Effective permissions for LDAP user that is a member of multiple groups?

We use AD and LDAP group maps to authenticate to UCS, and I'm trying to understand the effective permissions when a user is a member of multiple LDAP groups, each with different UCSM permissions.
I expected that UCS would grant access based on the union of the effective permissions specified in UCS, but instead it appears to use the permissions of just one of the groups, and it's unclear whether the selection is random or deterministic. If this is expected behaviour, is there a way to affect the selection process?
Cheers,
Paul

Hi,
I tested the issue on SharePoint server 2013 without sp installed. It worked and I used global security group. I will test the issue on SharePoint 2013 sp1 later, and please provide more information to narrow down the issue.
Please go to site settings > site permissions > check permission, type in domain\user1, and post the result here.
If the user has been granted permission, please try logging on another machine to test if Windows credential causes the issue.
Did the issue occur to one site collection? Please test on other sites or web applications?
Please create new user to test the issue again.
Regards,
Rebecca Tu
TechNet Community Support

Similar Messages

  • How to check whether a file got read permissions for particular user

    Problem: Suppose the JRE is running with some user x as the effective user on Linux; then, when checking file permissions, it checks the permissions on that file for user x.
    import java.io.File;

    File f = new File("file name");
    // exists() is evaluated with the access rights of the JVM's effective user (x).
    if (f.exists())
        System.out.println("exists");
    else
        System.out.println("does not exists");
    The above code prints "exists" only when user x has permissions on that file.
    Requirement: I would like to check whether a file got read permissions for particular user i.e. whether y user got permissions on that file.
    Any help is appreciated

    In Linux a user has to have read permission on a file to even see that it exists. As a result, if a user (or a group to which they belong) doesn't have read access to the file File.exists() will return false. Windows which doesn't have as tightly controlled access to files will admit that a file exists whether it can be read or not.
    PS.
    This is proof that I should never answer a question off the top of my head when I haven't had my red bull yet. This is wrong. You will be able to see it if you have read and execute on the directory.
    thumps self in head
    Message was edited by:
    puckstopper31

  • Files to download without any permissions for guest user.

    Hello, i have created a KM Navi Iview, with path to /documents/.../...
    When i go to
    http://portal/irj/portal/anonymous i see a list of files, but i can copy,delete and rename files (permissions for guest are: read), how can i solve this, if i need only download permissions for guest?

    Hello Artem,
    Please do not remove the Guest User from its groups.
    The Guest User is an integral part of the "Anonymous Users" group which ultimately falls under "Everyone" Group. How did you remove Guest User as only Config tool allows you to do that.
    What I suggest is make a Portal Group of Users and add all your regular users to it. Give Read/Write permission to this group. Then add only Read permissions for Anonymous Users Group.
    Hope this helped.

  • Is it possible to save System preference settings for every user that logins to a Mac OS X?

    I work at a school and we have iMacs running Mavericks 10.9 in our environment.  We have them bound to our Windows domain so that way students can use their own login to access the Macs.  I have a number of System preference settings that I would like to take effect, but I only see that these settings take effect for every user.  So even if I login as the Main administrator account and set settings in System Preferences, such as not allowing the Wifi symbol to show, the next user that logins will still see the wifi symbol because the setting isn't taking effect for their System preferences.  Does anyone know a way to get System Preference settings to take effect for every user that logins? Maybe a script?

    Modifying the user template is not supported. You can Google for people who have done it in the past. I would recommend going the official route, if possible. Here are a couple of training documents. I'm sure there is more available through more official channels.
    http://training.apple.com/pdf/wp_osx_configuration_profiles_ml.pdf
    https://www.apple.com/education/docs/l521219b_osx_deployment_guide_030513.pdf
    http://training.apple.com/pdf/wp_integrating_active_directory_mav.pdf

  • How can I set the default home page in Firefox 4 for all users that login to a PC on a Win 7 PC?

    I work at a community college in upstate NY.
    We use Firefox as the default browser at our institution and we have always set the default homepage to be our homepage for all users that login to the PC. We had a procedure to do that that worked with Windows XP and FF 3 or earlier.
    We would do the following:
    1. go to: c:\Documents and Settings\Administrator\Application Data\Mozilla\FireFox\Profiles\<profile_name>\prefs.js
    2. Add the line: user_pref("browser.startup.homepage", "http://www.genesee.edu");
    3. Copy the Folder
    C:\Documents & Settings\Administrator\Application Data\Mozilla
    To
    C:\Documents & Settings\Default User\Application Data\Mozilla
    4. Restart the computer
    We're going to Win 7 and Firefox 4 and things seem to be different in terms of files and file structure. Does anyone know how to accomplish this?
    Thanks in advance.

    Making customisation from the default profile is generally considered poor practice and quite often doesn't work out as planned. (If you're interested in some more information on this, see here: http://mockbox.net/windows-7/227-customise-windows-7-default-profile.html)
    This article should help you with developing and deploying your customised Firefox 4 installation (without touching the Windows 7 default user profile):
    http://mockbox.net/configmgr-sccm/174-install-and-configure-firefox-silently.html

  • Password security - set permissions for different users

    I am using Adobe Acrobat 9 Pro.
    In the HELP menu, there is a security section in the contents, In the overview, it states the following:
    "Each security method offers a different set of benefits. However, they all allow you to specify encryption algorithms, select the document components to encrypt, and set permissions for different users."
    I would like to know how you can set permissions for different users using Password Security.
    I am the only one in the company who has Acrobat 9 Pro and all others have Adobe Reader 8.
    I have created a PDF file in Acrobat 9, this file is accessible to anyone with Adobe Reader. I would like to set different permissions for different users. For example, I would like certain individuals to print the document and other individuals to not be allowed to print. Can this be achieved using Password Security?
    Many Thanks

    I have created a PDF file in Acrobat 9, this file is accessible to
    anyone with Adobe Reader. I would like to set different permissions for
    different users. For example, I would like certain individuals to print
    the document and other individuals to not be allowed to print. Can this
    be achieved using Password Security?
    No.

  • Want to set Reader option in Internet Preferences for all users that login to the workstation

    How can I do this? Is there a config file to edit or a policy object to maintain the preferences settings for all users?  Right now this has to be set manually for each user that would use the system.  Thank you!

    Making customisation from the default profile is generally considered poor practice and quite often doesn't work out as planned. (If you're interested in some more information on this, see here: http://mockbox.net/windows-7/227-customise-windows-7-default-profile.html)
    This article should help you with developing and deploying your customised Firefox 4 installation (without touching the Windows 7 default user profile):
    http://mockbox.net/configmgr-sccm/174-install-and-configure-firefox-silently.html

  • How to get Reports for specific User that how many password has been reset using FIM SSPR in FIM 2010 R2 SSPR

    Hi,
    How to get Reports for specific User that how many password has been reset using FIM SSPR in FIM 2010 R2 SSPR
    Regards
    Anil Kumar

    Hello there Anil,
    A simple way to quickly get an overview is to look at the request history within the portal environment (note that this will expire in a few days based on your environment, after that you would need the FIM Reporting Module - but you could increase this to maybe 60 days or so, watch the DB size).
    To do this you could create some custom search scopes or do some custom queries. The creator of the SSPR activities always has the same GUID so you can use that to search.
    In your search scope you can use the following XPath to play with.
    - All Password Reset Requests - /Request[Creator='b0b36673-d43b-4cfa-a7a2-aff14fd90522' and Operation='Put']
    - All Completed Password Reset Requests - /Request[Creator='b0b36673-d43b-4cfa-a7a2-aff14fd90522' and RequestStatus='Completed']
    You can play with the "RequestStatus".
    Hope this helps.
    Almero Steyn (http://www.puttyq.com)

  • Script to find users that are a member of more than one of a list of specific groups

    Hi,
    I need to generate a list of users that are members in more than one group, out of a list of specific security groups.  Here's the situation:
    1) We have about 1100 users, all nested under a specific OU called CompanyUsers.  There are sub-OUs under CompanyUsers that users may actually be in.
    2) We have about 75 groups, all directly under a specific OU called AppGroups.  These groups correspond to a user's role within an internal line of business application.  All these groups start with a specific character prefix "xyz", so the group name is actually "xyz-approle".
    I want to write a script that tells me if a user from point 1) is a member in more than one group in point 2).  So far, I've come up with a way to enumerate the users to an array:
    $userlist = get-qaduser -searchroot 'dq.ad/dqusers/doral/remote' | select samaccountname |Format-Table -HideTableHeaders
    I also have a way to enumerate all the groups that start with xyz that the user is a member of:
    get-QADMemberOf -identity <username> -name xyz* -Indirect
    I figure I can use the first code line to start a foreach loop that uses the 2nd code line, outputting to CSV format for easy to see manual verification.  But I'm having two problems:
    1) How to get the output to a CSV file in the format <username>,groupa,groupb,etc.
    2) Is there any easier way to do this, say just outputting the users in more than one group?
    Any help/ideas are welcome.
    Thanks in advance!
    John

    Here is a PowerShell script solution. I can't think of a way to make this more efficient. You could search for all groups in the specified OU that start with "xyz", then filter on all users that are members of at least one of these groups. However, I suspect that most (if not all) users in the OU are members of at least one such group, and there is no way to filter on users that are members of more than one. This solution returns all users and their direct group memberships, then checks each membership to see if it meets the conditions. It outputs the DN of any user that is a member of more than one specified group:
    # Search CompanyUsers OU (the ADSI path needs the LDAP:// provider prefix).
    $strUsersOU = "LDAP://ou=CompanyUsers,ou=West,dc=MyDomain,dc=com"
    $UsersOU = New-Object System.DirectoryServices.DirectoryEntry $strUsersOU
    # Use the DirectorySearcher class.
    $Searcher = New-Object System.DirectoryServices.DirectorySearcher
    $Searcher.SearchRoot = $UsersOU
    $Searcher.PageSize = 200
    $Searcher.SearchScope = "subtree"
    $Searcher.PropertiesToLoad.Add("distinguishedName") > $Null
    $Searcher.PropertiesToLoad.Add("memberOf") > $Null
    # Filter on all users in the base.
    $Searcher.Filter = "(&(objectCategory=person)(objectClass=user))"
    $Results = $Searcher.FindAll()
    # Enumerate users.
    "Users that are members of more than one specified group:"
    ForEach ($User In $Results)
    {
        $UserDN = $User.Properties.Item("distinguishedName")
        $Groups = $User.Properties.Item("memberOf")
        # Consider users that are members of at least 2 groups.
        If ($Groups.Count -gt 1)
        {
            # Count number of group memberships.
            $Count = 0
            ForEach ($Group In $Groups)
            {
                # Check if group Common Name starts with the string "xyz".
                # The comparison ignores case because AD returns DNs as "CN=...".
                If ($Group.StartsWith("cn=xyz", [System.StringComparison]::OrdinalIgnoreCase))
                {
                    # Make sure group is in specified OU (AppGroups, as named in the question).
                    If ($Group.ToLower().Contains(",ou=appgroups,"))
                    {
                        $Count = $Count + 1
                        If ($Count -gt 1)
                        {
                            # Output users that are members of more than one specified group.
                            $UserDN
                            # Break out of the inner ForEach loop.
                            Break
                        }
                    }
                }
            }
        }
    }
    Richard Mueller - MVP Directory Services
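
The check John describes, as an added example that is not code from the thread: it reports each user who holds more than one "xyz-" role group sitting directly under the AppGroups OU, one line per user in the `<username>,groupa,groupb` form asked for, which is the list a role-overlap review needs. The sample users and group DNs are constructed, and the function names `Get-RoleGroupName` and `Get-MultiRoleUser` are hypothetical; in a live domain the `MemberOf` values would come from a directory search and cover direct memberships only.

```powershell
# Constructed sample data standing in for directory search results
# (sAMAccountName plus memberOf DNs); not taken from a real domain.
$SampleUsers = @(
    [pscustomobject]@{ SamAccountName = 'asmith'; MemberOf = @(
        'CN=xyz-billing,OU=AppGroups,DC=MyDomain,DC=com',
        'CN=xyz-approver,OU=AppGroups,DC=MyDomain,DC=com',
        'CN=Staff,OU=Groups,DC=MyDomain,DC=com') },
    [pscustomobject]@{ SamAccountName = 'bjones'; MemberOf = @(
        'CN=xyz-billing,OU=AppGroups,DC=MyDomain,DC=com') },
    [pscustomobject]@{ SamAccountName = 'cwu'; MemberOf = @(
        'CN=xyz-audit,OU=AppGroups,DC=MyDomain,DC=com',
        # Same prefix, but in a sub-OU, so not "directly under" AppGroups.
        'CN=xyz-legacy,OU=Retired,OU=AppGroups,DC=MyDomain,DC=com') },
    [pscustomobject]@{ SamAccountName = 'dlee'; MemberOf = @(
        # Mixed case on purpose: DN comparison must ignore case.
        'cn=XYZ-audit,ou=appgroups,dc=mydomain,dc=com',
        'CN=xyz-billing,OU=AppGroups,DC=MyDomain,DC=com') }
)

# Hypothetical helper: emits the group's common name when the DN is a role
# group (CN starts with the prefix and the immediate parent is the given OU);
# emits nothing otherwise.
function Get-RoleGroupName {
    param([string]$GroupDN, [string]$Prefix, [string]$ParentOU)
    # Split into RDNs on commas that are not backslash-escaped.
    $rdns = [regex]::Split($GroupDN, '(?<!\\),')
    if ($rdns.Count -lt 2) { return }
    $cn     = $rdns[0].Trim()
    $parent = $rdns[1].Trim()
    # -like and -eq are case-insensitive in PowerShell.
    if ($cn -like "CN=$Prefix*" -and $parent -eq "OU=$ParentOU") {
        $cn.Substring(3)
    }
}

# Hypothetical helper: emits one "<username>,groupa,groupb,..." line for each
# user who is in more than one role group.
function Get-MultiRoleUser {
    param($Users, [string]$Prefix = 'xyz-', [string]$ParentOU = 'AppGroups')
    foreach ($u in $Users) {
        $roles = @(
            $u.MemberOf |
                ForEach-Object { Get-RoleGroupName -GroupDN $_ -Prefix $Prefix -ParentOU $ParentOU } |
                Sort-Object -Unique
        )
        if ($roles.Count -gt 1) {
            (@($u.SamAccountName) + $roles) -join ','
        }
    }
}

# Print the report; pipe to Set-Content to save it as a .csv file instead.
Get-MultiRoleUser -Users $SampleUsers
```

Group names that themselves contain a comma would need quoting before the lines are treated as CSV.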

  • Can we set User roles/permissions for a content that is stored in Contentspace at the end of Process

    Friends,
    I have a requirement where a set of approvers approve a form and at the end of the process I store the form as a pdf in the contentspace.
    My requirement is that, can we set roles/permission for the file that I store in the contentspace and allow only the people who have approved the form to view/edit the content in the contentspace.
    If possible, what workbench activity should I use and how should I use it in the process?
    Thanks for your support
    -Ashok Deivasigamani

    There is a read/write permissions service in the Content Services category in workbench that will allow you to control the access to the space or the file that you write into CS.
    Paul

  • Sharing and Permissions for Admin Users Home Folder

    Staff user group deleted from Admin User home folder.  User groups listed are the user as read/write, admin as read and everyone as read.  If you create a new Admin user the group "staff" is listed instead of "admin"????  How do I get it back to how it was?  It also seems to be affecting stored passwords in my keychain and other apps.

    Hi, i think it depends who are you serving for, if you are just serving for a small office or home server or a big organization. The following quick thinking just came to me:
    I think cups automatically sets a system user of its own, and runs as it, so no trouble there. Cups also has the option to set users and it uses the system users as default, I think it depends on how many printers/users you have in your server. Users that can manage cups are in the lp group.
    For nfs every user should have their home, samba is also a good option if you have  windows computer in your network and it integrates better with graphical file  managers like nautilus in the clients side, but it is a hassle to configure.
    You should run the web server (owncloud) as its own user, maybe you can manage to set something up for owncloud in the filesystem, but owncloud uses a database, and the users for owncloud are stored in there, and they are not system users.
    You can configure ssh for local use only enabling the corresponding subnets in your /etc/sshd.conf and optionally but recommended you can set a firewall and permissions. You can use iptables but i prefer ufw for simple setup.
    I think you should read the wiki:
    https://wiki.archlinux.org/index.php/users_and_groups
    and the other respective topics in the wiki.
    Also as advice, I know that arch linux is a great distribution, but you have to do more work to maintain a stable server. I would recommend debian or another more conservative distro, but of course it is your choice.
    Last edited by hydrosIII (2014-11-06 06:26:45)

  • Creation of Public Sector Planning application fails for LDAP user

    The environment is on Windows 2008 R2 & EPM 11.1.2.2.302 of Planning. The creation of "general" planning applications works fine, regardless of the method of creation, Native User/LDAP User or Classic/EPMA. The creation of Public Sector Planning application using Classic Administration fails when using an LDAP user.
    It works when using a Native User. It also works fine if EPMA is used, for both Native as well as LDAP users.
    Our developers are not comfortable with EPMA yet, so want/need the ability to create the applications using Classic Administration.
    Looking at the Planning sysout log, the only error message indicates a timeout with Calculation Manager:
    Calc manager rules initialization failed. Please load and deploy the rules from Calc Manager UI
    ERROR:Error while loading rules in Calc Manager. <HTML><HEAD><TITLE>Weblogic Bridge Message</TITLE></HEAD> <BODY><H2>Failure of server APACHE bridge:</H2><P><hr>No backend server available for connection: timed out after 10 seconds or idempotent set to OFF or method not idempotent.<hr> </BODY></HTML>
    Calculation Manager itself seems to be working fine.
    Any suggestions/thoughts anyone?
    Thanks,
    Andy

    Hi Vivek,
    The LDAP port is open to all the servers in the environment. LDAP users have no issues logging in to any of the tools that they have access to.
    I think it has something to do with how Classic Planning passes the security token to Calculation Manager for an LDAP user. For a "general" Planning app, there is no evidence of such a transfer, because the Rules are created after the app has been created. And there the user logs in directly to Calculation Manager to create the rules.
    When using EPM Architect, it would lead to reason that such a token is also passed, however, that mechanism does not seem to have any trouble.
    This is the first time I am using a pre-packaged application like PSB, and have so far worked only with "general" Planning apps. Wanted to see if anyone else has created PSB apps using external users successfully, so I can trade environment notes and maybe come to a cause/solution.
    Thanks,
    Andy

  • Permissions for Linux user accessing Leopard share

    We have a very simple networking setup at our video post production facility. Basically, files are shared everywhere and to everyone. No open directory or DNS serving. Just AFP and SMB.
    Our Linux based Smoke/Flame/Lustre system needs access to the files served/shared by an Xserve with a big attached RAID. It has no problem connecting or seeing the files. However, it typically is denied write permissions. When the Smoke operator creates a folder on the share he can't access the folder until I grant the Others/Everyone group read and write perms. The Linux user logs in with the same user account that everyone else uses.
    Some time ago, the always smashing Gerrit DeWitt gave me some terminal commands to set ACLs for users/groups of this shared RAID. They work beautifully and I have had no permissions issues since applying them. Except for this Linux system.
    Would it be good practice to use this command to set the Everyone group permissions for this share?
    sudo chmod -R +ai "group:everyone allow readattr,readextattr,readsecurity,\
    list,search,read,execute,writeattr,writeextattr,delete,\
    append,write,delete_child,add_file,add_subdirectory,\
    file_inherit,directory_inherit" "/Volumes/RAIDH/Smoke_InfernoStorage"
    Also, is there some configuration change I could make to the Linux system to make it a little more Mac compatible in this area?
    Thanks

    It's worth checking into - let us know what you find. What you describe certainly sounds like a problem with permission propagation settings for SMB / Samba since the AFP side works fine.
    I've seen other posts about problems that crop up because of differences in the versions of Samba employed between systems, so that's a possibility as well. And I'd have no suggestions for you in that regard other than some searching of the web for clues as to how to work with that issue.
    -Doug

  • Enabling Direct Database Request for LDAP User in RPD

    Hi All,
    Can anybody help me out how to set the Direct database parameter in repository for the respective LDAP User.
    Actually I am implementing PROXY USer setup, in this process im encountering the below error
    Odbc driver returned an error (SQLExecDirectW).
    State: HY000. Code: 10058. [NQODBC] [SQL_STATE: HY000] [nQSError: 10058] A general error has occurred.
    [nQSError: 13017] User or group has not been granted the Direct Database Access privilege to access the database 'So n So'. Please verify the User/Group Permissions in the Oracle BI Administration Tool. (HY000)
    http://1.bp.blogspot.com/-NqzXnCsUse0/UT5D2F6SksI/AAAAAAAAA1s/SpygihX4z5A/s1600/3.PNG
    If i create the user in the repository and for him if i set "direct database Request" to "Allow" then he is able to use the PROXY functionality , but in my case i am using LDAP there are no room for the USers.
    Any assistance , greatly appreciated.
    Thank you./
    Siva Budagam.


  • Pure-ftpd - different permissions for virtual users?

    I seem not to be able to find out how I could declare different permissions for different virtual users. In /etc/pure-ftpd.conf exists one line to declare permissions using
    #umask file:folder
    umask 133:133
    umask matches the numbers to 'UserGroupOthers'.
    Now that virtual ftp users belong to a real existing unix user / group, I wonder who is Users, Group and Others?
    Users = virtual ftp user ?
    Group = virtual ftp group ?
    Others = anonymous visitors?
    How can I tune it, so one virtual user can add files - f.e. to be used by a scan station - while others shall only read, having anonymous disabled?
    This gives me a headache.

    Ok, let me think.  What did I do? 
    I had different users.  User X, Y and Z.
    Then, I had a shared directory above their home directories.
    While in the system, (not in pure-ftpd) I symlinked.
    (Note that doing something in user X's directory, like ln -s ../shared didn't work---I had to do ln -s /usr/home/ftpuser/shared).
    Then, I ~think I played with the permissions on shared and got what I wanted. 
    Then, after a few hours on this, they changed their minds about what they wanted, everyone was allowed to use shared, but different companies had to have their own directories, so I no longer have that config.
    For what it's worth, you can take a quick look at my page
    http://www.scottro.net/qnd/qnd-pureftpd.html
    but I don't think it covers that situation.
    HTH, though I doubt that it did.
