Downloadable ACL for users only?

Hello all,
in ACS 5.4 I need customized ACL for users only.
My scenario:
There is a way to use some "Downloadable ACLs" in authorization profile but I want to define specific ACLs for some exceptions. For example: User A and user B get authorization profile "X". But user B is not allowed to access a host. This "Deny rule" I will configure with custom attributes in the internal user store.
Is that possible? How can I implement this rule?
best regards,
Stefan

Hi,
You can do this by following these steps:
1. Set a user-defined dictionary attribute under System Administration > Dictionary > Identity > Internal Users; name it what you want and make sure the value is string.
2. Create the DACL in Named Permission Objects under the policy elements section.
3. Under the user account you will now see a field for the dictionary name you called in step 1; make sure the field matches the DACL you created in step 2.
4. Create your authorization profile; under "common tasks" set Dynamic as the DACL drop-down, select Internal Users, and set the value to the attribute you created in step 1.
5. Map the authorization policy to the access policy using the conditions that will give you these results.
6. Test and you should have what you are looking for.
Thanks,
Tarik Admani
*Please rate helpful posts*

Similar Messages

  • SharePoint 2013 allows downloaded even for users with "view only" permissions

    I have a new on premises SharePoint 2013 server and assigned a single user "view only" rights to a document library. In the "permission levels" window, this permission is described as "Can view pages, list items,
    and documents. Document types with server-side file handlers can be viewed in the browser but not downloaded."
    Once I gave the user that permission, I noticed he was able to view documents in the library but the "but not downloaded" part does not seem to be working. The user can still download documents to his local desktop and SharePoint does not prevent
    it. The "download a copy" option appears and the user can use it.
    My goal is to make all documents in this library such that users can only view them in the browser and not download a local copy. How do I do that?
    Thanks for your help.

    Not entirely positive :-) 
    However, you have no server-side handlers in place today without WAC installed, so that portion of the View Only permission wouldn't be applicable.
    Note that WAC must be installed on its own server and if your SharePoint server is extranet or public facing, it needs to have a valid, public SSL certificate. Also, WAC should always be run over SSL regardless if it is public facing or not as the token
    sent between the SharePoint server and WAC is the same as having a username and password for the user making the request.
    Trevor Seward
    This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

  • iTunes 11.1 not downloading artwork for albums only on iCloud

    Since updating to 11.1 some more of my artwork seems to be missing. The get album artwork is only getting artwork for downloaded music. If I right click on an album without artwork which is not downloaded and click get album artwork nothing happens. This works fine once at least 1 song of the album has been downloaded. I'm on a mac with mountain lion if that's any help. Any ideas?

    Okay, found it.  In iTunes 11.1, in the left column, under Libraries: click on Podcasts
    Find "settings" at the bottom of the frame. The Automatically Download needs to be set to "Most Recent."  If it's set to "off" then the podcast will be available in the cloud to pull down individually. 

  • CUP user import: what XML field to use to set default ACLs for user?

    Can someone please tell me what XML tags to use within the import file (via CUP) to set the default Document and Folder ACLs respectively to Public and Protected.
    Thanks!
    Brian

    Brian,
    Did you ever figure out how to assign default ACL to a user using XML? If so, could you show me how to do it? Thanks.

  • Download speed for iTunes only 26KB

    Hi everybody, I try to download iTunes with 26KB download speed. Is this a temporary issue? My cable has a bandwidth as of 50.000 Mbit/ download.
    Thanks for quick help and answer.
    Heiko

    Your download speeds are almost entirely dependent upon your ISP. As far as I am aware, Apple does not throttle your download speeds.

  • How to provide a download help for the user

    Hi all,
    How to provide a download help for users, i.e. if I select the download radio button and
    if I place the cursor on the file path it should let the user select whatever drive and folder he needs. Can anybody help asap?
    regards
    reddy.

    Check this:
    parameters : p_file like rlgrap-filename  .
    at selection-screen on value-request for p_file.
      perform f4_on_filename using p_file .
    "&      Form  F4_ON_FILENAME
    "       text
    "      -->P_P_FILE  text
    form f4_on_filename using i_file .
      data:l_maske(100) type c, l_subrc type sy-subrc ,
           w_fileinfo   type ocs_f_info .
      data:t_fileinfo   type  table of ocs_f_info     .
      " Build the file-type mask shown in the file selection dialog
      concatenate 'Text Files (*.prn;*.txt;*.csv)'(006)
                  '|*.prn;*.txt;*.csv|'
                  into l_maske.
      call function 'OCS_FILENAME_GET'
        exporting
          pi_mask     = l_maske
        tables
          pt_fileinfo = t_fileinfo
        exceptions
          others      = 6.
      l_subrc = sy-subrc.
      if l_subrc is initial.
        " Return path and name of the first selected file
        read table t_fileinfo into w_fileinfo index 1.
        concatenate w_fileinfo-file_path w_fileinfo-file_name into i_file.
      else.
        clear i_file.
        message id sy-msgid type 'S' number sy-msgno with sy-msgv1 sy-msgv2
                                                          sy-msgv3 sy-msgv4.
      endif.
    endform.                    " F4_ON_FILENAME
    It will come on F4 help, not by placing the cursor; that is not possible. One thing you can do is disable this file name parameter when the radio button for file load is unchecked.

  • Downloadable ACL

    I'm trying to configure a downloadable ACL in ACS for my remote access VPN user.
    My concentrator is able to authenticate the user via ACS, but after getting the IP and authentication the client is not able to reach anywhere.
    I have attached the downloadable ACL configuration that I did on ACS.
    I want the remote VPN user to be able to access only the 172.28.31.171, 170 servers, nothing else,
    but the client is only able to connect and can't connect with any of the servers.

    I am able to configure the downloadable acl for remote access vpn user.
    permit ip any host 172.28.65.24
    permit ip any host 172.28.65.25
    deny ip any any
    but when i try to restrict whole network like this
    permit ip any 172.28.65.0 255.255.255.0
    permit ip any 172.28.70.0 255.255.255.0
    deny ip any any
    I am not able to get the results, even user is not able to connect.
    I have tried to do the configuration mentioned in the link, but this is for firewall and IOS, not for concentrator.
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_administration_guide_chapter09186a008015ce39.html#2006410
    Please tell me how to allow user to access particular subnet.
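Added example, not from any poster: a first-match evaluator for the `permit|deny ip ...` lines quoted in the post above, showing how the subnet lines evaluate when the mask field is read as a netmask versus as a wildcard (inverse) mask, and how line order decides a per-user deny exception like the one asked about in the opening ACS 5.4 thread. Which mask convention the concentrator applies is not stated on the page; the client address, the 192.0.2.10 host and all function names are constructed for illustration.

```python
import ipaddress

MASK32 = 0xFFFFFFFF

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def parse_ace(line):
    """Parse 'permit|deny ip <src> <dst>'; an end is 'any', 'host A' or 'A MASK'."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] not in ("permit", "deny") or tokens[1] != "ip":
        raise ValueError(f"unsupported ACL line: {line!r}")
    ends, rest = [], tokens[2:]
    while rest:
        if rest[0] == "any":
            ends.append(None)                          # matches every address
            rest = rest[1:]
        elif rest[0] == "host" and len(rest) >= 2:
            ends.append((_ip(rest[1]), None))          # exact address
            rest = rest[2:]
        elif rest[0] != "host" and len(rest) >= 2:
            ends.append((_ip(rest[0]), _ip(rest[1])))  # address + mask field
            rest = rest[2:]
        else:
            raise ValueError(f"truncated ACL line: {line!r}")
    if len(ends) != 2:
        raise ValueError(f"expected source and destination: {line!r}")
    return tokens[0], ends[0], ends[1]

def end_matches(end, ip, convention):
    if end is None:
        return True
    addr, mask = end
    if mask is None:
        return addr == ip
    # netmask: 1-bits are compared; wildcard: 1-bits are ignored
    care = mask if convention == "netmask" else ~mask & MASK32
    return (addr & care) == (ip & care)

def evaluate(acl, src, dst, convention="netmask"):
    """Return the action of the first matching line; no match is an implicit deny."""
    if convention not in ("netmask", "wildcard"):
        raise ValueError(f"unknown mask convention: {convention!r}")
    for line in acl:
        action, s, d = parse_ace(line)
        if end_matches(s, _ip(src), convention) and end_matches(d, _ip(dst), convention):
            return action
    return "deny"

# ACL lines as quoted in the post above
HOST_ACL = ["permit ip any host 172.28.65.24",
            "permit ip any host 172.28.65.25",
            "deny ip any any"]
SUBNET_ACL = ["permit ip any 172.28.65.0 255.255.255.0",
              "permit ip any 172.28.70.0 255.255.255.0",
              "deny ip any any"]
# Constructed per-user exception: deny one host, allow the rest (host is a placeholder)
USER_B_DACL = ["deny ip any host 192.0.2.10", "permit ip any any"]
CLIENT = "10.0.0.5"  # constructed VPN client address

if __name__ == "__main__":
    for conv in ("netmask", "wildcard"):
        for dst in ("172.28.65.24", "172.28.70.9", "10.1.2.0"):
            print(conv, dst, evaluate(SUBNET_ACL, CLIENT, dst, conv))
    print("exception first:", evaluate(USER_B_DACL, CLIENT, "192.0.2.10"))
    print("exception last: ", evaluate(USER_B_DACL[::-1], CLIENT, "192.0.2.10"))
```

Running the same check against the ACL text before it is pushed from ACS shows whether a line that looks like a subnet permit would match the intended servers under each mask convention.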

  • 40+ VLANs for user isolation ?

    I need to construct a wired network that achieves only two purposes:  a) Allows 40+ users to access Internet only;  b) establishes user isolation preventing any user from viewing the files of other users. There is no LAN to LAN communication. Initial thought is to use VLANs or ACLs for user isolation.  But which 24 port switches and router will support this many VLANs/ACLs?  Need to avoid Enterprise products to minimize cost.  Network does not have a server and computer MAC addresses frequently change.  Already have SLM224G smart switches, if they can be used.

    Hi
    No, nothing to be done at the RV082 level. It's sorta like having layer 2 filtering rules built in for each switch port.
    So, even at routing level at layer 3, the packets might hit the ingress port of the switch from the router, and the switch says "Oh oh, you want to go from switch port 1 host MAC address still to switch port 2's host MAC address, that's a no-no."
    PVE setup is like having 48 separate Layer 2 untagged VLANs terminating at the untagged uplink port.
    So OK, it won't take long to test... hang in there... and I'll test the functionality.
    OK here we go.
    I am using a UC520 Integrated Services Router as my layer 3  WAN router.  My WAN router, ethernet expansion port is connected to switch port  G4 of the SRW248G4P-K9-NA.  As you can see from a screen capture below, this is a POE switch, you probably don't need the POE version.
    I plugged two IP hosts into the switch,
    Host PC 1 = 192.168.10.61  in switch port e31
    Host PC 2 = 192.168.10.14  in switch port e37
    I had a third host plugged into the ISR router switch port, so this Host is on the router and not the switch.
    Host PC 3 = 192.168.10.13  on switch port 0/1/0 of UC520
    Host 3, which is outside the switch  could always ping host 1 and Host 2
    Host 1 could ping Host 2 and 3 before i enabled  protection on  switch ports 1 to 48.
    I left the four Uplink ports unprotected.
    After I protected switch ports 1-48, as you would expect;
    Host 1 could NOT  ping Host 2
    Host 2 could NOT ping Host 1
    Host 1 and Host 2 could ping Host 3 . What follows is the splash screen on my switch so you can see the active ports;
    My system was quickly configured via the GUI, but I copied the relevant section off the running config and will paste it below:
    interface range ethernet e(1-48)
    switchport protected-port
    exit
    interface vlan 1
    ipv6 enable no-autoconfig
    ipv6 address 2001:1:1:1::224/64
    exit
    interface vlan 1
    ip address 192.168.10.223 255.255.255.0
    exit
    ip default-gateway 192.168.10.1
    It stops dead the  protected ports from communicating with other protected ports in both a Layer 2 and Layer 3 environment.
    It's Saturday here in Raleigh NC, I gotta get out and pretend to do some gardening.
    regards Dave

  • Download data only for user sync in pda

    Hi,
    I have a device with two users, but when I sync with one of them, DOE downloads data for the sync user and the other user.
    How can I filter?
    In DM, I have a filter with attribute USER.
    This scenario occurs in Generic (JSP) and OCA.
    Thanks,
    Roberto

    Hi,
    In case data is already loaded in DOE (pushed or delta load) and the rule is on device user, the current behaviour is the expected one.
    Do you have two-way data objects where data is loaded from backend to DOE when the device syncs?
    If this is your scenario then you need to filter data for that syncuser even from backend to DOE.
    Means load only the data for that syncuser from BE to DOE via getlist & getdetail.
    If the getlist signature contains the user field , then in transaction
    SDOE_WB, double click on the backend adapter for this dataobject
    >edit mode
    >default values tab
    >select getlist and the field user
    >select data communication header structure from the drop down
    >map this to send_usr
    >save and activate
    This means that in case of this two-way data object, during sync when getlist is invoked, syncuser will be filled and the BAPI wrapper will return only those keys relevant for that syncuser, and only that data is loaded to DOE and in turn downloaded to the device.
    Regards,
    Liji

  • Problem with Downloadable ACLs on ACS 4.1(1) for Windows

    I'm currently able to logon to my internal network 192.168.4.0/24 but not able to get my incoming ACS downloadable ACL working. Combination:
    PIX605E 6.3(5) - ACS 4.1(1) Build 23 Patch 5.
    This is my list:
    permit ip host 192.168.4.200 any (where any can be 192.168.5.1 - 10)
    deny ip any any
    I'm still able to ping other machines in subnet 4 from source address 192.168.5.1
    I've already checked this link:
    http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&type=Subscriptions&loc=.2cd2949c/4&forum=Security&topic=Firewalling
    but in my config there is no statement:
    sysopt ipsec pl-compatible
    The only system option that I use is:
    sysopt connection permit-ipsec
    Does anyone have an idea?
    Regards, Peter

    The Downloadable IP Access Control List (ACL) feature found in Cisco Secure Access Control Server (CS ACS) for Windows versions 3.0 through 3.3.3 may allow an unauthorized user to gain network access through a Remote Access Server or Network Access Server (RAS/NAS).
    This issue has been resolved in CS ACS Version 4.0.1 as well as PIX version 6.3(5), PIX/ASA 7.0(2), Cisco IOS® Software Version 12.3(8)T4 and VPN 3000 versions 4.0.5.B and 4.1.5.B. If the ACS server is upgraded to software version 4.0.1 or later before the RAS/NAS devices are upgraded, all Downloadable IP ACL requests will be declined. However, no harm will result to Downloadable IP ACL functionality if the RAS/NAS devices are upgraded to the new software before the ACS server software is upgraded. In either case, normal RADIUS user authentication will not be affected.

  • RE: ACLs for a particular user

    Hi,
    I want to get a list of ACLs for a particular user. Can anyone tell me how
    to achieve this? I am using the RDBMS Realm Implementation.
    After user logs in, I want to present the user with a list of applications
    that the user is authorized. To do this, I need to get a list of Acls for
    this user. I tried to implement a method in the DefaultRealmExtender which
    gets all the Acls and then checks for permission "execute". This works fine
    when the jsp is displayed, but if I leave the browser for a while and then
    refresh the page, the entire weblogic shuts down. After debugging, I found
    out that it blows up when it tries to check the permission. Any help will be
    appreciated.
    Thanks,
    Gajendra Sanil

    Hi VB,
    Thanks for your response. But the applicant is still active for some of the Vacancies. I can't delete that person.
    We can do this from the applicant form. Nav: Vacancies --> Applicants --> select the rejected applicants --> In the application tab there is one field called "Reconsider Applicant". If you select the reason you will be able to consider that applicant for that same vacancy, but in the applicant tab I am not finding the reason field only for this applicant. I think this applicant performed some different step while he has withdrawn the application.
    Joshna.

  • Can I bundle flash player with a free downloadable gaming service that requires flash? Or can I download it for the user without making users step out of my product to a completely different flow?

    We have a free downloadable gaming service that requires flash player in order to operate properly.
    I am trying to figure out how I can make users who don't have flash download it, but I don't want these users to leave my service and start a different download flow in a different website (Adobe's).
    I thought about several different options but don't know what would be considered legal or legit:
    1. download flash along with my product- this means I will have to add another offer screen to my installation? if so, it will damage my conversion.
    2. downloading flash for the user without consent- probably will result with AV alerts
    3. open an iframe for users who don't have flash where I'll ask users to download flash--> that still will redirect users to adobe website to complete the process, which will damage my usage...
    any comments on the above or additional ideas?
    Thanks
    Tom

    Unfortunately, I don't think that our license currently grants the rights that you're looking for.  We do allow for the inclusion of original installers on physical media to address the situation of installation where an Internet connection is not guaranteed to be available; however, the Adobe download center serves an important role in the cost-recovery efforts for the continued development, maintenance and distribution of Flash Player, which is a tremendously expensive undertaking. I think it's unlikely that we would agree to allow the inclusion of Flash Player installers in scenarios where the host installer requires an internet connection.
    Here is a brief summary of the rights granted by this license:
    Licensee is permitted to distribute Adobe Web Players to multiple clients in a closed intranet environment.
    Licensee is permitted to distribute Adobe Web Players to multiple end-users by including the Player installers on CDs, DVDs or other physical media.
    Usage of Adobe Web Players is only permitted for supported platforms; usage rights on non-PC devices or embedded systems are not granted by this license.
    Licensee must use the installers as-is without modification.
    Licensees, at their discretion, are entitled to display the Flash Enabled and/or Shockwave logos on products or intranet sites according to the Style Guide.
    On the plus side, you don't have to worry about serving your users outdated or vulnerable Flash Player versions, and keeping those embedded copies constantly updated would be a lot of overhead.
    Chrome and Internet Explorer on Win8+ always have Flash Player built-in, so those users are generally going to be in good shape (and you shouldn't redirect them to the download anyway, because we'll just give them a message about it already being installed).  IE11 eliminates JavaScript support for conditional comments and various other methods for fingerprinting and targeting IE with IE-specific logic, so you'll want to pay attention to that experience, particularly on Win8+ (i.e. your detection logic might need to be tweaked on this config, if it's depending on isMSIE to do the correct thing... there is a lot of busted Flash detection in the world on this target at the moment...)
    For NPAPI browsers (Safari, Firefox), users are going to have to close the browser to complete the install process, so I don't think that offering the download in an iframe is going to buy you much, and would probably make it more difficult to complete the installation steps, ultimately doing more harm than good. 
    In the case of Safari, the installer re-launches Safari at the end of the installation process, and it does so without reopening all of the previously opened tabs.  I'm hoping that we won't have to live with that issue much longer, but I want to be transparent about the impact to your user experience.  Safari users are going to lose the tab with your site in it during the installation process no matter what. 
    There's also an install mechanism called Express Install, which you can invoke automatically when you detect that Flash Player is not installed, or is below the version that you require.  Off the top of my head, I don't know exactly what happens in every possible install scenario (patch update vs. feature update, by OS and browser).  I think some configs require you to restart and others like IE on Windows don't.  It's all dictated by browser limitations, which are constantly moving targets. 
    In short, we recommend that everyone use SWFObject2 for detecting Flash from JavaScript, and they make it pretty easy to invoke upgrades via ExpressInstall.
    SWFObject: Javascript Flash Player detection and embed script | deconcept

  • Where is the official download page for full version of Firefox? Old one has only stubs now.

    The old page now has stubs only, there is no full version on it:
    https://www.mozilla.org/en-US/firefox/all/
    Separate but valid question: Searching Mozilla Support on this very forum yields no answers as to where to download the full version of the program itself, around which this entire forum has been set up with all the numerous questions in it about the program... yet there is no answer on how and where to actually *GET* the full version of the program... this strongly suggests that the forum administrators went out of their way, to make it difficult to impossible for users to get the FULL VERSION of the program...
    There are many valid reasons for needing the full version of the program, don't you think it's pretty incredible that it has always been difficult to download the full version of Firefox? The old page had it buried in between the Acholi and Xhosa languages, even though English (US) is probably needed by millions of users vs. relatively few for Acholi and Xhosa... Millions of users had to go through gymnastics of finding it buried in between all the world's languages with every consecutive version, and now they completely removed it even from that page...
    What is the reason, and you have to agree there is a reason, for Mozilla preventing us from having the full installation file? And what is the reason, even when the full installation file existed on that page, for this forum to make it almost impossible to find that page when searching the forum, or the entire internet for the official full version download page?

    Last time I checked, that page did link to full installers. The format of the links for Windows was:
    https://download.mozilla''.''org/?product=firefox-'''36.0.4-SSL'''&os=win&lang=en-US
    I have bolded the part that currently says '''stub'''. Hand-crafted links in that form still work (but I have broken the link in this post with my formatting).
    I don't have personal knowledge of what's going on with the "all" download page and hope it changes back.
    As for blaming this forum for anything having to do with the "all" download page, you must be kidding. That page was always available from the main page using a link that said Systems & Languages and as the link says, it lists all the available systems and languages.

  • Jabber for windows only allows the logged-in AD user to log into his jabber account only

    Hello gang,  
    I have this strange issue with Jabber for Windows 10.5. So if you log into a PC with your Microsoft Active Directory domain account and try to log into Jabber with the same user credentials, you can log in fine. However, if you try to log into another Jabber account that is different from the AD account that you are logged into the PC with, you will not be able to log into Jabber. You will just get an error from Jabber that says that your credentials are incorrect. I actually deleted the Jabber folders in the local and roaming data folders, thinking that maybe it was caching the password, but even that did not help.
    Has anyone seen this problem before?

    I've also experienced this.  If you are logged in as a local user on the computer you can switch to any other Jabber user, but if you are logged into your computer with a domain/AD account you cannot login as a different user, only the domain user that is signed into the computer can login to Jabber.  Does anybody know of a workaround or fix?  Is this a setting that can be changed?  

  • Pages Document created on Macbook Air cannot be opened on iPad Mini. I get a message that reads, "only documents saved in pages '09 may be opened." These devices are one week old and I just downloaded Pages for each.

    I just got a Macbook Air running 10.8.2 and an iPad Mini. I downloaded Pages for both. I created a document in Pages on the MBair and tried to save it to the iPad Mini so I could work on it while commuting and the file does not show up on the mini. I have tried to save the file through iTunes app page and the message keeps telling me I can only transfer files saved in Pages 09. What gives? I can transfer files made in Microsoft Word no problem, but files made in the same program do not work. Any help?? Very frustrating.

    You are aware that Pages for Mac and Pages for iPad/iPhone/iPod are 2 different programs?
    Looks like you have Pages for Apple mobile devices but not for your Mac.
    If that's the case
    Pages for Mac: https://itunes.apple.com/au/app/pages/id409201541?mt=12
    Pages for iPad/iPhone/iPod touch: https://itunes.apple.com/au/app/pages/id361309726?mt=8
