Configuration & authorization checklist

Similar Messages

• Not able to decide on : Mission Configurable Authorization

  Hello,
  I post here after begging people to
  please understand my problem first.this is what I need to achieve:
  It is about dynamic authorization.
  My application will have an admin page where the admin will be able to give access rights to users for certain actions on certain pages. these could be any permutation and combination.
  I need to be able to authorize them based on this condition.
  For example :
  If it were a mechanic application.
  The admin will be able to authorize MechA to be able to perform "Add, Delete" actions on garage A, but only VIEW rights on garage B.
  similarly MechB to be able to only "ADD" in garage A, but ADD,DELETE in garageB.Again, the number of garages can be many. the admin will be able to add a garage and delete a garage.
  (ofcourse, based on the current access rights they have, the JSP will display those current access rights)
  I have poured over google search and forums and security frameworks to decide on an approach for this.
  I initially had thought that I will have a table which will have two cols USER and PERMISSIONS.
  where users would be the suers and permissions would be URLs. Ex. :
  mechA | garageA/add.jsp
  mechA | garageA/delete.jsp
  mechA | garageb/view.jsp
  However, this premature understanding will not work because of obvious reasons (if I need to update or delete the URL for the user.. I am screwing up everything).
  Then, now I am thinking of an XML based authorization now. where the parent node will be the user name and his child nodes will be the URLs he has access to. Though i have not worked on this, I know this will be of no use, because my application will have the capability to switch between a db and LDAP. I have very little knowledge of LDAP though.
  No secuirty framework is going to be of help ( i have looked extensively through JAAS and Acegi).
  because they function majorly on ROLES. In my case I have no ROLES at all :-(
  I have been pulling my hair out trying for a solution for this kind of a configurable scenario, where the user base could be on a DB and on LDAP.
  Any ideas/help/pointers towards an approach would be highly appreciated.
  thanks in advance for your time.

  If you don't have roles now, rethink your design.
  What if another mechanic comes in as a replacement
  for an existing mechanic who left or goes on holiday?
  Do you really want to have to assign all permissions
  to the new mechanic again? No, you want to be able to
  say: this new mechanic has the same role(s) as the
  original mechanic and be done with it. Or what if a
  mechanic gets promoted? Instead of having to add and
  remove all the accompanying permissions, just set or
  add the new roles.Well, there will also be Groups, to which the mechanics can be assigned, but it is not a necessity for them to be under a group.
  A mechanic can be an individual with individual rights, or can be a part of a group which has certain permissions. In my case, everything needs to be highly configurable. Creating a single user(with specific permissions) or creating the group(with specific permissions) and then assigning mechanics to the group, will really be the admins choice, who will set the users up.
  If you realy, really, really can't think of any roles
  that make sense, you can pretend each mechanic
  defines his own special role (the role is the same as
  the mechanic) and still use those frameworks.hmmm... I have typically assigned URLS with wildcard chars. like /admin/*.* with ROLE_ADMIN thing.
  In this case,I will probably have to have many relative URLS mapped with a singular ROLE. However, how I can change/update these URLs based on the admins input, still remains a mystery to me.
  Any other suggestions ?

• Mail Session configuration authorization

  Hi,
  I hava deployed the confirmer app from tutorial.
  I got exception when sending a message saying I have to use authorization.
  I know how to do it the hard way (in code obtain other mail session)
  I tried to add a single property to the mail session, but it deletes all properties from java mail session ! (mail-from for example)
  Why the container doesn't use auth info I give when setting user and pass in JNDI reference ?
  How to add this property, so other aren't affected ?
  Thanks.

  I am not sure I totally understand your question. Are you saying that if you follow the instructions in the tutorial for the confirmer app, it does not work?
  Please clarify if possible.

