ChaRM security control on action

Similar Messages

• I'm stupid....how do you play game apps?  what controls the action?

  i'd like to get into some of the games offered in the app store but i'm ignorant when it comes to controling the action.

  It depends completely on the game. Every game will have a different way of controlling it. Some use the mouse, some use keys on the keyboard, and some use both. You'll need to look at the game you're interested in and see what it uses.
  Regards.

• HT4689 In the video: mission control in action,we see many open windows which I don't have. How do they get there?,

  In the video: mission control in action in Mac 101,we see many open windows which I don't have. How do they get there?

  On modern MBairs, the F3 key will take you to Mission control.  Once there, hold the Option key down and you'll see  a tab with the "+" sign on it.  Pressing this will add another desktop.  You can assign apps to desktops or just drag them there.   Switching between desktops is done by swiping either 3 or 4 fingers across the trackpad. (depend on the option chosen in System Preferences > Trackpad).

• Availability control with action 2 "Mail to project manager"

  Dear all,
  i was asked to implement the budget availabilty control with action 2 "mail to project manager".
  how can the managers receive the mails in the SAP when the budget is exceeded?
  can someone explain the config in detail?
  thank you very much.
  i have no idea how to achieve it ?
  thank you all.
  Judy
  09-06-01

  Hi
  This is possible with business work place ( SBWP)
  To achive this you need to do some settings
  1.OPS6 - Created Person responsible ( in that enter your SAP ID as office user)
  2.CJ20N - Maintained person responsible in Projects (WBS Elements)( the same you created in previous step)
  So whenever you are getting error message or warning message it will goto your business work place.
  3.Business Work Place - Maintained you manager email address for auto forward function
  In order to do that select the menu path settings -->office settings -->automatic forwarding
  Click create button
  Enter your manager mail address in forward to field and select U-->Inetrnet address and enter the time period.
  after this above settings ask your basis consultant to check the mail sending related settings in SCOT t code.
  If you carry out all the above steps the mail automatically reach your manager mail box.
  Please check and replay back
  Thanks
  S.Murali

• ChaRM security

  Hi,
  We are using ChaRM 7.0 (via workcenters) and are just starting to do some testing.
  We have created ChaRM security roles (ie. Tester, Developer, Change Manager) that we will be using.  Most of this security testing is going fine, however we have come across one issue that is holding us back a little.
  The scenario is a Change Manager (with Change Manager security role) gets assigned a Change Request for approval.  However, when this person goes into the workcenter, they can't see any Change Requests.  Other roles are seeing information in the workcenter with no problems.  We believe this has to do with authorisations because when we give that role the functions from anothe role, this starts working again.
  What should we be looking at from a security perspective to get this working?
  The other thing is I am using tcode CRM_DNO_MONITOR to view all CRs, however, I am unable to see any data when I execute this report.  I am not running any filters/layouts etc. so bit puzzled as to why this isn't working.
  Regards
  Shaun

  I would recommened running an Authorisation trace to find any problems with the authorisation of that role, which auth objects are accessed.  Do you have a custom Change Request transaction (i.e. ZDCR)? If so in your change manager role have you created the role with access to this change document.
  For example:
  Object: CRM_ORD_PR
  Business Transaction: ZDCR
  Paul

• ITSM & ChaRM Security Approach

  Hi Gurus,
  I am new to ITSM & ChaRM security. I have read lot of documentation about this but We don't want to use the standard template roles for ChaRM provided by SAP. We would like to customize roles from scratch based on testing/trace results to get accurate security access (no more or less access),
  Is this a good approach ? Which approach is normally used by companies whether they just copy standard roles and implement ?
  also, do we need to create business partner for all end users who can create support message?
  Regards,
  Salman

  thanks Andrey and Thorben.
  Andrey - We have a scenario where End users won't create incidents from solman but through satellite system via "Create support message" then our support desk team (Level2) will use the incident number and assign it to the team and support desk team can also create incidents directly through solman(so support desk team would definately need user id in solman and bp).
  Thorben - I am thinking of creating one single role per function group (like Change manager). Probably, I will end up creating not more than 6 - 10 single security roles per our function groups.
  1) End-User
  REQUESTER - who creates ticket - this is by default already there
  2) Support Desk
  (2nd level support) - who receives the ticket first or creates a new ticket and
  assigns Support team
  3) Support
  Team/ Message Processor - who process ticket and create Change Request
  4) Tech/Dev   - who updates Change Request with estimates, assigns
  developer etc. and sends it for approval - possibly CHARM
  CHANGE MANAGER without Approval capacity??
  5) Business
  Approver (NOT a CHANGE MANAGER) - should only have Change Request approval
  authorizations
  6) Developer -
  as SAP defined
  7) Tester - as
  SAP defined
  8) Operator/Basis - as SAP defined
  9) ADMIN - Together IM ADMIN and CHARM ADMIN

