Denying AAA Clients to a specific user group in ACS v4.1

Similar Messages

• How can I give administration permissions to a specific user+group on wiki?

  How do I give administration capabilities to a specific user for only ONE specific group on my wiki server, not all of them.
  Anyone know the simplest way to do this?

  Really all I'm looking to do is to keep my web site exactly the same but limit the reading and writing capabilities of some users on specific groups/wiki pages/blogs but still allow them to read and write to other specific ones that somehow I would designate.
  For example: I'm setting up a group for multiple users (about 15), and they each have their own page within that group, however i want to give them very limited administration capabilities on the site, all I want them to be able to do is to edit their own page, NOTHING else in the group
  there's gotta be a way to do this without 3rd party software installation that seems complicated enough on it's own, isn't administration capabilities a fundamental part of wikis?
  Someone has to have gone through something similar, any help?

• How to create user in specific user group in Microsoft Active Directory ?

  Hi,
  I am using Nestcape LDAP, and want to create user in the user defined group. I have created a new user group "TestUsers" in the "Users" container of Active Directory, I want to add the new user to Test Users group But my problem is that whenever I create a new user
  it get added to Domain Users group.
  Following is the code I am using which adds user to default group Domain Users.
  public LDAPResult createUserID(
  String userId,
  String pwd,
  String pId,
  boolean resetonLogOn,
  LDAPConnection ldCon) {
  boolean flag = false;
  int code=0;
  try {
  String pwdLastSetVal;
  String desName;
  String desc;
  /* Specify the DN of the new entry. */
  String dn =
  "CN=" + userId + ",CN=" + this.container + "," + this.baseDN; // container = "Users"
  /* Create and add attributes to the attribute set. */
  String objectclass_values[] =
  { "top", "person", "organizationalPerson", "user" };
  // LDAPEntry findEntry=null;
  /* Create a new attribute set for the entry. */
  LDAPAttributeSet attrs = new LDAPAttributeSet();
  /* Attribute sAMAccountName */
  LDAPAttribute attr = new LDAPAttribute(LDAP_SAM_KEY, userId);
  attrs.add(attr);
  /* Attribute unicodePwd */ // LDAP_PASSWORD_KEY = "unicodePwd"
  attr =
  new LDAPAttribute(
  LDAP_PASSWORD_KEY,
  (byte[]) this.encodePassword(pwd));
  attrs.add(attr);
  /* Attribute Display Name */
  desName = userId + ":" + pId;
  //desName = userId ;
  attr = new LDAPAttribute(LDAP_DIS_NAME_KEY, desName);
  attrs.add(attr);
  /** Attribute userAccountControl to enable the userid.
  attr = new LDAPAttribute(LDAP_ACCOUNT_KEY, LDAP_ACCOUNT_EN_VAL); // LDAP_ACCOUNT_EN_VAL= "548"
  attrs.add(attr);
  /* Attribute pwdLastSet to reset the password on first logon*/
  if (resetonLogOn == true) {
  pwdLastSetVal = "0";
  } else {
  pwdLastSetVal = "-1";
  attr = new LDAPAttribute(LDAP_RESET_KEY, pwdLastSetVal);
  attrs.add(attr);
  /* Attribute Description */
  desc = " Account Created by HelpNow App";
  attr = new LDAPAttribute(LDAP_DESC_KEY, desc);
  attrs.add(attr);
  /* Attribute objectclass */
  attr = new LDAPAttribute("objectclass", objectclass_values);
  attrs.add(attr);
  /* Create an entry with this DN and these attributes . */
  LDAPEntry myEntry = new LDAPEntry(dn, attrs);
  /* Add the entry to the directory. */
  ldCon.add(myEntry);
  flag = true;
  }catch (LDAPException e) {
  flag = false;
  code=e.getLDAPResultCode();
  }catch (Exception e) {
  flag = false;
  code=LDAPException.OTHER;
  }finally {
  ldaprs.flag=flag;
  ldaprs.code=code;
  return ldaprs;
  }

  Refer to the post titled "JNDI, Active Directory and Group Memberships" available at http://forum.java.sun.com/thread.jspa?threadID=581444&tstart=150