• Sap ccms configure "authorizations "

  Hi all
                   Please help me how to configure ccms alert to monitor authirization failures
  Thanks
  in advance
  kumar

  Hi
  Follow the links
  http://help.sap.com/saphelp_nw04/helpdata/en/c4/3a5dba505211d189550000e829fbbd/frameset.htm
  http://help.sap.com/saphelp_nw04/helpdata/en/c4/3a5dba505211d189550000e829fbbd/frameset.htm
  Regards
  Bhaskar

• How to configure ACS 5.2 for policy condition on TACACS+ Service

  In https://supportforums.cisco.com/message/3953175#3953175 thread, I was able to get the ACS 5.2 work with SRX for both SSH CLI and J-Web TACACS+ accounts. However, I found the behavior is different on our production environment. I found our ACS 5.2 was configured authorization rule with condition "TACACS+ Service" = "junos-exec". I don't know how to configure this on my ACS 5.2 Please guide me how to configure this.
  I found there was NO TACACS+ "Authorization Request" when access via J-Web in our production SRX and ACS. However, there were TACACS+ "Authorzation Request" when access via J-Web in our production SRX and ACS. The difference between my lab ACS and production ACS is the authorization rule condition. In my condition, I configure with all "SRX" Device Type. but in our production ACS 5.2, it was configure to TACACS+ Service=junos-exec. so I like to test it in our lab to find out the difference. Thanks.

  I would suggest you to go through the below two link.
  http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.2/migration/guide/Migration_Configure.html
  http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.2/user/guide/common_scenarios.html

• Regarding Authorization in OBIEE

  Hello Experts,
  I am having trouble rather confusion with Authorization in OBIEE. We have configured Authorization using external table and it is working fine.
  Scenario is:
  We have hierarchy like Senior Managers-> Horizontal Head->ORG Head-> Team Leads
  I created their respective groups for each of them in RPD and in Presentations services.
  Senior Manager Group (SR_Manager) has NO restrictions, all other 3 groups(Horz_Group, ORGH_Group, TL_Groups) have data level security they can view data for Process_ID aligned under them. This we are maintaining in external table.
  My doubt comes in when a Senior Manager is member of other groups as well.
  Let say ABC is Senior Manager as well as Horizontal Head and as a Horizontal Head his access is restricted to 5 Process_IDs.
  My Doubt is shouldn’t ABC see all the data as he part of Senior Manager Group, Senior Manager Membership should supersede all other membership? As per documentation OBIEE should apply LEAST RESTRICTIVE PERMISSIONS?
  Kindly suggest if my doubt is valid.
  Thanks
  Ankita

  Hi Amith,
  Thanks for your reply.
  I would like to confirm from what you replied. You asked to change the scenario for our senior most group.
  For our scenario, Sr_Manager group has no restrictions. Hence, all data should be viewable to members of this group. We have now kept all members belonging to Sr_Manager group to this group only and no other group membership has been provided. This works fine and is giving expected results.
  I would like to bring this to notice that, this problem was not coming initially when all the groups had been created. Any member from Sr_Manager, belonging to other lower groups could view all data as per his least restrictive group membership. But, I am not sure why this is failing now.
  Could you pls suggest any cause of this problem?
  Regards
  Ankita

• Command Authorization Config best practice using ACS

  Hi
  Is there any best practices for configuring Command authorization (for router/switch/asa) in CS-ACS? To be specific, is there any best practices to configure authorization for a set of commands allowed for L1,L2,L3 support levels?
  Regards
  V Vinodh.

  Vinodh,
  The main thing here is to ensure that we have backup/fall-back method configured for command authorization, inorder to avoid lockout situation or do wr mem once you are sure configs are working fine.
  Please check this link,
  http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml
  Regards,
  ~JG
  Do rate helpful posts

• Configure AAA on 5508 WLC's

  Dear All,
  I am new to wireless,very keen on learning this technology.I have got a few questions from the situation which i have come across.How do we proceed with the same, Thanks in advance
  1>Customer wanted to configure two 5508 HA WLC's, he wanted to configure AAA
  2>Configuration of AP as Network access device
  3>Implementation of Cisco ISE ( For Wired and Wireless users
  Remote Installation  of Cisco Identity Service Engine
  Setting up Virtual ISE Appliance on VMware platform Licence update
  Installation of  ISE policy server
  Configure Policy module
  Configure Administration module
  Configure Monitoring moduleAuthentication (Integration with Active Directories)Integrate with Active directoryImport Active directory groups Authorization - Creation of policies pertaining to users and groups Define and configure authorization policyDefine and configure authorization conditionsDefine and configure authorization results

