CUA still necessary/recommended with Access Enforcer?

Hello forum members,
we are planning to implement SAP GRC Access Control for one of our clients. There are 5 R/3 Systems in the landscape, one of them a HR System. Currently there is no CUA in place an all users and roles are maintained separately in each system. Now with the introduction of GRC Access Control there is the question, if we should at the same time also have a CUA introduced or if it is better to directly provision the Users and Roles from Access Enforcer to the target systems.
What are the pros/cons to have a CUA in between? Does Access Enforcer also provide overview on all users in all system and the assigned roles?
Thanks for your replies.

This is a question that I'm asked all the time. For some environments, using CUA with AE is really nice. For other environments, it's just not feasible to have CUA as the security authorisation strategies are too inconsistent across systems.
For example:
a. There are three systems (ECC, BI, and SRM) implemented with a consistent top-down (job) approach to defining roles. So, a AP clerk will receive the 'AP Clerk' role in ECC, 'AP Clerk' role in BI, and 'AP Clerk' role in SRM (for simplicity). Obviously, the roles are different as they are for different systems, but the point is, it is easy to categorise the authorisations for a particular job across each of the systems. If security is consistent like this, then CUA can be implemented and the three single roles for the three systems can be grouped together in a cross-system composite role called 'AP Clerk'. When AE is implemented over the top of this, a user only has to request the 'AP Clerk' role (composite). AE performs the workflows, risk analysis etc and then finally passes the request to CUA, which then provisions out to the other two systems. Very easy from a user point of view as they only have to request one role, which is their job.
b. If however due to inconsistency between the systems, it is not feasible to group access into cross-system composites, it may just be better to go with AE without CUA. In this scenario, a user must request the applicable roles from each of the three systems. It is more flexible, but a little more difficult for the end user.
I normally spend quite a bit of time developing the Access Controls strategy during the blueprint phase of the implementation just to make sure that I'm coming up with the optimal design. A bit of prototyping helps also!

Similar Messages

Connector problem with access enforcer

Hi Guys,
I am facing a really strange problem with my connectors.
We have a test installation of GRC which was down for about 3 months.
During this time we migrated our central SLD to another system so I needed to change the connection after getting the system up again.
Anyhow I still can't modify, test or even create a new connector for access enforcer.
The only error I get is "Action failed".
I tried to analyze the logs but found no help there too.
2007-06-18 20:41:56,833 [SAPEngine_Application_Thread[impl:3]_4] ERROR java.lang.NullPointerException
java.lang.NullPointerException
     at com.virsa.ae.dao.sqlj.SAPConnectorDAO.iterToDTO(SAPConnectorDAO.sqlj:75)
     at com.virsa.ae.dao.sqlj.SAPConnectorDAO.findByConnectorName(SAPConnectorDAO.sqlj:15)
     at com.virsa.ae.configuration.bo.ConnectorsBO.findSAPConnectorDetails(ConnectorsBO.java:76)
     at com.virsa.ae.configuration.actions.ManageConnectorsAction.testConnection(ManageConnectorsAction.java:163)
     at com.virsa.ae.configuration.actions.ManageConnectorsAction.execute(ManageConnectorsAction.java:66)
     at com.virsa.ae.commons.utils.framework.NavigationEngine.execute(NavigationEngine.java:229)
     at com.virsa.ae.commons.utils.framework.servlet.AEFrameworkServlet.service(AEFrameworkServlet.java:412)
     at javax.servlet.http.HttpServlet.service(HttpServlet.java(Compiled Code))
     at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:390)
     at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:264)
     at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:347)
     at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:325)
     at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:887)
     at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:241)
     at com.sap.engine.services.httpserver.server.Client.handle(Client.java:92)
     at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:148)
     at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java(Compiled Code))
     at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java(Compiled Code))
     at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java(Compiled Code))
     at java.security.AccessController.doPrivileged1(Native Method)
     at java.security.AccessController.doPrivileged(AccessController.java(Compiled Code))
     at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java(Compiled Code))
     at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java(Compiled Code))
Did anybody here face a problem like that?
Kind regards,
Bastian
Message was edited by:
        Bastian Schneider
Message was edited by:
        Bastian Schneider

I had a simular problem with CC and I had to contact SAP. They gave me a script to run against the database that remove the connector. The problem seemed somewhat common for CC 5.1. Not sure if this applies to AE.

CUA vs. Access Enforcer

Can anyone explain the need for implemented both CUA and Access Enforcer?
We are currently upgrading to ECC6.0 and implementing the GRC tools(5.2) and CUA With the distributed access provisioning available in Access Enforcer, I am trying to determine the benefit of implementing CUA .

Hi Patrick
1) In this scenario the only benefit with CUA i can see is
     a) Password reset
     b) locking and unlocking the user.
2) If you use GRC AC in landscape, it is not at all recommended to assign roles, profiles using CUA. This can lead to high level compliance /regulatory issues.
3) If you are implementing new CUA, then i would recommend to go for NW Identity Management Solution. Advantages are
    1) User provisioning for SAP and non-SAP system
    2) can be integrated with GRC for Risk analysis and remediation.
    3) Password Management also possible.
        https://www.sdn.sap.com/irj/sdn/nw-identitymanagement
regards
Anand.M

If i associate my apple id with another email will i lose my icloud data or i will still be able to access all my stored data with the new linked to my apple id email address?

hi there
if i associate my apple id with another email will i lose my icloud data or i will still be able to access all my stored data with the new linked to my apple id email address?
i mean i am not signing up for a new account, just changing my old id primary email which is my apple id login into account.
in other words, www.icloud.com will recognize that it is still me if i login on the site? will i be able to see there all my stored information?
and if i change my password, does it automatically changes the @icloud.com password which should be the same as my apple id pass?
thanks

After opening the email it shoud of had you enter the Apple ID and password. Using certian web browser's can cause errors. You can adjust securty settings (big pain) or you use another browser. Using Firefox or Safari should do the trick.
Let me know if using Firefox or Safari resolved it.

Can access enforcer be implemented with going through the SOD check.

