Grant-VMConnectAccess

Experts,
Grant-VMConnectAccess - Grants a user or users access to connect to a virtual machine or machines.
As get-help didnt give much details, I am posting it here.
How should the end user access a VM if I have granted access using this commandlet?
HyperV Manager?
Cheers !
Shaba
Shaba

Brian, thank you for your reply.
I tried two things in order to provide my users with the ability to use Enhanced Session mode:
- I used Grant-VMConnectAccess for a VM on a domain joined host for a particular user. That user
gets: "You do not have permission to do this task. Please contact administrator of the authorization
policy for the computer", same as /Jd. The computer (Win 8.1) he's connecting from is in the same domain as the host.
- I tried to use AzMan to provide the same user access to the host, by following a couple of guides (which
were for 2012), and they don't appear to work for 2012 R2, the user is unable to connect.

Similar Messages

Usage of Grant-VMConnectAccess

Hi,
Can someone please clarify the usage (and any extra steps) of Grant-VMConnectAccess?
I have attempted to run this cmdlet and while the Get-VMConnectAccess does show that the permissions have been granted, using any of the tools that the technet article suggests (Hyper-V manager, Hyper-V VM Connection) do not work for that user, I get the
error:
"You do not have permission to do this task. Please contact administrator of the authorization policy for the computer 'localhost'"
There are some articles that suggest after using this cmdlet that you need to add the user to the “Hyper-V Administrators” group, and while I have tried that and it works, it voids the purpose of the cmdlet because it gives the user full access to all VMs
on that machine.
Has anyone successfully used this cmdlet to apply security to a subset of VMs on a Hyper-V host? The TechNet description appears that this is what it is designed for.
Thanks.

It only grants the user access to access the console of the VM, nothing more.
It is not used in conjunction with the Hyper-V VM Console application. It does not secure a subset of VMs.
Hyper-V once allowed granular VM access using Authorization Manager. This is gone in 2012 R2, with a reliance on SCVMM to provide that granular control (no different than VMware).
Anyone who manages VMs needs to be a member of the Hyper-V Administrators local security group on the Hyper-V Server. That alone is supposed to be enough. (I say supposed to because I have seen situations where various group policies foil this).
Brian Ehlert
http://ITProctology.blogspot.com
Learn. Apply. Repeat.
Disclaimer: Attempting change is of your own free will.

Error while granting BPMOrganizationAdmin role to SOAOperator.

