End User Permissions

Hi all,
can someone please explain to me the meaning or function of the "End-User Flag" in the permission editor of a system which is set up in the portal?
I'm not sure about the effect of this value.
Thanks a lot,
Regards,
Andreas

Hi
End User permissions are available to the user at runtime. This determines what the user can see at runtime. To see any object, the user must have End-user permissions enabled.
End-user permission affects two areas:
Detail Navigation - If the user has end-user permission for an iView, then that iView/Page will be visible to the user at runtime in Detail Navigation.
Personalise Option - If the user has end-user permission for an iView, then that iView is visible to the user in the personalize option available to the user through page personalization.
Regards,
Ganesh N

Similar Messages

  • End user permission ignored

    Hello,
    I have a problem with an end user permission that seems to get ignored: I wanted to demonstrate the usage of the end user permission and assigned a role to a User (for simplicity's sake as an entry point, no worksets, pages etc. involved) and enabled end user permission on the role for that particular user.
    Now when that user logs in he gets to see the according entry in the navigation bar as expected. However if I disable the end user permission, log out and again log in the user, he still sees the link. The end user permission setting is simply ignored. Can someone shed light onto this (could there be something wrong with the installation)?
    I don't think this is an issue of permission inheritance (the role permissions are set explicitly anyway) or overlapping permissions due to membership in several groups - the user is only member of the single standard  group 'authenticated users'.
    Regards,
    Sebastian
    P.S. What's the use of a role assignment to a user without end user permission anyway (I mean why the option)? What happens if you don't add permissions on a Role for a certain user at all (I tried it, but the effect is the same as described above - end user permission seem to be irrelevant)?

    Hi Robert,
    thanks for your answer and for the link (and I thought I had read everything). I am not so sure however if I really understand the term 'runtime environment' for a user. I thought runtime vs. design-time meant the difference between the content a user sees when he is actually using the portal and the content an administrator has access to in the portal content catalog, i.e. a meta-environment accessible only through certain tools like the permission editor or similar.
    I don't understand what you want to express with "It's used to restrict ... end user runtime environment" and why the "Page Personalization" is an example.
    I realize that for roles the availability for a user is solely defined by the assignment of that role to the user - end user permissions have no effect on this. Confusing, because I thought this availability (i.e. showing links in the toplevel or detailed navigation) was what was meant by 'runtime environment' but I seem to be wrong here.
    The docu says "for roles the end user permission setting does enable you to define which users/groups/roles are able to preview the role content using the portal design-time tools". Again, I am confused, I thought this was exactly the meaning of design-time environment.
    Great if you or someone else could comment on this..
    Regards,
    Sebastian

  • End users get blank result from VC model calling an R/3 BAPI.

    Hello everyone.
    We have built a VC model calling a Z*BAPI that we built in the R/3 backend.  Everything works fine through DEV and QAS.  However in our production environment when an end user attempts to run the VC application and search for a record they get a blank table result.  However if one of our core support team users runs the application it returns the search result successfully.
    There are no authorizations on the BAPI itself.
    I have tried to trap a security trace (ST01) in PRD but have not been able to capture a security trace for a failed attempt.  There is no dump (ST22) and nothing in the sys log to indicate a problem (SM21).
    Can someone tell me or point me to where I can determine all the authorizations an end user needs in order to run a VC model using a R/3 BAPI?
    We are running on EP 7.0 and ECC 6.0.
    Thanks,
    -Jon

    Hi Shay,
    When you ask "Have you tried adding the user to the permission list?", can you be more specific?
    Are you talking about the medium level security zone permissions in System Administration -> Permissions -> Portal Permissions -> sap.com/NetWeaver.Portal/medium_safety?
    For the following objects in the medium_safety folder, assign End User permissions:
    com.sap.vc.mmcompiler
    com.sap.visualcomposer
    com.sap.visualcomposer.portalconnector
    If so we have set the permissions to the Authenticated User Group to be "none" and "end-user".
    We have also assigned end user rights to the Everyone group to the following PCD folders...
    Assign End User permissions to VC Role for the following content:
    pcd:portal_content/templates/pages/portalpagetemplate
    pcd:portal_content/templates/pages/wdProxyPage
    pcd:portal_content/templates/layouts/fullWidth
    pcd:portal_content/templates/iviews/wdProxyiView
    It still does not work unless the person has content admin assigned.  Are there any other permissions (ACLs, PCDs, security zones, etc.) that a person needs in order to use a VC model?
    -Jon

  • DPM 2012 Failed to update permissions used in end-user recovery

    Hello everyone,
    I'm going to try the clearest way possible to describe the problem.
    Our test server is Windows Server 2012 with DPM 2012 SP1 CU2 (BKP-SRV01) with a Remote SQL server 2012 (PBASC)
    I protected a share folder on a DC on Windows Server 2008 R2 (PAD)
    When I activate End-User Recovery I get a warning in the monitor tab that say this
    Failed to update permissions used for end-user recovery on pad. Permissions update failed for the following reason: (ID 3123)
    DPM is unable to enumerate contents in pad_PartageTest on the protected computer BKP-SRV01. Recycle Bin, System Volume Information folder, non-NTFS volumes, DFS links, CDs, Quorum Disk (for cluster) and other removable media cannot be protected. (ID 38 Details:
    The end user recovery is working, but I do not know if it affects other things. I also get that message when I try to browse on the DPM server when creating a protection group.
    When I go see the DPM Server / File and Storage Services / Shares on Server Manager i get  "Failed to retrieve folder permission" in the properties of the Protected server share.
    I tried to search for almost 2 days without finding anything about that particular issue.
    Is there a way (clean way) to fix the issue?
    Thanks in advance for the help!

    Closing for housekeeping.
    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Regards, Mike J. [MSFT]
    This posting is provided "AS IS" with no warranties, and confers no rights.

    That's not very helpful. I've got the same issue :(
    Comes up for servers where a protection group related to it errors out (recovery point failure usually).

  • Failed to update permissions used for end-user recovery on . Permissions update failed for the following reason: (ID 3123)

    I patched 2012 to the SP1 level and now I'm getting these warnings on many servers.
    It seems to be considering these items as removable media?
    DPM 2012, SP1, version 4.1.3313.0
    Failed to update permissions used for end-user recovery on skutter.pmuk.net. Permissions update failed for the following reason: (ID 3123)
    Affected area: skutter.pmuk.net
    Occurred since: 11/01/2013 09:04:43
    Description: Failed to update permissions used for end-user recovery on skutter.pmuk.net. Permissions update failed for the following reason: (ID 3123)
     DPM is unable to enumerate contents in [long list of share names omitted] on the protected computer tower.pmuk.net. Recycle Bin, System Volume Information folder, non-NTFS volumes, DFS links, CDs, Quorum Disk (for cluster) and other removable media cannot be protected. (ID 38 Details: )
    Any Ideas? backups are OK, recovery points/sync's etc.
    Mark.

    I am using DPM 2012 R2. What finally worked for me to resolve my problem with EUR was to:
    In DPM I disabled EUR
    In Computer Management delete all DPM Shares (\\?\c:\Program Files\...)
    Using ADSI edit go to CN=MS-ShareMapConfiguration,CN=System,DC=X,DC=Y (Replace X & Y for your domain)
    Delete all of the mappings within the container
    In DPM enable EUR
    In DPM on a protection group I created a new recovery point and selected “Only synchronize (available only for file data)”
    Related article on ADSI Edit and DPM -
    http://social.technet.microsoft.com/Forums/en-US/e0258384-8422-408c-8839-2580d616a9ec/edsi-edit-related-to-data-protection-manager?forum=dpmfilebackup
    I hope this helps
    JD Young

  • How to Allow the End User to Save a Form

    How do I allow an end user to save form after they've filled it out? I understand this can be accomplished using the distribute function where you email the form to people. We don't want to do that. We want to put it on a website and allow them to access it, open it, fill it out, then save a copy to their hard drive (with the data they entered visible). I have searched the forums and cannot seem to find a solution for this.  Thanks, in advance!

    Hi Kyle. Thank you for the reply.  I do have Acrobat Pro, so I will try that. To make sure I understand correctly, the form has to be created in LiveCycle Developer, then you have to open it on Acrobat Pro and set the permissions?

  • SP2013 WF works for admin but not end-users

    A simple SP2013 WF calls a SP2010 WF to send email, simple.  Works for me (admin) but when a SP user edits an item on the list (which fires the WF), the WF gets to the 2010 call, and fails with this error...
    RequestorId: f8c56627-e4e5-5a26-0000-000000000000. Details: An unhandled exception occurred during the execution of the workflow instance. Exception details: System.ApplicationException: HTTP 401 {"Transfer-Encoding":["chunked"],"X-SharePointHealthScore":["0"],"X-SP-SERVERSTATE":["ReadOnly=0"],"SPClientServiceRequestDuration":["61"],"SPRequestGuid":["f8c56627-e4e5-5a26-97ee-ad70ca4d3291"],"request-id":["f8c56627-e4e5-5a26-97ee-ad70ca4d3291"],"X-FRAME-OPTIONS":["SAMEORIGIN"],"MicrosoftSharePointTeamServices":["16.0.0.2930"],"X-Content-Type-Options":["nosniff"],"X-MS-InvokeApp":["1;
    RequireReadOnly"],"Cache-Control":["max-age=0, private"],"Date":["Wed, 25 Jun 2014 02:44:54 GMT"],"P3P":["CP=\"ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT
    NAV ONL PHY PRE PUR UNI\""],"Server":["Microsoft-IIS\/7.5"],"WWW-Authenticate":["NTLM"],"X-AspNet-Version":["4.0.30319"],"X-Powered-By":["ASP.NET"]} at System.Activities.Statements.Throw.Execute(CodeActivityContext
    context) at System.Activities.CodeActivity.InternalExecute(ActivityInstance instance, ActivityExecutor executor, BookmarkManager bookmarkManager) at System.Activities.Runtime.ActivityExecutor.ExecuteActivityWorkItem.ExecuteBody(ActivityExecutor executor, BookmarkManager
    bookmarkManager, Location resultLocation) Exception from activity Throw If Sequence Sequence TryCatch Sequence Microsoft.SharePoint.WorkflowServices.Activities.RetryForDurationPolicy HTTPPost_WorkflowInterop_EnableEvents WorkflowInterop DynamicActivity<Guid>
    Then If Working Sequence Flowchart Sequence RCSEmailCst.WorkflowXaml_4f7b53dc_968d_4e22_a812_3178e7b01bad
    Spent an hour on phone with M$ support, only to be told it's my fault and I have to re-design my WF...if my WF gets any simpler I'll have to use carrier pigeons to get messages to customers!
    I've Googled the error message, results suggest that User Profile Sync is out of whack but M$ support swears up & down our sync is working fine.
    Anyone?
    Edit to add: we have a hosted implementation of SP2013, NOT on-prem

    Hi,
    According to your description, my understanding is that the SharePoint workflow 2013 does not work for end-users in your environment.
    For your issue, it can be a permission for the user initiating the workflow. Please make sure the site feature "Workflows can use app permissions" is activated. Go to Site actions > Site Settings > Site features > Workflows can use app permissions. Make sure the user is a member of a SharePoint Group.
    Also, please provide more detailed information about the error message to determine the exact cause of the error. You can have a look at the blog:
    http://ranaictiu-technicalblog.blogspot.com/2013/03/sharepoint-2013-workflow-debugdiagnosis.html
    Best Regards,
    Eric
    Eric Tao
    TechNet Community Support

  • How to hide the columns at the end user level thru personalization

    Hi all
    How can I hide the columns that are displayed on the portal? Is there any personalize option for the end user? Any right click or something?
    I am looking at hiding columns not while developing the iViews / Pages, but in the browser as the end user.
    I can hide whatever columns I want while creating the iViews for MDM data, but we can't provide the content administrator role to the end user for hiding whatever columns they want. They want to hide the columns thru the personalization option at the end user level.
    Can you please let me know whether we are able to hide the columns at the end user level thru personalization? Is it possible with standard iViews?
    Regards
    Sunil

    Hi Sunil,
    I understood your requirement properly and it seems valid. I tried this at my end but I didn't get the solution. Field list is not visible in the Personalize option. I don't think it is possible with MDM standard iViews.
    I was thinking an alternative is if somehow we manage to give the permissions to the end user only on the Result Set iView, but even if it would be possible it will not be a good design.
    Let's wait for some inputs from others.
    Regards,
    Jitesh Talreja

  • End User Personalization - Mandatory field does not make it mandatory

    I am on GRC 5.3 SP8 and when I set "Company" as "Mandatory" under "End User Personalization", it does not put an "*" next to Company or force the user to fill in the Company field. 
    How can I make sure that the user enters "Company" when doing a "Create Request form"?  I want to make sure a red "*" is next to the field so that they update it.  Right now I have a default value in there but I want to make sure they think about what goes in this field.
    When I create a custom field and use "end user personalization", the red "*" shows up and an error occurs if they don't fill in the field, but the predefined fields don't work the same way. 
    Thanks,
    Peggy

    GRC Experts, please correct me if I'm wrong but from my understanding, the Request Screen in the MyWork tab is for Approvers/Admins/Security i.e. those with UME permissions of some kind. This is not the Request Screen for end users. We actually customize our UME roles to eliminate the ability to use this Request Screen. We want all of our security requests to be done in the End User Request Screen.
    Unlike the MyWork Request Screen, the End User Request Screen is customizable under configuration-->End User Personalization. As you've noticed, here you can customize what fields you see on the End User Request Screen, what fields are defaulted, etc. For example, for our company, we do not want end users picking and choosing roles. Our end users are not knowledgeable on our roles so we save that step for a stage in which Security Admins choose roles for users based on what they asked for in the Request Reason.
    Another advantage of using the End User Request Screen is that end users can create requests without having UME permissions; they need only to be authenticated against whatever system you have chosen to authenticate them against (for example, SAP) Configuration-->Authentication. As long as they exist in that system, they can create a request.
    Every company is different. For us, we don't like that the MyWork Request Screen is not customizable and requires UME permissions to even access it. So we have essentially taken it away through security (based on the Security Guide provided by SAP).

  • How can my end user password-protect a document that has been digitally signed?

    Hello,
    I have seen some threads that indirectly address parts of this question, but am still left unsure about whether this process can be done - and if it can, I could use your help in understanding it - thank you.
    Two of our end users use digital signatures (certificate-based) in Acrobat 9 Pro to sign documents attesting the accuracy & calibration status of lab equipment for use in a legal environment.  These end users are concerned that their documents could be altered or edited, and asked me if password protection can also be applied to their documents that need to be digitally signed.
    Thank you in advance for your advice.

    isakten wrote:
    Do you apply "Open" password or "Permissions" password or both? If you apply "Permissions" password (with or without the "Open" password) make sure that "Changes Allowed" include "Filling in form fields and signing existing signature fields" or "Commenting, filling in form fields and signing existing signature fields". If permissions do not allow you to sign, you cannot sign.
    Be aware of the alert that Acrobat pops up when you apply "Permissions" password that all Adobe products respect permissions that you set but that 3rd-party PDF Viewers may not (and many do not).
    That is exactly what I was missing! I apply only "Permissions" password, but had the "Changes Allowed" drop-down set incorrectly - it was set to "None."  After changing that setting to allow "Filling in form fields and signing existing signature fields," the end user was able to digitally sign the document, her desired goal.
    Thank you so much.

  • How to sign java applet policy to end user?

    I have put my applet class on the server, and I want all end users to be able to access it on the server. How do I sign the java.policy to their JRE?
    can anyone help me?

    I found this somewhere else. It shows how to sign an applet.
    START OF DOC
    How To Sign a Java Applet
    The purpose of this document is to document the steps required to sign and use an
    applet using a self-signed cert or CA authorized in the JDK 1.3 plugin.
    The original 9 steps of this process were posted by user irene67 on Sun's message forum:
    http://forums.java.sun.com/thread.jsp?forum=63&thread=132769
    -----begin irene67's original message -----
    These steps describe the creation of a self-signed applet. This is useful for testing purposes. For use of public reachable applets, there will be needed a "real" certificate issued by an authority like VeriSign or Thawte. (See step 10 - no user will import and trust a self-signed applet from an unknown developer).
    The applet needs to run in the plugin, as only the plugin is platform- and browser-independent. And without this independence, it makes no sense to use java...
    1. Create your code for the applet as usual.
    It is not necessary to set any permissions or use security managers in
    the code.
    2. Install JDK 1.3
    Path for use of the following commands: [jdk 1.3 path]\bin\
    (commands are keytool, jar, jarsigner)
    Password for the keystore is any password. Only Sun knows why...
    perhaps ;-)
    3. Generate key: keytool -genkey -keyalg rsa -alias tstkey
    Enter keystore password: *******
    What is your first and last name?
    [Unknown]: Your Name
    What is the name of your organizational unit?
    [Unknown]: YourUnit
    What is the name of your organization?
    [Unknown]: YourOrg
    What is the name of your City or Locality?
    [Unknown]: YourCity
    What is the name of your State or Province?
    [Unknown]: YS
    What is the two-letter country code for this unit?
    [Unknown]: US
    Is CN=Your Name, OU=YourUnit, O=YourOrg, L=YourCity, ST=YS, C=US
    correct?
    [no]: yes
    (wait...)
    Enter key password for tstkey
    (RETURN if same as keystore password):
    (press [enter])
    4. Export key: keytool -export -alias tstkey -file tstcert.crt
    Enter keystore password: *******
    Certificate stored in file tstcert.crt
    5. Create JAR: jar cvf tst.jar tst.class
    Add all classes used in your project by typing the classnames in the
    same line.
    added manifest
    adding: tst.class(in = 849) (out= 536)(deflated 36%)
    6. Verify JAR: jar tvf tst.jar
    Thu Jul 27 12:58:28 GMT+02:00 2000 META-INF/
    68 Thu Jul 27 12:58:28 GMT+02:00 2000 META-INF/MANIFEST.MF
    849 Thu Jul 27 12:49:04 GMT+02:00 2000 tst.class
    7. Sign JAR: jarsigner tst.jar tstkey
    Enter Passphrase for keystore: *******
    8. Verify Signing: jarsigner -verify -verbose -certs tst.jar
    130 Thu Jul 27 13:04:12 GMT+02:00 2000 META-INF/MANIFEST.MF
    183 Thu Jul 27 13:04:12 GMT+02:00 2000 META-INF/TSTKEY.SF
    920 Thu Jul 27 13:04:12 GMT+02:00 2000 META-INF/TSTKEY.RSA
    Thu Jul 27 12:58:28 GMT+02:00 2000 META-INF/
    smk 849 Thu Jul 27 12:49:04 GMT+02:00 2000 tst.class
    X.509, CN=Your Name, OU=YourUnit, O=YourOrg, L=YourCity, ST=YS, C=US
    (tstkey)
    s = signature was verified
    m = entry is listed in manifest
    k = at least one certificate was found in keystore
    i = at least one certificate was found in identity scope
    jar verified.
    9. Create HTML-File for use of the Applet by the Sun Plugin 1.3
    (recommended to use HTML Converter Version 1.3)
    10. (Omitted See Below)
    -----end irene67's original message -----
    To make the plug-in work for any browser you have two options with the JDK 1.3 plugin.
    1) Is to export a cert request using the key tool and send it to a CA verification source like verisign.
    When the response comes back, import it into the keystore overwriting the original cert for the generated key.
    To export request:
    keytool -certreq -alias tstkey -file tstcert.req
    To import response:
    keytool -import -trustcacerts -alias tstkey -file careply.crt
    An applet signed with a cert that has been verified by a CA source will automatically be recognized by the plugin.
    2) For development or otherwise, you may want to just use your self-signed certificate.
    In that case, the JDK 1.3 plugin will recognize all certs that have a root cert located in the JDK 1.3 cacerts keystore.
    This means you can import your test certificate into this keystore and have the plugin recognize your jars when you sign them.
    To import self-signed certificate into the cacerts keystore, change directory to where the JDK plugin key store is located.
    For JDK 1.3.0_02: C:\Program Files\JavaSoft\JRE\1.3.0_02\lib\security
    For JDK 1.3.1: C:\Program Files\JavaSoft\JRE\1.3.1\lib\security
    Import your self-signed cert into the cacerts keystore:
    keytool -import -keystore cacerts -storepass changeit -file tstcert.crt
    (the password is literally 'changeit')
    Now, regardless of which method you use, the applet should be recognized as coming from a signed jar. The user can choose to activate it if he / she chooses. If your applet uses classes from multiple jars, for example Apache's Xerces parser, you will need to sign those jars as well to allow them to execute in the client's browser. Otherwise, only the classes coming from the signed jar will work with the java.security.AllPermission setting and all other classes from unsigned jars will run in the sandbox.
    NOTE: Unless otherwise specified by the -keystore command in all keytool and jarsigner operations, the keystore file used is named '.keystore' in the user's home directory.
    The first time any keystore is accessed (including the default) it will be created and secured with the first password given by the user. There is no way to figure out the password if you forget it, but you can delete the default file and recreate it if necessary. For most operations, using the -keystore command is safer to keep from cluttering or messing up your default keystore.
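
An added example, not part of the quoted document or the original post: a small Python check that reads `jarsigner -verify -verbose -certs` output like that in step 8 and lists the entries lacking the `s`/`m` flags, or signed by a certificate not found in the keystore (`k`/`i`). The sample outputs are constructed from the step 8 listing; `helper.class`, `other.class` and the `0` size on the directory line are made up for illustration.

```python
import re

# One entry line of `jarsigner -verify -verbose` output: [flags] size date name
ENTRY = re.compile(
    r"^\s*(?:(?P<flags>[smki]+)\s+)?"
    r"(?P<size>\d+)\s+"
    r"[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} \S+ \d{4}\s+"
    r"(?P<name>.+?)\s*$"
)

# Signature-related files under META-INF/ are not themselves signed entries.
SIGNATURE_FILE = re.compile(
    r"^META-INF/(MANIFEST\.MF|SIG-[^/]*|[^/]+\.(SF|RSA|DSA|EC))$", re.IGNORECASE
)


def parse_entries(output):
    """Return (name, flags) for every entry line; legend and cert lines are skipped."""
    entries = []
    for line in output.splitlines():
        m = ENTRY.match(line)
        if m:
            entries.append((m.group("name"), set(m.group("flags") or "")))
    return entries


def audit(output):
    """Classify entries using the flag legend jarsigner prints (s, m, k, i)."""
    unsigned, not_in_keystore = [], []
    for name, flags in parse_entries(output):
        if name.endswith("/") or SIGNATURE_FILE.match(name):
            continue  # directories and signature files carry no flags
        if not {"s", "m"} <= flags:
            unsigned.append(name)          # not covered by a verified signature
        elif not flags & {"k", "i"}:
            not_in_keystore.append(name)   # signed, but signer cert not found locally
    verified = any(l.strip() == "jar verified." for l in output.splitlines())
    return {
        "unsigned": unsigned,
        "signer_not_in_keystore": not_in_keystore,
        "jar_verified": verified,
    }


# Constructed sample, modelled on the step 8 output above.
SAMPLE_SIGNED = """\
         130 Thu Jul 27 13:04:12 GMT+02:00 2000 META-INF/MANIFEST.MF
         183 Thu Jul 27 13:04:12 GMT+02:00 2000 META-INF/TSTKEY.SF
         920 Thu Jul 27 13:04:12 GMT+02:00 2000 META-INF/TSTKEY.RSA
           0 Thu Jul 27 12:58:28 GMT+02:00 2000 META-INF/
smk      849 Thu Jul 27 12:49:04 GMT+02:00 2000 tst.class

      X.509, CN=Your Name, OU=YourUnit, O=YourOrg, L=YourCity, ST=YS, C=US
      (tstkey)

  s = signature was verified
  m = entry is listed in manifest
  k = at least one certificate was found in keystore
  i = at least one certificate was found in identity scope

jar verified.
"""

# Constructed sample: a class added after signing and one signed by an unknown cert.
SAMPLE_MIXED = """\
         130 Thu Jul 27 13:04:12 GMT+02:00 2000 META-INF/MANIFEST.MF
         183 Thu Jul 27 13:04:12 GMT+02:00 2000 META-INF/TSTKEY.SF
         920 Thu Jul 27 13:04:12 GMT+02:00 2000 META-INF/TSTKEY.RSA
smk      849 Thu Jul 27 12:49:04 GMT+02:00 2000 tst.class
         412 Thu Jul 27 12:50:10 GMT+02:00 2000 helper.class
sm       300 Thu Jul 27 12:51:00 GMT+02:00 2000 other.class

jar verified.
"""

if __name__ == "__main__":
    for label, sample in (("signed", SAMPLE_SIGNED), ("mixed", SAMPLE_MIXED)):
        print(label, audit(sample))
```

Running the same check over every jar the applet loads covers the multi-jar case in the note above, where classes from an unsigned jar stay in the sandbox.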

  • DPM 2012 still requires put end users into local admin groups for the purpose of end user data recovery?

    On client computers that are protected by DPM 2010 and prior versions, you had to put the end user's account in the local administrators group. If you did not add the end user account to the local administrators group you would get this error after opening the recovery tab in the DPM client: “DPM found no recovery points which you are authorized to restore on the specified DPM server. You can restore only those recovery points for which you were an administrator at the time the backup was taken. To restore other recovery points, contact your DPM administrator, or attempt to restore from another DPM.”  This is not ideal on many networks because the end users are not allowed to have local administrator access.
    The fix to this was included in hotfix 2465832 found here: http://support.microsoft.com/kb/2465832.
    This hotfix (a hotfix rollup package for DPM 2010) resolves other issues with DPM 2010 as well. You can find the full list of what this hotfix corrects on that link.
    One would think this issue should have been resolved in DPM 2012; however, I am encountering the same exact issue: I had to include end users in the workstation local admin group before they could search for recovery points on the DPM server. This is not acceptable practice.
    Is there a new hotfix for the same issue on DPM 2012? I am hesitant to apply KB2465832 since it also includes many other fixes for DPM 2010, which may not be applicable for version 2012.
    Please help.
    Thanks,

    This is a hands off solution to allow all users that use a machine to be able to restore their own files.
    1) Make these two cmd files and save them in c:\temp
    2) Using windows scheduler – schedule addperms.cmd to run daily – any new users that log onto the machine will automatically be able to restore their own files.
    <addperms.cmd>
    Cmd.exe /v /c c:\temp\addreg.cmd
    <addreg.cmd>
    set users=
    echo Windows Registry Editor Version 5.00>c:\temp\perms.reg
    echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Data Protection Manager\Agent\ClientProtection]>>c:\temp\perms.reg
    FOR /F "Tokens=*" %%n IN ('dir c:\users\*. /b') do set users=!users!%Userdomain%\\%%n,
    echo "ClientOwners"=^"%users%%Userdomain%\\bogususer^">>c:\temp\perms.reg
    REG IMPORT c:\temp\perms.reg
    Del c:\temp\perms.reg
    Regards, Mike J. [MSFT]

    That's a good one! Thanks for that.
    I've been scripting on KIX for some time, so here is mine, hope it helps to someone... (it's probably not the best, but it works)
    ========================================================================
    $RC=setoption("WOW64AlternateRegView","on") 
    $DPMkey = "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Data Protection Manager\Agent\ClientProtection"
    $uservariable = "%userdomain%\%username%"
    If KeyExist ($DPMkey)
    $Userstring=ReadValue($DPMkey, "ClientOwners")
    If $Userstring == ""
    WriteValue($DPMkey,"ClientOwners", $uservariable, "REG_MULTI_SZ")
    ? "Key created"
    else
    If not instr($Userstring,$uservariable)
    $Userstring = "$Userstring,$uservariable"
    WriteValue($DPMkey,"ClientOwners", $Userstring, "REG_MULTI_SZ")
    EndIf
    Endif
    EndIf
    ==========================================================================
    The problem actually is that you still need to use an admin account to write on the registry, so ensure you configure it properly on the schedule task.
    In case you use a service account on the schedule task... the "$uservariable" will get populated with that account. As a work around to this... I changed it for the following line:
    =========================================================
    $uservariable = ReadValue("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI", "LastLoggedOnSAMUser")
    =========================================================
    The only problem with that is that the key gets created/updated only if the user logs on physically to that PC, but it will not work for anyone connecting through RDP.
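An added example, not part of either post: the same ClientOwners update in PowerShell, with an exact per-entry comparison in place of the substring test and a format check on the account name before an elevated task writes it to HKLM. The function name Add-ClientOwner and the CONTOSO accounts are constructed for illustration; it assumes an elevated 64-bit PowerShell session and a comma-separated ClientOwners string, as the scripts above build it.

```powershell
# Added example. Key and value names are the ones quoted in the posts above.
$DpmKey   = 'HKLM:\SOFTWARE\Microsoft\Microsoft Data Protection Manager\Agent\ClientProtection'
$LogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI'

function Add-ClientOwner {
    # Pure string logic: returns the owner list with $Account merged in.
    param(
        [string]$Current,
        [Parameter(Mandatory)][string]$Account
    )

    # Accept only DOMAIN\user. A stray comma would add extra owners to the list.
    if ($Account -notmatch '^[^\\,\s]+\\[^\\,]+$') {
        throw "Unexpected account format: '$Account'"
    }

    # Split the stored list into trimmed, non-empty entries.
    $owners = @($Current -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })

    # -contains compares whole entries, case-insensitively, so CONTOSO\bob is
    # not treated as present when only CONTOSO\bobby is listed.
    if ($owners -contains $Account) {
        return ($owners -join ',')
    }
    return (($owners + $Account) -join ',')
}

# Constructed sample: a substring test would skip this append.
Add-ClientOwner -Current 'CONTOSO\bobby' -Account 'CONTOSO\bob'

if (Test-Path $DpmKey) {
    # Under a service account, take the last console user from LogonUI,
    # the workaround described in the post above.
    $account = (Get-ItemProperty -Path $LogonKey -Name LastLoggedOnSAMUser).LastLoggedOnSAMUser
    $current = (Get-ItemProperty -Path $DpmKey -Name ClientOwners -ErrorAction SilentlyContinue).ClientOwners
    $before  = $current -join ','   # handles a missing value or a multi-string value

    $updated = Add-ClientOwner -Current $before -Account $account
    if ($updated -ne $before) {
        # Written as one comma-separated string (assumption, see lead-in).
        Set-ItemProperty -Path $DpmKey -Name ClientOwners -Value $updated
    }
}
```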

  • Minimal access for end users to access a SharePoint page

    I have a list Projects which I have put in a different aspx page by the name ProjectPage.
    I have end users accessing that page, where I have applied certain styles for displaying it in a customized way.
    However, I need to configure their permissions in such a way that they should be able to access any page other than the project page.
    They should not even see the site actions bar and should not be able to access the _layouts/viewlsts.aspx page or the settings page from the address bar.

    Hello,
    To restrict application pages, you can either hide them from the UI (but they will still be accessible by entering the direct URL) OR create a custom permission and uncheck the "view application page" option. Refer to this link for more info:
    https://social.technet.microsoft.com/Forums/office/en-US/bc3e9e2e-e606-47a1-ace3-94aadd860e44/is-there-any-way-i-can-disable-site-actions-menu-for-readonly-users?forum=sharepointgeneralprevious
    Hemendra

  • Default User Permissions in CCM 5.1

    It seems that CCM 5 user creation has a new step compared with 4.1.3. It may have been default in 4 but does not appear to be in 5.1.2.
    Is there any way to set the user permissions to the Standard CCM End User group by default?
    Furthermore, is there a way to set the SUBSCRIBE CSS for all new users by default?
    Thanks

    Where do I define that a 'role' is default or selected while I am creating the user account? I do not see any role selection in the user creation page.

  • How to set End User Permission to an iView?

    Hi experts,
    can someone tell me how I can set End User Permission to enabled for an iView?

    Hi there,
    From what I have read you want a user to access an iView without an account. To do this you need to configure the J2EE engine for an anonymous user access and set the iView property for authentication to anonymous.
    Because the user has no account you have to assign any roles you want to use for permissions to the anonymous user account configured for anonymous access.
    There is documentation on help.sap.com on how to configure anonymous access.
    Hope this helps.
    Regards
    Christiaan
