Enforce access control permission

Which is the better place to enforce access control permissions, the application or the database?
DN

Hi,
Did you not decide yet?
Re: access control permission
Cheers

Similar Messages

  • Issue while enabling Access Control for a Coherence server node

    Hi
    I'm trying to enable access control for a Coherence server node, using the default Keystore login method shipped with Coherence. When I start the server I get the error "java.security.AccessControlException: Unsufficient rights to perform the operation". Please see below for the sequence of steps I've followed to enable access control. I just need to enable Authentication (not authorization) at this stage.
    1. I have added the following entry in the Coherence Operational override file
    <security-config>
      <enabled system-property="tangosol.coherence.security">true</enabled>
      <login-module-name>Coherence</login-module-name>
      <access-controller>
        <class-name>com.tangosol.net.security.DefaultController</class-name>
        <init-params>
          <init-param id="1">
            <param-type>java.io.File</param-type>
            <param-value>keystore.jks</param-value>
          </init-param>
          <init-param id="2">
            <param-type>java.io.File</param-type>
            <param-value>permissions.xml</param-value>
          </init-param>
        </init-params>
      </access-controller>
      <callback-handler>
        <class-name>com.sun.security.auth.callback.TextCallbackHandler</class-name>
      </callback-handler>
    </security-config>
    2. The following is the entry in the Permissions.xml
    <?xml version='1.0'?>
    <permissions>
      <grant>
        <principal>
          <class>javax.security.auth.x500.X500Principal</class>
          <name>CN=admin,OU=Coherence,O=Oracle,C=US</name>
        </principal>
        <permission>
          <target>*</target>
          <action>all</action>
        </permission>
      </grant>
    </permissions>
    3. The following is the content of the Login configuration file "Coherence_Login.conf"
    Coherence {
      com.tangosol.security.KeystoreLogin required
      keyStorePath="keystore.jks";
    };
    4. The following is the command line tag for starting the server
    java -server -showversion -Djava.security.auth.login.config=Coherence_Login.conf -Xms%memory% -Xmx%memory% -Dtangosol.coherence.cacheconfig=PROXY-cache-config.xml -Dtangosol.coherence.override=FOL-coherence-override.xml -Dcom.sun.management.jmxremote.port=6789 -Dcom.sun.management.jmxremote.authenticate=false -Dtangosol.coherence.security=true -cp "%coherence_home%\lib\coherence.jar" com.tangosol.net.DefaultCacheServer %1
    Following is the output on the console when running the command. It asks for a username and password for the JKS store (if I provide the wrong password, it gives a different error, which shows that it is able to authenticate against the Keystore). After I put in the password, it throws the error as shown below: "java.security.AccessControlException: Unsufficient rights to perform the operation"
    D:\Coherence\FOL_CacheServer>fol-cache-server
    java version "1.6.0_20"
    Java(TM) SE Runtime Environment (build 1.6.0_20-b02)
    Java HotSpot(TM) 64-Bit Server VM (build 16.3-b01, mixed mode)
    Username:admin
    Password:
    Exception in thread "main" java.security.AccessControlException: Unsufficient rights to perform the operation
    at com.tangosol.net.security.DefaultController.checkPermission(DefaultController.java:153)
    at com.tangosol.coherence.component.net.security.Standard.checkPermission(Standard.CDB:32)
    at com.tangosol.coherence.component.net.Security.checkPermission(Security.CDB:11)
    at com.tangosol.coherence.component.util.SafeCluster.ensureService(SafeCluster.CDB:6)
    at com.tangosol.coherence.component.net.management.Connector.startService(Connector.CDB:20)
    at com.tangosol.coherence.component.net.management.gateway.Remote.registerLocalModel(Remote.CDB:10)
    at com.tangosol.coherence.component.net.management.gateway.Local.registerLocalModel(Local.CDB:10)
    at com.tangosol.coherence.component.net.management.Gateway.register(Gateway.CDB:6)
    at com.tangosol.coherence.component.util.SafeCluster.ensureRunningCluster(SafeCluster.CDB:46)
    at com.tangosol.coherence.component.util.SafeCluster.start(SafeCluster.CDB:2)
    at com.tangosol.net.CacheFactory.ensureCluster(CacheFactory.java:998)
    at com.tangosol.net.DefaultConfigurableCacheFactory.ensureServiceInternal(DefaultConfigurableCacheFactory.java:923)
    at com.tangosol.net.DefaultConfigurableCacheFactory.ensureService(DefaultConfigurableCacheFactory.java:892)
    at com.tangosol.net.DefaultCacheServer.startServices(DefaultCacheServer.java:81)
    at com.tangosol.net.DefaultCacheServer.intialStartServices(DefaultCacheServer.java:250)
    at com.tangosol.net.DefaultCacheServer.startAndMonitor(DefaultCacheServer.java:55)
    at com.tangosol.net.DefaultCacheServer.main(DefaultCacheServer.java:197)

    Did you create the weblogic domain with the Oracle Webcenter Spaces option selected? This should install the relevant libraries into the domain that you will need to deploy your application. My experience is based off WC 11.1.1.0. If you haven't, you can extend your domain by re-running the Domain Config Wizard again (WLS_HOME/common/bin/config.sh)
    Cappa

  • Access control exception only on Linux/Debian not on Windows!?

    We have an RMI server application with a Web Start RMI Swing client that we have been running successfully on Windows. The client is downloaded and running without any problems on Windows platforms (W2003, Win2K, WinXP). The client Web Start jar is signed and all permissions are set in the jnlp file.
    As soon as we setup a server on linux/debian sarge we get these access control exceptions when the server tries to send events back to the client. It complains on
    file permissions not being set on the server jar file, and the strange thing is that the path separator is backslash on Linux?
    I've tried the following:
    1) java.policy. Added All permissions to the server jar file and/or the bin folder.
    2) Running without any security manager, i.e., System.setSecurityManager(null)
    3) Explicitly setting the policy on the server. Policy.setPolicy(...)
    4) Explicitly setting a policy on the client. URL policyUrl = Thread.currentThread().getContextClassLoader().getResource("server.policy");
    5) Building the server and client on debian
    I'm at my wits' end... I've searched these forums and it seems that this might be a common problem, but I've not found a solution yet.
    Our system works 100% on Windows without any problems, it's only on linux/debian that we get these access control problems.
    2005-sep-19 09:39:19 se.xxx.xxx.admin.AdminManager change
    ERROR: java.security.AccessControlException: access denied (java.io.FilePermission \\usr\local\XXX\bin\server.jar read)
    java.security.AccessControlContext.checkPermission(Unknown Source)
    java.security.AccessController.checkPermission(Unknown Source)
    java.lang.SecurityManager.checkPermission(Unknown Source)
    java.lang.SecurityManager.checkRead(Unknown Source)
    java.io.File.exists(Unknown Source)
    sun.net.www.protocol.file.Handler.openConnection(Unknown Source)
    sun.net.www.protocol.file.Handler.openConnection(Unknown Source)
    java.net.URL.openConnection(Unknown Source)
    sun.rmi.server.LoaderHandler.addPermissionsForURLs(Unknown Source)
    sun.rmi.server.LoaderHandler.access$300(Unknown Source)
    sun.rmi.server.LoaderHandler$Loader.<init>(Unknown Source)
    sun.rmi.server.LoaderHandler$Loader.<init>(Unknown Source)
    sun.rmi.server.LoaderHandler$1.run(Unknown Source)
    java.security.AccessController.doPrivileged(Native Method)
    sun.rmi.server.LoaderHandler.lookupLoader(Unknown Source)
    sun.rmi.server.LoaderHandler.loadClass(Unknown Source)
    sun.rmi.server.LoaderHandler.loadClass(Unknown Source)
    java.rmi.server.RMIClassLoader$2.loadClass(Unknown Source)
    java.rmi.server.RMIClassLoader.loadClass(Unknown Source)
    sun.rmi.server.MarshalInputStream.resolveClass(Unknown Source)
    java.io.ObjectInputStream.readNonProxyDesc(Unknown Source)
    java.io.ObjectInputStream.readClassDesc(Unknown Source)
    java.io.ObjectInputStream.readOrdinaryObject(Unknown Source)
    java.io.ObjectInputStream.readObject0(Unknown Source)
    java.io.ObjectInputStream.readObject(Unknown Source)
    sun.rmi.server.UnicastRef.unmarshalValue(Unknown Source)
    sun.rmi.server.UnicastServerRef.dispatch(Unknown Source)
    sun.rmi.transport.Transport$1.run(Unknown Source)
    java.security.AccessController.doPrivileged(Native Method)
    sun.rmi.transport.Transport.serviceCall(Unknown Source)
    sun.rmi.transport.tcp.TCPTransport.handleMessages(Unknown Source)
    sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(Unknown Source)
    java.lang.Thread.run(Unknown Source)
    sun.rmi.transport.StreamRemoteCall.exceptionReceivedFromServer(Unknown Source)
    sun.rmi.transport.StreamRemoteCall.executeCall(Unknown Source)
    sun.rmi.server.UnicastRef.invoke(Unknown Source)
    se.xxx.xxx.client.XXXApplication_Stub.notify(Unknown Source)
    )

    I have two suggestions. The first is that you didn't indicate the permissions of the file and the directories above it along with the user you're running the program as. In Unix it is easier to get an access issue as you're probably not running as root. In a traditional Windows environment everything runs with admin permission allowing access to anything. While the error comes from the security manager it has nothing to do with traditional J2SE security - it may be an O/S level thing.
    But the second suggestion touches on the other question you have - why is this showing up as backslashes? Is there perhaps an issue with the JNLP file? Is there any code that should be using System.getProperty( "file.separator") and is instead just using the backslash?

  • Is Compliance Calibrator the same as GRC Access Control?

    I have been asked to look at Compliance Calibrator and am getting confused about what functionality is offered. I have done the basic e-learning course for Compliance Calibrator (GRC200): this was all about separation of duties etc. Fair enough. But I also have a document called "SAP GRC Access Control" which talks about the same S.O.D compliance functionality but also talks of "roles triggering workflows", "users creating roles", "automated approvals for roles", e.g.:
    "SAP GRC Access Control streamlines access requests by filling each request automatically with user identity information from a lightweight directory access protocol (LDAP) directory or HR database, thereby eliminating the need for user intervention. Approvers receive an e-mail with a direct hyperlink to the request inside the application, where they can easily view and approve the request. The application then checks for security violations before updating accounts automatically."
    None of this was covered on the Compliance Calibrator course, so what product offers this? I can see another product by Virsa called Access Enforcer but have no info on this... can anyone enlighten me?

    SAP GRC Access Control is the SAP application that comprises the former Virsa products Compliance Calibrator, Access Enforcer, Risk Terminator, Firefighter and Role Expert.

  • Role Based Access Control in Java

    Hi,
    we are designing a software solution that makes use of the Role Based Access Control pattern to control access of functions, EJBs, Servlets to certain users based on their "role".
    I have not been able to understand clearly how that pattern can be implemented in Java. In addition, I stumbled on the java.security.acl and I wondering how will the package work together with RBAC pattern (Or is the pattern already implemented in some package)?
    Does anyone have any comments on this? Thanks
    Dave

    Hi David,
    Permissions based on GUI components is a simple & neat idea. But is it rugged? Really secure? It might fall short of Grady Booch's idea of Responsibilities of objects. Also that your Roles and Access components are coupled well with Views!!!!!!!
    My suggestion regarding the Management Beans is only to do with the dynamic modification towards which our discussion was going forward.
    If we go back to our fundamental objective of implementing a Role based access control, let me put some basic questions.
    We have taken the roles data from a static XML file during the start up of the container. The Roles or Access are wanted to be changed dynamically during the running of the container. You would scrutinize the changes of Roles and access before permission during the case of dynamic modification.
    Do you want this change to happen only for that particular session? Don't you want these changes to persist??? When the container is restarted, don't you want the changes to stay back?
    If the answer to the above is YES(yes I want to persist changes), how about doing a write operation(update role/access) of the XML file and continue your operation? After all, you can get the request to a web or session bean and keep going.
    If the answer to the above is NO(no, i don't want to persist), you can still get the change role request to a web or session bean and keep going.
    Either way, there is going to be an intense scrutiny of the operator before giving her permissions!!!
    One hurdle could be that how to get all neighbouring servers know about the changes in roles and access??? An MBean or App Server API could help you in this.
    May I request all who see this direction to pour in more comments/ideas ? I would like to hear from David, duffymo, komone and jschell.
    Rajesh

  • War file and access control with WebLogic

    I am trying to put some access control on different files in my war-file, but just can't get it to work... It seems like all roles defined in weblogic.properties gives the user access to all files in the war. I just don't understand the connections between the security realm, the weblogicURL.policy file and the web.xml file... If I do not specify a weblogic.security.URLAclFile, no access control is done at all.
    This is how my weblogic.properties file looks like:
    weblogic.security.URLAclFile=e:\\weblogic\\weblogicURL.policy
    weblogic.password.koko=kokokoko
    weblogic.password.arnebelinda=arne1234
    weblogic.security.group.ppuseradmins=arnebelinda
    and my weblogicURL.policy:
    deny Principal weblogic.security.acl.GroupImpl "everyone" {
      Permission weblogic.security.acl.URLAcl "weblogic.url", "/admin/-";
    };
    and finally, my web.xml-file:
    <!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN"
        "http://java.sun.com/j2ee/dtds/web-app_2_2.dtd">
    <web-app>
      <session-config>
        <session-timeout>30</session-timeout>
      </session-config>
      <welcome-file-list>
        <welcome-file>index.jsp</welcome-file>
      </welcome-file-list>
      <security-constraint>
        <web-resource-collection>
          <web-resource-name>admin</web-resource-name>
          <url-pattern>index.jsp</url-pattern>
        </web-resource-collection>
        <auth-constraint>
          <role-name>ppuseradmins</role-name>
        </auth-constraint>
      </security-constraint>
      <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>WebLogic Server</realm-name>
      </login-config>
      <security-role>
        <role-name>ppuseradmins</role-name>
      </security-role>
    </web-app>
    It does not matter which user is part of the ppuseradmins group. The user koko is not a member, but is given access to my whole .war anyway (after submitting the correct username/password). Omitting the <realm-name> does not seem to work either; the default realm is not used, instead null is used.
    Does anybody have a clue? I would really appreciate it!
    I am using WebLogic 5.1 sp 9
    best regards,
    PJ

    In your policy file entry, you have specified "/admin/-".
    However, in the <security-constraint> element in web.xml, your <url-pattern> is not set to /admin.
    Could that be the problem?

  • "Access Control - Do Not Inherit" Grayed out when setting up a backup on Server 2008 R2 when trying to use remote NAS

    I see one response here:
    http://social.technet.microsoft.com/Forums/en-US/c99eead0-e2fc-4c83-8cb2-959d03512667/server-2008-r2-dc-backup-greys-out-do-not-inherit-option-for-file-share-backup
    But it makes no sense to me. Running that command doesn't do anything.
    How do I make the box stop graying out when setting up a backup with the GUI interface? This should be really simple, I would think, and for some reason the backup utility is graying out the "Do Not Inherit" option so I can back up to the NAS device that has access control enabled in order to back up to the NAS.
    Thanks in advance!

    Hi,
    This article mentions that it is by design that we cannot choose "do not inherit" in the backup schedule when the backup target is a remote shared folder.
    Checklist: Schedule Automatic Backups
    http://technet.microsoft.com/en-us/library/cc732540.aspx
    If you use a remote shared folder, make sure that the folder is available, that you have write access to the folder, and that you are a member of the Administrators group or Backup Operators group on the computer hosting the folder. Each time you create a backup, it will overwrite the older backups so that you will only have one backup at a time.
    The backup will inherit the access control list (ACL) permissions of the folder.
    For the account required, as mentioned above, it should be "a member of the Admin group or Backup Operators group, and it should have write permission on the target folder".
    Also, mapping a network folder as a drive will not help: the mapped drive letter will not show as a backup destination; it is still a remote shared folder.

  • Change in Access Control components on the Service Marketplace

    Hello GRC community:
    We would like to inform you that as of yesterday (5/30) the Access Control components for support messages/SAP Notes have been changed (they have actually been replaced so all messages/notes logged under the old component will be moved/replaced to the new).
    The main 4 components are now:
    New: GRC-SAC-ARA  Access Risk Management
    Old: GRC-SAC-SCC  Risk Analysis & Remediation (formerly Compliance Calibrator)
    New: GRC-SAC-ARQ  Access Request
    Old: GRC-SAC-SAE  Compliant User Provisioning (formerly Virsa Access Enforcer)
    New: GRC-SAC-EAM  Emergency Access Management
    Old: GRC-SAC-SFF  Superuser Privilege Management (formerly Virsa Firefighter)
    New: GRC-SAC-BRM  Business Role Management
    Old: GRC-SAC-SRE  Enterprise Role Management (formerly Virsa Role Expert)
    There are also NEW components specific to areas of functionality. If you are not sure of what component to log your message under, please use the main components above.
    GRC-SAC-ADS          Directory Services
    GRC-SAC-BI             Access Control BW
    GRC-SAC-CONF       Configuration
    GRC-SAC-DAS          Dashboard
    GRC-SAC-REP          Repository
    GRC-SAC-RPT          Reporting
    GRC-SAC-UAR          User Access Review
    GRC-SAC-UPG          Installation & Upgrade
    GRC-SAC-WF           Workflow
    Ramelyn Paredes
    AGS Primary Support

    Hello Community,
    To Summarise in Short: New features introduced to V10.0 : GRC 10.0 is ABAP based, so extraction of data from users is fast & analysis as well.
    As usual, the names for the Access Control tools have been changed:
    A. Access Risk Analysis (RAR)
    1. USOBT & object information will be automatically updated with GRC rather than manual upload (earlier version)
    2. Mass Users can be imported from .CSV file for risk analysis, Role analysis etc.,
    3. Variant creation / reuse for any report analysis
    4. Option of having multiple rule sets & simulating users across multiple rule sets at same time
    5. Risk analysis for CUA, Composite roles
    6. Mitigation by system, risk id, mass mitigation for users, audit trail etc.,
    7. Risk analysis for HR objects
    B. Emergency Access Management (SPM)
    1. Mass reporting for all FF users, Ids, Executions
    2. Centrally maintained for all systems rather than individual ERPs.
    C. User Access Management (CUP)
    1. Customizable Access request forms
    2. HR based role assignment for position, org unit
    3. IDM integration using GRC Web services
    D. Business Role Management (ERM)
    1. Concept of Business role mapping for Technical roles.
    2. Audit Trails & PFCG Change history.
    Finally, the look, reporting format has been changed to provide additional information for analysis.
    More important - GRC V5.3 support is till 2015 & SAP has planned to push the customers to upgrade to 10.0. Eventually SAP is also planning to release GRC 11.0 by mid next year. So we have to wait & watch the show

  • Cannot remove the access control entry object on the object because the ACE isn't present

    Hello,
    I am very new to using PowerShell and Exchange Management Shell, and have no prior experience using either of these tools. However, the software I am installing requires me to use the EMS tool in order to set certain permissions for a user in Exchange, which will be like the admin account.
    The command I am attempting to run follows as:
    Get-ExchangeServer | Remove-ADPermission -User $newusername -Deny -ExtendedRights Receive-As -Confirm:$False 
    This throws me an error saying:
    cannot remove the access control entry on the object because the ACE isn't present. I've done some research, and have found that this error is quite common, but the solutions do not apply to what I am specifically trying to accomplish. I am simply trying to remove the Receive-As permission for the admin user that I just created.
    Once again, I am very new to Exchange and PowerShell, but if there is any advice anyone has, it would be greatly appreciated.

    I ran this command, and a very long list was displayed, it looks like everything is there.
    The weird thing is that I was able to run a previous command which granted Receive-As access to the user I am creating: 
    Get-ExchangeServer | Add-ADPermission -User $newusername -accessrights GenericRead, GenericWrite -extendedrights Send-As, Receive-As, ms-Exch-Store-Admin -Confirm:$False 
    The description for the commands to run read to 'grant permissions and to revoke denies, if present'. I'm not sure what this means, but the second part of this pertains to the second command that I am having trouble with:
    Get-ExchangeServer | Remove-ADPermission -User $newusername -Deny -ExtendedRights Receive-As -Confirm:$False

  • Project Admin & Contributor source code access control

    I am setting up access control on a TFS 2013.2 TFSVC project
    To deny access by default I added the Contributors group in the root of the source tree and set all permissions to deny, then on individual source folders I set the permissions for specific groups. So far so good, members of those groups can see the code I want them to and only that code.
    The problem is for project admins.
    All teams are members of the Contributors group so that they get team functionality such as team email alerts. If someone in the Project Admin VSO group is added to a team they therefore become part of the Contributors group due to inheritance and their code access to the top of the source tree is denied by default.
    Is it so that project admins cannot be members of teams? This would be a problem because often the project admins are also the leads who define and administer the teams in TFS. If no one is able to see the top of the source tree, who would be able to create a new sub-folder?

    Hi QualityJanitor,
    Thanks for your reply.
    In your scenario, if you add the team project admin user to a team group, he can view the source structure in Source Control Explorer, but he cannot open any file to read. He can create a new sub-folder in Source Control Explorer, but he cannot check in this sub-folder.
    We suggest you create a custom team group in your team project, and add all the users (to whom you want to deny code access by default, excluding the team project admin) to this custom group, then use this custom group instead of the Contributors group in the root of the source tree, and set all permissions to deny for this custom group.

  • VDI Access Control with ISE

    Hi Guys,
    Can ISE do the access control for the VDI users with thin clients like PCs? Now we want to set up 802.1x authentication for the VDI users, but I'm not sure if this can be done by ISE. Do we just need to configure the access switch ports to open 802.1x as usual, and the switch will then relay the RADIUS to ISE?

    Rodrigo,
    You are right if it is using the same IP+MAC, then I don't think the identity-based firewall feature of the ASA will work for you unless you can set the Citrix VDI to use DHCP to give a unique IP for each desktop.
    This is how it worked with VMware:
    1. Single VDI pool with a unique IP for each desktop assigned by DHCP on the same subnet.
    2. User logs in to floating desktop and Windows login server is updated with username and IP
    3. Cisco Directory Agent (CDA) gets the username/IP mapping from Windows login server.
    4. Cisco ASA is configured to allow access based on Windows AD group X.
    5. ASA gets username/IP mapping from CDA and checks AD directly for group assignment.
    6. ASA enforces access policy on the IP that is currently used by the user of group X. Users of groups Y and Z would have different policies.
    NOTE: Anyconnect is not used with identity-based firewall for Windows devices. If used for 802.1x (wired or wireless) or any other supplicant, it does allow Identity-based firewall to work with non-windows devices. If Cisco would only enhance RA VPN to work when using ISE authentication with windows domain detection or assignment, it would be a complete identity-based solution. RA VPN can work if authenticating directly with AD.

  • HRMS Data access control

    Hi,
    Can fine-grained access control (VPD) be used to implement an access control security policy for HRMS sensitive data? The business requirement is that the HRMS data should not be visible to any querying tool other than the Oracle Applications core HRMS forms.
    What kind of security policy should be enforced to achieve this, and are there any compatibility issues/limitations?
    Thanks in advance,
    Regards,
    Mahesh

    You are right, access control is very application dependent, and is therefore not a good target to turn into a generic framework.
    In my opinion the king of security frameworks is Spring Security, so you could take a look at that.
    [http://static.springsource.org/spring-security/site/|http://static.springsource.org/spring-security/site/]
    Other than that, I have used a simple setup using JavaServer Faces. I had a user bean with a set of boolean flags indicating the user's capabilities (directly mapped to a database table) and in the components I would have rendered="#{user.userRole}" attributes where necessary, to conditionally switch off elements when the user wasn't allowed to see them, in some cases rendering a read-only view instead.
    It's a chore to test, but quite easy to maintain and to read IMO.

  • Disable include statements to access control

    Hi,
    Include statements (@include, not include actions) can include any resource and are not subject to declarative or programmatic access control. So access control works for the including JSP but not for the included resource.
    Is there a way to restrict include statements (@include, not include actions) to mitigate this risk?
    Tag library validators don't work because they just get a byte stream of the XML view of the JSP with expanded include statements.
    Security manager policies are difficult because the servlet container needs access to all resources and FilePermission paths are not expressive enough. Something like
    grant the jsp engine {
    permission java.io.FilePermission "/some-root/-.jsp" "read";
    permission java.io.FilePermission "/some-root/-.jspx" "read";
    seems not possible.
    Do you have any idea how to restrict include statements?
    Thanks
    Hannes
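    A defender-side check that ties this thread and the WebLogic web.xml thread above together. It is an added example written for this page, not code from either poster: it applies servlet-spec url-pattern matching to a constructed web.xml (the WebLogic poster's url-pattern `index.jsp`, lacking a leading slash, protects nothing), then scans constructed JSP sources for `<%@ include %>` directives that pull a fragment from a protected area into an unprotected page. `WEB_XML`, `JSP_SOURCES` and the request paths are constructed samples.

```python
# Added example for this page (not code from either forum post): servlet-spec
# url-pattern matching plus an audit of JSP static includes. Samples constructed.
import posixpath
import re
import xml.etree.ElementTree as ET

# Constructed web.xml modelled on the WebLogic thread.  The first constraint
# uses the poster's url-pattern "index.jsp": with no leading slash it is not an
# exact, path-prefix (/x/*) or extension (*.jsp) pattern, so it matches nothing.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin</web-resource-name>
      <url-pattern>index.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>ppuseradmins</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin-area</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>ppuseradmins</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

# Constructed JSP sources keyed by context-relative path.  Static includes are
# resolved at translation time, so the container applies only the
# security-constraint of the including page, never that of the fragment.
JSP_SOURCES = {
    "/public/news.jsp": '<html><%@ include file="/admin/userlist.jsp" %></html>',
    "/public/home.jsp": '<%@ include file="footer.jspf" %>',
    "/admin/index.jsp": '<%@ include file="/WEB-INF/jspf/admin-nav.jspf" %>',
}

INCLUDE_RE = re.compile(r'<%@\s*include\s+file\s*=\s*"([^"]+)"\s*%>')


def pattern_matches(pattern, path):
    """Servlet-spec url-pattern matching for a context-relative request path."""
    if pattern == "/":                      # default mapping: every path
        return True
    if pattern.endswith("/*"):              # path-prefix mapping, e.g. /admin/*
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):            # extension mapping, e.g. *.jsp
        return path.endswith(pattern[1:])
    # Exact mapping.  Request paths always start with "/", so a pattern such as
    # "index.jsp" can never be equal to one.
    return path == pattern


def protected_patterns(web_xml):
    """Map each url-pattern that sits under an <auth-constraint> to its roles.
    No <auth-constraint> means no authorization, so such constraints are skipped."""
    patterns = {}
    for constraint in ET.fromstring(web_xml).iter("security-constraint"):
        auth = constraint.find("auth-constraint")
        if auth is None:
            continue
        roles = {r.text.strip() for r in auth.findall("role-name")}
        for p in constraint.iter("url-pattern"):
            patterns[p.text.strip()] = roles
    return patterns


def is_protected(patterns, path):
    return any(pattern_matches(p, path) for p in patterns)


def resolve_include(including_path, file_attr):
    """Resolve an @include file attribute: context-relative if it starts with
    '/', otherwise relative to the directory of the including page."""
    if file_attr.startswith("/"):
        return posixpath.normpath(file_attr)
    base = posixpath.dirname(including_path)
    return posixpath.normpath(posixpath.join(base, file_attr))


def audit_includes(patterns, jsp_sources):
    """Return (page, fragment) pairs where a page that is not itself protected
    statically includes a fragment living under a protected url-pattern."""
    findings = []
    for page, source in jsp_sources.items():
        if is_protected(patterns, page):
            continue
        for match in INCLUDE_RE.finditer(source):
            fragment = resolve_include(page, match.group(1))
            if is_protected(patterns, fragment):
                findings.append((page, fragment))
    return findings


if __name__ == "__main__":
    pats = protected_patterns(WEB_XML)
    for path in ["/index.jsp", "/admin", "/admin/index.jsp", "/public/news.jsp"]:
        print(f"{path}: {'protected' if is_protected(pats, path) else 'UNPROTECTED'}")
    for page, fragment in audit_includes(pats, JSP_SOURCES):
        print(f"{page} statically includes protected {fragment}")
    # Fragments kept under /WEB-INF/ (as admin-nav.jspf is) are never served
    # directly by the container, so protecting the including pages suffices.
```

The audit flags `/public/news.jsp` because it statically includes `/admin/userlist.jsp`, whereas `/admin/index.jsp` is skipped since the page itself is covered by `/admin/*`.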

    Hi Private_frazer,
    Welcome to the forum, that does sound a bit frustrating. I can get this look into for you. Please could you send me in your details using the link found in the "About Me" section of my profile.
    Thanks
    Paddy,
    BTCare Community Mod

  • UWL Integration - Process Control & Access Control

    Hello Community,
    Has anyone worked on UWL integration of Access Control 5.3 & Process Control 3.0?
    Is this feasible by developing UWL custom connectors? Any hints?
    (NW2004s - EP7.0)
    Thanks!
    Dhanz

    Hi
    Even though you set risk analysis to be done at single in RAR, it will automatically consider the following types if done from CUP:
    1. SOD conflict
    2. Critical action
    3. Critical Permission
    If you want to have only SOD risk analysis, then deactivate all critical action rules in RAR or create a new ruleset, assign all SOD risks to it and use it with CUP.
    Thanks & Regards
    Asheesh