Error Starting While starting SOA server. Please advise.
<Mar 5, 2015 12:56:08 PM EST> <Error> <oracle.bpm.services.organization> <BEA-000000> <Exception
exception.70692.type: error
exception.70692.severity: 2
exception.70692.name: Error while granting BPMOrganizationAdmin role to SOAOperator.
exception.70692.description: Error occured while granting the application role BPMOrganizationAdmin to application role SOAOperator.
exception.70692.fix: In the policy store, please add SOAOperator role as a member of BPMOrganizationAdmin role, if it is not already present.
ORABPEL-10513
Cannot get application roles from application identified by "{0}".
An error occurred while getting application roles from application identified by "soa-infra".
The underlying APIs threw an exception. Check the error stack and fix the cause of the error. Contact Oracle Support Services if error is not fixable.
        at oracle.tip.pc.services.identity.jps.JpsProvider$1.run(JpsProvider.java:920)
        at oracle.tip.pc.services.identity.jps.JpsProvider.lookupAppRole(JpsProvider.java:913)
        at oracle.bpm.bpmn.engine.runtime.DeploymentDescriptorUtil.grantBPMOrganizationAdminRoleToSOAOperator(DeploymentDescriptorUtil.java:294)
        at oracle.bpm.bpmn.engine.service.BPMNServiceEngine.stateChanged(BPMNServiceEngine.java:578)
        at oracle.integration.platform.blocks.mesh.FabricLifecycle.notifyListeners(FabricLifecycle.java:46)
        at oracle.integration.platform.blocks.mesh.FabricLifecycle.setState(FabricLifecycle.java:30)
        at oracle.integration.platform.blocks.mesh.MeshImpl.postDeployInit(MeshImpl.java:118)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:597)
        at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:307)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
        at oracle.integration.platform.metrics.PhaseEventAspect.invoke(PhaseEventAspect.java:71)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
        at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
        at $Proxy307.postDeployInit(Unknown Source)
        at oracle.integration.platform.kernel.FabricKernelInitializerServlet$1.run(FabricKernelInitializerServlet.java:555)
        at oracle.integration.platform.blocks.executor.WorkManagerExecutor$1.run(WorkManagerExecutor.java:120)
        at weblogic.work.j2ee.J2EEWorkManager$WorkWithListener.run(J2EEWorkManager.java:183)
        at weblogic.work.DaemonWorkThread.run(DaemonWorkThread.java:30)
Caused By: ORABPEL-10510
Application role not found.
Application role "BPMOrganizationAdmin" could not be found for application identified by "soa-infra".
Check if the application role exists in the repository associated with the application. Check the error stack and fix the cause of the error. Contact Oracle Support Services if error is not fixable.
        at oracle.tip.pc.services.identity.jps.JpsProvider$9.run(JpsProvider.java:2338)
        at oracle.tip.pc.services.identity.jps.JpsProvider.lookupAppRoleEntry(JpsProvider.java:2333)
        at oracle.tip.pc.services.identity.jps.JpsProvider.access$000(JpsProvider.java:169)
        at oracle.tip.pc.services.identity.jps.JpsProvider$1.run(JpsProvider.java:917)
        at oracle.tip.pc.services.identity.jps.JpsProvider.lookupAppRole(JpsProvider.java:913)
        at oracle.bpm.bpmn.engine.runtime.DeploymentDescriptorUtil.grantBPMOrganizationAdminRoleToSOAOperator(DeploymentDescriptorUtil.java:294)
        at oracle.bpm.bpmn.engine.service.BPMNServiceEngine.stateChanged(BPMNServiceEngine.java:578)
        at oracle.integration.platform.blocks.mesh.FabricLifecycle.notifyListeners(FabricLifecycle.java:46)
        at oracle.integration.platform.blocks.mesh.FabricLifecycle.setState(FabricLifecycle.java:30)
        at oracle.integration.platform.blocks.mesh.MeshImpl.postDeployInit(MeshImpl.java:118)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:597)
        at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:307)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
        at oracle.integration.platform.metrics.PhaseEventAspect.invoke(PhaseEventAspect.java:71)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
        at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
        at $Proxy307.postDeployInit(Unknown Source)
        at oracle.integration.platform.kernel.FabricKernelInitializerServlet$1.run(FabricKernelInitializerServlet.java:555)
        at oracle.integration.platform.blocks.executor.WorkManagerExecutor$1.run(WorkManagerExecutor.java:120)
        at weblogic.work.j2ee.J2EEWorkManager$WorkWithListener.run(J2EEWorkManager.java:183)
        at weblogic.work.DaemonWorkThread.run(DaemonWorkThread.java:30)
>
<Mar 5, 2015 12:56:08 PM EST> <Error> <oracle.bpm.common> <BEA-000000> <Exception
BPM-70692
Exception
exception.70692.type: error
exception.70692.severity: 2
exception.70692.name: Error while granting BPMOrganizationAdmin role to SOAOperator.
exception.70692.description: Error occured while granting the application role BPMOrganizationAdmin to application role SOAOperator.
exception.70692.fix: In the policy store, please add SOAOperator role as a member of BPMOrganizationAdmin role, if it is not already present.
        at oracle.bpm.bpmn.engine.runtime.DeploymentDescriptorUtil.grantBPMOrganizationAdminRoleToSOAOperator(DeploymentDescriptorUtil.java:324)