Hi All,
I have couple of questions regarding Access enforcer:
1. Can Access enforcer be implemented with going through the SOD check?
2. Can we provision roles for the project team using Access Enforcer (without having a million SOD conflicts which need to be cleared)?
I would really appreciate any insight on these questions.
Thanks

https://websmp103.sap-ag.de/~form/sapnet?_FRAME=OBJECT&_HIER_KEY=501100035870000015092&_HIER_KEY=601100035870000206624&_HIER_KEY=601100035870000212731&_HIER_KEY=601100035870000210510&_HIER_KEY=701100035871000519581&_SCENARIO=01100035870000000202&#HOME

Can someone explain to me "Recommended WAN Access Speed (with services)?

Looking at this spec sheet:
http://www.cisco.com/c/dam/en/us/products/collateral/routers/3900-series-integrated-services-routers-isr/Routing_Poster.pdf
Why offer GE WAN ports on a 1921 if the recommended WAN access speed is only 15Mbps? Can someone provide context? I think I'm misunderstanding the specs.
Thanks!

Photo sync is only one way, computer to iPhone.
To get pictures from the iPhone to the computer, copy them to the computer as you would with any other device.
Pictures saved from emails or instant messages (if done on the device) are in the camera roll.
Pictures previously synced to the device from a computer are not available to be copied off the device. They should already be on a computer.

HT5085 I have nearly filled my iCloud storage with pictures. If I subscribe to iTunes match, will I still be able to access music via the cloud?

I have nearly filled my iCloud storage with pictures. If I subscribe to iTunes match, will I still be able to access music via the cloud, or will I have to buy more storage space? Cheers.

Yes, but... you'll have to first index her music through your iTM subscription. So... you'd have to add her music into your own library first. Which.... would defeat the point of iTM I suspect in your case.

When I sync my iPod with iCloud and I delete pictures off of my iPod will I still be able to access them from iCloud?

When I sync my iPod with iCloud and I delete pictures or other data off of my iPod will I still be able to access them from iCloud?

- Syncing with iCloud does not move anything from the the iPod to iCloud. Some items like contacts, calendar and some app date gets synced to the cloud continuously.
- If you backup to iCloud it backs up the photos in your iPOd's Camera Roll album. If you delete some of those photos and then backup the previous backup gets overwritten with the changes and thus you can't get them back.
- You can get the last 30 days worth of phtos in the CamerRoll form your PhotoStream
iOS: Importing personal photos and videos from iOS devices to your computer

If I delete photos on my computer, will I still be able to access them with Time Machine?

If I delete photos on my computer, will I still be able to access them through time machine? My computer is running very slowly and I need to free up some space.

Time Machine is intended for recovery of accidentally deleted items, not as a primary storage method. If you delete items from your computer, they will be deleted from the backup when the drive or partition holding it runs out of space.
(58421)

Too Slow - Domino 6.5.4 with access manager agent 2.2 ?