  Hello Saurav,
  Thank you so much for getting back, in error i rated this post only 1, 
  I have few more questions.Thanks for your help
  ISE Integration with Wireless LAN Controllers
  Integration of ISE with WLC – Pre-shared Key exchange
  Integration of ISE with Access Point  - Network Access Device
  Installation/Configuration of ISE supplicant on end-points
  Guest on-boarding portal – Design  
  Define Guest portal – Cisco template/Customised
  Define policy and access for Guest Vlan
  Integration of ISE and wireless networking into Cisco Prime

• Authorization on PIX

  What's the correct way to configure authorization on PIX?
  By following the steps in:
  http://cco/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00800949d6.shtml
  The PIX always hangs and has to be rebooted.

  The commands performed may be controlled locally on the PIX or remotely through TACACS+. RADIUS command authorization is not supported, this is a limitation of the RADIUS protocol. This is quoted from the same document you referred.

• Configuring AAA network client on ACS v5.1 using the same RADIUS atributes from ACS v3.3

  Hello,
  I was wondering if i should use the same RADIUS VSA attribute on ACS v5.1 to authenticate AAA clients as those i was using on my old     ACS v3.3 server.
  Exemple : under ACS v3.3 i was using RADIUS (Cisco Aironet) attribute to authenticate AP & WLC, should i do the same under ACS v5.1 ?
  Best regards.

  Hello,
  When defining AAA client on the new ACS 5.x server you just select TACACS+ or RADIUS. We no longer define the RADIUS "vendor"/"VSA" when creating the AAA Client entry. All AAA client would be defined as RADIUS or TACACS+ only.
  If you were using specific VSA Attributes then you need to send those attributes back configuring Authorization Profiles on the ACS 5.x. You will find the specific VSA attributes there. Refer to the following screenshots:
  And here are the available attributes for the ACS for RADIUS Aironet:

• Documentation on Crystal-specific authorizations

  Does anyone have any additional documentation on how best to configure the various authorizations that are required for using Crystal Reports in an SAP environment. I have found the documentation/directions in the Install and Config guide to be vague and not helpful in trying to understand which authorizations are absolutely necessary for various functions.
  For instance, is the "Crystal Consumer" or viewer role necessary for someone who is only going to view scheduled instances and not view reports on demand? What specific authorization is needed to allow for on-demand viewing? Any help or tips on how to configure authorizations would be appreciated. Thanks!
  Edited by: Mike Garrett on Jan 21, 2009 6:13 PM

  Hi Mike,
  The Install and Admin guide for the Integration for SAP solutions has a section describing what authorizations are required for different connectivity tasks.
  However in the case where the user is viewing an instance, no authorizations are required because this is a report with saved data thus no connection to the database is required.
  In case you are thinking of the publications, I will elaborate further on how this feature works.  When a publication is created for multiple users, the database is hit once per added user to retrieve the record set of that user based on his/her authorizations.  Once this is completed, a report instance is created for each one of these users which only that user has access to.  We describe this type of publication as multipass bursting where data is requested from the database per recipient.
  thanks
  Mike

• Configuring AAA network client on ACS v5.1 using the same atributes from AC

  Hello,
  Actualy i'm new to use ACS v5.1 and i wanted to do the same AAA client configuration as it was configured on my old ACS V3.3 server.
  My old ACS v3.3 AAA clients type are WLC, LAP and Autonomous AP (using RADIUS (Cisco Aironet)) authentication protocol, PIX & a Router (using TACACS+ (Cisco IOS)) authentication protocol.
  I'm using PEAP_MS-CHAP v2 as a RADIUS authentication method.
  Can any one guide me to accomplish this configuration please ?.
  Best regards.
  Posted by WebUser Mourad Lafjer