        at oracle.bpm.bpmn.engine.service.BPMNServiceEngine.stateChanged(BPMNServiceEngine.java:578)
        at oracle.integration.platform.blocks.mesh.FabricLifecycle.notifyListeners(FabricLifecycle.java:46)
        at oracle.integration.platform.blocks.mesh.FabricLifecycle.setState(FabricLifecycle.java:29)
        at oracle.integration.platform.blocks.mesh.MeshImpl.postDeployInit(MeshImpl.java:118)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:597)
        at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:307)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
        at oracle.integration.platform.metrics.PhaseEventAspect.invoke(PhaseEventAspect.java:71)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
        at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
        at $Proxy307.postDeployInit(Unknown Source)
        at oracle.integration.platform.kernel.FabricKernelInitializerServlet$1.run(FabricKernelInitializerServlet.java:555)
        at oracle.integration.platform.blocks.executor.WorkManagerExecutor$1.run(WorkManagerExecutor.java:120)
        at weblogic.work.j2ee.J2EEWorkManager$WorkWithListener.run(J2EEWorkManager.java:183)
        at weblogic.work.DaemonWorkThread.run(DaemonWorkThread.java:30)
Caused By: ORABPEL-10513
Cannot get application roles from application identified by "{0}".
An error occurred while getting application roles from application identified by "soa-infra".
The underlying APIs threw an exception. Check the error stack and fix the cause of the error. Contact Oracle Support Services if error is not fixable.
        at oracle.tip.pc.services.identity.jps.JpsProvider$1.run(JpsProvider.java:920)
        at oracle.tip.pc.services.identity.jps.JpsProvider.lookupAppRole(JpsProvider.java:913)
        at oracle.bpm.bpmn.engine.runtime.DeploymentDescriptorUtil.grantBPMOrganizationAdminRoleToSOAOperator(DeploymentDescriptorUtil.java:294)
        at oracle.bpm.bpmn.engine.service.BPMNServiceEngine.stateChanged(BPMNServiceEngine.java:578)
        at oracle.integration.platform.blocks.mesh.FabricLifecycle.notifyListeners(FabricLifecycle.java:46)
        at oracle.integration.platform.blocks.mesh.FabricLifecycle.setState(FabricLifecycle.java:30)
        at oracle.integration.platform.blocks.mesh.MeshImpl.postDeployInit(MeshImpl.java:118)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:597)
        at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:307)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
        at oracle.integration.platform.metrics.PhaseEventAspect.invoke(PhaseEventAspect.java:71)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
        at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
        at $Proxy307.postDeployInit(Unknown Source)
        at oracle.integration.platform.kernel.FabricKernelInitializerServlet$1.run(FabricKernelInitializerServlet.java:555)
        at oracle.integration.platform.blocks.executor.WorkManagerExecutor$1.run(WorkManagerExecutor.java:120)
        at weblogic.work.j2ee.J2EEWorkManager$WorkWithListener.run(J2EEWorkManager.java:183)
        at weblogic.work.DaemonWorkThread.run(DaemonWorkThread.java:30)
Caused By: ORABPEL-10510
Application role not found.
Application role "BPMOrganizationAdmin" could not be found for application identified by "soa-infra".
Check if the application role exists in the repository associated with the application. Check the error stack and fix the cause of the error. Contact Oracle Support Services if error is not fixable.
        at oracle.tip.pc.services.identity.jps.JpsProvider$9.run(JpsProvider.java:2338)
        at oracle.tip.pc.services.identity.jps.JpsProvider.lookupAppRoleEntry(JpsProvider.java:2333)
        at oracle.tip.pc.services.identity.jps.JpsProvider.access$000(JpsProvider.java:169)
        at oracle.tip.pc.services.identity.jps.JpsProvider$1.run(JpsProvider.java:917)
        at oracle.tip.pc.services.identity.jps.JpsProvider.lookupAppRole(JpsProvider.java:913)
        at oracle.bpm.bpmn.engine.runtime.DeploymentDescriptorUtil.grantBPMOrganizationAdminRoleToSOAOperator(DeploymentDescriptorUtil.java:294)
        at oracle.bpm.bpmn.engine.service.BPMNServiceEngine.stateChanged(BPMNServiceEngine.java:578)
        at oracle.integration.platform.blocks.mesh.FabricLifecycle.notifyListeners(FabricLifecycle.java:46)
        at oracle.integration.platform.blocks.mesh.FabricLifecycle.setState(FabricLifecycle.java:30)
        at oracle.integration.platform.blocks.mesh.MeshImpl.postDeployInit(MeshImpl.java:118)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:597)
        at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:307)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
        at oracle.integration.platform.metrics.PhaseEventAspect.invoke(PhaseEventAspect.java:71)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
        at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
        at $Proxy307.postDeployInit(Unknown Source)
        at oracle.integration.platform.kernel.FabricKernelInitializerServlet$1.run(FabricKernelInitializerServlet.java:555)
        at oracle.integration.platform.blocks.executor.WorkManagerExecutor$1.run(WorkManagerExecutor.java:120)
        at weblogic.work.j2ee.J2EEWorkManager$WorkWithListener.run(J2EEWorkManager.java:183)
        at weblogic.work.DaemonWorkThread.run(DaemonWorkThread.java:30)
>