• Security procesing failed(actions mismatch) while invkng secure web-service

  Hi,
  This mail is to seek help from our Java community in a issue that we are currently facing with web service we have written in the application
  that I am currently working on. An early response in this is highly appreciated.
  I have implemented Java client to invoke the secure web-service(Signing and Encryption of SOAP Request). I am using the classes WSSecEncrypt & WSSecSignature for signing and encrypt the request.
  I did the signing and encryption for the SOAP request, invoked the Web-service. The server side received the request and sent the encrypted response. But I am getting an error in the client side while receiving the encrypted response.
  Client side :
  1) sign the SOAP reuqest with client private key
  2) Encrypt the request with server side public key
  3) invoke the web-service ( request sent to server and server sent the response) but getting error while reading the encrypted the response.
  Server side :
  1) receive the request
  2) decrypt the request, process the request
  3) encrypth the response and send to client
  I am getting the below exception exactly at below line (while getting encrypted response) and I have pasted the java client code below
  SOAPEnvelope resEnvelope = call.invoke(msg);
  Exception message :
  AxisFault
  faultCode: {http://schemas.xmlsoap.org/soap/envelope/}Server.generalException
  faultSubcode:
  faultString: security processing failed (actions mismatch)
  faultActor:
  faultNode:
  faultDetail:
  {http://xml.apache.org/axis/}hostname:apsp9097
  security processing failed (actions mismatch)
  at org.apache.axis.message.SOAPFaultBuilder.createFault(SOAPFaultBuilder.java:222)
  at org.apache.axis.message.SOAPFaultBuilder.endElement(SOAPFaultBuilder.java:129)
  at org.apache.axis.encoding.DeserializationContext.endElement(DeserializationContext.java:1087)
  at com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.endElement(AbstractSAXParser.java:601)
  at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanEndElement(XMLDocumentFragmentScannerImpl.java:1774)
  at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl$FragmentContentDriver.next(XMLDocumentFragmentScannerImpl.java:2930)
  at com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl.next(XMLDocumentScannerImpl.java:648)
  at com.sun.org.apache.xerces.internal.impl.XMLNSDocumentScannerImpl.next(XMLNSDocumentScannerImpl.java:140)
  at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanDocument(XMLDocumentFragmentScannerImpl.java:510)
  at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:807)
  at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:737)
  at com.sun.org.apache.xerces.internal.parsers.XMLParser.parse(XMLParser.java:107)
  at com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.parse(AbstractSAXParser.java:1205)
  at com.sun.org.apache.xerces.internal.jaxp.SAXParserImpl$JAXPSAXParser.parse(SAXParserImpl.java:522)
  at javax.xml.parsers.SAXParser.parse(SAXParser.java:395)
  at org.apache.axis.encoding.DeserializationContext.parse(DeserializationContext.java:227)
  at org.apache.axis.SOAPPart.getAsSOAPEnvelope(SOAPPart.java:696)
  at org.apache.axis.Message.getSOAPEnvelope(Message.java:435)
  at org.apache.axis.transport.http.HTTPSender.readFromSocket(HTTPSender.java:796)
  at org.apache.axis.transport.http.HTTPSender.invoke(HTTPSender.java:144)
  at org.apache.axis.transport.http.HTTPSender.readFromSocket(HTTPSender.java:727)
  at org.apache.axis.transport.http.HTTPSender.invoke(HTTPSender.java:144)
  at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
  at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
  at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
  at org.apache.axis.client.AxisClient.invoke(AxisClient.java:165)
  at org.apache.axis.client.Call.invokeEngine(Call.java:2784)
  at org.apache.axis.client.Call.invoke(Call.java:2767)
  at org.apache.axis.client.Call.invoke(Call.java:1870)
  at CallSecWS.main(CallSecWS.java:118)
  Java Code :
  Properties clinetProps = new Properties();               