  Hello,
  When defining AAA client on the new ACS 5.x server you just select TACACS+ or RADIUS. We no longer define the RADIUS "vendor"/"VSA" when creating the AAA Client entry. All AAA client would be defined as RADIUS or TACACS+ only.
  If you were using specific VSA Attributes then you need to send those attributes back configuring Authorization Profiles on the ACS 5.x. You will find the specific VSA attributes there. Refer to the following screenshots:
  And here are the available attributes for the ACS for RADIUS Aironet:

• Authorization question

  My stepdaughter downloaded a song from her ipod touch, I hold the main account on my desktop computer.  It is saying that I am not authorized to play this song on my computer.  I went and authorized my computer three times and click on the song and it still says I cant play it, does anyone have any suggestions. 

  Petenugnet,
  The way you have setup wireless is perfect. Understanding the process, RADIUS combines authentication and authorization. The access-accept       packets sent by the RADIUS server to the client contain authorization       information. This makes it difficult to decouple authentication and       authorization so the moment you connect with your credentials is count as a pert of authentication and all other settings like ssid count under authorization. There is not command to configure authorization with radius in wireless. There is something called SSID---WLAN restrction using ACS where we use NAR even that also comes in access-accept.
  HTH
  JK
  Do rate helpful posts-

• AAA authorization exec explanation please....thank you

  If I have this:
  aaa authentication login default grouptacacs+ local line none
  aaa authentication enable default group tacacs+ enable
  aaa authorization exec default group tacacs+ local none
  username localadmin password 7 xxxxxxxxxxxx
  enable secret 5 xxxxxxxxxxxxxxxx
  And all tacacs+ servers are unreachable.
  Authentication will revert to local, so I would need to use a locally defined username of localadmin to access the unit. Correct?
  If I can login using the local username, doesn't the authorizaiton exec fail and I cannot get an exec shell as I have no locally defined authorization set up?
  If so, how do I set it up so I can login locally (which I think I have setup), but can also get into enable mode if the tacacs+ server(s) are down?
  Is exec shell the privlidged mode or just the shell you get when you login and you need to execute a enable command to get to exec shell?
  Thanks
  Gene

  Gene
  I believe that exec shell is the exec that you get when you login and not the privilege level. I usually configure authentication as you have done and it works well - whether the TACACS server is available or not. I generally configure authorization this way:
  aaa authorization exec default group tacacs+ if-authenticated
  and find that it works well - whether the TACACS server is available or not.
  HTH
  Rick

• Seemingly successful install of Exchange 2013 SP1 turns into many errors in event logs after upgrade to CU7