I don't know how to tune Domino 6.5.4 with access manager agent 2.2?
I think AMAgent.properties is not good for SSO.
Please help me to tune it.
# $Id: AMAgent.properties,v 1.103 2005/09/19 22:08:34 madan Exp $
# Copyright ? 2002 Sun Microsystems, Inc. All rights reserved.
# U.S. Government Rights - Commercial software. Government users are
# subject to the Sun Microsystems, Inc. standard license agreement and
# applicable provisions of the FAR and its supplements. Use is subject to
# license terms. Sun, Sun Microsystems, the Sun logo and Sun ONE are
# trademarks or registered trademarks of Sun Microsystems, Inc. in the
# U.S. and other countries.
# Copyright ? 2002 Sun Microsystems, Inc. Tous droits r閟erv閟.
# Droits du gouvernement am閞icain, utlisateurs gouvernmentaux - logiciel
# commercial. Les utilisateurs gouvernmentaux sont soumis au contrat de
# licence standard de Sun Microsystems, Inc., ainsi qu aux dispositions en
# vigueur de la FAR [ (Federal Acquisition Regulations) et des suppl閙ents
# ? celles-ci.
# Distribu? par des licences qui en restreignent l'utilisation. Sun, Sun
# Microsystems, le logo Sun et Sun ONE sont des marques de fabrique ou des
# marques d閜os閑s de Sun Microsystems, Inc. aux Etats-Unis et dans
# d'autres pays.
# The syntax of this file is that of a standard Java properties file,
# see the documentation for the java.util.Properties.load method for a
# complete description. (CAVEAT: The SDK in the parser does not currently
# support any backslash escapes except for wrapping long lines.)
# All property names in this file are case-sensitive.
# NOTE: The value of a property that is specified multiple times is not
# defined.
# WARNING: The contents of this file are classified as an UNSTABLE
# interface by Sun Microsystems, Inc. As such, they are subject to
# significant, incompatible changes in any future release of the
# software.
# The name of the cookie passed between the Access Manager
# and the SDK.
# WARNING: Changing this property without making the corresponding change
# to the Access Manager will disable the SDK.
com.sun.am.cookie.name = iPlanetDirectoryPro
# The URL for the Access Manager Naming service.
com.sun.am.naming.url = http://sportal.yjy.dqyt.petrochina:80/amserver/namingservice
# The URL of the login page on the Access Manager.
com.sun.am.policy.am.login.url = http://sportal.yjy.dqyt.petrochina:80/amserver/UI/Login
# Name of the file to use for logging messages.
com.sun.am.policy.agents.config.local.log.file = c:/Sun/Access_Manager/Agents/2.2/debug/C__Lotus_Domino/amAgent
# This property is used for Log Rotation. The value of the property specifies
# whether the agent deployed on the server supports the feature of not. If set
# to false all log messages are written to the same file.
com.sun.am.policy.agents.config.local.log.rotate = true
# Name of the Access Manager log file to use for logging messages to
# Access Manager.
# Just the name of the file is needed. The directory of the file
# is determined by settings configured on the Access Manager.
com.sun.am.policy.agents.config.remote.log = amAuthLog.Dominoad.yjy.dqyt.petrochina.80
# Set the logging level for the specified logging categories.
# The format of the values is
#     <ModuleName>[:<Level>][,<ModuleName>[:<Level>]]*
# The currently used module names are: AuthService, NamingService,
# PolicyService, SessionService, PolicyEngine, ServiceEngine,
# Notification, PolicyAgent, RemoteLog and all.
# The all module can be used to set the logging level for all currently
# none logging modules. This will also establish the default level for
# all subsequently created modules.
# The meaning of the 'Level' value is described below:
#     0     Disable logging from specified module*
#     1     Log error messages
#     2     Log warning and error messages
#     3     Log info, warning, and error messages
#     4     Log debug, info, warning, and error messages
#     5     Like level 4, but with even more debugging messages
# 128     log url access to log file on AM server.
# 256     log url access to log file on local machine.
# If level is omitted, then the logging module will be created with
# the default logging level, which is the logging level associated with
# the 'all' module.
# for level of 128 and 256, you must also specify a logAccessType.
# *Even if the level is set to zero, some messages may be produced for
# a module if they are logged with the special level value of 'always'.
com.sun.am.log.level =
# The org, username and password for Agent to login to AM.
com.sun.am.policy.am.username = UrlAccessAgent
com.sun.am.policy.am.password = LYnKyOIgdWt404ivWY6HPQ==
# Name of the directory containing the certificate databases for SSL.
com.sun.am.sslcert.dir = c:/Sun/Access_Manager/Agents/2.2/domino/cert
# Set this property if the certificate databases in the directory specified
# by the previous property have a prefix.
com.sun.am.certdb.prefix =
# Should agent trust all server certificates when Access Manager
# is running SSL?
# Possible values are true or false.
com.sun.am.trust_server_certs = true
# Should the policy SDK use the Access Manager notification
# mechanism to maintain the consistency of its internal cache? If the value
# is false, then a polling mechanism is used to maintain cache consistency.
# Possible values are true or false.
com.sun.am.notification.enable = true
# URL to which notification messages should be sent if notification is
# enabled, see previous property.
com.sun.am.notification.url = http://Dominoad.yjy.dqyt.petrochina:80/amagent/UpdateAgentCacheServlet?shortcircuit=false
# This property determines whether URL string case sensitivity is
# obeyed during policy evaluation
com.sun.am.policy.am.url_comparison.case_ignore = true
# This property determines the amount of time (in minutes) an entry
# remains valid after it has been added to the cache. The default
# value for this property is 3 minutes.
com.sun.am.policy.am.polling.interval=3
# This property allows the user to configure the User Id parameter passed
# by the session information from the access manager. The value of User
# Id will be used by the agent to set the value of REMOTE_USER server
# variable. By default this parameter is set to "UserToken"
com.sun.am.policy.am.userid.param=UserToken
# Profile attributes fetch mode
# String attribute mode to specify if additional user profile attributes should
# be introduced into the request. Possible values are:
# NONE - no additional user profile attributes will be introduced.
# HTTP_HEADER - additional user profile attributes will be introduced into
# HTTP header.
# HTTP_COOKIE - additional user profile attributes will be introduced through
# cookies.
# If not within these values, it will be considered as NONE.
com.sun.am.policy.agents.config.profile.attribute.fetch.mode=NONE
# The user profile attributes to be added to the HTTP header. The
# specification is of the format ldap_attribute_name|http_header_name[,...].
# ldap_attribute_name is the attribute in data store to be fetched and
# http_header_name is the name of the header to which the value needs
# to be assigned.
# NOTE: In most cases, in a destination application where a "http_header_name"
# shows up as a request header, it will be prefixed by HTTP_, and all
# lower case letters will become upper case, and any - will become _;
# For example, "common-name" would become "HTTP_COMMON_NAME"
com.sun.am.policy.agents.config.profile.attribute.map=cn|common-name,ou|organizational-unit,o|organization,mail|email,employeenumber|employee-
number,c|country
# Session attributes mode
# String attribute mode to specify if additional user session attributes should
# be introduced into the request. Possible values are:
# NONE - no additional user session attributes will be introduced.
# HTTP_HEADER - additional user session attributes will be introduced into HTTP header.
# HTTP_COOKIE - additional user session attributes will be introduced through cookies.
# If not within these values, it will be considered as NONE.
com.sun.am.policy.agents.config.session.attribute.fetch.mode=NONE
