Data Security Issue

So my question is actually two-part.  In the last 9 days I have had to swap out my rMBP on two separate occasions (nightmare of a story, would love to tell under separate cover, must conclude that despite all of the problems and inconveniences the AMAZING support rep I dealt with via phone from Apple customer care went ABOVE and beyond in every sense and aside from pick up and drop off, handled absolutely everything for me remotely, amazing.)  I am now on my third rMBP, the second replacement.  With my absolutely critical need for my only computer and everyday laptop I have had very short windows of time to SECURELY erase my extremely, sensitive to me, data in between swap outs.
On all occasions I have had FileVault2 enabled at the very least, with an 11-15 character admin/unlock password and prior to dropping it off I backed up my drive with ChronoSync and CarbonCopyCloner to (Journaled, Encrypted) USB drives.  After I double-checked the backups, I booted to Disk Utility from a thumb drive and ran a quick format multiple times, switching back and forth between (Journaled) and (Journaled, Encrypted) and alternating keys.  When I dropped off my original rMBP, I did one last format to non encrypted so they can install an OS and the drive didn’t even have a recovery partition and they had to download one via internet recovery.
When I took the first replacement home, I booted to my thumb drive and quick formatted the new drive to (Journaled, Encrypted) before installing a fresh copy of Mountain Lion. Rather than restoring the disk from my CarbonCopy clone, I decided to start fresh and selectively copy the data back. Note: I cannot say for sure whether I manually enabled FileVault2 or if it was already enabled as a result of the (Journaled, Encrypted) format, but I can say with certainty that it was enabled prior to the following…
When I realized that I would need to replace the computer yet again, I followed the same process, ChronoSync selective backup and CarbonCopyCloner full drive clone to (Journaled, Encrypted) USB drives, quick format back and forth between encrypted and non-encrypted partitions, alternating keys each time, leaving them with a non-encrypted drive with no recovery drive and no OS.
I DID NOT LOSE ANY DATA, I HAVE EVERYTHING SAFE:  However, with actual responsibilities taking over part of my brain for a few minutes, before I ran the formats on the drive, and rushed to the Apple store, I decided to make one last selective backup of mission critical data just as a safety net should something horrible happen to my other two backup drives.  To my surprise right now, I did not realize that a 1Password backup is stored in plain text.  I had my 1Password backup in a BACKUP folder right on the desktop.  I have spent the last couple of hours scavenging IT security blogs to see what kind of trouble I am in and I can’t seem to find anything definitive.  From some articles it seems as though Passware would be able to recover an encryption key, no matter how difficult, in under 40 minutes, so long as the system wasn’t shut down entirely.  The full shut down, I cannot confirm for sure on either swap out that I left with them. I can’t imagine this would be possible from a blinking folder boot with no recovery drive but, I am by no means a security “genius”.  Even then, my obvious hope having resorted to the strategy was that the alternating keys with back and forth full drive encryption would render any recoverable data entirely useless.
MY FIRST QUESTION: What is the likelihood that someone would be able to recover my data?  What is the likelihood that Apple outfits their stores and geniuses with a toolbox including the necessary hardware/software to accomplish this?  If you think this is an issue I better, at the very least, get started on changing some 250+ passwords and calling my finance institutions.
On the second replacement, I took a shorter route, I booted to my thumb drive and quick formatted the new drive to (Journaled, Encrypted), and then restored my previous drive from the CarbonCopy clone.  Everything seems to be working fine with one odd exception, shut down and boot are considerably slower 5-10x and on boot, initially I have to unlock my new disk partition that I created before the restore and then it brings me to my OS login where I can login with my previous password.
MY SECOND QUESTION: What the **** did I do wrong? Have I stumbled upon some kind of double-encryption?  The two passwords can’t hurt but the slow shut down and boot are incredibly annoying. My guess is that my user account from my last computer is not lining up the drive encryption on the new machine and it's causing some kind of an issue.

Dear SoftDesire
TDE is not for you, if the data is exported when the wallet is open you will export clear data, if the data is exported while the wallet is closed the data will be unreachable.
The way for you is to make a copy of the data, mask the sensitive data using products such as Oracle Data Masking Pack or [http://www.orbiumsoftware.com/products/jumbledb-express/], and then export the already masked schema / database.
Please notice I am related to www.orbiumsoftware.com; this is no selling effort, just a sample of a tool you can use. Oracle provides the same kind of tool, called Data Masking Pack, and it's part of the Enterprise Manager Grid Control.
Oded

Similar Messages

  • SAP BOBI 4.0: Data Security Profile Issue

    Consider the below scenario:
    We have two environments (SAP BOBI 4.0): Dev and Prod.
    The schemas used are test and testABC in Dev and Prod respectively, and the structure (table names and column names) inside both schemas is the same.
    We have created several data security profiles in the Dev environment. So now when we migrate the universe from Dev to Prod via Promotion Management, the "data security profiles" also get migrated.
    Once migrated, we change the schema name from test to testABC in the data foundation layer, which makes our dfx point to the testABC schema in Prod.
    Once the above process is done, when we go to the data security profiles, the table names get changed from test to testABC. But inside the WHERE clause, the schema name is still test; it doesn't get changed to testABC.
    Now the question is:
    Is there any way so that the schema name inside the WHERE clause gets changed automatically from test to testABC?
    Is there any way we can restrict Data Security profiles to get migrated when we are migrating the universe?

    What is your data source? Did you try to edit the security profile in where clause?
    "Is there any way we can restrict Data Security profiles to get migrated when we are migrating the universe?" - You can only exclude to promote User/Folder/Object security, not inside the Universe.

  • HFM Security Issue - User can submit a journal by by-passing the approval step even though they are not an admin.

    Hi All,
    I was wondering if anyone could help me with a HFM security issue on HFM 11.1.2.3 we are facing please?
    The problem is that a user can by-pass the journal approval stage and post directly after submitting if Custom4 access control=All is selected.
    If any of the other access controls (None, Read, Promote) for custom 4 are selected, the first two steps of the process are possible -
    input and approval of the journal are possible but final posting of the journal is not and returns an error that says:
    "User does not have the access right to perform this journal task"
    The options I have thought for a workaround are as follows:
    1. Set up a 3rd user called data poster and remove submit journal role from user 1 (data inputter)
    2. Put in place process control and use the various review levels (could be quite time consuming given there is no time left for development)
    Has anyone experienced this before and come up with a quick way of resolving this please? It would be very much appreciated.
    We have two types of users who are associated with groups in HFM and have the appropriate roles assigned to them to complete their tasks,
    they are:
    1. A data inputter (who inputs base data and journals, who has access to create and submit journals)
    2. A data reviewer (who approves journals)
    The process is as follows:
    1. Logon as Data inputter to submit the journals
    2. Logon as Data reviewer to approve the journals
    3. Logon as Data inputter to post the Journals
    We are using the custom 4 member to identify different adjustment types. At the moment we are able to set it up in such a way whereby Steps 1 and 2 can be completed
    but once it comes back to step 3, we get an error as follows:
    "User does not have the access right to perform this journal task"
    (This error comes about when the access control on custom 4 is set to None, Read, Promote)
    Custom 4 Access Rights looks as follows:
                 C4_ADJ01  C4_ADJ02  C4_ADJ03  C4_ADJ04
    HFMDefault   Read      Read      Read      Read
    HFMLoad      All       Promote   None      Read
    HFMReview    Read      All       All       All
    When Custom 4=C4_ADJ01 all 3 steps can be completed but it by-passes step 2 (journal approval).
    For all other Custom 4 we complete steps 1 and 2 successfully but not step 3 due to access issues.
    Roles for the groups that users assigned look like the following:
    Columns: (row number), Test User Name, Test User Name, Access Rights
    1 | Base Data input/Journal Data input | test_HFMLoad | Reviewer 1, Review Supervisor, Create Journals, Read Journals, Database Management, Enable write back in Web Grid, Load Excel Data, Generate Recurring, Post Journals, Create Unbalanced Journals, Manage Templates, Data Form Write Back from Excel, Consolidate
    2 | Data Reviewer | test_HFMReview | Reviewer 1, Review Supervisor, Create Journals, Read Journals, Database Management, Approve Journals, Consolidate, Reviewer 2, Generate Recurring, Manage Templates, Create Unbalanced Journals
    Any help or advice would be much appreciated.
    Thanks in advance,
    M.


  • OBIEE-EBS data security integration

    Hi all,
    I am trying to implement the HR-Org based data security in EBS-OBIEE integration.
    After creating the initialization blocks EBS Single Sign-on Integration, Get Oracle EBS Security Context, Group-EBS Responsibility, I have created a new initialization block HR Organizations to populate the session variable "HR_ORG" and I am using the following query.
    Even though the session variables GROUP and USER are getting their values correctly and integration works fine, the variable HR_ORG says "has no value definition".
    [nQSError: 10058] A general error has occurred. [nQSError: 23006] The session variable, NQ_SESSION.HR_ORG, has no value definition. (HY000)
    SQL Issued: SELECT "Per Business Groups"."Business Group Id", VALUEOF(NQ_SESSION.HR_ORG) FROM HR
    Please help me for implementing the data security after the EBS-OBIEE integration..
    For populating HR_ORG variable by row wise initialization:
    SELECT DISTINCT 'HR_ORG',TO_CHAR(SEC_DET.ORGANIZATION_ID)
    FROM (
    SELECT
    'HR_ORG', ASG.ORGANIZATION_ID
    FROM
    FND_USER_RESP_GROUPS URP
    ,FND_USER USR
    ,PER_SECURITY_PROFILES PSEC
    ,PER_PERSON_LIST PER
    ,PER_ALL_ASSIGNMENTS_F ASG
    WHERE
    URP.START_DATE < TRUNC(SYSDATE)
    AND (CASE WHEN URP.END_DATE IS NULL THEN TRUNC(SYSDATE) ELSE TO_DATE(URP.END_DATE) END) >= TRUNC(SYSDATE)
    AND USR.USER_NAME = ':USER'
    AND USR.USER_ID = URP.USER_ID
    AND TRUNC(SYSDATE)
    BETWEEN URP.START_DATE AND NVL(URP.END_DATE, HR_GENERAL.END_OF_TIME)
    AND PSEC.SECURITY_PROFILE_ID = FND_PROFILE.VALUE_SPECIFIC('PER_SECURITY_PROFILE_ID', URP.USER_ID, URP.RESPONSIBILITY_ID, URP.RESPONSIBILITY_APPLICATION_ID)
    AND PER.SECURITY_PROFILE_ID = PSEC.SECURITY_PROFILE_ID
    AND PER.PERSON_ID = ASG.PERSON_ID
    AND TRUNC(SYSDATE) BETWEEN ASG.EFFECTIVE_START_DATE AND ASG.EFFECTIVE_END_DATE
    AND URP.RESPONSIBILITY_ID = DECODE(FND_GLOBAL.RESP_ID,
    -1, URP.RESPONSIBILITY_ID,
    NULL, URP.RESPONSIBILITY_ID,
    FND_GLOBAL.RESP_ID)
    UNION
    SELECT DISTINCT 'HR_ORG',
    ORGANIZATION_ID
    FROM PER_ALL_ASSIGNMENTS_F ASG,
    FND_USER USR
    WHERE ASG.PERSON_ID = USR.EMPLOYEE_ID
    AND USR.USER_NAME = ':USER'
    AND TRUNC(SYSDATE) BETWEEN ASG.EFFECTIVE_START_DATE AND ASG.EFFECTIVE_END_DATE
    AND ASG.PRIMARY_FLAG = 'Y'
    ) SEC_DET
    Thx!

    Duplicate post see Re: obiee-ebs  data  security integration

  • Security issues for Discoverer 10g apps 12i

    gurus,
    I have couple of things to get it done at client.
    We are on Oracle Apps rel 12i with Discoverer 10g.
    Did anyone setup MOAC to be enabled and operational in business areas?
    Setting up secure responsibilities in discoverer for MOAC?
    Any setup needs to be done for custom report security in discoverer ?
    thx

    Hi,
    I did setup new MOAC security profiles and assigned multiple organizations to that profile for testing purpose.
    After this, I did run concurrent program "Security List Maintenance" etc...
    Tested updating profile at user level or responsibility level.
    On APPS side fine.
    I need the some basic steps on setup of security issues for discoverer side.
    1) Business areas (any security steps need to be followed in order to access data for single or multi-org)
    2) Custom Reports (any security setup or any MOAC security profile setting against responsibility for accessing single or multi-org data)
    Since we don't have default operating unit parameter as specified in the concurrent program, how do you restrict data?
    3) Reconciling security approach r12 with discoverer (any steps need to be followed here after r12 configuration with security issues)
    4) Custom Views ( any steps to be followed for single or multi-org data as security aspect)
    Looking for info on these setups.
    Thx

  • Security Issue in Planning. Unable to write to particular Year member

    Hello Everyone,
    I am currently facing a strange security issue in our PRD environment. I am unable to lock and send any data or punch the data in directly through a dataform for a particular Year, Scenario and Version combination. I have all the write access set up on these dimensions directly from planning interface and configured myself as Admin through Shared services.
    Dimensions are as follows:
    Year
    -FY11
    -FY12
    -FY13
    Scenario
    -Forecast
    Version
    -Working
    I can key in the data for FY11+Forecast+Working BUT all the cells in the dataform appear to be green for below combination:
    FY12+Forecast+Working and FY13+Forecast+Working
    I am not sure what's happening here as I have right security setup and Forecast is setup correctly too, from FY11 to FY13 for all the months (Jan:Dec).
    Please Help
    Thanks

    Hi John,
    Yes the months are setup correctly. I resolved the issue. We had a replicated partition connected to it, which pushes data to my application for FY12 and FY13. The partition needed to be dropped. Now I can see the cells in yellow.
    Thanks

  • Ip phone and pc VLAN security issue - ISE 1.0

    Hello there.
    We are about to implement IP phones to our current network and during testing I have found 2 issues.
    1- ip phone connects to a protected port using ISE mab authentication for the data network.
    The voice VLAN is set up static on the port. The pc VLAN is given by ISE profiling.
    Then the issue is that once the pc connects to the VLAN it belongs to from the ip phone it leaves open that vlan on that port which means that if I connect another pc it will get the original VLAN the port had open up the connection with. This is a big security issue as computers that should not be allowed on specific VLAN can access them this way.
    2- once the connection is up and running on the port for both the phone and the pc, there is re-authentication Happening every minute to ISE. The Authentication logs are getting so many messages for just one port. So once we convert from 2 ip phones to 500, that is definitely going to generate a lot of unnecessary traffic.
    Let me know your thoughts...thanks
    Port config info....below
    interface GigabitEthernet0/2
    description Extra port by Camilos Desk
    switchport mode access
    switchport voice vlan 220
    srr-queue bandwidth share 1 30 35 5
    priority-queue out
    authentication event fail action next-method
    authentication event server alive action reinitialize
    authentication host-mode multi-auth
    authentication open
    authentication order mab dot1x
    authentication port-control auto
    authentication periodic
    authentication timer reauthenticate server
    mab
    mls qos trust cos
    snmp trap mac-notification change added
    auto qos trust
    spanning-tree portfast
    end

    On #1
    You have to make sure that the
    "authentication host-mode multi-domain" command is under each port.
    This will allow one voice VLAN and only one PC VLAN at any given time. If you disconnect a PC and connect another PC MAC address to it, the phone will reinitialize to accept or reject the new MAC based on its profile.
    On #2
    I have not found a solution. But what I have found after deployment is that it has happened only on 2 VoIP phones, out of 70 that we have as of now. So it might to be related to ISE.
    On the other hand we are not using Cisco phones but Mitel. So this might be a whole issue on itself.
    Hope this helps.
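
The host-mode check recommended in the reply above can be run over a saved switch configuration. The following is an added example, not code from the thread: the function names are illustrative, the first interface is taken from the port config in the question, and the second interface is constructed for contrast.

```python
import re

# First stanza: lines from the port config posted in the question.
# Second stanza: constructed example of a port using the recommended mode.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/2
 description Extra port by Camilos Desk
 switchport mode access
 switchport voice vlan 220
 authentication host-mode multi-auth
 authentication open
 authentication order mab dot1x
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 mab
 spanning-tree portfast
!
interface GigabitEthernet0/3
 description constructed example port
 switchport mode access
 switchport voice vlan 220
 authentication host-mode multi-domain
 authentication port-control auto
 mab
!
"""


def parse_interfaces(config_text):
    """Return {interface name: [command lines]} from IOS-style config text."""
    interfaces = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line in ("!", "end", ""):
            current = None          # stanza terminator
        elif current is not None:
            interfaces[current].append(line)
    return interfaces


def audit_port(commands):
    """Return a list of findings for one interface's command lines."""
    findings = []
    if "authentication port-control auto" not in commands:
        return findings             # port is not doing 802.1X/MAB at all
    has_voice = any(c.startswith("switchport voice vlan") for c in commands)
    # With no host-mode command the IOS default is single-host.
    host_mode = "single-host"
    for c in commands:
        m = re.fullmatch(r"authentication host-mode (\S+)", c)
        if m:
            host_mode = m.group(1)
    if has_voice and host_mode != "multi-domain":
        findings.append(
            f"host-mode is {host_mode}; the reply recommends multi-domain "
            "(one voice device plus one data device) on phone ports"
        )
    if ("authentication periodic" in commands
            and "authentication timer reauthenticate server" in commands):
        findings.append(
            "reauthentication interval comes from the RADIUS server; "
            "check the session timeout returned for this endpoint"
        )
    return findings


def audit_config(config_text):
    """Audit every interface; returns {interface: [findings]}."""
    return {name: audit_port(cmds)
            for name, cmds in parse_interfaces(config_text).items()}


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        print(name, "->", findings or "no findings")
```
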

  • Does introduction of HADB add any security issues?

    Did the introduction of HADB for providing reliable state introduce any
    security issues? If so, what options are available for the user?

    Firstly the application tier would typically run behind the DMZ, so it
    would have the same protection as any other business logic running in
    this tier. Additionally, if highly sensitive data is stored in
    HttpSession then the HADB tier can be pushed further into the corporate
    network (i.e. behind further layers of protection).

  • Security issue with connecting to Microsoft Live

    I currently use StudioCloud for my studio management software. However, I'm unable to use the email features of the software as they state "**Adobe Air has a security issue connecting to Windows Live and, as such, StudioCloud can not work with Windows Live/Hotmail at this time.**" (http://app1.studiocloud.com/support/index.php?/article/AA-00265/0).
    Are there any plans on resolving this issue?
    As a small business owner, I need to streamline my processes.  If there is a possibility of this being fixed in the near future, then I won't look at other options, but if it isn't, then I need to determine if I will be moving my email to another host, or using a different studio management software, or finding a different method of handing my email communications with my clients which is efficient and meets my needs.
    Thank you.
    Catherine Bowser

    Reported via a live chat.  I must say that the guy was very helpful and said he'd reported the issue together with the tracert data I had provided.
    Afraid I lose the will when trying to speak to BT by phone!

  • Security issues in Mavericks 9.04

    I just had a secure scan done on my Mavericks server. The main issues seem to be:
    OpenSSL Running Version Prior to 0.9.8za Upgrade to OpenSSL version 0.9.8za or newer.
    Apache mod_negotiation Multi-Line Filename Upload Vulnerabilities (Upgrade to Apache version 2.3.2 or newer.)
    Given that upgrading these would mean compiling and installing Apache and OpenSSL(which I'm not really keen to do) I'm wondering what experienced admins think of these threats.

    pkmusic wrote:
    Dumb question - so a self-signed SSL cert doesn't use Open SSL?
    Certificates are used with ssh and SSL/TLS and such, yes.  Most of OS X uses Secure Transport for its certificate- and SSL/TLS-related processing, but Apache does not.  Apache is linked against OpenSSL.
    Self-signed certificates lead to a different security issue.  
    An HTTPS site with a self-signed certificate will be considered untrusted by accessing web clients and the web browser will usually issue diagnostics before allowing access to the site or a diagnostic before marking the certificate as trusted, or that you've set up your own certificate chain and installed your own root certificate.  That you're asking this question implies the former; that you're not really running HTTPS with a trusted certificate chain.   Which generally means you can just shut off SSL/TLS.
    As for the original question, here's how the scanner is likely detecting the down-revision versions — if you look at the server details being returned to the client, you'll see some information on Apache and OpenSSL versions embedded in the response:
    $ telnet foo.example.com 80
    Trying 10.1.3.1...
    Connected to foo.example.com
    Escape character is '^]'.
    HEAD / HTTP/1.0
    HTTP/1.1 301 Moved Permanently
    Date: Sun, 20 Jul 2014 14:40:11 GMT
    Server: Apache/2.2.26 (Unix) PHP/5.4.24 mod_ssl/2.2.26 OpenSSL/0.9.8y DAV/2
    Location: http://foo.example.com/
    Cache-Control: max-age=1209600
    Expires: Sun, 03 Aug 2014 14:40:11 GMT
    Connection: close
    Content-Type: text/html; charset=iso-8859-1
    Connection closed by foreign host.
    $
    That won't get fixed without replacing Apache et al or one of the other options, as described in my earlier reply.
    For completeness, some folks will manually configure the server to not return these details.  That'll derail the vulnerability scanner, certainly.  It might not have the intended result, too, as the remote attackers can simply decide to throw every attack they have at your server — the attackers are not short on CPU cycles and network bandwidth, after all; unintended consequences.
    As for using a self-signed cert and given you probably aren't providing file-level access to other folks, I'd not (personally) be particularly concerned about that vulnerability scan — one of the limitations with using vulnerability scanners is that you then have to go off and figure out if you're actually vulnerable to whatever the scanner is reporting.  It's an issue certainly, but then you'll have to decide if your backups are complete and current and with copies kept off-site, and if your other security practices and password policies and such are also all up to date and secure, and at what else you might risk if the server is breached — if configuring a DMZ for your server might be appropriate, for instance, to isolate the server from the rest of your network should the server be breached.
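
The banner comparison described in the reply above, as an added example that is not part of the original thread: it pulls the Server header out of a response, splits it into product/version tokens, and compares them with the minimum versions named in the scan report. Function names are illustrative; the sample response reuses the headers from the telnet session above.

```python
import re

# Minimum versions named in the scan report quoted in the question.
MINIMUMS = {"Apache": "2.3.2", "OpenSSL": "0.9.8za"}

# Response headers as shown in the telnet session above.
SAMPLE_RESPONSE = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Date: Sun, 20 Jul 2014 14:40:11 GMT\r\n"
    "Server: Apache/2.2.26 (Unix) PHP/5.4.24 mod_ssl/2.2.26 OpenSSL/0.9.8y DAV/2\r\n"
    "Connection: close\r\n"
    "\r\n"
)


def server_header(raw_response):
    """Return the value of the Server header, or None if it is absent."""
    for line in raw_response.splitlines()[1:]:   # skip the status line
        if not line:
            break                                # end of headers
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip()
    return None


def parse_products(value):
    """Split a Server header into {product: version or None}."""
    without_comments = re.sub(r"\([^)]*\)", " ", value)   # drop "(Unix)"
    products = {}
    for token in without_comments.split():
        name, _, version = token.partition("/")
        products[name] = version or None
    return products


def version_key(version):
    """Sort key for versions such as 2.2.26 or 0.9.8za.

    OpenSSL 0.9.8 patch letters run a..z and then za, zb, ..., so the
    letter suffix is ordered by length first and then alphabetically.
    """
    m = re.fullmatch(r"(\d+(?:\.\d+)*)([a-z]*)", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    nums += (0,) * (4 - len(nums))               # pad so 2.4 == 2.4.0
    letters = m.group(2)
    return nums, (len(letters), letters)


def check_banner(raw_response, minimums=MINIMUMS):
    """Compare advertised versions with the minimums; returns {product: status}."""
    header = server_header(raw_response)
    products = parse_products(header) if header else {}
    report = {}
    for product, minimum in minimums.items():
        found = products.get(product)
        if found is None:
            # Banner suppressed or product absent: the header proves nothing
            # either way, so the installed version must be checked on the host.
            report[product] = "not disclosed"
        elif version_key(found) < version_key(minimum):
            report[product] = f"{found} is older than {minimum}"
        else:
            report[product] = f"{found} meets {minimum}"
    return report


if __name__ == "__main__":
    for product, status in check_banner(SAMPLE_RESPONSE).items():
        print(f"{product}: {status}")
```

A "not disclosed" result is the case the reply warns about: hiding the banner changes what the scanner reports, not what is installed.
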

  • Security Issues with workbook

    Hello All,
    When I log into Discoverer with some responsibility "a" I am able to see the output of the particular workbook.
    But when the same workbook is run by another user with a different responsibility "b" and with the same parameters, he is getting the message "The query caused no data to be returned".
    There seems to be some security issues. Can any one kindly explain the process why the user is not able to view the output. In order to overcome this what are the actions i need to do.
    Thanks for your support.
    Best Regards,
    Kumar.

    Hi,
    I assume that you are using Oracle Applications and that the user is connecting with a different apps responsibility.
    In Discoverer, security can be applied at 4 levels; in the workbook, in the EUL, in views and using VPD. Application 11i security is mostly applied through views.
    Now, the security applied depends on the Apps module. GL, AP/AR, PO and FA all have different mechanisms for applying security. Mostly the security applied will be determined by security profiles set up for the responsibilities. But for example, GL, also uses row based (procedural) security based on the flexfield security rules in some of the GL views. If you are using a custom responsibility you will need to ensure that all the security profiles are set up for this responsibility.
    So your first step is to look at what view(s) are used in the report. Then determine which security profiles are checked by this view. So if it is a GL view you need to check the 'GL Set of Books Name' profile is defined for that responsibility.
    Without knowing which modules you are using, which version of Oracle Applications or whether you have custom or seeded responsibilities it is difficult to know why your report does not return data for the responsibility.
    Rod West

  • Security issues (ACLs)

    I'm still struggling with ACLs and security issues within iFS.
    We intend to use the iFS as document store. In order to eliminate redundancy no document will be stored twice within the document store.
    iFS Folders act as organizational units. Each department has got its folder as base for their part of the document store.
    Now I need to find a way, so that department a can place the same document in its own folder as department b (for example "link" it via WebUI) while being able to modify the ACL independently of department b.
    The last hint from an Oracle guy (forgot the name) was to use agents to adjust the ACLs.
    Now that I've got this solution working I must see that this approach is no solution. It adjusts the ACLs whenever a document is added to a folder. This will delete the changes to the ACLs which were made by department a (assuming the folder belongs to department b).
    Merging two ACLs is not a trivial task (at least for me) and is also unwanted, since I have to remove changes of one department from the whole ACL when the document is removed from the Folder again (which is also an impossible task).
    Since I see no solution without several months of implementation work (adding link objects to iFS which represent a document within a Folder and control its ACL) I'm asking again for some advice.
    I am amazed that no other applications require this functionality. It is a common task to provide different views with different privileges onto the same set of data. Even the database is able to do this. Why is iFS unable to do this?
    Regards,
    Jens

    Quote, originally posted by Alison Stokes:
    > Your statement:
    > "being able to modify the ACL independently of department b"
    > indicates that you want to maintain two separate ACLs for a single document. This is currently not supported. To allow department a and b to each modify the access privileges to the document, they must share a single ACL. To allow the departments to both modify the ACL, you would grant both departments the 'Grant' permission in the ACL's access control list. Subsequently, they will be able to see and modify the access privileges granted to the members of the other department.
    > We are currently considering enhancing the ACL model for a future release. Your input is valued greatly.
    At least someone got my point. (It seems to be a rather difficult topic to explain.)
    Yes. I do not want two departments to be able to modify each other's ACLs.
    Whenever someone would delete an ACE or even a document of the other department (intentionally or by accident), my phone would be asking me why the ACL has been modified without their knowledge. But I want to be able to supply the same document to more than one department with a separate ACL for each department (modifiable by the responsible person of the department).
    Regards,
    Jens

  • Security issue? BB Bridge 2.1.0.32 and .24

    Hi,
    I don't know if this is a security issue, but I find it strange.
    What happened? 
    I had access to my smartphone's email app from the Playbook and was able to read the mail, before I entered my PIN-code (sim access, not the BB-pin), after reboot of the smartphone (just installed Bridge 2.1.0.32).
    I'm assuming the PIN also should not only protect access to a network, but also to the smartphone itself. 
    This is possible with BB Bridge 2.1.0.32 and .24.
    Should this be 'normal' or not?
    What is RIM's intended design at this point?

    On the 9800, delete the Bridge app from Options > Device > Application Management.
    Do a simple reboot on the BlackBerry in this manner: With the BlackBerry device POWERED ON, remove the battery for a minute, and then reinsert the battery to reboot.
    Then, download and again install the Bridge app from AppWorld.
    On the PlayBook, delete the current pairing with the 9800.
    Restart the PlayBook by touching the battery icon at the upper right > Restart.
    Once the 9800 is rebooted per above, re-pair and try again.

  • Possible fix for Word2004 "Date Modified" issue

    I'm not sure if anyone else is still dealing with this problem - we discussed it a year ago here:
    http://discussions.apple.com/thread.jspa?messageID=7610823
    But just in case there's someone else out there with the problem - I think I've found a fix (requiring OSX Server 10.5, tested on OSX Server 10.5.6).
    The problem:
    When you have a Word 2004 file (whatever.doc) stored on a server (10.4.0-10.5.6) then you have an annoying Date Modified issue. Whenever someone who is not the owner simply opens the file, the Date Modified date updates. When the owner of the file opens it, the date does not change. So by simply opening the document (and making no changes, and not re-saving it) you trigger an update of the Date Modified field.
    More info can be found following the link above.
    Well. I think I've found a work-around that's better than the current "Have everyone login as the same user" one.
    In OSX Server, set up the permissions for the share with group as "read only" - so the POSIX permissions only give non-owners read-only access. (Everyone should also be RO or None.)
    Then you need to apply a Custom ACL. You want to give them Read & Write, but then edit the Write permissions to not allow Write Attributes and Write Extended Attributes.
    So the ACL is:
    [ ] Administration
    [Y] Read
    [-] Write
    --[ ] Write Attributes
    --[ ] Write Extended Attributes
    --[Y] Create Files (Write Data)
    --[Y] Create Folder (Append Data)
    --[Y] Delete
    --[Y] Delete Subfolders and Files
    [Y] Inheritance
    Obviously this means your users cannot write attributes - so for photos and other files where meta-data is critical, this is not a great idea. But for the vast majority of shares, this is fine - they can still "read and write" all the files and folders, but the Date Modified problem does not arise.
    I'd be interested to see if this works for anyone else. Please let me know.
    Charles
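
The custom ACL from the post above, written as a macOS `chmod +a` entry and paired with a check over `ls -le` output. This is an added example, not part of the original post: the group name `staff`, the share path and the POSIX mode are assumptions, and the checkbox-to-keyword mapping uses the permission names from chmod(1).

```shell
#!/bin/sh
# Added example, not from the original post. Group name, share path and the
# POSIX mode below are assumptions for illustration.

# Build the allow ACE: Read plus Write, minus writeattr/writeextattr.
share_ace() {
    group=$1
    read_perms="list,search,readattr,readextattr,readsecurity"
    # Write set without the two unchecked boxes (attribute writes).
    write_perms="add_file,add_subdirectory,delete,delete_child"
    inherit="file_inherit,directory_inherit"
    printf 'group:%s allow %s,%s,%s\n' "$group" "$read_perms" "$write_perms" "$inherit"
}

# Read `ls -le` output on stdin. Succeeds only if the group has an allow ACE
# and none of its allow ACEs grants writeattr or writeextattr.
acl_blocks_attr_writes() {
    awk -v who="group:$1" '
        $1 ~ /^[0-9]+:$/ && $2 == who {
            i = 3
            if ($i == "inherited") i++      # optional marker before allow/deny
            if ($i != "allow") next
            seen = 1
            n = split($(i + 1), perms, ",")
            for (k = 1; k <= n; k++)
                if (perms[k] == "writeattr" || perms[k] == "writeextattr") bad = 1
        }
        END { if (seen && !bad) exit 0; exit 1 }'
}

# Apply to a share. chmod +a is macOS-only, so refuse to run elsewhere.
apply_share_acl() {
    group=$1; share=$2
    [ "$(uname -s)" = "Darwin" ] || { echo "chmod +a requires macOS" >&2; return 2; }
    # POSIX bits: non-owners read-only, then add the custom ACE on top.
    chmod g=rx,o=rx "$share" &&
        chmod +a "$(share_ace "$group")" "$share"
}

# Dry run on a constructed ACE line in `ls -le` format.
if printf ' 0: %s\n' "$(share_ace staff)" | acl_blocks_attr_writes staff; then
    echo "staff: attribute writes blocked"
fi
```

On a real share, pipe `ls -led` of the share folder into `acl_blocks_attr_writes` after applying the ACL to confirm that no inherited or explicit allow entry re-grants the attribute writes.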

    Interesting and understood. I always tell people/clients that want to use dates, either date created but definitely date modified, to add that into the name of the file or call them revisions each time, i.e.:
    lawsuitJamesrev2
    or
    lawsuitJames_5_1209
    The reason being, depending on the backup system or, worse yet, disaster recovery, you might not see or be able to see modified dates. If the file is labeled as shown above, it makes it easier. Again, each person is different, but from experience this works best, as well as sorting. Also, law firms I worked with have a number system since they needed to follow regulations on how to secure content. Again, just ideas... hope you find an answer and pass it on.

  • Security Issues with iMac OS X

    I thought that with previous OS X versions, the problem was bad enough when you set the 'Stealth Mode' to 'On' & the status was not reflected within the System Profiler utility. 
    Now it seems more security blunders... You're able to amend Login Items, e.g. select &/or deselect items (within System Prefs, User Accounts) without being asked to re-enter the user's password or keychain password.  If someone gained access to a user's computer/account (even if it was padlocked) then they're able to amend/delete/select/deselect anything in the 'Login Items' list.
    Yet another major security blunder from Apple & I remember it took them months, if not years to resolve the 'Stealth Mode' issue with previous OS X versions.
    Since UNIX is/was meant to be one of the most powerful & secure computer operating systems, they've made it look pretty WeaK!

    > Now it seems more security blunders... You're able to amend Login Items, e.g. select &/or deselect items (within System Prefs, User Accounts) without being asked to re-enter the user's password or keychain password.  If someone gained access to a user's computer/account (even if it was padlocked) then they're able to amend/delete/select/deselect anything in the 'Login Items' list.
    Well duh. That's a bit like saying if someone can start your car then they can change the radio station. If a person has hacked your account to the point where they can amend the Login items list then that is not a security issue, in fact that's the very least of your worries. If they have that kind of access to your machine then they have everything, your data, your passwords, the whole shooting match. So, I wouldn't worry too much that they can remove an item from your Login list.
    So, not a security issue, not a blunder. You need to worry about something important.
