BI 4.0 Universe Security

Similar Messages

• Not able to edit membership of universal security groups

  I’m not able to edit membership of My Universal security groups using outlook, when I add/remove members it shows the error
  “Changes to the public group membership can’t be saved. You do not have sufficient permission to perform this operation on this object”
  I've already assigned the RBAC role “Security Group Creation and Membership” to a security group and the user who is editing the group is the member of this role group. I’ve also tried to assign the role directly to user, but it also did not work.
  Exchange 2010, Outlook 2010.
  Could someone please suggest me on this.
  ------- Subodh

  No, I am still facing issue.
  I’m not able to edit membership of My Universal security groups using outlook, when I add/remove
  members it shows the error
  “Changes to the public group membership can’t be saved. You do not have sufficient permission to
  perform this operation on this object”
  I've already assigned the RBAC role “Security Group Creation and Membership” to a security group
  and the user who is editing the group is the member of this role group. I’ve also tried to assign the role directly to user, but it also did not work.
  I have multi domain scenario like Exchange is in child domain and AD Users are in Parent domain.
  ------- Subodh

• Can't add a mail enabled public folder to allowed senders on a mail universal security group in Exchange 2010

  Hello,
  I'm trying to allow a mail enabled public folder permissions to send to a mail universal security group. In the past if I wanted to add a PF as an allowed sender I would do it via the AuthOrig setting on that group using adsiedit.  I just noticed today
  that if I add the PFs DN to that attribute of the group, nothing happens.  No matter how long I wait the PF never shows up under the allowed senders list on the group. If you try and send as the PF you get a bounce about not being allowed to send to that
  group.  If I go back into AD and check, the PF is still listed under the AuthOrig attribute.  I tried this on a few different groups and with a few different PF and I'm stumped.  I think the last time I had to update this setting on a group
  was before I installed roll-up 5 for SP3. 
  If I do the same test with a user, it works as it should and they show up in the allowed senders list.  
  If I take a group that isn't restricted to specific senders and add a PF DN to the AuthOrig attribute of the group, the button in the message delivery restrictions for that group in the EMC will change from all senders to only senders in the following list,
  but the PF wont be listed in the box of allowed senders.  If I remove it from the AuthOrig attribute the group will change back to allow all senders.  It's really weird, so any help or light you can shed on this would be greatly appreciated. 
  -Mark

  Hello,
  I check many threads and articles, but there is no related information to verify the issue.
  If your purpose is that adding a mail-enabled public folder to allowed senders on a distribution group, there is a workaround method. You can create a new distribution group, and then add the public folder to the new distribution group, and add
  the new distribution group to the Only senders in the following list field of the target distribution group.
  Here is an article for your reference.
  http://support.microsoft.com/kb/2746885
  Cara Chen
  TechNet Community Support

• Migrate Universe Security restrictions

  Hi,
  I have modified Access Restrictions in a universe and added a Group  using CMC, in Development region.
  Now I need to migrate these changes to Validation region.
  I've been doing report and universe migration from Dev to Validation using Import Wizard.
  For the access restrictions to get reflected in Validation is it enough to migrate the Universe.
  Please could someone help me out in this regard.
  Many Thanks,
  Vai

  Hi,
  you have to migrate simultaneously also the user groups you applied the restrictions for. Add them along with the universe in the list of the objects to transfer.
  Regards,
  Stratos

• Using security groups to grant Full Mailbox Permissions

  Hi, I've of course found several articles discussing granting full mailbox permissions to universal security groups in Exchange 2010, however, most of them are outdated and provide contradicting information.
  So I figured I'd ask here to generate a more 'current' discussion of this and get the real answers.
  If I do the following:
  1. Create a shared mailbox
  2. Create a Universal Security group (USG)
  3. Add User X to the USG
  4. Grant the USG Full Access Permissions to the shared mailbox
  Q1: Will the shared mailbox automatically show up in User X's mailbox? I've read posts/articles claiming both NO and YES to this question. Some say you have to still go through the 'open additional mailboxes' setting in Outlook.
  Q2: According to the below thread, this is actually still a bug in Exchange 2010 in that when you assign Full Access to a Universal Group, it is supposed to auto-populate, but doesn't. Further, there are claims that USG replication takes a good 12-24 hours
  before showing up in the user's Outlook. Some say you actually need to restart the Information Store before it will take affect. This is in stark contrast to granting full access to an individual user account, which takes affect immediately.
  So what is the real truth here when using USGs to grant Full Access?
  https://social.technet.microsoft.com/Forums/exchange/en-US/9840fd13-daf8-45aa-ab35-4a827f1ba1e0/exchange-2010-unable-to-assign-full-access-permissions-using-a-security-group?forum=exchangesvrgenerallegacy
  Thanks,

