Campus / Enterprise VLAN Security Integration

Ji Jeal  
One of the things that always bothers me about (including the many different ways of) deploying guest wireless is the need to have a VLAN that contains untrusted guest traffic on the same switches that carry trusted corporate traffic.
Given that the deployment model for a site with local internet break-out such as H-REAP requires the VLAN to be on multiple switches what are the recommendations and best practices to make the chance of someone breaking out of this guest VLAN nil?
Is this a viable model for a high security environment (like a bank or defence company)
Whilst my perception is that the biggest risk here is that someone unintentionally / mistakenly creates a L3 interface on the VLAN e.g. to provide DHCP services the same as all the corporate VLANs, I am also concerned that there is the possibility that someone could potentially attack the devices / switches and configure their way out of the VLAN.
I know there are several ways to get around this (like using the anchor controller) but that doesn't always work.
Thanks

I am trying to figure out two things;
1) Can I be confident that logical VLAN seperation provides "enough" security and the answer to that really is dependent upon how well and robustly the infrastructure components (AP, WLC, switch) are tested to manage the attack vectors, for example the obvious one being to encapsulate with VLAN tagging, do all the devices "deny" the possibility to spoof the vlan and so on...
2) In terms of configuration - is there something I havent thought of that is a (easy ?) way to not have the untrusted data directly touching the VLAN (e.g. tunnelling or something) between the AP and the local internet break-out (like an anchor controller but without the need to deploy WLCs in every branch) - which would effectively mean it didn't matter if the switch was misconfigured or a bug allowed crafted packets to break the switch or break the security as there's a "buffer" between the guest wireless traffic and the switch.
But I guess as a side question - is there a way to protect against mis-configuration (other than adding a note on the vlan saying "Dont configure a layer 3 address on this VLAN" - VRF Lite could be an option but as you say - quite a bit of overhead.
Thanks

Similar Messages

  • Get error while Integrating with Oracle's Enterprise User Security

    Hi,
    I am trying to create an Oracle Enterprise User integrating with OVD and MS Active Directory.
    I am following all the steps in Integrating with Oracle's Enterprise User Security.
    In the documentation section: "Configuring Oracle Virtual Directory for the Integration"
    I have applied the steps successfully until:
    Update and load the entries into the Local Store Adapters by performing the following steps:
    I have successfully extended the Oracle Virtual Directory schema with the loadOVD.ldif
    However I am getting errors in the next step: Update realmRoot.ldif to use your namespaces
    The next step states the following:
    Update realmRoot.ldif to use your namespaces, including the dn, dc, o, orclsubscriberfullname,
    and memberurl attributes in the file. If you have a DN mapping between Active Directory and
    Oracle Virtual Directory, use the DN that you see from Oracle Virtual Directory.
    The realmRoot.ldif file is located in ORACLE_VIRTUAL_DIRECTORY_HOME/eus,
    where ORACLE_VIRTUAL_DIRECTORY_HOME represents the location where Oracle Virtual Directory is installed.
    The realmRoot.ldif file contains core entries in the directory namespace that Enterprise User Security queries. The realmRoot.ldif file also contains the dynamic group that contains the registered Enterprise User Security databases to allow secured access to sensitive Enterprise User Security related attributes, like the user's Enterprise User Security hashed password attribute.
    Load your domain root information in the realmRoot.ldif file into Oracle Virtual Directory using the following command:
    ldapmodify -h Oracle_Virtual_Directory_Host –p OVD_Port -D cn=admin -w Admin_Password -v -a –f realmRoot.ldif
    When I run the ldapmodify command I get the following error:
    add dc:
    testldap
    add objectclass:
    top
    domain
    domainDNS
    adding new entry DC=testldap,DC=local
    ldap_add: Operations error
    ldap_add: additional info: LDAP Error 1 : null
    The actual realmRoot.ldif looks like this:
    # Please uncomment the following one line if you are importing this
    # LDIF file via OVD Manager or OVD Server's ldapmodify tool.
    #version: 1
    #dn: dc=com
    #dc: com
    #objectclass: domain
    dn: DC=testldap,DC=local
    changetype: add
    dc: testldap
    #o: subarashii
    objectclass: top
    objectclass: domain
    objectclass: domainDNS
    #objectclass: orclSubscriber
    #orclsubscriberfullname: subarashii
    #orclVersion: 90400
    # If your domain structure has more layers than dc=subarashii,dc=com,
    # for example, it's dc=us,dc=subarashii,dc=com, you will need to load
    # the following ldif entry/entries too.
    # Uncomment out the following, if required.
    #dn: dc=us,dc=subarashii,dc=com
    #orclversion: 90400
    #orclsubscriberfullname: us
    #objectclass: domain
    #objectclass: top
    #objectclass: orclSubscriber
    #dc: us
    # Adding EUSDBGroup entry
    # Modify the memberurl attribute and replace it with your own domain name
    #dn: cn=EUSDBGROUP,dc=subarashii,dc=com
    #cn: EUSDBGROUP
    #memberurl:ldap:///dc=subarashii,dc=com??sub?(&(objectclass=orclService)(objectclass=orclDBServer))
    #objectclass:groupofuniquenames
    #objectclass:groupofurls
    #objectclass:top