Hi user,
Can you give us some information on the version you are using and your security setup? Are you using an external security provider? Because to me it sounds that you are using an external LDAP server.
Antonis

Replication of a BP in CRM as a FI Vendor in ECC for Grants Management

Hi,
We are implenting SAP CRM 7 with SAP ECC for Grants Management, integrated with FI AP (we're not using PSCD).
For BP replication we followed the next steps, however something looks it is incorrect because my BDOC still shows errors:
The middleware settings had been completed between the CRM and the ECC system.
- Site, Suscription and replication from CRM to SAP ECC are in placed
   -The next replication object are activated:
    -All Business Partners (MESG)   (BUPA_MAIN)
    -All Busines Partner Relationships (MESG) (BUPA_REL)
    -All Business Transactions (MESG)
    -Grantor Program Management
Also we implemented the next steps:
1) Define the number ranges for BP groupings in CRM: This number range would be internal in CRM and External in ECC.
CRM (IMG) -> Customer Relationship Management -> Cross-Application Components -> SAP Business Partner -> Basic Settings ->
Number Ranges and Groupings
2) Since the BP would be replicated as a BP in ECC we define the same number ranges in ECC too:
ERP (IMG) -> Customer Relationship Management -> Cross-Application Components -> SAP Business Partner -> Basic Settings ->
Define Groupings and Assign Number Ranges
3) Activate the post-processing framework: (Business processes CVI_02 and CVI_04 in Component AP-MD)
ERP (IMG) -> Cross-Application Components -> General Application Functions ->Postprocessing Office -> Business Processes->
Activate Creation of Postprocessing Orders
4) Activate PPO Requests for Platform Objects in the Dialog:
ERP (IMG) -> Cross-Application Components -> Master Data Synchronization -> Synchronization Control -> Synchronization
Control -> Activate PPO Requests for Platform Objects in the Dialog
Edited by: Lyda Osorio on Oct 9, 2009 7:25 AM

For CRM I had the following FM activated:
BPOUT     BUPA     100000     CRM_BUPA_OUTB_RENTED_ADDRESS     X
BPOUT     BUPA     200000     BUPA_MWX_BDOC_CREATE_MAIN     X
BPOUT     BUPA     300000     CRM_BUPA_OUTB_MARKETING_ATTR     X
BPOUT     BUPA     400000     VEND_MWX_CREATE_MAIN_BDOC     X
BPOUT     BUPA     1000000     BUPA_OUTBOUND_MAIN     X
BPOUT     BUPR     100000     BUPA_MWX_BDOC_CREATE_REL     X
BPOUT     BUPX     1000000     MDS_BUPA_OUTBOUND     X
CLEAR     BUPA     1000000     BUPA_OUTBOUND_CLEAR_FLAGS     X
CRMIN     BUAG     100000     CRM_BUAG_MWX_PROCESS_EXT_STRUC     X
CRMIN     BUPA     90100     CRM_BUPA_INBOUND_SET_BUAG_FLAG     X
CRMIN     BUPA     1000000     BUPA_INBOUND_MAIN_CENTRAL     X
CRMIN     BUPA     1100000     CRM_BUPA_INBOUND_MAIN_MD     X
CRMIN     BUPA     1200000     CRM_BUPA_BDOC_MAP_MAIN     X
CRMIN     BUPA     1400000     CRM_BUPA_KOREA_INBOUND_MAP     X
CRMIN     BUPA     2000000     ABA_FSBP_INBOUND_MAIN     X
CRMIN     BUPR     1000000     BUPA_INBOUND_REL_CENTRAL     X
CRMIN     BUPR     1100000     CRM_BUPA_INBOUND_REL_MD     X
CRMIN     BUPR     1200000     CRM_BUPA_BDOC_MAP_REL     X
CRMOU     BUAG     100000     CRM_BUAG_MWX_FILL_EXT_FROM_MEM     X
CRMOU     BUPA     1000000     BUPA_OUTBOUND_BPS_FILL_CENTRAL     X
CRMOU     BUPA     1200000     CRM_BUPA_OUTB_BPS_FILL_MD     X
CRMOU     BUPR     1000000     BUPA_OUTBOUND_BPR_FILL_CENTRAL     X
CRMOU     BUPR     1200000     CRM_BUPA_OUTB_BPR_FILL_MD     X
CRMOU     BUPR     1300000     CRM_BUPA_BDOC_BPR_FILL_DATA     X
EXTR     BUAG     100000     CRM_BUAG_MAIN_GET_ID_LIST     X
MERGE     BUPA     1000000     MERGE_BUPA_CENTRAL     X
MERGE     BUPA     2000000     MERGE_BUPA_FINSERV     X
MERGE     BUPR     1000000     MERGE_BUPR_CENTRAL     X
PXYIN     BUPA     1000000     BUPA_INBOUND     X
R3AOU     BUPA     100000     BUPA_MWX_BDOC_UP_CURRSTATE_SET     X
XIIN     BUPA     1000000     ABA_BUPA_MAP_PROXY_TO_DDIC     X
XIIN     BUPA     2000000     ABA_FSBP_MAP_PROXY_TO_DDIC     X
XIIN     BUPA     2100000     ABA_FSBP_MAP_PROXY_TO_DDIC_1     X
XIIN     BUPR     1000000     ABA_BUPR_MAP_PROXY_TO_DDIC     X
XIOUT     BUPA     1000000     ABA_BUPA_MAP_DDIC_TO_PROXY     X
XIOUT     BUPR     1000000     ABA_BUPR_MAP_DDIC_TO_PROXY     X