  Hi squishmike,
  Thank you for your question.
  Q1: Will the shared mailbox automatically show up in User X's mailbox? I've read posts/articles claiming both NO and YES to this question. Some say you have to still go through the 'open additional mailboxes' setting in Outlook.
  A: By my testing, we still go through the ‘open addition mailbox’ setting in outlook when we open outlook with new profile.
  Q2: According to the below thread, this is actually still a bug in Exchange 2010 in that when you assign Full Access to a Universal Group, it is supposed to auto-populate, but doesn't. Further, there are claims that USG replication takes a good 12-24
  hours before showing up in the user's Outlook. Some say you actually need to restart the Information Store before it will take affect. This is in stark contrast to granting full access to an individual user account, which takes affect immediately. 
  So what is the real truth here when using USGs to grant Full Access?
  A: Question 1 has been answered it. It will show share mailbox by ‘open additional mailbox’, we will add shared mailbox manually.
  If there are any questions regarding this issue, please be free to let me know. 
  Best Regard,
  Jim

• Problem when exporting Universe to Enterprise

  Hi All,
  I am facing problem when exporting universe to enterprise. I am getting the following error.
  "You do not have the right to add objects to the folder /webi universes" .
  1) I tried logging with admin account still getting the same error.
  2) I tried adding my user id to admin group but still has the same problem.
  I did not make any new changes to security. Do not know what might be the reason. Any ideas would be greatly appreciated.
  Environment: BOXI 3.1, windows server 2003.
  Thanks and Regards
  Sudharsan.

  Hi Prasanna,
  1) I checked the rights on universes for Administartors and Everyone for webi universes folder :
  Universe Security:
        a) Administartors:  Private
        b) Everyone has public.
  User Securtiy:
        a) Administrator : has full access
        b) Everyone : No access
  2) I tried adding my user id to admin group and exported it, but no luck. I also brought a new user into the system (thinking that i might have some restrictions some where)  and added him to admin group and tried with his user id too but still has same problem.
  Thanks
  Sudharsan.

• Implementing object security in BO XI 3

  Hi,
  Please let me know how to implement object level security in BO XI 3.  I did it in 6 and not in XI.  I am able to find the security group in the designer.  But not able to find any place to attach the same to the user in CMC as we did in  Supervisor.  Please guide me.
  Thanks and Regards,
  Subbu S

  Login into the CMC and under Universes select the universe you want to assign object security to your users for. In the context menu (right mouse button) select Universe security .
  Regards,
  Stratos

• Exchange 2013 Mail Enable Existing Security Groups

  Hello,
  I can't seem to find how to mail enable an existing Security Group in Exchange 2013.  Does anyone know how to do this?  I have created them as Universal Security Groups in Active Directory.  I see that if you create them from the Exchange
  Admin Center, it will work, but I have a ton of groups with very complicated memberships that exist in AD and I would prefer not to delete them, recreate them, and adjust membership.
  I looked for a cmdlet that would let me do this, but I can't seem to find one.
  Does anyone know how to Mail Enable an Existing Group from Exchange 2013?
  Thanks

  Hello Stewart,
  If these groups are universal security groups, you can just follow Martina's suggestion to do that.
  Thanks,
  Evan Liu
  TechNet Subscriber Support in forum
  If you have any feedback on our support, please contact
  [email protected]
  Evan Liu
  TechNet Community Support

• Built in Approval workflow can't send to AD univeral security mail enabled group (email recipient not valid)