            MessageContext msgContext = null;          
            System.setProperty("javax.xml.soap.MessageFactory", "org.apache.axis.soap.MessageFactoryImpl");          
            FileInputStream fis = new FileInputStream("C:\\crypto.properties");          
            clinetProps.load(fis);
            Crypto ClientCrypto = CryptoFactory.getInstance(clinetProps);
            //Creating Messaging Object
            InputStream inStream = new ByteArrayInputStream(soapMsg.getBytes());
            Message axisMsg = new Message(inStream);
            axisMsg.setMessageContext(msgContext);
  //creating envelople based on Message
            SOAPEnvelope envelope = axisMsg.getSOAPEnvelope();
  // Encrypting an signing the SOAP request
            WSSecEncrypt encrypt = new WSSecEncrypt();
            WSSecSignature sign = new WSSecSignature();
  // Set the encryption and signging details
            encrypt.setUserInfo("serverpublickey");     
            String strProvateKey = clinetProps.getProperty("org.apache.ws.security.crypto.merlin.keystore.alias");
            String password = clinetProps.getProperty("org.apache.ws.security.crypto.merlin.keystore.password");
            sign.setUserInfo(strProvateKey,password);     
  // Creating the header
            Document doc = envelope.getAsDocument();     
            WSSecHeader secHeader = new WSSecHeader();
            secHeader.insertSecurityHeader(doc);
       // Dcoument ment signed and encrypted
            Document encryptedDoc = encrypt.build(doc, ClientCrypto, secHeader);
            System.out.println("After Encryption....");
            Document encryptedSignedDoc = sign.build(encryptedDoc, ClientCrypto, secHeader);
       Message msg = (Message) toSOAPMessage(encryptedSignedDoc);
       System.out.println(msg.getSOAPPartAsString() );
  // Encryption and signing done and invoking the secure web-service
            String endpoint = "http://sys.ws.com/services/SecureService";
            Service service = new Service();
            Call call = (Call) service.createCall();
            call.setTargetEndpointAddress( new java.net.URL(endpoint) );
            call.setOperationStyle(org.apache.axis.constants.Style.MESSAGE);
  // Sender handler
            WSDoAllSender send = new WSDoAllSender();     
            send.setOption( WSHandlerConstants.SIG_PROP_FILE , "crypto.properties" );
            send.setOption( WSHandlerConstants.SIG_KEY_ID, "DirectReference" );
            send.setOption( WSHandlerConstants.ACTION, WSHandlerConstants.ENCRYPT +" " + WSHandlerConstants.SIGNATURE );
            send.setOption( WSHandlerConstants.USER, "PrivateKey" );     
            send.setOption( WSHandlerConstants.ENCRYPTION_USER, "serverpublickey");     
            send.setOption( WSHandlerConstants.PW_CALLBACK_CLASS,com.client.B2BCallBack.class.getName() );     
  // Receiver handler
            WSDoAllReceiver recv = new WSDoAllReceiver();
            recv.setOption( WSHandlerConstants.ACTION, WSHandlerConstants.SIGNATURE+ " " + WSHandlerConstants.ENCRYPT );
            recv.setOption( WSHandlerConstants.SIG_PROP_FILE, "crypto.properties" );
            recv.setOption( WSHandlerConstants.SIG_KEY_ID, "DirectReference" );
            recv.setOption( WSHandlerConstants.PW_CALLBACK_CLASS,com.client.B2BCallBack.class.getName() );          
            recv.setOption( WSHandlerConstants.ENCRYPTION_USER ,"serverpublickey");
            // Setting the handlers          
  call.setClientHandlers(send, recv);
            System.out.println("Set the all parameters");
  // Invoking the web-service.
            SOAPEnvelope resEnvelope = call.invoke(msg);
  public static SOAPMessage toSOAPMessage(Document doc) throws Exception
       Canonicalizer c14n = Canonicalizer.getInstance(Canonicalizer.ALGO_ID_C14N_WITH_COMMENTS);
       byte[] canonicalMessage = c14n.canonicalizeSubtree(doc);
       ByteArrayInputStream in = new ByteArrayInputStream(canonicalMessage);
       MessageFactory factory = MessageFactory.newInstance();
       return factory.createMessage(null, in);
  Thanks
  J Ashok
  Edited by: 846090 on Mar 21, 2011 11:34 AM