    Did you ever get your questions answered about the realmRoot.ldif file? Did you manage to configure a successful integration of OVD with EUS? I am battling with trying to get Oracle Virtual Directory integrated with Enterprise User Security, but every step I take in Chapter 7 of the OVD manual fails in some way, and the instructions are often vague. I am not sure how to modify the realmRoot.ldif file. Is there any improved documentation on this? I have logged a Service Request, but not getting any help. Any resources or documentation you know of that provides better guidance would be much appreciated. I am way behind my schedule now and this is a very frustrating exercise.
    Thanks.

  • The OMS is not set up for Enterprise Manager Security

    Hi, I'm trying to add an agent to grid control and its not connecting with the management server because i cant secure it...
    bash-2.05$ ../../bin/emctl secure agent <password>
    Oracle Enterprise Manager 10g Release 3 Grid Control 10.2.0.3.0.
    Copyright (c) 1996, 2007 Oracle Corporation. All rights reserved.
    Agent is already stopped... Done.
    Securing agent... Started.
    Requesting an HTTPS Upload URL from the OMS... Failed.
    The OMS is not set up for Enterprise Manager Security.
    i have tried this on two seperate servers, both do the exact same thing. However, on my repository server where the OMS is housed, i can secure the agent no problem. Does anyone know what the problem could be? My OMS is on a Linux (SuSE 10.2) 32-bit machine.
    heres the emdctl.trc on the agent machine:
    2007-07-11 11:00:20 Thread-1 ERROR main: nmectla_agentctl: Error connecting to http://cbldb3:3872/emd/main/. Returning status code 1
    2007-07-11 11:00:21 Thread-1 WARN http: snmehl_connect: connect failed to (cbldb3:3872): Connection refused (error = 239)
    2007-07-11 11:00:21 Thread-1 ERROR main: nmectla_agentctl: Error connecting to http://cbldb3:3872/emd/main/. Returning status code 1
    2007-07-11 11:00:21 Thread-1 WARN http: snmehl_connect: connect failed to (cbldb3:3872): Connection refused (error = 239)
    2007-07-11 11:00:21 Thread-1 ERROR main: nmectla_agentctl: Error connecting to http://cbldb3:3872/emd/main/. Returning status code 1
    2007-07-11 11:00:22 Thread-1 WARN http: snmehl_connect: connect failed to (cbldb3:3872): Connection refused (error = 239)
    2007-07-11 11:00:22 Thread-1 ERROR main: nmectla_agentctl: Error connecting to http://cbldb3:3872/emd/main/. Returning status code 1
    2007-07-11 11:05:10 Thread-1 WARN http: snmehl_connect: connect failed to (cbldb3:3872): Connection refused (error = 239)
    2007-07-11 11:05:10 Thread-1 ERROR main: nmectla_agentctl: Error connecting to http://cbldb3:3872/emd/main/. Returning status code 1
    2007-07-11 11:10:08 Thread-1 WARN http: snmehl_connect: connect failed to (cbldb3:3872): Connection refused (error = 239)
    2007-07-11 11:10:08 Thread-1 ERROR main: nmectla_agentctl: Error connecting to http://cbldb3:3872/emd/main/. Returning status code 1
    bash-2.05$ lsof | grep 3872
    bash-2.05$
    seems to be failing the connect but nothing is running on the port so i'm not sure why
    Thanks in advance
    Message was edited by:
    user581869

