Compass Server and Access Control

Hello,
I would like to know the following: Is it possible to make an entry in the db-schema for the authentication for reading an article? E.g. I make an entry with number 1 for an article. Only users who have an entry in LDAP with number 1 can gain access to this article. I hope you know what I mean! :-)

I am using WL9.2 MP2. I am starting my servers in production mode. Below is the log configuration:
    <log>
      <file-name>logs/myservera_%yyyy%-%MM%-%dd%-%HH%-%mm%.log</file-name>
      <rotation-type>bySize</rotation-type>
      <number-of-files-limited>true</number-of-files-limited>
      <file-count>10</file-count>
      <file-min-size>20</file-min-size>
      <rotate-log-on-startup>true</rotate-log-on-startup>
      <log-file-rotation-dir>/archive/myserver/</log-file-rotation-dir>
      <log-file-severity>Debug</log-file-severity>
      <redirect-stdout-to-server-log-enabled>true</redirect-stdout-to-server-log-enabled>
    </log>
My domain does not reside in the default BEA_HOME.. user_domain directory. I created it in /work/mydomain. I noticed that if I were to rotate it to any directory under /work, the rotation works. But if I rotate it out, in this case to the /archive directory, it does not work. I have checked the file permissions of the /archive directory; I could use my weblogic user to touch a file in the /archive directory.

Similar Messages

  • User management and Access Control in HCM Cloud

    Hello,
    Information is scarce about User management and Access Control in Oracle Cloud generally. Today, I have two questions :
    - How can I bridge the HCM Cloud user store with my on-premise IDM or security repository in order to allow identity governance to flow to the HCM Cloud service?
    The only information I got was that you can declare my users manually and by bulk import through files. This is not really interesting as I have an automatic IDM with workflows and identity control on provisioning and de-provisioning.
    Is there an SPML or proprietary endpoint to do it automatically? What are the prerequisites? Do I have to implement OIM on my side?
    - Once my users are created, how can I do webSSO from my internal security repositories to the HCM Cloud service?
    I do not want to distribute a new set of logins / passwords to my users. Is it possible to do Identity Federation (SAML 2.0 or WS-Fed) with the HCM Cloud service? What are the prerequisites? Do I have to implement OAM on my side?
    I accept all pieces of information you can give me on this topic to help me understand the functionalities, limits and options offered by Oracle Cloud and more precisely by the HCM Cloud service.
    Best regards,

    OIDDAS has limited capability of access control and information hiding. Presently, the permissions and privileges can be set at a realm level, and fine grained access control / information hiding cannot be done.
    At present, the only way to restrict view and access control is by applying ACLs (which is not the safest bet).

  • Installing program on server and access it from mac workstation

    Hi
    How can I install a program on a Mac server and access that program from a Mac workstation?
    On Windows server you use the remote app manager application to do this. Is there something similar on Mac?

    Hi,
    - This isn't exactly what you are asking for but there is an App: /System/Library/Coreservices/Screen Sharing.app on the Mac which is similar in operation to Terminal Services Client but is based on VNC.
    - Thus it will be a whole user's logon session which would run on the Mac server.
    I haven't used Screen Sharing.app on a large scale deployment of clients connecting to an OS X Server.
    Hope this helps

  • Inside Identity and Access Control products

    Hello,
    For the past few months I was working on a blog which can help understanding under the hood of identity and access control products. Please have a look into it and let me know how to improve the contents.
    http://identitycontrol.blogspot.com

    Latest Topics
    1) Video of Federated Access Control
    2) RSA Conference 2007

  • Inside identity and access control products : blog

    Friends,
    Visit my blog http://identitycontrol.blogspot.com to get the inside workings of the identity and access control products. My effort here is to explain the insides in simple language.
    The latest topic I added is "SAML in action"
    Please post your comments also so I can improve the contents.
    Thanks

    Thanks a lot idmguru!!
    your efforts are simply awesome..
    -Yash Bansal

  • Inside of idm and access control products

    Hello Friends,
    For the past few months I was working on a blog where I shared my past experiences with the IAM products, new technologies and problems faced in the products at a conceptual level. I thought of sharing that with an experienced team of technocrats like you. Please have a look into this and let me know how I can improve this.
    blog URL --> http://identitycontrol.blogspot.com/
    Thanks
    idmguru

    Friends,
    Visit my blog http://identitycontrol.blogspot.com to get the inside workings of the identity and access control products. My effort here is to explain the insides in simple language.
    The latest topic I added is "SAML in action"
    Please post your comments also so I can improve the contents.
    Thanks