  Background: SP2010 SP2 with March 2015 CU installed. Using the built-in Approval - SharePoint 2010 workflow on a library. The Approval workflow does send email to individual users when users are specified in the Approvers field instead of a group. We
  need to use a group. The workflow reports the error email recipients are not valid. I don't see anything in ULS logs. The Exchange server tracking logs do not show the emails to the AD group being processed (no evidence they are even received into Exchange,
  but all other mail from SharePoint goes through, including the workflow's email to the workflow initiator). I can send email to the AD group from Outlook and all group members get it.
  To send Approval workflow email to a mail enabled AD Universal Security group, what
  exactly are the requirements?
  Q1. Does the SharePoint\system account (aka web app pool account) *absolutely* need to have a mailbox?
  If so, I need some clarification. I saw
  http://www.spdev.info/2012/11/using-security-groups-with-workflows.html which was offered as a solution in another post. It says "To allow SharePoint to email the mail enabled security group you need to either create a mailbox for the SharePoint service
  account, or attach the email address provided in the Outbound Email Settings as an additional email alias for a mailbox." Then it says you need to do *both* - create a mailbox for service account *and* add the outbound email settings address as an alias
  in the *service account's* mailbox settings. Well, we can't do the latter. We are using a dedicated AD account with a mailbox for SharePoint mail settings purposes, and no two mailboxes can have the same alias.
  I tried adding the AD account specified in the Reply From: outbound email settings (Reply To: is set to a distribution list) to the AD group's "Message Delivery Restrictions" and UNchecking Require that all senders are authenticated (even
  though the AD account does authenticate). I tried allowing All Senders and UNchecking Require authentication (though that leaves email address open to spammers), but neither worked.
  Q2. Does the AD mail enabled group need to be synchronized via User Profile Sync?
  We currently only sync users. I do see the AD groups (we use AD groups into SharePoint groups security model) in SharePoint's People and Groups, and the mail address for the mail enabled group is *not* present in the properties. Is it a requirement to sync
  the AD groups so that the email address shows in the AD group's properties in SharePoint?
  The AD group is in a SharePoint group with Approve permissions. The individual AD group members are also in another AD group in a SharePoint group with Contribute permissions. I even placed myself in the AD group to test whether permissions issues; I am
  farm admin. All SharePoint groups are set to allow Everyone to read the group's members.
  This is driving me crazy.
  Thanks,
  Joan

  Hello Victoria,
  Thank you. I have an update. I got the workflow working. Turned out to be two separate unrelated issues:
  (1) invalid email address for recipient was because the email address of AD group was not present in SharePoint's properties for group. Also why nothing appeared in Exchange Server tracking logs; the email was never sent from SharePoint. Once this was remedied
  (explained below), the Task Assigned email was sent out to the AD group.
  (2) the Task Assigned email was rejected by Exchange for reason 550 5.7.1 RESOLVER.RST.AuthRequired. The Exchange tracking logs clearly showed this. Setting the AD group's properties Mail Flow Settings, Message Delivery Restrictions to "Only senders
  in the following list: <the domain account of the email address specified in SharePoint outgoing email Reply From setting>" and UNchecking "Require that all senders are authenticated" allowed the Task Assigned email to go through.
  Answer to Q1: It is not required for System account (aka web app pool account) to have a mailbox when the SharePoint outgoing mail settings Reply From email address is of a domain account of the domain SharePoint is in. That is our scenario, as I noted we
  use a domain service account dedicated for SharePoint mail. I can't speak to other scenarios. The Reply To: does not have to be the same email address; we use a distribution list. And, ever paranoid about spamming because of unchecking require autenticated
  senders, I verified that my own account could not send email to the group (Outlook provides message "You do not have permission to send to: <GroupName>").
  Answer to Q2: I did not have to sync groups via User Profile Service. What I did do, however, was remove the AD group from SharePoint, People and Groups, Groups list, and readd it. (Note: what I *literally* did was was remove the SharePoint group from all
  permissions, remove the AD group from the SharePoint group, then remove the AD group from the Groups list, readd the AD group into the SharePoint group, and reassign permissions to the SharePoint group - Read to top-level site, Read to subsite (has unique
  permissions), and Read, Approve to the subsite library with the workflow. In order to start clean. When I readded the AD group to the SharePoint group, it came in with an email address; email address now shows in the group's SharePoint properties. I noticed
  that the format was GroupName instead of Domain\GroupName. (I had originally created the AD group as a Global Security group, added it to a SharePoint group, *then* (after I found out about that requirement when first troubleshooting workflow) converted it
  to Universal and mail enabled it.
  I suppose, would syncing groups would fix this issue of SharePoint not updating AD group changes?
  Additional note: I first gave the AD group Read to the library directly instead of giving Read to the SharePoint group, tried the workflow, and the email was sent. I then removed the AD group's direct permissions to the library and added the SharePoint group
  to the library and that also worked. So I was able to use the AD group in SharePoint group (I had read in one post that would not work).
  Thanks,
  Joan

• My home sharing and remote app does not work. How do I fix it? I am on a university network.