    some further information and hopefully someone can help me...
    I went to the OMS binary folder (fmc45712:$OMS_HOME/bin) and executed the following commands...
    $OMS_HOME/opmn/bin/opmnctl stopall
    $OMS_HOME/bin/emctl stop oms
    $OMS_HOME/bin/emctl secure oms
    $OMS_HOME/bin/emctl start oms
    $OMS_HOME/opmn/bin/opmnctl startall
    then i go to $AGENT_HOME on the OMS machine (fmc45712:$AGENT_HOME/bin) and execute..
    $AGENT_HOME/bin/emctl status agent -secure
    Oracle Enterprise Manager 10g Release 3 Grid Control 10.2.0.3.0.
    Copyright (c) 1996, 2007 Oracle Corporation. All rights reserved.
    Checking the security status of the Agent at location set in /opt/oracle/OracleHomes/agent10g/sysman/config/emd.properties... Done.
    Agent is secure at HTTPS Port 3872.
    Checking the security status of the OMS at http://fmc45712:4889/em/upload/... Done.
    OMS is secure on HTTPS Port 1159
    I then to go the server i deployed the agent on that i want to get communicating wtih my OMS...
    $AGENT_HOME/bin/emctl status agent -secure
    Oracle Enterprise Manager 10g Release 3 Grid Control 10.2.0.3.0.
    Copyright (c) 1996, 2007 Oracle Corporation. All rights reserved.
    Checking the security status of the Agent at location set in /u101/em/agent10g/sysman/config/emd.properties... Done.
    Agent is unsecure at HTTP Port 3872.
    Checking the security status of the OMS at http://fmc45712:4889/em/upload/... Done.
    OMS is running but has not been secured. No HTTPS Port available.
    same command, different computer, but on the same network, and it just doesn't work. The OMS is on Linux x86 and the agent on the alternate computer is on HP-UX. If anyone has any help it'd be much appreciated.

  • Completion Insight not working correctly when using Enterprise User Security (EUS) logon

    This is a pre existing issue we've experienced with SQL Developer, though I've only just worked out what is causing the issue it is present in previous versions of the tool, up to the current 4.0.EA2.
    We experience issues with the Completion Insight functionality of SQL Developer.
    When we log into a database using Enterprise User Security i,e authenticating against OID, the schema of the database account is prefixed to any reference to public synonyms, ie all user_%, all_%, dba_% and v$% views.
    When I change the authentication of the database account back to normal database authentication the schema prefix correctly isn't shown. It simply suggests the synonym name of the views.
    An example of this is as follows when attempting to query the DBA_TABLES view:
    The database account is ORADBA and has DBA privs.
    The EUS user that is mapped to the ORADBA schema is dbutler.
    The ORADBA user is configured to authenticate externally (against OID).
    I login with my dbutler directory credentials:
    If I start typing:
    select * from dba_tabl
    The object name is suggested as ORADBA.dba_tables
    If I change the authentication of the ORADBA account back to database authentication, the prefix is no longer present.
    i.e If I start typing:
    select * from dba_tabl
    The object name is suggested as dba_tables

    If you're not using DB 10.2 this is the "expected" behavior for the DB. See also metalink note 351170.1 "Enterprise Users Can Connect to a Database when the OID Account is Disabled"
    regards,
    --Olaf                                                                                                                                                                                                                                                                                                                                                                                                                   

  • [svn:bz-trunk] 20680: Tomcat 7 Login Module work, due to the Tomcat 7 Security framework change we need to work out the security integration piece for tomcat 7 .

    Revision: 20680
    Revision: 20680
    Author:   [email protected]
    Date:     2011-03-08 08:23:30 -0800 (Tue, 08 Mar 2011)
    Log Message:
    Tomcat 7 Login Module work, due to the Tomcat 7 Security framework change we need to work out the security integration piece for tomcat 7. So far the ValveBase and tomcat Realm had API changes which will impact on the Login integration with Tomcat 7
    Modified Paths:
        blazeds/trunk/modules/opt/build.xml
    Added Paths:
        blazeds/trunk/modules/opt/lib/catalina-708.jar
        blazeds/trunk/modules/opt/src/tomcat/flex/messaging/security/TomcatValve708.java