• Restrict metadata field during an update to a specific user group

  Hello everyone,
  I am having some trouble figuring out the best way to restrict permissions to change some metadata fields for 2 different groups of users.
  I have two user groups, A and B. Group A will be checking in documents that the B group will then review for accuracy and quality. Group B will then update an optionlist field called "Status" with either "Recommended" or "Not Recommended".
  This is not a workflow situation as the scope requires that all documents are immediately available for searching. I currently have a CheckIn and Search profile for the content permitting read write access to groups A and B. The "Status" field is hidden on the CheckIn page. Can anyone please suggest a good way to restrict the field "Status" on an Update page to just "B" users? Groups A and B should be able to update all fields with the exception of the B restricted "Status" field.
  Thanks!
  Edited by: user6750815 on Jun 2, 2010 4:11 PM

  Hey rMac,
  I understand it this way you have one profile for A and B user groups. On this profile Status field is hidden.
  If this is your problem you can approach it from two places, while making the rule for hiding the Status field, use rule activation condition. Make it active only for users with Role A . This way even with single profile some of the user with Role B will be able to see the Status field.
  otherwise you can put similar code in Restrict Personalization Link where in you make this hidden field editable and compulsory for Users in B.
  cheers,
  sapan

• Displaying User groups in ACS 4.2

  Is there an easy way to display User groups similar to NDG's?

  Is there an easy way to display User groups similar to NDG's?
  Hi,
  Unfortunately there is no view like viewing NDG in ACS 4.2, Yes you can see different gropus configured in ACS when you go into Group setup and by drag down option you can view the number of groups configured in ACS.
  Hope to Help !!
  Ganesh.H
  Remember to rate the helpful post

• Can you authenticate users from 2 different AAA-servers for one specific tunnel-group?

  I need to authenticate users from two separate AD LDAP databases on the same tunnel-group. I would like them to use the same tunnel-group and thereby using the  same group-alias. I tried creating a new aaa-server group and putting both LDAP servers into group but apparently the ASA does not roll through the separate servers in the aaa-server group and will stop if the first server states that the authentication failed.
  I also tried assigning multiple aaa-server groups into the tunnel-group authentication-server-group but that also did not work. I finally tried to create a separate tunnel-group and assigning it the same group-alias but the ASA will not allow me to assign the same group-alias to different tunnel-group. What is the best way to accomplish this without having to create a new group-alias that will show up and possible confuse the dumb users requiring this access? Please help.

  If you don't want ANY drop down I believe you can do it in a kludgy sort of way.
  Eliminate all the group aliases (which are used to populate the dropdown) and make a local database of the users for the sole purpose of assigning / restricting them to a non-default tunnel-group which authenticates to the secondary LDAP server. 
  You can also send out a non-published URL that points to a second tunnel-group not in the dropdown.
  Of course, we can accomplish this if the AAA server is ISE. ISE 1.3 can authenticate users to multiple AD domains (with or without trust relationships) or a single domain with multiple join points in the Forest.
  The ISE answer makes me wonder - could you establish trust between the domains and authenticate users that way?

• Sharing a folder with specific users/group

  I am trying to make 3 different shared folders for 3 different groups on Windows server 2008 R2. I have tried creating 3 folders in C:\, and then share it with the specific groups. The problem I have is that even though I have only given read and write permissions
  to the specific group members, the other group members(from the 2 other groups) can still read and write in that folder. Which is not supposed to happen. What am I doing wrong and how can I fix this?
  PS: I am quite new to this...

  Hi,
  As all accessing occurs locally, actually Share permission is not involved.
  I assume the purpose is to create a folder which can only be accessed by several members in all 7 users.
  Please noticed that, if all users are local admin (in local Administrators group), this will not work as local admin can always take ownership of a folder for gain accessing rights.
  If you (and other members in that group) are the only local admins on this computer, set NTFS permission will work. 
  Again if one of the excluded members has local admin permission, he/she can take ownership to gain accessing rights. 2 workarounds are "set password with a third party application" and "create a new volumn for saving those files, and enable
  BitLocker encryption on that volume with a password". 
  Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

• Recycle bin to show all deleted items on the site collection for specific user group

  hi there, is there any way where a certain sharepoint group (i.e. site collection members) to view and restore deleted items on theentire collection, without giving them site collection rights orgive them more rights than necessary? we wanted to create
  aSP group that has the permission to restore deleted items and give them to selected users so that our users won't have to contact us when they want to restore a deleted item

