Authorization in Directory
Hi All,
In both ES Repository and Integration Directory we can define more detailed authorizations that restrict access to design and configuration objects.
Documentation from SAP: http://help.sap.com/saphelp_nwpi71/helpdata/en/f7/c2953fc405330ee10000000a114084/frameset.htm
Nevertheless, the selection paths mentioned for the Directory are only Partner -> Communication Component.
If I configure one role with unrestricted object access but a Partner restriction, am I allowed only to create a sender agreement, etc. with this partner? Or is the sender agreement not included as an object type with this selection path?
Another question is whether it is possible to restrict the access to a defined folder. Many thanks
best regards,
Hai
Hey,
refer to this document
page no. 13, 14, 15
https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/a005629b-c063-2910-0fb8-f57dc68abaca
regards,
Milan
Similar Messages
-
OAM support for directory mapping
Is there a way OAM can be set up to point to one directory for a user store and point to another directory for the authorization data ( directory mapping ) ?
Thanks
OAM native (out of the box) capabilities for authorization are based on accessing data from the authenticated user's LDAP profile.
So, one way to do this is to facilitate a process to get the data you need onto the user profile. Think provisioning process, some sort of sync, or directory virtualization / composite profile...
Otherwise, OAM provides you with the Authorization API which is what you use to build an authZ plugin to use when the data you need (in order to make an authZ decision) is not on the authenticated user's profile. This plugin needs to meet a specified OAM interface but what it connects to and the logic that it executes are completely in the hands of the developer.
See the OAM Developer's Guide for more information.
Hope that helps,
Mark -
Export and import LineGroups in CUCM 6.1
Hello,
I need to modify Linegroups in a CUCM 6.1, and like many, I need to do it through BAT, but I have not got the option in CUCM 6.1 (I have found it in newer versions: 7.X, 8.X and 9.X)
In the help in the CUCM webpage you can find info that you can import/export this info, but I can't find this option in the BAT.
Does anybody know if it's possible to import/export Linegroups in CUCM 6.1?
Thanks and regards,
Hi Alberto,
Sadly this capability was added in CUCM 7.0(1)
Exporting Configuration
You can use BAT to export many new items in Release 7.0(1). The following list gives check boxes that are now available on the Export Configuration window for you to choose:
System Data
•Cisco Unified Communications Manager
•Cisco Unified Communications Manager Group
•Date/Time Group
•Device Pool
•Enterprise Parameter
•Location
•Phone NTP Reference
•Region
•Server
•Service Parameter
•SRST
•Security Profile (Phone & SIP Trunk)
•Physical Location
•Device Mobility group
•Presence Group
•LDAP System
•Device Mobility Info
•DHCP Server
•DHCP Subnet
•Application Server
•LDAP Directory
•LDAP Authentication
•MLPP Domain
•Resource Priority Namespace Network Domain
•Resource Priority Namespace List
•CUMA Server Security Profile
Call Routing Data
•Application Dial Rules
•CSS (Class of Control)
•Partitions (Class of Control)
•Route Filter
•Time Period (Class of Control)
•Time Schedule (Class of Control)
•Translation Pattern
•AAR Group
•Forced Authorization Codes
•Directory Lookup Dial Rules
•Client Matter Codes
•Call Park
•Call Pickup Group
•Directory Number
•MeetMe Number
•Cisco Attendant Console Pilot Point
•Directed Call Park
•SIP Dial Rules
•Line Group
•Route Group
•Hunt List
•Route List
•Hunt Pilot
•Intercom Route Partition
•Intercom CSS
•Access List
•Route Pattern
•Called Party Transformation Pattern
•SIP Route Pattern
•Intercom Directory Number
•Mobility Configuration
•Intercom Translation Pattern
•Calling Party Transformation Pattern
•Time Of Day Access
http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/rel_notes/7_0_1/cucm-rel_notes-701.html#wp583099
Cheers!
Rob
"Why do the best things always disappear "
- The Band -
Client Authentication in iplanet web server 6.0
Hi,
I am trying to enable client authentication using SSL in iplanet 6.0. I want to compare the client's digital certificate to the one the server stores. The documentation states that I must store a client certificate as an entry in an LDAP directory, but I've been trying to find an alternative way of storing it (like how OpenSSH stores the public keys of logged users in its own 'authorization' file directory).
Is there a way to store a client's certificate in iplanet (without the use of an LDAP directory) and still let it participate in the client authentication process?
regards,
ange
Yes, I have recently struggled with the same issue. I don't believe the documentation is very clear. Here's how we did it:
1.) make sure you read Sun's documentation http://docs.sun.com/source/816-5682-10/esaccess.htm#1002576
2.) Make a new file somewhere in or above the directory you want to protect called .htaccess with the following:
# this example only allows the domain .gov
AuthUserFile <the entire directory or file path>
<Limit GET>
order deny,allow
deny from all
allow from .gov
</Limit>
3.) For the entire server (see Editing drop-down), click activate and leave File Name blank or ".htaccess" then click OK
4.) Apply changes dynamically or by stopping and starting the server -
MAC Authentication + Windows Server 2008 R2 Radius server
Hello there,
I have been trying to configure MAC Authentication on Windows Server Network Policy Server but with no success. Details on my configuration can be found below.
I have firstly enabled the Mac Authentication on 3com switch 4400 model.
enabling -> Mac-authentication
enabling authentication mode -> UsernameAsMacAddress
configuring a domain - mac-authentication domain abc.local.
I left the default Vlan (Vlan1)
While on my DC, I created a user
username: 00-00-00-00-00-00
password: 00-00-00-00-00-00
Lastly, on the NPS Server, I configured the 802.1x Wired configuration, and I configured the NAS (Radius Client), which is the 3com Switch.
After completing the configurations, I turned on my computer and logged on to the domain abc\00-00-00-00-00-00 with the password. But there was no success when the computer tried to connect to the network looking for DHCP services to obtain an IP address.
On the NPS event service, I got:
User:
Security ID:
NULL SID
Account Name:
[email protected]
Account Domain:
abc
Fully Qualified Account Name:
abc\00-00-00-00-00-00
Client Machine:
Security ID:
NULL SID
Account Name:
Fully Qualified Account Name:
OS-Version:
Called Station Identifier:
Calling Station Identifier:
0000-0000-0000
NAS:
NAS IPv4 Address:
xxx.xxx.xx.xx
NAS IPv6 Address:
NAS Identifier:
00aa00aa00aa
NAS Port-Type:
Ethernet
NAS Port:
12345678
RADIUS Client:
Client Friendly Name:
3com
Client IP Address:
xxx.xxx.xx.xx
Authentication Details:
Connection Request Policy Name:
NAP 802.1X (Wired) 2
Network Policy Name:
Authentication Provider:
Windows
Authentication Server:
server.abc.local
Authentication Type:
PAP
EAP Type:
Account Session Identifier:
Logging Results:
Accounting information was written to the local log file.
Reason Code:
16
Reason:
Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.
All I could find was "Authentication failed" due to the reason that appeared in the reason code, but I am very sure that the name and the password are the same. I hope someone can help me out.
Thanks.
Hi,
Thanks for your post.
MAC address authorization is performed when the user does not type in any user name or password, and refuses to use any valid authentication method. In this case, Network Policy Server (NPS) receives the Calling-Station-ID attribute, and no user name and password. To support MAC address authorization, Active Directory Domain Services (AD DS) must have user accounts that contain MAC addresses as user names.
For more detailed information about MAC Address Authorization, please refer to the below article. Hope it helps.
MAC Address Authorization
http://technet.microsoft.com/en-us/library/dd197535(WS.10).aspx
Best Regards,
Aiden
Aiden Cao
TechNet Community Support -
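As an added example (not part of the thread and not Microsoft tooling), the Python below parses an NPS event in the "label line, value line" layout pasted in the question and checks whether the User-Name and the Calling-Station-ID identify the same adapter once separator notation is ignored. Section and field names are taken from the pasted event; the sample values and the function names are constructed for illustration.

```python
import re

# Section headers as they appear in the NPS event quoted in the thread.
SECTIONS = {"User", "Client Machine", "NAS", "RADIUS Client",
            "Authentication Details"}

# Constructed sample (placeholder values), same layout as the pasted event.
SAMPLE_EVENT = """\
User:
Security ID:
NULL SID
Account Name:
00-11-22-aa-bb-cc
Fully Qualified Account Name:
abc\\00-11-22-aa-bb-cc
Client Machine:
Account Name:
Calling Station Identifier:
0011-22AA-BBCC
NAS:
NAS Port-Type:
Ethernet
Authentication Details:
Authentication Type:
PAP
EAP Type:
Reason Code:
16
"""


def parse_event(text):
    """Return {"Section/Label": value}; a label with no value maps to ""."""
    fields, section, label = {}, "", None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":"):
            name = line[:-1]
            if name in SECTIONS:          # new section, no value expected
                section, label = name, None
            else:                         # field label, value may follow
                label = f"{section}/{name}"
                fields[label] = ""
        elif label is not None:           # value line for the pending label
            fields[label] = line
            label = None
    return fields


def normalize_mac(value):
    """Reduce a MAC in any common notation to 12 lowercase hex digits, else None."""
    value = value.rsplit("\\", 1)[-1].split("@", 1)[0]  # drop DOMAIN\ and @realm
    digits = re.sub(r"[-:.]", "", value).lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None


def triage(fields):
    """Summarise what a MAC-authentication request actually presented."""
    user = fields.get("User/Fully Qualified Account Name", "")
    station = fields.get("Client Machine/Calling Station Identifier", "")
    user_mac, station_mac = normalize_mac(user), normalize_mac(station)
    return {
        "user_name_is_mac": user_mac is not None,
        # Same adapter once separators and case are ignored.
        "same_device": user_mac is not None and user_mac == station_mac,
        # Whether the two attributes use the same textual notation.
        "same_notation": user.rsplit("\\", 1)[-1] == station,
        "auth_type": fields.get("Authentication Details/Authentication Type", ""),
        "reason_code": int(fields.get("Authentication Details/Reason Code") or 0),
    }


if __name__ == "__main__":
    print(triage(parse_event(SAMPLE_EVENT)))
```

Run against a real event, the `same_notation` field shows at a glance whether the switch writes the address differently in the two attributes, which matters when deciding what the directory account name has to look like.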
Quickfinder Server public user access
Hello,
I have Quickfinder working and most security is set up and working
except, when one loads the search page it defaults to "public access"
and a search with public access displays snippets from restricted
documents (although authentication is requested to view the document).
I have explicitly removed all rights for [public] in the restricted
folder, and set "Check authorization by directory" to "No" for the
virtual server in question.
There doesn't seem to be anything else I can do to prevent these
snippets from being viewed, but it does appear, from what I'm reading,
that this behavior should not occur.
Any suggestions?
Thanks!
- Ken
Ken McLeod
The Delphian School
http://www.delphian.org
Ok, by tweaking some settings, I now get a list of document titles and
an "Unauthorized" message along with them.
Set Rights-based authorization to "by index" and specified a file from
which I specifically removed all rights for [public]. Then I set the
"Unauthorized hits filtered by" to "Templates" and that got me the above
result.
Is it possible to turn it off completely? In other words, instead of
getting a list of hits with "unauthorized" message, just get no hits at all?
Tia,
Ken
Ken McLeod wrote:
> Hello,
>
> I have Quickfinder working and most security is set up and working
> except, when one loads the search page it defaults to "public access"
> and a search with public access displays snippets from restricted
> documents (although authentication is requested to view the document).
>
> I have explicitly removed all rights for [public] in the restricted
> folder, and set "Check authorization by directory" to "No" for the
> virtual server in question.
>
> There doesn't seem to be anything else I can do to prevent these
> snippets from being viewed, but it does appear, from what I'm reading,
> that this behavior should not occur.
>
> Any suggestions?
>
> Thanks!
>
> - Ken
Ken McLeod
The Delphian School
http://www.delphian.org -
LDAP-Server configuration and using
Hi,
Can anyone tell me how the LDAP server functions in Adobe LiveCycle ES?
What do I have to do? And how can I get user data for the logged-in user via LDAP?
Thanks
LiveCycle ES has an administrative console you can get at http://localhost:8080/adminui. You can log in with administrator/password.
Under the Settings section, you can go to User Management and then Domain Management.
In there you can define a new Enterprise Domain and create a new Authorization and Directory for that new domain.
In the Authorization, you can select LDAP. Under the Directory, you'll be taken through a wizard that will help you configure the LDAP connection to get the list of users and groups.
Then go back to Domain Management and select "Synch Now". You can set that synchronization to occur periodically.
Once you can connect to the LDAP server properly and get the list of users, you should be able to log in to the different interfaces using users from the LDAP system.
You might need to give them LiveCycle roles to access some of the interfaces like adminui, workspace, etc. You can add roles under Settings/User Management/Role Management
Jasmin -
How to do Server 2012 R2 Network Policy Server MAC Authentication without adding ad users?
I have a Network Policy Server running on Server 2012 R2. I have set it up to do certificate and PEAP authentication for our 802.1x wireless authentication and that works great.
Now I want to add a policy to this server so I can also do MAC address authentication on our unauthenticated open wireless SSID so I can assign roles based on the MAC address. I got our Aruba controller set up to send the MAC address to the RADIUS server, but the RADIUS server just denies access because I am not sure how to get it to use the msNPCallingStationID attribute.
I have found several ways to do this, including adding Active Directory users for every single MAC address with the MAC address as the username and password. I do not want to do that. This is not an option.
I have also found several posts about using ieee802Device. I can't find a way to get that to work.
I also found a suggestion to use the msNPCallingStationID AD attribute. I can easily set this for each user as their MAC addresses, but how do I configure the NPS server to use this attribute to authenticate this?
If you have any other ideas on how to get MAC authentication to work, I would greatly appreciate it!
Thank you for your assistance!
Hi,
I think you may have some misunderstanding about MAC address authorization. MAC address authorization is based on the MAC address of the network adapter installed in the access client computer. Like ANI authorization, MAC address authorization uses the Calling-Station-ID attribute instead of user name and password or certificate-based credentials to identify the user during the connection attempt.
MAC address authorization is performed when the user does not type in any user name or password, and refuses to use any valid authentication method. In this case, Network Policy Server (NPS) receives the Calling-Station-ID attribute, and no user name and password. To support MAC address authorization, Active Directory Domain Services (AD DS) must have user accounts that contain MAC addresses as user names, therefore you need to add the MAC address as the computer user name and password.
Using the MAC address as user name and password is a Cisco® switch requirement; about your switch device, please ask your hardware vendor.
If you want to combine MAC address filtering and EAP authentication, you can refer to the following related article:
Enhance your 802.1x deployment security with MAC filtering
http://blogs.technet.com/b/nap/archive/2006/09/08/454705.aspx
More information:
MAC Address Authorization
http://technet.microsoft.com/en-us/library/dd197535(v=ws.10).aspx
Authorization by User and Group
http://technet.microsoft.com/en-us/library/dd197615(v=ws.10).aspx
The similar thread:
NPS: Override User-Name and User Identity Attribute
http://social.technet.microsoft.com/Forums/windowsserver/en-US/6dd983f9-973f-4d23-be0c-032d3a1592d0/nps-override-username-and-user-identity-attribute?forum=winserverNAP
The related third party article:
Configuring IEEE 802.1x Port-Based Authentication
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3550/software/release/12-2_25_see/configuration/guide/3550SCG/sw8021x.html#wp1170569
MAC Filters with Wireless LAN Controllers (WLCs) Configuration Example
http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/91901-mac-filters-wlcs-config.html#backinfo
Hope this helps. -
I am trying to authorize my computer and I get an error message: The required directory was not found or has a permissions error. Correct this permissions problem and try again, or deauthorize this computer if the permissions cannot be changed. Help?
I used Terminal to change the permissions on the folder in question. I followed the instructions in this article:
iTunes: Missing folder or incorrect permissions may prevent authorization
In my case, the folder was there, so I needed the command to change permissions on the folder, not to create one. I was hesitant to use Terminal b/c I know that if I made an error I could wipe out my hard drive or render my computer unusable. So to be SURE I didn't make an error, I carefully copied the command from that page and *pasted* it into Terminal. Also, before I could do anything in Terminal, I had to go change my admin password (it had been a blank password before and that's not acceptable for making changes in Terminal). I was just super careful when entering my password or doing anything else while Terminal was open (making sure I didn't accidentally hit the spacebar or another key, etc.) And it fixed the problem right away.
What was confusing for me was that the iTunes error message said to change permissions in the FINDER, which is what I was trying to do. It didn't mention Terminal. What would really be helpful is if Apple included a link to a page like this in their error message. -
Data Dependent Authorization in Integration Directory
Hi all,
I faced a couple of questions regarding Data Dependent Authorization in Integration Directory:
1) I've configured user role in Integration Directory to restrict access to certain services and communication channels.
When I configure it as follows:
Selection Paths:
Operator: Include
Party: -
Service: ZMDMBS
Objects:
Operator: Include
Types: *
Actions: Full Edit
I get expected behaviour: user assigned to this role can modify ZMDMBS and can't modify any other Service in ID.
And when I change Selection Paths -> Operator: to Exclude I expect that all services will be modifiable except ZMDMBS. But in this case none of the services is modifiable.
Is my configuration of the authorization wrong?
2) Is it possible to restrict access to all configuration objects relevant to a specific Scenario?
> 2) Is it possible to restrict access to all configuration objects relevant to a specific Scenario?
I don't think it is possible. But you can lock the object so that other users cannot modify it. -
There was an error storing your authorization information on this computer.The required directory was not found or has a permissions error. Correct this permissions problem and try again, or deauthorize this computer if the permissions cannot be changed.
I'd try the following document with that one:
iTunes: Missing folder or incorrect permissions may prevent authorization -
Authorization Error For XI Integration Repository and Directory
Hi All,
I am new in this field.
While accessing Integration Repository and Directory, I am getting the error "No Authorization for this action". I am trying to log in with user J2EE_ADMIN, which has the following roles:
SAP_J2EE_ADMIN
SAP_J2EE_ADMIN
SAP_J2EE_GUEST
SAP_XI_ADMINISTRATOR_J2EE
SAP_XI_CONFIGURATOR_J2EE
thnx and regds:
N.N. Tiwari
Hi,
go to http://<host>:<port>/index.html --> User Management and log in using j2ee_admin
When you go into one of the tabs, there will be a client entry. Just change it.
You should be able to do the same thing with the UME provider service in the Visual Admin.
Please check Note 938980 if you are using VPN.
This is probably a Java Web-Start issue. Please check logon with other JWS versions. Also check if you have any conflicting JWS versions installed.
This is a checklist for logon errors:
/people/shabarish.vijayakumar/blog/2006/02/13/unable-to-open-iresrid-xipipi-71-updated-for-pi-71-support
Also check the methods in these threads:
Authorization error; unknown user name or incorrect password
Authorization error in Integration Repository.
Note: reward points if solution found helpful
Regards
Chandrakanth.k -
No authorization in Integration Directory
Hello
We are trying to create Scenario objects inside Integration Directory but it is giving a No authorization error. We are using XISUPER as the user.
We could develop mappings inside IR.
Thanks in advance
Regards
Rajeev
Hey,
The relevant problem is with the roles assigned to XISUPER. As said above, call the transaction su01 -> Enter User Name -> choose Display -> Select ROLES tab.
Check whether you have these roles assigned.
1) SAP_XI_DEVELOPER
2) SAP_XI_DEVELOPER_ABAP
3) SAP_XI_DEVELOPER_J2EE
If they aren't assigned, assign them or else ask your basis admin to do it. It should resolve the problem.
Cheers
RAJ
REWARD POINTS IF FOUND USEFUL -
While accessing Integration Directory (No authorization for this action)
Hi,
I am getting the below error; while accessing Integration Directory it is showing (No authorization for this action).
I had provided the necessary authorization to XI* users & j2ee_guest, j2ee_admin.
The below error is in application.log
#1.5#0019BB24F5460065000000130000145000045BA13A34D68B#1226647931285#/Applications/ExchangeInfrastructure/Directory#sap.com/com.sap.xi.directory#com.sap.aii.ib.web.clidist.DownloadServlet#J2EE_GUEST#0####59978c50b21e11dd9a8b0019bb24f546#SAPEngine_Application_Thread[impl:3]_18##0#0#Error#1#com.sap.aii.ib.web.clidist.DownloadServlet#Plain###Cannot locate jnlp resource
Thrown:
com.sap.engine.services.httpserver.exceptions.HttpIOException: Write timeout. HTTP client read timeout or callback from dispatcher not received for [10000] milliseconds.
at com.sap.engine.services.httpserver.server.ResponseImpl.sendResponse(ResponseImpl.java:281)
at com.sap.engine.services.servlets_jsp.server.runtime.client.ServletOutputStreamImpl.flush(ServletOutputStreamImpl.java:411)
at com.sap.engine.services.servlets_jsp.server.runtime.client.ServletOutputStreamImpl.write(ServletOutputStreamImpl.java:236)
at com.sap.engine.lib.io.GZIPMultiOutputStream$StreamTool.deflate(GZIPMultiOutputStream.java:123)
at com.sap.engine.lib.io.GZIPMultiOutputStream.write(GZIPMultiOutputStream.java:339)
at com.sap.engine.services.servlets_jsp.server.runtime.client.GzipResponseStream.write(GzipResponseStream.java:230)
at com.sap.aii.ib.web.clidist.DownloadResponse$FileDownloadResponse.sendResponse(DownloadResponse.java:114)
at com.sap.aii.ib.web.clidist.DownloadServlet.handleRequest(DownloadServlet.java:104)
at com.sap.aii.ib.web.clidist.DownloadServlet.doGet(DownloadServlet.java:34)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:387)
at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:365)
at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:944)
at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:266)
at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:160)
at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
at java.security.AccessController.doPrivileged(Native Method)
at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:100)
at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:170)
Regards,
hari
Hi,
Thanks for your quick update,
I had provided all necessary authorizations in SU01. Still I am facing the problem.
Here I am attaching default.0.trc, which contains the error.
Pls guide me,
#1.5#0019BB24F546006E0000000F0000145000045BA198970570#1226649514800#com.sap.engine.services.httpserver##com.sap.engine.services.httpserver#XIAFUSER#228##tdcusappay_PXI_4766550#XIAFUSER#096e7910b22211dd812c0019bb24f546#SAPEngine_Application_Thread[impl:3]_10##0#0#Error#1#/System/Server#Plain###User XIAFUSER, IP address
HTTP request processing failed. HTTP error [403] will be returned. The error is [You are not authorized to view the requested resource.No details available].#
#1.5#0019BB24F546005F000000500000145000045BA19A61CE61#1226649544878#com.sap.engine.services.httpserver##com.sap.engine.services.httpserver#XIAFUSER#229##tdcusappay_PXI_4766550#XIAFUSER#1b5c02f0b22211dd82890019bb24f546#SAPEngine_Application_Thread[impl:3]_37##0#0#Error#1#/System/Server#Plain###User XIAFUSER, IP address
HTTP request processing failed. HTTP error [403] will be returned. The error is [You are not authorized to view the requested resource.No details available].#
Thanks & Regards,
hari -
Authorization error when logon to IB-Repository and Directory
Hi,
we patched from SP12 to SP13. At SP12 logon to IB (Repository and Directory) worked without problems. But
after applying SP13 to XI we can't logon to IB anymore.
The error is "Authorization error, unknown user name or
incorrect password". The user we use can logon to the
Server so password should be ok. And the same user have
been also used when we still have SP12.
We have cleared the WS Cache and done the Re-Initialize
like mentioned in other thread dealing with this problem.
But it doesn't help so far.
Login to SLD, Runtime Workbench with the same user work
without problem. So it can not be the issue with wrong
name and password.
Has somebody faced this problem after patching to SP13?
Our XI runs on Windows 2000.
Thanks,
Ly-Na Phu
Hi,
First check in RSSM whether your InfoProvider is checked for authorization object 0PERS_AREA. Also determine whether you need this authorization object. If yes, then it should be checked; otherwise the check mark should be unchecked. If 0PERS_AREA is checked for your InfoProvider, then you should have some value in this object when you create the role. Either * for all values or a restricted value for it. Go to PFCG, select the role and add the authorization values for the 0PERS_AREA object.
GSM.