    Revision: 20680
    Revision: 20680
    Author:   [email protected]
    Date:     2011-03-08 08:23:30 -0800 (Tue, 08 Mar 2011)
    Log Message:
    Tomcat 7 Login Module work, due to the Tomcat 7 Security framework change we need to work out the security integration piece for tomcat 7. So far the ValveBase and tomcat Realm had API changes which will impact on the Login integration with Tomcat 7
    Modified Paths:
        blazeds/trunk/modules/opt/build.xml
    Added Paths:
        blazeds/trunk/modules/opt/lib/catalina-708.jar
        blazeds/trunk/modules/opt/src/tomcat/flex/messaging/security/TomcatValve708.java

  • Enterprise User Security and Password Policies

    Hi!
    I'm testing Enterprise User Security. Till now everything has gone ok, I can connect to my db using oid users.
    Now I'm configuring OID password policies for my realm but it seems that these are not applied when I connect through db. For example, I can try to logon with a wrong password as many time as I want, although in policies a limit of three is set.
    Is this correct?!

    If you're not using DB 10.2 this is the "expected" behavior for the DB. See also metalink note 351170.1 "Enterprise Users Can Connect to a Database when the OID Account is Disabled"
    regards,
    --Olaf                                                                                                                                                                                                                                                                                                                                                                                                                   

  • How to configure Enterprise User Security ?

    Hi All,
    I am following the oracle document for setting up Enterprise User Security to setup Enterprise user security between OID 11g and database 11g . but right now if i click on the "Enterprise User Security" link in the Security under the Server tab , I am getting a HTTP 500 internal error , please kindly provide your inputs .
    Regards,
    Senthil.

    Hi,
    You don't so much configure enterprise voice for federation, you just configure enterprise voice. Then when you configure you're environment for federation, the voice features will take care of themselves. The two are separation components / features.
    But you'll need to be a little more specific; Are the two user forests using the same Lync environment through a forest trust(s) (resource or central forest topologies)? If they are, then you don't need to do anything with federation for these
    two forests to leverage enterprise voice between their users - it will just work. However if each user forest is using a separate Lync environment, then you will need to configure federation between the two and make use of Lync Edge servers.
    You can enable enterprise voice for users without an SBC or gateway, this component is used merely to connect your Lync platform to the PSTN. You may also use a direct SIP trunk to your mediation server as you have eluded to, although I never recommend this
    in production for security reasons (which I feel others will back me on), it is still a supported option.
    Let me know if I've interpreted this completely wrong.
    Kind regards
    Ben
    Note: If you find a post informative, please mark it so using the arrow to the left. If it answers a question you've asked, please mark the thread as answered to aid others when they're looking for solutions to similar problems or queries.
    Lync | Skype | Blog: Gecko-Studio

  • Officejet 6000 wireless and WPA2-Enterprise network security

    I own an Officejet 6000 wireless printer. The manual says that it should be compatible with a wireless network with WPA2-Enterprise network security but when setting up the connection (I am using a macbook and am setting the printer up via usb connection) the newtork is listed but the security type is "unsupported." For whatever its worth it is listed 5 or 6 times but probably thats a different issue.
    I can still select the right network but it only asks for a security key, but my network security requires a log-in name and password.
    What can I do to get my printer connected to the network?

    I get the feeling that most of the people replying here don't know the difference between WPA2-Personal and WPA2-Enterprise.
    Personal has a passkey.
    Enterprise uses both a username and password, usually in conjunction with a Radius server (802.1X athentication).
    What we've had to do solve this problem is create a second SSID on the network that authenticates on WPA2-Personal. We use a really long password to secure the network, one that I will never be able to memorize in my lifetime.
    All we can hope for is that these enterprise-level vendors will, perhaps, gain a greater understanding of wireless authentication processes and the needs of actual enterprise customers who at least a percieved need for wireless printer capabilities. It used to be that customer was always right, though. Perhaps those days are gone...
    The other problem that probably ought to be addressed on consumer end is the fact that multicast tools that make AirPrint work (such as Bonjour), are being blocked from crossing between your wired and wireless networks, perhaps by the wireless controller or due to inefficient routing hierarchy or NAT/PAT issues. Solve this issue and you won't have a need for wireless printers.

  • Enterprise User Security, How do I store the DB password somewhere else?