# The session attributes to be added to the HTTP header. The specification is
# of the format session_attribute_name|http_header_name[,...].
# session_attribute_name is the attribute in session to be fetched and
# http_header_name is the name of the header to which the value needs to be
# assigned.
# NOTE: In most cases, in a destination application where a "http_header_name"
# shows up as a request header, it will be prefixed by HTTP_, and all
# lower case letters will become upper case, and any - will become _;
# For example, "common-name" would become "HTTP_COMMON_NAME"
com.sun.am.policy.agents.config.session.attribute.map=
# Response Attribute Fetch Mode
# String attribute mode to specify if additional user response attributes should
# be introduced into the request. Possible values are:
# NONE - no additional user response attributes will be introduced.
# HTTP_HEADER - additional user response attributes will be introduced into
# HTTP header.
# HTTP_COOKIE - additional user response attributes will be introduced through
# cookies.
# If not within these values, it will be considered as NONE.
com.sun.am.policy.agents.config.response.attribute.fetch.mode=NONE
# The response attributes to be added to the HTTP header. The specification is
# of the format response_attribute_name|http_header_name[,...].
# response_attribute_name is the attribute in policy response to be fetched and
# http_header_name is the name of the header to which the value needs to be
# assigned.
# NOTE: In most cases, in a destination application where a "http_header_name"
# shows up as a request header, it will be prefixed by HTTP_, and all
# lower case letters will become upper case, and any - will become _;
# For example, "common-name" would become "HTTP_COMMON_NAME"
com.sun.am.policy.agents.config.response.attribute.map=
# The cookie name used in iAS for sticky load balancing
com.sun.am.policy.am.lb.cookie.name = GX_jst
# indicate where a load balancer is used for Access Manager
# services.
# true | false
com.sun.am.load_balancer.enable = false
####Agent Configuration####
# this is for product versioning, please do not modify it
com.sun.am.policy.agents.config.version=2.2
# Set the url access logging level. the choices are
# LOG_NONE - do not log user access to url
# LOG_DENY - log url access that was denied.
# LOG_ALLOW - log url access that was allowed.
# LOG_BOTH - log url access that was allowed or denied.
com.sun.am.policy.agents.config.audit.accesstype = LOG_DENY
# Agent prefix
com.sun.am.policy.agents.config.agenturi.prefix = http://Dominoad.yjy.dqyt.petrochina:80/amagent
# Locale setting.
com.sun.am.policy.agents.config.locale = en_US
# The unique identifier for this agent instance.
com.sun.am.policy.agents.config.instance.name = unused
# Do SSO only
# Boolean attribute to indicate whether the agent will just enforce user
# authentication (SSO) without enforcing policies (authorization)
com.sun.am.policy.agents.config.do_sso_only = true
# The URL of the access denied page. If no value is specified, then
# the agent will return an HTTP status of 403 (Forbidden).
com.sun.am.policy.agents.config.accessdenied.url =
# This property indicates if FQDN checking is enabled or not.
com.sun.am.policy.agents.config.fqdn.check.enable = true
# Default FQDN is the fully qualified hostname that the users should use
# in order to access resources on this web server instance. This is a
# required configuration value without which the Web server may not
# startup correctly.
# The primary purpose of specifying this property is to ensure that if
# the users try to access protected resources on this web server
# instance without specifying the FQDN in the browser URL, the Agent
# can take corrective action and redirect the user to the URL that
# contains the correct FQDN.
# This property is set during the agent installation and need not be
# modified unless absolutely necessary to accommodate deployment
# requirements.
# WARNING: Invalid value for this property can result in the Web Server
# becoming unusable or the resources becoming inaccessible.
# See also: com.sun.am.policy.agents.config.fqdn.check.enable,
# com.sun.am.policy.agents.config.fqdn.map
com.sun.am.policy.agents.config.fqdn.default = Dominoad.yjy.dqyt.petrochina
# The FQDN Map is a simple map that enables the Agent to take corrective
# action in the case where the users may have typed in an incorrect URL
# such as by specifying partial hostname or using an IP address to
# access protected resources. It redirects the browser to the URL
# with fully qualified domain name so that cookies related to the domain
# are received by the agents.
# The format for this property is:
# com.sun.am.policy.agents.config.fqdn.map = [invalid_hostname|valid_hostname][,...]
# This property can also be used so that the agents use the name specified
# in this map instead of the web server's actual name. This can be
# accomplished by doing the following.
# Say you want your server to be addressed as xyz.hostname.com whereas the
# actual name of the server is abc.hostname.com. The browsers only knows
# xyz.hostname.com and you have specified polices using xyz.hostname.com at
# the Access Manager policy console, in this file set the mapping as
# com.sun.am.policy.agents.fqdn.map = valid|xyz.hostname.com
# Another example is if you have multiple virtual servers say rst.hostname.com,
# uvw.hostname.com and xyz.hostname.com pointing to the same actual server
# abc.hostname.com and each of the virtual servers have their own policies
# defined, then the fqdnMap should be defined as follows:
# com.sun.am.policy.agents.fqdn.map = valid1|rst.hostname.com,valid2|uvw.hostname.com,valid3|xyz.hostname.com
# WARNING: Invalid value for this property can result in the Web Server
# becoming unusable or the resources becoming inaccessible.
com.sun.am.policy.agents.config.fqdn.map =
# Cookie Reset
# This property must be set to true, if this agent needs to
# reset cookies in the response before redirecting to
# Access Manager for Authentication.
# By default this is set to false.
# Example : com.sun.am.policy.agents.config.cookie.reset.enable=true
com.sun.am.policy.agents.config.cookie.reset.enable=false
# This property gives the comma separated list of Cookies, that
# need to be included in the Redirect Response to Access Manager.
# This property is used only if the Cookie Reset feature is enabled.
# The Cookie details need to be specified in the following Format
# name[=value][;Domain=value]
# If "Domain" is not specified, then the default agent domain is
# used to set the Cookie.
# Example : com.sun.am.policy.agents.config.cookie.reset.list=LtpaToken,
# token=value;Domain=subdomain.domain.com
com.sun.am.policy.agents.config.cookie.reset.list=
# This property gives the space separated list of domains in
# which cookies have to be set in a CDSSO scenario. This property
# is used only if CDSSO is enabled.
# If this property is left blank then the fully qualified cookie
# domain for the agent server will be used for setting the cookie
# domain. In such case it is a host cookie instead of a domain cookie.
# Example : com.sun.am.policy.agents.config.cookie.domain.list=.sun.com .iplanet.com
com.sun.am.policy.agents.config.cookie.domain.list=
# user id returned if accessing global allow page and not authenticated
com.sun.am.policy.agents.config.anonymous_user=anonymous
# Enable/Disable REMOTE_USER processing for anonymous users
# true | false
com.sun.am.policy.agents.config.anonymous_user.enable=false
# Not enforced list is the list of URLs for which no authentication is
# required. Wildcards can be used to define a pattern of URLs.
# The URLs specified may not contain any query parameters.
# Each service have their own not enforced list. The service name is suffixed
# after "# com.sun.am.policy.agents.notenforcedList." to specify a list
# for a particular service. SPACE is the separator between the URL.
com.sun.am.policy.agents.config.notenforced_list = http://dominoad.yjy.dqyt.petrochina/*.nsf http://dominoad.yjy.dqyt.petrochina/teamroom.nsf/TROutline.gif?