  Hi,
  This mail is to seek help from our Java community in a issue that we are currently facing with web service we have written in the application
  that I am currently working on. An early response in this is highly appreciated.
  I have implemented Java client to invoke the secure web-service(Signing and Encryption of SOAP Request). I am using the classes WSSecEncrypt & WSSecSignature for signing and encrypt the request.
  I did the signing and encryption for the SOAP request, invoked the Web-service. The server side received the request and sent the encrypted response. But I am getting an error in the client side while receiving the encrypted response.
  Client side :
  1) sign the SOAP reuqest with client private key
  2) Encrypt the request with server side public key
  3) invoke the web-service ( request sent to server and server sent the response) but getting error while reading the encrypted the response.
  Server side :
  1) receive the request
  2) decrypt the request, process the request
  3) encrypth the response and send to client
  I am getting the below exception exactly at below line (while getting encrypted response) and I have pasted the java client code below
  SOAPEnvelope resEnvelope = call.invoke(msg);
  Exception message :
  AxisFault
  faultCode: {http://schemas.xmlsoap.org/soap/envelope/}Server.generalException
  faultSubcode:
  faultString: security processing failed (actions mismatch)
  faultActor:
  faultNode:
  faultDetail:
  {http://xml.apache.org/axis/}hostname:apsp9097
  security processing failed (actions mismatch)
  at org.apache.axis.message.SOAPFaultBuilder.createFault(SOAPFaultBuilder.java:222)
  at org.apache.axis.message.SOAPFaultBuilder.endElement(SOAPFaultBuilder.java:129)
  at org.apache.axis.encoding.DeserializationContext.endElement(DeserializationContext.java:1087)
  at com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.endElement(AbstractSAXParser.java:601)
  at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanEndElement(XMLDocumentFragmentScannerImpl.java:1774)
  at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl$FragmentContentDriver.next(XMLDocumentFragmentScannerImpl.java:2930)
  at com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl.next(XMLDocumentScannerImpl.java:648)
  at com.sun.org.apache.xerces.internal.impl.XMLNSDocumentScannerImpl.next(XMLNSDocumentScannerImpl.java:140)
  at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanDocument(XMLDocumentFragmentScannerImpl.java:510)
  at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:807)
  at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:737)
  at com.sun.org.apache.xerces.internal.parsers.XMLParser.parse(XMLParser.java:107)
  at com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.parse(AbstractSAXParser.java:1205)
  at com.sun.org.apache.xerces.internal.jaxp.SAXParserImpl$JAXPSAXParser.parse(SAXParserImpl.java:522)
  at javax.xml.parsers.SAXParser.parse(SAXParser.java:395)
  at org.apache.axis.encoding.DeserializationContext.parse(DeserializationContext.java:227)
  at org.apache.axis.SOAPPart.getAsSOAPEnvelope(SOAPPart.java:696)
  at org.apache.axis.Message.getSOAPEnvelope(Message.java:435)
  at org.apache.axis.transport.http.HTTPSender.readFromSocket(HTTPSender.java:796)
  at org.apache.axis.transport.http.HTTPSender.invoke(HTTPSender.java:144)
  at org.apache.axis.transport.http.HTTPSender.readFromSocket(HTTPSender.java:727)
  at org.apache.axis.transport.http.HTTPSender.invoke(HTTPSender.java:144)
  at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
  at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
  at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
  at org.apache.axis.client.AxisClient.invoke(AxisClient.java:165)
  at org.apache.axis.client.Call.invokeEngine(Call.java:2784)
  at org.apache.axis.client.Call.invoke(Call.java:2767)
  at org.apache.axis.client.Call.invoke(Call.java:1870)
  at CallSecWS.main(CallSecWS.java:118)
  Java Code :
  Properties clinetProps = new Properties();               
            MessageContext msgContext = null;          
