Best practice for select access to users

Similar Messages

• Best Practices for Data Access

  Good morning!
  I was wondering if someone might give me some advice on some best practices for retrieving data from a SQL server in the cloud via a desktop application?
  I'm curious if I embed into my desktop application the server address (IP, or Domain or whatever) and allow the users to provide their own usernames and passwords when using the application, if there was anything "wrong" with that? Where-in my
  application collects the username and password from the user, connects to a server with that username and password, retrieves the data and uses it in-app.
  I'm petrified of security issues and I would hate to start using a SQL database with this setup only to find out that anyone could download x, y or z and connect to the database and see everything.
  Assuming I secure all of the users with limited permissions, is there anything wrong with exposing a SQL server to the web for my application to use? If so, what and what would be a reasonable alternative?
  I really appreciate any help and feedback!

  There are two options, none of them very palatable:
  1) One is to create a domain, and add the VM and your local box to it.
  2) Stick to a workgroup, but have the same user name and password on both machines.
  In practice, a better option is to create an SQL login that is member of sysadmin - or who have rights to impersonate an account that is member of sysadmin. And for that matter, you could use the built-in sa account - but you rename it to something else.
  The other day I was looking at the error log from a server that apparently had been exposed on the net. The log was full with failed login attempts for sa, with occasional attempts for names like usera and so on. The server is in Sweden - the IP address
  for the login attempts were in China.
  Just so know what you can expect.
  Erland Sommarskog, SQL Server MVP, [email protected]

• Best practices for defining Environment Variables/User Accounts in Linux

  Hello,
  After reading throught the Quick Install guide for 10gR2 on x86_64 Linux, I see that it is not recommended to define ANY variables in .bash_profile.
  I'm hoping to get a Best practices approach for defining environment variables - right now we use the oracle linux account for administration including sql*plus. So, where should the myriad variables be defined? Is it important enough to create a user account in linux to support best practices?
  What variables, exactly, should be defined? It seems that LD_LIBRARY_PATH is no longer being used?
  Thanks in advance
  Doug

  Something that I've done for years on unix/linux boxes is to create a seperate environment variable setup file for each instance on the box. This would include things like ORACLE_HOME, ORACLE_SID, etc. Then I would create an alias in my .bash_profile that would execute this script. As an example, I would create a orcl.env file that would hold all of the environment variables for this instance. Then in my .bash_profile I would create a line like the following:
  alias orcl=". $HOME/orcl.env"
  Then from anywhere you could type orcl and you would set your environment to connect to that database.
  Also, if you are using 10g, something else that is really nice if you are using sqlplus, and you connect to different databases without starting a new sqlplus session is to set a parameter in your $ORACLE_HOME/sqlplus/admin/glogin.sql file:
  set sqlprompt "_user 'at' _connect_identifier >"
  This will automatically change your command prompt to look like this:
  RALPH at ORCL >
  if you connect as GEORGE, your prompt will immediately change to :
  GEORGE at ORCL >
  This way you can always know who and where you are connected to.
  Good luck!

• Any Best Practices for Guest Access?

  Looking to create a guest access WLan so that Vendors can have internet access along with vpn into their own network while disallowing access to our internal systems.
  I have created a Guest WLan and configured it on the WLC side. I think all I have to do now is to configure the core switch with athe New 99 Vlan along with configuring the trunk ports connected to the WLC's.
  My question is, am I missing anything in the setup? and are there any "best practices" wen it comes to Guest access? I am hoping to use web-passthru authentication. I dont believe this requires any AAA or Radius servers which we dont have set up. I will probably just want a single "guest" account which will provide internet access without allowing access to the internal lan. Am I on the right track here?