OpenImageResource http://dominoad.yjy.dqyt.petrochina/icons/*.gif
# Boolean attribute to indicate whether the above list is a not enforced list
# or an enforced list; When the value is true, the list means enforced list,
# or in other words, the whole web site is open/accessible without
# authentication except for those URLs in the list.
com.sun.am.policy.agents.config.notenforced_list.invert = false
# Not enforced client IP address list is a list of client IP addresses.
# No authentication and authorization are required for the requests coming
# from these client IP addresses. The IP address must be in the form of
# eg: 192.168.12.2 1.1.1.1
com.sun.am.policy.agents.config.notenforced_client_ip_list =
# Enable POST data preservation; By default it is set to false
com.sun.am.policy.agents.config.postdata.preserve.enable = false
# POST data preservation : POST cache entry lifetime in minutes,
# After the specified interval, the entry will be dropped
com.sun.am.policy.agents.config.postcache.entry.lifetime = 10
# Cross-Domain Single Sign On URL
# Is CDSSO enabled.
com.sun.am.policy.agents.config.cdsso.enable=false
# This is the URL the user will be redirected to for authentication
# in a CDSSO Scenario.
com.sun.am.policy.agents.config.cdcservlet.url =
# Enable/Disable client IP address validation. This validate
# will check if the subsequent browser requests come from the
# same ip address that the SSO token is initially issued against
com.sun.am.policy.agents.config.client_ip_validation.enable = false
# Below properties are used to define cookie prefix and cookie max age
com.sun.am.policy.agents.config.profile.attribute.cookie.prefix = HTTP_
com.sun.am.policy.agents.config.profile.attribute.cookie.maxage = 300
# Logout URL - application's Logout URL.
# This URL is not enforced by policy.
# if set, agent will intercept this URL and destroy the user's session,
# if any. The application's logout URL will be allowed whether or not
# the session destroy is successful.
com.sun.am.policy.agents.config.logout.url=
#http://sportal.yjy.dqyt.petrochina/amserver/UI/Logout
# Any cookies to be reset upon logout in the same format as cookie_reset_list
com.sun.am.policy.agents.config.logout.cookie.reset.list =
# By default, when a policy decision for a resource is needed,
# agent gets and caches the policy decision of the resource and
# all resource from the root of the resource down, from the Access Manager.
# For example, if the resource is http://host/a/b/c, the the root of the
# resource is http://host/. This is because more resources from the
# same path are likely to be accessed subsequently.
# However this may take a long time the first time if there
# are many many policies defined under the root resource.
# To have agent get and cache the policy decision for the resource only,
# set the following property to false.
com.sun.am.policy.am.fetch_from_root_resource = true
# Whether to get the client's hostname through DNS reverse lookup for use
# in policy evaluation.
# It is true by default, if the property does not exist or if it is
# any value other than false.
com.sun.am.policy.agents.config.get_client_host_name = false
# The following property is to enable native encoding of
# ldap header attributes forwarded by agents. If set to true
# agent will encode the ldap header value in the default
# encoding of OS locale. If set to false ldap header values
# will be encoded in UTF-8
com.sun.am.policy.agents.config.convert_mbyte.enable = false
#When the not enforced list or policy has a wildcard '*' character, agent
#strips the path info from the request URI and uses the resulting request
#URI to check against the not enforced list or policy instead of the entire
#request URI, in order to prevent someone from getting access to any URI by
#simply appending the matching pattern in the policy or not enforced list.
#For example, if the not enforced list has the value http://host/*.gif,
#stripping the path info from the request URI will prevent someone from
#getting access to http://host/index.html by using the URL http://host/index.html?hack.gif.
#However when a web server (for exmample apache) is configured to be a reverse
#proxy server for a J2EE application server, path info is interpreted in a different
#manner since it maps to a resource on the proxy instead of the app server.
#This prevents the not enforced list or policy from being applied to part of
#the URI below the app serverpath if there is a wildcard character. For example,
#if the not enforced list has value http://host/webapp/servcontext/* and the
#request URL is http://host/webapp/servcontext/example.jsp the path info
#is /servcontext/example.jsp and the resulting request URL with path info stripped
#is http://host/webapp, which will not match the not enforced list. By setting the
#following property to true, the path info will not be stripped from the request URL
#even if there is a wild character in the not enforced list or policy.
#Be aware though that if this is set to true there should be nothing following the
#wildcard character '*' in the not enforced list or policy, or the
#security loophole described above may occur.
com.sun.am.policy.agents.config.ignore_path_info = false
# Override the request url given by the web server with
# the protocol, host or port of the agent's uri specified in
# the com.sun.am.policy.agents.agenturiprefix property.
# These may be needed if the agent is sitting behind a ssl off-loader,
# load balancer, or proxy, and either the protocol (HTTP scheme),
# hostname, or port of the machine in front of agent which users go through
# is different from the agent's protocol, host or port.
com.sun.am.policy.agents.config.override_protocol =
com.sun.am.policy.agents.config.override_host =
com.sun.am.policy.agents.config.override_port =
# Override the notification url in the same way as other request urls.
# Set this to true if any one of the override properties above is true,
# and if the notification url is coming through the proxy or load balancer
# in the same way as other request url's.
com.sun.am.policy.agents.config.override_notification.url =
# The following property defines how long to wait in attempting
# to connect to an Access Manager AUTH server.
# The default value is 2 seconds. This value needs to be increased
# when receiving the error "unable to find active Access Manager Auth server"
com.sun.am.policy.agents.config.connection_timeout =
# Time in milliseconds the agent will wait to receive the
# response from Access Manager. After the timeout, the connection
# will be drop.
# A value of 0 means that the agent will wait until receiving the response.
# WARNING: Invalid value for this property can result in
# the resources becoming inaccessible.
com.sun.am.receive_timeout = 0
# The three following properties are for IIS6 agent only.
# The two first properties allow to set a username and password that will be
# used by the authentication filter to pass the Windows challenge when the Basic
# Authentication option is selected in Microsoft IIS 6.0. The authentication
# filter is named amiis6auth.dll and is located in
# Agent_installation_directory/iis6/bin. It must be installed manually on
# the web site ("ISAPI Filters" tab in the properties of the web site).
# It must also be uninstalled manually when unintalling the agent.
# The last property defines the full path for the authentication filter log file.
com.sun.am.policy.agents.config.iis6.basicAuthentication.username =
com.sun.am.policy.agents.config.iis6.basicAuthentication.password =
com.sun.am.policy.agents.config.iis6.basicAuthentication.logFile = c:/Sun/Access_Manager/Agents/2.2/debug/C__Lotus_Domino/amAuthFilter

