Dynamic Access Control : Suggested Value Claim

Currently studying for my 70-417 exam, there's one thing I don't fully understand and can't find any resources that explain it.
A claim type can be created; from what I understand the "suggested values" are optional, and these can remain empty, like for example the department resource property.
But why is there a suggested value option for the department?

Hi,
When we create a new claim type, in the Suggested Values section, click No values are suggested.
But search for the department attribute in the Filter box and make sure that the department string is highlighted in the results. Add Finance and HR as suggested values.
You could refer to:
http://www.petri.com/dynamic-access-control-dac-kerberos-claim-types-resource-properties.htm
Step-by-Step: Protecting your information with Dynamic Access Control
http://blogs.technet.com/b/canitpro/archive/2013/05/07/step-by-step-protecting-your-information-with-dynamic-access-control.aspx
Regards.

Similar Messages

  • Dynamic Access Control from PowerShell

    Hi guys,
    Please, I need your help. I am working with AD Dynamic Access Control (AD DAC) and Windows PowerShell (PS). The idea is to create a menu for AD DAC in PS. Everything is OK, but I have a problem when I create a new ClaimType, because in the AD DAC Windows menu you can select an AD attribute and there is a column named "Value Type", but in my script I don't know how to get this to show in Out-GridView; I don't know what the correct property is.
    My code:
    Get-ADObject -SearchBase ((Get-ADRootDSE).SchemaNamingContext) -SearchScope 1 -Filter * -Property name, lDAPDisplayName | Out-GridView -OutputMode Single
    Sorry, but I can't put my image here.
    Thanks in advance

    Hi,
    Change the -Property parameter to a wildcard and check the output. Once you know what property you need (assuming it is actually listed), you can add it to your current list.
    As for posting screenshots, you'll need to post in the current verification thread stuck at the top of this forum here:
    https://social.technet.microsoft.com/Forums/en-US/home?forum=reportabug
    Don't retire TechNet! -
    (Don't give up yet - 13,085+ strong and growing)

  • Dynamic Tab Access Control?

    Is there a way to set up dynamic tab access control? For instance if I wanted a professor to only have Shared access to a particular tab in a course page is there a way to define the credential to indicate which tab they should have access to?
    Thanks,
    Jason

    Is there a way to set up dynamic tab access control?
    For instance if I wanted a professor to only have
    Shared access to a particular tab in a course page
    is there a way to define the credential to indicate
    which tab they should have access to?
    I haven't tried this, but I think you could create a new course template that uses the instructor and student roles, and set the access control option in that to allow an instructor shared access to a given tab. New courses based on that template would use the same permissions. I don't think there's any need to include access control information in the credential itself (as the credential is just used for authentication; iTunes U itself decides what you get to).
    Or am I missing something in your question?
    Ken

  • The 'Access-Control-Allow-Origin' header contains multiple values '*, *', but only one is allowed. Origin 'null' is therefore not allowed access.

    Hello. I added custom http response headers to my SP site web config file as follows: 
    <httpProtocol>
      <customHeaders>
        <add name="Access-Control-Allow-Methods" value="POST,GET,OPTIONS" />
        <add name="Access-Control-Allow-Origin" value="*" />
        <add name="Access-Control-Allow-Headers" value="Content-Type,Authorization" />
      </customHeaders>
    </httpProtocol>
    When I try to call any web service, I get these headers two times each:
    HTTP/1.1 200 OK
    Cache-Control: private, max-age=0
    Transfer-Encoding: chunked
    Content-Type: application/atom+xml;type=entry;charset=utf-8
    Expires: Sat, 01 Mar 2014 19:11:37 GMT
    Last-Modified: Sun, 16 Mar 2014 19:11:37 GMT
    ETag: "3"
    X-SharePointHealthScore: 0
    SPClientServiceRequestDuration: 20
    SPRequestGuid: b4e77d9c-bfc3-a050-493a-ca5d251d1a72
    request-id: b4e77d9c-bfc3-a050-493a-ca5d251d1a72
    X-FRAME-OPTIONS: SAMEORIGIN
    Persistent-Auth: true
    Access-Control-Allow-Methods: POST,GET,OPTIONS
    Access-Control-Allow-Origin: *
    Access-Control-Allow-Headers: Content-Type,Authorization
    X-AspNet-Version: 4.0.30319
    X-Powered-By: ASP.NET
    Access-Control-Allow-Methods: POST,GET,OPTIONS
    Access-Control-Allow-Origin: *
    Access-Control-Allow-Headers: Content-Type,Authorization
    MicrosoftSharePointTeamServices: 15.0.0.4569
    Date: Sun, 16 Mar 2014 19:11:37 GMT
    and that gives me an error from ajax: The 'Access-Control-Allow-Origin' header contains multiple values '*, *', but only one is allowed. Origin 'null' is therefore not allowed access.
    Any idea???

    Hi Ann,
    Please check whether there are duplicate custom headers in your code.
    Similar issue for your reference:
    http://social.msdn.microsoft.com/Forums/office/en-US/b79b75f4-b46b-46ae-ae29-17a352b6b90b/custom-http-response-headers-for-sp-2013-shown-2-times?forum=sharepointdevelopment 
    Regards,
    Rebecca Tu
    TechNet Community Support

  • How to allow multiple domains under Access-Control-Allow-Origin

    Hi,
    We have a domain where we will get CORS requests from another domain hosted on a separate DC. We can't set Access-Control-Allow-Origin as * due to security concerns & IIS can't take more than 1 value at a time. Kindly suggest how to pass multiple httpheader for Access-Control-Allow-Origin.
    Regards,
    Dhiraj

    Hello Dhiraj,
    This is not the suitable forum for your question, you may post in IIS forums for more help.
    Thanks for your understanding.
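
Added example (not part of the original threads): both Access-Control-Allow-Origin questions above come down to the browser accepting exactly one value for that header. The JavaScript below picks that single value per request from an allow-list and audits a captured header block for the duplicated headers that produce '*, *'; the origins in ALLOWED_ORIGINS, the function names and the abbreviated sample response are assumptions constructed for illustration.

```javascript
// Added example; names, origins and sample data are constructed for illustration.

// Hypothetical allow-list of trusted origins (assumption: replace with your own).
const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',
  'https://partner.example.net',
]);

// Choose the CORS response headers for one request. The browser accepts exactly
// one Access-Control-Allow-Origin value, so the server echoes the request's
// Origin header only when it is an exact match in the allow-list.
function corsHeadersFor(requestOrigin, allowCredentials = false) {
  // Vary: Origin keeps shared caches from replaying one origin's answer to another.
  const headers = { Vary: 'Origin' };
  // Exact string match only: no substring, suffix or regex tests, and the
  // literal origin "null" is never in the list.
  if (typeof requestOrigin === 'string' && ALLOWED_ORIGINS.has(requestOrigin)) {
    headers['Access-Control-Allow-Origin'] = requestOrigin;
    if (allowCredentials) headers['Access-Control-Allow-Credentials'] = 'true';
  }
  return headers;
}

// Audit a raw response header block for CORS headers emitted more than once
// (for example by both web.config and application code). Returns an object of
// lower-cased header name -> combined value as the browser sees it.
function duplicatedCorsHeaders(rawHeaders) {
  const seen = new Map();
  for (const line of rawHeaders.split(/\r?\n/)) {
    const idx = line.indexOf(':');
    if (idx <= 0) continue; // status line or blank line
    const name = line.slice(0, idx).trim().toLowerCase();
    if (!name.startsWith('access-control-')) continue;
    const value = line.slice(idx + 1).trim();
    if (!seen.has(name)) seen.set(name, []);
    seen.get(name).push(value);
  }
  const dupes = {};
  for (const [name, values] of seen) {
    if (values.length > 1) dupes[name] = values.join(', ');
  }
  return dupes;
}

// Constructed sample: an abbreviated copy of the response shape quoted in the
// thread, with each CORS header present twice.
const SAMPLE_RESPONSE = [
  'HTTP/1.1 200 OK',
  'Content-Type: application/atom+xml;type=entry;charset=utf-8',
  'Access-Control-Allow-Methods: POST,GET,OPTIONS',
  'Access-Control-Allow-Origin: *',
  'Access-Control-Allow-Headers: Content-Type,Authorization',
  'X-Powered-By: ASP.NET',
  'Access-Control-Allow-Methods: POST,GET,OPTIONS',
  'Access-Control-Allow-Origin: *',
  'Access-Control-Allow-Headers: Content-Type,Authorization',
].join('\r\n');

console.log(corsHeadersFor('https://partner.example.net'));
console.log(corsHeadersFor('https://unknown.example.org'));
console.log(duplicatedCorsHeaders(SAMPLE_RESPONSE));
```

With this approach the header is set in exactly one place (application code or a single server rule), so the static customHeaders entry for Access-Control-Allow-Origin is removed rather than kept alongside it.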

  • Role Based Access Control in Java

    Hi,
    we are designing a software solution that makes use of the Role Based Access Control pattern to control access of functions, EJBs, Servlets to certain users based on their "role".
    I have not been able to understand clearly how that pattern can be implemented in Java. In addition, I stumbled on the java.security.acl and I am wondering how the package will work together with the RBAC pattern (or is the pattern already implemented in some package)?
    Does anyone have any comments on this? Thanks
    Dave

    Hi David,
    Permissions based on GUI components is a simple & neat idea. But is it rugged? Really secure? It might fall short of Grady Booch's idea of Responsibilities of objects. Also that your Roles and Access components are coupled well with Views!!!!!!!
    My suggestion regarding the Management Beans is only to do with the dynamic modification which our discussion was going forward.
    If we go back to our fundamental objective of implementing a Role based access control, let me put some basic questions.
    We have taken the roles data from a static XML file during the start up of the container. The Roles or Access are wanted to be changed dynamically during the running of the container. You would scrutinize the changes of Roles and access before permission during the case of dynamic modification.
    Do you want this change to happen only for that particular session? Don't you want these changes to persist??? When the container is restarted, don't you want the changes to stay back?
    If the answer to the above is YES (yes, I want to persist changes), how about doing a write operation (update role/access) of the XML file and continue your operation? After all, you can get the request to a web or session bean and keep going.
    If the answer to the above is NO (no, I don't want to persist), you can still get the change role request to a web or session bean and keep going.
    Either way, there is going to be an intense scrutiny of the operator before giving her permissions!!!
    One hurdle could be that how to get all neighbouring servers know about the changes in roles and access??? An MBean or App Server API could help you in this.
    May I request all who see this direction to pour in more comments/ideas ? I would like to hear from David, duffymo, komone and jschell.
    Rajesh

  • ADF UIX Role Based Access Control Implementation

    Hi,
    Can anybody suggest a detailed example or tutorials of how to implement a role based access control for my ADF UIX application.
    The application users can be dynamically added to specific roles (admin, Secretary, Guest). Based on the roles, they should be allowed to access only certain links or ADF entity/view operations. Can this be implemented in a centralized way?
    Can this be done using JAZN or JAAS? If so, please provide me references to a simple tutorial on how to do this.
    Thanks a lot.
    Sathya

    Brenden,
    I think you are following a valid approach. The default security in J2EE and JAAS (JAZN) is to configure roles and users in either static files (jazn-data.xml) or the Oracle Internet Directory and then use either jazn admin APIs or the OID APIs to programmatically access users, groups and Permissions (your role_functions are Permissions in a JAAS context).
    If you modelled your security infrastructure in OID rather than the database, an administrator would be able to use the Delegated Administration Service (DAS), a web based console in Oracle Application Server. To configure security this way, you would have two options:
    1. Use J2EE declarative security and configure all your .do access points in web.xml and constrain it by a role name (which is a user group name in OID). The benefit of this approach is that you can get Struts actions working directly with it because Struts actions have a roles attribute.
    The disadvantage is that you can't dynamically create new roles because they have to be mapped in web.xml
    2. Use JAAS and check Permissions on individual URLs. This allows you to perform finer grained and flexible access control, but also requires changes to Struts. Unlike the approach of subclassing the DataActionForward class, I would subclass the Struts RequestProcessor and change the processRoles method to evaluate JAAS permissions.
    The disadvantage of this approach is that it requires coding that should be done carefully not to lock you in to your own implementation of Struts so that you couldn't easily upgrade to newer versions.
    1 - 2 have the benefit that the policies can be used by all applications in an enterprise that use Oracle Application Server and e.g. SSO.
    Your approach - as said - is valid and I think many customers will look for the database first when looking at implementing security (so would I).
    Two links that you might be interested in to read are:
    http://sourceforge.net/projects/jguard/ --> an open source JAAS based security framework that stores the user, roles and permissions in database tables similar to your approach
    http://www.oracle.com/technology/products/jdev/collateral/papers/10g/adfstrutsj2eesec.pdf --> a whitepaper I've written about J2EE security for Web applications written with Struts and JavaServer pages. You may not be able to use all of it, but it's a good source of information.
    Frank

  • Version-specific features of DBMS_RLS.ADD_POLICY for FINE GRAINED ACCESS CONTROL (FGAC)

    Product: ORACLE SERVER
    Date written: 2005-11-24
    Version-specific features of DBMS_RLS.ADD_POLICY for FINE GRAINED ACCESS CONTROL (FGAC)
    =======================================================================
    PURPOSE
    A brief overview of the concept and usage of FGAC, a method for row-level security
    and context management, is given in <bul 23026>.
    This document summarizes the version-specific features of the dbms_rls package for
    FGAC from 8i through 10g, and examines the STATIC_POLICY and POLICY_TYPE parameters
    in detail using examples.
    Explanation & Examples
    An example of the values typically passed when using dbms_rls.add_policy is shown below.
    Most of these use their default values, so in general only the first five parameters
    need to be given values.
    SQL> exec DBMS_RLS.ADD_POLICY ( -
    > object_schema => 'SCOTT', -
    > object_name => 'EMP', -
    > policy_name => 'POL1', -
    > function_schema => 'SYS', -
    > policy_function => 'PREDICATE', -
    > statement_types => 'SELECT', -
    > static_policy => false, -
    > policy_type => DBMS_RLS.DYNAMIC, -
    > long_predicate => false);
    1. Features of FGAC by version
    (1) sec_relevant_cols/sec_relevant_cols_opt : 10G
    In addition to the add_policy procedure parameters described above, the following
    two parameters were added in 10g.
    These parameters make the policy take effect only when the relevant columns are
    queried; usage and examples can be found in <Note 250795.1> on the
    metalink.oracle.com site.
    - sec_relevant_cols
    - sec_relevant_cols_opt
    (2) long_predicate : 10G
    The default is false; when it is set to true, the predicate can be 4000 bytes or
    longer.
    (3) statement_types : INDEX type added from 10G
    Up to 9i, FGAC could be applied to SELECT, INSERT, UPDATE and DELETE; from 10g the
    INDEX type can also be specified.
    When index is specified, creation of function-based indexes can be restricted;
    a detailed example can be found by looking up <Note 315687.1> on the
    metalink.oracle.com site.
    (4) EXEMPT ACCESS POLICY privilege : 9i
    To make a particular user unaffected by all fine-grained access control policies,
    grant the exempt access policy privilege; this was introduced in 9i.
    SQL> grant exempt access policy to scott;
    The privilege is granted in this way, and a detailed example is available in
    <Note 174799.1> on the metalink.oracle.com site.
    (5) Setting a policy on a synonym : 9.2
    It became possible to set a VPD (Virtual Private Database) policy on a synonym;
    the detailed method and examples can be found by looking up <Note 174368.1> on
    metalink.oracle.com.
    (6) static_policy : 8.1.7.4
    The static_policy parameter did not exist in 8i; it was introduced in 9i and was
    also reflected in 8.1.7.4. The default value is false, and up to 8173 it always
    behaves as false. That is, the policy function is executed every time the object
    is accessed.
    From 8.1.7.4 this parameter can be set to true; in that case the policy function
    is executed once in the session, and if the function is cached in the shared pool
    it is used as is without re-execution.
    From 10g the policy_type parameter described in (7) was added; instead of setting
    this parameter to true, leaving static_policy at false and setting policy_type to
    dbms_rls.static gives the same result as setting static_policy to true in 9i and
    8174.
    (7) policy_type: 10g
    The following 5 values are possible, of which the default is dynamic.
    - STATIC
    Used when the predicate contained in the policy function does not produce
    different results depending on the runtime environment. For example, using it
    where a different result is returned depending on sysdate can cause problems.
    When static is used, the policy function is executed once and loaded into the SGA;
    afterwards, when the same object is used in the same session, the result of that
    predicate is used as is without re-execution.
    - SHARED_STATIC
    Same as STATIC, but with this value, when the same predicate function is used for
    other objects as well, the cached predicate is looked up first and used if present.
    With STATIC, nothing is shared between different objects; the cached value is used
    only for the same object.
    - CONTEXT_SENSITIVE
    When the context changes within a session, the predicate is re-executed at that point.
    When a WAS (web application server) is used, connection pooling is normally used,
    in which case one session is used by several users in turn. In this case, if the
    middle tier sets the context, the predicate is executed anew each time the context
    changes, so that values such as the changed sysdate or session_user are recomputed.
    An example of setting the context from jdbc can be found in <Note 110604.1> on
    metalink.oracle.com.
    - SHARED_CONTEXT_SENSITIVE
    Same as context_sensitive, except that, as with shared_static, when the same
    predicate is used for several objects, it first checks whether the same predicate
    for another object is cached.
    If it exists, the result of that predicate is used as is until the session private
    application context changes.
    - DYNAMIC
    This is the default value. That is, the predicate function is assumed to be
    affected by the system or environment, so the predicate function is re-executed
    every time a statement is executed and returns a value appropriate to the environment.
    Below, the exact mechanism is confirmed through an example using a predicate that
    returns different results depending on the sysdate value.
    2. Examples of policy function behaviour by static_policy and policy_type value
    (a) STATIC_POLICY => TRUE and POLICY_TYPE => NULL
    (1) If the pol1 policy already exists, drop it as follows.
    SQL> exec DBMS_RLS.DROP_POLICY ('SCOTT', 'EMP','POL1');
    (2) Create the predicate function as the scott user as follows.
    SQL> create or replace function PREDICATE (obj_schema varchar2, obj_name varchar2)
      return varchar2 is d_predicate varchar2(2000);
    begin
      -- From 06:00 onwards, during the first five minutes of each hour,
      -- restrict rows to the one whose ename matches the session user.
      if to_char(sysdate, 'HH24') >= '06' and to_char(sysdate, 'MI') < '05' then
        d_predicate := 'ename = sys_context(''USERENV'', ''SESSION_USER'')';
      -- At any other time, return only rows with sal >= 3000.
      else d_predicate := 'sal>=3000';
      end if;
      return d_predicate;
    end predicate;
    /
    (3) Add pol1 anew.
    SQL> exec DBMS_RLS.ADD_POLICY ( -
    object_schema => 'SCOTT', -
    object_name => 'EMP', -
    policy_name => 'POL1', -
    function_schema => 'SCOTT', -
    policy_function => 'PREDICATE', -
    statement_types => 'SELECT', -
    static_policy => TRUE, -
    policy_type => NULL);
    (4) Query scott.emp as the adams user.
    Note that the select privilege on scott.emp must be granted to king as follows.
    SQL>grant select on emp to king;
    SQL>!date
    Thu Nov 24 14:01:13 EST 2005
    SQL> connect king/king
    SQL> select * from scott.emp;
    EMPNO ENAME JOB MGR HIREDATE SAL COMM
    DEPTNO
    7839 KING PRESIDENT 17-NOV-81 5000
    10
    Even after 5 minutes have passed and the if condition of the predicate function is
    no longer satisfied, the king user gets the same values returned for the emp table.
    SQL>!date
    Thu Nov 24 14:10:13 EST 2005
    SQL> connect king/king
    SQL> select * from scott.emp;
    EMPNO ENAME JOB MGR HIREDATE SAL COMM
    DEPTNO
    7839 KING PRESIDENT 17-NOV-81 5000
    10
    (b) STATIC_POLICY => FALSE and POLICY_TYPE => DBMS_RLS.DYNAMIC
    (1) Drop the existing policy as follows.
    SQL> exec DBMS_RLS.DROP_POLICY ('SCOTT', 'EMP','POL1');
    (2) Add pol1 anew, this time changing static_policy and policy_type as follows.
    SQL> exec DBMS_RLS.ADD_POLICY ( -
    object_schema => 'SCOTT', -
    object_name => 'EMP', -
    policy_name => 'POL1', -
    function_schema => 'SCOTT', -
    policy_function => 'PREDICATE', -
    statement_types => 'SELECT', -
    static_policy => false, -
    policy_type => dbms_rls.dynamic);
    (3) Query as the king user.
    The predicate function is the one created in 2-(a) above, used as is.
    That is, if (a) has not been run, step (a)-(2) must be run before querying.
    SQL>!date
    Thu Nov 24 15:01:13 EST 2005
    SQL> connect king/king
    SQL> select * from scott.emp;
    EMPNO ENAME JOB MGR HIREDATE SAL COMM
    DEPTNO
    7839 KING PRESIDENT 17-NOV-81 5000
    10
    After 5 minutes have passed, run the query once more as the king user.
    SQL>!date
    Thu Nov 24 15:10:13 EST 2005
    SQL> select * from scott.emp;
    EMPNO ENAME JOB MGR HIREDATE SAL COMM
    DEPTNO
    7788 SCOTT ANALYST 7566 19-APR-87 3000
    20
    7839 KING PRESIDENT 17-NOV-81 5000
    10
    7902 FORD ANALYST 7566 03-DEC-81 3000
    20
    RELATED DOCUMENTS
    <Note 281970.1> 10g Enhancement on STATIC_POLICY with POLICY_TYPE Behaviors
    in DBMS_RLS.ADD_POLICY Procedure
    <Note 281829.1> Evolution of Fine Grain Access Control FGAC Feature From 8i
    to 10g

    First, you could use default column values, not a trigger, which is more expensive.
    If your apps already assume full access to the table to get the max id (another RT), this is bad. Current RLS cannot really help if you cannot change the apps because of this flawed logic (you can store the maxid anywhere; why scan the whole table to find it?).

  • Dynamic action with set value on date field

    Hi,
    I'm using APEX 4.02
    I'm trying to calculate the age based on the date of birth dynamically on a form. I'm trying to do this with a (advanced)dynamic action with set value.
    I'm able to get this kind of action working based on a number field etc, but NEVER on a date field.
    I've read all posts on this subject but so far no solution. Even if I try to simply copy the value over to another date field or typecast it to a string ( to_char function ) it does not work. So for me the problem seems to be in the source field being a date field.
    I've tried using the source value as is in a select statement :
    select :P33_GEBOORTEDATUM from dual;
    and also type casted based on the date format :
    select TO_DATE(:P33_GEBOORTEDATUM,'DD-MON-YYYY') from dual
    but still no luck.
    On the same form I don't have any issues as long as the calculation is based on number fields, but as soon as I start using dates all goes wrong.
    Any suggestions would be greatly appreciated. If you need any extra info just let me know.
    Cheers
    Bas
    b.t.w My application default date format is DD-MON-YYYY, maybe this has something to do with the issue .... ?
    Edited by: user3338841 on 3-apr-2011 7:33

    Hi,
    Create a dynamic action named "set age" with following values.
    Event: Change
    Selection Type: Item(s)
    Item(s): P1_DATE_OF_BIRTH
    Action: Set value
    Fire on page load: TRUE
    Set Type: PL/SQL Expression
    PL/SQL Expression: ROUND( (SYSDATE - :P1_DATE_OF_BIRTH)/365.24,0)
    Page items to submit: P1_DATE_OF_BIRTH
    Selection Type: Item(s)
    Item(s): P1_AGE
    Regards,
    Kartik Patel
    http://patelkartik.blogspot.com/
    http://apex.oracle.com/pls/apex/f?p=9904351712:1

  • After trying to set up access control, my Airport Utility is no longer able to find my Base Station.  My PC still sees my wireless network but I can't connect to it.

    A friend told me he was able to access my network from a different device with no password so I decided to set up an access control.  Following the prompts, I entered my IP address, and then my Airport stopped working.  I tried uninstalling it and reinstalling it, but got the same thing.  The screen I get is that "Airport Utility was unable to find any Airport wireless devices", and asks me if I want to rescan.  When I rescan I get the same message.  My Airport light is green and my PC recognizes the network, my software just can't connect to it.  A friend suggested I entered the wrong IP address (which I found on my computer under "connections"), but even after I tried a different one which is supposed to be from the network, I still get the same error message.  What am I doing wrong?

    A friend told me he was able to access my network from a different device with no password so I decided to set up an access control.
    This could be bullsh!t on your friend's part perhaps? Do you ever recall seeing a blue-light on the base station?
    Following the prompts, I entered my IP address, and then my Airport stopped working.
    The access control list is where you put in your Mac Address, this is not the same thing as an IP.

  • Issue while enabling Access Control for a Coherence server node

    Hi
    I'm trying to enable access control for a Coherence server node, using the default Keystore login method shipped with Coherence. When I start the server I get the error "java.security.AccessControlException: Unsufficient rights to perform the operation". Please see below for the sequence of steps I've followed to enable access control. I just need to enable Authentication (not authorization) at this stage.
    1. I have added the following entry in the Coherence Operational override file
    <security-config>
              <enabled system-property="tangosol.coherence.security">true</enabled>
              <login-module-name>Coherence</login-module-name>
              <access-controller>
                   <class-name>com.tangosol.net.security.DefaultController</class-name>
                   <init-params>
                        <init-param id="1">
                             <param-type>java.io.File</param-type>
                             <param-value>keystore.jks</param-value>
                        </init-param>
                        <init-param id="2">
                             <param-type>java.io.File</param-type>
                             <param-value>permissions.xml</param-value>
                        </init-param>
                   </init-params>
              </access-controller>
              <callback-handler>
                   <class-name>com.sun.security.auth.callback.TextCallbackHandler</class-name>
              </callback-handler>
         </security-config>
    2. The following is the entry in the Permissions.xml
    <?xml version='1.0'?>
    <permissions>
    <grant>
    <principal>
    <class>javax.security.auth.x500.X500Principal</class>
    <name>CN=admin,OU=Coherence,O=Oracle,C=US</name>
    </principal>
    <permission>
    <target>*</target>
    <action>all</action>
    </permission>
    </grant>
    </permissions>
    3. The following is the content of the Login configuration file "Coherence_Login.conf"
    Coherence {
        com.tangosol.security.KeystoreLogin required
        keyStorePath="keystore.jks";
    };
    4. The following is the command line tag for starting the server
    java -server -showversion -Djava.security.auth.login.config=Coherence_Login.conf -Xms%memory% -Xmx%memory% -Dtangosol.coherence.cacheconfig=PROXY-cache-config.xml -Dtangosol.coherence.override=FOL-coherence-override.xml -Dcom.sun.management.jmxremote.port=6789 -Dcom.sun.management.jmxremote.authenticate=false -Dtangosol.coherence.security=true -cp "%coherence_home%\lib\coherence.jar" com.tangosol.net.DefaultCacheServer %1
    Following is the output on the Console when running the command. It asks for a username and password for the JKS store (if I provide the wrong password, it gives a different error, which shows that it is able to authenticate against the Keystore). After I put in the password, it throws the error as shown below: "java.security.AccessControlException: Unsufficient rights to perform the operation"
    D:\Coherence\FOL_CacheServer>fol-cache-server
    java version "1.6.0_20"
    Java(TM) SE Runtime Environment (build 1.6.0_20-b02)
    Java HotSpot(TM) 64-Bit Server VM (build 16.3-b01, mixed mode)
    Username:admin
    Password:
    Exception in thread "main" java.security.AccessControlException: Unsufficient rights to perform the operation
    at com.tangosol.net.security.DefaultController.checkPermission(DefaultController.java:153)
    at com.tangosol.coherence.component.net.security.Standard.checkPermission(Standard.CDB:32)
    at com.tangosol.coherence.component.net.Security.checkPermission(Security.CDB:11)
    at com.tangosol.coherence.component.util.SafeCluster.ensureService(SafeCluster.CDB:6)
    at com.tangosol.coherence.component.net.management.Connector.startService(Connector.CDB:20)
    at com.tangosol.coherence.component.net.management.gateway.Remote.registerLocalModel(Remote.CDB:10)
    at com.tangosol.coherence.component.net.management.gateway.Local.registerLocalModel(Local.CDB:10)
    at com.tangosol.coherence.component.net.management.Gateway.register(Gateway.CDB:6)
    at com.tangosol.coherence.component.util.SafeCluster.ensureRunningCluster(SafeCluster.CDB:46)
    at com.tangosol.coherence.component.util.SafeCluster.start(SafeCluster.CDB:2)
    at com.tangosol.net.CacheFactory.ensureCluster(CacheFactory.java:998)
    at com.tangosol.net.DefaultConfigurableCacheFactory.ensureServiceInternal(DefaultConfigurableCacheFactory.java:923)
    at com.tangosol.net.DefaultConfigurableCacheFactory.ensureService(DefaultConfigurableCacheFactory.java:892)
    at com.tangosol.net.DefaultCacheServer.startServices(DefaultCacheServer.java:81)
    at com.tangosol.net.DefaultCacheServer.intialStartServices(DefaultCacheServer.java:250)
    at com.tangosol.net.DefaultCacheServer.startAndMonitor(DefaultCacheServer.java:55)
    at com.tangosol.net.DefaultCacheServer.main(DefaultCacheServer.java:197)

    Did you create the weblogic domain with the Oracle Webcenter Spaces option selected? This should install the relevant libraries into the domain that you will need to deploy your application. My experience is based off WC 11.1.1.0. If you haven't, you can extend your domain by re-running the Domain Config Wizard again (WLS_HOME/common/bin/config.sh)
    Cappa

  • Access control exception only on Linux/Debian not on Windows!?

    We have a rmi server application with a webstart rmi swing client that we have been running successfully on Windows. The client is downloaded and running without any problems on Windows platforms (W2003, Win2K, WinXP). The client webstart jar is signed and all permissions is set in the jnlp file.
    As soon as we set up a server on linux/debian sarge we get these access control exceptions when the server tries to send events back to the client. It complains about file permissions not being set on the server jar file, and the strange thing is that the path separator is a backslash on linux?
    I've tried the following:
    1) java.policy. Added All permissions to the server jar file and/or the bin folder.
    2) Running without any security manager, i.e., System.setSecurityManager(null)
    3) Explicitly setting the policy on the server. Policy.setPolicy(...)
    4) Explicitly setting a policy on the client. URL policyUrl = Thread.currentThread().getContextClassLoader().getResource("server.policy");
    5) Building the server and client on debian
    I'm at my wits' end... I've searched these forums and it seems that this might be a common problem but I've not found a solution yet.
    Our system works 100% on Windows without any problems, it's only on linux/debian that we get these access control problems.
    2005-sep-19 09:39:19 se.xxx.xxx.admin.AdminManager change
    ERROR: java.security.AccessControlException: access denied (java.io.FilePermission \\usr\local\XXX\bin\server.jar read)
    java.security.AccessControlContext.checkPermission(Unknown Source)
    java.security.AccessController.checkPermission(Unknown Source)
    java.lang.SecurityManager.checkPermission(Unknown Source)
    java.lang.SecurityManager.checkRead(Unknown Source)
    java.io.File.exists(Unknown Source)
    sun.net.www.protocol.file.Handler.openConnection(Unknown Source)
    sun.net.www.protocol.file.Handler.openConnection(Unknown Source)
    java.net.URL.openConnection(Unknown Source)
    sun.rmi.server.LoaderHandler.addPermissionsForURLs(Unknown Source)
    sun.rmi.server.LoaderHandler.access$300(Unknown Source)
    sun.rmi.server.LoaderHandler$Loader.<init>(Unknown Source)
    sun.rmi.server.LoaderHandler$Loader.<init>(Unknown Source)
    sun.rmi.server.LoaderHandler$1.run(Unknown Source)
    java.security.AccessController.doPrivileged(Native Method)
    sun.rmi.server.LoaderHandler.lookupLoader(Unknown Source)
    sun.rmi.server.LoaderHandler.loadClass(Unknown Source)
    sun.rmi.server.LoaderHandler.loadClass(Unknown Source)
    java.rmi.server.RMIClassLoader$2.loadClass(Unknown Source)
    java.rmi.server.RMIClassLoader.loadClass(Unknown Source)
    sun.rmi.server.MarshalInputStream.resolveClass(Unknown Source)
    java.io.ObjectInputStream.readNonProxyDesc(Unknown Source)
    java.io.ObjectInputStream.readClassDesc(Unknown Source)
    java.io.ObjectInputStream.readOrdinaryObject(Unknown Source)
    java.io.ObjectInputStream.readObject0(Unknown Source)
    java.io.ObjectInputStream.readObject(Unknown Source)
    sun.rmi.server.UnicastRef.unmarshalValue(Unknown Source)
    sun.rmi.server.UnicastServerRef.dispatch(Unknown Source)
    sun.rmi.transport.Transport$1.run(Unknown Source)
    java.security.AccessController.doPrivileged(Native Method)
    sun.rmi.transport.Transport.serviceCall(Unknown Source)
    sun.rmi.transport.tcp.TCPTransport.handleMessages(Unknown Source)
    sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(Unknown Source)
    java.lang.Thread.run(Unknown Source)
    sun.rmi.transport.StreamRemoteCall.exceptionReceivedFromServer(Unknown Source)
    sun.rmi.transport.StreamRemoteCall.executeCall(Unknown Source)
    sun.rmi.server.UnicastRef.invoke(Unknown Source)
    se.xxx.xxx.client.XXXApplication_Stub.notify(Unknown Source)
    )

    I have two suggestions. The first is that you didn't indicate the permissions of the file and the directories above it along with the user you're running the program as. In Unix it is easier to get an access issue as you're probably not running as root. In a traditional Windows environment everything runs with admin permission allowing access to anything. While the error comes from the security manager it has nothing to do with traditional J2SE security - it may be an O/S level thing.
    But the second suggestion touches on the other question you have - why is this showing up as backslashes? Is there perhaps an issue with the JNLP file? Is there any code that should be using System.getProperty( "file.separator") and is instead just using the backslash?

  • What is better for security?  WPA2 or Access control

    I have an Airport Express and 2 computers: a Mac and a PC.
    When it comes to securing your wi-fi connection so you don't get unauthorized clients on your network,
    what is better:
    A- Just using encryption like WPA2 or some other password based system or
    B- Just entering the "Airport ID" (MAC) of the computers I want to authorize in my network on the Access control panel.
    Seems to me like the latter is easier on the clients since they don't need a password or anything. It's completely transparent for the client. And I believe encryption slows down the connection a bit and creates overhead for the computer. But maybe I don't have the full picture of the situation.
    Is there anybody who can illuminate this subject for me?
    thanks
    PowerBookG4 Mac OS X (10.3.9)

    WPA2 is virtually uncrackable; it is only really vulnerable if you use a real word as a password.
    When using access control, MAC addresses are sent unencrypted, can be read and spoofed, and therefore do not add any security.
    Unfortunately "Closed" networks, MAC access control lists, and reduction in transmission power are all more "feel good" security rather than real security. All these various approaches are dated and mistakenly lead to overconfidence.
    WPA is your friend if you value wireless security.
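The answer's point that MAC addresses travel unencrypted, shown as an added example that is not part of the original thread: a parser for the 802.11 data-frame header, which stays in cleartext even when the Protected bit says the payload is encrypted. The frame bytes, the locally administered addresses and the helper names are constructed for illustration.

```python
# Added illustration: constructed frame, hypothetical helper names.

def fmt_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def parse_data_header(frame: bytes) -> dict:
    """Read the MAC header of an 802.11 data frame; WPA2 does not encrypt it."""
    if len(frame) < 24:
        raise ValueError("shorter than the 24-byte 802.11 MAC header")
    fc0, fc1 = frame[0], frame[1]            # Frame Control, two bytes
    if (fc0 >> 2) & 0x3 != 2:
        raise ValueError("not a data frame")
    to_ds, from_ds = bool(fc1 & 0x01), bool(fc1 & 0x02)
    header_len = 24
    if to_ds and from_ds:
        header_len += 6                      # Address 4 (wireless bridge links)
    if (fc0 >> 4) & 0x8:
        header_len += 2                      # QoS Control on QoS data subtypes
    if len(frame) < header_len:
        raise ValueError("truncated header")
    return {
        "protected": bool(fc1 & 0x40),       # payload is encrypted (e.g. CCMP)
        "receiver": fmt_mac(frame[4:10]),    # Address 1
        "transmitter": fmt_mac(frame[10:16]),  # Address 2
        "header_len": header_len,
        "body": frame[header_len:],          # CCMP header + ciphertext
    }

def acl_allows(frame: bytes, allowlist: set) -> bool:
    """MAC access control: the decision rests only on a cleartext header field."""
    return parse_data_header(frame)["transmitter"] in allowlist

# Constructed sample: data frame, ToDS + Protected, client -> access point.
SAMPLE_FRAME = (
    bytes.fromhex("0841" "2c00")             # Frame Control, Duration
    + bytes.fromhex("020000000001")          # Address 1: access point
    + bytes.fromhex("0200000000aa")          # Address 2: client
    + bytes.fromhex("020000000001")          # Address 3
    + bytes.fromhex("1000")                  # Sequence Control
    + bytes.fromhex("0100002000000000")      # CCMP header (packet number, key id)
    + bytes(range(16))                       # placeholder standing in for ciphertext
)

if __name__ == "__main__":
    info = parse_data_header(SAMPLE_FRAME)
    print("protected:", info["protected"], "| transmitter:", info["transmitter"])
    print("ACL decision:", acl_allows(SAMPLE_FRAME, {"02:00:00:00:00:aa"}))
```

The encryption covers only what follows the header, so the access-control list and WPA2 protect different things: the list checks a field anyone in radio range can read, while WPA2 requires knowledge of the key.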

  • ESYU: R12 - How to Set Up Multi Org Access Control (MOAC) for Order Management

    Purpose
    Oracle Order Management - Version: 12.0 to 12.0
    Information in this document applies to any platform.
    This document describes how to set up Multi Org Access Control (MOAC) for Order Management in R12.
    Solution
    General MOAC setup:
    1. Define a Security Profile in HRMS:
    a. Select the HRMS Management responsibility
    b. Navigate to HRMS Manager> Security> Profile
    c. Check whether a Security Profile is defined (for the OM responsibility or at Site level)
    d. If it has not been set up yet, enter the Operating Units
    e. Save
    Note: If you created a new security profile as in step d above, you must run the concurrent program 'Security List Maintenance'.
    Otherwise, the multiple operating units will not appear in the LOV of the OM forms.
    This program populates the tables that are used to validate multi-org access.
    Navigation: HRMS Management> HRMS Manager> Processes & Reports> Submit Process & Report> Security List Maintenance
    2. Set up the MO profile options:
    a. MO: Security Profile - This profile setting enables the MOAC functionality.
    b. MO: Default Operating Unit - This Operating Unit becomes the default in OM forms and reports; you can use the LOV to clear or change it.
    Keep the MO profiles in sync:
    MO: Security Profile can be set at the site and responsibility levels.
    MO: Default Operating Unit can be set at the site, responsibility, and user levels.
    If the application does not behave as expected, check the values of these profile options.
    3. OM setup:
    Check the new OM System Parameters that were migrated from OM profiles during the R12 upgrade:
    Order Management Super User> Setup> System Parameters> Values
    (See <<NOTE 393646.1>>-R12 Readiness Cheat Sheet: Migrated OM Profile Options)
    4. Enable the hidden field 'Operating Unit' in the forms and save it as the default folder:
    Sales Order and Order Organizer forms
    Quick Sales order and Organizer forms
    Sales Agreement forms
    Pricing and Availability form
    Other forms
    Note: Before you 'Show' the hidden field 'Operating Unit' in the Sales Order form, you must make room for this field in the form.
    For example, you can shorten the Customer Number field, or overlay that field with the Operating Unit field.
    Reference
    Note 393634.1

    Hi Larry,
    Have you considered adding the exec apps.mo_global.set_policy_context call to your connection's start-up script?
    Tools -> Preferences -> Database -> Filename for connection startup script
    Not the most flexible approach, so I'm not sure if it is appropriate for your application, but just a thought. You might create distinct connection names with different start-up scripts for each org_id.
    Regards,
    Gary
    SQL Developer Team

  • Problems using access control in sender agreement for SOAP adapter 7.1

    I am trying to use Access Control Lists to restrict user access to web services/interfaces which are exposed via PI. This can be configured via the Integration Builder Directory using the "Assigned Users" tab of both Communication Components (Business System) and Sender Agreements.
    The configuration is via the above mentioned components. However, I understand that it's the adapters which at runtime are responsible for actually applying these checks.
    I have been having problems getting the access control to work using a setup involving a SOAP adapter of type SAP BASIS 7.10.
    The symptom of the problem is that although the access control works as expected at the Business System level, any settings at the Sender Agreement level appear to have absolutely no effect whatsoever.
    I have confirmed that I have no problems if I use an adapter of type SAP BASIS 7.00. However, I really need to get this working on 7.1.
    I have looked on the SAP support portal but can not find any notes that relate to this.
    Has anyone else had a similar problem? And have you found a fix for it?
    Any suggestions would be welcome.
    Edited by: Malcolm Dingle on Jun 17, 2009 1:08 PM

    Hi Shai,
    Please have a look at the following link and see if it helps you .
    It deals with SOAP adapter installation and activation 
    Re: SOAP adapter installation and activation
    Best Regards
    Edited by: Prakash Bhatia on May 8, 2009 11:51 AM