  ***************Guest WLC****************** (Cisco Controller) >show mobility summary Symmetric Mobility Tunneling (current) .......... Enabled Symmetric Mobility Tunneling (after reboot) ..... Enabled Mobility Protocol Port........................... 16666 Default Mobility Domain.......................... DMZ Multicast Mode .................................. Disabled Mobility Domain ID for 802.11r................... 0x43cd Mobility Keepalive Interval...................... 10 Mobility Keepalive Count......................... 3 Mobility Group Members Configured................ 2 Mobility Control Message DSCP Value.............. 0 Controllers configured in the Mobility Group MAC Address        IP Address      Group Name                        Multicast 00:19:aa:72:2e:e0  10.192.60.44    Champion Corp                    0.0.0.0 00:19:aa:72:39:80  10.100.100.20    DMZ                              0.0.0.0 (Cisco Controller) > ***************Corp WLC***************** (Cisco Controller) >show mobility summary Symmetric Mobility Tunneling (current) .......... Enabled Symmetric Mobility Tunneling (after reboot) ..... Enabled Mobility Protocol Port........................... 16666 Default Mobility Domain.......................... Champion Corp Multicast Mode .................................. Disabled Mobility Domain ID for 802.11r................... 0x46d5 Mobility Keepalive Interval...................... 10 Mobility Keepalive Count......................... 3 Mobility Group Members Configured................ 2 Mobility Control Message DSCP Value.............. 0 Controllers configured in the Mobility Group MAC Address        IP Address      Group Name                        Multicast IP    Status 00:19:aa:72:2e:e0  10.192.60.44    Champion Corp                    0.0.0.0          Up 00:19:aa:72:39:80  10.100.100.20    DMZ                              0.0.0.0          Up (Cisco Controller) >

• Best practice for SSH access by a user across multiple Xserves?

  Hello.
  I have 3 Xserves and a Mac Mini server I'm working with and I need SSH access to all these machines. I have given myself access via SSH in Server Admin access settings and since all 4 servers are connected to an OD Master (one of the three Xserves), I'm able to SSH into all 4 machines using my username/password combination.
  What I'm unsure of though is, how do I deal with my home folder when accessing these machines? For example, currently, when I SSH into any of the machines, I get an error saying...
  CFPreferences: user home directory at /99 is unavailable. User domains will be volatile.
  It then asks for my password, which I enter, and then I get the following error...
  Could not chdir to home directory 99: No such file or directory
  And then it just dumps me into the root of the server I'm trying to connect to.
  How should I go about dealing with this? Since I don't have a local home directory on any of these servers, it has no where to put me. I tried enabling/using a network home folder, but I end up with the same issue. Since the volume/location designated as my home folder isn't mounted on the servers I'm trying to connect to (and since logging in via SSH doesn't auto-mount the share point like AFP would if I was actually logging into OS X via the GUI), it again says it can't find my home directory and dumps me into the root the server I've logged in to.
  If anyone could lend some advice on how to properly set this up, it would be much appreciated!
  Thanks,
  Kristin.

  Should logging in via SSH auto-mount the share point?
  Yes, of course, but only if you've set it up that way.
  What you need to do is designate one of the servers as being the repository of home directories. You do this by simply setting up an AFP sharepoint on that server (using Server Admin) and checking the 'enable user home directories' option.
  Then you go to Workgroup Manager and select your account. Under the Home tab you'll see the options for where this user's home directory is. It'll currently say 'None' (indicating a local home directory on each server). Just change this to select the recently-created sharepoint from above.
  Save the account and you're done. When you login each server will recognize that your home directory is stored on a network volume and will automatically mount that home directory for you.

• Best Practice for managing Groups and Users

  We want to create a Corporate Portal for the Department and it's Organizations. We want to have one Portal Public page as the main entry for all our users. When a user login, he will be re-direct to is Organization Portal page.
  I need to find a good document, a case study if possible, on how to define my Groups in OID to achieve this. I need a document that explain how to setup and manage Groups for a Corporate Portal.
  Thank you!

