from web
    Assume that User1 is coming with (RWDA) and User2(RWD) access on the particular Security group(SG)for which we have enabled the ACL
    Creation
    1.User1 has created a folder with user2 being added under ACL and given (RWDA) with author metadata field being entered as user1.
    a) user2 will not be able to add the new content directly as he is getting the following error(Content item <undefined> was not successfully checked in. You have insufficient privileges to assign the content item to user 'test1')
    b)user2 can create a folder inside user1 folder and can create content under it.
    2.If user1 has created a folder with user2 being added under ACL and given (RWDA) access with author field being left blank.
    a)user2 will be able to create the content as well as folder under the user1 folder itself.
    Deletion
    1. user2 can delete any content item in the above scenarios, as his effective permission would be the intersection of (RWD) from UCM and (RWDA) from UAL, irrespective of the author field and who has created it.
    Now the point is
    When user2 can't create the content when the author field is set, how can he delete the content?
    Ideally user2 should be able to add the content as well, as he is granted (RWDA) permission on that particular folder.
    Can you please tell us if we are missing something
    Thanks,
    Yashwanth

    OK I have just read your scenario and the ACL security is working correctly/as designed.
    Permissions granted via ACL and security group DO NOT override one another. The user will get the resulting INTERSECTION of the two.
    SO in this case you describe that the user has RWDA permissions set via the ACL and has RWD permissions on the Security Group to which the ACL applies.
    This means the user has RWD permissions on this resource!
    So quite simply they can delete as they are allowed to BUT can not 'check in as another user' in the dDocAuthor field as this requires Admin privileges.
    Please ask if you have further Q's
    Hope that helps
    Tim
    Edited by: Tim Snell on 12-Apr-2011 03:30
    Corrected UNION to INTERSECTION - how embarrassing! ;-)

  • How to find out list of users and their access on Sharepoint

    Hello Everyone
    How can i find out list of users and what access they have on SharePoint site? I want to create table with list of the users and their access?
    Thanks

    you can get the report using below powershell scripts. first one gives list of users in a site collection level.
    The second link generates the permissions reports for each user.
    http://techtrainingnotes.blogspot.com/2010/12/sharepoint-powershell-script-to-list.html
    https://sp2010userperm.codeplex.com/
    My Blog- http://www.sharepoint-journey.com

  • How to find out list of users who have access to particular SID

    HI
    How to find out the list of users who has access, to a particular SID?
    Satish.

    jurjen,
    Thanks for replying. Actually I was trying to navigate and execute the report using SUIM...
    Could you help me to find out the list of users who have access to a particular system, using SUIM?
    satish.

  • How to get list of users who all are having full access in sharepoint site using client object model c#

    Hi,
    I want to fetch the list of users who all are having full access to the sharepoint list using client object model with .Net
    Please let me know if any property for the user object or any other way to get it.
    Thanks in advance.

    Here is the complete code I created some years ago; it lists all groups and users. You can just add a check in the permissions loop to see if it is equal to Full Control.

    using System;
    using System.Net;                   // NetworkCredential
    using System.Windows.Forms;         // ListViewItem, MessageBox
    using Microsoft.SharePoint.Client;  // ClientContext, RoleAssignment, Group, User

    // MyArgs and DoUpdate1/2/3 are the poster's own helpers, not shown in the post.
    private void GetData(object obj)
    {
        MyArgs args = obj as MyArgs;
        try
        {
            if (args == null)
                return; // called without parameters or invalid type
            using (ClientContext clientContext = new ClientContext(args.URL))
            {
                // clientContext.AuthenticationMode = ClientAuthenticationMode.;
                NetworkCredential credentials = new NetworkCredential(args.UserName, args.Password, args.Domain);
                clientContext.Credentials = credentials;
                RoleAssignmentCollection roles = clientContext.Web.RoleAssignments;
                ListViewItem lvi;
                ListViewItem.ListViewSubItem lvsi;
                ListViewItem lvigroup;
                ListViewItem.ListViewSubItem lvsigroup;
                clientContext.Load(roles);
                clientContext.ExecuteQuery();
                // One role assignment per principal (user or group) on the web
                foreach (RoleAssignment orole in roles)
                {
                    clientContext.Load(orole.Member);
                    clientContext.ExecuteQuery();
                    //name
                    //MessageBox.Show(orole.Member.LoginName);
                    lvi = new ListViewItem();
                    lvi.Text = orole.Member.LoginName;
                    lvsi = new ListViewItem.ListViewSubItem();
                    lvsi.Text = orole.Member.PrincipalType.ToString();
                    lvi.SubItems.Add(lvsi);
                    //get the type group or user
                    // MessageBox.Show(orole.Member.PrincipalType.ToString());
                    if (orole.Member.PrincipalType.ToString() == "SharePointGroup")
                    {
                        lvigroup = new ListViewItem();
                        lvigroup.Text = orole.Member.LoginName;
                        // args.GroupsList.Items.Add(lvigroup);
                        DoUpdate1(lvigroup);
                        // Expand the group into its member users
                        Group group = clientContext.Web.SiteGroups.GetById(orole.Member.Id);
                        UserCollection collUser = group.Users;
                        clientContext.Load(collUser);
                        clientContext.ExecuteQuery();
                        foreach (User oUser in collUser)
                        {
                            lvigroup = new ListViewItem();
                            lvigroup.Text = "";
                            lvsigroup = new ListViewItem.ListViewSubItem();
                            lvsigroup.Text = oUser.LoginName;
                            lvigroup.SubItems.Add(lvsigroup);
                            //args.GroupsList.Items.Add(lvigroup);
                            DoUpdate1(lvigroup);
                            // MessageBox.Show(oUser.LoginName);
                        }
                    }
                    RoleDefinitionBindingCollection roleDefsbindings = null;
                    roleDefsbindings = orole.RoleDefinitionBindings;
                    clientContext.Load(roleDefsbindings);
                    clientContext.ExecuteQuery();
                    //permission level
                    lvsi = new ListViewItem.ListViewSubItem();
                    string permissionsstr = string.Empty;
                    // Join the permission level names with ", "
                    for (int i = 0; i < roleDefsbindings.Count; i++)
                    {
                        if (i == roleDefsbindings.Count - 1)
                            permissionsstr += roleDefsbindings[i].Name;
                        else
                            permissionsstr += roleDefsbindings[i].Name + ", ";
                    }
                    lvsi.Text = permissionsstr;
                    lvi.SubItems.Add(lvsi);
                    // args.PermissionsList.Items.Add(lvi);
                    DoUpdate2(lvi);
                }
            }
        }
        catch (Exception ex)
        {
            MessageBox.Show(ex.Message);
        }
        finally
        {
            DoUpdate3();
        }
    }
    Kind Regards, John Naguib Technical Consultant/Architect MCITP, MCPD, MCTS, MCT, TOGAF 9 Foundation