Sql server grants access to specific login to database.

i have created website for intranet and hosted it on server. for that i needed to create login "IIS APPPOOL\hi" in sql server 2008 for my application
to access my "reportdb" database. "IIS APPPOOL\hi" has sysadmin and public server roles in sql server 2008. And i have default login"sa" same
as "IIS APPPOOL\hi". these are working correctly. Now I want these two logins to access"reportdb" for all
operations in database and remaining all logins should be denied to access"reportdb". My Sql Server 2008 is having mixed mode (windows authentication and Sql authentication). plz help me

I think what Tauseef is requesting is to keep access for the 2 sysadmins & deny access to everyone else, correct?
As Uri mentioned, by being part of sysadmin role, “IIS APPPOOL\hi” & “sa” would have access to everything in the server, and nobody else should have access to the DB unless explicitly being granted access.
If you would really deny anyone else access to the database, you can potentially deny connect to public, and only sysadmins (who override permissions) would be able to connect; although I would strongly recommend against such practice.
Something else I would like to recommend against is the usage of sysadmin for what may not be a DBA role (IIS appPool). Following the least-privilege principle, I would recommend having a non-administrator user for applications that has enough capabilities
to perform the tasks needed.
The main risk is that a SQL injection (SQLi) bug in your application would lead to a complete compromise of your SQL server.
If there are app tasks that would require elevated permissions, I would recommend encapsulating the logic in a stored procedure and either use impersonation or digital signatures to accomplish a controlled elevation of privileges instead. If you have any
question on this topic I will be glad to assist.
I hope this information helps,
-Raul Garcia
SQL Server Security
This posting is provided "AS IS" with no warranties, and confers no rights.

How can I grant Application access to a user via API ) programattically

how do I grant access to a portal user from API
I want to grant access to a user from an API, ie I need a
command to grant "SCOTT" access to "EXAMPLE_APP" APPLICATION as
an end user?

Hi,
I am assuming that you have already updated the EUL in the Administrator Edition, correct? If not, open Discoverer Administrator and login to the database you want to connect to. You must use your EUL user name which I assume has already been created and assigned the correct privileges in the database. You will be asked to update your EUL. Follow the prompts.
Once logged into the EUL, go to Tools \ Privileges and find the user that you want to give administrator access to.
Hopefully, this answers your question.
Regards,
Nancy

Dynamic SQL and GRANT CREATE ANY TABLE

hi gurus,
i have a dynamic SQL in a procedure where a table will be created from an existing table without data.
strSQL:='create table ' || strTemp || ' as select * from ' || strArc || ' where 1=2';
execute immediate strSQL;
without GRANT CREATE ANY TABLE for the user, *"ORA-01031: insufficient privileges"* error during execution.
Is there a way to tackle this issue without providing GRANT CREATE ANY TABLE privilige?
many thanks,
Charles

ravikumar.sv wrote:
The problem is not because of dynamic sql...It probably has something to do with dynamic SQL or, more accurately, dynamic SQL within a stored procedure.
From a SQL*Plus command prompt, you can create a table if your account has the CREATE TABLE privilege either granted directly to it or granted to a role that has been granted to your account. Most people probably have the CREATE TABLE privilege through a role (hopefully a custom "developer role" that has whatever privileges you grant to users that will own objects but potentially through the default RESOURCE role). That is not sufficient to create tables dynamically via a definer's rights stored procedure. Only privileges that are granted directly to the user, not those granted via a role, are visible in that case.
I expect that the DBAs are granting the CREATE ANY TABLE privilege directly to the account in question rather than through whatever role(s) are being used which is why that appears to solve the problem.
Justin

How can I grant users the ability to pause/resume printing without a "print operators group" password.