    Hi Guys,
    I'm running Oracle 11gR2 and OID 11gR1.
    Right now I have enterprise user security working, however I would like to decouple Apps / Directory password from the DB password in OID.
    I understand that I can stick the password in orclpasswordverifier.
    I have tried to add a new Password Verifier in OID, set up the appropriate appID in the password verifier, added the orclpasswordverifier.<appid> = password into my user but the set up refuses to go to orclpasswordverifier.<appid> it still uses the value of userpassword and orclpassword. I have also read the manual like 5 times.
    I've even tried to move the Password Verifier around, to root DBSecurity context, to my domain's context, swapped around the appid value, but no matter what it doesn't seem to work.
    Any advise please?

    I could able to find out the solution for the first item by looking at the forums and some documentation.
    We can specify the some part of the URL in the cgicmd.dat file as a key value pairs, which is located in <Oracle-Home>/reports/conf
    testreports: userid=scott/tiger@ORCL destype=CACHE server=ust %*
    Here the key is -- testreports
    Now new URL to access the report like
    http://localhost:7778/reports/rwservlet?cmdkey=testreports&report=sample_report.rdf&desformat=pdf&p_from_date=02-MAY-2006&p_to_date=03-SEP-2006
    You can see that Key is passed as cmdkey=testreports
    Please do remember that you have to append %* at the end of the key, this will allow part of the Key specified in the config file and part will be supplied in the URL
    Madhu

  • Renaming Sql Server 2008 r2 enterprise edition security roles

    Hello All,
    We got a requirement to rename existing  SQL SERVER 2008 R2 ENTERPRISE EDITION security roles.
    We are unaware of the impact on the existing users with these roles.
    Can anybody advise us if we rename the role name manually,
    We have to restart the sql server services to reflect the role name change to the users with these
    roles?
    Thanks In Advance 

    Hello All,
    We got a requirement to rename existing  SQL SERVER 2008 R2 ENTERPRISE EDITION security roles.
    We are unaware of the impact on the existing users with these roles.
    Can anybody advise us if we rename the role name manually,
    We have to restart the sql server services to reflect the role name change to the users with these
    roles?
    Thanks In Advance 
    What security roles are you talking about?
    built-in server- or database-roles? - those cannot be renamed.
    User-defined roles can be renamed at any point in time without any problems unless you write code that specifically accesses them by name yourself.
    Andreas Wolter (Blog |
    Twitter)
    MCSM: Microsoft Certified Solutions Master Data Platform, MCM, MVP
    www.SarpedonQualityLab.com |
    www.SQL-Server-Master-Class.com

  • Oracle ADF security integration with Oracle E-Business Suite SDK JAAS

    I have an Oracle ADF 11.1.2.2 application that is using ADF security for authentication and authorization.
    When we deploy this application to our JDeveloper integrated weblogic server, we utilize the security setting of "Custom" and use weblogic users and roles to map to the ADF application roles. In that environment our security is working properly.
    I have a Weblogic 10.3.5 standalone server that has the ADF runtime installed as well as the Oracle E-Business Suite SDK JAAS implementation installed.
    When I deploy the Oracle ADF application to the standalone weblogic server, I am directed to the JAAS login page when I attempt to access any JSF page (including those that I have granted View access through the anonymous-role. Does the Oracle ADF anonymous-role work (allow for anonymous page access) when JAAS security is handled by the Oracle E-Business Suite SDK JAAS implementation?
    Per the SDK instructions, when we install the Oracle ADF deployment on Weblogic we have selected "DD only" for our security setting. We have defined enterprise roles in the Oracle ADF security setup (jazn-data.xml) that are assigned the appropriate application roles. Those enterprise roles have the same name (i.e. UMX|YOURROLE) as the E-Business Suite roles that are assigned to our test users. When we login with an E-Business Suite user / password we are receiving an error:
    Error 401--Unauthorized
    From RFC 2068 Hypertext Transfer Protocol -- HTTP/1.1:
    10.4.2 401 Unauthorized
    Any thoughts on why that would be?
    Thanks
    Dan