Hi,
I installed opensso (so Sun Java(TM) System Access Manager 7.5) and the agent for Domino 6.5.4 and I have the message in logs "amAgent"
2007-07-11 18:40:16.119 Error 1708:3dbcf768 PolicyAgent: render_response(): Entered.
I have the box to identify but it doesnot connect me on my opensso server.
It still identify with Domino's server
Thanks for your response
Thomas

Upgrade of scvmm 2012 sp1 to scvmm 2012 r2 fails with "Access to the path 'C:\ProgramData\VMMLogs\SetupWizard.log' is denied"

I had a working scvmm 2012 sp1 installation, and am attempting to upgrade to 2012 r2.
The old SCVMM product was removed (retaining the database), as well as ADK 8.0. I then installed ADK 8.1.
The install fails after a number of minutes with "Access to the path 'C:\ProgramData\VMMLogs\SetupWizard.log' is denied". From my reading of the log, that was the only obvious failure, and that the VMM server MSI installed successfully.
It doesn't appear to get so far as to upgrade the database.
The OS is Windows Server 2012 R2 Standard, with all updates applied. I have tried the install many times, noticed that the McAfee virus scanner was pushed to the box at some point, so I removed it, but still no dice.
12:18:58:LaunchMSI: MSI C:\Users\mscott\Desktop\mu_system_center_2012_r2_virtual_machine_manager_x86_and_x64_dvd_2913737\amd64\setup\msi\Server\vmmServer.msi succeeded.
12:18:58:Doing Postinstall task for PangaeaServer
12:18:58:ProcessInstalls: Install Item VMM management server was successful. We will launch the post process delegate.
12:19:47:Windows feature RSAT-Clustering-PowerShell already enabled, skipping
12:20:15:Windows feature WindowsStorageManagementService already enabled, skipping
12:20:41:Windows feature UpdateServices-API already enabled, skipping
12:23:31:VMMPostinstallProcessor threw an exception: Threw Exception.Type: System.UnauthorizedAccessException, Exception.Message: Access to the path 'C:\ProgramData\VMMLogs\SetupWizard.log' is denied.
12:23:31:StackTrace:   at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)
   at System.IO.FileStream.Init(String path, FileMode mode, FileAccess access, Int32 rights, Boolean useRights, FileShare share, Int32 bufferSize, FileOptions options, SECURITY_ATTRIBUTES secAttrs, String msgPath, Boolean bFromProxy, Boolean useLongPath,
Boolean checkHost)
   at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access, FileShare share, Int32 bufferSize, FileOptions options, String msgPath, Boolean bFromProxy, Boolean useLongPath, Boolean checkHost)
   at System.IO.StreamWriter..ctor(String path, Boolean append, Encoding encoding, Int32 bufferSize, Boolean checkHost)
   at System.IO.StreamWriter..ctor(String path, Boolean append, Encoding encoding, Int32 bufferSize)
   at System.IO.StreamWriter..ctor(String path, Boolean append)
   at System.IO.File.AppendText(String path)
   at Microsoft.VirtualManager.SetupFramework.CommonLogger.Log(String trace)
   at Microsoft.VirtualManager.SetupFramework.CommonLogger.Log(LogLevel level, String trace)
   at Microsoft.VirtualManager.SetupFramework.Trc.Log(LogLevel level, String trace, Object parameter1, Object parameter2, Object parameter3)
   at Microsoft.VirtualManager.SetupFramework.Trc.LogException(LogLevel logLevel, String customMessage, Exception exception)
   at Microsoft.VirtualManager.Setup.DBConfigurator.ExecuteScript(SqlContext ctx, String fileName)
   at Microsoft.VirtualManager.Setup.DBConfigurator.UpgradeDatabaseTables()
   at Microsoft.VirtualManager.Setup.VirtualMachineManagerHelpers.CreateDB()
   at Microsoft.VirtualManager.Setup.InstallItemCustomDelegates.PangaeaServerPostinstallProcessor()
12:23:31:ProcessInstalls: Running the PostProcessDelegate returned false.
12:23:31:ProcessInstalls: Running the PostProcessDelegate for PangaeaServer failed.... This is a fatal item. Setting rollback.
12:23:31:SetProgressScreen: FinishMinorStep.
12:23:31:ProcessInstalls: Rollback is set and we are not doing an uninstall so we will stop processing installs
12:23:31:****************************************************************
12:23:31:****Starting*RollBack*******************************************
12:23:31:****************************************************************
12:23:31:SetProgressScreen: StartMinorStep.
Mark E. Scott Jr.

