Does "Access Enforcer" only support "role" based SOD analysis?

Hi Expert,
In the demo script, when the user creates the "Access Request Form", he can choose the "Role" he wanted from the "Select roles" list. I'm just wondering whether each role here corresponds to a role in the backend system? For example,
if I choose role "Z_AP_ACCOUNTANT", actually at that time there is a role called "Z_AP_ACCOUNTANT" already in the backend system if the system is a SAP ECC system.
Another question is, if so, does that mean it can only support "Role" based SOD analysis? As you know, each role may contain several "authorization objects"; can it be done from the "authorization object" level?
Thanks and best regards.

Hi,
The Roles are normally determined based on the SOD. Using T/code: PFCG the roles are mapped to the system. These Roles are common to all the systems, regardless of R3, Virsa etc.
The roles also can be determined without SOD [but this is not recommended.].
The SOD is only to ensure that there exist no internal control weaknesses while creating the Roles at an organizational level. Thus it is only an exercise outside the System, be it SAP, Virsa or else.
At the system level we map only the roles [using: PFCG]. We don't map SOD here. So, SOD or No SOD, the system supports the Roles.
Hope this helps.
Regards,
Ramesh.

Similar Messages

  • Does access manager only support uid as rdn?

    I am deploying 2005q4 access manager and my directory does not use uid as the rdn for user entries. Does access manager only support uid as the rdn in user entries? I am trying to test JES with mail and calendar etc and trying to figure out how to use my data design.

    No, it can support any attribute for the naming attribute. For LDAP authentication there are usually two directories involved: the LDAP server where authentication occurs and the LDAP server where user profiles are stored.
    If you only need to authenticate against an LDAP server where the RDN is not uid (for AD is samaccountname), you simply need to change the naming attribute in the LDAP authentication module.
    If the LDAP server where user profiles are stored does not use UID, you may have a little more work on your hands. If you are using AM 7 in realm mode you simply need to create a new LDAPv3 user store configured for your needs. If you are using AM 7 in legacy mode or < AM 7 you will need to modify the DAI service and quite possibly the amUser and amConsole services.

  • Does Huawei router NE40 support Class-Based QoS?

    As I know Class-based QoS defines traffic classifiers based on certain rules and associates traffic classifiers with certain traffic behaviors, forming certain traffic policies. After these policies are applied to interfaces, class-based traffic policing, traffic shaping, congestion management, and precedence re-marking are implemented.
    Does Huawei router NE40 support Class-Based QoS?

     The NE80E/40E supports DiffServ and provides standard forwarding services such as EF and AF for users by using the following traffic management measures:
    1 Traffic classification
    2 Traffic policing
    3 Traffic shaping
    4 Congestion avoidance
    QoS of the NE80E/40E supports traffic policy with the above measures and mapping between the QoS fields in the IP header and the MPLS header.
    And more information about router NE40, please visit:
     http://www.huanetwork.com/huawei-router-ne40e-series-price_c89

  • Does weblogic 5.1 support form based authentication of servlets

              Hi,
              Does weblogic 5.1 support form based authentication?
              If yes is any setup need to be done?
              <HTML>
              <BODY>
              This is a test for form based authentication
              <FORM action="j_security_check">
              <input type="j_name" value="hi">
              <input type="j_password" value="hi">
                   <input type="submit" value="hi">
              </FORM>
              </BODY>
              </HTML>
              If I submit a form to j_security_check, weblogic throws "404 file not found error".
              thanks
              

              You must add this to your web.xml file:
              <login-config>
              <auth-method>FORM</auth-method>
              <realm-name>LDAPRealm</realm-name>
              <form-login-config>
              <form-login-page>/logon.jsp</form-login-page>
              <form-error-page>/logonerror.jsp</form-error-page>
              </form-login-config>
              </login-config>
              greetings
              "Cameron Purdy" <[email protected]> wrote:
              >Yes. You have to specify in web.xml per spec.
              >
              >Peace,
              >
              >--
              >Cameron Purdy
              >Tangosol, Inc.
              >http://www.tangosol.com
              >+1.617.623.5782
              >WebLogic Consulting Available
              >
              >
              >"antony" <[email protected]> wrote in message
              >news:[email protected]...
              >>
              >>
              >> Hi,
              >>
              >> Does weblogic 5.1 support form based authentication?
              >> If yes is any setup need to be done?
              >>
              >> <HTML>
              >> <BODY>
              >> This is a test for form based authentication
              >> <FORM action="j_security_check">
              >> <input type="j_name" value="hi">
              >> <input type="j_password" value="hi">
              >> <input type="submit" value="hi">
              >> </FORM>
              >> </BODY>
              >> </HTML>
              >>
              >> If i submit a form to j_security_check, weblogic throws "404 file not
              >found error".
              >>
              >> thanks
              >>
              >
              >
              

  • Does the SLM224G switch support port-based VLAN's?

    I am looking for a simple solution to create two LAN's. One for my own and one for my customers, who will be able to use desktop PC's with internet access. I have only one internet connection (DSL over ISDN) and will not be getting another just for my customers.
    My own network should not be accessible or visible to users who are using the customers-PC's. The other way around is allowed, but not really necessary. My setup requires me to hook up the switch to the (ISP) router, and that router just has one LAN port not able to do anything related to VLAN's.
    I read about port-based VLAN's here, where it is stated that creating separate LAN's is just putting ports into VLAN's on the switch, nothing else needs to be done... However, they used a NetGear smart switch.
    I checked out Cisco's SLM224G as it is affordable, has 24 ports (instead of 8 for the NetGear) and should support VLAN's. I have read a lot about VLAN's, including:
    "- Port-based VLAN's means that you can reconfigure ports to be in different VLAN's. Port-based VLAN's do not confirm 802.1q VLAN support.
    - 802.1q VLAN's means that you can tag VLAN's with 802.1q headers to create a trunk between two devices that carries frames for multiple VLAN's. 802.1q VLAN's confirm that there is also Port-based VLAN support."
    I know from the spec sheets that the SLM224G supports 802.1q (tagged) trunking. So it should, given the text found above, also support port-based VLAN's.
    My question is whether it indeed will support port-based VLAN's?
    Am I able to use it directly behind my ISP's router and create two separate LAN's?
    If so, one extra question: how do the PC's behind the switch (inside the two VLAN's) get their IP addresses from the ISP router? Or will it service only one of the two LAN's and should I install a DHCP server in the other LAN?
    Any information is very welcome!
    Thank you.

    Thanks for your response, mr. Carr.
    I have read more about vlan's and their setup. I think the article about port based vlan's was lacking some information about the router/firewall. Maybe it was set up to work with different vlan's from the start. Strangely, in the text it is said that nothing needs to be set up besides the (Netgear) vlan-capable switch.
    So, from your response and other texts I learned I needed a vlan-capable router. I have to say that I need to be able to manage a server on the LAN from the outside (internet). I already tried to set up a Cisco/Linksys WRT54G router behind the ISP's (ZyXel) single LAN-ported router and that would not work at all (even when the Linksys was set in router-mode). I lost the connection to internet setting it up that way. I even tried to setup the Linksys in the DMZ of the ZyXel, with no luck. I was unable to set that up with working internet-access from the LAN. So I was not too happy with the suggestion to set up a (second) vlan-capable gigabit router behind the ISP's router....
    Eventually, I bridged the ZyXel to get rid of the double NAT/gateway mode of the two routers as routing mode did not work on the Linksys. The Linksys is now getting the WAN-ip from the ISP on its WAN port and I furthermore used DD-WRT's firmware to enable the built-in vlan-capabilities of the Linksys.
    Now I have set up the Linksys with two vlan's and I bought the SLM224G as an inexpensive manageable 24-port vlan-capable switch to provide the number of ports I needed. I divided the SLM in two vlan's and used two wires from the Linksys to the SLM. So the SLM does support port-based vlan's by simply setting up two ranges of ports with different PVID settings. Trunking and 802.1q tagging isn't needed that way. I know I could have used two dumb switches to get two separate subnetted networks, but this way I get just enough ports in a single device where I have ample space to put it.
    Anyway, thanks for helping me understand the way vlan-capable switches work.

  • Access Enforcer and Import Roles

    Hi All,
    I am having issues importing roles that have the exact same name across different systems. This makes it almost impossible to implement Access enforcer across Dev/QA and Production environments at once. I would have thought that AE uses the (System ID, role name) as the key for that particular table used.
    Has anyone managed to find a workaround for this?
    Cheers,
    Cuneyt

    Never mind, I have solved the problem.

  • Does ADF now only support Chrome 1?

    From http://www.oracle.com/technetwork/developer-tools/jdev/index-091111.html#Browsers, I found ADF only supports Chrome 1.
    Since the newest Chrome version is 17, why does ADF just support Chrome 1?

    See, the problem is that at the time of writing the current Chrome version is 18... They come out too fast to put them all into such a document.
    The doc you state says Chrome 1+, which I read as Chrome version 1 and newer.
    By the way, you should update your Chrome to 18
    Timo

  • Role Based Risk Analysis Report

    Hello All,
    When I executed the Risk Analysis report for a role with SOD Risk Level = ALL and Report type = SOD at Authorization Object level, the results come back as "NO CONFLICT FOUND".  This is the correct response.
    However, I executed the Risk Analysis report for the same role with SOD Risk Level = HIGH and Report type = SOD at Authorization Object level, the results come back SOD conflicts based on the conflicting transactions.  Is there a bug with analyzing roles using this option?
    Also, when I click on the Detail Report button, I received object data that does not appear correct.
    Please Help.  Thanks.
    Edited by: Michael Johnson on Apr 8, 2009 8:54 PM

    Hi Babiji,
    Are you using any specific tools for SOD's? If you are using GRC tool, then it can be done using compliance calibrator Role level Risk analysis. In addition to what Sneha has said,
    To find out the conflicting roles in CC version 5.2 the path is INFORMER->Risk Analysis->Role level. In Virsa 4.0 you have the option of carrying out risk analysis at role level by executing the t-code /N/VIRSA/ZVRAT.
    In section Analysis type, choose Roles and enter the list of roles.
    In section SOD Risk level, choose the appropriate risk.
    Then choose the appropriate report type and report format before executing it.
    This will display all the roles with the levels of risk associated with it and then you can mitigate these as per your organizational policies & procedures.
    Thanks,
    Saby..
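
The question at the top of this page (role level versus "authorization object" level) and the report types in the thread above both turn on the same distinction, shown here as an added example that is not SAP or Virsa code and does not reproduce Compliance Calibrator's logic. The role contents, the role `Z_AP_SUPERVISOR`, the functions and risk `P001` are constructed for illustration; only the role name `Z_AP_ACCOUNTANT` comes from the page.

```python
# Constructed model: a role is a bundle of transaction codes plus
# authorization-object field values. Contents and rules are illustrative only.
from itertools import product

ROLES = {
    "Z_AP_ACCOUNTANT": {  # name from the thread; contents assumed
        "tcodes": {"FK01", "FB60"},
        "auths": {
            ("F_LFA1_APP", "ACTVT"): {"03"},  # vendor master: display only
            ("F_BKPF_BUK", "ACTVT"): {"01", "02", "03"},
        },
    },
    "Z_AP_SUPERVISOR": {  # hypothetical role
        "tcodes": {"FK01", "FB60"},
        "auths": {
            ("F_LFA1_APP", "ACTVT"): {"*"},  # wildcard grants every activity
            ("F_BKPF_BUK", "ACTVT"): {"01"},
        },
    },
}

# function -> [(tcode, [(object, field, values that make the action effective)])]
FUNCTIONS = {
    "MAINTAIN_VENDOR": [("FK01", [("F_LFA1_APP", "ACTVT", {"01", "02"})])],
    "PROCESS_INVOICE": [("FB60", [("F_BKPF_BUK", "ACTVT", {"01"})])],
}

# A risk is a pair of functions that one person should not hold together.
RISKS = {"P001": {"functions": ("MAINTAIN_VENDOR", "PROCESS_INVOICE"), "level": "HIGH"}}


def action_hits(role, function, level):
    """Transaction codes in `role` that satisfy `function` at the given level."""
    hits = []
    for tcode, perms in FUNCTIONS[function]:
        if tcode not in role["tcodes"]:
            continue
        if level == "object":
            # Every required object/field must hold an effective value or "*".
            effective = all(
                "*" in role["auths"].get((obj, field), set())
                or role["auths"].get((obj, field), set()) & values
                for obj, field, values in perms
            )
            if not effective:
                continue
        hits.append(tcode)
    return hits


def analyze_role(role_name, level="object", risk_level="ALL"):
    """Return [(risk_id, (tcode, tcode))] for each conflicting pair in one role."""
    role = ROLES[role_name]
    conflicts = []
    for risk_id, risk in sorted(RISKS.items()):
        if risk_level != "ALL" and risk["level"] != risk_level:
            continue
        per_function = [action_hits(role, f, level) for f in risk["functions"]]
        if all(per_function):  # both sides of the risk are present
            conflicts += [(risk_id, combo) for combo in product(*per_function)]
    return conflicts


if __name__ == "__main__":
    for name in ROLES:
        for level in ("transaction", "object"):
            print(name, level, analyze_role(name, level))
```

In this model `Z_AP_ACCOUNTANT` conflicts at transaction level but not at authorization-object level, because its vendor-master activity is display only.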

  • Does Mapviewer / Oracle Maps support file based raster imagery

    Forum:
    We have 1000's of ortho images that we are attempting to serve - with Oracle Vector data - using Oracle Maps.
    MapViewer supports Georaster, and Image themes - and one can use Mapbuilder rather well to configure the system for these.
    However - is there a way (other than to use a non-oracle WMS server) to serve up ortho images from their disk based locations if you do not want to load all your aerial photography into the database ?
    And again thank you in advance.
    JF

    Hi,
    if you have a non-Oracle WMS server that gives access to these images, you may define an external map cache source to access these images. Oracle Mapviewer provides a WMSAdapter class implementation that can be used in this case.
    The following example shows the definition of an external map cache for Oracle Maps. Notice the adapter_class (which is shipped with MapViewer) and the properties parameters (which are used to define a WMS request).
    <map_tile_layer name="ESRI_MAP" image_format="PNG" http_header_expires="168.0" concurrent_fetching_threads="3">
       <external_map_source url="http://sampleserver1.arcgisonline.com/ArcGIS/services/Specialty/ESRI_StateCityHighway_USA/MapServer/WMSServer" request_method="GET"
          timeout="15000" adapter_class="oracle.lbs.mapcache.adapter.WMSAdapter" proxy_host="www-proxy.us.oracle.com" proxy_port="80" transparent="false" clipping_buffer="0">
          <properties>
             <property name="version" value="1.1.1"/>
             <property name="srs" value="EPSG:4326"/>
             <property name="layers" value="0,2"/>
             <property name="format" value="image/png"/>
          </properties>
       </external_map_source>
       <tile_storage root_path="C:\mapviewer\oc4j\j2ee\home\applications\mapviewer\web\tilecache\MVDEMO.ESRI_MAP\"/>
       <coordinate_system srid="8307" minX="-180.0" minY="-90.0" maxX="180.0" maxY="90.0"/>
       <tile_image width="256" height="256"/>
       <zoom_levels levels="4" min_scale="199999.0" max_scale="2.5E7" min_tile_width="0.12228761382373739" min_tile_height="15.286028158107968">
          <zoom_level level="0" name="" description="" scale="2.5E7" tile_width="15.286028158107968" tile_height="15.286028158107968"/>
          <zoom_level level="1" name="" description="" scale="4999999.0" tile_width="3.0572050201804664" tile_height="3.0572050201804664"/>
          <zoom_level level="2" name="" description="" scale="999999.0" tile_width="0.6114405148831922" tile_height="0.6114405148831922"/>
          <zoom_level level="3" name="" description="" scale="199999.0" tile_width="0.12228761382373739" tile_height="0.12228761382373739"/>
       </zoom_levels>
    </map_tile_layer>
    Joao

  • HT3621 Does iPad bluetooth only support (connect) to Apple products?

    I have been trying to connect my LG cell phones to my iPad2 and it keeps telling me it (iPad) does not support this device. I assume it will only connect to "i" products. Am I correct?

    Not quite. It will connect to non Apple devices...but only keyboards, microphones and headsets. There is no protocol for file transfer or streaming between devices.

  • Can access enforcer be implemented with going through the SOD check.

    Hi All,
    I have couple of questions regarding Access enforcer:
    1. Can Access enforcer be implemented with going through the SOD check?
    2. Can we provision roles for the project team using Access Enforcer (without having a million SOD conflicts which need to be cleared)?
    I would really appreciate any insight on these questions.
    Thanks

    https://websmp103.sap-ag.de/~form/sapnet?_FRAME=OBJECT&_HIER_KEY=501100035870000015092&_HIER_KEY=601100035870000206624&_HIER_KEY=601100035870000212731&_HIER_KEY=601100035870000210510&_HIER_KEY=701100035871000519581&_SCENARIO=01100035870000000202&#HOME

  • Access Enforcer - Role Reaffirmation

    Hi,
    Access Enforcer offers a role <-> user assignment reaffirmation after a defined period.
    My question is, what happens if using the Remove or Hold button in the Role Reaffirm menu entry.
    I tried removing the access, but all that happens is the user entry is marked as "Remove".
    Should an automatic Request for the role removal be triggered or what's the purpose of these two options?
    Thanks,
    Daniela

    I answered the question myself.
    Hold will keep the role in the queue to reaffirm.
    Remove will automatically remove the role from the user once all user-role assignments have either been affirmed or removed.

  • Role Based FireFighter with GRC 10.0 (CEA)

    Does anyone know how the Role Based functionality of FireFighter exactly works besides putting the application type parameter to Role Based in SPRO?
    The manuals explain that the FF users log in to the remote system with their own users, but how are the FF roles or roles that are enabled for Firefighting assigned to these users and how will the log file know which activity to record?

    Good question, and the answer is not pretty.
    In Role-Based Firefighter Application, the firefighter ID on the target system contains the user's regular access plus his/her firefighter access.
    Reporting turns on when the user runs a transaction in the firefighter role.
    If the transaction is in both the user's regular access and the firefighter role, reporting will turn on because the firefighter role access is in use.
    The reports only track firefighter role usage.  So if a user runs a firefighter transaction but also uses access defined in the user's regular access, the only thing recorded is the transaction.
    If your company is not completely married to the idea of using Role-Based Firefighter Application, I suggest you consider the ID-Based Firefighter Application.  In this, there are separate firefighter IDs on the target system and a firefighter gains access to them by going into GRC and completing a form showing how the firefighter ID will be used, and then the GRC system will let the firefighter into the target system using that firefighter ID.

  • CUA still necessary/recommended with Access Enforcer?

    Hello forum members,
    We are planning to implement SAP GRC Access Control for one of our clients. There are 5 R/3 Systems in the landscape, one of them a HR System. Currently there is no CUA in place and all users and roles are maintained separately in each system. Now with the introduction of GRC Access Control there is the question, if we should at the same time also have a CUA introduced or if it is better to directly provision the Users and Roles from Access Enforcer to the target systems.
    What are the pros/cons to have a CUA in between? Does Access Enforcer also provide overview on all users in all system and the assigned roles?
    Thanks for your replies.

    This is a question that I'm asked all the time.  For some environments, using CUA with AE is really nice.  For other environments, it's just not feasible to have CUA as the security authorisation strategies are too inconsistent across systems.
    For example:
    a. There are three systems (ECC, BI, and SRM) implemented with a consistent top-down (job) approach to defining roles.  So, an AP clerk will receive the 'AP Clerk' role in ECC, 'AP Clerk' role in BI, and 'AP Clerk' role in SRM (for simplicity).   Obviously, the roles are different as they are for different systems, but the point is, it is easy to categorise the authorisations for a particular job across each of the systems.  If security is consistent like this, then CUA can be implemented and the three single roles for the three systems can be grouped together in a cross-system composite role called 'AP Clerk'.  When AE is implemented over the top of this, a user only has to request the 'AP Clerk'  role (composite).  AE performs the workflows, risk analysis etc and then finally passes the request to CUA, which then provisions out to the other two systems.  Very easy from a user point of view as they only have to request one role, which is their job.
    b.  If however due to inconsistency between the systems, it is not feasible to group access into cross-system composites, it may just be better to go with AE without CUA.  In this scenario, a user must request the applicable roles from each of the three systems.  It is more flexible, but a little more difficult for the end user.
    I normally spend quite a bit of time developing the Access Controls strategy during the blueprint phase of the implementation just to make sure that I'm coming up with the optimal design.  A bit of prototyping helps also!

  • Does 10.6.8 support DHCPv6?

    I saw in the release notes for 10.6.8 that IPv6 support was "improved." Unfortunately, I don't see any specifics as to what these improvements were. Has DHCPv6 support been added?
    Anyone who uses OS X with IPv6 on a Cisco router will greatly appreciate not having to manually add their DNS IP address manually.

    Kappy I do appreciate you taking the time to respond to my question, and I don't mean to sound rude, but that IPv6 test doesn't have anything to do with DHCPv6. Everything between your AEBS and your Mac was likely configured using stateless address autoconfiguration (SLAAC), which is not DHCPv6.
    Here's an explanation of the difference between DHCPv6 and SLAAC from the DHCPv6 wikipedia entry:
    DHCPv6 is the Dynamic Host Configuration Protocol for IPv6. Although IPv6's stateless address autoconfiguration can also be used to acquire IPv6 access, DHCPv6 may be a more suitable solution to assign addresses, nameservers and other configuration information as being done today with DHCP for IPv4. A notable case is Domain Name System servers used on a network, albeit other mechanisms exist for this in the Neighbor Discovery Protocol.[1]. At the time of writing, Microsoft Windows does for example only support the method used with DHCPv6 and not RDNSS with stateless address autoconfiguration.
    The only reason I ask this question now is because IPv6 enhancements were reported in 10.6.8. From what I have seen in the packet captures I've done here, the "managed config flag" bit is set in the router advertisements, which means my MacBook should be using DHCPv6 for additional configuration, however it is not.
    So basically all signs point to 10.6.8 still not supporting DHCPv6, but I was hoping that had changed with 10.6.8's IPv6 "improvements."
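
The "managed config flag" mentioned in the post above sits in the flags octet of the ICMPv6 Router Advertisement (RFC 4861), and RDNSS is carried as RA option type 25 (RFC 8106). The following is an added example, not part of the original thread: it reads both from a raw RA and reports whether a host without a DHCPv6 client would be left with no DNS server. The two byte strings are constructed samples with a zero checksum, which the parser does not verify.

```python
import ipaddress
import struct

ND_ROUTER_ADVERT = 134  # ICMPv6 type of a Router Advertisement
OPT_RDNSS = 25          # Recursive DNS Server option


def parse_router_advertisement(icmp6: bytes) -> dict:
    """Parse the ICMPv6 payload of an RA: M/O flags and any RDNSS addresses."""
    if len(icmp6) < 16:
        raise ValueError("truncated Router Advertisement")
    msg_type, _code, _cksum, _hop_limit, flags, lifetime, _reach, _retrans = struct.unpack(
        "!BBHBBHII", icmp6[:16]
    )
    if msg_type != ND_ROUTER_ADVERT:
        raise ValueError("not a Router Advertisement")
    info = {
        "managed": bool(flags & 0x80),  # M: addresses via DHCPv6
        "other": bool(flags & 0x40),    # O: other configuration (e.g. DNS) via DHCPv6
        "router_lifetime": lifetime,
        "rdnss": [],
    }
    offset = 16
    while offset + 2 <= len(icmp6):
        opt_type = icmp6[offset]
        opt_len = icmp6[offset + 1] * 8  # length field counts 8-octet units
        if opt_len == 0 or offset + opt_len > len(icmp6):
            raise ValueError("malformed option")
        if opt_type == OPT_RDNSS:
            # 8-octet option header (type, length, reserved, lifetime), then addresses.
            body = icmp6[offset + 8 : offset + opt_len]
            if not body or len(body) % 16:
                raise ValueError("malformed RDNSS option")
            info["rdnss"] += [
                str(ipaddress.IPv6Address(body[i : i + 16])) for i in range(0, len(body), 16)
            ]
        offset += opt_len
    return info


def dns_sources(info: dict) -> list:
    """Ways this RA tells a host to learn its DNS servers."""
    sources = ["rdnss"] if info["rdnss"] else []
    if info["managed"] or info["other"]:
        sources.append("dhcpv6")
    return sources


def needs_manual_dns(info: dict, client_has_dhcpv6: bool) -> bool:
    """True when the host cannot use any DNS source the router offers."""
    usable = [s for s in dns_sources(info) if s == "rdnss" or client_has_dhcpv6]
    return not usable


# Constructed sample: M flag set, no options (the situation described in the post).
RA_MANAGED = bytes([134, 0, 0, 0, 64, 0x80]) + struct.pack("!HII", 1800, 0, 0)
# Constructed sample: no M/O flags, one RDNSS option with a documentation-prefix address.
RA_RDNSS = (
    bytes([134, 0, 0, 0, 64, 0x00])
    + struct.pack("!HII", 1800, 0, 0)
    + bytes([OPT_RDNSS, 3, 0, 0])
    + struct.pack("!I", 600)
    + ipaddress.IPv6Address("2001:db8::53").packed
)

if __name__ == "__main__":
    for name, ra in (("managed", RA_MANAGED), ("rdnss", RA_RDNSS)):
        parsed = parse_router_advertisement(ra)
        print(name, parsed, "manual DNS needed:", needs_manual_dns(parsed, False))
```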