    Thanks Juan.
    With the debugging options enabled it appears the issue is not an issue with the user / role credentials - it seems like the resource grants from jazn-data.xml are not being reviewed in my standalone weblogic instance EAR deployment:
    [JpsAuth] Check Permission
    PolicyContext: [TestApp]
    Resource/Target: [untitled1PageDef]
    Action: [view]
    Permission Class: [oracle.adf.share.security.authorization.RegionPermission]
    Result: [FAILED]
    Evaluator: [ACC]
    Failed ProtectionDomain:ClassLoader=sun.misc.Launcher$AppClassLoader@13f5d07
    CodeSource=file:/app/oracle/product/Middleware/oracle_common/modules/oracle.adf.share_11.1.1/adf-share-support.jar
    Principals=total 2 of principals(
    1. JpsPrincipal: oracle.security.jps.internal.core.principals.JpsAnonymousUserImpl "anonymous" GUID=null DN=null
    2. JpsPrincipal: oracle.security.jps.internal.core.principals.JpsAnonymousRoleImpl "anonymous-role" GUID=null DN=null)
    When I access the same page from my integrated weblogic server I see:
    [JpsAuth] Check Permission
    PolicyContext: [TestApp]
    Resource/Target: [untitled1PageDef]
    Action: [view]
    Permission Class: [oracle.adf.share.security.authorization.RegionPermission]
    Result: [FAILED]
    Evaluator: [ACC]
    Failed ProtectionDomain:ClassLoader=sun.misc.Launcher$AppClassLoader@13f5d07
    CodeSource=file:/app/oracle/product/Middleware/oracle_common/modules/oracle.adf.share_11.1.1/adf-share-support.jar
    Principals=total 2 of principals(
    1. JpsPrincipal: oracle.security.jps.internal.core.principals.JpsAnonymousUserImpl "anonymous" GUID=null DN=null
    2. JpsPrincipal: oracle.security.jps.internal.core.principals.JpsAnonymousRoleImpl "anonymous-role" GUID=null DN=null)
    When I review my EAR - I do see jazn-data.xml at:
    /META-INF/jazn-data.xml
    I will review the system-jazn-data.xml to see if the policy information has been migrated properly as part of the EAR deployment.
    Thanks.
    -Dan

  • IPhone enterprise setup - security concerns

    Dear all,
    My company (3000+ users) is in the process of integrating the iPhone into the enterprise, and the ideal setup would be :
    - OTA (Over The Air) sync of calendar and contacts with ActiveSync
    - OTA push mail with ActiveSync
    - ActiveSync policies enforcement (like passcode, etc...)
    But :
    - Users will have to sync their apps, music, photos, podcasts, ... from home; we do not wish to deploy iTunes on corporate computers; this could represent an important loss of productivity, and too much to cope with for our Helpdesk.
    First question : does this make sense ?
    Secondly, my concern as the company's security officer is : what happens to the corporate data when the iPhone is synced (and backed up) with the employee's private (aka. home) computer ? Does iTunes save Exchange data (settings, e-mails, calendar, contacts) to the computer ? If yes, is there a way to prevent this ?
    Any answer would be greatly appreciated. Thanks.
    jdm7

    Cam you clarify your questions? What does "IT people warn that if include it in the server for sync will breach security on patients data" mean?
    Do you mean if you sync with Exchange and there is patient info on the iphone? AHA.org says that encryption is not required, BUT it may be expected. IF Encryption is not required, but you do have patient data on the iPhone then you must at least:
    1. Use SSL to sync with Exchange - this would protect the data in the air
    2. Use the Apple Enterprise tools to force password lock on the iPhone and force a data wipe if so many incorrect passwords were entered.
    That is at least at a minimum.

  • Testing the enterprise portal in integration with documentum.

    hi
    can any one plz tell me how to test the enterprise portal when it is integrated with the documentum(content server).in order to check how the data is flowing from documentum to sap portal.
    regards,
    babu.

    Have a look
    test the system alias connection.If it is successful , then it will work.
    https://www.sdn.sap.com/irj/scn/thread?messageID=977224
    Koti Reddy