  My home sharing and remote app does not work.
  Here is my setup:
  Macbook 2009 running Mac OS X 10.6.8
  Itunes 10.6.1
  Ipod Touch 4th gen Mac OS X 5.1
  I am on a university secured network.

  Hi Charles, chinese may be difficult, see our resident language ecxpert, Tom's reply here...
  https://discussions.apple.com/message/20061347#20061347
  On the slowness...
  See if the Disk is issuing any S.M.A.R.T errors in Disk Utility...
  http://support.apple.com/kb/PH7029
  Open Activity Monitor in Applications>Utilities, select All Processes & sort on CPU%, any indications there?
  How much RAM & free Disk space do you have also, click on the Memory & Disk Usage Tabs.
  Open Console in Utilities & see if there are any clues or repeating messages when this happens.
  In the Memory tab of Activity Monitor, are there a lot of Pageouts?
  https://discussions.apple.com/servlet/JiveServlet/showImage/2-18666790-125104/AM Pageouts.jpg

• Converting AD security object to Exchange object

  Hi all,
  We have created Universal Security Groups in AD,then add members to the Group so they can get FULL or Send As permission in Shared mailboxes.In ECP Exchange doesnt see these Groups,so we have to use PowerShell to add those permissions.
  Now we will migrate over 1k mailboxes to Exchange Online and as far as i know all permission will be gone,since these Security Groups are not Exchange Object.
  Is there a way we can convert existing AD Object to Exchange Objects?
  Thanks and sorry if posted in wrong section.
  Please mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you. Thank you! Off2work

  Hi,
  You can use the Set-ADGroup cmdlet to change the group's GroupCategory property from security group to distribution group. Note that the LDAP attribute is GroupType.
  What's more, you can also do this using ADUC, here is the steps for your reference:
  Open ADUC -> Microsoft Exchange Security Groups -> right click the group you want to change -> Properties -> click Distribution -> Apply
  For more information, here is a thread for your reference:
  Change security groups to distribution groups
  http://exchangepedia.com/2012/08/exchange-2010-change-security-group-to-distribution-group.html
  Note: Microsoft is providing this information as a convenience to you. The site is not controlled by Microsoft. Microsoft cannot make any representations regarding the quality, safety, or suitability of any information found there. Please make sure that
  you completely understand the risk before retrieving any suggestions from the above link.
  Hope this can be helpful to you.
  Best regards,
  Amy Wang
  TechNet Community Support

• Removing the Last Security Update

  I would like to remove the last security update (I think it's - Security Update 2007-002 (Universal) - Security Updates ) - to see if it's what messed up 1 application - (that's the only thing that's changed).
  and No - I didn't do a backup prior to the install... (too bad)
  Q: how do I manually remove the last security update

  Hi Rev Dave;
  What application?
  Maybe if you tell us that information we might be able to tell you if the Security Update might be causing this problem.
  Removing an update is non-trival task especially if you don't have a backup.
  Allan

• Who removed user from AD Universal secuirty group

  Hello , i am trying to find who removed user from universal AD group , i checked audit management policy is enabled but some how event is not getting generated or unable to find those events so please help how to find who did that job - removed the user
  from universal security group.
  And suppose if anybody is deleting and the logs should be generated on one of the local site Domain controller is that correct ? so anywhere or it can be generated on the member server. Any free third party tool who can help here .
  Thanks

  Here is another informative technet blog resource that helps to track all the changes made in active directory : http://blogs.technet.com/b/askpfeplat/archive/2012/03/05/how-to-track-the-who-what-when-and-where-of-active-directory-attribute-changes-part-i-the-case-of-the-mysteriously-modified-upn.aspx
  If you wish to audit such changes automatically, you may also consider on this automated solution (http://www.activedirectoryaudit.com/) that would be a better approach to audit all the critical changes
  into real time and get instant notification for through customized email notification.

• Natd stopped working after Software Updates: Bogus VLAN injections?