Perhaps relevant, perhaps not. This error shows up right after the above log snippet. I assumed it was an error with the rollback routine, but just in case, here it is:
12:23:31:SetProgressScreen: StartMinorStep.
12:23:31:ProcessInstalls: Install Item VMM management server has a Preprocessing delegate of PangaeaServerPreinstallProcessor. Launching it now.
12:23:31:GetSqlLoginName: TThe login name for the vmm server service is [DGSLAB\tfs-vmm]
12:24:49:no HAVMM name detected in DB. Doing VMM Uninstall
12:24:53:Start setspn.exe parameters -D SCVMM/tfsvmm1.dgslab.com DGSLAB\tfs-vmm
12:24:56:Start setspn.exe parameters -D SCVMM/tfsvmm1 DGSLAB\tfs-vmm
12:25:00:DBConfigurationHander.SetupAsVMMServerRole() CarmineException : Threw Exception.Type: Microsoft.VirtualManager.Utils.FailedToAcquireLockException, Exception.Message: Unable to perform the job because one or more of the selected objects are locked by
another job.
To find out which job is locking the object, in the Jobs view, group by Status, and find the running or canceling job for the object. When the job is complete, try again.
12:25:00:StackTrace:   at Microsoft.VirtualManager.Utils.CarmineObjectLock.ExecuteAcquireLockSP(CarmineObjectLockType lockType)
   at Microsoft.VirtualManager.Utils.CarmineObjectLock.AcquireLockWithRetries(CarmineObjectLockType lockType)
   at Microsoft.VirtualManager.Utils.CarmineObjectLock.AcquireLock(CarmineObjectLockType lockType, Boolean doNotWaitForLock)
   at Microsoft.VirtualManager.DB.Adhc.AgentServer..ctor(RemoteServer server, Guid serverID, Version agentVersion, VersionState agentVersionState, AgentPackageType agentPackageType, Boolean wsManOverSSL, Int32 wsManPort, Nullable`1 complianceStatusID,
Nullable`1 mostRecentTaskID, Nullable`1 mostRecentTaskUIState, Guid taskID, CarmineObjectLockType lockType)
   at Microsoft.VirtualManager.DB.Adhc.AgentServer..ctor(SqlRow row, Guid serverID, Guid taskID, CarmineObjectLockType lockType)
   at Microsoft.VirtualManager.DB.Adhc.AgentServer.<>c__DisplayClass4.<GetInstance>b__3(SqlRow row)
   at Microsoft.VirtualManager.Engine.DbAccessHelper.GetFromCommand[_RetTy,_ColumnsTy](ReadOption readOption, SqlRetryCommand cmd, GetFromCommandWorker`1 worker)
   at Microsoft.VirtualManager.Engine.DbAccessHelper.HandleReadErrors[_RetTy](DbAccessDelegate`1 func, ErrorInfo notFoundErrorInfo)
   at Microsoft.VirtualManager.DB.Adhc.AgentServer.GetOne(String computerName, GetFromCommandWorker`1 ctor, ConnectionProperties properties)
   at Microsoft.VirtualManager.Setup.DBConfigurator.SetupAsVMMServerRole(Boolean isAssociate)
12:25:00:InnerException.Type: Microsoft.VirtualManager.DB.DBCorruptionException, InnerException.Message: Unable to connect to the VMM database because the database is in an inconsistent state.
Contact an experienced SQL administrator whenever this error occurs. In some cases, it may be necessary to restore the VMM database. If the problem persists, contact Microsoft Help and Support.
12:25:00:InnerException.StackTrace:   at Microsoft.VirtualManager.DB.SqlRetryCommand.ValidateReturnValue()
   at Microsoft.VirtualManager.DB.SqlRetryCommand.ExecuteNonQuery()
   at Microsoft.VirtualManager.Utils.CarmineObjectLock.ExecuteAcquireLockSP(CarmineObjectLockType lockType)
Mark E. Scott Jr.

I still have problems with getting my website online. I have defined my server. Then I did the test and there was a connection via FTP. I put my files on the external server and there is a connection with the external server. But when I check to see my we

I still have problems with getting my website online. I have defined my server. Then I did the test and there was a connection via FTP. I put my files on the external server and there is a connection with the external server. But when I check to see my website online (with Firefox, Explorer, Chrome browser) I always get the message 'Forbidden, You don't have permission to access / on this server.' Can somebody help me please? I have to get my website online..Thank you!

Hello Els,
it's well known, that in all these cases you describe I'm not a friend of a detailed Troubleshooting (I see Nancy#s smile already).
To be able to be independent in all this things It is one of the reasons why I prefer an external FTP program. The difficulties with which you have to fight encourage me in this opinion, not least because we always search for experts, we don't charge a "jack of all trades".
To manage several websites or to upload my files and sometimes for the opposite way, for a necessary download from my server or to use a "a site-wide synch", I'm using FileZilla. It simply looks easier for me to keep track of all operations precisely and generate or reflect easily the desired tree structure.
Above all, FileZilla has a feature (translation from my German FileZilla) called "compare file list". Here it's possible to use file size or modification time as a criterion. There is also the possibility to "hide identical files", so that only these files which you want to redact remain visible.
And even if it means you have to install a new program, I am convinced that there is an advantage. Here is the link to get it and where you can read informations about how it works:
http://filezilla-project.org/ and http://wiki.filezilla-project.org/Tutorial#Using_the_site_manager
Mac: Mac OS X (Use: Show additional download options)
http://filezilla-project.org/download.php
Of course, you also need all the access data to reach your server and for MIME issues, you should contact your web host/provider.
Good luck!
Hans-Günter
P.S.
Since I use two screens, the whole thing became even more comfortable.

How to implement Oracle user/role security with Access front end?

Hi,
We have successfully migrated our Access database tables to Oracle 10g using SQL developer. We've recreated all the users and roles(i.e., access groups) in Oracle and granted rights to tables.
In the Access front end database, in the Database window we have saved linked Oracle tables which replaced the Access tables. The forms, reports, queries run fine with the linked Oracle tables. All the linked table use one ODBC DSN to the Oracle database with the same Oracle user id.
We need to be able to authenticate users into the Oracle database and RE-link the tables based on their own unique user id. By during so we can allow users to use the Oracle standard user id/role and system privileges to control select, update, ect. rights to the database.
I've been able to use the VB code within Access to logon into the database with a unique id, but I have not been able to find out how to RE-link the tables to the unique user id using VB. There should be some way to relink tables dynamically, based on users login into the Access front end.
I don't know a great deal about Access projects, but I do know with SQL server allows login into your Access project and link tables dynamically.
Can someone give me some assistance or point me in the right direction?
Thanks in advance,
Larry