Greetings,
We are running 10.8.5 on 30 machines in an active directory environment (graphics lab). The clients are experiencing a persistant error when pausing or resuming print jobs. Each time something is paused, it requires an administrator password to resume the job. Administrators are not always present so designers are locked out of all of the printers until we come in (or remote in) to authenticate.
I spoke with Apple today and they said they would not support active directory accounts and that the account must be edited by the department that created the account because the restrictions come from the Active Directory account preferences.
On the other hand, I ALSO read that I can edit this in the CUPS interface or modify it with the terminal command below, locally.
dseditgroup -o edit -u admin_name -p -a user_name -t user _lpadmin
"dseditgroup" adds the user_name to a group (in this case, _lpadmin).
And admin_name is the name of your administrator's account.
a) Must this be modified on the Active directory account or CAN I modify this on the local machine via CUPS or terminal?
b) If so, how would I grant users the ability to resume printing without an admin password?
c) If not, exactly what must be modified in the active Directory account to allow pause/resume without an admin password.
I have seen a terminal command that adds users to the print operatiors group (Ipadmin) and I have seen some info on editing the CUPS interface, If i must edit the CUPS interface to allow this, can anyone point to detailed instructions on how to make this change.
I also saw info on editing the CUPS interface but the suggestion lacked details as to how and how to return to default if it does not work.
I also saw a post with these suggestions below but without detail as to how one would carry this out.
/etc/cups/cupsd.conf
# All administration operations require an administrator to authenticate...
<Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default CUPS-Get-Devices>
AuthType Default
*#Require user @SYSTEM*
*Require valid-user*
Order deny,allow
</Limit>
# All printer operations require a printer operator to authenticate...
<Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After CUPS-Accept-Jobs CUPS-Reject-Jobs>
AuthType Default
*#Require user @AUTHKEY(system.print.operator) @admin @lpadmin*
*Require valid-user*
Order deny,allow
</Limit>
/etc/authorization
+The system.print.operator key is new to Snow Leopard and seems to control resuming and pausing a printer queue among other things.+
<key>system.print.admin</key>
<dict>
<key>allow-root</key>
<true/>
<key>class</key>
<string>user</string>
<key>group</key>
<string>staff</string>
<key>shared</key>
<true/>
</dict>
<key>system.print.operator</key>
<dict>
<key>allow-root</key>
<true/>
<key>class</key>
<string>user</string>
<key>group</key>
<string>staff</string>
<key>shared</key>
<true/>
</dict>
I have read all posts on this subject and I still am not clear on how to proceed, please assist.
Thanks in advance,
V

Hello again. For AD environments you can run the following command on each workstation:
sudo dseditgroup -o edit -n /Local/Default -u localadmin -p -a "Domain Users" -t group _lpadmin
This command assumes you are typing this interactively on the machine. Obviously change localadmin to the Mac's local admin's name. When running you will be prompted for password twice. Once to elevate permissions (sudo) and once to validate you are localadmin.
If you are using Apple Remote Desktop (or JAMF or other management suite), you can push this command out while embedding the localadmin's password.
sudo dseditgroup -o edit -n /Local/Default -u localadmin -P yourpass -a "Domain Users" -t group _lpadmin
Please note, if your password uses special characters (/-\) this may fail over ARD.
In Mavericks, AD groups are cached once they are referenced. If you are dealing with a lot mobile users (laptops) you might want to replace Domain Users with everyone
R-
Apple Consultants Network
Apple Professional Services
Author "Mavericks Server – Foundation Services" :: Exclusively available in Apple's iBooks Store