  Hi!
  The Portal Admin Guide gives a good overview about the groups administration.
  I don't know about case studies that address your problem.
  When you have different home pages for different groups you can administer this with the Portal Group Profile portlet in the admin section of Portal.
  cu
  Andreas

• Best practice for selection-screen in global classes

  Hello everyone,
  I have build several selection screens (overall 150+ select options / parameters) some time ago and want to reuse some of them within a global class encapsulating a ALV grid. Is there an easy way to forward the values of a selection screen into my class?
  I have thought of a function module (in the function group which contains the dynpros) to extract the values. Is this a state-of-the-art approach?
  Thanks in advance,
  Alej

  Hi Uwe,
  correct me if I'm wrong: I remember RS_REFRESH_FROM_SELECTOPTIONS not doing the job perfectly, what ever it was, maybe
  'RS_REFRESH_FROM_SELECTOPTIONS' reads only the main selection screen of a report; it will not give you SELECTION-SCREEN BEGIN OF SCREEN ... contents.
  At least it is good for extracting the names of all SELECT-OPTIONS and PARAMETERS. Then use a dynamic assign like
  data:
    lv_assign type string
  field-symbols:
    <selopt> type table.
  CONCATENATE '('IM_CALLING_PROGRAM')' SELNAME INTO lv_assign.
  assign (lv_assign) to <selopt>.
  This not only enables you to use but also to modify the select-options on the screen as you want or need.
  I know since 10 or more years SAP warns to use the dynamic ASSIGN. But it works perfectly and will probably never be changed.
  Regards,
  Clemens

• Best practice for low bandwidth end-users

  Hey guys,
  I'm new to CS and am about halfway through my planning stages for a web app.
  My end users will be predominantly on 256k-512k connections (yeh I know it sucks, but this is regional/rural Australia) and a fairly large proportion of those are going to be on satellite which is incredibly latent.
  Does anyone have some tips on keeping it lean and mean regarding coding or have any experience's they'd mind sharing?
  Cheers

  At JavaOne, I attended a great technical session on extreme web caching. He talked about ways to make sure the browsers cache the static information, such as images.
  Web Caching is very important for high traffic, high performance web site but few people know all the professional-level strategies. In this talk I'll share some of the tricks of the trade, including advanced tips from Yahoo's Mike Radwin.
  To get a good intro to cross-browser web caching techniques check out the caching tutorial at www.mnot.net.

• Best practices for one account's users to get new accounts?

  After eight years of sharing my iTunes account, my kids are moving out into the real world.  How would/should they get their "own" iTunes accounts?  They will want to buy their own music with their own money (without Dad's payment info) but of course want to be able to continue to play all the music they've bought over the years on my account.  What is the best way to accomplish this?

  Well, I've been trying this for a while. By my calculations, at this rate, installing all the applications one by one and trying to restore all the data manually will take me about six years. I would finished just in time for the Tokyo 2020 Olympics.
  The main problem is, I don't know where all the bodies are buried. Just one example, I'm using Cornerstone for an svn client. I have working copies of multiple repositories on my computer. I really don't want to set them all up again, and I can't figure out where the Cornerstone preferences and all settings are stored. I couldn't find them in the Library anywhere.
  And that's just one case.
  I haven't done much with my MacBook Pro yet, I think in retrospect the easiest course of action is to reinstall OS X as though it were new MacBook Pro, start from scratch, and use my Time Machine backup with the migration assistant and go from there.
  And that's what I'm doing right now. I'm in the middle of reinstalling OS X.
  Afterwords I'll use a clean app uninstaller application to get rid of all the applications that I'm not using. And I'll just hack away at directories that I know I haven't looked at for years, with the confidence that I have a backup both in Time Machine and in CCC and also on my iMac. That's three backups.
  I would rather start out "light", but I can see it's just going to take forever and a day to get it done. Anyway, fortunately nothing is carved in stone, and I can always try again if I want to. But dealing with all the documents and all the applications one by one separately was just obviously going to take too much time.
  I'll report back on my results. And I appreciate your suggestion.
  Doug

• Best Practice for storing PDF docs

  My client has a number of PDF documents for handouts that go
  with his consulting business. He wants logged in users to be able
  to download the PDF docs for handouts at training. The question is,
  what is the 'Best Practice' for storing/accessing these PDF files?
  I'm using CF/MySQL to put everything else together and my
  thought was to store the PDF files in the db. Except! there seems
  to be a great deal of talk about BLOBs and storing files this way
  being inefficient.
  How do I make it so my client can use the admin tool to
  upload the information about the files and the files themselves,
  not store them in the db but still be able to find them when the
  user want's to download them?