  • War file and access control with WebLogic

    I am trying to put some access control on different files in my war-file, but just can't get it to work... It seems like all roles defined in weblogic.properties gives the user access to all files in the war. I just don't understand the connections between the security realm, the weblogicURL.policy file and the web.xml file... If I do not specify a weblogic.security.URLAclFile, no access control is done at all.
    This is how my weblogic.properties file looks like:
    weblogic.security.URLAclFile=e:\\weblogic\\weblogicURL.policy
    weblogic.password.koko=kokokoko
    weblogic.password.arnebelinda=arne1234
    weblogic.security.group.ppuseradmins=arnebelinda
    and my weblogicURL.policy:
    deny Principal weblogic.security.acl.GroupImpl "everyone" {
    Permission weblogic.security.acl.URLAcl "weblogic.url", "/admin/-";
    and finally, my web.xml-file:
    <!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN"
    "http://java.sun.com/j2ee/dtds/web-app_2_2.dtd">
    <web-app>
         <session-config>
              <session-timeout>30</session-timeout>
         </session-config>
         <welcome-file-list>
              <welcome-file>index.jsp</welcome-file>
         </welcome-file-list>
         <security-constraint>
              <web-resource-collection>
                   <web-resource-name>admin</web-resource-name>
                   <url-pattern>index.jsp</url-pattern>
              </web-resource-collection>
              <auth-constraint>
                   <role-name>ppuseradmins</role-name>
              </auth-constraint>
         </security-constraint>
         <login-config>
              <auth-method>BASIC</auth-method>
              <realm-name>WebLogic Server</realm-name>
         </login-config>
         <security-role>
              <role-name>ppuseradmins</role-name>
         </security-role>
    </web-app>
    It does not matter which user is part of the ppuseradmins group. The user koko is not a member, but is given access to my whole .war anyway (after submitting correct username/password). Omitting the <realm-name> does not seem to work either; the default realm is not used, instead null is used.
    Does anybody have a clue? I would really appreciate it!
    I am using WebLogic 5.1 sp 9
    best regards,
    PJ

    In your policy file entry, you have specified "/admin/-"
    However, in the <security-constraint> element in web.xml, your <url-pattern> is not set to /admin
    Could that be the problem ?

  • Computer Lists and Access Control

    Hi
    I've got OS/X Server 10.4.6 set up to be an OD master and have several Linux boxes authenticating to it using Kerberos.
    Currently, all OD users can login to all the linux boxes, but I'm trying to restrict access to some boxes to a group of users.
    I've tried creating a computer list and putting a linux server in this list, then adding entries to the 'access tab' but this doesn't seem to work.
    All users can still login to these 'access controlled' servers, in effect the list is ignored.
    Has anyone got this working or can shed some light on what I'm doing wrong ?
    Thanks,
      Mac OS X (10.4.6)  

    Hi, Tropic
    You must load the class into a jar file.
    Then you must sign the jar file by means of the jarsigner utility provided by the Java SDK.
    Here is a sample script to do it.
    javac SomeApplet.java
    jar cvf SomeJarFile.jar SomeApplet.class
    keytool -genkey -keystore SomeStoreFile -keyalg rsa -dname "CN=May BeYour Name, OU=IT Dept., O=Company Name, L=Your Location, ST=Your State, C=Your Country" -alias YourAlias -validity 365 -keypass YourPassowrd -storepass storePasswd
    jarsigner -keystore SomeStoreFile -storepass storePasswd -keypass YourPassowrd -verbose SomeJarFile.jar YourAlias
    Regards,

  • EJB and access controll???

    Hi all,
    I have a question about access control via EJB,
    For example, I have a client application and on start I will prompt the user for user name and password, and now what do I do with this information, how do I pass it to the EJB server, or??? Or maybe some of you have a link to a tutorial as an answer? My EJB will access a database and I want to use the access control from the database.
    Thank you in advance.

    Hi Eshwa,
    thank you for your reply, I found a nice developer guide on the link that you gave me, but I still have a problem with understanding the practical way to pass user information from the client application to the EJB server. Maybe you can give me a piece of code or a small example, where 2 Strings (user name and password) are obtained and sent to the EJB server to be authenticated, and then to have access to the resources that are accessible for this user (described in the deployment description user - role).
    Anyway thank you again.
    Best regards Alexander Hincu .