Splitting on customer defined fields in Grants Management

Hi All,
I am implementing a grants management solution where funds are drawn down from the sponsor using resource related billing based on payments. As part of the reporting to the sponsor we are required to report information from the grants management ledger (payment documents) with information from a third party system which triggered the initial expenditure against the grant. The join between the information is a reference number passed from the interfaced system.
My solution is to put the reference number in a customer field in the coding block and have updated the GM field movement to populate the field in GMIA. I would like to put this field in the splittng rules in grants management so that for the reporting to sponsor can be a straight forward join on the interfaced system and the data from payments in GMIA (rather than splitting in the general ledger then joining GMIA, flex GL data and the interfaced system).
The fields which can be used in splitting in GM seem to be a predefined list. I have traced this in debug and found a function module GM_SPLIT_T8G40_FIELDS which is defining the list of fields availale and translating the the field name. Any field for which it cannot find a new field name in this function module is being deleted from the list of valid fields. Therefore, customer fields are deleted from the available fields for splitting.
Can anyone suggest a way around this?
Kind regards,
Geoffrey

OK, it's something along the lines of:
Vendor Invoice posted in GL:
Entry view:
CR Vendor                                         1000 GBP
DR Expense/Customer field A              600 GBP
DR Expense/Customer field B              400 GBP
GL View (splitting on customer field):
CR Vendor/Customer field A                 600 GBP
CR Vendor/Customer field B                 400 GBP
DR Expense/Customer field A               600 GBP
DR Expense/Customer field B               400 GBP
GM document (not possible to split on customer field)
Value type 54 CR Vendor                            1000 GBP
Value type 99 DR Expense/Customer field A 600 GBP
Value type 99 DR Expense/Customer field B 400 GBP
Payment Posted:
GL Entry Veiw
DR Vendor            £1000
CR Bank Clearing £1000
General Ledger View (split on customer field)
DR Vendor/Customer field A                 600 GBP
DR Vendor/Customer field B                 400 GBP
CR Bank Clearing/Customer field A       600 GBP
CR Bank Clearing/Customer field B       400 GBP
GM Document (not possible to split on customer field)
Value Type 54 DR Vendor            £1000
Value Type 57 CR Bank Clearing £1000
In GM, there is no link back to the values in the customer fields when the payment is made as the field movement from GL to GM is based on the line items and values in the the entry view and not the split general ledger view. If the split GL data were used to populate the GM tables, then the data would already be split by the customer field by the time it reaches GM, negating a need to split on the customer field once in GM.
It still feels, however, that the simplest solution would just be to have the GM ledger split by customer fields. I have tried raising a customer message with SAP, but this query falls outside of their support remit.
Kind regards,
Geoffrey

Update to IOS 6 has been a nightmare. Facebook would allow me to save pictures unless I granted access to my foto album. Does this mean my pictures are going be planted all over the web? The safari keeps crashing and loading is slow.

update to IOS 6 has been a nightmare. Facebook would allow me to save pictures unless I granted access to my foto album. Does this mean my pictures are going be planted all over the web? The safari keeps crashing and loading is slow. Most infuriating is that YouTube was deleted from my entertainment apps and I now have to pay for it if I want it back!! This is a bloody disgrace.

Back up all data.
Boot into Recovery by holding down the key combination command-R at the startup chime. Release the keys when you see a gray screen with a spinning dial.
Note: You need an always-on Ethernet or Wi-Fi connection to the Internet to use Recovery. It won’t work with USB or PPPoE modems, or with proxy servers, or with networks that require a certificate for authentication.
When the OS X Utilities screen appears, follow the prompts to reinstall the OS. You don't need to erase the boot volume, and you won't need your backup unless something goes wrong. If your Mac was upgraded from an older version of OS X, you’ll need the Apple ID and password you used to upgrade, so make a note of those before you begin.

How to grant new user permission when the acct is created from application?

Our application team will randomly create users in DB. But the new user need to have the permission of "execute on DBMS_SNAPSHOT, DBMS_STAT, DBMS_SYSTEM" being granted from sys. We need to grant it automatically after the user is created. I was thinking about using DDL "create" trigger or just DDL database trigger. Once the trigger is fired off, issue the grant statement. We can capture the create even for the user, but got error when running the grant in the trigger or from the procedure called by trigger. My guess is that the "grant" is a DDL and DDL trigger cannot start another DDL statement. I also think about put the insert trigger on the sys.user$. But oracle would not let trigger being created on the sys tables or views.
What can we do now? The other option, I am wondering if there is a system package that can call external program (like Unix shell script) from the DDL trigger, to let the shell script do the grant, since this may not be considered as the same execution tree. Do we have such package to call from database to the UNIX shell script? Or for such need, do we have any other option?
Thanks for help!
Edited by: user5973955 on Oct 6, 2010 3:51 PM

The application teams do not have the sys permission. If the application has privileges to CREATE USER, it can then issue GRANT
Change the privileges.
But they want this being resolved from DBA.DBA did NOT make this problem.
The flawed application created the problem.
Alternatively CREATE PROCEDURE that can issue GRANT & have application call this new procedure.