  • OBIEE-EBS data security integration

    Hi all,
    I am trying to implement the HR-Org based data security in EBS-OBIEE integration.
    After creating the initialization blocks EBS Single Sign-on Integration,Get Oracle EBS Security Context,Group-EBS Responsibility I have created a new initialization block HR Organizations to populate the session variable "HR_ORG" and I am using the following the query.
    Even though the session variables GROUP and USER are getting their values correctly and integration works fine, the variable HR_ORG says "has no value definition".
    [nQSError: 10058] A general error has occurred. [nQSError: 23006] The session variable, NQ_SESSION.HR_ORG, has no value definition. (HY000)
    SQL Issued: SELECT "Per Business Groups"."Business Group Id", VALUEOF(NQ_SESSION.HR_ORG) FROM HR
    Please help me for implementing the data security after the EBS-OBIEE integration..
    For populating HR_ORG variable by row wise initialization:
    SELECT DISTINCT 'HR_ORG',TO_CHAR(SEC_DET.ORGANIZATION_ID)
    FROM
    SELECT
    'HR_ORG', ASG.ORGANIZATION_ID
    FROM
    FND_USER_RESP_GROUPS URP
    ,FND_USER USR
    ,PER_SECURITY_PROFILES PSEC
    ,PER_PERSON_LIST PER
    ,PER_ALL_ASSIGNMENTS_F ASG
    WHERE
    URP.START_DATE < TRUNC(SYSDATE)
    AND (CASE WHEN URP.END_DATE IS NULL THEN TRUNC(SYSDATE) ELSE TO_DATE(URP.END_DATE) END) >= TRUNC(SYSDATE)
    AND USR.USER_NAME = ':USER'
    AND USR.USER_ID = URP.USER_ID
    AND TRUNC(SYSDATE)
    BETWEEN URP.START_DATE AND NVL(URP.END_DATE, HR_GENERAL.END_OF_TIME)
    AND PSEC.SECURITY_PROFILE_ID = FND_PROFILE.VALUE_SPECIFIC('PER_SECURITY_PROFILE_ID', URP.USER_ID, URP.RESPONSIBILITY_ID, URP.RESPONSIBILITY_APPLICATION_ID)
    AND PER.SECURITY_PROFILE_ID = PSEC.SECURITY_PROFILE_ID
    AND PER.PERSON_ID = ASG.PERSON_ID
    AND TRUNC(SYSDATE) BETWEEN ASG.EFFECTIVE_START_DATE AND ASG.EFFECTIVE_END_DATE
    AND URP.RESPONSIBILITY_ID = DECODE(FND_GLOBAL.RESP_ID,
    -1, URP.RESPONSIBILITY_ID,
    NULL, URP.RESPONSIBILITY_ID,
    FND_GLOBAL.RESP_ID)
    UNION
    SELECT DISTINCT 'HR_ORG',
    ORGANIZATION_ID
    FROM PER_ALL_ASSIGNMENTS_F ASG,
    FND_USER USR
    WHERE ASG.PERSON_ID = USR.EMPLOYEE_ID
    AND USR.USER_NAME = ':USER'
    AND TRUNC(SYSDATE) BETWEEN ASG.EFFECTIVE_START_DATE AND ASG.EFFECTIVE_END_DATE
    AND ASG.PRIMARY_FLAG = 'Y'
    ) SEC_DET
    Thx!

    Duplicate post see Re: obiee-ebs  data  security integration

  • ODI11g, Console and Enterprise Manager(EM) integration

    Hi all,
    I need some information on the integration of ODI Console with Enterprise Manager.
    Any links or documents will be helpful.
    Thank you

    Hello,
    For BAM console you need to hit http://hostname:portname/OracleBAM for example http://localhost:9001/OracleBAM
    Only IE will support BAM.
    Regards
    Siva Sankar

Maybe you are looking for

  • Creative Cloud desktop app launches, does nothing

    Attempting to install a new product with CC. The window comes up and is completely blank. I have a PC running windows 7. I Tried reinstalling CC. I have many adobe products already installed and running. Also, CC on a Mac sharing the same Internet co

  • Problem with stack generation for upgrade EhP6- 7 (IDEX-DE)

    When calculating a stack for the upgrade EhP6->7 we encounter the following error: In long text, it says: Any ideas? Do I have to include the SPs manually?

  • Can't register my CS4 after computer crash

    My old computer crashed and I got a new computer. I installed CS4 from the origional discs and it will not let me register. It says I have an invalid serial number. The discs were an upgrade from an older version of Flash when I bought it a couple ye

  • At selection-screen on exit-command

    hi to all  my querry is as  follows . pls tell what is the usse of at selection-screen on exit-command  event where do we  use it . can u pls give some sample coding . points will be rewarded definitely .

  • Copy paste a cat face

    Hello, I am trying to copy and paste a cat face once I've used the clipping mask technique. Once I am done pasting the Cat face it wont copy just the part that has been clipped, it copies the whole entire selection I made. check the picture attached