BI-Permissions based on 1:n characteristic

Hi experts,
I've got the following scenario:
I've to process CRM-records in the BW-System.
The CRM permission model allows permitting all users who are assigned to a document (opportunity) via partner roles.
In other words: if DocID 12345 has n users assigned to it, these n users shall be permitted to see that document.
In the BW system the permissions are normally based on the characteristics which are part of a record.
In this case the n assigned users cannot be part of the record, and there's no 1:1 relationship between the document and the permission-relevant users.
So, what is the best practice in such cases?
One idea would be to evaluate the permitted DocIDs on the fly (by joining against a relationship table DocID/Partners).
But that might lead to more than 2000 DocIDs which is too much for the sql-select.
Any hints or ideas how to solve this problem?
Thanks in advance,
  best regards,
  Marco

I did some testing and realized that the 2000-records problem obviously does not exist here.
But the number of values a user is permitted to see seems to be strongly relevant for the runtime of the query:
If the user is permitted to 2500 records, it takes 5s till the variable screen is displayed - and another 10 till the report is done.
5000 records ---> 10s till var-screen, 33s till report.
10000 records ---> 35s till var-screen, 90s till report.
So the conclusion seems to be that it is not linear.
Best regards,
  Marco

Similar Messages

  • KM Permissions based on MetaData

    Hello,
    I am wondering if there is any way to apply access permissions based on a metadata tag on a document. What I would like to do is see if there is a way to have a metadata property pre-defined which allows for a "level of access". For example, if we create a "classification" property with forced values of 1, 2 and 3, and set it as mandatory for all docs, is there any way to restrict access to the document such that 1 cannot, 2 cannot but 3 can (based on their respective classification)?
    I know that the user has no specific "metadata" per se, but can we allow/disallow it via a mapping to the group they reside in from the UME?
    Kind regards,
    Judson

    Hi Judson,
    I think this would require custom development.
    After creating a metadata / property in KM & to make it accessible in the Details -> Properties, the new property needs to be added in the all_groups. But again this has no connection with the permissions at UME level.
    Well this is what I can think of randomly:
    1. Create the required metadata and add them in the appropriate groups.
    2. Write a code which will extract the permissions at group level and then play around with switching the properties on/off.
    Hope this helps.
    All the best!
    Warm Regards,
    Ritu

  • Billing plan type determination based on Variant configuration characterist

    Hi All,
    We have a process wherein we determine the billing plan of the contract based on the characteristic value of the material.
    If the characteristic value is 'M', assign the monthly billing plan to FPLA; if the value is 'Q', then quarterly.
    What is the right place to update the FPLA table so that FPLT gets updated automatically?
    We tried doing the code in MV45AFZZ, VBKD routing.. But the FPLT is not getting updated all the time.
    Thanks,
    Ajai.

    Prathiba
    Are you able to resolve this issue?

  • How get codesource of caller in SecurityManager, change perms based on it?

    I want to have a SecurityManager that does something like:
    public void checkPermission(Permission perm) {
        // Pseudo code: callers whose context is on the allow-list pass straight through
        if (allowedList.contains(callerContext)) {
            return;
        }
        // Otherwise pass to another SecurityManager object
        baseSecurityManager.checkPermission(perm);
    }
    If I know what jar file the allowed code was loaded from, how would I find out if the calling code's context is the same (from that jar or other jars I "OK")?

    Thanks for taking the time to help me on this! :)
    * SecurityManager isn't designed for delegation to another SecurityManager. The various check* methods may be overridden to allow extra permissions. If you don't delegate to the method that was originally called, you might miss something.
      I know that normally this is the case but the specs on this require it. :(
    * The model is that every frame in the current AccessControlContext (acc) has the required permission. So you need to iterate through and throw when you find an unprivileged frame. This is what AccessControlContext.checkPermission does.
      Yeah, I was trying to iterate through the classes from getClassContext() but when I call getProtectionDomain(), it starts an endless loop.
    * Use AccessController.getContext in preference to SecurityManager.getClassContext.
      Unfortunately, that doesn't help. You can't get at any of the classes/codesources/protectiondomains in the context. The only thing you can do is ask it if, according to its internal algorithm, the permission is implied. I can't get any info about the calling class' codesource.
    * (Since 1.4,) ProtectionDomains constructed with the four-argument constructor are dynamic, and add permissions from the current Policy. This seems like what you want to do.
      Hmmm, there might be something here, but the problem is I don't think it will work as there will be an installed 3rd party SecurityManager that may or may not even pay attention to that. (I've been pretty surprised at the number of security manager implementations that don't check that stuff and simply return "OK")
    * Source for SecurityManager and other classes is in src.zip of the JDK. SecurityManager.checkPermission uses java.security.AccessController.
      Yeah, I checked this but it simply goes to native code which checks for info that's only available to Sun's JVM code.
    Thanks again!

  • Equipment search based on Class and Characteristic data

    Hello Experts,
    We are looking for some inputs on how to get an index created on Class and Characteristics for Equipments.
    We are using Embedded Search, TREX Version 7.10.44.00, Changelist 323327 (710_REL), InstallationType ESH along with ECC 6.0/EhP4.
    We can't see any standard template available in our cockpit(ESH_COCKPIT) for Class and Characteristic but we can see a template on Equipment(EQUI).
    We have the following software components available : EA-HRGXX, ESH_COMMON_OBJECTS and SAP_APPL however class and characteristic are missing.
    We tried to import it but unavailable in the import queue. Hence it seems we need to create it manually.
    Question:
    Is it available in some patch or something from where we can import it? We assume these should be definitely available somewhere since these are standards templates.
    From where we can get the technical details if we want to create these manually?
    How to configure the index to get the relevant field data from ECC-->TREX for these new indexes(Class/Characteristic) created?
    What extra coding required to do this? Where we can find the details on how to program and run this?
    Any other related info around this will be really helpful.
    Many Thanks
    Sanjay

    hi,
    the standard templates are only delivered with EHP5 and NW 7.2 as part of the standard delivery.
    cheers,
    Om

  • Admin Permissions based on Role

    I would like to set up my AD so that members of my help desk can reset passwords for domain users and no one else. I would like my help desk to be able to add computers to the domain and to reset passwords. I have made a security group that allows them to join computers to the domain but I do not see how to allow them to reset passwords without being able to reset everyone's passwords, i.e. higher administrators.
    Any help would be appreciated.

    Awesome, didn't realize it was that easy. I did all that; now how does the helpdesk person access the console to change the password?
    You need to install the admin tools on their boxes. Search the web for "RSAT" and download those tools; there are different packages for Windows 7/Windows 8.
    Enfo Zipper
    Christoffer Andersson – Principal Advisor
    http://blogs.chrisse.se - Directory Services Blog

  • Can forms be assigned permissions based on certain users?

    Is there a way to manage individual forms and set / allow only certain people to view the results of said forms? I would like to make forms that only certain managers in our company can view and make changes to. Is that possible?

    I have figured this little issue out....

  • Permissions for Windows Service on Server

    Post Author: bdimon
    CA Forum: Authentication
    I wrote a Windows service running as an Active Directory user. It cannot print on the Windows Server, so I wrote a Windows application to test the permissions. When a user with local admin rights runs the test application, it prints. When he starts the program using the "Run As" option and enters the Active Directory user from the service, he gets the same error as the Windows Service gets. This must be permissions-based.
    When I installed this Windows Service on a staging server, everything was fine. However the staging server was not "secured" by the network team so the Active Directory user had Read/Execute permissions on the C: drive. I do not want to ask for these permissions on the production server's C: drive.
    The error is:
    System.Exception: Load report failed. ---> System.Runtime.InteropServices.COMException (0x800002AD): Error in File UNKNOWN.RPT:
    The request could not be submitted for background processing.
       at CrystalDecisions.ReportAppServer.ClientDoc.ReportClientDocumentClass.Open(Object& DocumentPath, Int32 Options)
       at CrystalDecisions.ReportAppServer.ReportClientDocumentWrapper.Open(Object& DocumentPath, Int32 Options)
       at CrystalDecisions.ReportAppServer.ReportClientDocumentWrapper.EnsureDocumentIsOpened()
       --- End of inner exception stack trace ---
       at CrystalDecisions.ReportAppServer.ReportClientDocumentWrapper.EnsureDocumentIsOpened()
       at CrystalDecisions.CrystalReports.Engine.ReportDocument.Load(String filename, OpenReportMethod openMethod, Int16 parentJob)
       at CrystalDecisions.CrystalReports.Engine.ReportDocument.Load(String filename)
       at WindowsApplication1.frmTestServerPrint.PrintCrystalReport(String& ErrorText, String ReportFileName, String PrinterLocation, Int32 PayTransStatusCode)

    Post Author: jgreg311
    CA Forum: Authentication
    I believe I'm having a similar problem, and was hoping to see if either you have found an answer to the problem or reactivate this thread in hopes someone will finally answer us. I'm creating reports using a Windows service as well. The report files are compiled into the DLL, and they are being exported to save them to disk. The error is being generated when the report object is first accessed (which happens to be when attempting to set the Text property on a TextObject). It works fine on my development machine. I've installed the service on the production server using a Visual Studio 2005 Setup and Deployment project. I added the 2005 Crystal merge module to the setup, so all necessary files should exist on the server. The service is running as a domain user that has admin rights on the local machine, but we're still getting this error that seems, according to posts I've found online, to be a permissions issue. Here is the exception in its entirety:
    Exception Type: System.Exception
    Exception Message: Load report failed.
    Exception Stack Trace:
       at CrystalDecisions.ReportAppServer.ReportClientDocumentWrapper.EnsureDocumentIsOpened()
       at CrystalDecisions.CrystalReports.Engine.ReportDocument.Load(String filename, OpenReportMethod openMethod, Int16 parentJob)
       at CrystalDecisions.CrystalReports.Engine.ReportClass.Load(String reportName, OpenReportMethod openMethod, Int16 parentJob)
       at CrystalDecisions.CrystalReports.Engine.ReportDocument.EnsureLoadReport()
       at CrystalDecisions.CrystalReports.Engine.ReportDocument.get_ReportDefinition()
       at ...
    Inner Exception:
    System.Runtime.InteropServices.COMException (0x800002AD): Error in File UNKNOWN.RPT: The request could not be submitted for background processing.
       at CrystalDecisions.ReportAppServer.ClientDoc.ReportClientDocumentClass.Open(Object& DocumentPath, Int32 Options)
       at CrystalDecisions.ReportAppServer.ReportClientDocumentWrapper.Open(Object& DocumentPath, Int32 Options)
       at CrystalDecisions.ReportAppServer.ReportClientDocumentWrapper.EnsureDocumentIsOpened()
    Any help with this would be GREATLY appreciated. Once again Crystal Reports are the only thing holding up an important project.

  • Using container managed form-based security in JSF

    h1. Using container managed, form-based security in a JSF web app.
    A Practical Solution
    h2. {color:#993300}*But first, some background on the problem*{color}
    The Form components available in JSF will not let you specify the target action; everything is a post-back. When using container security, however, you have to specifically submit to the magic action j_security_check to trigger authentication. This means that the only way to do this in a JSF page is to use an HTML form tag enclosed in verbatim tags. This has the side effect that the post is not handled by JSF at all, meaning you can't take advantage of normal JSF functionality such as validators, plus you have a horrible chimera of a page containing both markup and components. This screws up things like skinning. ([credit to Duncan Mills in this two-year-old article|http://groundside.com/blog/DuncanMills.php?title=j2ee_security_a_jsf_based_login_form&more=1&c=1&tb=1&pb=1]).
    In this solution, I will use a pure JSF page as the login page that the end user interacts with. This page will simply gather the input for the username and password and pass that on to a plain old jsp proxy to do the actual submit. This will avoid the whole problem of having to use verbatim tags or a mixture of JSF and JSP in the user view.
    h2. {color:#993300}*Step 1: Configure the Security Realm in the Web App Container*{color}
    What is a container? A container is basically a security framework that is implemented directly by whatever app server you are running, in my case Glassfish v2ur2 that comes with Netbeans 6.1. Your container can have multiple security realms. Each realm manages a definition of the security "*principals*" that are defined to interact with your application. A security principal is basically just a user of the system that is defined by three fields:
    - Username
    - Group
    - Password
    The security realm can be set up to authenticate using a simple file, or through JDBC, or LDAP, and more. In my case, I am using a "file" based realm. The users are statically defined directly through the app server interface. Here's how to do it (on Glassfish):
    1. Start up your app server and log into the admin interface (http://localhost:4848)
    2. Drill down into Configuration > Security > Realms.
    3. Here you will see the default realms defined on the server. Drill down into the file realm.
    4. There is no need to change any of the default settings. Click the Manage Users button.
    5. Create a new user by entering username/password.
    Note: If you enter a group name then you will be able to define permissions based on group in your app, which is much more useful in a real app.
    I entered a group named "Users" since my app will only have one set of permissions and all users should be authenticated and treated the same.
    That way I will be able to set permissions to resources for the "Users" group that will apply to all users that have this group assigned.
    TIP: After you get everything working, you can hook it all up to JDBC instead of "file" so that you can manage your users in a database.
    h2. {color:#993300}*Step 2: Create the project*{color}
    Since I'm a newbie to JSF, I am using Netbeans 6.1 so that I can play around with all of the fancy Visual Web JavaServer Faces components and the visual designer.
    1. Start by creating a new Visual Web JSF project.
    2. Next, create a new subfolder under your web root called "secure". This is the folder that we will define a Security Constraint for in a later step, so that any user trying to access any page in this folder will be redirected to a login page to sign in, if they haven't already.
    h2. {color:#993300}*Step 3: Create the JSF and JSP files*{color}
    In my very simple project I have 3 pages set up. Create the following files using the default templates in Netbeans 6.1:
    1. login.jsp (A Visual Web JSF file)
    2. loginproxy.jspx (A plain JSPX file)
    3. secure/securepage.jsp (A Visual Web JSF file... Note that it is in the sub-folder named secure)
    Code follows for each of the files:
    h3. {color:#ff6600}*First we need to add a navigation rule to faces-config.xml:*{color}
    {code}
    <navigation-rule>
        <from-view-id>/login.jsp</from-view-id>
        <navigation-case>
            <from-outcome>loginproxy</from-outcome>
            <to-view-id>/loginproxy.jspx</to-view-id>
        </navigation-case>
    </navigation-rule>
    {code}
    NOTE: This navigation rule simply forwards the request to loginproxy.jspx whenever the user clicks the submit button. The button1_action() method below returns the "loginproxy" case to make this happen.
    h3. {color:#ff6600}*login.jsp -- A very simple Visual Web JSF file with two input fields and a button:*{color}
    {code}
    <?xml version="1.0" encoding="UTF-8"?>
    <jsp:root version="2.1"
        xmlns:f="http://java.sun.com/jsf/core"
        xmlns:h="http://java.sun.com/jsf/html"
        xmlns:jsp="http://java.sun.com/JSP/Page"
        xmlns:webuijsf="http://www.sun.com/webui/webuijsf">
        <jsp:directive.page contentType="text/html;charset=UTF-8" pageEncoding="UTF-8"/>
        <f:view>
            <webuijsf:page id="page1">
                <webuijsf:html id="html1">
                    <webuijsf:head id="head1">
                        <webuijsf:link id="link1" url="/resources/stylesheet.css"/>
                    </webuijsf:head>
                    <webuijsf:body id="body1" style="-rave-layout: grid">
                        <webuijsf:form id="form1">
                            <webuijsf:textField binding="#{login.username}" id="username"
                                style="position: absolute; left: 216px; top: 96px"/>
                            <webuijsf:passwordField binding="#{login.password}" id="password"
                                style="left: 216px; top: 144px; position: absolute"/>
                            <webuijsf:button actionExpression="#{login.button1_action}" id="button1"
                                style="position: absolute; left: 216px; top: 216px" text="GO"/>
                        </webuijsf:form>
                    </webuijsf:body>
                </webuijsf:html>
            </webuijsf:page>
        </f:view>
    </jsp:root>
    {code}
    h3. {color:#ff6600}*login.java -- implement the button1_action() method in the login.java backing bean*{color}
    {code}
    public String button1_action() {
        // Stash the entered credentials in request scope so loginproxy.jspx can pick them up after the forward
        setValue("#{requestScope.username}", (String) username.getValue());
        setValue("#{requestScope.password}", (String) password.getValue());
        return "loginproxy";
    }
    {code}
    h3. {color:#ff6600}*loginproxy.jspx -- a login proxy that the user never sees. The onload="document.forms[0].submit()" automatically submits the form as soon as it is rendered in the browser.*{color}
    {code}
    <?xml version="1.0" encoding="UTF-8"?>
    <jsp:root xmlns:jsp="http://java.sun.com/JSP/Page"
        xmlns:fn="http://java.sun.com/jsp/jstl/functions"
        version="2.0">
        <jsp:output omit-xml-declaration="true" doctype-root-element="HTML"
            doctype-system="http://www.w3.org/TR/html4/loose.dtd"
            doctype-public="-//W3C//DTD HTML 4.01 Transitional//EN"/>
        <jsp:directive.page contentType="text/html" pageEncoding="UTF-8"/>
        <html>
            <head>
                <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
                <title>Logging in...</title>
            </head>
            <body onload="document.forms[0].submit()">
                <form action="j_security_check" method="POST">
                    <!-- fn:escapeXml keeps a quote or angle bracket typed into the credential from breaking out of the attribute -->
                    <input type="hidden" name="j_username" value="${fn:escapeXml(requestScope.username)}"/>
                    <input type="hidden" name="j_password" value="${fn:escapeXml(requestScope.password)}"/>
                </form>
            </body>
        </html>
    </jsp:root>
    {code}
    h3. {color:#ff6600}*secure/securepage.jsp -- A simple JSF target page, placed in the secure folder to test access*{color}
    {code}
    <?xml version="1.0" encoding="UTF-8"?>
    <jsp:root version="2.1"
        xmlns:f="http://java.sun.com/jsf/core"
        xmlns:h="http://java.sun.com/jsf/html"
        xmlns:jsp="http://java.sun.com/JSP/Page"
        xmlns:webuijsf="http://www.sun.com/webui/webuijsf">
        <jsp:directive.page contentType="text/html;charset=UTF-8" pageEncoding="UTF-8"/>
        <f:view>
            <webuijsf:page id="page1">
                <webuijsf:html id="html1">
                    <webuijsf:head id="head1">
                        <webuijsf:link id="link1" url="/resources/stylesheet.css"/>
                    </webuijsf:head>
                    <webuijsf:body id="body1" style="-rave-layout: grid">
                        <webuijsf:form id="form1">
                            <webuijsf:staticText id="staticText1"
                                style="position: absolute; left: 168px; top: 144px" text="A Secure Page"/>
                        </webuijsf:form>
                    </webuijsf:body>
                </webuijsf:html>
            </webuijsf:page>
        </f:view>
    </jsp:root>
    {code}
    h2. {color:#993300}*_Step 4: Configure Declarative Security_*{color}
    This type of security is called +declarative+ because it is not configured programmatically. It is configured by declaring all of the relevant parameters in the configuration files: *web.xml* and *sun-web.xml*. Once you have it configured, the container (application server and Java framework) already has the implementation to make everything work for you.
    *web.xml will be used to define:*
    - Type of security - We will be using "form based". The loginpage.jsp we created will be set as both the login and error page.
    - Security Roles - The security role defined here will be mapped (in sun-web.xml) to users or groups.
    - Security Constraints - A security constraint defines the resource(s) that is being secured, and which Roles are able to authenticate to them.
    *sun-web.xml will be used to define:*
    - This is where you map a Role to the Users or Groups that are allowed to use it.
    +I know this is confusing the first time, but basically it works like this:+
    *Security Constraint for a URL* -> mapped to -> *Role* -> mapped to -> *Users & Groups*
    h3. {color:#ff6600}*web.xml -- here's the relevant section:*{color}
    {code}
    <security-constraint>
        <display-name>SecurityConstraint</display-name>
        <web-resource-collection>
            <web-resource-name>SecurePages</web-resource-name>
            <description/>
            <url-pattern>/faces/secure/*</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
            <http-method>HEAD</http-method>
            <http-method>PUT</http-method>
            <http-method>OPTIONS</http-method>
            <http-method>TRACE</http-method>
            <http-method>DELETE</http-method>
        </web-resource-collection>
        <auth-constraint>
            <description/>
            <role-name>User</role-name>
        </auth-constraint>
    </security-constraint>
    <login-config>
        <auth-method>FORM</auth-method>
        <realm-name/>
        <form-login-config>
            <form-login-page>/faces/login.jsp</form-login-page>
            <form-error-page>/faces/login.jsp</form-error-page>
        </form-login-config>
    </login-config>
    <security-role>
        <description/>
        <role-name>User</role-name>
    </security-role>
    {code}
    h3. {color:#ff6600}*sun-web.xml -- here's the relevant section:*{color}
    {code}
    <security-role-mapping>
        <role-name>User</role-name>
        <group-name>Users</group-name>
    </security-role-mapping>
    {code}
    h3. {color:#ff6600}*Almost done!!!*{color}
    h2. {color:#993300}*_Step 5: A couple of minor "Gotchas"_*{color}
    h3. {color:#ff6600}*_Gotcha #1_*{color}
    You need to configure the "welcome page" in web.xml to point to faces/secure/securepage.jsp ... Note that there is *_no_* leading / ... If you put a / in there it will barf all over itself.
    h3. {color:#ff6600}*_Gotcha #2_*{color}
    Note that we set the <form-login-page> in web.xml to /faces/login.jsp ... Note the leading / ... This time, you NEED the leading slash, or the server will gag.
    *DONE!!!*
    h2. {color:#993300}*_Here's how it works:_*{color}
    1. The user requests a page from your context (http://localhost/MyLogin/)
    2. The servlet forwards the request to the welcome page: faces/secure/securepage.jsp
    3. faces/secure/securepage.jsp has a security constraint defined, so the servlet checks to see if the user is authenticated for the session.
    4. Of course the user is not authenticated since this is the first request, so the servlet forwards the request to the login page we configured in web.xml (/faces/login.jsp).
    5. The user enters username and password and clicks a button to submit.
    6. The button's action method stores away the username and password in the request scope.
    7. The button returns "loginproxy" navigation case which tells the navigation handler to forward the request to loginproxy.jspx
    8. loginproxy.jspx renders a blank page to the user which has hidden username and password fields.
    9. The hidden username and password fields grab the username and password variables from the request scope.
    10. The loginproxy page is automatically submitted with the magic action "j_security_check"
    11. j_security_check notifies the container that authentication needs to be intercepted and handled.
    12. The container authenticates the user credentials.
    13. If the credentials fail, the container forwards the request to the login.jsp page.
    14. If the credentials pass, the container forwards the request to *+the last protected resource that was attempted.+*
    +Note the last point! I don't know how, but no matter how many times you fail authentication, the container remembers the last page that triggered authentication and once you finally succeed the container forwards your request there!!!!+
    +The user is now at the secure welcome page.+
    If you have read this far, I thank you for your time, and I seriously question your ability to ration your time pragmatically.
    Kerry Randolph

    If you want login security on your web app, this is one way to do it (the easiest way I have seen).
    This method allows you to create a custom login form and error page using JSF.
    The container handles the actual authentication and protection of the resources based on what you declare in web.xml and sun-web.xml.
    This example uses a statically defined user/password, stored in a file, but you can also configure a JDBC realm in Glassfish, so that users can register for access and your program can store the username/password in a database.
    I'm new to programming, so none of this may be a good practice, or may not be secure at all.
    I really don't know what I'm doing, but I'm learning, and this has been the easiest way that I have found to add authentication to a web app, without having to write the login modules yourself.
    Another benefit, and I think this is key ***You don't have to include any extra code in the pages that you want to protect*** The container manages this for you, based on the constraints you declare in web.xml.
    So basically you set it up to protect certain folders, then when any user tries to access pages in that folder, they are required to authenticate.
    --Kerry
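The constraint-to-role-to-group chain the post describes, modelled in Python as an added example (not code from the post or from GlassFish); the <web-app>/<sun-web-app> wrapper elements and the function names are assumptions. Beyond the post's own case, it shows that listing <http-method> elements, as the posted web.xml does, leaves any unlisted method such as PATCH without a login requirement, a gap that dropping those elements closes.

```python
import xml.etree.ElementTree as ET

# Constructed from the post's web.xml and sun-web.xml fragments; the <web-app> and
# <sun-web-app> wrapper elements and the {methods} slot are assumptions of this model.
WEB_XML_TEMPLATE = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>SecurePages</web-resource-name>
      <url-pattern>/faces/secure/*</url-pattern>
      {methods}
    </web-resource-collection>
    <auth-constraint>
      <role-name>User</role-name>
    </auth-constraint>
  </security-constraint>
  <security-role>
    <role-name>User</role-name>
  </security-role>
</web-app>"""

POSTED_METHODS = ["GET", "POST", "HEAD", "PUT", "OPTIONS", "TRACE", "DELETE"]
# As posted: seven <http-method> elements, so only those seven methods are constrained.
WEB_XML_AS_POSTED = WEB_XML_TEMPLATE.format(
    methods="".join(f"<http-method>{m}</http-method>" for m in POSTED_METHODS))
# Corrected: no <http-method> element at all means the constraint covers every method.
WEB_XML_ALL_METHODS = WEB_XML_TEMPLATE.format(methods="")

SUN_WEB_XML = """<sun-web-app>
  <security-role-mapping>
    <role-name>User</role-name>
    <group-name>Users</group-name>
  </security-role-mapping>
</sun-web-app>"""


def parse_constraints(web_xml):
    """Yield (url_patterns, http_methods, roles) per <security-constraint>.

    roles is None when there is no <auth-constraint> (anyone may access) and an
    empty list when <auth-constraint> lists no roles (nobody may access)."""
    for sc in ET.fromstring(web_xml).findall("security-constraint"):
        patterns, methods = [], []
        for wrc in sc.findall("web-resource-collection"):
            patterns += [p.text.strip() for p in wrc.findall("url-pattern")]
            methods += [m.text.strip() for m in wrc.findall("http-method")]
        ac = sc.find("auth-constraint")
        roles = None if ac is None else [r.text.strip() for r in ac.findall("role-name")]
        yield patterns, methods, roles


def parse_role_mapping(sun_web_xml):
    """Map each declared role to the set of realm groups granted that role."""
    mapping = {}
    for srm in ET.fromstring(sun_web_xml).findall("security-role-mapping"):
        role = srm.find("role-name").text.strip()
        mapping.setdefault(role, set()).update(g.text.strip() for g in srm.findall("group-name"))
    return mapping


def pattern_matches(pattern, path):
    """Servlet-spec URL matching: exact, path prefix ('/x/*'), extension ('*.jsp'), default ('/')."""
    if pattern == path:
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return pattern == "/"


def decide(web_xml, sun_web_xml, method, path, groups=None):
    """Simplified container decision for one request; groups=None means not yet logged in.

    Returns UNCONSTRAINED (served without login), LOGIN_REQUIRED (redirect to
    <form-login-page>), FORBIDDEN (403) or GRANTED."""
    roles_allowed = None  # stays None while no constraint matches the request
    for patterns, methods, roles in parse_constraints(web_xml):
        if not any(pattern_matches(p, path) for p in patterns):
            continue
        if methods and method not in methods:
            continue  # methods were listed and this one is not among them: not covered
        if roles is None:
            continue  # matched, but no <auth-constraint>: imposes no login requirement
        roles_allowed = (roles_allowed or set()) | set(roles)
    if roles_allowed is None:
        return "UNCONSTRAINED"
    if not roles_allowed:
        return "FORBIDDEN"  # <auth-constraint/> with no roles denies everyone
    if groups is None:
        return "LOGIN_REQUIRED"
    mapping = parse_role_mapping(sun_web_xml)
    permitted = set().union(*(mapping.get(r, set()) for r in roles_allowed))
    return "GRANTED" if groups & permitted else "FORBIDDEN"


def uncovered_methods(web_xml, path, probe=("GET", "POST", "PUT", "DELETE", "PATCH")):
    """Methods for which `path` is served without any login requirement."""
    return [m for m in probe if decide(web_xml, SUN_WEB_XML, m, path) == "UNCONSTRAINED"]


if __name__ == "__main__":
    page = "/faces/secure/securepage.jsp"
    print(decide(WEB_XML_AS_POSTED, SUN_WEB_XML, "GET", page))             # LOGIN_REQUIRED
    print(decide(WEB_XML_AS_POSTED, SUN_WEB_XML, "GET", page, {"Users"}))  # GRANTED
    print(uncovered_methods(WEB_XML_AS_POSTED, page))                      # ['PATCH']
    print(uncovered_methods(WEB_XML_ALL_METHODS, page))                    # []
```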

  • Renumbering with ACL-Friendly Role-Based Addressing or...?

    We are a mid-sized manufacturing firm operating out of three locations and we are in the process of making plans to restructure and renumber our networks so as to better facilitate automated configuration management and security, in addition to easing our deployment of IPv6.  Currently, at each site the L3/L2 boundary resides at the network core, but increasing traffic/chatter has us considering moving the L3/L2 boundary to the access layer(s), which consist of 3560-X units in the wiring closets that are supporting edge devices either directly or via 8-port 3560-C compact switches in the further reaches of our manufacturing and warehouse spaces.
    As we contemplate moving to a completely routed network, the big unknown we're struggling with is whether or not it is safe or even desirable to abandon ACL-friendly addressing, and whether, in doing so, we can expect to run into hardware limitations resulting from longer ACLs.
    Currently, each of our site-wide VLANs gets a subnet of the form 10.x.y.0/24, where x identifies the site and y identifies the class of equipment connected to said VLAN. This allows us to match internal traffic of a given type with just a single ACE, irrespective of where the end-point device resides geographically. Moving L3 routing decisions out to the access switches will require that we adopt smaller prefix assignments, with as many as 8 distinct subnets on each of our standard-issue 3560CG-8PC compact switches. Why so many, you ask? We currently have more than 30 ACL-relevant classifications of devices/hosts - a number that will only grow with time, and to maximize the availability of all services, it is our policy to physically distribute edge devices of a given class (e.g. printers, access points, etc.) over as many access switches as possible.
    From what I can see, we have three options, each of which presents trade-offs in terms of management complexity and address utilization efficiency:
    Option 1: Stick with ACL-friendly addressing, both for IPv4 and IPv6, and allocate uniform prefixes to each access switch.  For IPv4, within the 10.0.0.0/8 block we would probably allocate 8 bits to the site ID (/16), followed by 6 bits as the switch ID (/22), and 7 bits to identify the equipment/host classification (/29), for a maximum of 5 available addresses for a given class of devices on a given access switch.  For IPv6, assuming we have a /48 block for each site, we would use the first two bits to identify the type of allocation, the following 6 as the switch ID (/56), and the following 8 as the equipment/host classification (/64).
    Option 2: Abandon ACL-friendly addressing and dynamically allocate standard-sized prefixes from a common pool to each VLAN on a given switch.  The advantages of this approach are increased utilization efficiency and more addresses available within each VLAN, but it comes at the cost of non-summarizable routing tables and ACLs, and even if the hardware can handle this, it means we're talking about a more complex configuration management system and less ease in troubleshooting problems.
    Option 3: Do something similar to option 1, but with the L2/L3 boundary positioned at the distribution layer rather than the access layer.  I'm disinclined to go this route, as it seems to require the same, if not more, management complexity than we'll encounter with option 1, with only marginal benefits over keeping things the way they are currently (L2/L3 boundary at the network core).
    Thoughts?  What issues have we neglected to consider?  No matter which approach we select, it shall be assumed that we will be building a system to track all of these prefix assignments, provision switches, and manage their configurations.  From a standpoint of routing protocols, we would probably be looking at OSPFv2/v3.  It can also be assumed that if we encounter legacy devices requiring direct L2 connectivity to one another that we already have ways of bridging their traffic using external devices, so as far as this discussion is concerned, they aren't an issue.
    Thanks in advance for your ideas!
    -Aaron
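    Worked example of the Option 1 bit layout, added here as an illustration; it is not code from Aaron's post or from any Cisco tool. It assumes the layout exactly as stated above (IPv4: /8 -> 8 site bits -> 6 switch bits -> 7 class bits -> 3 host bits; IPv6: a /48 per site -> 2 allocation-type bits -> 6 switch bits -> 8 class bits), a 2001:db8:: documentation prefix as a stand-in site block, and that the switch's SVI takes one address per /29, which is how "a maximum of 5 available addresses" comes out. The ACE builder shows the property the post cares about: because the class bits sit in a fixed position, one IPv4 ACE with a non-contiguous wildcard mask still matches a whole device class across every access switch at a site.

```python
from ipaddress import IPv4Address, IPv4Network, IPv6Network

# Bit layout assumed from the post's Option 1 (IPv4 inside 10.0.0.0/8).
SITE_BITS, SWITCH_BITS, CLASS_BITS, HOST_BITS = 8, 6, 7, 3
# IPv6 layout assumed from the post: /48 per site, then type, switch, class.
TYPE_BITS6, SWITCH_BITS6, CLASS_BITS6 = 2, 6, 8

IPV4_BASE = int(IPv4Address("10.0.0.0"))


def _check(value, bits, name):
    if not 0 <= value < (1 << bits):
        raise ValueError(f"{name}={value} does not fit in {bits} bits")


def ipv4_prefix(site, switch, klass):
    """The /29 Option 1 assigns to one device class on one access switch."""
    _check(site, SITE_BITS, "site")
    _check(switch, SWITCH_BITS, "switch")
    _check(klass, CLASS_BITS, "class")
    offset = ((site << (SWITCH_BITS + CLASS_BITS + HOST_BITS))
              | (switch << (CLASS_BITS + HOST_BITS))
              | (klass << HOST_BITS))
    return IPv4Network((IPV4_BASE + offset, 32 - HOST_BITS))


def usable_hosts(net):
    """Addresses left for end devices once the network address, broadcast
    and the switch's gateway (an assumption) are taken: 5 for a /29."""
    return net.num_addresses - 3


def ipv4_class_ace(site, klass, action="permit"):
    """One IOS-style ACE matching every host of a class at a site, on any
    access switch: site and class bits are fixed, switch and host bits are
    don't-care in the wildcard mask."""
    _check(site, SITE_BITS, "site")
    _check(klass, CLASS_BITS, "class")
    match = IPv4Address(IPV4_BASE | (site << 16) | (klass << HOST_BITS))
    wildcard = IPv4Address((((1 << SWITCH_BITS) - 1) << (CLASS_BITS + HOST_BITS))
                           | ((1 << HOST_BITS) - 1))
    return f"{action} ip {match} {wildcard} any"


def ace_matches(ace, host):
    """Evaluate an ACE built by ipv4_class_ace against one host address:
    bits that are 0 in the wildcard must agree, bits that are 1 are ignored."""
    _, _, addr, wildcard, _ = ace.split()
    care = 0xFFFFFFFF ^ int(IPv4Address(wildcard))
    return (int(IPv4Address(host)) ^ int(IPv4Address(addr))) & care == 0


def ipv6_prefix(site_block, alloc_type, switch, klass):
    """The /64 Option 1 assigns inside a site's /48 (site_block is assumed)."""
    site = IPv6Network(site_block)
    if site.prefixlen != 48:
        raise ValueError("Option 1 assumes a /48 per site")
    _check(alloc_type, TYPE_BITS6, "alloc_type")
    _check(switch, SWITCH_BITS6, "switch")
    _check(klass, CLASS_BITS6, "class")
    field = (alloc_type << (SWITCH_BITS6 + CLASS_BITS6)) | (switch << CLASS_BITS6) | klass
    return IPv6Network((int(site.network_address) | (field << 64), 64))


if __name__ == "__main__":
    net = ipv4_prefix(site=1, switch=2, klass=3)
    print(net, "usable hosts:", usable_hosts(net))
    ace = ipv4_class_ace(site=1, klass=3)
    print(ace)
    for host in ("10.1.8.25", "10.1.12.25", "10.1.8.33", "10.2.8.25"):
        print(host, "matches" if ace_matches(ace, host) else "does not match")
    print(ipv6_prefix("2001:db8:1::/48", alloc_type=1, switch=2, klass=3))
```

    One design observation that the post does not make: the single-ACE property only survives in IPv4, because IOS IPv4 ACLs accept non-contiguous wildcard masks. IPv6 ACL entries match on a prefix length only, so with the switch bits above the class bits a class at a site needs one entry per switch; placing the class bits above the switch bits in the /48 would bring that back to one /56 per class, with the same number of /64s overall.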

  • Restricting user access based on a site column value in a document library.

    We have a business requirement to show the contents of a document library based on a value (or values) in the site column (or multiple columns). For example, my document library has a custom site column called confidentiality. This will have values like restricted, internal and public. Now, based on the AD Group the user belongs to, I should be able to control the access to Restricted or Restricted and Internal files from the document library. We are using SharePoint Online 2010.
    Please suggest the best way to achieve this requirement?

    SharePoint's security model doesn't allow you to specify security based on metadata. You could however create a Sandboxed Solution containing a Feature that registers a custom event receiver on the Document Library. The logic inside this Event Receiver would fire after editing item properties (ItemUpdated) to apply item-level permissions based on the rules you need.
    Make sure to read the article below to determine if fine-grained permissions are suitable in your case:
    http://technet.microsoft.com/en-us/library/gg128955.aspx

  • Permissions in AD not populating

    I have two environments both running SharePoint 2013:
    1. My Dev environment
    2. Customer production environment
    I go through the following procedure to add users to security groups. In My development environment this works fine and permissions are assigned as expected. In my customer's environment I'm getting problems for the bold sections. It sometimes takes a week sometimes a day for users to actually get permissions.
    Create an AD group “MyADGroup”
    Add a user “UserA” to the AD group
    Create a SharePoint security group “MySPGroup”
    Add MyADGroup to MySPGroup in SharePoint’s permissions settings
    Check permissions on UserA -> permissions are supplied directly
    Add UserB to the AD group
    Check permissions on UserB -> permissions are supplied directly
    Logged in as User B and I’m getting access to the site without any problem.
    The problem only seems to occur when I add new people to existing AD groups. It looks like SharePoint doesn't apply the AD group changes. The time that we have to wait for the AD changes to be applied seems to be random as issues do disappear randomly (not after a certain period of time and not always on the same day of the week)

    The problem arises from the fact that SharePoint caches claims tokens, including tokens for groups.  So it can take up to 24 hours for a new user to actually get their permissions based on being added to an existing AD group.  This article explains the issues:
    http://sergeluca.wordpress.com/2013/07/06/sharepoint-2013-use-ag-groups-yes-butdont-forget-the-security-token-caching-logontokencacheexpirationwindow-and-windowstokenlifetime/
    Paul Stork SharePoint Server MVP
    Principal Architect: Blue Chip Consulting Group
    Blog: http://dontpapanic.com/blog
    Twitter: Follow @pstork

  • Permissions issues after migration

    I've just got hold of a new retina MBP, and have had a number of issues since using setup assistant to transfer everything over from my old MBP to my new MBP.
    I suspect these are all permissions based - but would appreciate some help from an expert.  My conviction that they are all permissions related is because initially I had an issue with not being able to access certain folders and applications (including Mail), which was resolved by my adding my user name to the Sharing and Permissions info section of the Home and Applications folders, and applying changes to all contents.
    However these issues still remain:
    TopSites in Safari not updating to show that the websites have changed.
         - This despite me trashing the TopSites plist from library, and emptying the cache.
    My Epson scanner won't open.
         - When I plug it in and open the application it tells me it cannot 'write to file', and then shuts itself down.
    When I open iPhoto I always get the welcome message, and I can't find an option not to show this on start-up.
         - It's like the MBP doesn't register that I'm not using iPhoto for the first time, even though everything else works fine.
    I always get a file - cache.db - sitting on the top of my Home file.
         - I can trash it but it always pops back.
    My Address Book won't update.
         - iCal updates fine, and my updates are changed on iCloud but I can't get the Address Book to pick up changes on my MBP.
    When I reboot and open Mail it always opens the latest email at the time of my original migration
         - and not the latest or the unread at the top.
    I'd be grateful if any experts out there could offer up any solutions to these riddles.

    The procedure below will reset the permissions of a home folder in OS X 10.7.4 or later. If you're running an earlier version of 10.7, update to the current version first. This procedure should not be used in OS X versions older than 10.7.4.
    Back up all data.
    Click the Finder icon in the Dock, then press the following key combinations, in the order given:
    Command-3
    Shift-command-H
    Command-I
    The Info window of your home folder will open. Click the lock icon in the lower right corner and authenticate with the name and login password of an administrator on the system. If you have only one user account, you are the administrator.
    In the Sharing & Permissions section of the window, verify that you have "Read & Write" privileges. If not, use the "+" and "-" buttons in the lower left corner to make the necessary changes.
    By default, the groups "staff" and "everyone" have "Read Only" privileges. With those settings, the files at the top level of your home folder will be readable by other local users. You can change the privileges to "No Access" if you wish, but then your Public and Drop Box folders will be inaccessible to others, and Personal Web Sharing won't work. Most likely, you don't need to change these settings.
    If there are entries in the Sharing & Permissions list for users or groups besides "me," "staff," and "everyone," delete them.
    Click the gear icon at the bottom of the Info window and select Apply to enclosed items... from the drop-down menu. Confirm. The operation may take several minutes to complete. When it does, close the Info window.

  • Ssd died with wife's data on it only able to salvage .mdf file - Save a man's life ... how do I restore / attach / recreate log file - no permissions on new drive

    My wife asked me if I could create a VB program for her - load her data onto SQL Server to test her for some medical exams. Since I have been "playing" with both Visual Studio and SQL for over 10 years, I said sure. Copied her Excel file, transferred the data to SQL and started "playing".
    Play time ended abruptly the other day when my Solid State Drive died. I was only able to salvage the .MDF off the disk. Lost the log file and lost the Excel file. Yes, for all of my databases I had regularly scheduled backups to another disk. I hadn't set that up for hers yet, thinking that the data was available on another computer altogether.
    No big deal, right? Just get the original Excel file back from the wife ("Offsite backup") and reload the data from Excel. Problem ... she deleted the file 2 months ago thinking I had the data, and there is no recovery as the sectors where that data was located on her hard disk have since been overwritten.
    As to my situation: I told her that things were "going fine" and that I just had a couple more things to recover and we would be back up in business. Thinking that dangling from a bar over a tank of great whites with a freshly cut hand might be preferable to telling her that I just fried over 300 hours of her hard to come by time, by assuming the data was safe.
    From what I can tell, the .MDF file is intact. I have nothing else, and that was attached to a database on what was essentially another computer. Yes, I "Assumed" I had good backups. Yes, I have learned my lesson.
    Please save a man's life and help me out.

    I had my disk die with the only copy of my wife’s medical “Question and Answer” (Q_And_A) database on it. She thought it was safe and sound on my computer, and I thought we had an “Off site” backup of the data on hers and hadn’t set up backup for it.
    1.) The bad things are, only the .mdf file was intact.
    2.) All of the permissions based on the old copy of Windows 7 and SQL 2005 or 2008 (I am not sure which the .mdf was created in.) have gone the way of the dodo.
    Bought a new disk. Reloaded Windows 7 64 bit. Loaded SQL 2014 (Thought now was a good time to upgrade.) Problem … so far I have not been able to attach and recreate the log file …
    Just to finish up the data I have, the database was closed properly and is NOT in a read only state according to file properties. That said, I still don’t have a solution.
    So far I tried these three sets of commands:
    -- Attempt 1: attach the data file and let SQL Server build a new log
    CREATE DATABASE Q_And_A
    ON (FILENAME = N'E:\Mikes 128GB\SQL2014\MSSQL12.SQL2014\MSSQL\DATA\Q_And_A.mdf')
    FOR ATTACH_REBUILD_LOG
    GO
    And this set of commands:
    -- Attempt 2: plain attach, which expects the original .ldf to be present
    CREATE DATABASE Q_And_A
    ON (FILENAME = N'E:\Mikes 128GB\SQL2014\MSSQL12.SQL2014\MSSQL\DATA\Q_And_A.mdf')
    FOR ATTACH
    GO
    -- Attempt 3: the deprecated single-file attach procedure
    EXEC sp_attach_single_file_db @dbname = 'Q_And_A',
        @physname = N'E:\Mikes 128GB\SQL2014\MSSQL12.SQL2014\MSSQL\DATA\Q_And_A.mdf'
    GO
    So far this is the computer’s reply to everything I have thrown at it. I haven’t told my wife that 600 hours of her work is inaccessible, and I would really rather not do so. Anything anyone can offer would be great.
    File activation failure. The physical file name "E:\Mikes 128GB\SQL2014\MSSQL12.SQL2014\MSSQL\DATA\Q_And_A_log.ldf" may be incorrect.
    The log cannot be rebuilt because there were open transactions/users when the database was shutdown, no checkpoint occurred to the database, or the database
    was read-only. This error could occur if the transaction log file was manually deleted or lost due to a hardware or environment failure.
    Msg 1813, Level 16, State 2, Line 1
    Could not open new database 'Q_And_A'. CREATE DATABASE is aborted.
    Is there anything else anyone out there can offer as help? My wife has often said that she doesn’t believe in divorce. But murder she will consider. If she loses 600 hours of her data this could be my last post. I am joking … I think … That said, any help is extremely welcome. Thanks in advance.

  • Role Based Access Control in Java

    Hi,
    we are designing a software solution that makes use of the Role Based Access Control pattern to control access of functions, EJBs, Servlets to certain users based on their "role".
    I have not been able to understand clearly how that pattern can be implemented in Java. In addition, I stumbled on the java.security.acl and I'm wondering how the package will work together with the RBAC pattern (or is the pattern already implemented in some package)?
    Does any1 have any comments on this? Thnx
    Dave

    Hi David,
    Permissions based on GUI components is a simple & neat idea. But is it rugged? Really secure? It might fall short of Grady Booch's idea of Responsibilities of objects. Also that your Roles and Access components are coupled well with Views!!!!!!!
    My suggestion regarding the Management Beans is only to do with the dynamic modification which our discussion was going forward.
    If we go back to our fundamental objective of implementing a Role based access control, let me put some basic questions.
    We have taken the roles data from a static XML file during the start up of the container. The Roles or Access are wanted to be changed dynamically during the running of the container. You would scrutinize the changes of Roles and access before permission during the case of dynamic modification.
    Do you want this change to happen only for that particular session? Don't you want these changes to persist??? When the container is restarted, don't you want the changes to stay back?
    If the answer to the above is YES(yes I want to persist changes), how about doing a write operation(update role/access) of the XML file and continue your operation? After all, you can get the request to a web or session bean and keep going.
    If the answer to the above is NO(no, i don't want to persist), you can still get the change role request to a web or session bean and keep going.
    Either way, there is going to be an intense scrutiny of the operator before giving her permissions!!!
    One hurdle could be that how to get all neighbouring servers know about the changes in roles and access??? An MBean or App Server API could help you in this.
    May I request all who see this direction to pour in more comments/ideas ? I would like to hear from David, duffymo, komone and jschell.
    Rajesh