            System.setProperty("javax.xml.soap.MessageFactory", "org.apache.axis.soap.MessageFactoryImpl");          
            FileInputStream fis = new FileInputStream("C:\\crypto.properties");          
            clinetProps.load(fis);
            Crypto ClientCrypto = CryptoFactory.getInstance(clinetProps);
            //Creating Messaging Object
            InputStream inStream = new ByteArrayInputStream(soapMsg.getBytes());
            Message axisMsg = new Message(inStream);
            axisMsg.setMessageContext(msgContext);
  //creating envelople based on Message
            SOAPEnvelope envelope = axisMsg.getSOAPEnvelope();
  // Encrypting an signing the SOAP request
            WSSecEncrypt encrypt = new WSSecEncrypt();
            WSSecSignature sign = new WSSecSignature();
  // Set the encryption and signging details
            encrypt.setUserInfo("serverpublickey");     
            String strProvateKey = clinetProps.getProperty("org.apache.ws.security.crypto.merlin.keystore.alias");
            String password = clinetProps.getProperty("org.apache.ws.security.crypto.merlin.keystore.password");
            sign.setUserInfo(strProvateKey,password);     
  // Creating the header
            Document doc = envelope.getAsDocument();     
            WSSecHeader secHeader = new WSSecHeader();
            secHeader.insertSecurityHeader(doc);
       // Dcoument ment signed and encrypted
            Document encryptedDoc = encrypt.build(doc, ClientCrypto, secHeader);
            System.out.println("After Encryption....");
            Document encryptedSignedDoc = sign.build(encryptedDoc, ClientCrypto, secHeader);
       Message msg = (Message) toSOAPMessage(encryptedSignedDoc);
       System.out.println(msg.getSOAPPartAsString() );
  // Encryption and signing done and invoking the secure web-service
            String endpoint = "http://sys.ws.com/services/SecureService";
            Service service = new Service();
            Call call = (Call) service.createCall();
            call.setTargetEndpointAddress( new java.net.URL(endpoint) );
            call.setOperationStyle(org.apache.axis.constants.Style.MESSAGE);
  // Sender handler
            WSDoAllSender send = new WSDoAllSender();     
            send.setOption( WSHandlerConstants.SIG_PROP_FILE , "crypto.properties" );
            send.setOption( WSHandlerConstants.SIG_KEY_ID, "DirectReference" );
            send.setOption( WSHandlerConstants.ACTION, WSHandlerConstants.ENCRYPT +" " + WSHandlerConstants.SIGNATURE );
            send.setOption( WSHandlerConstants.USER, "PrivateKey" );     
            send.setOption( WSHandlerConstants.ENCRYPTION_USER, "serverpublickey");     
            send.setOption( WSHandlerConstants.PW_CALLBACK_CLASS,com.client.B2BCallBack.class.getName() );     
  // Receiver handler
            WSDoAllReceiver recv = new WSDoAllReceiver();
            recv.setOption( WSHandlerConstants.ACTION, WSHandlerConstants.SIGNATURE+ " " + WSHandlerConstants.ENCRYPT );
            recv.setOption( WSHandlerConstants.SIG_PROP_FILE, "crypto.properties" );
            recv.setOption( WSHandlerConstants.SIG_KEY_ID, "DirectReference" );
            recv.setOption( WSHandlerConstants.PW_CALLBACK_CLASS,com.client.B2BCallBack.class.getName() );          
            recv.setOption( WSHandlerConstants.ENCRYPTION_USER ,"serverpublickey");
            // Setting the handlers          
  call.setClientHandlers(send, recv);
            System.out.println("Set the all parameters");
  // Invoking the web-service.
            SOAPEnvelope resEnvelope = call.invoke(msg);
  public static SOAPMessage toSOAPMessage(Document doc) throws Exception
       Canonicalizer c14n = Canonicalizer.getInstance(Canonicalizer.ALGO_ID_C14N_WITH_COMMENTS);
       byte[] canonicalMessage = c14n.canonicalizeSubtree(doc);
       ByteArrayInputStream in = new ByteArrayInputStream(canonicalMessage);
       MessageFactory factory = MessageFactory.newInstance();
       return factory.createMessage(null, in);
  Thanks
  J Ashok
  Edited by: 846090 on Mar 21, 2011 11:34 AM