  I don't believe you can. If an item get's deleted it should go to the first recycle bin @ /_layouts/15/RecycleBin.aspx
  The Recycle Bin gives a site collection administrator
  greater control when users delete files, versions of files, list items, libraries, lists, and folders from a SharePoint site by providing a second stage safety net before an item is permanently deleted from a site. When a user deletes an item from the Recycle
  Bin, the item is sent to a second stage Recycle Bin (also known as the Site Collection Recycle Bin) that the site collection administrator manages. This article focuses on how a site collection administrator can manage the Recycle Bin for a site collection.
  https://support.office.com/en-US/Article/Manage-the-Recycle-Bin-of-a-SharePoint-site-collection-5fa924ee-16d7-487b-9a0a-021b9062d14b
  Ibrahim Sukari, Technical Consultant | SharePoint | Dynamics CRM |
  LinkedIn Profile

• Send mail to a specific user group when an Inbound Idoc processing fails

  I am using standard Message type DEBMAS, but the process code is customed (say ZDEBM as the function module is customed). Can you tell me what configurations are required to activate the error notification message to a user when the inbound idoc fails?

  hi,
  i think u need to check tcode swu3 for automatic workflow customizing and check in we40 (error AND STATUS PROCESSING) whether the processing code is assigned to the workflow task.
  if it is assigned,the workflow will be automatically triggered and the mail will be sent to the user by itself.
  ALE error handling uses workflow. A standard task is provided for each message type. Task TS20000051 is used for all BAPIs.
  Workflow functions as follows:
  A task (work item) is generated for the error handling and stored as a message in the inboxes of the employees responsible.
  If one of these employees processes the work item, the standard task method for error handling is started. The user can, for example, restart IDoc processing.
  If the IDoc is processed successfully, the work item is deleted from the inboxes of all the employees involved.
  For this procedure to function, the employees responsible for a particular message type and partner (sender or receiver) must be defined as follows:
  1. A hierarchy of organizational units (for example, "sales office") and positions (for example, "customer officer for customer X") is created and employees are assigned to it.
  2. The standard tasks for error handling (for example, an error related to an inbound sales order) are assigned to the relevant organizational units or positions (for example, "sales office").
  3. The organizational unit, position or employee responsible for dealing with the error are specified for each partner and message type in the partner profiles.
  If an error occurs, the system determines:
  1. The employees responsible using the staffing schedule of the organizational unit or position linked to the standard task.
  2. The employees defined in the partner profiles (using position, user ID, or organizational unit).
  3. The employees appearing in both groups represent those who will receive a work item in their inboxes.
  regards,
  pankaj singh

• [Solved] wine: restricting execution to specific user/group safe?

  From what I understand, the way of exploiting a bug in a browser and launching malware in the background won't work with wine as the malware injector calls "some.exe", not "wine some.exe". So using wine is safe unless the person is "dumb" enough to execute a windows executable from an untrusted source, right?
  I have the following situation: there are two users, one should be able to execute windows programs, the other one (who recently got mislead by a "you need to update flash player" malware link -_-) should be unable to.
  What I thought I'd do was to create a group, let's say, called "wine" and change the permissions on the wine executable(s) so that only users of this group get the executable right. Then add users to this group.
  Is this safe? Is changing permissions on wine/wine64 enough, or should I also modify them for wine(64)-preloader? Or is there maybe a better way to do that?
  edit: also, will the permissions be reset when pacman updates wine?
  Last edited by Soukyuu (2014-05-28 15:20:23)

  Ideally, I'd want the user to be able to only execute whitelisted wine programs, but from what I know it's not possible. It's mainly to guard against accidental execution of mal/adware, which happened a few times while this computer was running windows. My parents lack the technical knowledge to try and circumvent those measures, nor do they have a reason. This means they are only using the GUI and call me if something doesn't work. Would using an alias guard against double-clicking on a windows binary?
  The reason I have wine at all is that I still need some windows programs on that PC, and the reason I switched to linux was to free up resources used up by the antivirus. So theoretically I could just launch the programs I need in a VM, but that would just negate any resource gains I got by installing linux...