  I have a new Exchange 2013 server with plans to migrate from my current Exchange 2007 Server. 
  I installed Exchange 2013 SP1 and the only errors I saw in the event log seemed to be long standing known issues that did not indicate an actual problem (based on what I read online). 
  I updated to CU7 and now lots of errors have appeared (although the old ones seem to have been fixed so I have that going for me). 
  Currently the Exchange 2013 server is not in use and clients are still hitting the 2007 server.
  Issue 1)
  After each reboot I get a Kernel-EventTracing 2 error.  I cannot find anything on this on the internet so I have no idea what it is.
  Session "FastDocTracingSession" failed to start with the following error: 0xC0000035
  I did read other accounts of this error with a different name in the quotes but still can’t tell what this is or where it is coming from.
  Issue 2)
  I am still getting 5 MSExchange Common 106 errors even after reregistering all of the perf counters per this page:
  https://support.microsoft.com/kb/2870416?wa=wsignin1.0
  One of the perf counters fails to register using the script from the link above.
  66 C:\Program Files\Microsoft\Exchange Server\V15\Setup\Perf\InfoWorkerMultiMailboxSearchPerformanceCounters.xml
  New-PerfCounters : The performance counter definition file is invalid.
  At C:\Users\administrator.<my domain>\Downloads\script\ReloadPerfCounters.ps1:19 char:4
  +    New-PerfCounters -DefinitionFileName $f
  +    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      + CategoryInfo         
  : InvalidData: (:) [New-PerfCounters], TaskException
      + FullyQualifiedErrorId : [Server=VALIS,RequestId=71b6bcde-d73e-4c14-9a32-03f06e3b2607,TimeStamp=12/18/2014 10:09:
     12 PM] [FailureCategory=Cmdlet-TaskException] 33EBD286,Microsoft.Exchange.Management.Tasks.NewPerfCounters
  But that one seems unrelated to the ones that still throw errors. 
  Three of the remaining five errors are (the forum is removing my spacing between the error text so it looks like a wall of text - sorry):
  Performance counter updating error. Counter name is Count Matched LowFidelity FingerPrint, but missed HighFidelity FingerPrint, category name is MSExchange Anti-Malware Datacenter Perfcounters. Optional code: 3. Exception: The
  exception thrown is : System.InvalidOperationException: The requested Performance Counter is not a custom counter, it has to be initialized as ReadOnly.
     at System.Diagnostics.PerformanceCounter.InitializeImpl()
     at System.Diagnostics.PerformanceCounter.set_RawValue(Int64 value)
     at Microsoft.Exchange.Diagnostics.ExPerformanceCounter.set_RawValue(Int64 value)
  Last worker process info : System.ArgumentException: Process with an Id of 7384 is not running.
     at System.Diagnostics.Process.GetProcessById(Int32 processId)
     at Microsoft.Exchange.Diagnostics.ExPerformanceCounter.GetLastWorkerProcessInfo()
  Performance counter updating error. Counter name is Number of items, item is matched with finger printing cache, category name is MSExchange Anti-Malware Datacenter Perfcounters. Optional code: 3. Exception: The exception thrown
  is : System.InvalidOperationException: The requested Performance Counter is not a custom counter, it has to be initialized as ReadOnly.
     at System.Diagnostics.PerformanceCounter.InitializeImpl()
     at System.Diagnostics.PerformanceCounter.set_RawValue(Int64 value)
     at Microsoft.Exchange.Diagnostics.ExPerformanceCounter.set_RawValue(Int64 value)
  Last worker process info : System.ArgumentException: Process with an Id of 7384 is not running.
     at System.Diagnostics.Process.GetProcessById(Int32 processId)
     at Microsoft.Exchange.Diagnostics.ExPerformanceCounter.GetLastWorkerProcessInfo()
  Performance counter updating error. Counter name is Number of items in Malware Fingerprint cache, category name is MSExchange Anti-Malware Datacenter Perfcounters. Optional code: 3. Exception: The exception thrown is : System.InvalidOperationException:
  The requested Performance Counter is not a custom counter, it has to be initialized as ReadOnly.
     at System.Diagnostics.PerformanceCounter.InitializeImpl()
     at System.Diagnostics.PerformanceCounter.set_RawValue(Int64 value)
     at Microsoft.Exchange.Diagnostics.ExPerformanceCounter.set_RawValue(Int64 value)
  Last worker process info : System.ArgumentException: Process with an Id of 7384 is not running.
     at System.Diagnostics.Process.GetProcessById(Int32 processId)
     at Microsoft.Exchange.Diagnostics.ExPerformanceCounter.GetLastWorkerProcessInfo()
  Issue 3)
  I appear to have some issues related to the healthmailboxes. 
  I get MSExchangeTransport 1025 errors for multiple healthmailboxes.
  SMTP rejected a (P1) mail from 'HealthMailbox23b10b91745648819139ee691dc97eb6@<my domain>.local' with 'Client Proxy <my server>' connector and the user authenticated as 'HealthMailbox23b10b91745648819139ee691dc97eb6'. The Active Directory
  lookup for the sender address returned validation errors. Microsoft.Exchange.Data.ProviderError
  I reran setup /prepareAD to try and remedy this but I am still getting some.
  Issue 4)
  I am getting an MSExchange RBAC 74 error. 
  (Process w3wp.exe, PID 984) Connection leak detected for key <my domain>.local/Admins/Administrator in Microsoft.Exchange.Configuration.Authorization.WSManBudgetManager class. Leaked Value 1.
  Issue 5)
  I am getting MSExchange Assistants 9042 warnings on both databases.
  Service MSExchangeMailboxAssistants. Probe Time Based Assistant for database Database02 (c83dbd91-7cc4-4412-912e-1b87ca6eb0ab) is exiting a work cycle. No mailboxes were successfully processed. 2 mailboxes were skipped due to errors. 0 mailboxes were
  skipped due to failure to open a store session. 0 mailboxes were retried. There are 0 mailboxes in this database remaining to be processed.
  Some research suggested this may be related to deleted mailboxes however I have never had any actual user mailboxes on this server. 
  If they are healthmailboxes or arbitration mailboxes that might make sense but I am unsure of what to do on this.
  Issue 6)
  At boot I am getting an MSExchange ActiveSync warning 1033
  The setting SupportedIPMTypes in the Web.Config file was missing. 
  Using default value of System.Collections.Generic.List`1[System.String].
  I don't know why but this forum is removing some of my spacing that would make parts of this easier to read.