• Yesterday, since I downloaded the lastest version 3.6.6, every time firefox opens and when I click on something, I get multiple error windows that say "ERROR: Security Manager Vetoed Action. I can't hardly use if anymore because of all the window pop-ups

  Yesterday, since I downloaded the latest version 3.6.6, every time firefox opens and when I click on something, I get multiple error windows that say "ERROR: Security Manager Vetoed Action". I can't hardly use if anymore because of all the window pop-ups. What can I do? Can I go back to an older version?
  == This happened ==
  Every time Firefox opened
  == I downloaded version 3.6.6 yesterday

  hello, when this is happening after you've already updated firefox with your admin account, try to delete the ''updates'' folder and ''active-update.xml & updates.xml'' within the %localappdata% folder of your restricted account like it is described in http://kb.mozillazine.org/Software_Update#Software_Update_not_working_properly

• Controlling user actions without ADF Security

  Hi!
  I have an application in which we use J2EE security, and therefore we have user accounts that can be managed by, in our case, the OID. We have not implemented ADF security yet, because that means we will have to import all kinds of permissions to a suitable place in the OID, and there is no time yet to investigate how to do that (especially how to migrate it to a node in the OID where we want the info, not the default way).
  Now I have a requirement to make a JSF screen with an input form read only, based on either a user role or a parameter being populated or not.
  I know that I can achieve this by modifying all ReadOnly and Disabled properties of the controls and put an EL expression in there, but I would rather do this on a higher level. Is it possible to make a whole iterator or form read-only with EL or using backing beans?
  Regards,
  Jeroen van Veldhuizen

  Jeroen,
  You could certainly write some code in a backing bean that would iterate over all the children of the form and set the property. Without using ADF security (which would let you do it on the iterator level - much preferred, but more work), I cannot think of another way other than setting readOnly/disabled on each individual control.
  You can iterate over the children of a component using something like this:
      UIComponent target;
      List children;
      int i, cnt;
      children = target.getChildren();
      cnt = target.getChildCount();
      for (i = 0; i < cnt; i++)
        // do whatever here
      }Hope this helps,
  John

• System and security control panel

  Could someone with a W520 take a screenshot of the lenovo apps in their "system and security" section of control panel please. I am doing a ground up install from bare windows 7 to get rid of the preloaded SQL server 2005 and adding back the programe I want.
  Just want to seee what came preloaded.
  Thanks

  njb,
  Why not just run the ThinkVantage System Update and let it install as usual. You can also "un-check" those drivers that you don't want to install.
  *Non Lenovo employee*
  I have a Y2P (i5) ... Feel free to ping me if you want me to test some applications with your Y2P if you have the same model. I don't mind keep doing recovery on it if needed .... =)

• Oracle Security - Controlling the 'alter user' privilege

  Hi,
  1. DB 10.1.0.5 and 10.2.0.3
  2. "Admin User" needs to be able to change some users passwords in database.
  3. Create user adminuser - grant alter user to adminuser.
  4. DBAs will grant "approle" role to list of required users. DBAs will maintain control of who gets this role.
  4. Create system trigger on alter database - will prevent "adminuser" from changing passwords for accounts not authorized - Script does not fire for DBAs and anyone changing their own password.
  The trigger works as intended - the "adminuser" account can only change the specific set of users.
  Question: We've discovered that the "adminuser" can also use the "alter user" privilege to change default tablespace and tablespace quota. User should only be able to change password.
  Anyone have ideas on adding to the trigger to make sure the "adminuser" is only altering the password?
  I am playing with the ora_is_alter_column system event, thinking that maybe the password column in user$ would be changed but so far I can't get this to work: Here is my trigger --
  CREATE OR REPLACE TRIGGER SYS.PASSWORD_CONTROL AFTER ALTER ON DATABASE
  DECLARE
  DBACHK varchar2(50);
  USRCHK varchar2(50);
  BEGIN
  BEGIN
  -- Ensure users can change their own passwords --
  IF
  ora_login_user = ora_dict_obj_name
  THEN
  RETURN;
  ELSE
  -- Do not apply trigger to DBA group --
  select grantee into DBACHK from dba_role_privs where granted_role='DBA'
  and grantee = ora_login_user;
  IF
  DBACHK = ora_login_user
  THEN
  RETURN;
  END IF;
  END IF;
  EXCEPTION
  WHEN NO_DATA_FOUND
  THEN
  NULL;
  END;
  BEGIN
  select grantee into USRCHK from dba_role_privs where
  granted_role='DISCUSR' and grantee = ora_dict_obj_name;
  IF
  ora_dict_obj_type = 'USER'
  and ora_dict_obj_name = USRCHK
  ---- Need to check that only the password is being change -- the line below does not work
  and ora_is_alter_column('PASSWORD') = TRUE
  THEN
  RETURN;
  ELSE
  RAISE_APPLICATION_ERROR(-20003,
  'You are not allowed to alter user.');
  END IF;
  EXCEPTION
  WHEN NO_DATA_FOUND
  THEN
  RAISE_APPLICATION_ERROR(-20003,
  'You are not allowed to alter user.');
  END;
  END;