  Software Update installed three packages on the iMac today:
  Safari 3.1 Update (Universal)
  Security Update 2008-002 (Universal)
  AirPort Extreme Update 2008-001
  This machine (running 10.4.11, fully updated now) is my connection-sharing gateway the internet for my wife's MacBook, a Linux box and a TiVo unit.
  Comcast ==(ethernet)== public-IP iMac ==(wireless)== private IP MacBook, Linux, TiVo
  I ran my usual firewall + Internet sharing script after the mandatory reboot.
  The iMac's broadband connection worked fine for local programs (Safari, ssh) but none of the machines with private IP addresses on the LAN could see the outside world. The machines on the home LAN could see each other fine -- ping, ssh, etc. Time to start testing!
  When I pinged an external machine from the Linux machine, the DNS lookup succeeded after a delay, but it seemed that no ICMP responses came back. Actually, packet tracing with Wireshark showed that the responses had come in with an extra four-byte header field I had not seen before: something called "802.1Q Virtual Lan" inserted between the Ethernet II header and the Internet Protocol header. Sample packet dump (slightly edited):
   No.:  20
   Time:  00:04:56.746703
   Source:  64.233.187.99
   Destination:  192.168.1.2
   Protocol:  ICMP
   Info:  Echo (ping) reply
   Frame 20 (102 bytes on wire, 102 bytes captured)
   Ethernet II, Src: AppleCom_54:1b:30 (00:17:f2:54:1b:30), Dst: FirstInt_94:75:8f (00:40:ca:94:75:8f)
    *802.1Q Virtual LAN*
       *001. .... .... .... = Priority: 1*
       *...0 .... .... .... = CFI: 0*
       *.... 0000 0000 0000 = ID: 0*
       *Type: IP (0x0800)*
   Internet Protocol, Src: 64.233.187.99 (64.233.187.99), Dst: 192.168.1.2 (192.168.1.2)
   Internet Control Message Protocol
  Looking further back in the trace, it turned out that the DNS delay had the same oddity. The Linux machine sent out a request to the primary DNS server, got back an immediate response with the extra "802.1Q" field, waited 5 seconds, sent out a DNS request to the secondary server, got an immediate normal response (without "802.1Q"), then immediately used the returned numeric address for the pings. It's as if the Linux machine ignored the packet with the extra, interposed header.
  I traced HTTP traffic to google.com and saw a similar pattern:
  1. bogus 1st DNS response
  2. delay
  3. good second DNS response
  4. sent HTTP SYN packet
  5. got back HTTP SYN/ACK with extra "802.1Q" field
  6. multiple retries of steps 4 and 5.
  I suspect that one or more of the software updates is inserting this VLAN stuff into NAT-ed packets over Airport. The receiving machines drop the packets because they expect the Ethernet II header to be followed by the IP header, not 802.1Q data.
  An old discussion thread ([VOIP VLAN using 802.1q frames causing massive dropped packets|http://discussions.apple.com/thread.jspa?threadID=378673#1833386]) talked about a similar problem.
  Here are the NAT-related commands from my firewall script:
    natd -u -dynamic -interface en0
    /sbin/ipfw add divert natd all from not me to any via en0
    sysctl -w net.inet.ip.forwarding=1
  Question: is there a known workaround to get the MacOSX network drivers not to insert 802.1Q VLAN headers?
  Thanks in advance!
  --GCL

  Hello faab:
  Welcome to Apple discussions.
  I am afraid to indicate that you probably will need to wait until you are back and have the software install DVD.
  There is really no way to tell what happened. To fix it, however, you really need the DVDs.
  Barry

• How do I stop Firefox from automatically filling in the spaces for my username and password on one of my password protected websites?

  Firefox is automatically entering my username and password on my Sacramento State University secure password site. I am trying to get that function stopped. I do not want my username and password automatically entered in the spaces provided for log in. I want to manually enter that information myself each time I log in to that particular secure password protected site.
  So far...I can not find a way to do that. All I find is a way to change my password. I do not wish to change my password. I just do not want it automatically entered for me.

  Thanks guys...I did as you suggested and it worked! Thanks!
  However...just want you all to know...a computer illiterate like myself had trouble finding which function on the menu bar to click on to find the options and security settings to "unclick." Eventually...I found the correct window.
  Thanks again...your advice worked!