CSS - NAT, Groups and ACLs

Hi,
Basically I can do src NAT in two ways. Either I use groups and use >>add destination service XYZ<< OR I use ACLs and groups and put the group as a source-group in the ACL. In case of the last possibility, isn't it possible to specify which services are affected for SRC-NAT by adding an "add service X" in the group config, or is it only possible to limit it in the ACL by only allowing a certain destination in the ACL, and is this destination the real service (it needs to be if I am to achieve what I'm trying to achieve)?
Furthermore, is there a paper stating the order of operation for the CSS: when does ACL checking happen, when does NAT with ACLs happen, and so on?
TIA
Kind Regards,
Joerg

Joerg,
if I understand correctly, you want to NAT the client IP address, but only when going to specific servers.
This is not possible.
If we take a CSS11500, ACL permit/deny are applied in hardware even before doing a flow lookup.
ACLs with enhanced functions like sourcegroup select are done in software before doing the load-balancing decision.
The ACL function will pass the NATing argument to the load-balancing decision.
So at the time you do NAT, you don't know yet which real server will be used.
Regards,
Gilles.

Similar Messages

  • Role based security and ACLs

    Hello,
    I have a question regarding Roles and ACLs. I understand that I can use one or more security realms to host users, groups, and ACLs. (In fact I am implementing a custom realm for users and groups like RDBMSRealm, and wanted WLPropertyRealm to handle ACL/permission based duties.)
    Reading the "Writing a Web Application" it is apparent that ACLs are not supposed to be used for Servlets/JSP anymore, but rather to map roles to security principals via the deployment descriptor files for the web application.
    So:
    1. I assume that Weblogic will determine, once I have authenticated the user in my realm, whether or not the user is in a certain role, and therefore, whether or not they have access to a particular resource?
    2. What happened to the concept of permissions? Is it assumed that if the user is in the required role that they have permission to execute the servlet/JSP?
    3. Does it make sense to talk about ACLs anymore? A checkPermissions() method on an Acl object doesn't make sense now. Instead am I to use isUserInRole() ? (This doesn't seem the same to me - asking if User A has execute permission on this resource is different than asking if User A is in the CSR role.)
    Your response is appreciated.

  • Help with some NAT and ACL

    Hi all,
    We have been provided with a range of public IP addresses by our ISP. I want to configure some static NAT in and dynamic NAT out for our SIP based PBX. I also want to put an ACL on the outside interface so only my ITSP can talk to the public IP assigned to the PBX. I want all other hosts on my network to be able to NAT out using the WAN address assigned to the router.
    Obviously the addresses are fictional!
    4.4.4.3 – Default gateway to the internet
    4.4.4.4 – Public IP of my router
    4.4.4.5 – Public IP for the PBX
    10.1.1.0/24 – PBX subnet
    192.168.1.0/24 – LAN subnet
    1.1.1.1 & 1.1.1.2 ITSP addresses
    10.1.1.2 - PBX LAN Address
    Can someone take a look at my config, would this work!?
    Thanks
    Matty
    interface GigabitEthernet0/0
     description *** Internet ***
     ip address 4.4.4.4 255.255.255.192
     ip access-group 111 in
     ip nat outside
     ip virtual-reassembly in
     duplex auto
     speed auto
    ip nat pool PBX_POOL 4.4.4.5 4.4.4.5 netmask 255.255.255.192
    ip nat inside source list 101 interface GigabitEthernet0/0 overload
    ip nat inside source list PBX_SUBNET pool PBX_POOL overload
    ip nat inside source static tcp 10.1.1.2 5060 4.4.4.5 5060 extendable
    ip nat inside source static udp 10.1.1.2 5060 4.4.4.5 5060 extendable
    ip route 0.0.0.0 0.0.0.0 4.4.4.3
    ip access-list extended PBX_SUBNET
     permit ip 10.1.1.0 0.0.0.255 any
    access-list 101 permit ip 192.168.1.0 0.0.0.255 any
    access-list 111 permit ip host 1.1.1.1 host 4.4.4.5
    access-list 111 permit ip host 1.1.1.2 host 4.4.4.5
    access-list 111 deny   ip any host 4.4.4.5
    access-list 111 permit ip any any

    Matty
    Not familiar with SIP so can't say for sure about that in terms of ports but some comments -
    1) you don't show other interfaces but presumably the LAN interface(s) has "ip nat inside" enabled
    2) the PBX subnet is 10.1.1.0/24 yet your static NATs are referring to 10.18.21.2 ?
    3) following on from 2) your PBX_SUBNET acl is wrong, it should be -
    ip access-list extended PBX_SUBNET
    permit ip 10.1.1.0 0.0.0.255 any      <-- note the last octet of the wildcard mask is 255.
    Edit - also assuming that any internal subnets not directly connected to the router have routes set up for them so your router knows how to get to them.
    Jon
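
    The first-match behaviour of the numbered ACLs in Matty's post can be checked offline. The following is an added example, not code from either poster: a small evaluator for `access-list` entries that uses the post's fictional addresses, with 203.0.113.9 and the 192.168.x.77 hosts as constructed test addresses. It assumes the inbound ACL on the outside interface sees the public destination 4.4.4.5, and it handles only `ip` entries with `any`, `host A` and `A WILDCARD` address forms.

```python
"""Added example: first-match evaluation of IOS-style numbered extended ACLs."""
import ipaddress
from typing import List, NamedTuple, Tuple

# ACL lines copied from the post above (addresses are the poster's fictional ones).
CONFIG = """\
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 111 permit ip host 1.1.1.1 host 4.4.4.5
access-list 111 permit ip host 1.1.1.2 host 4.4.4.5
access-list 111 deny   ip any host 4.4.4.5
access-list 111 permit ip any any
"""

IMPLICIT_DENY = "implicit deny any any"


class Entry(NamedTuple):
    action: str              # "permit" or "deny"
    src: Tuple[int, int]     # (address, wildcard) as 32-bit integers
    dst: Tuple[int, int]
    text: str                # original config line, for reporting


def ip_to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def take_addr(tokens: List[str]) -> Tuple[int, int]:
    """Consume one address spec from the token list: any | host A | A WILDCARD."""
    first = tokens.pop(0)
    if first == "any":
        return (0, 0xFFFFFFFF)               # every bit is "don't care"
    if first == "host":
        return (ip_to_int(tokens.pop(0)), 0)  # every bit must match
    return (ip_to_int(first), ip_to_int(tokens.pop(0)))


def parse_acl(config: str, number: str) -> List[Entry]:
    """Return the entries of one numbered ACL, in configuration order."""
    entries = []
    for line in config.splitlines():
        tokens = line.split()
        if tokens[:2] != ["access-list", number]:
            continue
        action, proto, rest = tokens[2], tokens[3], tokens[4:]
        if action not in ("permit", "deny") or proto != "ip":
            raise ValueError("unsupported entry: " + line.strip())
        src = take_addr(rest)
        dst = take_addr(rest)
        entries.append(Entry(action, src, dst, line.strip()))
    return entries


def wildcard_match(spec: Tuple[int, int], addr: int) -> bool:
    """A wildcard bit of 1 means 'ignore this bit'; 0 means 'must be equal'."""
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF
    return (addr & care) == (base & care)


def evaluate(entries: List[Entry], src: str, dst: str) -> Tuple[str, str]:
    """Return (action, matching line). The first matching entry decides."""
    s, d = ip_to_int(src), ip_to_int(dst)
    for entry in entries:
        if wildcard_match(entry.src, s) and wildcard_match(entry.dst, d):
            return entry.action, entry.text
    return "deny", IMPLICIT_DENY  # nothing matched: the ACL's implicit deny


if __name__ == "__main__":
    acl_111 = parse_acl(CONFIG, "111")
    # Constructed test packets: (source, destination)
    for src, dst in [("1.1.1.1", "4.4.4.5"),      # ITSP to the PBX public IP
                     ("203.0.113.9", "4.4.4.5"),  # any other host to the PBX
                     ("203.0.113.9", "4.4.4.4")]:  # any other host to the router
        action, line = evaluate(acl_111, src, dst)
        print(f"{src:>12} -> {dst:<8} {action:6}  [{line}]")
```

    Running the module prints which entry decided each constructed packet, which makes it easy to see that moving the `deny` entry above the two ITSP `permit` entries would block the ITSP as well.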

  • ASA 5520: Retrieve user, group -and- lanlist (ACL) from openldap

    hi,
    while migrating from a VPN Concentrator 3000 to ASA 5520 (IOS 8.0.4), we'd like to put all VPN-related configuration settings in an openldap server (2.3.27).
    We have trouble finding ways to put group settings, LanLists (as they were called on the Concentrator, or ACLs) and Lan2Lan configurations in LDAP.
    Authenticating users through openldap works, and there seems to be an aaa-server command "ldap-group-dn-base", but it seems this is only used in conjunction with Active Directory, while we only use openldap.
    Furthermore, ACLs seem to be indices referring to ACLs locally stored on the ASA: how to put the complete ACL in LDAP?
    Preferred LDAP configuration:
    VPN-users: ou=users,dc=vpn,dc=COMPANY,dc=com
    VPN-groups: ou=groups,dc=vpn,dc=COMPANY,dc=com
    VPN-L2L: ou=lantolan,dc=vpn,dc=COMPANY,dc=com
    How to refer the ASA to an entry in ou=groups,... from an entry residing in ou=users?
    Same question for LanLists. Is this possible?

    Thank you. I did find the attribute map option, but the manuals and explanations that describe this feature all refer to group-settings (ACLs etc) that are _already configured_ on the ASA. They refer to a groupname or ACL-name that is "known" in the ASA configuration.
    What we'd like to do is put -all- possible group, ACL, lan2lanlists, data in ldap. So when a user authenticates:
    1. his user-credentials are checked against LDAP and relevant configurations (using attribute maps) are loaded into the ASA
    2. his group-credentials are checked against LDAP and relevant group-configurations (using attribute maps) are loaded into the ASA
    3. possible lan/network-lists to which his group-information refers, are loaded from LDAP into the ASA.
    Perhaps I'm missing something, but I've found only ways to put the _name_ (/ID) of these settings in LDAP, referring to settings/configurations already existing in the ASA. I'd like to put _all_ the settings/configurations in LDAP as well.

  • Errors found when using tar and ACL's

    Having difficulties with TAR and ACLs, and wondering if anyone had seen this before.
    Here's the scenario: create a few directories and a few files. Tar it up and extract the files. Now assign some ACL's to them (some default for directories), tar it up, and extract the files. Permissions should remain the same. Under most circumstances they are.
    Now repeat the procedure, but put a default directory ACL on the parent directory where the TAR is created. What happens is that the group permissions for anything un-tared gets trashed.
    Here's a script to test it out.
    Create a dummy user (I called mine foobar) -- required for setting ACL's. Run the script with the "-d" option at first. Things appear good. You can compare the permissions on the bottom for each file/directory.
    Run the script with the "-s" option setting default ACL's on the parent.
    #!/usr/bin/sh
    ROOTDIR=/export/home/christian/config
    TESTDIR=/export/home/christian
    USER_X="oam"
    # Run the script once with normal permissions (no ACL's) in the test directory (where tar is located)
    # --> ./test.sh -d
    # look at the result (ls -l) of .../sub1dir, .../sub1dir_acl, and /sub1dir_orig
    # They should be relatively the same:
    # --> rwxrwxrwx permissions on directories
    # --> rw-rw-rw- on files
    # Now run the script but set the parent directory of the script (where the TAR's are located) to have default ACL's
    # --> /opt/MMSsyscnf/sub2dir/test/test.sh -s
    # Now look at the result (ls -l) of .../sub1dir, .../sub1dir_acl, and /sub1dir_orig
    # They are COMPLETELY skewed. Both times we tried to untar the files, ACL's wound up
    # all over the place and permissions were not set correctly.
    # --> rwxrwxrwx permissions ONLY on original directory (not the product of an UNTAR)
    # --> rwxr--rwx permissions on directories created by untar
    # --> rw-rw-rw- on files ONLY on original directory (not the product of an UNTAR)
    # --> rw-r--rw- on files created by untar
    # ****** Why is group affected by this, but "other" is not?! It's gotta be a bug!
    # MAIN
    ACTION="NOPREP"
    while [ -n "$1" ]
    do
        if [ "ABC$1" = "ABC-d" ]; then
            #flag set to try and remove default directory ACL's
            setfacl -d u:$USER_X $TESTDIR
            setfacl -d d:u:$USER_X $TESTDIR
            setfacl -d d:u::,d:g::,d:m:,d:o: $TESTDIR
        elif [ "ABC$1" = "ABC-s" ]; then
            setfacl -r -m d:u::rw-,d:g::r--,d:o:---,d:m:rwx $TESTDIR
            setfacl -r -m d:u:$USER_X:rw- $TESTDIR
            setfacl -r -m u:$USER_X:r-x $TESTDIR
        fi
        shift;
    done
    # clean up previous run of the test
    rm -r $ROOTDIR
    # create files/directories
    mkdir $ROOTDIR
    mkdir $ROOTDIR/sub1dir
    mkdir $ROOTDIR/sub1dir/sub2dir
    mkdir $ROOTDIR/sub1dir/sub2dir/sub3dir
    #set permissions
    chmod 777 $ROOTDIR
    chmod 777 $ROOTDIR/sub1dir
    chmod 777 $ROOTDIR/sub1dir/sub2dir
    chmod 777 $ROOTDIR/sub1dir/sub2dir/sub3dir
    # create files
    echo "" > $ROOTDIR/sub1dir/sub2dir/file1.txt
    echo "" > $ROOTDIR/sub1dir/sub2dir/sub3dir/file2.txt
    chmod 666 $ROOTDIR/sub1dir/sub2dir/file1.txt
    chmod 666 $ROOTDIR/sub1dir/sub2dir/sub3dir/file2.txt
    # tar/zip the files:
    /usr/bin/tar -cvf $ROOTDIR/tarBeforeACLs.tar $ROOTDIR/sub1dir
    /usr/bin/gzip $ROOTDIR/tarBeforeACLs.tar
    # move the directory (so we keep the original as a template of what things should look like)
    mv $ROOTDIR/sub1dir $ROOTDIR/sub1dir_orig
    # untar/zip the files:
    /usr/bin/gunzip $ROOTDIR/tarBeforeACLs.tar
    /usr/bin/tar -xvf $ROOTDIR/tarBeforeACLs.tar
    ls -lR $ROOTDIR
    # Ok. These have been tested to be the exact same.
    echo "********************************************************************************"
    echo "********************************************************************************"
    echo "********************************************************************************"
    # Let's try using ACL's now
    # --> directories (owned by root) must be accessible to OAM user.
    # --> files (owned by root) must be read/writable by user OAM when created in the directories
    setfacl -r -m u:$USER_X:r-x $ROOTDIR/sub1dir
    setfacl -r -m u:$USER_X:r-x $ROOTDIR/sub1dir/sub2dir
    setfacl -r -m u:$USER_X:r-x $ROOTDIR/sub1dir/sub2dir/sub3dir
    setfacl -r -m u:$USER_X:rw- $ROOTDIR/sub1dir/sub2dir/file1.txt
    setfacl -r -m u:$USER_X:rw- $ROOTDIR/sub1dir/sub2dir/sub3dir/file2.txt
    setfacl -r -m d:u::rw-,d:g::r--,d:o:---,d:m:rwx $ROOTDIR/sub1dir
    setfacl -r -m d:u:$USER_X:rw- $ROOTDIR/sub1dir
    setfacl -r -m d:u::rw-,d:g::r--,d:o:---,d:m:rwx $ROOTDIR/sub1dir/sub2dir
    setfacl -r -m d:u:$USER_X:rw- $ROOTDIR/sub1dir/sub2dir
    setfacl -r -m d:u::rw-,d:g::r--,d:o:---,d:m:rwx $ROOTDIR/sub1dir/sub2dir/sub3dir
    setfacl -r -m d:u:$USER_X:rw- $ROOTDIR/sub1dir/sub2dir/sub3dir
    # here are things as they stand
    ls -lR $ROOTDIR
    echo "********************************************************************************"
    echo "********************************************************************************"
    echo "********************************************************************************"
    # tar/zip the files:
    /usr/bin/tar -cvfp $ROOTDIR/tarAfterACLs.tar $ROOTDIR/sub1dir
    /usr/bin/gzip $ROOTDIR/tarAfterACLs.tar
    # move the directory (so we keep the directory that was applied ACL's)
    mv $ROOTDIR/sub1dir $ROOTDIR/sub1dir_acl
    # untar/zip the files:
    /usr/bin/gunzip $ROOTDIR/tarAfterACLs.tar
    /usr/bin/tar -xvfp $ROOTDIR/tarAfterACLs.tar
    # here are things after we've untared them
    ls -lR $ROOTDIR
    echo "********************************************************************************"
    echo "********************************************************************************"
    echo "********************************************************************************"
    getfacl $ROOTDIR/sub1dir_orig $ROOTDIR/sub1dir_acl $ROOTDIR/sub1dir
    echo "********************************************************************************"
    getfacl $ROOTDIR/sub1dir_orig/sub2dir $ROOTDIR/sub1dir_acl/sub2dir $ROOTDIR/sub1dir/sub2dir
    echo "********************************************************************************"
    getfacl $ROOTDIR/sub1dir_orig/sub2dir/sub3dir $ROOTDIR/sub1dir_acl/sub2dir/sub3dir $ROOTDIR/sub1dir/sub2dir/sub3dir
    echo "********************************************************************************"
    getfacl $ROOTDIR/sub1dir_orig/sub2dir/file1.txt $ROOTDIR/sub1dir_acl/sub2dir/file1.txt $ROOTDIR/sub1dir/sub2dir/file1.txt
    echo "********************************************************************************"
    getfacl $ROOTDIR/sub1dir_orig/sub2dir/sub3dir/file2.txt $ROOTDIR/sub1dir_acl/sub2dir/sub3dir/file2.txt $ROOTDIR/sub1dir/sub2dir/sub3dir/file2.txt
    echo "********************************************************************************"
    Any ideas?

    UFSDUMP has some limitations, including being on a file system that is read-only. Yes, I could force it on a read-write FS, but I normally stay away from big sticker labels found in man pages when I encounter them. :-(
    What I was originally after was a script that makes a backup of application configuration files before I modify them. Thus, I tar/zip the directory.
    These config files/directories have ACL's attached to them to allow various roles to access them (group permissions are not fine-grained enough). However, when I ran through a couple of tests, I came across a scenario that overwrote the original permissions. Tested it on Solaris 10 and Solaris 9, and both fail.
    So now (very late into the feature design) I'm VERY concerned about using ACL's on Solaris, and wonder what other side-effects there are that I'm not aware of. Can't seem to find a bug report on it, so I thought I'd ask around to see if it was just the behaviour of the TAR/ACL that I'm not quite getting, or if it really is a bug.
    /chris

  • Edit GUID for Group? ACLs from old server no good

    Hi, we're trying to upgrade from an old server running OSX Server 10.4.11 to a new Mac Mini running Lion Server. Our 'hopes & dreams' were to be able to keep everything the same so we could just switch over and keep working with no interruption.
    Our needs are pretty basic, with only using 6-8 local user accounts (no network accounts), 2-3 main groups, and mostly file sharing and VPN.
    So I tried to setup the users and groups with the same long names, shortnames, passwords and UID/GIDs as our old server. Then for our main old shared files drive, we cloned the entire contents to our new RAID drive using SuperDuper, making sure to check 'retain ACLs'. We were 'hoping' to retain all of the ACLs so we wouldn't have to reapply them to thousands and thousands of files/folders. Even with only a couple groups and not too many ACLs, it would still be a pain.
    Unfortunately, when I examine the permissions for files & folders on the new drive, instead of the group short names for the ACE's it is listing a long number which I believe is a GUID?!? (instead of the group name 'sales' it might say 'A4688EB67-6478-AADE-AA97-006545897979' for the User or Group). But the actual ACE's applied are correct, so those did in fact stay intact.
    - So am I understanding correctly that setting the same GIDs for the groups was not enough, there was a hidden 'GUID' that I was not aware of that is now out-of-sync?
    - If so, is there any way to edit this number for a group so that the ACLs will find the proper groups again?
    - If THIS is possible, how would I find the GUIDs for the old groups in Tiger Server so I could port them over???
    - Any other options other than resetting all of the ACLs from scratch???
    THANKS!

    Sorry, was easier than I thought. Just haven't worked on the server in a while.
    If it helps anyone for whom this isn't obvious, I exported the users & groups from the Tiger server using Workgroup Manager, then imported them into our Lion Server. This brings all the proper GUIDs with it and now all of our ACLs look correct.
    Note to self: sometimes the easy method actually works (with all the differences, I wouldn't have been certain the Tiger users could be imported directly in).

  • LDAP realm for authentication and ACL in Database

    We are thinking of using LDAP realm for authentication and we want to use ACL from a Database. But the documentation says: "WebLogic Server defers to the LDAP realm for authentication, but not for authorization. Authorization is accomplished with access control lists (ACLs), which are defined in the weblogic.properties file"
    Can we use LDAP realm for authentication and manage our ACL from a Database? Or do we have to use the weblogic.properties file? Does the weblogic security API help in the above scenario? Thanks Ram

    Unfortunately, there is no easy way to do this in wls 6.0.
    The only way to handle it is to write your own custom realm
    that uses ldap for users and groups and a database for acls -
    probably not a viable alternative.
    -Tom
    "kevin doherty" <[email protected]> wrote:
    >
    Jeffrey Hirsch <[email protected]> wrote:
    You should be able to use the DelegatedRealm interface to utilize the authentication methods from LDAP and the authorization methods from RDBMSRealm...
    I'm trying to do this too, but we are using WL6 and I see that the DelegatedRealm interface has been deprecated in this version. I'd greatly appreciate more information on doing this in WL6.
    Thanks!
    -kd

  • Matching Route Patterns with standard Local Route group and Specific Route Group

    Hi
    I have a customer with CUCM 8.6 with few branches
    couple of branches in UK and few in Europe and middle east.
    I configured route patterns with Standard local route group, but using their own Voice gateway, everything was working fine until adding the recent branch with matching pattern 
    UK has a mobile pattern with 9.07XXXXXXXXX (11 digits)
    One Branch has a mobile with 9.07XXXXXXXX (10 digits)
    When the branch calls a 907X.. (10-digit) number there was a delay, so I ticked Urgent Priority to process it quicker, but later realized the UK branch cannot dial 907x.. (11-digit) mobiles.
    I created a Route List for the branch and added the 10-digit pattern to it, but the UK still cannot call 11-digit numbers. So I believe when you call out it will check the pattern first, and the Route-List and Route-Group and gateway play a part.
    Is there a way to get 07 10-digit calls out quickly while also allowing the 07 11-digit pattern (without changing the T302 timer)?
    Really appreciate your support
    thanks
    shameer

    Yes, the key to managing overlapping centralized dial plans is to be really good with patterns, partitions, and CSSs. You can have 3 different 9.0[2-9]XX-[2-9]XX-XXXX patterns and assign them a different partition, and then assign that to the branch CSS. This will only work if each Branch has a different CSS.
    For example:
    9.0[2-9]XX-[2-9]XX-XXXX @ Egypt-PT ->Routes to Local route group of Egypt.
    9.0[2-9]XX-[2-9]XX-XXX @ UK-PT -> Routes to Local route group of UK
    9.0[2-9]XX-[2-9]XX-XXX @ Germany-PT -> Routes to Local Route group of Germany.
    //PT = partition//
    Then have Egypt-CSS that contains 9.0[2-9]XX-[2-9]XX-XXXX @ Egypt-PT. 
    UK-CSS contains 9.0[2-9]XX-[2-9]XX-XXX @ UK-PT
    Germany- CSS contains 9.0[2-9]XX-[2-9]XX-XXX @ UK-PT
    The other patterns will be invisible to your sites because they are in a different partition that is not in their CSS. 2 overlapping patterns in the same PT will cause you to wait for the inter-digit timeout unless you press #.
    Thanks,
    Frank

  • I want to delete a group on my iChat list, but it doesn't go away when I right click and delete it. No one's in the group and I tried the plus button on the bottom left of the list and I can't find "edit groups"

    I want to delete a group on my iChat list, but it doesn't go away when I right click and delete it. No one's in the group and I tried the plus button on the bottom left of the list and I can't find "edit groups"

    WordPress is in a class of its own.  It began its open source life as a blogging system but it has evolved into a powerful, feature-rich CMS (content management system).  In short, if you elect to use WordPress on your domain, you might just as well use it for your entire web site.
    To work with WordPress, you will need a firm understanding of HTML, CSS and how PHP includes work.
    WP requires you to set-up a dynamic work environment (see links below)
    Find a WP Theme you like that won't require much customizing on your part.
    Related Links:
    http://wordpress.org/
    Get one of the following testing servers for your OS and follow the installation instructions.
    WAMP for Windows
    http://www.wampserver.com/en/
    XAMPP for Windows
    http://www.apachefriends.org/en/xampp-windows.html
    XAMPP for Mac
    http://www.apachefriends.org/en/xampp-macosx.html
    MAMP for Mac
    http://www.mamp.info/en/downloads/index.html
    Setting up a PHP development environment for Dreamweaver
    http://www.adobe.com/devnet/dreamweaver/articles/setting_up_php_05.html
    Creating a WordPress Theme in DW
    http://www.adobe.com/devnet/dreamweaver/articles/creating_wordpress_theme_with_dreamweaver_pt1.html
    Best of luck,
    Nancy O.
    Alt-Web Design & Publishing
    Web | Graphics | Print | Media  Specialists
    http://alt-web.com/
    http://twitter.com/altweb
    http://alt-web-design.blogspot.com/

  • Groups and permissions

    I'm preparing a script where some local groups need to be created, then domain groups added to them. Also it'll create some folder structure and assign my local groups the right permissions. I thought that rather than hardcoding all that it would be better to make it more general, so if groups need to be changed or the folder structure modified it can be easily done. Hence I decided to use it as a good opportunity to learn to work with functions to extend my beginner's PS skills.
    I started with creating text files with what will be needed later. So I have folders.txt, LocalG.txt and DomainG_A.txt DomainG_B.txt, all put in variables
    $folders = Get-Content .\folders.txt
    $LocalG = Get-Content .\LocalG.txt
    $DomainG_A = Get-Content .\DomainG_A.txt
    $DomainG_B = Get-Content .\DomainG_B.txt
    #######  Functions   #################
    # Test if folders exist and if not create them
    Function TestFolders ($folders){
        foreach($folder in $folders){
            if((Test-Path $folder) -eq $False){
                New-Item -Path $folder -ItemType Directory -Force
            }
        }
    }
    # Remove all ACLs from existing folder structure in case it's incorrect
    Function RemoveACL ($folder) {
        $acl = Get-Acl $folder
        foreach($access in $acl.Access){
            # ($True, $True) = block inheritance, keep inherited rules as explicit copies
            $acl.SetAccessRuleProtection($True, $True)
            $acl.RemoveAccessRuleAll($access)
        }
        Set-Acl $folder $acl
    }
    # Create Local Groups
    Function AddLocalGroups ($Groups){
        foreach ($group in $Groups){
            $cn = [ADSI]("WinNT://$env:computername")
            $gp = $cn.Create("Group", "$group")
            $gp.setInfo()
        }
    }
    # Here I would like adding domain groups A and B to some of my local groups
    Function AddTo_A_Group ($AGroups){
        foreach($gp in $AGroups){
            $gr = $gp.Replace('\','/')  # as we will likely see domain\group format in the text file
            $objGroup = [ADSI]"WinNT://$gr"
            $objGroupA1 = [ADSI]("WinNT://Test Group 1 A")
            $objGroupA1.PSBase.Invoke('Add',$objGroup.PSBase.Path)
            $objGroupA2 = [ADSI]("WinNT://Test Group 2 A")
            $objGroupA2.PSBase.Invoke('Add',$objGroup.PSBase.Path)
        }
    }
    Function AddTo_B_Group ($BGroups){
        foreach($gp in $BGroups){
            $gr = $gp.Replace('\','/')
            $objGroup = [ADSI]"WinNT://$gr"
            $objGroupB1 = [ADSI]("WinNT://Test group 1 B")
            $objGroupB1.PSBase.Invoke('Add',$objGroup.PSBase.Path)
            $objGroupB2 = [ADSI]("WinNT://Test group 2 B")
            $objGroupB2.PSBase.Invoke('Add',$objGroup.PSBase.Path)
        }
    }  # surely this can be done better
    # To add a group and assign e.g. read and execute permissions
    Function ModifyACL($folder,$group){
        $acl = Get-Acl $folder
        # $group is the group name string read from LocalG.txt
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
            $group,
            "ReadAndExecute",
            "ContainerInherit, ObjectInherit",
            "None",
            "Allow"
        )
        $acl.AddAccessRule($rule)
        Set-Acl $folder $acl
    }
    AddLocalGroups $LocalG            # create local groups based on the contents of LocalG.txt
    AddTo_A_Group $DomainG_A          # add A domain groups to Local groups with A in their name
    AddTo_B_Group $DomainG_B          # add B domain groups to Local groups with B in their name
    foreach ($folder in $folders){
        TestFolders $folder           # test if folders exists and create as needed
        RemoveACL $folder             # remove all current permissions
        foreach($group in $LocalG){
            if($group -match "A"){    # for all groups with A in their name
                # arguments are space-separated; ModifyACL($folder, $group) would pass one array
                ModifyACL $folder $group      # add group and give it R&E permissions
            }
        }
    }
    Running the above Local groups get created and this is as far as it gets :)
    When the script gets to AddTo_A_Group function it throws an exception calling Invoke with 2 arguments: Unknown name(0x80020006 (Disp_E_UNKNOWNNAME) on my $objGroupA.PSBase.Invoke('Add',$objGroup.PSBase.Path)
    Some help would be much appreciated.
    yaro

    Yeah, PSBase is a sort of great unknown for me. I suppose I use [ADSI] as most of similar code (including your neat one-liner :) ) uses it presumably not to need to have connection with any DC.
    After adding a couple of write-hosts here and there I'm seeing that although the group name $gr looks correct (here contoso.net/GroupA1) in the next line the $objGroup shows up as System.DirectoryServices.DirectoryEntry and same for $objGroupA1 where I was expecting to see contoso.net/GroupA and contoso/Test Group A 1. $objGroup.Path doesn't show anything but $objGroup.PSBase.Path shows System.DirectoryServices.DirectoryEntry again...
    yaro

  • AD Users and ACLs PLEASE HELP

    I'm having issues with AD users getting proper permissions with Photoshop, Illustrator, Office, etc when saving files they didn't create. Adding a local group / local users and assigning ACL thru terminal works great. I'm trying to repeat the command: "sudo chmod +a "AD01\sap mac user allow readsecurity,readattr,readextattr,list,serch,read,execute,writeextattr,writeattr,delete,deletechild,add_file,add_subdirectory,write,append,file_inherit,directoryinherit,chown,writesecurity" /Volumes/Data/Shared"
    the group being "AMS01\sap mac user" the response
    chmod: Unable to translate AD01\sap to a UID/GID: Invalid argument
    I have tried using the AD group ID that workgroup manager has given me, still the same error
    chmod: Unable to translate 981287631 to a UID/GID: Invalid argument
    Any suggestions? I'm about ready to pull my mac clients off AD, I'd rather not.
    I don't have control of any of the AD stuff. I've also tried creating a local group and adding the AD users to that, but they don't get the right permissions on the client side, shows as group "unknown"
    Running 10.4.4 Server/10.4.4 Clients, AD 2000

    Dvd Authoring Info and Tutorials
    Wikipedia
    and
    VideoGuys
    and
    VideoHelp
    and
    at Encore
    Encore Tutorials
    http://www.stevengotz.com/
    http://www.doogs-tutorials.com/
    http://www.adobe.com/designcenter/
    Workflow
    http://www.adobe.com/go/vid0239
    Premiere Tutorials
    http://ppro.wikia.com/wiki/Tutorials_and_articles

  • Grouping and Decimal characters in rtf templates.

    Hi guys and girls,
    I’m really struggling with a problem here regarding the decimal characters for the prices in my output.
    I'm using XML Publisher 5.6.3.
    My goal is to control the grouping and decimal character from my template.
    The numbers in the XML data file can either be 10.000,00 or 10,000.00. The format is handled by the users nls_numeric_characters profile option.
    The output of the template shall be based on the locale and not the data generated by Oracle Reports. For example: Reports to US customers shall show the numbers in the following format 10,000.00. Reports to our European customers shall show the numbers in this format 10.000,00.
    How can I achieve this in my templates? Can it be achieved at all?
    Thank you in advance.
    Kenneth Kristoffersen
    Edited by: Kenneth_ on May 19, 2009 1:30 AM

    Hi,
    Thank you for your reply.
    The problem is that the report is generating the output based on the users profile option nls_numeric_characters.
    I have tried to override the user's profile option in the before report trigger without any luck. I can alter selects so the query gets the numbers in the right format, but then I would have to go through all queries and reports, which seems a bit wrong? Especially for the standard Oracle reports.
    BR Kenneth

  • Sum of LineCount Including Groups and Detail Data On Each Page Used To Generate New Page If TotalPageLineCount > 28

    Post Author: tadj188#
    CA Forum: Formula
    Needed: Sum of LineCount Including Groups and Detail Data On Each Page Used To Generate New Page If TotalPageLineCount > 28
    Background:
    1) Report SQL is created with unions to have detail lines continue on a page, until it reaches page footer or report footer, rather than using subreports. A subreport report is now essentially a group1a, group1b, etc. (containing column headers and other data within the report with their respective detail lines). I had multiple subreports and each subreport became one union.
    Created and tested, already:
    1) I have calculated @TotalLineForEachOfTheSameGroup, now I need the sum of the individual same group totals to get the total line count on a page.
    Issue:
    1) I need this to create a break on a certain line before it dribbles into a pre-printed area.
    Other Ideas Appreciated:
    1) Groups/detail lines break inconveniently(dribble) into the pre-printed area, looking for alternatives for above situation.
    Thank you.
    Tadj

    Export all images of each page; try it like this:
    var myDoc = app.activeDocument;
    var myFolder = myDoc.filePath;
    // Every placed graphic in the document
    var myImage = myDoc.allGraphics;
    for (var i = 0; i < myImage.length; i++) {
        app.select(myImage[i]);
        // Name the exported file after the linked source file
        var MyImageNmae = myImage[i].itemLink.name;
        app.jpegExportPreferences.jpegQuality = JPEGOptionsQuality.HIGH;
        app.jpegExportPreferences.exportResolution = 300;
        // Export the selected graphic as a JPEG next to the document
        app.selection[0].exportFile(ExportFormat.JPG, File(myFolder + "/" + MyImageNmae + ".JPEG"), false);
        alert(myImage[i].itemLink.name);
    }

  • What  is difference between user group and reference user group?

    Hi guys,
    What is the difference between user group and reference user group?
    Your regards,
    p.suresh

    Hi ,
    Check the link below for your clarification.
    http://help.sap.com/erp2005_ehp_03/helpdata/EN/5c/c1c81c445f11d189f00000e81ddfac/frameset.htm
    Hope it helps.
    Regards,
    Amit
    Edited by: Amit Kotwani on Sep 2, 2008 2:15 PM

  • PO Change according to material group and G/L Account no.

    Hi Expert,
    I have a requirement of "PO Change according to material group and G/L Account no.". I am using BAPI_PO_CHANGE.
    But it is giving an error.
    "I 06 684 Releases already effected are liable to be reset
    E BA 003 Instance 4500010532 of object type PurchaseOrder could not be changed
    E ME 046 Purchase order item 00010 still contains faulty account assignments
    W ME 039 Goods receipt posted unvaluated due to multiple account assignment
    E ME 083 Enter G/L account no."
    Can anybody tell me how to fill this BAPI?
    I am even trying to debug the standard tcode of PO, but it is not calling the BAPI BAPI_PO_CHANGE.
    Could you please help me on this.
    Regards
    Sanjay Kumar

    Hello,
    To assign a material group to a G/L account you have to maintain a valuation class for the material group:
    SPRO >> Materials Management >> Purchasing >> Material Master >> Entry aids for items without material master.
    Assign this valuation class to the G/L account in OBYC.
    Regards,
    Shailesh