  • Nintex Workflow and Access Control

    Hello, can anybody help with getting owner permissions on Nintex workflows in Sharepoint 2010 with Powershell.
    I also want to ask your opinion about Access control in Sharepoint 2010. Should all Access Control like AD, Sharepoint, Titus be in the hands of Administrator or some of it like Titus be in the hand of the Developers.
    Best Regards Olafur_s
    Icelandic DBA admin

    Hello Hemendra,
    Thank you for your answer. I have developers that create sites and lists and they are all Site Collection admin. The problem is that they can go everywhere they want and look into all kinds of sensitive information and do all that they want to do. So basically they are running the system.
    I am new to Sharepoint as an admin but I have experience in other systems like AD, Exchange, SQL. The evolution of this Sharepoint system here brought it to the point that the developers have too much admin rights and the system is not working well. I am trying to find the fine line between the Administration part, my work, and the developers part and not stepping on the developers' toes.
    Best regards Olafur_s
    Icelandic DBA admin

  • Qs About SQL Server and RoboSource Control

    Hi. I have two questions:
    (1) Will the SQL Server Compact edition work as the db used
    for RoboSource Control? I know that it has a limit of 4 GB.
    (2) Do I have to install a copy of RoboHelp (and, thus, of
    the RoboSource Server Configuration Utility) onto the network
    server where my SQL database is located, or can I configure the SQL
    database remotely from one of the client machines?
    Thanks!

    Hi. Yes, you are correct that the "RSC Server" is really just
    a SQL db that you have modified using the RSC Database
    Configuration tool.
    We are working on a client project from several
    locations--some people are at the client site sometimes, some
    people are at home sometimes, and some people are at our company
    site sometimes. The client software that we are documenting
    requires us to be connected to the client VPN if we are not at the
    client site. However, we would like to store the RH files on our
    company server, which can be VPN'd into from either our client site
    or from home.
    Apparently the VPNs will pass the IP/HTTP protocols that
    SQL/RSC uses. What we'd have to do is log into the company VPN (if
    necessary) at the beg of the day, use the "offline" feature of RSC
    to check out the documents, and then log off the company VPN and
    onto the client VPN to access the software we are documenting. Then
    reverse the process at the end of the day or whenever.
    However, our company doesn't want to install SQL on our
    storage machine which is just a file server. And we don't want to
    store it on the client site, either. (We're just documentation and
    training, after all, not real software developers.)
    One alternative to using RSC is to use merged projects, since
    each tech writer will only be working on one section of the
    documentation at a time. However, I'm concerned about context
    sensitivity and merged projects. I found a good discussion where
    one of the Peters (the two gurus on here who are named Peter) gave
    an extensive description of how to do CS with merged projects.
    However, someone reported that they couldn't get it to work using
    RH7.
    As a relatively novice (though technically inclined) user, I
    would like to avoid the issues with merged projects and CS.
    Therefore, I think what I'm going to do is store the RSC server on
    my local machine and check out the documents for tech writers
    myself, then check them back in when the writer is done.
    I'm testing today and I will report back on my results.
    Thanks for your responsiveness and let me know if you have
    any opinions on this!
    HKB

  • Getting error in starting identity server and access server in OAM

    Hi all,
    I am new to OAM. Now I am trying to do SSO for two different resources. I completed the installations, but now, while starting the identity server, the error is "oracle access manager identity server services on local computer started and then stopped .some services stop automatically if they have no work to do , for example, the performance logs and alters service". And while starting the access server the error is "could not start the oracle access manager access server service on local computer. error 1067: the process terminated unexpectedly". Could anyone please give me a solution for this error?

    Hi Pokuri,
    Perhaps the Identity Server's oblog.log file has some helpful information in it. One possibility: is the ldap server that the Identity Server uses up and running (and visible on the network)?
    Regards,
    Colin