  Hi Eric
  Yes I have uninstalled and reinstalled Exchange 2013 CU7 for the 3^rd time. 
  I realize you said one issue per forum thread but since I already started this thread with many issues I will at least post what I have discovered on them in case someone finds their way here from a web search.
  I have an existing Exchange 2007 server in the environment so I am unable to create email address policies that are defined by “recipient container”. 
  If I try and do so I get “You can't specify the recipient container because legacy servers are detected.”
   So I cannot create a normal email address policy and restrict it to an OU without resorting to some fancy filtering. 
  Instead what I have done is use PS to modify extensionAttribute1 (otherwise known as Custom Attribute 1 to exchange) for all of my users. 
  I then applied an address policy to them and gave it the highest priority. 
  Then I set a default email address policy for the entire organization. 
  After reinstalling Exchange all of my system mailboxes were created with the internal domain name. 
  So issue number 3 above has not come up. 
  For issue number one above I have created a new thread:
  https://social.technet.microsoft.com/Forums/office/en-US/7eb12b89-ae9b-46b2-bd34-e50cd52a4c15/microsoftwindowskerneleventtracing-error-2-happens-twice-at-boot-ex2013cu7?forum=exchangesvrdeploy
  For issue number four I have posted to this existing thread where there is so far no resolution:
  https://social.technet.microsoft.com/Forums/exchange/en-US/2343730c-7303-4067-ae1a-b106cffc3583/exchange-error-id-74-connection-leak-detected-for-key?forum=exchangesvradmin
  Issue number Five I have managed to recreate and get rid of in more than one way. 
  If I create a new database in ECP and set the database and log paths where I want, then this error will appear. 
  If I create the database in the default location and then use EMS to move it and set the log path, then the error will not appear. 
  The error will also appear (along with other errors) if I delete the health mailboxes and let them get recreated by restarting the server or the Health Manager service. 
  If I then go and set the retention period for deleted mailboxes to 0 days and wait a little while, these will all go away. 
  So my off hand guess is that these are caused by orphaned system mailboxes.
  For issue number six I have posted to this existing thread where there is so far no resolution:
  https://social.technet.microsoft.com/Forums/exchange/en-US/dff62411-fad8-4d0c-9bdb-037374644845/event-1033-msexchangeactivesync-warning?forum=exchangesvrmobility
  So for the remainder of this thread we can try and tackle issue number two which is the perf counters. 
  The exact same 5 perf counter were coming up and this had been true each time I have uninstalled and reinstalled Exchange 2013CU7. 
  Actually to be more accurate a LOT of perf counter errors come up after the initial install, but reloading the perf counters using the script I posted above reduces it to the same five. 
  Using all of your suggestions so far has not removed these 5 remaining errors either.  Since there is no discernible impact other than these errors at boot I am not seriously bothered by them but as will all event log errors, I would prefer
  to make them go away if possible.