• Different Password Policy for Different User Groups in ACS 4.2

  Hi All,
  Can some one provide a solution for the below requirement?
  We do have ACS 4.2 appliance managing firewalls of different clients. The users are common i.e, helpdesk administrators. One of the client came up with setting different password policy for managing their devices i.e, the client wants to have min 15 characters as password length. We do have currently 8 characters as min password length. Can we change the password policy to min 15 characters only for managing the firewalls of this client whereas for all other client firewalls we feel better to have 8 characters as min password length?
  It seems that these password policies are global & affects all the users.
  This is something like, having two sets of password (for each user) policy depending on the client which he is going to manage.
  For my knowledge, i think that this is not possible. But, thought to cross-check with experts!
  -Jags.

  Hi jags,
  Yor're correct. Password policy on ACS will affect all internal user. We can't create different password policies for diferent clients/connections/set_of_users
  Password validation options apply only to user passwords that are stored in the ACS internal database. They do not apply to passwords in user records in external user databases; nor do they apply to enable or admin passwords for Cisco IOS network devices.
  HTH
  Regards,
  JK

• Time-based access to WLAN/building for specific users using WCS/ACS

  Here's our situation:
  WCS: 7.0.172.0
  ACS: 4.2(1)
  MSE: 6.0.75.0
  For an hour or two each day during an event, we're trying to figure out how to prevent students from connecting to the wireless in a particular building.
  All students are in the same WLAN. Everybody on campus uses the same SSID. We dynamically assign users to WLANs based on who they are through ACS. In addition to 802.1x authentication, MAC address authentication is performed by way of ACS to our in-house NAC system, where all students have registered their computers with us. This currently uses the External ODBC Database option in ACS.
  Our contraints:
  - We want them to be able to access wireless at other campus areas during this time, just not in this one building.
  - Faculty/Staff needs to use the wireless in that building during that time. This prevents me from simply shutting down the radios temporarily.
  Has anybody attempted anything similar? Anybody have any thoughts or ideas?
  Ethan A. Cooper
  Network Administrator
  LeTourneau University

  Currently, IP and IPX extended access lists are the only functions that can use time ranges. The time range allows the network administrator to define when the permit or deny statements in the access list are in effect. Prior to this feature, access list statements were always in effect once they were applied. Both named or numbered access lists can reference a time range.
  For the further description following URL for the Time-Based Access Lists will help you.
  http://www.cisco.com/en/US/docs/ios/12_0t/12_0t1/feature/guide/timerang.html#wp10236
  I hope it may help you.

• Select all users of specific APEX Group

  Hello,
  do you know how I can find all users assigned to specific User Group?
  I know there is User Groups Assignments page in APEX Administration panel, but it's very weak. It shows only 500 records, and there is no search option. I also can't find APEX group view in APEX DB.
  I can check all groups of any user, I don't believe I can't check all users of any group.
  Regards,
  Przemek

  Hi Martin,
  thanks a lot! I needed sth similar, but I couldn't have found right views. Thanks to you now I can:
  Select GROUP_NAME, USER_NAME, FIRST_NAME, LAST_NAME from WWV_FLOW_USERS u, WWV_FLOW_GROUP_USERS g where g.USER_ID=u.USER_ID and UPPER(GROUP_NAME) like '%some_name%' order by USER_NAME
  Regards,
  Przemek