  • Query to find the list of users having access to a particular scenario

    Hi,
    I am learning Hyperion Planning 9.2 x version. I wanted to know the query to find the list of users having access to Plan Iteration - 1 scenario.
    As I am new to Hyperion Essbase and Hyperion Planning, I am assuming these ideas work out to get the desired result.
    1) As Hyperion Planning uses Relational DB to store the User Security information, we can query the list of users who is having access to Plan Iteration - 1 Scenario.
    I am not sure if this solution works. Please correct me If I am wrong.
    2) We can also query from the essbase editor to find out who all having access to this scenario.
    If the above is correct, can you please provide me the query.
    I am really in need of this and I will be happy if anyone provides the solution.
    Thanks & Regards,
    Upendra. Bestha

    Hi,
    If you are looking for some SQL to retrieve the access rights by member then you can use something like (SQL Server code though can easily be modified for Oracle)
    SELECT usr.object_name AS Username,
           mem.object_name AS Member,
           'Access Rights' = CASE acc.access_mode
               WHEN -1 THEN 'None'
               WHEN 1 THEN 'Read'
               WHEN 2 THEN 'Write'
               WHEN 3 THEN 'Write'
               ELSE 'Unknown' END,
           'Relation' = CASE acc.flags
               WHEN 0 THEN 'Member'
               WHEN 5 THEN 'Children'
               WHEN 6 THEN 'Children (inclusive)'
               WHEN 8 THEN 'Descendants'
               WHEN 9 THEN 'Descendants (inclusive)'
               ELSE 'Unknown' END
    FROM hsp_access_control acc, hsp_object mem, hsp_object usr
    WHERE acc.object_id = mem.object_id
      AND acc.user_id = usr.object_id
      AND mem.object_name = 'Plan Iteration - 1'
    Cheers
    John
    http://john-goodwin.blogspot.com/

  • List of users who has access to current community

    Hi,
    Is there an API which provides list of users who have access to current community in ALUI? Will there be huge performance impact in retrieving the list of all users who have access to current community?
    Thanks
    Sampath

    Sorry,
    I am not quite following you..
    Users can only view a community if the permissions exist for that specific community. I don't understand what you meant by
    "I need to let user type a name and show his/her user ID from the list of users who have access to the current community".
    Are you trying to look at user permissions based on a list of communities existing in the portal? The user can't even get to that community if he doesn't have permissions.

  • How can I list all users who have access to a particular TABLE or VIEW

    Hi,
    Can someone tell me how I can list all users who have access to a particular TABLE or VIEW.
    Abhishek

    Hi,
    Take a look on this link: http://www.petefinnigan.com/tools.htm
    Cheers

  • I have a requirement where I have to give the list of users who can access a specific computer. I am new with PS. Do you have a script to list users that can access a computer object of AD ?

    I have a requirement where I have to give the list of users who can access a specific computer defined in AD.
    I am new with PS.
    Do you have a script to list users that can access a computer object of AD?
    I have executed the following script but it does not give me the access rights of who can access the computer 'computername'.
    How can I have this information? Please help.
    Import-Module ActiveDirectory
    $computer = Get-ADComputer "computername" -Properties ntSecurityDescriptor
    $computer.ntSecurityDescriptor.Access | Select-Object -ExpandProperty IdentityReference | Sort-Object -Unique

    I would say that, since the OP has so little info, there are no policies in use. If there were then this question would never be asked the way it is being asked.
    I had a client call with a letter from their insurance company; an accountant with malpractice insurance. They asked the same question in much the same way. "What computer can your users access?" The question should be more like
    "Do you have a policy that restricts access to computers and do you audit for compliance?"
    I have had other clients whose insurance asked the question in that way. It produces a better view of what should be happening and how to show compliance.
    I recommend that companies being asked these questions by their legal departments or insurance companies should contract with a good computer security consultant to assist with answering these very tricky questions. Of course if it is just your boss's curiosity then you may need to discuss his requirements with him in more depth.
    ¯\_(ツ)_/¯
