FBA Not granting access to AD group users

In my FBA setting, an individual user can be granted access to the SharePoint site and it works fine. It is able to resolve the AD group, but users within that AD group are not able to get access to the SharePoint site. The same user, when added directly, gets access. Since these AD groups have more than 2000 users, it is not possible to add them individually. Is there any way of doing it?
I followed this approach, but it did not work:
http://social.technet.microsoft.com/Forums/office/en-US/9592df6b-d789-49c0-b1ec-142828cdadc8/fba-ldap-domain-group-members-getting-access-denied?forum=sharepointadminlegacy
sachin

OK, the complete answer is in the link http://social.technet.microsoft.com/Forums/office/en-US/9592df6b-d789-49c0-b1ec-142828cdadc8/fba-ldap-domain-group-members-getting-access-denied?forum=sharepointadminlegacy.
I did not do something right the first time.
After editing the role provider and adding the lines marked in italics in the original post:
<!-- LdapRoleProvider entry for the FBA web application (roleManager/providers in web.config).
     Users are located with userFilter plus userNameAttribute; with useUserDNAttribute="true"
     the user's dnAttribute value is then matched against each group's groupMemberAttribute.
     server, DC=$$,DC=@@,DC=!!, username and password are placeholders. -->
<add name="AccountRole"
     type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
     server="server"
     port="389"
     useSSL="false"
     enableSearchMethods="true"
     groupContainer="DC=$$,DC=@@,DC=!!"
     groupNameAttribute="cn"
     groupNameAlternateSearchAttribute="cn"
     groupMemberAttribute="member"
     userNameAttribute="sAMAccountName"
     dnAttribute="distinguishedName"
     useUserDNAttribute="true"
     connectionUsername="username"
     connectionPassword="password"
     userFilter="&amp;(objectClass=user)(objectCategory=person)"
     groupFilter="&amp;(objectCategory=Group)(objectClass=group)"
     userContainer="DC=$$,DC=@@,DC=!!"
     scope="Subtree" />
Then following this step:
If you add the group in the site, you must make sure it was retrieved from the role provider (LdapRoleProvider in your issue), not the membership provider (LDAP in your issue).
Things have started working now.
sachin
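As an added example (not code from the original post, and not Microsoft's LdapRoleProvider), the Python below traces the two lookups the fragment above configures: find the user with userFilter and userNameAttribute, take its dnAttribute value, then find every group whose groupMemberAttribute contains that DN. It runs offline against a constructed in-memory directory; how the provider parenthesises userFilter/groupFilter and ANDs them with the lookup attribute is an assumption of the example. It also shows why a login name must be RFC 4515-escaped before it is spliced into the filter: an unescaped "*" matches every account.

```python
import re
from typing import Dict, List, Optional, Union

Entry = Dict[str, Union[str, List[str]]]

# Settings copied from the LdapRoleProvider fragment. Wrapping userFilter /
# groupFilter in parentheses and ANDing them with the lookup attribute is an
# assumption about how the provider builds its searches.
PROVIDER = {
    "userFilter": "&(objectClass=user)(objectCategory=person)",
    "groupFilter": "&(objectCategory=Group)(objectClass=group)",
    "userNameAttribute": "sAMAccountName",
    "dnAttribute": "distinguishedName",
    "groupMemberAttribute": "member",
    "groupNameAttribute": "cn",
}

ALICE_DN = "CN=Alice,OU=Staff,DC=corp,DC=example"
BOB_DN = "CN=Bob,OU=Staff,DC=corp,DC=example"

# Constructed in-memory stand-in for the directory (not real data).
DIRECTORY: List[Entry] = [
    {"distinguishedName": ALICE_DN, "objectClass": "user",
     "objectCategory": "person", "sAMAccountName": "alice"},
    {"distinguishedName": BOB_DN, "objectClass": "user",
     "objectCategory": "person", "sAMAccountName": "bob"},
    {"distinguishedName": "CN=SP-Readers,OU=Groups,DC=corp,DC=example",
     "objectClass": "group", "objectCategory": "Group", "cn": "SP-Readers",
     "member": [ALICE_DN]},
    {"distinguishedName": "CN=Staff-All,OU=Groups,DC=corp,DC=example",
     "objectClass": "group", "objectCategory": "Group", "cn": "Staff-All",
     "member": [ALICE_DN, BOB_DN]},
]


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for text spliced into a search filter (ASCII specials)."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def parse_filter(text: str):
    """Parse (&(a=1)(|(b=2)(c=3))) into ('&', [...]) / ('=', attr, value) tuples."""
    def parse(i: int):
        if text[i] != "(":
            raise ValueError("expected '(' at offset %d" % i)
        i += 1
        if text[i] in "&|!":
            op, subs, i = text[i], [], i + 1
            while text[i] == "(":
                node, i = parse(i)
                subs.append(node)
            if text[i] != ")":
                raise ValueError("expected ')' at offset %d" % i)
            return (op, subs), i + 1
        eq = text.index("=", i)
        close = text.index(")", eq)
        return ("=", text[i:eq], text[eq + 1:close]), close + 1

    node, end = parse(0)
    if end != len(text):
        raise ValueError("trailing data after filter")
    return node


def _values(entry: Entry, attr: str) -> List[str]:
    """Attribute lookup; LDAP attribute names are case-insensitive."""
    for key, val in entry.items():
        if key.lower() == attr.lower():
            return list(val) if isinstance(val, list) else [val]
    return []


def _match(pattern: str, actual: str) -> bool:
    """Filter-value match: a bare '*' is a wildcard, '\\xx' escapes are literal."""
    regex, i = [], 0
    while i < len(pattern):
        if pattern[i] == "\\":
            regex.append(re.escape(chr(int(pattern[i + 1:i + 3], 16))))
            i += 3
        else:
            regex.append(".*" if pattern[i] == "*" else re.escape(pattern[i]))
            i += 1
    return re.fullmatch("".join(regex), actual, re.IGNORECASE) is not None


def evaluate(node, entry: Entry) -> bool:
    if node[0] == "&":
        return all(evaluate(n, entry) for n in node[1])
    if node[0] == "|":
        return any(evaluate(n, entry) for n in node[1])
    if node[0] == "!":
        return not evaluate(node[1][0], entry)
    _, attr, pattern = node
    return any(_match(pattern, v) for v in _values(entry, attr))


def search(filter_text: str) -> List[Entry]:
    node = parse_filter(filter_text)
    return [e for e in DIRECTORY if evaluate(node, e)]


def find_users(login: str, escape: bool = True) -> List[str]:
    """Step 1: userFilter AND (userNameAttribute=login). escape=False shows the injection."""
    value = escape_filter_value(login) if escape else login
    flt = "(&(%s)(%s=%s))" % (PROVIDER["userFilter"], PROVIDER["userNameAttribute"], value)
    return sorted(_values(e, PROVIDER["userNameAttribute"])[0] for e in search(flt))


def resolve_groups(login: str) -> Optional[List[str]]:
    """Step 2: groups whose groupMemberAttribute holds the user's DN (useUserDNAttribute)."""
    users = search("(&(%s)(%s=%s))" % (PROVIDER["userFilter"], PROVIDER["userNameAttribute"],
                                        escape_filter_value(login)))
    if len(users) != 1:
        return None  # unknown or ambiguous account: grant nothing
    dn = _values(users[0], PROVIDER["dnAttribute"])[0]
    flt = "(&(%s)(%s=%s))" % (PROVIDER["groupFilter"], PROVIDER["groupMemberAttribute"],
                              escape_filter_value(dn))
    return sorted(_values(g, PROVIDER["groupNameAttribute"])[0] for g in search(flt))
```

resolve_groups("alice") returns the two groups that list Alice's DN as a member, which is the membership SharePoint sees when the group is added from the role provider; find_users("*", escape=False) returns every account, which is what an unescaped login would do against a real directory. Two practical notes: the connectionUsername/connectionPassword pair sits in web.config in clear text, so that service account should have read-only rights to the directory, and matching on the member attribute only finds direct members, so check how the provider treats nested groups before relying on them.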

Similar Messages

  • You do not have access to any End User Layer tables

    Hello Gurus!
    I'm having an issue with connecting/using EULs on Disco 10g - I have already installed 10g Admin and configured 2 EULs and also imported the sample data - they are all owned by DISCO user -
    When I connect to http://discoserver:7778/discoverer/viewer, I get a connection screen - no connections are listed, so I click create connection - I give it a name, put in disco as my user, put my password in, put db_connect_string into the appropriate field, where db_connect_string is my actual connect string - and it gives me this error:
    Error
    Authentication Failed.
    (You do not have access to any End User Layer tables)
    I have access to these, as I'm the EUL owner - I've also tried this though with other users that I have granted access to in the admin too (I've even granted access to these EULs to public - still no luck) - should I be using the db user and password or are there other places in 10g that I set up disco users?
    If I should be using the db user and pass, why won't it see my EULs?

    Hopefully CupJr got his answer as it's been over 2 years!
    However, if you're having the same problem ...
    1. is this an Apps EUL and you're connecting as a database user (ie: the owner of the EUL)?
    2. have you set the gateway connection info correctly (again if an Apps EUL)? - found at: Tools -> Options -> Connection.
    Russ

  • Progress Reporter. I can't access,not granted access for direct login

    I am trying to Access to Progress Reporter.
    Web Access is running correctly and I got access with "admin" user. But when I am trying to use the admin user for Progress Reporter I got this message:
    Logon denied for [admin]. You are not granted access for direct login, please contact your administrator. Please choose 'OK' to make corrections or 'Cancel' to exit the application.
    I don't know how to create a user for Progress Reporter, if that is the problem. Please help me... I will appreciate your help a lot.
    Thanks

    I have the same problem (P6 v7), but the difference with the case mentioned is that I have all checkboxes marked correctly and all permissions for users.
    When I try to log in, the same error appears.
    Does anyone have any tip???
    Thanks

  • Unable to connect End user layer /You do not have access to any end user Layer tables

    I get the following error message in Disco Admin ver 4.1.33.1.6:
    1) Unable to connect End user layer
    In Disco Plus I get the following error:
    a) You do not have access to any end user Layer tables
    This is despite the fact that my userid/password combination@databaseid has access to all tables in Oracle SQL*Plus: Release 8.0.6.0.0 -
    Connected to:
    Oracle8i Enterprise Edition Release 8.1.7.1.0 - 64bit Production
    With the Partitioning option
    JServer Release 8.1.7.1.0 - 64bit Production
    Please reply ASAP if anyone has any ideas
    Thanks
    Gurman

    Have you created an EUL for your user through the Administration Edition?
    If not, log in as a user who has DBA rights and create an EUL for your user.

  • Unable to connect to : eul4_us@VIS, You do not have access to any End User

    Hi all
    I have configured and created an EUL in an 11.5.10.2 VISION instance on Windows 2003.
    When I tried to connect to Discoverer 4i on the 11i VIS instance I am getting the following error:
    Unable to connect to : eul4_us@VIS
    You do not have access to any End User Layer tables
    But I can connect to eul4_us@VIS via TOAD and SQL*PLUS Client, Also Discoverer Administration Edition can connect to eul4_us@VIS.
    Also with the same Discoverer Release 4 Desktop Edition we can connect to the another VIS instance which is running on solaris 9, Only problem with the VIS at Windows2003,
    Please Can any one give some solutions ASAP
    Thanks
    Divyanand

    Hi,
    In general, with an Apps mode EUL I would expect that you will get the "You do not have access to any End User Layer tables" error when you connect to Desktop as the EUL owner. This is because the EUL owner does not have (and does not need) privileges to the Apps tables and functions. You should connect to Desktop as an Apps user.
    Rod West

  • Grant access to help desk users to add members to distribution and security groups

    Hello,
    I am trying to create a set of help desk users that has full access to add or remove members from distribution and security groups as well as update users.  We want it to bypass owner approval and essentially allow this group to add or remove members
    in the FIM Portal and flow it down to ADS.
    This obviously works fine if one is a member of the Administrators set, but we want a second tier of power users with limited rights compared to FIM Admins. We have added the help desk team to the Security Group Users and Group Users set as
    well as MPR "Security group management: Users can read selected attributes of group resources".
    The help desk users can update users in the Portal with no issue. They can search groups with no issue, but when they try to add members to a group they get the error "Access Denied".
    Any help is greatly appreciated.
    Thanks!

    I'm having a very similar problem - I have users with the delegated right to modify group membership only. A user can add someone to a group and it works fine, but when the same user tries to remove a user from a group (even if this is the same user
    which was added a minute ago) he gets Access Denied:
    "The request included members which the requestor is not authorized to add and/or remove from this group."
    It is caused by default MPR:
    Group management workflow: Validate requestor on remove member
    Question is how this activity validates this request - any insight?

  • App Role Not Granting Access

    Hello,
    We are currently using OBIEE 11.1.1.6.2 BP1. I had to create a new dashboard and created a custom app role with open access (read and execute). After setting this up I added it to catalog permissions; however, this app role grants access to everything but the dashboard. The end user can open the catalog and navigate to the folder location where the reports are stored but is unable to see the dashboard. I have verified the app role is properly created in the Enterprise Manager. The custom app role granting full control for my power users works as expected.
    Has anyone seen this type of issue?  Any help would be greatly appreciated.

    Yes, everything is good in this regard and I did not need to change anything. I am unsure of what was happening, but this group all of a sudden started working. It has never taken that long for permissions to take effect before.

  • GRANT ACCESS with sys user

    hi
    I have a user with objects, tables, views and procedures, but it doesn't have DBA privileges... how can I grant all the users access to these objects? (with the sys or system user).
    thanks for your help.
    alex

    Hello,
    Every user in the database has its objects, and DBA privileges are not for everyone.
    "how can I grant access to all the users to these objects? (with the sys or system user)" <<<<<< Can you explain these lines? What's your requirement? Please state clearly...
    As far as I understand your problem, you require that all other users of the database should be able to access the objects of the user (let's say A) which you specified in the first line.
    For this purpose, create public synonyms for all objects of user A and grant privileges on them. Then everyone can use the objects of A's schema.
    Please update... whether you got the point or not...

  • Can not login access manager

    Mail server version is JES Messaging Server 6 2005Q4.
    My Access Manager: http://hostname:8080/amserver
    Last week I logged in to Access Manager, and under the web label or configuration label,
    in the "ldap" item, I added a new dc=xx,dc=xx,dc=xx,
    then saved the configuration.
    But after that I can not log in to Access Manager.
    When I log in as the admin user, it prints:
    "Authentication failed".
    What should I do to restore Access Manager?
    thanks!

    javatoall wrote:
    Hi,
    I logged in to Access Manager, accessed the sample "realm" -> Authentication ->
    Advanced Properties -> User profiles and then chose "Dynamic with user Alias".
    Then I only configured JDBC authentication with a MySQL database; I did not use the LDAP service.
    When I created a new user in MySQL, I could log in to the web application that I secured as "sample.war" successfully, but the new user does not have the right to access the resource that I protected before.
    When I log in to Access Manager with the amadmin user, I can not find the user that I created in the MySQL database.
    When the users are created through the dynamic profile, the default cn/sn are set to "default"; after creation you need to log in to amconsole as amadmin and change/add proper values for these attributes.
    Alternatively you can set the protected resource's policy subject to Authenticated Users. This will work, but I am not sure it will meet your requirement.
    > When I log in to the Access Manager console with the new user, it logs in successfully, and I can view the profile of the new user that I created.
    > Can you tell me how to manage a new user that I created in MySQL with the Access Manager console?
    > I want to configure access to a protected resource for that user. How do I configure that?
    read above, use the Authenticated Users subject
    Thanks for every help.
    VinhND.

  • Could not save "blablablabla" becuse write access was not granted, this users have full permissions.

    We have several Mac OS X 10.9.3 users that use Adobe CC and are having trouble saving their files on the network. The error is: Could not save "blablablabla" because write access was not granted. These users have full permissions.

    Some 10.9.3 links
    -next link says After Effects, but check YOUR permissions !!!
    -http://blogs.adobe.com/aftereffects/2014/06/permissions-mac-os-start-adobe-applications.html
    -Mac 10.9.3 workaround https://forums.adobe.com/thread/1489922
    -more Mac 10.9.3 https://forums.adobe.com/thread/1491469
    -Enable Mac Root User https://forums.adobe.com/thread/1156604
    -more Root User http://forums.adobe.com/thread/879931
    -and more root user http://forums.adobe.com/thread/940869?tstart=0

  • Grant access to all the views created in user schema to another schema

    How to grant access for all the views created in own HAGGIS schema to comqdhb schema on the HAGGIS database.
    Oracle Grant Privileges
    ===============
    Object privileges assign the right to perform a particular operation on a specific object
    I read that we can use select 'grant select on' ||view_name||'HAGGIS' user_views where owner='COMQDHB'
    Is this right
    Oracle System Privileges
    ===============
    System privileges should be used only in cases where security isn't important, because a single grant statement could remove all security from the table
    Role based security
    ============
    Role security allows you to gather related grants into a collection. Since the role is a predefined collection of privileges that are grouped together, privileges are easier to assign to users.
    [http://www.dba-oracle.com/art_builder_grant_sec.htm]
    can we grant select update to all the views at a time to the other schema.
    Are there any other ways to secure the data other than creating users and assigning roles.
    Thank you
    Edited by: Trooper on Dec 23, 2008 9:24 AM

    I think what was suggested was that you use SQL to generate the grants on each and every view, that is, you use SQL to generate SQL where the SQL being generated is "grant select on view_name to role".
    If your users connect to Oracle you have to create usernames for them, though if the users only connect via an application, the application might run as just one user and access to the application is controlled via application security. The control on the application can be via Directory Services such as OID or MS Active Directory. User access to Oracle can also be controlled via OID.
    To connect to Oracle you can use OS authentication (not recommended), usernames with passwords, or the Advanced Security Option, which supports single sign-on products like Kerberos or Oracle Internet Directory etc....
    Example using SQL to generate SQL
    How do I find out which users have the rights, or privileges, to access a given object ?
    http://www.jlcomp.demon.co.uk/faq/privileges.html
    HTH -- Mark D Powell --

  • Removed user from group, user no longer has access to documents even though user is owner of documents

    I'm running a server 2012 std domain and I'm in the process of rebuilding our fileserver after we had some pretty serious permission issues. Bad permissions (Everyone had full access to user documents share) were migrated when we move to the new server and
    then by some strange Monday morning freak out all users lost access to their documents. I restored from backups, redirected everyone's folders back to local computer and started to reconfigure the share permissions. I moved our administration group back to
    the server after securing proper permissions for folder redirection (permissions copied from https://technet.microsoft.com/en-us/library/jj649078.aspx?f=255&MSPPError=-2147217396 table 1, only difference is instead of creating a new security group
    for redirection users, I used the everyone group) to test and everything went perfectly. The GPO created the users folders under the root and redirection was good to go. Along with that, other users cannot access other users documents anymore which was the
    intended outcome. 
    Last night I was looking at security groups and see that our administration group (back office group: accounting, HR, etc..) was a member of the domain admins. I removed them from the domain admins group and added them to the administrators group (they do
    need regular admin access) then went on like normal. This morning, all users in that group can no longer access their documents on the server. I immediately think that permissions were broken again and started to get angry, but then realize that all the files
    are still accessible on the server (no lost permissions like before) and the user is still shown as the owner with full permissions, but the files are inaccessible to those users. I re-added them to the domain admins group, logged out, logged back in and documents
    are back and accessible by the user. Remove them from the domain admins group, log out, log back in and the documents are inaccessible again. Re-add to the domain admins group and back to normal. 
    Which leads me to now. If the users are part of the domain admins group, they have access to their files. If they are removed from the domain admins group, they lose access. When they lose access, they are still the owners of the files/folders with full
    permissions, yet they can't access their documents. Also, just to add, the domain admins group has no specified permissions on the files or folders. See screenshots below..
    Here is the root share. 
    And the user's desktop folder. The folder is owned by the user with full permissions. This is the folder the redirection GPO created.
    Any ideas why removing the group from domain admins would drop access to their files? They are still the owners of the files and should have full access but they don't. Is there something I'm not seeing here?

    Effective Access shows the user has full control of the Desktop folder
    This is a problem with the Effective Access tab when using CREATOR OWNER.  As you have noticed, the user doesn't really have the access that the tab says it does.  This is because of how CREATOR OWNER works.
    CREATOR OWNER is only evaluated when a file/folder is created. 
    IF a user can create a file/folder, then the permissions assigned to CREATOR OWNER are copied to a new permissions entry for that user.
    To see this:
    Logon as an administrator and create a file in the Desktop folder in your screenshot.
    Examine the permissions of the new file.
    You'll see that there is a new entry for the account you logged on with.
    CREATOR OWNER is gone.  CREATOR OWNER would still be there if you created a folder (because of "subfolders and files").
    In the Desktop folder (in your screenshot), only SYSTEM and Administrator can create/access files.
    To fix this, you need to grant the users the ability to list the directory contents and create new files/folders.  This corresponds with the suggestion of Table 1 in the document you found.
    I see what you're saying about Administrators domain group. I'll just add them as local admins via GPO and that should solve that issue. 
    No, scary!  This will grant those users administrative permission on your server.  They will be able to see any file anywhere on that server.
    If your goal is to provide a place that is private for each user, then the simplest approach is to grant each user permission to their own folder.  Like this for Test User:
    Notes for above:
    I set the user's permission to Modify because there is no good reason why the user should change these permissions
    The owner of this folder is unimportant.  I leave it set to Administrators
    You can, and I do, remove CREATOR OWNER.  It adds no value in this situation and just causes confusion.
    As for the second screen shot, the *-Admins folder is the root to which Everyone has special permissions on and can create folders. The folder for M* was created by the GPO, which makes M* the owner to which they have Full control of subfolders and files.
    The GPO also created the Desktop folder, giving owner full permissions of subfolders and files. Inside the Desktop folder, permissions remain Full control for owner for subfolders and files. Even if it was the case that they only had permissions on subfolders
    and files, wouldn't each subfolder under that one be considered a subfolder and file of the top folder?
    If this works as you say, then yes, it should work. But I don't see the entries for user M*. Remember, there should be entries for the M* user that are a duplicate of CREATOR OWNER.
    I suspect that Group Policy is creating the directories (elevated) and then changing the owner to M* afterward.  This does not duplicate the CREATOR OWNER entries as needed.  If this is the case, I consider it a flaw because your permissions do
    not allow user M* to create files/folders, and group policy shouldn't bypass security.
    I'm not saying you're wrong, I'm just curious why the TechNet article would advise CREATOR OWNER giving full control of subfolders and files only if that were not correct. I can add the permissions for the users easily, I just don't see why I need to give explicit permissions to access something when the GPO created those folders for me, which Microsoft recommends you allow. If the GPO can create folders and the folders are owned by the user, then the user can obviously add/create/modify/view those files and folders.
    When I restored the data, no permissions were reset. Permissions were restored to the wonky version where the Everyone group has full access to everything. Ownership of the files/folders remained the same.
    A couple things:
    The article instructed the use of Folder Redirection Users group that had permissions to create files.  Your examples didn't have that.  Because of this, your user could create new files.
    The article assumes that the directories you are creating will be empty.  Existing files will be unreadable to everyone except Admins.
    If you follow the directions in the article, then anyone in the Folder Redirection Users group can write files to anyone else's directory.
    One benefit of the document's approach is that all the users could be redirected to the same folder using the article, and it would work.  A benefit, I guess.
    But, I like my users separate and unable to see each other's files -- at all. This is why I recommend replacing CREATOR OWNER with the specific user.
    I believe this document is a "how to get it done" document, not necessarily a best practices document.  I see it as a starting point, and that's why I didn't follow it exactly.
    Lastly, CREATOR OWNER permissions are useful but confusing.  I avoid them unless I have the rare circumstance where they are perfect.
    When I restored the data, no permissions were reset. Permissions were restored to the wonky version where the Everyone group has full access to everything. Ownership of the files/folders remained the same.
    To summarize:
    In the user's directory, you need to provide permission to list and create new files/folders, and you need to grant the user permission to the existing files.
    -Tony

  • Grant access to users from different Domains

    Hi,
    Recently my company was merged with another. All users from my company are setup in our Domain (DomainA). Sharepoint is able to see the users in this domain and grant access to the users as well. When the merger happened, we created a Group (Test - Sharepoint)
    in our AD to add groups from the other company's domain: DomainB, a totally different forest. There is a two-way trust set up between these domains. The group Test-Sharepoint is "domain local" and it is able to see the groups/users from the other domain: DomainB.
    The other users are now able to access our sharepoint environment once access is granted to DomainA\Test-Sharepoint.
    The problem came when we applied audience targeting around a few web parts. The users from DomainB who are added as objects in DomainA\Test-Sharepoint (group in DomainA) are not able to see the web parts that have audience targeting for this group. Someone
    suggested that AD groups should be Global or Universal but that is not our case. Most of the groups in our AD are domain local and SP is able to see the users within it.
    Please suggest how we can resolve audience targeting issue?
    Regards, Kapil ***Please mark answer as Helpful or Answered after consideration***

    My apologies, yes that is correct you'll have to use Domain Local in this case. http://technet.microsoft.com/en-us/library/cc755692(v=WS.10).aspx
    Actually what you'll need to do is not use Groups in your domain at all, as the users are Foreign Security Principals. Instead, use a group in the trusted domain, or attributes of the users you intend to target directly.
    Trevor Seward
    This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

  • Can not assign custom access level with a user login

    Hi,
    I am using Business Objects XI R3. When I am logging in with a user having full control access and then I select a folder, add a principal from user security and try to add a custom access level, it gives me the error:
    An error occurred at the server during security batch commit: Request 0 of type 38 failed with server error : You do not have sufficient rights to make the requested security changes.
    It allows me to give access to standard access levels. Also, when I tried to assign the custom access level with the administrator user, it assigns the custom access level to a principal without error.
    Can any body tell me what I am doing wrong?
    Thanks in advance,
    Rajendra

    Hi Rajendra,
    You have to make sure that the user group has the right 'Use access level for security assignment' assigned as granted on the access level you created. You can find this right under System / Access Level. That should do the trick!
    Hope this helps...
    Martijn van Foeken
    Focuzz BI Services
    http://www.focuzz.nl
    http://nl.linkedin.com/in/martijnvanfoeken
    http://twitter.com/mfoeken

  • Changing from dev to standard edition causes "Could not obtain information about Windows NT group/user error code 0x6e."

    Hello,
    We recently upgraded our SQL Server 2012 SP1 (64-bit) dev edition to standard edition, after we purchased the required licence and it was deployed in production.
    Since the edition change, we are now receiving the following error, with some of our jobs, which have an e-mail step in them, which is causing the jobs to fail.
    Msg 14661,Level 16, State 1, Procedure sp_send_dbmail, Line 517
    Query execution failed: Msg 15404, Level 16, State 19, Server BL-SVR15, Line 1
    Could not obtain information about Windows NT group/user 'BLUELIZARD\savaa', error code 0x6e.
    Any ideas how to fix this issue? We were also having a similar error, when executing the jobs, but changing the job owner to SA has fixed this issue.
    Thanks,
    Andy.

    Hi,
    Which user account you used for SQL Server service, domain account or local account?
    If it is domain account, are you able to log in to a machine with it?
    Make sure that the password of account is not expired.
    Also, grant the user Allowed to Authenticate permission and see how it helps.
    Refer to the below article:
    http://geeks.ms/blogs/ozonicco/archive/2013/01/14/208266.aspx
    Thanks.
    Tracy Cai
    TechNet Community Support