  user602453 wrote:
  Ed, thank you for your reply. But, let me explain in more detail.
  More detail is always helpful. ;-)
  >
  A specific user has been assigned as the application administrator. This admininstrator is responsible for reseting application user passwords. The DBA (me) recognizes the DB security issues so I am trying to craft a solution that will allow the application administrator the ability to change only the password of the application users.
  I see that this may be out your hands, but I'd still question the wisdom of having an apps administrator being the one to change user passwords. Especially if that were a model where the users couldn't change their own passwords. I might accept it if the app admin were acting more of a helper to a clueless user.
  Since the only way to change user passwords is to grant the 'alter user' privilege I need a system trigger to keep the user from changing non-application user passwords. Also, because I support nearly 100 production databases that support about 35 different applications I need a solution that can apply to multiple databases. I've been assured that there will only be one administrator charged with resetting passwords.
  So,
  Given those requirements, I have this trigger that will allow the the specific administrator to change the password of a specific set of user while not impacting DBAs or people wanting to change their own password. The way I've implemented this is to create a "dummy" role and assigning the role to the application user. The trigger will allow the administrator to change the password only if the user has the role assigned. The role has no privileges, it is just a way to "mark" the user as an application user. The administrator cannot grant this "dummy" role, only the DBA can.
  Hope that clears things up.I still see another problem in that it still comes back to the dba to create the apps user in the first place, and to assign that dummy role to the user. Also, I'd hope that this proposed apps admin user is a role assigned to a real user. If not, as I mentioned before, you have no real accountability to who is using that account. Simply saying "it shall not be shared", even if written in corporate policy, won't secure it, and you won't be able to trace it. Well, you could turn on auditing and capture the OS userid in the audit log.

• Controlling Plan "Action"  Recommendations

  Question for Kevin and other experts,
  While running ASCP unconstrained plans, when we have purchase order supplies in the future and no corresponding demands, the plan comes with a recommendation of action = "Cancel" on these supplies.
  Let's assume our planners do not want to go ahead with this "Cancel" recommendation, as they expect some demand to come in for these items, and these are long lead times and we would like to keep the purchase orders as is.
  When we invoke the Horizontal plan for this Item, the Horizontal plan does not seem to consider the supplies with action of "Cancel" in the Projected Available Balance calculations. (show quantity of 0 on those buckets). However when we double click on the zero quantity it pulls up the corresponding uncancelled purchase orders in that period.
  If I update the disposition status type on MSC_SUPPLIES to null from 2 on these purchase orders (disposition_status_type =2 , means that the plan recommended to cancel them) and then invoke horizontal plan again, the Projected available balance takes into consideration the purchase order quantity.
  My question:
  Is there any way from the workbench, we could flag the supplies marked by the plan as recommended for cancellation, as overridden by the planner. (We already tried "firming" and that doesnt make a difference)
  Thanks
  Raghav

  Hi
  The ideal situation is if you can expose the demand that planners are expecting for these items either in form of forecast of safety stock to avoid any workarounds.
  If this isn't feasible to do, you may make these PO firm as suggested before in ERP if you don't want Plan to recommend any changes or use Planning Time Fence option at purchase part.
  I still believe that keeping the system aware of demand corressponding to these supplies is the best scenario in long run since any impact of changes to these demands can then be assessed by the system and acted upon by planners. This will avoid planners mistakenly building more supplies than needed and can provide some level of control and visibility to these phantom/ ghost demands.
  Thanks
  Navneet Goel

• Security issues with action commands....