We had one of our programmers here come up with a VB code solution for re-linking table within Access. However the relinking takes 3-4 minutes for 100+ tables.
In an effort to help you understand the situation better, I will attempt to elaborate on the problem:
We have an Access 2003 application which currently has a front end using Access(forms, reports, queries, & VB code) and a MS Access 2003 backend.
We have migrated the backend tables to Oracle. However, we still have a need to maintain the front end in Access, since we have over 60 forms, 40 reports, 200+ queries in Access. Its easy to understand, we have a significant investment in the front end(Obviously, the plan is to migrate the front end also at some future date).
In order to utilized the existing front end, we have to validate and modify the current front end connections to the new Oracle backend. One of the features of Access is that you can "link" tables and save the link for runtime. Each Access table can have its own link which is a separate ODBC/JET connection. As such, each separate link has its own userid/database information.
The other issue with using the Access front-end is that Access utilizes a workgroup file to implement user and group security. The workgroup file contains all the users and which groups the users belong to in Access. Then within Access, you allow users access to object(tables, queries, ect) by their userid and or group. When users open an Access database with Access security enabled, they are required to log into Access. The login is authenticated by the workgroup file. Once, logged into Access, users have rights to Access objects based on their rights granted to their userid and groups they belong. The problem here is that when you remove the linked Access tables and replace them with linked Oracle tables, Access has knowledge about Oracle table rights granted to users; nor would you expect it to.
The dilema is the disconnect between Access and the fact Oracle utilizes a similar but much more sophisticated security model. It creates users and roles(which are similar to Access groups), and again this is independent of Access security.
Our solution was to still use the Access workgroup file security along with the Oracle security model. By using the Access userid and then creating a similar Oracle userid with similar table rights granted in Access, you could apply security within Access and also with the Oracle database.
For example, a user BOB logs into Access via the workgroup file, using VB code, Access then establishes a Oracle connection logining into Oracle using the same unique userid BOB into Oracle.
After connecting and validating user BOB into Oracle, then the Access tables are relinked to Oracle using the user BOB userid and table rights.
This Oracle userid has been granted table rights specific for this userid.This allows the user BOB to use the Access application and still be authenticated into the Oracle database.
The problem with this solution is that the relinking of the saved Access tables takes 3-7 minutes for about 100+ tables. This is not acceptable for users each time they log into the application.
Our current alternative is to use one Oracle userid to login each user, and use Access form restrictions/security to allow/prevent users from updating/viewing data. Obviously, this is not the optimal solution in respect to security, but it at least allows us to control access to the data(via the forms) by using one logon required for each user, and quick startup time for the application.
I understand SQL server does a better job in integration, but we use Oracle which is what I am trying to work with.
Larry

I dropped my macbook pro and the screen is broken can i still use it with an external monitor? Or can I or how do I transfer hard drive files to my mac mini?

I dropped my 17" macbook pro and the screen is broken. Can I still use it with an external monitor? When I plugged it into a monitor I had used it with before, I'm not able to see anything on the macbook screen to control it. It came on but I just got the blue screen with nothing else after typing in my password. (Didn't see the password form just assumed it was there somewhere and it did go from space to blue screen but no desktop icons, files, dock strip at top or anything else, just blank blue screen) so I can't access the system preferences.
Or can I / or how do I, transfer hard drive files to my mac mini? If not salvageable as is can I pull out the hard drive and make it an external harddrive? In otherwords is anything salvageable? It seems it's coming on I just can't access anything. BTW I was told it would cost aprox $1000 to replace the screen! I paid almost $4000 for this thing and it was running great - makes me sick to lose it!

I'd like to promise you that everything will be fine if you just get the monitor going - but it's hard to know what the hardware damage might be. It might be the monitor, or the damage might be greater.
Your best solution would be visit your local Apple Store and let them know what your situation is. They have access to diagnostics you don't, and they might be able to the best way to save your data and keep you computing. It's still not covered, but they can tell you what your current options are.
Um, you might consider investing in a backup drive.
And there other repair options, too. Powerbook Medic http://www.powerbookmedic.com/xcart1/pages.php?pageid=67 offers reliable repairs, and quotes prices well under Apple's.

Access Enforcer(error in approving the request) and import roles

Dear all,
error in approving the request at security stage(last)
manager and role owner are successfully approved.
and also importing roles into access enforcer was not successful.
imortstatus : 0 roles imported of 28 records found.
please find the system log:
2008-09-05 13:01:34,625 [SAPEngine_Application_Thread[impl:3]_8] DEBUG com.virsa.ae.service.messaging.MessageFormatter : parseDesc :   : INTO the method : desc :Please specify a file to import.paramNames :paramsMap :{FIELD_NAME=#_!FIELD_NAME#_!}
2008-09-05 13:01:34,625 [SAPEngine_Application_Thread[impl:3]_8] DEBUG com.virsa.ae.service.cache.AECacheUtil : getResourceBundle :   : INTO the method : en
2008-09-05 13:01:34,625 [SAPEngine_Application_Thread[impl:3]_8] DEBUG com.virsa.ae.service.cache.AECacheUtil : getResourceBundle :   : INTO the method : en
2008-09-05 13:01:34,625 [SAPEngine_Application_Thread[impl:3]_8] DEBUG com.virsa.ae.service.cache.AECacheUtil : getResourceBundle :   : INTO the method : en
2008-09-05 13:01:34,625 [SAPEngine_Application_Thread[impl:3]_8] DEBUG com.virsa.ae.service.cache.AECacheUtil : getResourceBundle :   : INTO the method : en
2008-09-05 13:01:34,625 [SAPEngine_Application_Thread[impl:3]_8] DEBUG com.virsa.ae.service.cache.AECacheUtil : getResourceBundle :   : INTO the method : en
2008-09-05 13:02:28,234 [Thread-47] DEBUG

In Addition to my previous response:
I meant to include the following:
Some of the fields that need to be properly defined with attributes are:
       System: must have the know SAP system defined here
       Role Approver (i presently are using most of the roles without having need for approval; I created a user called NOAPPRV in AE)
       Functional Area: need to have all the areas defined that roles will be assigned to
       Company: I only have one company so that's an easy one
Some areas I presently do not use but found they must ne coded and coded properly:
       ResponsibilityID:   N/A (coded as is)
       CommentsMandatory: NO (coded as is)
       Parent Role Owner:   NO
       Business Process: NA (I believe I originally coded N/A and it did not like that)
       Sub Process: NA (again N/A I believe error on me)
       Reaffirm Period: presently I am using 0 (zero)
       LastReaffirm: presently using 12/31/9999
Hope this helps a bit
I wanted to include an attachment with a sample of my Role Import spreadsheet but I'm not sure exactly how to do that; if I figure that out or someone can provide me the process I will include it
Jerry Synoga
Ryerson Inc.
630-758-2021

CUA still necessary/recommended with Access Enforcer?

Similar Messages

Maybe you are looking for