  • 2-way SSL and access control using the client certificate

    Hi,
    I'd like to configure WLS 8.1 so that the server will use the client identity extracted from the client certificate to determine whether permissions should be granted. I am having some problems.
    Details: The client can be either a Web service or a web application. The steps for authentication and authorization should be:
    - The client sends a request to an Apache server (DMZ) which will then be forwarded to WLS.
    - The client's identity, common name from the X.509 certificate, is mapped to the "username" (using WLS default identity assertion provider).
    - Validate whether the client should be trusted (via the list in the trusted credentials)
    - Check whether the resource should be granted based on the "username".
    The on-line manual says
    "If the Web browser or Java client requests a WebLogic Server resource protected by a security policy, WebLogic Server requires that the Web browser or Java client have an identity."
    "The user corresponding to the Subject's Distinguished Name (SubjectDN) attribute in the client's digital certificate must be defined in the server's security realm; otherwise the client will not be allowed to access a protected WebLogic resource. For information on configuring users on the server, see Creating Users in Managing WebLogic Security."
    So the questions I have are:
    - If the client identity is certificate based, why should we configure users with the "user name" and "password"? How can we get around it?
    - Once I defined the security condition for my app to use "user name of the caller," a default username and password prompt automatically popped up.
    Apparently, the SSL mutual authentication configuration and the default authentication provider to use the X.509 type didn't take any effect.
    - Without defining the security policy for the application, the debugging messages show that
    getRoles(): input arguments: subject:0
    Entitlement - <Role:Annonymous with expr:Grp(everyone)>
    Any suggestions? Thanks.

    Hi,
    I am trying to use 2-way SSL using a webservices client. Here is my code:
    AxisProperties.setProperty("org.apache.axis.components.net.SecureSocketFactory","org.apache.axis.components.net.SunFakeTrustSocketFactory");
    SSLAdapterFactory factory = SSLAdapterFactory.getDefaultFactory();
    WLSSLAdapter adapter = (WLSSLAdapter) factory.getSSLAdapter();
    // clientCredentialFile stores in PEM format the public key and
    // all the CAs associated with it + then the private key. All this in
    // a concatenated manner
    FileInputStream clientCredentialFile = new FileInputStream ("C:\\sslcert\\client-pub3.pem");
    // private key password
    String pwd = "password";
    adapter.loadLocalIdentity(clientCredentialFile, pwd.toCharArray());
    adapter.setVerbose(true);
    adapter.setTrustedCertificatesFile("C:\\certificate\\server\\server.jks");
    adapter.setStrictCheckingDefault(false);
    factory.setDefaultAdapter(adapter);
    factory.setUseDefaultAdapter(true);
    boolean idAvailability = false;
    UNSLocator locator = new UNSLocator();
    URL portAddress = new URL("https://localhost:7002/smuSSWeb/UNSResponse.xml");
    UNSPort unsprt = locator.getUNSPort(portAddress);
    idAvailability = unsprt.isIDAvailable("Yulin125", "C");
    System.out.println("Got from method :"+idAvailability);
    After running this code I am getting the following exception:
    AxisFault
    faultCode: {http://schemas.xmlsoap.org/soap/envelope/}Server.userException
    faultSubcode:
    faultString: java.net.SocketException: Software caused connection abort: socket write error
    faultActor:
    faultNode:
    faultDetail:
    I am using .pem (clientsigned, clientinter, clientroot, root-key) files for client authentication and I am using server.jks as a keystore for my server authentication. Once I run this code, I am able to present the server certificate chain to the client but I am not able to present the client certificate chain to the server.
    I have been stuck with this for quite some time.
    Some insight needed from the gurus

  • SSL connection between Dist Auth UI Server and Access Manager

    Hi,
    I have a Dist Auth UI Server installed in Web Server 7 and working properly, but now i want to configure it to talk with Access Manager with a secure port.
    I have configured Access Manager (also deployed in Web Server 7) in a secure port (443). I have requested and installed the server certificate in the Access Manager Web Server instance and also the root entity certificate.
    My question is: how must i configure the UI Server to communicate with the Access Manager Server in a secure way and trust the certificate that the WS of the AM presents ?
    Regards,

    There have been a few reports of the same behaviour with other customers - specifically with the handling of the encoding of "+" characters to " ". It relates to how cookie encoding/decoding is performed (as you have already observed).
    The solution for these customers was the following:
    => AM server/client side:
    Ensure that com.iplanet.am.cookie.encode=false in AMConfig.properties and AMAgent.properties on all systems.
    => AM client (UWC) side:
    - Set <property name="encodeCookies" value="false"/> in /var/opt/SUNWuwc/WEB-INF/sun-web.xml. This will prevent UWC from trying to urldecode the cookie it receives and therefore stops it turning the + into a space e.g.
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE sun-web-app PUBLIC '-//Sun Microsystems, Inc.//DTD Sun ONE Application Server 7.0 Servlet 2.3//EN' 'file:///net/wajra.india.sun.com/export/share/dtd/sun-web-app_2_3-1.dtd'>
    <sun-web-app>
       <property name="encodeCookies" value="false"/>
       <session-config>
          <session-manager/>
       </session-config>
       <jsp-config/>
    <property name="allowLinking" value="true" />
    </sun-web-app>
    Regards,
    Shane.
