Dynamic Access Policy ACL Logging

We use dynamic access policies with network ACLs to restrict specific users' access to what they need over the VPN. The ACLs get applied to the users as they should, for the most part working as they should. I am in the process of troubleshooting an ACL now that is tied to a DAP, and I can't find any way of logging the drops (or allows) from the ACL being used for DAP.

When you go to dynamic access policies in ASDM, is your NoVPN ACL at the top of the list (highest ACL priority)?  These get processed in order, and if your user is in both groups the first will be taken and the rest ignored.
Also, is your default policy at the bottom of this list deny access?
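Added example, not from this thread: on the ASA, an ACE that carries the log keyword reports each permit or deny it makes as syslog message 106100, which names the ACL, the action, the flow and a hit count. That is one place the drops and allows of the ACL attached to a DAP record can be read from. The Python below parses constructed 106100 lines (the ACL names, interfaces and addresses are invented for the sample) and tallies them per ACL and per denied flow, so the DAP ACL's behaviour can be checked from the syslog feed rather than from the session monitor.

```python
import re
from collections import Counter, defaultdict

# Shape of ASA syslog 106100 (emitted by an ACE with the "log" keyword):
#   %ASA-6-106100: access-list <acl> <permitted|denied> <proto>
#       <in_if>/<src>(<sport>) -> <out_if>/<dst>(<dport>) hit-cnt <n> (first hit | N-second interval) [hashes]
ACL_LOG_RE = re.compile(
    r"%ASA-\d-106100: access-list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\S+) "
    r"(?P<src_if>[^/]+)/(?P<src>[^(]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst_if>[^/]+)/(?P<dst>[^(]+)\((?P<dport>\d+)\) hit-cnt (?P<hits>\d+)"
)


def parse_acl_log(line):
    """Return the fields of one 106100 line as a dict, or None for any other message."""
    m = ACL_LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["hits"] = int(rec["hits"])
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def summarize(lines, acl_name=None):
    """Tally permitted/denied hits per ACL, plus a per-flow count of denies.

    acl_name restricts the tally to one ACL, e.g. the one a DAP record applies.
    Returns (per_acl, denied_flows) where per_acl maps ACL name -> {action: hits}
    and denied_flows maps (src, dst, proto, dport) -> hits.
    """
    per_acl = defaultdict(Counter)
    denied_flows = Counter()
    for line in lines:
        rec = parse_acl_log(line)
        if rec is None or (acl_name and rec["acl"] != acl_name):
            continue
        per_acl[rec["acl"]][rec["action"]] += rec["hits"]
        if rec["action"] == "denied":
            denied_flows[(rec["src"], rec["dst"], rec["proto"], rec["dport"])] += rec["hits"]
    return {acl: dict(c) for acl, c in per_acl.items()}, denied_flows


# Constructed sample: three hits on a DAP ACL, one on another ACL, and one
# unrelated connection message that the parser must skip.
SAMPLE_SYSLOG = [
    "%ASA-6-106100: access-list DAP-Contractors permitted tcp outside/192.0.2.10(51234) -> inside/10.0.5.20(443) hit-cnt 1 first hit [0x1a2b3c4d, 0x0]",
    "%ASA-6-106100: access-list DAP-Contractors denied tcp outside/192.0.2.10(51240) -> inside/10.0.9.7(22) hit-cnt 3 300-second interval [0x1a2b3c4e, 0x0]",
    "%ASA-6-106100: access-list DAP-Contractors denied tcp outside/192.0.2.10(51241) -> inside/10.0.9.7(22) hit-cnt 1 first hit [0x1a2b3c4f, 0x0]",
    "%ASA-6-106100: access-list OTHER-ACL permitted udp outside/192.0.2.11(5000) -> inside/10.0.1.1(53) hit-cnt 2 300-second interval [0x1a2b3c50, 0x0]",
    "%ASA-6-302013: Built inbound TCP connection 12345 for outside:192.0.2.10/51234 (192.0.2.10/51234) to inside:10.0.5.20/443 (10.0.5.20/443)",
]

if __name__ == "__main__":
    per_acl, denied = summarize(SAMPLE_SYSLOG, acl_name="DAP-Contractors")
    print(per_acl)
    for flow, hits in denied.most_common():
        print("denied", flow, "x", hits)
```

Pointing a syslog collector at the ASA and filtering on the DAP ACL name gives a running view of what the policy actually drops for a given user session, which is the information the session monitor does not show.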

Similar Messages

  • Dynamic access policy ACL not being applied to user

    Hi all
    I have just configured my ASA for SSL VPN.
    I have created a dynamic access policy with an ACL in it.
    The user connects fine, and I can see in the logs that the DAP policy has been applied to the user.
    However, when I click on monitoring, it says no ACL is applied to this session, and the client cannot get anywhere.
    Why would this be?
    cheers
    Carl

    When you go to dynamic access policies in ASDM, is your NoVPN ACL at the top of the list (highest ACL priority)?  These get processed in order, and if your user is in both groups the first will be taken and the rest ignored.
    Also, is your default policy at the bottom of this list deny access?

  • Dynamic Access Policy Customization for Antivirus issues??

    I am trying to configure it so that when an employee logs in, it scans to verify first that antivirus is installed (in our case Sophos), that it is running, and that it has been updated DAT-file-wise within the last 10 days; if not, go to our server for the update before allowing them to log on. If Sophos is not detectable, then a message would be given to the user that "Sophos AV cannot be detected, please make sure it is installed and running; if you need help please contact the Help Desk".
    If I set this up, VPN stops working; also, when Sophos is not running it goes to the default message that the user is not part of the correct AD group even though they are.
    Help... getting frustrated...
    JJ

    You can run the following two debug commands to see what is happening during the DAP processing:
    debug dap trace
    debug dap errors

  • LDAP (OpenLDAP) authorization with DAP (dynamic access policy)

    Hello,
    We have an ASA 5520 and we are trying to do LDAP (OpenLDAP) authorization with DAP (Dynamic Access Policy). We have a problem with the logical expression. We need more examples of logical expressions, and we need to know how to debug a logical expression. We tried to use debug dap trace and debug dap errors, but we need more debug information.

    Hi
    I guess you are using an LDAP attribute map to map the AD group to a group policy. This does not work as you may expect when the user is part of multiple groups, i.e. the user will always be mapped to the same group (first or last in the list, not sure).
    Possible solution: remove the LDAP attribute map, and configure DAP rules that check the ldap.memberOf attribute instead.
    HTH
    Herbert
    Sent from Cisco Technical Support iPad App - sorry for the brief explanation; if you need more details let me know.
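Added example, not part of the thread: a small Python model of the two points made in the replies on this page, record order and the default policy at the bottom of the DAP list (first reply), and the difference between an LDAP attribute map and a DAP rule when memberOf is multi-valued (Herbert's reply). The group DNs, record names, ACL names and users are constructed; DfltAccessPolicy is the ASA's default record name. The attribute-map model takes the first memberOf value that maps, which is an assumption (the reply says first or last), and how several matched records are combined beyond priority order is simplified.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class DapRecord:
    name: str
    priority: int
    # Group DNs, any one of which makes the record match. Each is checked against
    # every value of the session's memberOf attribute, not only the first one.
    member_of_any: Tuple[str, ...] = ()
    action: str = "continue"          # "continue" or "terminate"
    network_acl: Optional[str] = None


def attribute_map_group(member_of, dn_to_group_policy):
    """Model of an LDAP attribute map (memberOf -> group-policy).

    A map yields one group-policy per session, so with a multi-valued memberOf
    only one value can win. Assumption: the first value that maps is taken.
    """
    for dn in member_of:
        if dn in dn_to_group_policy:
            return dn_to_group_policy[dn]
    return None


def matching_records(records, member_of, default):
    """Evaluate records in priority order (highest first) against all memberOf
    values; when none match, the default record at the bottom of the list applies."""
    ordered = sorted(records, key=lambda r: -r.priority)
    hits = [r for r in ordered if any(dn in member_of for dn in r.member_of_any)]
    return hits or [default]


def session_decision(records, member_of, default):
    """Terminate wins if any selected record says so; otherwise collect the
    network ACLs of the selected records in priority order."""
    hits = matching_records(records, member_of, default)
    if any(r.action == "terminate" for r in hits):
        return ("denied", [r.name for r in hits])
    return ("allowed", [r.network_acl for r in hits if r.network_acl])


# Constructed directory data: group DNs and two users' memberOf values, in the
# order the directory returned them.
VPN_ADMINS = "CN=VPN-Admins,OU=Groups,DC=example,DC=com"
VPN_USERS = "CN=VPN-Users,OU=Groups,DC=example,DC=com"
ALL_STAFF = "CN=All-Staff,OU=Groups,DC=example,DC=com"

RECORDS = [
    DapRecord("Admins", priority=20, member_of_any=(VPN_ADMINS,), network_acl="DAP-Admins"),
    DapRecord("Users", priority=10, member_of_any=(VPN_USERS,), network_acl="DAP-Users"),
]
DEFAULT_RECORD = DapRecord("DfltAccessPolicy", priority=0, action="terminate")
ATTRIBUTE_MAP = {VPN_ADMINS: "GP-Admins", VPN_USERS: "GP-Users"}

ALICE = [ALL_STAFF, VPN_USERS, VPN_ADMINS]   # member of both VPN groups
BOB = [ALL_STAFF]                            # member of neither

if __name__ == "__main__":
    # The map sees VPN_USERS first and never considers the admin group.
    print(attribute_map_group(ALICE, ATTRIBUTE_MAP))
    # The DAP rules see every memberOf value, so both records match, admins first.
    print(session_decision(RECORDS, ALICE, DEFAULT_RECORD))
    # No record matches Bob, so the terminate default at the bottom applies.
    print(session_decision(RECORDS, BOB, DEFAULT_RECORD))
```

The model makes the failure modes on this page visible: a user who is in the right group but lands on the wrong policy because another of their groups was mapped first, and a user who matches no record and is dropped by the default record.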

  • Access policy Issue

    Hi all,
    I am trying to add an EBS responsibility automatically when creating a new user in OIM.
    I created the rules, group and access policy needed. In the access policy I selected EBS responsibility as the resource to provision.
    To test the new access policy I created a new user in OIM. The status of the resource is in ready state.
    Any suggestions on why this is happening?
    Thanks,

    This is the error in the log file.
    ERROR,09 Aug 2010 22:33:32,832,[XELLERATE.APIS],Class/Method: tcFormInstanceOperationsBean/getObjectFormVersion encounter some problems: A version of form for object instance with key '50133' does not exist.
    ERROR,09 Aug 2010 22:33:32,849,[XELLERATE.APIS],Class/Method: tcFormInstanceOperationsBean/getObjectFormDataData encounter some problems: Error occurred while getting form data for object instance with key '50133'.
    ERROR,09 Aug 2010 22:33:32,849,[XELLERATE.APIS],Class/Method: tcFormInstanceOperationsBean/getObjectFormDataData encounter some problems: com.thortech.xl.dataaccess.tcDataSetException: Cannot convert 'EBSHF-APPS12' to a long: For input string: "EBSHF-APPS12"
    com.thortech.xl.dataaccess.tcDataSetException: com.thortech.xl.dataaccess.tcDataSetException: Cannot convert 'EBSHF-APPS12' to a long: For input string: "EBSHF-APPS12"
         at com.thortech.xl.dataaccess.tcDataSet.setString(Unknown Source)
         at com.thortech.xl.dataobj.tcDataSet.setString(Unknown Source)
         at com.thortech.xl.dataaccess.tcDataSet.setString(Unknown Source)
         at com.thortech.xl.ejb.beansimpl.tcFormInstanceOperationsBean.getObjectFormDataData(Unknown Source)
         at com.thortech.xl.ejb.beansimpl.tcFormInstanceOperationsBean.getObjectFormData(Unknown Source)
         at com.thortech.xl.ejb.beans.tcFormInstanceOperationsSession.getObjectFormData(Unknown Source)
         at com.thortech.xl.ejb.beans.tcFormInstanceOperations_2j82mm_EOImpl.getObjectFormData(tcFormInstanceOperations_2j82mm_EOImpl.java:1420)
         at Thor.API.Operations.tcFormInstanceOperationsClient.getObjectFormData(Unknown Source)
         at sun.reflect.GeneratedMethodAccessor366.invoke(Unknown Source)
         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
         at java.lang.reflect.Method.invoke(Method.java:597)
         at Thor.API.Base.SecurityInvocationHandler$1.run(Unknown Source)
         at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
         at weblogic.security.service.SecurityManager.runAs(Unknown Source)
         at weblogic.security.Security.runAs(Security.java:41)
         at Thor.API.Security.LoginHandler.weblogicLoginSession.runAs(Unknown Source)
         at Thor.API.Base.SecurityInvocationHandler.invoke(Unknown Source)
         at $Proxy67.getObjectFormData(Unknown Source)
         at com.thortech.xl.webclient.actions.UserDefinedFormAction.prepareObjectForm(Unknown Source)
         at sun.reflect.GeneratedMethodAccessor362.invoke(Unknown Source)
         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
         at java.lang.reflect.Method.invoke(Method.java:597)
         at org.apache.struts.actions.DispatchAction.dispatchMethod(DispatchAction.java:280)
         at com.thortech.xl.webclient.actions.tcLookupDispatchAction.execute(Unknown Source)
         at com.thortech.xl.webclient.actions.tcActionBase.execute(Unknown Source)
         at com.thortech.xl.webclient.actions.tcAction.execute(Unknown Source)
         at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:484)
         at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:274)
         at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1482)
         at org.apache.struts.action.ActionServlet.doGet(ActionServlet.java:507)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:707)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
         at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
         at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
         at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:292)
         at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:26)
         at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:42)
         at com.thortech.xl.webclient.security.SecurityFilter.doFilter(Unknown Source)
         at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:42)
         at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3496)
         at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
         at weblogic.security.service.SecurityManager.runAs(Unknown Source)
         at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2180)
         at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2086)
         at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1406)
         at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
         at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)
    ERROR,09 Aug 2010 22:33:32,849,[XELLERATE.WEBAPP],Class/Method: UserDefinedFormAction/prepareObjectForm encounter some problems: Error occurred while getting form data for object instance with key '50133'.
    Thor.API.Exceptions.tcAPIException: Error occurred while getting form data for object instance with key '50133'.
         at com.thortech.xl.ejb.beansimpl.tcFormInstanceOperationsBean.getObjectFormDataData(Unknown Source)
         at com.thortech.xl.ejb.beansimpl.tcFormInstanceOperationsBean.getObjectFormData(Unknown Source)
         at com.thortech.xl.ejb.beans.tcFormInstanceOperationsSession.getObjectFormData(Unknown Source)
         at com.thortech.xl.ejb.beans.tcFormInstanceOperations_2j82mm_EOImpl.getObjectFormData(tcFormInstanceOperations_2j82mm_EOImpl.java:1420)
         at Thor.API.Operations.tcFormInstanceOperationsClient.getObjectFormData(Unknown Source)
         at sun.reflect.GeneratedMethodAccessor366.invoke(Unknown Source)
         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
         at java.lang.reflect.Method.invoke(Method.java:597)
         at Thor.API.Base.SecurityInvocationHandler$1.run(Unknown Source)
         at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
         at weblogic.security.service.SecurityManager.runAs(Unknown Source)
         at weblogic.security.Security.runAs(Security.java:41)
         at Thor.API.Security.LoginHandler.weblogicLoginSession.runAs(Unknown Source)
         at Thor.API.Base.SecurityInvocationHandler.invoke(Unknown Source)
         at $Proxy67.getObjectFormData(Unknown Source)
         at com.thortech.xl.webclient.actions.UserDefinedFormAction.prepareObjectForm(Unknown Source)
         at sun.reflect.GeneratedMethodAccessor362.invoke(Unknown Source)
         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
         at java.lang.reflect.Method.invoke(Method.java:597)
         at org.apache.struts.actions.DispatchAction.dispatchMethod(DispatchAction.java:280)
         at com.thortech.xl.webclient.actions.tcLookupDispatchAction.execute(Unknown Source)
         at com.thortech.xl.webclient.actions.tcActionBase.execute(Unknown Source)
         at com.thortech.xl.webclient.actions.tcAction.execute(Unknown Source)
         at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:484)
         at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:274)
         at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1482)
         at org.apache.struts.action.ActionServlet.doGet(ActionServlet.java:507)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:707)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
         at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
         at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
         at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:292)
         at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:26)
         at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:42)
         at com.thortech.xl.webclient.security.SecurityFilter.doFilter(Unknown Source)
         at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:42)
         at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3496)
         at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
         at weblogic.security.service.SecurityManager.runAs(Unknown Source)
         at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2180)
         at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2086)
         at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1406)
         at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
         at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)

  • Not able to get the AD organizations list while creating access policy

    Hi All,
    I had created an IT Resource for the AD server, and was able to successfully connect to it. Now when I try to create an access policy, I am not able to view any organization from AD.
    Can someone please let me know how to resolve this?
    Thanks in advance.....
    Regards
    Arun

    Please check the error log which I am getting when I ran the scheduled job:
    ======= Start Stack Trace =======================>
    <Aug 3, 2012 2:30:55 PM GMT+05:30> <Error> <OIMCP.ADCS> <BEA-000000> <com.thortech.xl.schedule.tasks.ADLookupReconTask : performReconciliation>
    <Aug 3, 2012 2:30:55 PM GMT+05:30> <Error> <OIMCP.ADCS> <BEA-000000> <[LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 52e, vece ]>
    <Aug 3, 2012 2:30:55 PM GMT+05:30> <Error> <OIMCP.ADCS> <BEA-000000> <Description : [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 52e, vece ]>
    <Aug 3, 2012 2:30:55 PM GMT+05:30> <Error> <OIMCP.ADCS> <BEA-000000> <com.thortech.xl.exception.ConnectionException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 52e, vece ]
    at com.thortech.xl.integration.ActiveDirectory.tcADUtilLDAPController.searchResultPageEnum(Unknown Source)
    at com.thortech.xl.schedule.tasks.ADLookupReconTask.performReconciliation(Unknown Source)
    at com.thortech.xl.schedule.tasks.ADLookupReconTask.execute(Unknown Source)
    at com.thortech.xl.scheduler.tasks.SchedulerBaseTask.execute(SchedulerBaseTask.java:384)
    at oracle.iam.scheduler.vo.TaskSupport.executeJob(TaskSupport.java:145)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at oracle.iam.scheduler.impl.quartz.QuartzJob.execute(QuartzJob.java:196)
    at org.quartz.core.JobRunShell.run(JobRunShell.java:202)
    at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:529)
    >
    <Aug 3, 2012 2:30:55 PM GMT+05:30> <Error> <OIMCP.ADCS> <BEA-000000> <================= End Stack Trace =======================>
    Based on this I checked the credentials I provided, and they are correct. I am able to connect to AD with the same credentials when I create a new IT Resource.
    Not sure what went wrong.
    Regards
    Arun
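Added example, not from the post: the trace above ends in LDAP error code 49, and the sub-code after "data" is what distinguishes the causes Active Directory folds into that one error. The Python below extracts the HRESULT, DSID and sub-code from such a line and maps the sub-code to its documented meaning, then counts the causes across a log so the repeated stack-trace copies collapse into one line per cause. The sample lines are constructed in the shape of the post's trace; the DSID and the 52e sub-code are taken from the post, and the 775 line and the closing info line are invented to show a second cause and a non-matching line.

```python
import re
from collections import Counter

# AcceptSecurityContext sub-codes that Active Directory reports in the "data"
# field of an LDAP error 49 bind failure (values documented by Microsoft).
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials (bad password for an existing account)",
    "530": "logon not permitted at this time",
    "531": "logon not permitted at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

ERR49_RE = re.compile(
    r"LDAP: error code 49 - (?P<hresult>[0-9A-Fa-f]{8}): LdapErr: DSID-(?P<dsid>[0-9A-Fa-f]+), "
    r"comment: AcceptSecurityContext error, data (?P<data>[0-9A-Fa-f]+)"
)


def decode_bind_error(text):
    """Return the parsed error-49 fields of one log line, or None if it has none."""
    m = ERR49_RE.search(text)
    if not m:
        return None
    data = m.group("data").lower()
    return {
        "hresult": m.group("hresult"),
        "dsid": m.group("dsid"),
        "data": data,
        "meaning": AD_BIND_SUBCODES.get(data, "unknown sub-code"),
    }


def triage(lines):
    """Count distinct bind-failure causes across a log (one entry per meaning)."""
    counts = Counter()
    for line in lines:
        rec = decode_bind_error(line)
        if rec:
            counts[rec["meaning"]] += 1
    return counts


# Constructed log lines in the shape of the trace in the post.
SAMPLE_LOG = [
    "<Aug 3, 2012 2:30:55 PM GMT+05:30> <Error> <OIMCP.ADCS> <BEA-000000> <[LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 52e, vece ]>",
    "<Aug 3, 2012 2:30:55 PM GMT+05:30> <Error> <OIMCP.ADCS> <BEA-000000> <Description : [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 52e, vece ]>",
    "<Aug 3, 2012 2:31:10 PM GMT+05:30> <Error> <OIMCP.ADCS> <BEA-000000> <[LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 775, vece ]>",
    "<Aug 3, 2012 2:31:11 PM GMT+05:30> <Info> <OIMCP.ADCS> <BEA-000000> <Reconciliation finished>",
]

if __name__ == "__main__":
    for meaning, n in triage(SAMPLE_LOG).most_common():
        print(f"{n} x {meaning}")
```

A 52e from a scheduled task, while the same credentials bind fine from the IT Resource test, narrows the question to which credentials the task is actually using (account lookup succeeded, the password did not), rather than to connectivity or the account's existence.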

  • Android MS RDP - RPC Error: Your connection was denied because of a Resource Access Policy (TS_RAP). Please contact your server administrator. (2147965402).

    I love iTap Mobile.  Paid for the app.  Sorry to see them discontinue it, but now I know why.  Microsoft bought them out!  But even though free, I am getting an error: RPC Error: Your connection was denied because of a Resource Access Policy (TS_RAP). Please contact your server administrator. (2147965402).  I worked with iTap to fix this so I guess they sold Microsoft their older buggy code...  Microsoft, please fix!
    PS: This is the Android version.  Mac and iOS are both okay.
    EDIT:  After an update a few months ago, iOS is no longer working.  Not sure if the problem is related to the Android MSRDP issue.
    UPDATE - Relevant posts (need Android RDP software engineer to fix):
    Event Viewer Log when using Android client:
    The user "DOMAIN\testuser", on client computer "10.x.x.x", met connection authorization policy requirements and was therefore authorized to access the RD Gateway server. The following authentication method was used: "NTLM". (This is most likely for logging into RD Web - icons show up).
    The user "DOMAIN\testuser", on client computer "10.x.x.x", did not meet resource authorization policy requirements and was therefore not authorized to resource"localhost". The following error occurred: "23002".  (This is after clicking on any of the icons).
    I think the Android MS RDP client is providing the incorrect resource.  It shouldn't be "localhost".  It should be the RD Connection Broker's hostname, I believe.
    Here's what it should look like (connected using a Windows PC going through the RD Web portal via Internet Explorer):
    The user "DOMAIN\testuser", on client computer "10.x.x.x", met connection authorization policy requirements and was therefore authorized to access the RD Gateway server. The following authentication method was used: "NTLM".
    The user "DOMAIN\testuser", on client computer "10.x.x.x", met resource authorization policy requirements and was therefore authorized to connect to resource "rdsfarm.domain.com".
    The user "DOMAIN\testuser", on client computer "10.x.x.x", connected to resource "rdsfarm.domain.com".
    Stephan,
    Do you have any way to contact the software engineer who worked on the Android version of the RDP client?  Please have them read this thread.  They need to fix the hard-coded "localhost" resource to be a variable (namely whatever the user put in for the server).
    This is why the MS RDP app is failing in situations where the FQDN for the RD Gateway and Connection Broker uses the same host name.
    Again, this is not a configuration problem on our end, as it works as intended with the native Windows RDP client as well as the Mac and iOS versions of the mobile RDP client (all based on iTap Mobile's RDP app).
    This is a problem specific to the Android RDP app.
    PS: No matter how hard I try, the WYSIWYG editor is not very WYSIWYG at all, and so everything here looks messed up even though it looked right when I posted it (it is deleting new blank lines I'm inserting to make it spaced out and easier to read). See below to read the post in context.

    Thanks for the bumps, everyone.  I haven't checked this thread in a while because I basically gave up on Microsoft's ability to respond.  Unlike paid apps, there's no number to call or ticket to open when an app like this malfunctions.
    Just to give you an update, iOS users started having issues connecting a few months ago.  I don't remember what version started this.  I'm not sure if it's the same problem.
    Also, the newest version now gives a slightly different error message:  RpcOverHttpEndpointException: 2, Your connection was denied because of a Resource Access Policy (TS_RAP).  Please contact your server administrator.
    For Android users, I am starting to recommend Xtralogic Remote Desktop Client.  It's a paid app, but it works great.  I don't know of any alternative for iOS.
    MSRDP for Mac OSX (was also an iTap application) continues to work throughout the many updates.
    We need a software engineer from MS to read my first post.  All the information that will point to a fix is there.  I strongly believe someone hardcoded the string "localhost" instead of using a variable to point to the FQDN of the rdsfarm name.
    Here's that info again (copied/pasted).  It doesn't take an engineer to understand the issue.  If you know how to decipher Event Logs, you can see where the problem is.
    Event Viewer Log when using Android client:
    The user "DOMAIN\testuser", on client computer "10.x.x.x", met connection authorization policy requirements and was therefore authorized to access the RD Gateway server. The following authentication method was used: "NTLM". (This is most likely for logging into RD Web - icons show up).
    The user "DOMAIN\testuser", on client computer "10.x.x.x", did not meet resource authorization policy requirements and was therefore not authorized to resource"localhost". The following error occurred: "23002".  (This is after clicking on any of the icons).
    I think the Android MS RDP client is providing the incorrect resource.  It shouldn't be "localhost".  It should be the RD Connection Broker's hostname, I believe.
    Here's what it should look like (connected using a Windows PC going through the RD Web portal via Internet Explorer):
    The user "DOMAIN\testuser", on client computer "10.x.x.x", met connection authorization policy requirements and was therefore authorized to access the RD Gateway server. The following authentication method was used: "NTLM".
    The user "DOMAIN\testuser", on client computer "10.x.x.x", met resource authorization policy requirements and was therefore authorized to connect to resource "rdsfarm.domain.com".
    The user "DOMAIN\testuser", on client computer "10.x.x.x", connected to resource "rdsfarm.domain.com".
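Added example, not from the post: the poster's diagnosis rests on reading the RD Gateway audit messages as a sequence, a connection authorization policy (CAP) pass followed by a resource authorization policy (RAP) decision naming the requested resource. The Python below parses messages of that shape into user, client, stage, outcome, resource and error code, and reports RAP denials whose requested resource is not one the RAP is expected to allow, which separates a client sending the wrong resource name (the "localhost" case above) from a RAP that is simply missing an entry. The sample messages are constructed copies in the shape of those quoted in the post, with the same placeholder user, address and farm name.

```python
import re

# Constructed copies of the RD Gateway audit messages quoted above.
SAMPLE_EVENTS = [
    r'The user "DOMAIN\testuser", on client computer "10.x.x.x", met connection authorization policy requirements and was therefore authorized to access the RD Gateway server. The following authentication method was used: "NTLM".',
    r'The user "DOMAIN\testuser", on client computer "10.x.x.x", did not meet resource authorization policy requirements and was therefore not authorized to resource"localhost". The following error occurred: "23002".',
    r'The user "DOMAIN\testuser", on client computer "10.x.x.x", met resource authorization policy requirements and was therefore authorized to connect to resource "rdsfarm.domain.com".',
    r'The user "DOMAIN\testuser", on client computer "10.x.x.x", connected to resource "rdsfarm.domain.com".',
]

HEADER_RE = re.compile(
    r'The user "(?P<user>[^"]+)", on client computer "(?P<client>[^"]+)", (?P<rest>.*)', re.S
)
# \s* tolerates the missing space in 'resource"localhost"' as it appears in the log.
RESOURCE_RE = re.compile(r'resource\s*"(?P<resource>[^"]+)"')
ERROR_RE = re.compile(r'The following error occurred: "(?P<code>\d+)"')


def parse_gateway_event(text):
    """Split one RD Gateway message into its fields; None for messages of another shape."""
    m = HEADER_RE.match(text)
    if not m:
        return None
    rest = m.group("rest")
    if "connection authorization policy" in rest:
        stage = "CAP"
    elif "resource authorization policy" in rest:
        stage = "RAP"
    elif "connected to resource" in rest:
        stage = "CONNECT"
    else:
        return None
    outcome = "denied" if ("did not meet" in rest or "not authorized" in rest) else "authorized"
    res = RESOURCE_RE.search(rest)
    err = ERROR_RE.search(rest)
    return {
        "user": m.group("user"),
        "client": m.group("client"),
        "stage": stage,
        "outcome": outcome,
        "resource": res.group("resource") if res else None,
        "error": err.group("code") if err else None,
    }


def rap_denials(events, allowed_resources):
    """RAP denials, each tagged with whether the requested resource is one the RAP
    is meant to allow. expected=False means the client asked for a name the RAP
    was never configured for, which is the client-side case described in the post."""
    findings = []
    for text in events:
        ev = parse_gateway_event(text)
        if ev and ev["stage"] == "RAP" and ev["outcome"] == "denied":
            ev["expected"] = ev["resource"] in allowed_resources
            findings.append(ev)
    return findings


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        p = parse_gateway_event(ev)
        print(p["stage"], p["outcome"], p["resource"], p["error"])
    for f in rap_denials(SAMPLE_EVENTS, {"rdsfarm.domain.com"}):
        print("RAP denied", f["resource"], "expected resource:", f["expected"])
```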

  • OIM 11g R2 - AD provisioning based on Role and Access Policy

    Hi, for Active Directory integration I used a pre-population plugin for populating the resource form (based on http://fusionsecurity.blogspot.sk/2013/01/populating-request-attributes-in-oim.html).
    It works fine - the requested account was fully provisioned.
    Can I use this plugin for role-based provisioning?
    I tried to create an access policy and an associated role, but when I attached the role to the user and ran the Evaluate User Policies job, the account couldn't be provisioned.
    In diagnostic.log I found.....
    [oracle.iam.platform.kernel.impl] [.....] [userId: oiminternal] [.....] [APP: oim#11.1.2.0.0] Immediate consequences are returned with event - InitiatePolicyEvaluationAndProvisioning
    [oracle.iam.platform.kernel.impl] [.....] [userId: oiminternal] [.....] [APP: oim#11.1.2.0.0] Next Waiting child process is ..........6380 sync = false
    [oracle.iam.platform.kernel.impl] [.....] [userId: oiminternal] [.....] [APP: oim#11.1.2.0.0] First Waiting child process is ..........6380
    [oracle.iam.platform.kernel.impl] [.....] [userId: oiminternal] [.....] [APP: oim#11.1.2.0.0] Kernel executing default validation with process id, event id, entity and operation 6,380.0.Resource.ACCESS_POLICY_BASED_PROVISION
    [oracle.iam.platform.kernel.impl] [.....] [userId: oiminternal] [.....] [APP: oim#11.1.2.0.0] Kernel completed the child orchestration - 6380.6379
    [oracle.iam.platform.kernel.dao] [.....] [userId: oiminternal] [.....] [APP: oim#11.1.2.0.0] Inserting records for orchestration cleanup
    [oracle.iam.platform.kernel.impl] [.....] [userId: oiminternal] [.....] [APP: oim#11.1.2.0.0] Completed orchestration with action result - 113

    Hi, all
    I tried to fill in the Access Policy process form. The account request was created and provisioned when the fields AD Server and Organization Name were filled in, but the pre-population plugin didn't fire.
    The question is.... How can I use a pre-population plugin for populating the request dataset used by a request generated by an access policy....
    Is it possible to use plugins for requests generated based on an access policy?
    a.

  • Issue with UAG/TMG communication to published SharePoint application is blocked by access policy settings

    We have a UAG/TMG server set up with SharePoint published. The UAG is also doing load balancing for the SharePoint farm. We have an MDM application that is trying to connect to our SharePoint, but our SharePoint is routed through the UAG. The MDM application does not need to be published, nor is there any component that can be accessed directly by end users. It is more of a proxy to relay content to mobile devices. It is using 443 and two other secondary ports.
    On the TMG logs, we can see requests hitting the TMG over port 443 from the MDM application server. We can also see that it is trying to be routed to our SharePoint, but we get the following error in the TMG log:
    “Filter information: A request from source IP address xx.xx.xx.xx, user to trunk portal; Secure=1 for application SharePoint of type SharePoint15 failed. The endpoint device does not comply with access policy settings ([%PolicyId%]) for session [%SessionId]”
    The source IP is the internal IP of the host running the MDM application. On the UAG side, under the SharePoint publishing rule, for Access Policy Settings we have tried selecting the 'Always' option but that had no effect. It appears like there is a policy blocking communication to SharePoint. Does anyone have a suggestion on which policy, or where the policy that is controlling this is located, so that we can try to resolve this issue? Thanks.

    Looking at the UAG Web Monitor, it says that the access policy is 'Hybrid_Default_Session_Access' and the URL is /_vti_bin/Webs.asmx. 
    We can't find a 'Hybrid Default Session Access' policy. In the Endpoint Policy Settings tab, we tried using 'Always' for the Access Policy for the published SharePoint application but that did not make any difference. 

  • System has amnesia about non-admin access to system log

    Time Machine Buddy often doesn't show current backups. So I used the tip from Pondini to give my user account system log access. That worked fine.
    But it doesn't "stick." I fired up the Console app this morning, and the system log is grayed out.
    Any idea why, and what to do?
    Thanks,
    Harv

    Hey James,
    I did indeed get a reply in the Unix forum, and it worked fine. Here's the content:
    *BobHarris posted "Re: System has amnesia about non-admin access to system log" in "System has amnesia about non-admin access to system log" on Jun 2, 2010 6:21:28 PM.*
    *You could try*
    *sudo /bin/chmod +a "harv47 allow read,file_inherit" /var/log*
    *This assumes that your username is 'harv47' on your Mac. This also assumes that the log files are created in the /var/log directory.*
    *In theory this will make sure that any file created in /var/log will inherit an ACL that allows harv47 read access to that file.*
    *However, I have not spent much time working with Mac OS X ACLs, so your mileage may vary.*
    *BobHarris posted "Re: System has amnesia about non-admin access to system log" in "System has amnesia about non-admin access to system log" on Jun 2, 2010 8:13:24 PM.*
    *Oh yea. You can view the ACL you applied, and see if the inherit_file worked using*
    *ls -leO@a /var/log*
    *again, assuming /var/log is the directory containing the log you are trying to read.*
    The system log continues to be accessible, even after the midnight "rollover."
    I'm a happy camper. I'm not sure if it's a coincidence or not, but TM Buddy has so far continued to show the log excerpts after the rollover as well.
    BTW, the SpamSieve app (Bayesian spam filter for Mail) is one of those database apps mentioned in your tips. It accounts for about 1 GB every backup.
    Thanks!
    Harv

  • AD Access Policy Update or Revoke Not Happening

    Hi
    Problem:
    I am automating AD user provisioning through an OIM Access Policy. I am able to provision the user in AD, but the provisioned user is not visible in the Resources tab. If any OIM attributes are modified, they are not transferred from OIM to the AD User process form. If I remove the user from the Role, the user is not revoked from AD.
    Configuration:
    I have created the following task to automate the user provisioning. They are
    1) Rule
    Name: ALL AD Users
    Rule Criteria : User Login != NULL
    2) Role
    Name : AD Role
    Member Ship Rule : ALL AD Users
    3) Access Policy:
    Access Policy Information Provided
    Access Policy Name:      AD Access Policy
    Access Policy Description:      AD Access Policy
    With Approval:      No
    Retrofit Access Policy:      Yes
    Priority:1
    Resources to be provisioned by this access policy
    Resource Name: AD User
    Revoke resource and entitlement(s) if no longer applies: Checked
    Process Forms: AD User Details
    AD User form details are populated through a pre-populate adapter on create, and Change <FieldName> populates in the update operation.
    Role
    Name : AD Role
    I couldn't see any error in the AD Connector log file.
    Do I need to do anything apart from the AD Access Policy to view the resource in the Resource tab, and also for updating the user attributes (Change process tasks are configured), and for Revoke?
    Help is greatly appreciated.

    What do you mean by this statement:
    "But the provisioned user is not visible in Resources tab"
    Do you mean that when you go to the Resource Profile of a user then you can't see that AD User is provisioned to that user?
    Check the "Auto Save" check box on the "AD User" Process Definition.
    Add one user explicitly into that Role/Group.
    "Resources to be provisioned by this access policy"
    I hope you are giving values for AD Server and Organization Name on the process form in this section.
    Enable the logs as well, to see whether the AD User tasks are getting called or not.
    And
    For sending modified attributes to AD, have you created corresponding tasks like Change First Name, Change Last Name etc. in the AD User Process Definition and made their entry in the Trigger Lookup?
    If yes, then it will work only when you see AD User in Provisioned/Enabled status in the user's Resource Profile.
    Let me know the results

  • Create Access Policy with OIM API: can't fill child form

    Hi!
    I'm having a problem with creating an OIM Access Policy with the API. I'm doing the following:
    1. Create a new access policy via AccessPolicyIntf
    2. Add a resource object which will be provisioned to all users who are within the policy scope
    3. Get the Resource Object (Parent) Form Definition via FormDefinitionIntf
    4. Add data to the parent form (AccessPolicyIntf setFormData(FormDefinitionKey))
    5. Now I want to add data to the child form; for that purpose I need to know the child form definition key, but I can't get one, because there's no method like 'getChildFormDefinitionKey' in the FormDefinitionIntf interface.
    Please help me to get the child form definition key, knowing the parent form definition key and version.

    See if this code helps:
    import java.util.Hashtable;

    import Thor.API.tcResultSet;
    import Thor.API.tcUtilityFactory;
    import Thor.API.Operations.tcFormInstanceOperationsIntf;
    import Thor.API.Operations.tcUserOperationsIntf;
    import com.thortech.xl.dataaccess.tcDataProvider;

    // 'log' is the enclosing class's logger, declared elsewhere in the class.
    public String addChildTableValue(long userKey, String group, String objectName, String fieldName, tcDataProvider ioDatabase) {
        log.debug("addChildTableValue() Parameter Variables passed are:" +
                  "userKey=[" + userKey + "]" +
                  "group=[" + group + "]" +
                  "fieldName=[" + fieldName + "]" +
                  "objectName=[" + objectName + "]");
        try {
            tcUserOperationsIntf userIntf = (tcUserOperationsIntf) tcUtilityFactory.getUtility(ioDatabase, "Thor.API.Operations.tcUserOperationsIntf");
            tcFormInstanceOperationsIntf formIntf = (tcFormInstanceOperationsIntf) tcUtilityFactory.getUtility(ioDatabase, "Thor.API.Operations.tcFormInstanceOperationsIntf");
            boolean roleExists = false;
            // Result set of all objects provisioned to the user
            tcResultSet obResultSet = userIntf.getObjects(userKey);
            if (obResultSet.isEmpty()) {
                log.error("User has no provisioned objects");
                return "NO_OBJECTS_EXIST";
            } else {
                for (int ii = 0; ii < obResultSet.getRowCount(); ii++) {
                    obResultSet.goToRow(ii);
                    // Only consider an active instance of the requested resource object
                    if ((obResultSet.getStringValue("Objects.Name").equals(objectName)) &&
                        (!(obResultSet.getStringValue("Objects.Object Status.Status").equals("Revoked")) &&
                         !(obResultSet.getStringValue("Objects.Object Status.Status").equals("Provisioning")))) {
                        log.debug("Resource object found: " + objectName);
                        // Process instance key of the object
                        long plProcessInstanceKey = obResultSet.getLongValue("Process Instance.Key");
                        log.debug("Process instance key: " + plProcessInstanceKey);
                        // Form definition key of the parent form
                        long plParentFormDefinitionKey = obResultSet.getLongValue("Process.Process Definition.Process Form Key");
                        log.debug("Parent form definition key: " + plParentFormDefinitionKey);
                        // Form version of the parent form
                        int pnParentFormVersion = formIntf.getProcessFormVersion(plProcessInstanceKey);
                        log.debug("Parent form version: " + pnParentFormVersion);
                        // Result set of child form information (this is where the child key comes from)
                        tcResultSet childFormResultSet = formIntf.getChildFormDefinition(plParentFormDefinitionKey, pnParentFormVersion);
                        // Child form definition key and table name
                        long plChildFormDefinitionKey = childFormResultSet.getLongValue("Structure Utility.Child Tables.Child Key");
                        String plChildTableName = childFormResultSet.getStringValue("Structure Utility.Table Name");
                        log.debug("Child form definition key: " + plChildFormDefinitionKey);
                        log.debug("Child table name: " + plChildTableName);
                        tcResultSet childFormData = formIntf.getProcessFormChildData(plChildFormDefinitionKey, plProcessInstanceKey);
                        if (!(childFormData.isEmpty())) {
                            log.debug("Searching child table current values");
                            for (int iii = 0; iii < childFormData.getRowCount(); iii++) {
                                childFormData.goToRow(iii);
                                String fieldValue = childFormData.getStringValue(fieldName);
                                log.debug("Child table entry: " + iii + " | value: " + fieldValue);
                                if (fieldValue.equals(group)) {
                                    roleExists = true;
                                    log.debug("Value already exists in child table");
                                    return "DUPLICATE_VALUE";
                                }
                            }
                            log.debug("Value not found in child table");
                        }
                        if (!roleExists) {
                            // Add a single row to the child table
                            Hashtable childFormHash = new Hashtable();
                            childFormHash.put(fieldName, group);
                            formIntf.addProcessFormChildData(plChildFormDefinitionKey, plProcessInstanceKey, childFormHash);
                            log.debug("Value successfully added to table");
                            return "VALUE_ADDED";
                        }
                    }
                }
            }
            log.debug("Provisioned resource " + objectName + " object not found");
            return "OBJECT_NOT_FOUND";
        } catch (Exception ex) {
            ex.printStackTrace();
            return "ERROR";
        }
    }

  • Role getting revoked with Access Policy

    Hi,
    I have an Access Policy which provisions a Resource Object with only one special role. Whenever a user belongs to the group according to a rule called USR_UDF_GLOBALSTATUS == Active, the user automatically gets provisioned to the Resource Object with that Role as per the access policy. In this access policy, the "Revoke if no longer applies" option is disabled for that Resource Object.
    Whenever, for that user, USR_UDF_GLOBALSTATUS == Active is changed to USR_UDF_GLOBALSTATUS == InActive by reconciliation, the user is removed from that Group. Till here everything is fine. But the Special Role assigned to that user is also getting revoked. I haven't enabled the "Revoke if no longer applies" option. So how come the role is getting revoked?
    According to my requirement, that special role should still stay even if the user is removed from the group. Please help...
    - Pavan

    Enable all logging. Check and see if the user was a member of more groups than just the one. There might be more than one access policy for the user, one that gives the resource with a base set of values for the parent form, and then another access policy that has a lower priority that provides the role. Also look at the Xellerate User object and check for any tasks that might be triggered on this change in value as well as other values. Your best bet is to look at the user and all their groups and resources. Then perform your change, and look on their resource profiles both in targets, and on the xellerate user object, and see what all tasks were inserted.
    -Kevin

  • Nexus 3548 ACL Logging

    With "show ip access-list", IOS displays matches against each statement within the ACL and you can see counters incrementing or not, which is useful in troubleshooting. The Nexus 3548 does not display any counters with the same command!
    I must be missing something, because I cannot find a logging command that will simply add hits to the output of "show ip access-list <name>" (Nexus 3548).
    Is there an alternative?

    After reading Cisco ACL docs I managed to configure and get ACL logging working fine on my lab 3548:
    test# sh log ip access-list cache
    Source IP        Destination IP     S-Port  D-Port    Interface   Protocol          Hits
    10.170.x.x    10.x.x.x        0       0         mgmt0      (6)TCP            98
    Software
      BIOS:      version 1.9.0
      loader:    version N/A
      kickstart: version 6.0(2)A4(3)
      system:    version 6.0(2)A4(3)
      Power Sequencer Firmware:
                 Module 1: version v2.1
      BIOS compile time:       10/13/2012
      kickstart image file is: bootflash:///n3500-uk9-kickstart.6.0.2.A4.3.bin
      kickstart compile time:  11/21/2014 9:00:00 [11/21/2014 19:29:20]
      system image file is:    bootflash:///n3500-uk9.6.0.2.A4.3.bin
      system compile time:     11/21/2014 9:00:00 [11/21/2014 21:09:06]
    Hardware
      cisco Nexus 3548 Chassis ("48x10GE Supervisor")
      Intel(R) Pentium(R) CPU  @ 1.50GHz
     with 3805876 kB of memory.
    However in my other live Nexus 3548 "show log ip access-list cache" is not available from the command line with the following software version:
    -n35# show log ip access-list cache
                               ^
    % Invalid command at '^' marker.
    Software
      BIOS:      version 1.9.0
      loader:    version N/A
      kickstart: version 6.0(2)A1(1b)
      system:    version 6.0(2)A1(1b)
      Power Sequencer Firmware:
                 Module 1: version v2.1
      BIOS compile time:       10/13/2012
      kickstart image file is: bootflash:///n3500-uk9-kickstart.6.0.2.A1.1b.bin
      kickstart compile time:  9/5/2013 14:00:00 [09/05/2013 23:37:16]
      system image file is:    bootflash:///n3500-uk9.6.0.2.A1.1b.bin
      system compile time:     9/5/2013 14:00:00 [09/06/2013 03:25:01]
    Hardware
      cisco Nexus 3548 Chassis ("48x10GE Supervisor")
    I've researched the command line reference and found nothing to suggest that this OAL feature is not supported on version 6.0(2)A1(1b)... Anyway, on the live 3548 I can see the statistics per-entry command configured under each ACL (these ACLs are not bound to any VLAN interfaces). show ip access-list shows no hits against any of the ACLs.
    My first question: why is the OAL ACL cache not supported on my live version?
    Second question: why are there no hits when the statistics per-entry command is configured under each ACL, when I know there are thousands of hits per minute?
    NB: The ip access-group in statements are applied to the physical interface port, NOT the interface VLAN.
    Example:
    interface Ethernet1/6
      description ** hello **
      ip access-group test in
      switchport access vlan 885
      speed 1000
      no negotiate auto
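    One way to check the second question above (counters stuck at zero) offline, as an added example that is not part of the post: a Python audit that parses a constructed NX-OS config excerpt and reports, per ACL, whether it is applied on any port with ip access-group and whether statistics per-entry is configured, the two conditions per-ACE counters in show ip access-list depend on. The config text, ACL names and interface names are constructed for the example.

```python
import re
# Constructed NX-OS running-config excerpt (not from the post): one ACL with
# per-entry statistics, one without, and one defined but never applied.
SAMPLE_CONFIG = """\
ip access-list test
  statistics per-entry
  10 permit tcp 10.170.0.0/16 any eq 22
ip access-list NoStats
  10 permit ip any any
ip access-list Unused
  statistics per-entry
interface Ethernet1/6
  ip access-group test in
interface Ethernet1/7
  ip access-group NoStats in
"""

def parse_nxos_acls(config):
    """Return (acls, bindings): ACL -> has 'statistics per-entry'; ACL -> [(intf, dir)]."""
    acls, bindings, section = {}, {}, None
    for raw in config.splitlines():
        if not raw.startswith(" "):          # unindented line opens a new section
            m = re.match(r"(ip access-list|interface) (\S+)", raw)
            if m and m.group(1) == "ip access-list":
                acls.setdefault(m.group(2), False)
            section = (m.group(1), m.group(2)) if m else None
            continue
        stmt = raw.strip()
        if section and section[0] == "ip access-list" and stmt == "statistics per-entry":
            acls[section[1]] = True
        elif section and section[0] == "interface":
            m = re.match(r"ip access-group (\S+) (in|out)$", stmt)
            if m:
                bindings.setdefault(m.group(1), []).append((section[1], m.group(2)))
    return acls, bindings

def audit_acl_counters(config):
    """Explain, per ACL, why 'show ip access-list' could show zero hits."""
    acls, bindings = parse_nxos_acls(config)
    findings = {}
    for name, has_stats in acls.items():
        bound = bindings.get(name, [])
        if not bound:
            findings[name] = "not applied to any interface"
        elif not has_stats:
            findings[name] = "applied but 'statistics per-entry' missing: no per-ACE counters"
        else:
            findings[name] = "ok: applied on " + ", ".join(f"{i} {d}" for i, d in bound)
    return findings
```

    Feed it the output of show running-config from the switch to see which ACLs are actually bound to the ports you expect traffic on.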

  • [OIM 9.1.0.2] Access Policy being evaluated to an OIM user disabled.

    Hi Gurus,
    I have an Access Policy being evaluated and provisioning a resource (AD) to a disabled OIM user.
    Any tip on what I should take a look at?
    Thanks in advance.

    Hi all,
    I have configured the XL.EvaluateMembershipForInactiveUser System Property as TRUE, but the membership rule does not get evaluated for disabled users. So the user still remains in the group. I have restarted OIM.
    Do I need to activate the Evaluate User Policies scheduled task for this configuration to be effective? Or should I do something more?
    Thanks a lot.