  Storing documents outside the web root and using
  <cfcontent> to push their contents to the users is the most
  secure method.
  Putting the documents in a subdirectory of the web root and
  securing that directory with an Application.cfm will only protect
  .cfm and .cfc files (as that's the only time that CF is involved in
  the request). That is, unless you configure CF to handle every
  request.
  The virtual directory is no safer than putting the documents
  in a subdirectory. The links to your documents are still going to
  look like:
  http://www.mysite.com/virtualdirectory/myfile.pdf
  Users won't need to log in to access these documents.
  <cfcontent> or configuring CF to handle every request
  is the only way to ensure users have to log in before accessing
  non-CF files. Unless you want to use web-server
  authentication.

• Best practice for external but secure access to internal data?

  We need external customers/vendors/partners to access some of our company data (view/add/edit).  It’s not so easy as to segment out those databases/tables/records from other existing (and put separate database(s) in the DMZ where our server is).  Our
  current solution is to have a 1433 hole from web server into our database server.  The user credentials are not in any sort of web.config but rather compiled in our DLLs, and that SQL login has read/write access to a very limited number of databases.
  Our security group says this is still not secure, but how else are we to do it?  Even if a web service, there still has to be a hole in somewhere.  Any standard best practice for this?
  Thanks.

  Security is mainly about mitigation rather than 100% secure, "We have unknown unknowns". The component needs to talk to SQL Server. You could continue to use http to talk to SQL Server, perhaps even get SOAP Transactions working but personally
  I'd have more worries about using such a 'less trodden' path since that is exactly the areas where more security problems are discovered. I don't know about your specific design issues so there might be even more ways to mitigate the risk but in general you're
  using a DMZ as a decent way to mitigate risk. I would recommend asking your security team what they'd deem acceptable.
  http://pauliom.wordpress.com

• Best Practices for user ORACLE

  Hello,
  I have few linux servers with user ORACLE.
  All the DBAs in the team connecting and working on the servers as ORACLE user and they dont have sperate account.
  I create for each DBA its own account and would like them to use it.
  The problem is that i dont want to lock the ORACLE account since i need it for installation/upgrade and etc , but yet i dont what
  the DBA Team to connect and work with the ORACLE user.
  What are the Best Practice for souch case ?
  Thanks

  To install databases you don't need acces to Oracle.
  Also installing 'few databases every month' is fundamentally wrong as your server will run out of resources, and Oracle can host multiple schemas in one database.
  "One reason for example is that we have many shell scripts that user ORACLE is the owner of them and only user ORACLE have a privilege to execute them."
  Database control in 10g and higher makes 'scripts' obsolete. Also as long as you don't provide w access to the dba group there is nothing wrong in providing x access.
  You now have a hybrid situation: they are allowed interactively to screw 'your' databases, yet they aren't allowed to run 'your' script.
  Your security 'model' is in urgent need of revision!
  Sybrand Bakker
  Senior Oracle DBA

• Best practices for setting up users on a small office network?

  Hello,
  I am setting up a small office and am wondering what the best practices/steps are to setup/manage the admin, user logins and sharing privileges for the below setup:
  Users: 5 users on new iMacs (x3) and upgraded G4s (x2)
  Video Editing Suite: Want to connect a new iMac and a Mac Pro, on an open login (multiple users)
  All machines are to be able to connect to the network, peripherals and external hard drive. Also, I would like to setup drop boxes as well to easily share files between the computers (I was thinking of using the external harddrive for this).
  Thank you,

  Hi,
  Thanks for your posting.
  When you install AD DS in the hub or staging site, disconnect the installed domain controller, and then ship the computer to the remote site, you are disconnecting a viable domain controller from the replication topology.
  For more and detail information, please refer to:
  Best Practices for Adding Domain Controllers in Remote Sites
  http://technet.microsoft.com/en-us/library/cc794962(v=ws.10).aspx
  Regards.
  Vivian Wang