• Restricting certain users groups to read only for certain folders

  Hi
  I'm not sure if this is the correct forum, but hey, hopefully someone might now the answer or direct me to the correct one.
  I'm writing a VB program to amend ACLs for specific user groups.
  Effectively, I make all prior year folders read only, whereas the default for the group is Modify, Delete etc.  This means they can continue to work in the "new year folders", but historic years is List/read only.
  I've got to the point the program does everything I want, i.e. stops folder creation7deletion, file & folder name changes, copying for the historic years, but does not prevent deletion of files in the folder.  Effectively I set Deny access on the
  historic folders.
  Testing using the Windows GUI would appear to resolve the problem is I change the Deny Special Permission (for the group) from "This folder only" to "This folder & files".
  Question then is how to I set this in VB, the default appearing to be "This folder only"
  Here's extract of my code
  Thanks
  IfvarDirectoryName.IndexOf("\"&
  Date.Now.Year) = -1
  Then
              FileAcl3.AddAccessRule(
  NewFileSystemAccessRule(GroupAdmin(0),
  FileSystemRights.Modify,
  AccessControlType.Deny))
              FileAcl3.AddAccessRule(
  NewFileSystemAccessRule(GroupAdmin(0),
  FileSystemRights.DeleteSubdirectoriesAndFiles,
  AccessControlType.Deny))
              FileAcl3.RemoveAccessRule(
  NewFileSystemAccessRule(GroupAdmin(0),
  FileSystemRights.ReadAndExecute,
  AccessControlType.Deny))
              FileAcl3.RemoveAccessRule(
  NewFileSystemAccessRule(GroupAdmin(0),
  FileSystemRights.ListDirectory,
  AccessControlType.Deny))
  Dim FileInfo3 As IO.FileInfo = New IO.FileInfo(varDirectoryName)
  Dim FileAcl3 As New FileSecurity
  If varDirectoryName.IndexOf("\" & Date.Now.Year) = -1 Then
  FileAcl3.AddAccessRule(New FileSystemAccessRule(GroupAdmin(0), FileSystemRights.Modify, AccessControlType.Deny))
  FileAcl3.AddAccessRule(New FileSystemAccessRule(GroupAdmin(0), FileSystemRights.DeleteSubdirectoriesAndFiles, AccessControlType.Deny))
  FileAcl3.RemoveAccessRule(New FileSystemAccessRule(GroupAdmin(0), FileSystemRights.ReadAndExecute, AccessControlType.Deny))
  FileAcl3.RemoveAccessRule(New FileSystemAccessRule(GroupAdmin(0), FileSystemRights.ListDirectory, AccessControlType.Deny))
  FileInfo3.SetAccessControl(FileAcl3)
  End If

  Ho Rohn
  Your right, when I added the flags I got the following error at execution
  {"No flags can be set. Parameter name: inheritanceFlags"}
  I've developed a work around, which gives me exactly - subject to further testing - what I want.  I simply mark each file in the relevant folders with a Deny Delete option.
  I will however explore the DirectorySecurity class option, but initial review of the www seems a little shy on VB examples.
  Thanks
  Perry
  You should be able to use FileSecurity and DirectorySecurity the same way (they have identical methods). Since this is a scripting forum, I'll provide a PowerShell example (which is fairly close to C# and VB; they all use the exact same classes):
  $varDirectoryName = "c:\folder"
  $GroupAdmin = "Admin Group"
  $FileInfo3 = New-Object System.IO.DirectoryInfo $varDirectoryName
  $FileAcl3 = $FileInfo3.GetAccessControl()
  $FileAcl3.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule (
  $GroupAdmin,
  [System.Security.AccessControl.FileSystemRights]::Modify,
  ([System.Security.AccessControl.InheritanceFlags]::ContainerInherit -bor [System.Security.AccessControl.InheritanceFlags]::ObjectInherit),
  [System.Security.AccessControl.PropagationFlags]::None,
  [System.Security.AccessControl.AccessControlType]::Allow
  $FileInfo3.SetAccessControl($FileAcl3)
  I could have taken a lot of shortcuts when using the enumerations, but I think keeping it verbose helps show how similar the code can be.
  Does that make sense?

• TMG2010 - Exhcange 2010 - Restrict User Groups

  Hey Guys, 
  We have TMG2010 currently reverse publishing OWA however no Pre-Auth is being used, the Exchange 2010 Auth Form is being used. 
  The TMG box is not Domain Joined, however if we joined it to the domain would we be able to use AD Security Groups to restrict access to certain services such as OWA?  Without enabling the "Pre-Auth" Functions of TMG? 
  Thanks, 
  Robert 
  Robert

  Hi,
  yes it is possible to restrict access to specific services like OWA/EAS/OA on the TMG Server for specific user/groups if the TMG Server is a member of the domain. You can also use pre-auth if the TMG Server is a member of a workgroup if you use LDAP
  on the TMG Server:
  TMG publishing:
  http://www.microsoft.com/en-us/download/details.aspx?id=8946
  TMG and LDAP:
  http://www.isaserver.org/articles-tutorials/configuration-general/Microsoft-Forefront-TMG-Using-LDAP-RADIUS-Authentication.html
  regards Marc Grote aka Jens Baier - www.it-training-grote.de - www.forefront-tmg.de - www.galileocomputing.de/3570