EAM ID based or Role based? Why settle for just one?

G'Day All,
I've raised a question in the following blog; however, I would like to open it up to other people as well so they might get something out of it and, in the process, might share their own thoughts on the matter at hand.
ID-Based Firefighting vs. Role-Based Firefighting
So this is where I am at this point:
From what I can gather so far, my understanding of EAM ID/ROLE based is as follows:
- ID Based: Logs in using own U.ID and through GRAC_SPM accesses the FFID from the GRC Server and logs into the system assigned to them (ECC, SRM, CRM etc.)
  - Only one user at a time can use a FFID.
  - Firefighter need not exist in every system assigned to them due to central logon; however, they need to exist in the GRC system.
  - Knows exactly when the FFID is being used as he/she has to log in, so it has a psychological effect (good thing).
  - Better tracking of FF tasks - specific log reports with Reason Codes. Bonus point from Auditors!
  - Two log-ins, so potential to commit fraud (1 action using own User ID and 1 action using FFID).
  - Could be hard to track and find out when a fraud has been committed, so can be a problem with auditors.
  - ID Based -> GRAC_SPM: TCode for Centralised FFighting -> You will see FFIDs assigned to you
  - ID Based -> /n/GRCPI/GRIA_EAM: TCode for Decentralised FFighting -> You can see the FFIDs assigned to you
- Role Based: Logs into the remote system only using U.ID, so everything gets logged against that one ID.
  - Multiple users can use the FFROLE at once.
  - Firefighter has to exist in every system assigned to them - so multiple logons.
  - Hard to differentiate between FF tasks and normal tasks as no login is required, so easy to slip up.
  - Time consuming to track FF tasks - no specific log reports, no Reason Codes.
  - Role Based -> GRAC_SPM: TCode for Centralised FFighting -> You will see FFROLEs
  - Role Based -> /n/GRCPI/GRIA_EAM: TCode for Decentralised FFighting -> Not applicable, so won't work
So based on this there are pros and cons in both; however, according to SAP only one can be used. To me personally, it makes more sense to get the best of both worlds, right? So here is my question: why can't we just use both?
- Really critical tasks -> FFID
- Normal EAM tasks -> FFRole
Alessandaro from the original post pointed this out:
"Per design it isn't possible to achieve both types of firefighting at the same time. It's a system limitation and hence to configurable."
Well, this is what I can't seem to get my head around. For a FFID, there is a logon session, so it has to be enabled, and as far as I can tell there is no way around it.
However, for FFRole there aren't such limitations/restrictions like starting a separate session. FFRole is just assigned to an end user for him/her to perform those tasks using their own user ID.
So in what way is it different from any of their other tasks/roles, other than the fact that they've got an Owner/Controller assigned to the FFRole? And
what is stopping us from using it when ID based is the default?
If I were to do the following, does it mean I can use both?
- Config Parameter: 4000 = 1 (GRC System) -> ID Based
- Config Parameter: 4000 = 2 (Plug-In) -> Role Based
Please excuse me if my logic is a bit silly. Role Based firefighting is only done on Plug-in systems, so the following should work just fine:
- Config Parameter: 4000 = 2 (Plug-In) -> Role Based
However, for ID based it is a Central Logon, so the following is a must:
- Config Parameter: 4000 = 1 (GRC System) -> ID Based
Which means both ID/Role based can be used at the same time, which seems to be working just fine on my system. Either way, I leave it to you experts and I hope you will shed some light on it.
Cheers
Leo..

Gretchen,
Thank you for thoughts on this.
Looks like I'm failing to articulate my thoughts properly as the conversation seems to be going in a different direction from what I am after. I'll try once more!
My query/issue is not in regards to if/what SAP needs to do about this, or why there isn't more support from Companies/Organizations, and not even which one is the better option.
My query is what is stopping us(as in the end users ) from using both ID/Role based at the same time?
Now before people start referencing SAP documentation and about parameter 4000, humour me with the following scenario please. Again I would like to reiterate that I am still in the learning phase so my logic might be all wrong/misguided, so please do point out to me where I am going wrong in my thought process as I sincerely would like to know why I am the odd one out in regards to this.
Scenario
I've created the following:
- FFID
- FFROLE
Assigned them to two end users:
- John Doe
- Jane Doe
I set the Configuration Parameters as follows:
- IMG -> GRC -> AC -> Maintain Configuration Settings -> 4000:1 - ID Based
- IMG -> GRC (Plug-in) -> AC -> Maintain Plug-In Configuration Settings -> 4000:2 - Role Based
User1
John Doe logs into his regular backend system (ECCPROD001) -> executes GRAC_SPM -> Enters the GRC system (GRCPROD001) -> Because the parameter is set to ID based in the GRC box, he will be able to see the FFID assigned to him -> and will be presented with the logon screen -> Logs in -> Enters the assigned system (let's say CRMPROD001). At this point the firefighting session is in progress.
User2
Jane Doe logs into her regular backend system (ECCPROD001) -> (can execute GRAC_SPM to check which FF Role has been assigned to her, but she can see that in her regular menu, so there is no point) -> Executes the transactions assigned in FFROLE. This is done at the same time while the FFID session is in progress.
So all I want to know is if this scenario is possible? If the answer is No, then why not?
I physically carried out this scenario in my system and I had no problems (unless I am really missing the plot here), which brings me back to my original question: Why settle for just one?
Again to reiterate I am not getting into the efficacy or merits of this or even if one should use this. Just want to know if it is possible/feasible or not.
So there you have it. That's the whole enchilada (as they say there in Texas). I tried to word my thoughts as concisely as I can; if there are still any clarifications or more information you or anyone else reading this would like, please do let me know.
Regards,
Leo..

Similar Messages

  • Why can't I use a call-tone bought through iTunes for calling tones for just one of my contacts?

    Why can't I use a call-tone bought through iTunes for calling tones for just one of my contacts?

    What makes you believe that you can't? To set a custom ringtone (or SMS tone) for a contact, go to that contact entry, tap the Edit button in the upper right. You can then edit both ringtones and SMS tones for that contact.

  • Why is it taking like 2-3 mins for just one song to go onto my iPod?

    I thought my iPod was fixed completely last night, when I was on the phone with apple for 2 hours. My iPod was "corrupted", it wouldn't open in my iTunes and it kept freezing it. We tried changing the disk letter, blah blah. We finally solved the problem by uninstalling iTunes and reinstalling it. Then it finally opened in iTunes..restored and everything. I'm trying to put music on it and it's not cooperating with me.

    There are 2-3 things that could be happening..
    Some folks on here might say that you are experiencing the corruption problem with the classic... Which may be possible...
    There may be something happening with your iPod's HDD causing it to check the drive each time a new file goes in.
    Third, you didn't describe where your music was stored... If it's not on your computer's C drive it may take it a few minutes to travel off of an external or network drive.
    Additionally, remember that the iPod's HDD (based on the model you own) is not a HDD like the ones in your computer... They have a slower transfer rate...
    While you're waiting for it, tell us more about your setup so that we can better help you identify what's going on...

  • Why is Verizon charging me monthly for my cellular iPad access when I signed up for just one month? Who do I contact?

    I signed up for Verizon's month to month plan for cellular access and just discovered they are automatically renewing my monthly charges without my permission. Who and how can I contact Verizon to stop this and refund one month of unused cellular access? Please advise.

    Well then I stand corrected. I bought my iPad with a Verizon MIFI2200 WiFi hotspot directly from Verizon Wireless when they were running a promo last October. Verizon had just started selling the iPad and they came out with this deal and I took advantage of the offer. My plan is also a month to month access plan, but as far as I know, you still have to contact Verizon to stop the service. I know with my plan, unless I specifically cancel the plan, it carries over to the next month. The advantage to this plan is that there was no contract to sign and I can cancel at anytime without any early termination fee. However, I still have to cancel the service if I don't want it to continue.
    The bottom line is that the plan will continue month to month - there is just no contract to hold you to a two year agreement. You may have misunderstood or maybe you got bad information from the Apple rep, but what Verizon is doing is not being done without your permission - AFAIK. That is how month to month plans work.
    If you really feel that the Apple rep misrepresented this to you, then why don't you go back to him/the store - whatever and plead your case with him/her/the store?

  • Why won't my iMessage work for just one contact

    For some reason my iPhone won't let me iMessage with just one of my contacts... it works with all the other ones but that contact stays regular SMS text! Tried rebooting the phone and turning my iMessage on and off... don't get it!

    I have the same problem as SWatson12, and the person I'm texting has an iPhone 4S like me and is in my house - so there isn't a question of coverage area or type of phone.
    But iMessage still works with this person if I text via my Mac or iPad.
    This has been a problem since last night. At first, when I updated to 10.8.2, it worked great!

  • How to setup the security based on roles in Organization.

    Hi,
    How to setup the security based on roles in Organization.
    For example: a few users are Managers and a few users are Non Managers. Managers should have access to all work data, including Non Managers' data, and Non Managers should have access based on role. How to set up this? How does the OBI server identify the user role?
    kindly let me know.
    Regards.,
    CHR

    Hi,
    You need to have Back End support to achieve this. In the Back End you need to create two groups. You need to know what joins have to be made for which group (which is more important) and also make a session variable for the user role (with SQL supporting it). In the BMM layer, we need to put the security join conditions in the 'where clause'.
    And make a common report. A user logging in with the respective user ID will have the user role and joins assigned in the Back End, and they will be viewing the report according to their access.
    Hope this will solve your problem.
    Regards
    MuRam

  • Why Role based Firefighter

    Hello Folks,
    What is the difference between Role based and Firefighter Id based Firefighting from an organization point of view.
    The general practice is to go with Firefighter ID but I want to know a situation when Firefighter Role based strategy can be an advantage over the other.
    In the user guide it is not mentioned when and why Role based Firefighter should be used.
    Thanks in advance,
    Amol Bharti

    FF access via role assignments can be approved and provisioned in Access Enforcer (AE). Firefighter access can also be removed via Access Enforcer by submitting a request to remove the firefighter roles. FF access approvals are captured in the AE audit trail. The business reason for requesting/approving the access can also be captured in the comment section of AE.
    FF access could be granted only after appropriate approvals EVERY time a user needs FF access. Each time, a request for the FF role goes through AE (the request could go through a separate workflow path) and is approved before being provisioned to the user. The approver can change the validity dates on the role assignment so that it can be provisioned for one day, for a week, a month, etc. An audit trail in AE will provide the approver information for historical purposes. This meets the policy of approvals every time FF access is provided, instead of the 24/7 master data set-up in the original Firefighter process.
    When running an SOD risk analysis on the user, the report will show the SODs the user has including their Firefighter access. (These SODs would then be mitigated per user even though they are a Firefighter.) There is a risk to the company when a firefighter can do one half of the risk on their own user ID and the second half of the risk on their Firefighter ID. Although this could still be caught, it would take some manual analysis. By using role-based Firefighter, all activities are performed and recorded under the user's normal user ID.
    The Firefighter does not need to "check out" a Firefighter ID; the access is on their normal user ID.
    The standard SAP audit trails have the user IDs instead of the firefighter IDs, so when researching the change, the firefighter logs don't need to be analyzed to see which user had used that Firefighter ID at that time.
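The split-ID problem described in the answer above (and raised as the "two log-ins" concern in the opening post of this thread) comes down to a correlation step: the backend audit trail only shows the executing ID, so the FFID check-out log has to be joined to it before an SoD check can see one person. The script below is an added example, not code from the thread or from SAP GRC; the session log, audit rows, transaction codes and the single SoD rule are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed sample data, not from the thread. The GRC side records who had a
# Firefighter ID checked out and when; the backend's own audit trail only shows
# the executing ID. Correlating the two is what lets an SoD check see a person
# rather than two unrelated user IDs.
FF_SESSIONS = [
    # (ffid, firefighter, check-out start, check-out end)
    ("FF_FIN01", "JDOE", "2024-03-04T09:00:00", "2024-03-04T10:30:00"),
    ("FF_FIN01", "ASMITH", "2024-03-04T13:00:00", "2024-03-04T14:00:00"),
]

BACKEND_AUDIT = [
    # (timestamp, executing user ID, transaction code)
    ("2024-03-04T08:45:00", "JDOE", "FK01"),      # vendor master created under own ID
    ("2024-03-04T09:20:00", "FF_FIN01", "F110"),  # payment run while JDOE holds the FFID
    ("2024-03-04T13:15:00", "FF_FIN01", "SE16"),  # unrelated FF activity by ASMITH
    ("2024-03-04T16:00:00", "FF_FIN01", "F110"),  # FFID used outside any check-out window
    ("2024-03-04T11:00:00", "MJONES", "FK01"),    # role-based FF: both halves stay under own ID
    ("2024-03-04T11:05:00", "MJONES", "F110"),
]

# A constructed SoD rule: creating a vendor and running payments is one conflict.
SOD_RULES = {"P001": ("FK01", "F110")}


@dataclass(frozen=True)
class Action:
    ts: datetime
    actor: str         # the person held responsible for the action
    executed_as: str   # the ID that actually appears in the audit trail
    tcode: str


def attribute(audit, sessions):
    """Resolve each audit row to a person.

    Rows executed by a Firefighter ID are mapped through the check-out windows.
    Rows under an FFID with no matching window are returned separately: they
    are a finding in their own right (FFID used without a recorded session).
    """
    ff_ids = {s[0] for s in sessions}
    attributed, orphans = [], []
    for ts_s, uid, tcode in audit:
        ts = datetime.fromisoformat(ts_s)
        if uid not in ff_ids:
            attributed.append(Action(ts, uid, uid, tcode))
            continue
        holder = next(
            (who for ffid, who, start, end in sessions
             if ffid == uid
             and datetime.fromisoformat(start) <= ts <= datetime.fromisoformat(end)),
            None,
        )
        if holder is None:
            orphans.append(Action(ts, "UNKNOWN", uid, tcode))
        else:
            attributed.append(Action(ts, holder, uid, tcode))
    return attributed, orphans


def sod_hits(actions, rules):
    """Return {(actor, rule_id)} for every person who executed both halves of a
    rule, no matter which ID each half was executed under."""
    per_actor = {}
    for a in actions:
        per_actor.setdefault(a.actor, set()).add(a.tcode)
    return {
        (actor, rule_id)
        for actor, tcodes in per_actor.items()
        for rule_id, (first, second) in rules.items()
        if first in tcodes and second in tcodes
    }


def naive_sod_hits(audit, rules):
    """The same check on raw audit rows, i.e. without correlating the FF log:
    the FFID is treated as just another user, so a split conflict is invisible."""
    raw = [Action(datetime.fromisoformat(t), u, u, c) for t, u, c in audit]
    return sod_hits(raw, rules)


if __name__ == "__main__":
    print("raw audit only   :", sorted(naive_sod_hits(BACKEND_AUDIT, SOD_RULES)))
    actions, orphans = attribute(BACKEND_AUDIT, FF_SESSIONS)
    print("after correlation:", sorted(sod_hits(actions, SOD_RULES)))
    for o in orphans:
        print("FFID used outside a check-out window:", o.executed_as, o.tcode, o.ts)
```

Run as-is, the raw audit only reports MJONES (the role-based case, where both halves sit under one ID), while the correlated view also reports JDOE and flags the unattributed FFID use at 16:00.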

  • Renumbering with ACL-Friendly Role-Based Addressing or...?

    We are a mid-sized manufacturing firm operating out of three locations and we are in the process of making plans to restructure and renumber our networks so as to better facilitate automated configuration management and security, in addition to easing our deployment of IPv6.  Currently, at each site the L3/L2 boundary resides at the network core, but increasing traffic/chatter has us considering moving the L3/L2 boundary to the access layer(s), which consist of 3560-X units in the wiring closets that are supporting edge devices either directly or via 8-port 3560-C compact switches in the further reaches of our manufacturing and warehouse spaces.
    As we contemplate moving to a completely routed network, the big unknown we're struggling with is whether or not it is safe or even desirable to abandon ACL-friendly addressing, and whether, in doing so, we can expect to run into hardware limitations resulting from longer ACLs.
    Currently, each of our site-wide VLANs gets a subnet of the form 10.x.y.0/24, where x identifies the site and y identifies the class of equipment connected to said VLAN.  This allows us to match internal traffic of a given type with just a single ACE, irrespective of where the end-point device resides geographically.  Moving L3 routing decisions out to the access switches will require that we adopt smaller prefix assignments, with as many as 8 distinct subnets on each of our standard-issue 3560CG-8PC compact switches.  Why so many, you ask?  We currently have more than 30 ACL-relevant classifications of devices/hosts - a number that will only grow with time, and to maximize the availability of all services, it is our policy to physically distribute edge devices of a given class (e.g. printers, access points, etc.) over as many access switches as possible.
    From what I can see, we have three options, each of which present trade-offs in terms of management complexity and address utilization efficiency: 
    Option 1: Stick with ACL-friendly addressing, both for IPv4 and IPv6, and allocate uniform prefixes to each access switch.  For IPv4, within the 10.0.0.0/8 block we would probably allocate 8 bits to the site ID (/16), followed by 6 bits as the switch ID (/22), and 7 bits to identify the equipment/host classification (/29), for a maximum of 5 available addresses for a given class of devices on a given access switch.  For IPv6, assuming we have a /48 block for each site, we would use the first two bits to identify the type of allocation, the following 6 as the switch ID (/56), and the following 8 as the equipment/host classification (/64).
    Option 2: Abandon ACL-friendly addressing and dynamically allocate standard-sized prefixes from a common pool to each VLAN on a given switch.  The advantages of this approach are increased utilization efficiency and more addresses available within each VLAN, but it comes at the cost of non-summarizable routing tables and ACLs, and even if the hardware can handle this, it means we're talking about a more complex configuration management system and less ease in troubleshooting problems.
    Option 3: Do something similar to option 1, but with the L2/L3 boundary positioned at the distribution layer rather than the access layer.  I'm disinclined to go this route, as it seems to require the same, if not more, management complexity than we'll encounter with option 1, with only marginal benefits over keeping things the way they are currently (L2/L3 boundary at the network core).
    Thoughts?  What issues have we neglected to consider?  No matter which approach we select, it shall be assumed that we will be building a system to track all of these prefix assignments, provision switches, and manage their configurations.  From a standpoint of routing protocols, we would probably be looking at OSPFv2/v3.  It can also be assumed that if we encounter legacy devices requiring direct L2 connectivity to one another that we already have ways of bridging their traffic using external devices, so as far as this discussion is concerned, they aren't an issue.
    Thanks in advance for your ideas!
    -Aaron
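As an added illustration of the Option 1 layout (not part of Aaron's post or any Cisco tooling), here is a small Python calculator that derives the per-switch /29 and /64 for a site/switch/class triple, and the single ACE that still matches one device class across every access switch at a site once the switch bits sit in the middle of the address. The bit widths are the ones stated in the post; the site, switch and class numbers used are constructed.

```python
import ipaddress

# Option 1 from the post, IPv4 inside 10.0.0.0/8 (bit widths are the post's;
# the concrete site/switch/class numbers used below are constructed):
#   site id     8 bits  -> /16 per site
#   switch id   6 bits  -> /22 per access switch
#   host class  7 bits  -> /29 per class per switch
#   host        3 bits  -> 8 addresses, 5 usable after network, broadcast
#                          and the switch's gateway address
SITE_BITS, SWITCH_BITS, CLASS_BITS = 8, 6, 7
HOST_BITS = 32 - 8 - SITE_BITS - SWITCH_BITS - CLASS_BITS   # 3


def _check(value, bits, name):
    if not 0 <= value < (1 << bits):
        raise ValueError(f"{name} id {value} does not fit in {bits} bits")


def class_prefix(site, switch, dev_class):
    """The /29 holding one device class on one access switch."""
    _check(site, SITE_BITS, "site")
    _check(switch, SWITCH_BITS, "switch")
    _check(dev_class, CLASS_BITS, "class")
    n = ((10 << 24) | (site << 16)
         | (switch << (CLASS_BITS + HOST_BITS)) | (dev_class << HOST_BITS))
    return ipaddress.IPv4Network((n, 32 - HOST_BITS))


def usable_hosts(net):
    """Network, broadcast and the SVI gateway each consume one address."""
    return net.num_addresses - 3


def class_ace(site, dev_class):
    """(address, wildcard) matching one class at one site on *every* switch.

    The switch bits sit between the site bits and the class bits, so the mask
    has to be non-contiguous: 1s (don't care) in the switch and host bits,
    0s (must match) in the site and class bits. IOS extended ACLs accept such
    wildcards; this is exactly what prefix-length (CIDR) notation cannot express.
    """
    _check(site, SITE_BITS, "site")
    _check(dev_class, CLASS_BITS, "class")
    addr = (10 << 24) | (site << 16) | (dev_class << HOST_BITS)
    wild = ((((1 << SWITCH_BITS) - 1) << (CLASS_BITS + HOST_BITS))
            | ((1 << HOST_BITS) - 1))
    return str(ipaddress.IPv4Address(addr)), str(ipaddress.IPv4Address(wild))


def ace_matches(ace, ip):
    """Apply an (address, wildcard) pair the way an ACE does: bits set in the
    wildcard are ignored, all other bits must be equal."""
    addr, wild = (int(ipaddress.IPv4Address(x)) for x in ace)
    keep = ~wild & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & keep) == (addr & keep)


def class_prefix6(site_block, alloc_type, switch, dev_class):
    """The /64 for one class on one switch inside a site's /48, using the
    post's IPv6 split: 2 bits allocation type, 6 bits switch, 8 bits class."""
    site = ipaddress.IPv6Network(site_block)
    if site.prefixlen != 48:
        raise ValueError("expected a /48 per site")
    _check(alloc_type, 2, "allocation type")
    _check(switch, 6, "switch")
    _check(dev_class, 8, "class")
    subnet_id = (alloc_type << 14) | (switch << 8) | dev_class
    return ipaddress.IPv6Network((int(site.network_address) | (subnet_id << 64), 64))


if __name__ == "__main__":
    net = class_prefix(site=1, switch=5, dev_class=33)
    print(net, "usable hosts:", usable_hosts(net))       # 10.1.21.8/29 usable hosts: 5
    ace = class_ace(site=1, dev_class=33)
    print("permit ip", *ace, "any")                       # permit ip 10.1.1.8 0.0.252.7 any
    print(ace_matches(ace, "10.1.21.10"), ace_matches(ace, "10.1.21.16"))  # True False
    print(class_prefix6("2001:db8:1::/48", 1, 5, 33))     # 2001:db8:1:4521::/64
```

The wildcard 0.0.252.7 is the whole point of Option 1: one ACE per class per site survives the move to the access layer, whereas Option 2's pool-allocated prefixes would need one ACE per switch per class.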

    Hi David,
    Permissions based on GUI components is a simple & neat idea. But is it rugged? Really secure? It might fall short of Grady Booch's idea of Responsibilities of objects. Also that your Roles and Access components are coupled well with Views!!!!!!!
    My suggestion regarding the Management Beans is only to do with the dynamic modification which our discussion was going forward with.
    If we go back to our fundamental objective of implementing a Role based access control,let me put some basic questions.
    We have taken the roles data from a static XML file during the start up of the container. The Roles or Access are wanted to be changed dynamically during the running of the container. You would scrutinize the changes of Roles and access before permission during the case of dynamic modification.
    Do you want this change to happen only for that particular session? Don't you want these changes to persist??? When the container is restarted, don't you want the changes to stay back?
    If the answer to the above is YES(yes I want to persist changes), how about doing a write operation(update role/access) of the XML file and continue your operation? After all, you can get the request to a web or session bean and keep going.
    If the answer to the above is NO(no, i don't want to persist), you can still get the change role request to a web or session bean and keep going.
    Either way, there is going to be an intense scrutiny of the operator before giving her permissions!!!
    One hurdle could be how to get all neighbouring servers to know about the changes in roles and access??? An MBean or App Server API could help you in this.
    May I request all who see this direction to pour in more comments/ideas ? I would like to hear from David, duffymo, komone and jschell.
    Rajesh

  • Error in Role Based security using weblogic 9

    Hi All,
    Currently I am working with WebLogic Server 9. I am trying to use role based security. Below are the entries for web.xml.
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Success</web-resource-name>
            <url-pattern>/form.jsp</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>admin</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>INTEGRAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>myrealm</realm-name>
    </login-config>
    <security-role>
        <role-name>admin</role-name>
    </security-role>
    When I am calling form.jsp from the browser it is asking for the username and password, but after giving the username and password it is showing the following error:
    Error 403--Forbidden
    From RFC 2068 Hypertext Transfer Protocol -- HTTP/1.1:
    10.4.4 403 Forbidden
    The server understood the request, but is refusing to fulfill it. Authorization will not help and the request SHOULD NOT be repeated. If the request method was not HEAD and the server wishes to make public why the request has not been fulfilled, it SHOULD describe the reason for the refusal in the entity. This status code is commonly used when the server does not wish to reveal exactly why the request has been refused, or when no other response is applicable.
    So can anyone provide me the solution for the above problem?
    Thanks in advance.
    By,
    Sandip Pradhan

    Here is a blog post for the backend (WebLogic Admin GUI) http://disaak.blogspot.com/2009/11/migrating-to-weblogic-configure-role.html and a blog post for the web.xml in your project http://disaak.blogspot.com/2009/11/migrating-to-weblogic-configure-ear.html.

  • Role-Based CLI Views with AAA method

    Hi,
    I'm configuring Role-Based CLI Views on a router for limiting access to users.
    My criteria:
    - There should be a local user account on the router that has the view 'service' attached to it
    - If the router is online and can reach the radius server, people in the correct group are assigned the view 'service'
    My configuration:
    aaa new-model
    enable secret 1234
    username service view service secret 1234
    aaa group server radius my_radius
    server-private 10.1.1.1 auth-port 1645 acct-port 1646 timeout 3 retransmit 2 key 0 1234
    server-private 10.1.1.2 auth-port 1645 acct-port 1646 timeout 2 retransmit 1 key 0 1234
    aaa authorization console
    aaa authentication login mgmt group my_radius local
    aaa authorization exec mgmt group my_radius local
    line con 0
    authorization exec mgmt
    logging synchronous
    login authentication mgmt
    line vty 0 4
    authorization exec mgmt
    logging synchronous
    login authentication mgmt
    transport input ssh
    The ERROR
    Now I want to go configure the cli view 'service'...
    # enable view
    Password: 1234
    *Jun  1 08:00:02.991: AAA/AUTHEN/VIEW (0000000D): Pick method list 'mgmt'
    *Jun  1 08:00:02.991: RADIUS/ENCODE(0000000D): ask "Password: "
    *Jun  1 08:00:02.991: RADIUS/ENCODE(0000000D): send packet; GET_PASSWORD
    *Jun  1 08:00:21.011: RADIUS: Received from id 1645/13 10.1.1.1:1645, Access-Reject, len 20
    The Questions
    Why does the 'enable view' try to pick a method list when you have to supply the enable secret to access the root view?
    Can you change this behaviour to always use the enable secret?
    The TEMP Solution
    If you're logged on to the router via telnet or SSH, the solution or workaround to this issue is:
    aaa authentication login VIEW_CONFG local
    line vty 0 4
    login authentication VIEW_CONFG
    Do your configuration of the view and re-configure the line to use the correct (wanted) method of authentication.
    Thanks so much for the suggestions
    /JZN

    hi,
    You have the following configured:
    aaa authentication login mgmt group my_radius local
    aaa authorization exec mgmt group my_radius local
    line con 0
    authorization exec mgmt
    logging synchronous
    login authentication mgmt
    line vty 0 4
    authorization exec mgmt
    logging synchronous
    login authentication mgmt
    transport input ssh
    Hence every time you try to log in to the console or try SSH, the authentication will head to the RADIUS server because of the following command: "login authentication mgmt".
    You cannot make it local. Whatever is defined on the method list mgmt first will take precedence.
    enable secret will be locally defined, but you have the following configured:
    aaa authorization exec mgmt group my_radius local
    line con 0
    authorization exec mgmt
    line vty 0 4
    authorization exec mgmt
    Hence exec mode will also be done via the RADIUS server.
    When you configure:
    aaa authentication login VIEW_CONFG local
    line vty 0 4
    login authentication VIEW_CONFG
    you are making the authentication local, hence it is working the way you want.
    In short, whatever authentication is defined first on the method list will take precedence. The fallback will be checked only if the first AAA server is not reachable.
    Hope this helps.
    Regards,
    Anisha
    P.S.: please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.

  • Role based Firefighter approach in AC 10

    I am in the process of implementing "role based" FF (the ID based approach is not implemented as users are not comfortable logging in to the GRC system to execute the tcodes).  I have a query about it.
    If we maintain the role based FF logins and we run a risk report, all the conflicts are still found associated with those FF IDs as they have the conflicting role assigned to them in SU01.  So is it OK to live with these conflicts found related to FF IDs?  What will be the case during audit? Will they accept that these risks occurring for the FF can be ignored?

    Hello,
    I think the best approach is to mitigate the risk as Alexander describes here:
    Why Role based Firefighter
    Cheers,
    Diego.

  • GRC 10 Role based firefighter multiple users

    Hi All
    We are using GRC AC 10 SP12 and have Role based EAM implemented. We are looking at way to prevent the same user from being assigned multiple firefighters or a way for approver to know that another Firefighter ID is already assigned to this user?
    Thanks in advance
    Regards
    Vijaya

    Hi Vijaya,
    You can train approvers to Click on existing assignment button(in Access Request) to know the roles already assigned.
    And if in your environment FF roles have a distinguished naming convention, then they can easily be identified
    by role owners.
    Thanks,
    mamoon

  • iManager error editing Role Based Entitlements

    Hi,
    A while back we had to re-create our Organisational CA and server certificates. (Don't ask why...) Everything seemed to go well except for one issue I've been having since.
    We have OES2 SP3 (eDir 8.8 SP6) running on SLES 10 SP3.
    iManager version is 2.7.4
    Identity Manager Version is 3.6.1
    When I try to edit a role based entitlement I get the error:
    "Unable to obtain an LDAP context. Possible causes: the LDAP server is not running, or the LDAP server is for a tree other than the one iManager was originally set up for, and SSL has not been set up between the iManager server and the LDAP server. Either start the LDAP server, or set up SSL by importing a trusted certificate."
    I have tried deleting the iMKS file and importing the certificate manually as detailed here:
    https://www.novell.com/documentation...a/bx8g5g8.html
    There are plenty of other pages showing the same method of resolving this issue but none have worked.
    Any ideas?
    Thanks.

  • IManager & Role Based Entitlements

    I'm re-posting this here as I didn't get any response from the original post linked below:
    https://forums.novell.com/showthread...-Entitilements
    Hi,
    A while back we had to re-create our Organisational CA and server certificates. (Don't ask why...) Everything seemed to go well except for one issue I've been having since.
    We have OES2 SP3 (eDir 8.8 SP6) running on SLES 10 SP3.
    iManager version is 2.7.4
    Identity Manager Version is 3.6.1
    When I try to edit a role based entitlement I get the error:
    "Unable to obtain an LDAP context. Possible causes: the LDAP server is not running, or the LDAP server is for a tree other than the one iManager was originally set up for, and SSL has not been set up between the iManager server and the LDAP server. Either start the LDAP server, or set up SSL by importing a trusted certificate."
    I have tried deleting the iMKS file and importing the certificate manually as detailed here:
    https://www.novell.com/documentation...a/bx8g5g8.html
    There are plenty of other pages showing the same method of resolving this issue but none have worked.
    Any ideas?
    Thanks.

    For some reason I cannot find your old post via NNTP, though I see it on
    the web interface. Perhaps the gateway had a problem, which would have
    limited your responses. Either way, for future reference, you may want to
    post questions on the RBE features in the iManager or IDM forums, both
    located on https://forums.netiq.com/ (same looking page, same account,
    just focused on the NetIQ products, including those moved over from
    Novell). Also, for iManager problems, same thing: try the iManager forum
    specifically on the NetIQ site. Considering you've been with Novell for a
    while, it's definitely understandable that you'd look here for those
    forums, though, as they used to be on this site.
    The vast majority of iManager functions use NCP exclusively; adding users,
    modifying them, associating with groups, setting up file services
    (CIFS/SMB/AFP/NSS), managing most of IDM, configuring LDAP services
    provided by eDirectory, etc.. eDirectory, after all, is NCP-based and
    LDAP is an interface added to it to do things that work better via LDAP.
    Thus, most things work just fine no matter what you do via LDAP.
    In your case you are describing one of the few services where iManager
    actually needs to work with eDirectory via LDAP. Other examples including
    working with Universal Password (UP) under the Passwords role. In these
    cases iManager uses eDirectory to find appropriate LDAP services and then
    connects to those as well for specific operations. As a result, we look
    at LDAP as it sounds like you have already done. TID# 7008836 seems to
    have very similar instructions to the documentation link you posted, but
    you may find it useful in some way.
    You mentioned recreating your CA and server certificates (Key Material
    Objects, or KMOs). Doing this SHOULD have made it so all certificates you
    created (presumably after the CA change) would be minted by the new CA, so
    if you browse to those certificates you should see them with a Trusted
    Root of the new CA, which should have (by default) an expiration ten years
    from its creation (individual KMOs expire by default two years after
    creation). With this verified, your LDAP Server object (for which there
    is usually one per NCP/eDirectory server) will also have a link to one
    KMO. If you did not delete old certificates, it is very possible that the
    LDAP Server is still pointed to an old KMO and using it happily even
    though the rest of the tree is using new data, and the old KMO may be
    expired causing issues with clients (like iManager). Be sure to check
    that. If pointed to an old KMO, point it to a new one and then restart
    eDirectory (or maybe just the LDAP module).
    Other things you may try include setting up iManager Workstation 2.7 SP7;
    it runs on your workstation and then otherwise acts like the server in
    most areas. Getting old IDM 3.6.1 plugins on there may be the hardest
    part, but really should not be that hard if you have the IDM media
    somewhere. With this you can test pointing to your environment to see if
    anything works there, ruling in/out a weird iManager problem.
    Also, is it safe to assume that eDirectory 8.8 SP6 is the latest version
    in your tree? If 8.8 SP8 exists there is a change in LDAP configuration
    data, specifically the ldapInterfaces attribute on the LDAP Server object,
    which can cause LDAP-using plugins to have a hard time finding 8.8 SP8
    servers specifically.
    Lastly, especially if you have iManager Workstation or if you have
    iManager on a non-eDirectory box, getting a LAN trace could help us see
    exactly what iManager is doing on the wire, and then isolate better why it
    is failing.
    Good luck.

  • RBAC (Roles Based Access Control) "Broken" in WCS

    In my opinion, RBAC in WCS is broken. They have taken a good concept and implemented it wrong. The way it is currently working is as follows. Roles are defined in WCS. In ACS (or whatever Radius server you want to use), you have to first set up a new "Service" in the TACACS "Interface" configuration called "Wireless-WCS". All this is good. In WCS you then have to go to the "role" or Group that you want, click on task list and it will give you both a TACACS and Radius output that you have to take and then paste into the "Wireless-WCS" custom attribute box in ACS. An example for "SuperUser" role would be a list like below; note the real list is 48 different "tasks", I shortened it here.
    role0=SuperUsers
    task0=Users and Groups
    task46=Auto Provisioning
    task47=Voice Audit Report
    Here is the problem. Why, if you have the role defined in WCS, do you have to repeat its definition in ACS? Why can't you simply pass the first line ("role0=SuperUsers") and have it use the defined role in WCS? This just seems silly. They changed the role of the "SuperUser" in the new 5.0 code too, which means if you assigned these at the user level, you would have to potentially go update a ton of User accounts in ACS so people would have access to their appropriate roles.
    The last time I complained I was told that the reason for it was "The reason it had to be done that way is b/c WCS is not IOS based and the code dictates that it must be done that way." Seems like a silly reason for not doing things in a good way...
    Just letting everyone know so they can complain when they come across it. Maybe with enough complaints they'll fix it.. 8-)
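    The post's complaint is that ACS holds an independent copy of each WCS role's task list, so a role change in WCS (such as the SuperUser change in 5.0) silently leaves users in ACS with stale entitlements. The following is an added example, not code from the post or from Cisco: it parses the roleN=/taskN= block in the format shown above from both sides and reports the drift. The sample blocks are constructed.

```python
"""Drift check between a WCS role's task list and the copy stored in ACS.

Added example. Assumes the block format shown in the post: one ``roleN=``
line followed by ``taskN=`` lines; the sample data below is constructed.
"""
import re
from typing import Dict, List, Tuple

ROLE_RE = re.compile(r"^role(\d+)=(.+)$")
TASK_RE = re.compile(r"^task(\d+)=(.+)$")


def parse_attribute_block(text: str) -> Tuple[str, List[str]]:
    """Return (role name, tasks ordered by their index) from an attribute block."""
    role = None
    tasks: Dict[int, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if m := ROLE_RE.match(line):
            role = m.group(2).strip()
        elif m := TASK_RE.match(line):
            tasks[int(m.group(1))] = m.group(2).strip()
        else:
            raise ValueError(f"unrecognised line: {line!r}")
    if role is None:
        raise ValueError("block has no roleN= line")
    return role, [tasks[i] for i in sorted(tasks)]


def task_drift(wcs_block: str, acs_block: str) -> Dict[str, object]:
    """Compare the role as defined in WCS with the copy pasted into ACS."""
    wcs_role, wcs_tasks = parse_attribute_block(wcs_block)
    acs_role, acs_tasks = parse_attribute_block(acs_block)
    return {
        "role_matches": wcs_role == acs_role,
        # Tasks WCS now grants that ACS never passes on (user lacks access).
        "missing_in_acs": sorted(set(wcs_tasks) - set(acs_tasks)),
        # Tasks ACS still passes that WCS has removed (stale entitlement).
        "extra_in_acs": sorted(set(acs_tasks) - set(wcs_tasks)),
    }


# Constructed sample: after an upgrade the WCS role gained a task ACS lacks.
WCS_SUPERUSER = "role0=SuperUsers\ntask0=Users and Groups\n" \
                "task1=Auto Provisioning\ntask2=Voice Audit Report\n"
ACS_SUPERUSER = "role0=SuperUsers\ntask0=Users and Groups\n" \
                "task1=Voice Audit Report\n"

if __name__ == "__main__":
    print(task_drift(WCS_SUPERUSER, ACS_SUPERUSER))
```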

    Hi,
    I believe all your questions are answered in the "System Administrator's Guide - Security" manual.
    Applications Releases 11i and 12
    http://www.oracle.com/technology/documentation/applications.html
    You may also review this document.
    Note: 753979.1 - E-Business Suite Diagnostics RBAC Basics
    https://metalink2.oracle.com/metalink/plsql/ml2_documents.showDocument?p_database_id=NOT&p_id=753979.1
    Regards,
    Hussein