• Best Practice for Deleted AD Users

  In our environment, we are not using AD groups. Users are being added individually. We are running User Profile Service but I am aware that when a user is deleted in AD, they stay in the content database in the UserInfo table so that some metadata can be
  retained (created by/modified by/etc).
  What are best practices for whether or not to get rid of them from the content database(s)?
  What do some of you consultants/admins out there do about this? It was brought up as a concern to me that they are still being seen in some list permissions/people picker, etc.
  Thank you!

  Personally I would keep them to maintain metadata consistency (Created By etc as you say). I've not had it raised as a concern anywhere I've worked.
  However, there are heaps of resources online to delete such users (even in bulk via Powershell). As such, I am unaware of cases of deleting them causing major problems.
  w: http://www.the-north.com/sharepoint | t: @JMcAllisterCH | YouTube: http://www.youtube.com/user/JamieMcAllisterMVP

• Best Practices for Accessing the Configuration data Modelled as XML File in

  Hi,
  I refer the couple of blof posts/Forum threads on How to model and access the Configuration data as XML inside OSB.
  One of the easiest and way is to
  Re: OSB: What is best practice for reading configuration information
  Another could be
  Uploading XML data as .xq file (Creating .xq file copy paste all the Configuration as XML )
  I need expert answers for following.
  1] I have .xsd file which is representing the Configuration data. Structure of XSD is
  <FrameworkConfig>
  <Config type="common" key="someKey">proprtyvalue</Config>
  <FrameworkConfig>
  2] As my project will move from one env to another the property-value will change according to the Environment...
  For Dev:
  <FrameworkConfig>
  <Config type="common" key="someKey">proprtyvalue_Dev</Config>
  <FrameworkConfig>
  For Stage :
  <FrameworkConfig>
  <Config type="common" key="someKey">proprtyvalue_Stage</Config>
  <FrameworkConfig>
  3] Let say I create the following Folder structure to store the Configuration file specific for dev/stage/prod instance
  OSB Project Folder
  |
  |---Dev
  |
  |--Dev_Config_file.xml
  |
  |---Stage
  |
  |--Stahe_Config_file.xml
  |
  |---Prod
  |
  |-Prod_Config_file.xml
  4] I need a way to load these property file as xml element/variable inside OSb message flow.?? I can't use XPath function fn:doc("URL") coz I don't know exact path of XMl on deployed server.
  5] Also I need to lookup/model the value which will specify the current server type(Dev/Stage/prod) on which OSB MF is running. Let say any construct which will act as a Global configuration and can be acccessible inside the OSb message flow. If I get the vaalue for the Global variable as Dev means I will load the xml config file under the Dev Directory @runtime containing key value pair for Dev environment.
  6] This Re: OSB: What is best practice for reading configuration information
  suggest the designing of the web application which will serve the xml file over the http protocol and getting the contents into variable (which in turn can be used in OSB message flow). Can we address this problem without creating the extra Project and adding the Dependencies? I read configuration file approach too..but the sample configuration file doesn't show entry of .xml file as resources
  Hope I am clear...I really appreciate your comments and suggestion..
  Sushil
  Edited by: Sushil Deshpande on Jan 24, 2011 10:56 AM

  If you can enforce some sort of naming convention for the transport endpoint for this proxy service across the environments, where the environment name is part of the endpoint you may able to retrieve it from $inbound in the message pipeline.
  eg. http://osb_host/service/prod/service1 ==> Prod and http://osb_host/service/prod/service2 ==> stage , then i think $inbound/ctx:transport/ctx:uri can give you /service/prod/service1 or /service/stage/service1 and applying appropriate xpath functions you will be able to extract the environment name.
  Chk this link for details on $inbound/ctx:transport : http://download.oracle.com/docs/cd/E13159_01/osb/docs10gr3/userguide/context.html#wp1080822