Can group membership be the target of an ACI?

We have a few static groups that are used by a network authentication server. I also have a group of Help Desk staff that can change passwords of users who have forgotten theirs. I would like to restrict this ability so that they cannot change the passwords of users in certain groups. Is there a way to either: make group membership part of a target of an ACI, or assign a role based on group membership? I could create a role to do what I want, but I would then have to (I think) manually add the role to a user if I added that user to one of the groups I want to protect. Thanks...

Sorry about the duplicated message - I thought the original did not get posted.
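An added example (not part of the original question or any directory server's own code) of the first option asked about above: an ACI whose target is restricted by group membership. It assumes 389 Directory Server / Sun DS ACI syntax (targetattr, targetfilter, groupdn bind rule), that the user entries carry a memberOf attribute maintained by the server's MemberOf plugin so targetfilter can see group membership without any manual role assignment, and placeholder DNs under dc=example,dc=com with cn=HelpDesk and cn=NetworkAuth as the group names. The evaluator is a simplified model of how the server applies such an ACI so the access matrix can be checked offline; it is not the server's code.

```python
# Added example: a 389/Sun-style ACI that lets the Help Desk group write
# userPassword on every user EXCEPT members of protected groups, using
# targetfilter on memberOf. All DNs are placeholders (assumption); the
# memberOf attribute is assumed to be kept current by the MemberOf plugin.

BASE = "dc=example,dc=com"
HELPDESK = f"cn=HelpDesk,ou=Groups,{BASE}"
PROTECTED = [f"cn=NetworkAuth,ou=Groups,{BASE}", f"cn=Admins,ou=Groups,{BASE}"]


def protected_filter(protected_groups):
    """LDAP filter matching users that are NOT in any of the protected groups."""
    clauses = "".join(f"(memberOf={dn})" for dn in protected_groups)
    if len(protected_groups) > 1:
        return f"(!(|{clauses}))"
    return f"(!{clauses})"


def build_aci(helpdesk_dn, protected_groups):
    """Return the aci attribute value to put on the users container.
    With an empty protected list this is the weak, unrestricted form
    (help desk may reset anyone's password); with groups listed, the
    targetfilter clause excludes their members from the target set."""
    target = '(targetattr="userPassword")'
    if protected_groups:
        target += f'(targetfilter="{protected_filter(protected_groups)}")'
    return (
        target
        + '(version 3.0; acl "Help desk password reset, protected groups excluded"; '
        + f'allow (write) groupdn="ldap:///{helpdesk_dn}";)'
    )


def password_write_allowed(bind_groups, target_memberof, protected_groups=PROTECTED):
    """Simplified evaluation of the ACI above. The bind entry must be in the
    Help Desk group, and the target entry must not match any protected
    group; anything not explicitly allowed is denied (the ACI default).
    DNs are compared case-insensitively, as the server does."""
    norm = lambda dns: {dn.lower() for dn in dns}
    if HELPDESK.lower() not in norm(bind_groups):
        return False
    return not (norm(protected_groups) & norm(target_memberof))


if __name__ == "__main__":
    print(build_aci(HELPDESK, PROTECTED))
    print(password_write_allowed({HELPDESK}, set()))           # ordinary user
    print(password_write_allowed({HELPDESK}, {PROTECTED[0]}))  # protected user
```

The same idea answers the second option in the question: because targetfilter evaluates the target entry's memberOf at request time, adding a user to cn=NetworkAuth removes them from the help desk's reach immediately, with no role to maintain by hand.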

Similar Messages

  • Can I fade out the targets in the Design mode?

    I did put some triggers and targets from the tooltip widgets on my site. How can I make the targets disappear in the Design mode??? Of course they are gone in the Preview mode, but they disturb me very much in the Design mode, because I can't see anything behind them.

    Hello,
    Disable the option shown in this screenshot: http://jingsite.businesscatalyst.com/jing/2013-10-18_2304.png
    Cheers
    Parikshit

  • T-code : CRMC_R3_ORG_GENERATE, How can I link to the target system??

    Hi, everyone.
    First of all, thanks for reading my message, with my heart.
    We are facing a critical problem.
    We want to download the customer master from the R3 system to CRM (BBP600), but the problem is that there is no SALES AREA DATA!! (We need the sales office value for some reason.)
    Basically, CRM is linked to R/3 (domestic system) and the customer data we want to download is in another R/3 (Foreign GmbH system).
    We thought that the reason is there's no Dist. Channel and Division in PPOMA_CRM,
    so we executed the transaction CRMC_R3_ORG_GENERATE to download the sales area organization,
    but the system we saw was not the one we hoped to link.
    How can we set the destination we want to link for T-code CRMC_R3_ORG_GENERATE?!?!
    If somebody knows the procedure to connect to R/3 (Foreign GmbH system), please help us.
    I really appreciate your help in advance.
    Thanks
    Best rgds,
    Hyo-ki

    Thank you for your reply.
    Before reading your advice, we deleted all site IDs and created a new site ID for Foreign GmbH.
    After that, we can now connect to that system, and we can see the list of R3 sales area data.
    But when we executed the 'Creation' button, the system showed us a red alert status in the bottom list screen of CRMC_R3_ORG_GENERATE. T_T
    We already have the dist. channel code list and division code list for R3 (domestic) in CRM,
    and the other R3 (Foreign) has the same code list for dist. channel and division.
    For example,
    R3 (domestic) has customer code 200341, and its sales area is 1000 / 20 / 10, and
    R3 (Foreign) has the same customer code 345201, and its sales area is 4100 / 20 / 10.
    So I think the same codes for dist. channel and division cause the system to show the red alert.
    Am I correct??
    Then, is there any good strategy to maintain customer master data (or any master data) in TWO R/3 systems with only one CRM
    using the same dist. channel and division codes for each?

  • Need to change the targeting group of a Rule or monitor after a alert is created.

    Hi All,
    I have created many alerts and they are working fine. Currently, due to a business requirement, we have installed Windows Server 2012 operating systems in our production environment. But we have targeted the "Windows server 2008 r2 full operation system" group as per the below screenshot. We now have to import the management pack for Windows Server 2012 as well.
    What we have planned is to change the targeting group from "Windows server 2008 r2 full operation system"
    to "Windows server operating system group" so the alert / monitor or rule will target all Windows servers that have been discovered in SCOM rather than only the servers running Windows Server 2008 R2.
    I was also not able to set overrides for this, as that server was not coming under Windows server 2008 r2 full operation system since it was a Windows Server 2012 agent.
    I can also go ahead and create new alerts, but I have created around 1000 custom alerts and I cannot go ahead and re-create them.
    Is there any way to change them? If yes, can I do a bulk change via PowerShell?
    Below is the screenshot of what I really want. Can anyone please help.
    Gautam.75801

    You can't really change the target class of a monitor in a sealed vendor pack. If this is your own custom pack, then you can change the target class no problem, but this would need to be done on the unsealed XML (using VSAE or some other authoring tool).
    Then you can seal the pack and re-import (should be upgrade compatible, since you are just changing the target).
    I'm not familiar with this particular monitor in your screenshot, but it looks like this should probably target Exchange? If this is the case, then I would recommend targeting the closest typed class that the monitor should run against. In this case, some type of Exchange class that is already in the Exchange management pack.
    Otherwise, you can also create your own custom class for targeting, which I describe in detail on my blog.
    Here are all my sample VSAE fragments.
    Here is an example of using the Application Component base for your new class.
    Here is an example of using Local Application base for your new class.
    Jonathan Almquist | SCOMskills, LLC (http://scomskills.com)

  • Can the target system in the REF command dynamically be specified?

    Hello all,
    I have a main script which calls additional other scripts in different target systems (according to a defined system landscape). So far so good. Now when I have another system landscape in place, it's very likely that I have to handle other target systems.
    With the REF command I can call these other eCatt scripts but how can I dynamically specify the target system? According to the eCatt team this is not possible. Does anyone of you have an idea how I can have a workaround? Is there a BADI / Userexit etc. which I can use?
    I want to avoid to work with version, because I would duplicate the script. When you maintain one place you also have to remember the other versions you have.
    Kind regards,
    Thomas

    Hi Thomas,
    >Now when I have another system landscape in place, it's very likely that I have to handle other target systems.
    I suggest keeping the target system at the REF command (since that anyway should have a name which qualifies the role of your system instead of the system name, e.g. ERP or CRM or SCM).
    To change the landscape you can exchange what makes up the landscape: your system data container.
    Sample:
    1) SCRIPT "Scenario" call SCRIPT "Create_Order" in system CS1 which is CRM system
    2) SCRIPT "Scenario" call SCRIPT "Check_Replicated_Order" in system ER1 which would be ERP system
    As long as you are about to code the scripts:
    - Have a system data container SD_DEV
    - Define system CRM with rfc-destination to CS1 and ERP with rfc to ER1
    - In your scripts only use the terms ERP and CRM
    -> REF ( Create_Order, CRM ).
    -> REF ( Check_Replicated_Order , ERP ).
    Once you come to test another landscape:
    - Simply copy SDC SD_DEV to SD_TEST_LANDSCAPE1
    - Exchange only the rfc destinations to have ERP and CRM point to new systems
      (don't modify the existing destination, since you will need them still)
    Now start your Script "Scenario" with System data container SD_TEST_LANDSCAPE1 on start screen or even assign the system data container name in Test organizer at test package level.
    This is the way you can switch landscapes very easily. It only requires to use logical target system names from the beginning.
    Hope this helps or at least starts a discussion about it.
    Best regards
    Jens

  • AD Group Membership with User From Domain Outside of Forest

    Here's one to twist your brain around -
    I have kerberos authentication using Active Directory working between a client's web browser and my web-app hosted in JBoss. I also have limited authorization working by checking group memberships using LDAP. This currently only works if all users are in the same domain. The ever-helpful adler_steven has detailed in another thread (http://forum.java.sun.com/thread.jspa?threadID=603815&tstart=15) how to do a group membership check for all Users/Groups in a single forest using the Global Context.
    I need to go beyond the domain and even beyond the forest and try to authorize a user from a trusted domain by checking if the user is a member of a group in my domain. Authentication works fine using kerberos. It's the authorization by group check I am having trouble with. I believe there are two ways to approach this:
    Approach #1
    Access the MS-specific PAC in the kerberos token from the client to get the group SIDs. The structure of the PAC is nicely defined in this article: http://appliedcrypto.com/spnego/pac/ms_kerberos_pac.html. However, I have no idea how to access the decrypted token. I pass the encrypted token that I receive from the browser to myGssContext.acceptSecContext(...) to complete the authentication.
    Question: Does anyone know how to get the decrypted kerberos ticket from there, specifically the authorization-data field?
    Approach #2
    Try to walk through the Active Directory structures in both domains using LDAP. In the domain group that I am checking, I can see a member attribute that references a foreignSecurityPrincipal object. The CN of this object happens to be the objectSID of the user I am looking for in the remote domain. Unfortunately, I have to check the remote domain server directly to verify that. The foreignSecurityPrincipal object itself does not contain any hint about what user it refers to aside from the SID (no originalDomainName attribute or something similar). It is feasible that I could walk the chain of references back to the remote domain AD server. That would require that my configuration include a list of remote domain servers to check (since I could have users from multiple trusted domains) and that my JBoss server have access to those servers.
    Question: Does anyone know of some other LDAP-related way of finding information about a user from a remote, trusted domain without having to hit the server for that domain directly?
    adTHANKSvance
    Eric

    You should be able to work back from the foreignSecurityPrincipal object :-) He says with a wry smile..
    This post prompts me to think whether one day someone will draw the entity relationship diagram for AD. Oh well, I've been procrastinating for years, a few more won't hurt !
    If it was a user from within the same forest, you should just be able to perform a search against a GC using the objectSID as the search filter. I've forgotten, but I don't think they will be represented as foreign security principals.
    Have a look at the post titled JNDI, Active Directory and SID's (Security Identifiers) available at
    http://forum.java.sun.com/thread.jspa?threadID=585031&tstart=150 that describes how to search for an object based on their SID.
    Now if it is a user from another forest, with which you have a trust relationship, then we begin the navigation excercise.
    You'll need to obtain the user's SID (either from the cn or from the objectSID attribute) of the foreignSecurityPrincipal object. For example:
    CN=S-1-5-21-3771862615-1804478405-1612909269-2143,CN=ForeignSecurityPrincipals,DC=antipodes,DC=com
    objectSID=S-1-5-21-3771862615-1804478405-1612909269-2143
    Then obtain the domain RID, e.g. S-1-5-21-3771862615-1804478405-1612909269
    Next you will have to recurse each of the crossRef objects in the Partitions container, in the configuration naming context (which you will find listed in the RootDSE). The crossRef objects that represent trusted domains or forests will have values for their trustParent attribute. A sample query would be something like:
    //specify the LDAP search filter
    String searchFilter = "(&(objectClass=crossRef)(trustParent=*))";
    //Specify the Base for the search
    String searchBase = "CN=Partitions,CN=Configuration,DC=antipodes,DC=com";
    For each crossRef object, you can then use the dnsRoot attribute to determine the DNS domain name of the forest/domain (if you want to later use DNS to look up the DNS name and IP address of the domain controllers in the trusted domains/forests), and then use the nCName attribute to determine the distinguished name of the trusted forest/domain.
    dnsRoot = contoso.com
    ncName = dc=contoso,dc=com
    Perform another bind to the ncName for the trusted domain/forest and retrieve the objectSID attribute, which will be the domain's RID. You may want to cache this information as a lookup table to match domain RIDs with domain distinguished names and DNS names.
    String ldapURL = "ldap://contoso.com:389";
    Attributes attrs = ctx.getAttributes("dc=contoso,dc=com");
    System.out.println("Domain SID: " + attrs.get("objectSID").get());
    Once you find out which domain matches the RID for the foreignSecurityPrincipal, you can then perform a search for the "real user". And then finally you should have the user object that represents the foreign security principal!
    Just one thing to note. Assume that CONTOSO and ANTIPODES are two separate forests. If you bind as CONTOSO\cdarwin against the CONTOSO domain, the tokenGroups attribute (which represents the process token) will contain all of the group memberships of Charles Darwin in the CONTOSO domain/forest. It will not contain his memberships, if any, of groups in the ANTIPODES forest. If Charles Darwin accesses a resource in ANTIPODES, then his process token used by the ANTIPODES resource will be updated with his group memberships of the ANTIPODES forest. Also you can have an "orphaned foreign security principal", where the original user object has been deleted!
    BTW, If I was doing this purely on Windows, IIRC, you just use one API call DsCrackNames, to get the "real user", and then the appropriate ImpersonateUser calls to update the process token etc..
    Good luck.
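The SID handling that the walk described in this reply depends on, as an added example in Python rather than the poster's Java; this is not code from the thread. It converts between the binary objectSid stored in AD and the S-1-... text form, strips the RID to get the domain SID, escapes the binary SID for an LDAP search filter (RFC 4515 form, which a search by SID against AD needs), and matches a foreignSecurityPrincipal to the trusted domain whose SID prefix it carries using the cached domain table the reply suggests building from the crossRef objects. The sample SID is the one quoted in the reply; the domain table is constructed for the example, and no directory is contacted.

```python
# Added example (not the thread's code): SID utilities for the cross-forest
# foreignSecurityPrincipal lookup. Sample data below is constructed.
import struct


def sid_to_bytes(sid: str) -> bytes:
    """Encode 'S-1-5-21-...' in the binary layout AD stores in objectSid:
    revision (1 byte), sub-authority count (1 byte), 48-bit big-endian
    identifier authority, then each sub-authority as 32-bit little-endian."""
    parts = sid.split("-")
    if parts[0] != "S" or len(parts) < 3:
        raise ValueError(f"not a SID: {sid!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if len(subs) > 15:
        raise ValueError("too many sub-authorities")
    return (bytes([revision, len(subs)])
            + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def bytes_to_sid(raw: bytes) -> str:
    """Decode the binary form back to text. The length is validated so a
    truncated attribute value is rejected rather than decoded into a wrong SID."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack(f"<{count}I", raw[8:])
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])


def domain_sid(sid: str) -> str:
    """Drop the last sub-authority (the RID) to get the issuing domain's SID."""
    return sid.rsplit("-", 1)[0]


def objectsid_filter(sid: str) -> str:
    """(objectSid=...) search filter with the binary value escaped as \\xx
    per RFC 4515; AD will not match the S-1-... text form here."""
    escaped = "".join(f"\\{b:02x}" for b in sid_to_bytes(sid))
    return f"(objectSid={escaped})"


def resolve_foreign_principal(fsp_cn: str, domains: dict):
    """Map a foreignSecurityPrincipal CN (itself an SID) to the trusted domain
    whose SID prefix it carries. `domains` is the cached table the reply
    suggests: domain SID -> (dnsRoot, nCName). Returns None for an orphaned
    or unknown principal instead of guessing a domain."""
    entry = domains.get(domain_sid(fsp_cn))
    if entry is None:
        return None
    dns_root, nc_name = entry
    return {
        "dnsRoot": dns_root,
        "nCName": nc_name,
        "rid": int(fsp_cn.rsplit("-", 1)[1]),
        # filter to run against nCName on a DC of dnsRoot to find the real user
        "search_filter": objectsid_filter(fsp_cn),
    }


# Constructed sample data: the FSP from the reply and a one-entry domain table.
FSP_CN = "S-1-5-21-3771862615-1804478405-1612909269-2143"
TRUSTED_DOMAINS = {
    "S-1-5-21-3771862615-1804478405-1612909269": ("contoso.com", "dc=contoso,dc=com"),
}

if __name__ == "__main__":
    print(resolve_foreign_principal(FSP_CN, TRUSTED_DOMAINS))
```

Keeping the table keyed by the full domain SID rather than by DNS name is deliberate: the FSP carries only the SID, so the SID is the one value that can be compared without trusting a name, and an unmatched prefix is surfaced as None, which is exactly the orphaned-principal case the reply warns about.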

  • Dynamic Group Membership - All SQL Computers in a Domain

    I am trying to create groups containing all SQL servers in each domain. I am using the Wizard in the console. However I appear to be having winter blues as I can't work out how to do it. Everything I try results in an empty group.
    Can someone please explain what I need to do to?

    Roger
    Thanks for the input. The code looks logical and I applied it and imported a revised MP. However I am not getting any membership in the group. There is another group membership in the same MP and that populates correctly, so I haven't a clue where I'm going wrong. As you can see below my rule is the same as yours, except with a different domain name.
    <Expression>
      <And>
        <Expression>
          <RegExExpression>
            <ValueExpression>
              <Property>$MPElement[Name="MicrosoftWindowsLibrary7585010!Microsoft.Windows.Computer"]/NetbiosDomainName$</Property>
            </ValueExpression>
            <Operator>ContainsSubstring</Operator>
            <Pattern>DOMAINNAME</Pattern>
          </RegExExpression>
        </Expression>
        <Expression>
          <Contained>
            <MonitoringClass>$MPElement[Name="MicrosoftSQLServerLibrary6410!Microsoft.SQLServer.ComputerGroup"]$</MonitoringClass>
          </Contained>
        </Expression>
      </And>
    </Expression>
    Eric

  • Export Users data with group membership

    Hey Guys,
    I'm using csvde to export users data for management reports.
    I'm asked to add to the exported data the group membership of the users and I'm having problem doing that.
    My current script is:
    csvde.exe -s 192.168.xx.xx -d "ou=CS,dc=Domain,dc=com" -r objectClass=user -l "Company,DisplayName,sAMAccountName,title,lastlogon,pwdLastSet" -f c:\usersonly-Users.csv
    Can anyone help me adding column with groups the user is member of?
    Thanks
    Nir 

    Add the memberOf attribute to the list of attribute values to retrieve.
    Richard Mueller - MVP Directory Services

  • AD account used for running SIA locked during group membership querying

    Hello,
    I have code that is querying user / group membership from the BOE repository using the Java Enterprise SDK.  When running against an environment using an AD service account to run the SIA, an error is thrown and the AD account is subsequently locked when I execute my code.  The error is as follows:
    com.crystaldecisions.sdk.exception.SDKServerException: The Active Directory Authentication plugin failed to verify the currently specified administration credentials required to connect to Active Directory. Please contact your system administrator. 
    cause:com.crystaldecisions.enterprise.ocaframework.idl.OCA.oca_abuse: IDL:img.seagatesoftware.com/OCA/oca_abuse:3.2
    detail:The Active Directory Authentication plugin failed to verify the currently specified administration credentials required to connect to Active Directory. Please contact your system administrator. 
    The server supplied the following details: OCA_Abuse exception 10505 at [.\exceptionmapper.cpp : 79]  50068 { ,  , secWinAD}
         ...The Active Directory Authentication plugin failed to verify the currently specified administration credentials required to connect to Active Directory. Please contact your system administrator.   Plugin error: SecWinAD Error: an error occurred in CADCredentialManager::SwitchSecurityContexts().
    If the account is successfully running the SIA, I'm not understanding why this message is being thrown.  Also - I'm assuming some internal login is happening with this AD account when I query for group membership (?), as I am able to query for other types of metadata without error / locking the account.  Based on the error thrown, the authentication with this ID is failing, and is probably being attempted multiple times, resulting in the account being locked?  Can anyone provide insight here?
    Thanks...

    Ted is right on the mark with this one.
    The cause is outlined in the exception indicating a problem with the SwitchSecurityContexts() function.  The Active Directory plugin requires a set of credentials with which to connect to Active Directory and perform any necessary lookups.  Therefore, the issue is not with the account running your SIA (and by extension your CMS), but the Active Directory administration credentials you've set on the plugin (either via the CMC or through code).  When the CMS tries to impersonate, or switch security context to the other account, it fails to authenticate against Active Directory.
    Check to make sure this property is set identically to the account running the SIA, and like Ted said, that you can successfully update the plugin via the CMC.
    Thanks,
    Jim

  • AD/OID Group Membership Integration

    I have Oracle DIP/SSO and Zero Sign-on working. My client wants to grant a role to a user in AD and then that correspondingly grants the same user in OID a database role.
    I have read in an oracle whitepaper (Using Oracle with Microsoft Active Directory) that using Oracle DIP a change in user group member in AD can result in a corresponding change in group membership in the Oracle environment.
    Has anyone done this? Can you point me in the right direction?

    In order to do this you update the group in the AD. This is done by using the groups or user icon and add an user to a specific group.
    The synchronization profile in the OID/DIP will usually take care of this.
    cu
    Andreas

  • Get-Mailbox filter group membership

    I am trying to create a powershell script that reports on information for a set of mailboxes. How can I use the Get-mailbox command and filter by the group membership of the AD account connected to the mailbox? I just want a list of mailboxes from accounts
    that are in the VoicemailEnabled group.
    I know this isn't possible but to illustrate what I am trying to do:
    $mailboxes = Get-Mailbox -OrganizationalUnit "ou=Rooms,dc=contoso,dc=com" -Filter "Memberofgroup -eq 'VoicemailEnabled'"
    Any suggestions on how to do this?

    Unless I'm misunderstanding, this cmdlet does it for you: Get-DistributionGroupMember
    The above cmdlet doesn't have server-side filtering, because the members are actually only learned AFTER the group is returned.  So that means you'd have to do something like:
    Get-DistributionGroupMember group1 | where {$_.OrganizationalUnit -eq 'laptop.lab/Demo Users'}
    Mike Crowley | MVP
    My Blog --
    Planet Technologies

  • Design question: Change Group membership for a AD resource via SelfService

    Hi all,
    based on the OIM tutorials, I designed OIM that way that an end user can successfully request a resource. Is there a way to allow end users to modify their resource "subscriptions"? For example, I would like to allow end users to change their AD group memberships after the initial provision to the resource.
    From what I have learned from the tutorials, I would assume to create an AD group membership attribute in the user account profile form and propagate changes to that attribute back to AD.
    Or is there a way to allow end users to change their resource data directly under "My Resources" ?

    There is no concept of requesting a modification of an already provisioned account. Like you said, this can be achieved through an attribute on the user's profile, and on changing that attribute, downstream applications can be propagated the new value.
    Typically, if changes to an already provisioned account need to be done in OIM and through OIM, an OIM admin goes to the user's resource profile and clicks on edit on the process form and can edit any data there. In the case of AD groups, there will be a child process form that shows the groups that the user is a member of; you can insert (add) new groups or delete existing groups from there and save the form. In the provisioning process of AD you will need to write a process task, which should add/remove the user from the specified group in AD on the trigger when a new group is added or an existing group is removed when the admin is modifying the user's AD process form/process child forms in OIM.

  • Unable to edit Distribution Group membership via Outlook (works via ECP).

    SITUATION: I am attempting to enable the ability for specified users to edit the membership of Exchange 2010 distribution groups via Outlook 2010.  I have configured permissions via RBAC for them to be able to do this by following the instructions and running the script found here:
    http://msexchangeteam.com/archive/2009/11/18/453251.aspx
    After running the script, users specified as group managers are able to edit group membership through the ECP.  But when they attempt to do so via Outlook, they receive the same message that they would see if the permission to edit group membership was not enabled:
    "Changes to the public group membership cannot be saved.  You do not have sufficient permission to perform this operation on this object."
    QUESTION:  Does anyone have any idea as to why we are still unable to edit group membership via Outlook, when all the permissions appear to be enabled for doing so?

    Click Start, point to All Programs, point to Exchange Server 2010, and then click Exchange Management Shell.
    At the command prompt, run the following cmdlet:
    New-RoleGroup DistributionGroupManagement -Roles "Distribution Groups"
    At the command prompt, run the following cmdlet:
    Add-RoleGroupMember DistributionGroupManagement -Member <UserName>
    Open Outlook and try to remove from your distribution list those members that you could not remove before.

  • Issue with INSERT INTO, throws primary key violation error even if the target table is empty

    Hi,
    I am running a simple
    INSERT INTO Table 1 (column 1, column 2, ....., column n)
    SELECT column 1, column 2, ....., column n FROM Table 2
    Table 1 and Table 2 have same definition(schema).
    Table 1 is empty and Table 2 has all the data. Column 1 is primary key and there is NO identity column.
    This statement still throws Primary key violation error. Am clueless about this? 
    How can this happen when the target table is totally empty? 
    Chintu

    Nope, that's not true.
    Either you're not inserting into the right table, or in the background some other trigger code is getting fired which is inserting into some table, which causes a PK violation.
    Please Mark This As Answer if it solved your issue
    Please Vote This As Helpful if it helps to solve your issue
    Visakh
    My Wiki User Page
    My MSDN Page
    My Personal Blog
    My Facebook Page

  • AD Group Membership revoked on adding new group through role and acespolicy

    Hi all,
    When a user is created in OIM, it is provisioned with a default role, say CONTRACTS, which will provision an AD account and a default AD group membership.
    When I assign a new role membership, say BILLING, to assign additional AD group memberships through access policies, it is removing the default AD group membership from the user. But the user still has both the roles CONTRACTS and BILLING.
    The OOTB AD task "remove user from group" is triggered.
    The problem is happening only in the testing environment.
    In the development environment it is working fine:
    it is not removing the default group memberships.
    Any ideas? Thoughts? What do I need to check?
    My OIM server is 11.1.1.3.0, with WebLogic setup.
    Edited by: Venu on Dec 2, 2011 1:06 PM

    Do one thing:
    Take New User
    Assign First BILLING
    Assign Second Group
    And then ASSIGN CONTRACT
    Update the results.
    It is happening in one env so you might have done some configuration or it could be env issue as well.