  Hi
  I have a webapplication that under its context has two diffenent
  maps, one is admin and the other one is user.
  I use an ActionRouter and has actions like list-clients.do.
  The admin map is restricted area described in web.xml.
  You have to be in AdminRole to get access.
  My problem is that if I log in as user, I can "shoot" actions commands
  like list-clients.do from the user area and Servlet maps to the proper
  jsp that is in the admin map. When I then try isUserInRole and so on
  there is only a quetstionmark. If I run from admin area the isUserInRole
  knows who is logged in.
  I put in the list-clients.do in the url like: http://myplace.com/users/list-clients.do and servlet reply with jsp from
  admin area.
  Anybody know why not the restricted area declared in the web.xml file
  works during that condition, and how to solve this?
  Im working with Tomcat 4.1 and use SingleSignOn.
  Heres my web.xml
  <?xml version="1.0" encoding="UTF-8"?>
  <!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "http://java.sun.com/dtd/web-app_2_3.dtd">
  <web-app>
  <filter>
  <filter-name>loginfilter</filter-name>
  <filter-class>argus.web.util.LoginFilter</filter-class>
  </filter>
  <filter-mapping>
  <filter-name>loginfilter</filter-name>
  <url-pattern>/admin/*</url-pattern>
  </filter-mapping>
  <filter-mapping>
  <filter-name>loginfilter</filter-name>
  <url-pattern>/user/*</url-pattern>
  </filter-mapping>
  <servlet>
  <servlet-name>action</servlet-name>
  <servlet-class>argus.web.servlet.ActionServlet</servlet-class>
  </servlet>
  <servlet>
  <servlet-name>setup</servlet-name>
  <servlet-class>argus.web.servlet.SetupServlet</servlet-class>
  <load-on-startup>1</load-on-startup>
  </servlet>
  <servlet-mapping>
  <servlet-name>action</servlet-name>
  <url-pattern>*.do</url-pattern>
  </servlet-mapping>
  <session-config>
  <session-timeout>0</session-timeout>
  </session-config>
  <security-constraint>
  <display-name>ArgusAdmin</display-name>
  <web-resource-collection>
  <web-resource-name>AdminAdaptor</web-resource-name>
  <url-pattern>/admin/*</url-pattern>
  <http-method>GET</http-method>
  <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
  <role-name>ArgusAdmin</role-name>
  </auth-constraint>
  </security-constraint>
  <security-constraint>
  <display-name>ArgusUser</display-name>
  <web-resource-collection>
  <web-resource-name>UserAdaptor</web-resource-name>
  <url-pattern>/user/*</url-pattern>
  <url-pattern>/index.htm</url-pattern>
  <http-method>GET</http-method>
  <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
  <role-name>ArgusAdmin</role-name>
  <role-name>ArgusUser</role-name>
  </auth-constraint>
  </security-constraint>
  <login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
  <form-login-page>/login.htm</form-login-page>
  <form-error-page>/loginError.htm</form-error-page>
  </form-login-config>
  </login-config>
  <security-role>
  <role-name>ArgusAdmin</role-name>
  </security-role>
  <security-role>
  <role-name>ArgusUser</role-name>
  </security-role>
  </web-app>
  Many Thanks
  Ben

  I found them in my firewall list on my Windows 8.1 Pro installation and posted a question on a forum as well, though I don't think it was here.  I don't believe anyone ever answered.
  It looks as though these are parts of the bundled virtual private networking clients.
  Note, for example, the "distributed by Microsoft as part of Windows 8.1" wording on this page:
  http://www.sonicwall.com/app/projects/file_downloader/document_lib.php?t=PG&id=605
  -Noel
  Detailed how-to in my eBooks:  
  Configure The Windows 7 "To Work" Options
  Configure The Windows 8 "To Work" Options

• Documentation for SolMan / ChaRM Security Rolls / Authorizations

  Good Day;
  I am currently setting up all the roles / authorizations for the different areas within Solution Manager / ChaRM.
  I have been looking for a u201Cdetailedu201D document on all the security authorizations for Solution Manager / ChaRM. So far the only document I am able to find is the Security Guide for SAP Solution Manager 4.0 as of SP 15.
  If there are more detailed documents, would someone point me in the right direction.
  Regards
  Don

  Thanks Roel;
  I am looking at user role authorizations.
  The first thing I want to setup is the Team leader roles.
  I need the team leader to have the ability to do the following
  1.Create Issues
  2.Create change requests
  3.Change the status of a change request to u201CIn Developmentu201D
  4.Create transports and tasks
  5.Release transports
  The Team leader will not have the authorization to u201Capprove u201C change requestsu201D 
  Thanks Again
  Regards
  Don

• Controlling Corrective Actions from Cloud Control 12c

  Hi Experts
  we have setup corrective actions on some process that runs on our host
  is there a way we can control the corrective action when in case or maintenance...
  Example: if the host is down for maintenence prupose how can we stop corrective actions script to kick off and stop sending notification from the cloud control 12c.
  Thanks
  Edited by: TechAdmin on Nov 12, 2012 9:32 AM

  Blackouts can be used to disable collections during maintenance cycles.
  http://docs.oracle.com/cd/E24628_01/doc.121/e24473/emctl.htm#BABHFDII