How To Modify Privileges For APEX Objects Granted To PUBLIC?

I have searched this forum but couldn't any threads relating to this...
We have APEX 3.0.1 installed in some 10g (10.2.0.2) databases that host GIS data. I was informed by a GIS administrator that when using ESRI tool to search for data, the objects that belongs to FLOWS_030000 schema and ones that were granted to PUBLIC are shown. He would like to know if there is a way to hide these objects so they don't show up on the list? There are about 176 objects granted to public from the flows_030000 schema.
Could we establish a different security scheme that could accomplish the same thing? Maybe we need to create a new account and a role. Grant all of the privileges for flows_030000 to public to the new role. Then grant the role to the new account and the flow_files schema?
Our goal here is to make the flows_030000 objects hidden from the ESRI tools and still have APEX working properly.

If you look at the grants, you'll see that there are over 170 objects from the FLOWS_030000 granted to PUBLIC:
SQL> select count(*) from dba_tab_privs where owner= 'FLOWS_030000' and grantee = 'PUBLIC';
173
If we were go grant these privileges to a role, called APEX_APP_RU, and grant this role to APEX_PUBLIC_USER and any schemas an application is linked to (Workspace to Schema), would that be a workable solution?
The only problem I see right off hand that this might not work is that PUBLIC has synonyms created for the FLOWS_030000 objects. If we revoke the underlying privileges, because of the synonyms, this might not work.
SQL> select COUNT(*) from dba_synonyms where table_owner = 'FLOWS_030000' and owner = 'PUBLIC';
176
Does anyone else have any ideas?

How to grant create table privilege for a user on a specific table

Hi:
I created a user, for a test scenario. I granted this user create any table, and I made the default tablespace as example.
When I connect as the user and try to create a table, I get this:
SQL> create table T1 (NAME varchar2 (500), AGE number(2));
create table T1 (NAME varchar2 (500), AGE number(2))
ERROR at line 1:
ORA-01950: no privileges on tablespace 'EXAMPLE'
How can I grant the necessary privilege to have user create/delete tables on tablespace example?
Thanks.
DA

create user ADAM identified by radge default tablespace EXAMPLE
quota 10M on EXAMPLE;
for example 10Mbytes given to Example tablespace.... or you can write:
.....quota unlimited on EXAMPLE
and
grant connect to ADAM
grant create table to ADAM .....
or
grant connect , resource to ADAM .... although grant resource is not recommended...
....and something else....
you should define temporary tablespace in create user command... otherwise the system would be used...
Greetings...
Sim
Message was edited by:
sgalaxy

How to grant corporate accounts access to the Office store to install the Dictionary in Word 2013 (365)

We are currently migrating from Office 2010 MSI to Office 365 (2013) click to run installation deployed with Configuration Manager. I was curious if there was a way to grant our corporate accounts access to the Office store to pull in the Dictionary
and other tools not baked into Office 2013 (365).
The only way I have been able to do this is to have a separate Microsoft account to install the Dictionary.
Thanks,
Brita

Hi Brita:
With which accounts you set up your Office client, Office 365 subscribe account or your corporation account? Have you set up
directory synchronization for Office 365? Per my experience, if the directory synchronization has been set up, your corporation accounts will be associated with Office, therefore no need extra effort to install apps from Office store,
you can simply insert apps available in Office store to word in your case. If I misunderstood the situation, please let me know, thank you.
For Plan for directory synchronization for Office 365 please refer to
this article

How do I set-up a Shared Folder to automatically grant read

In OS 10.6.8, how do I set-up a Shared folder to automatically grant read & write access to all new MS Office files? Older files are fine. But, when new files are created and saved by one registered user, those files are "read-only" when opened by a different registered user, even though the permissions that are on the "Shared Folder" are read and write for each of the registered user groups. Can't this be changed somehow? The computer is used by two different work groups and some of the WORD or PPTX files are shared by both both work groups and are in the /users/shared folder when one of the user groups creates a new file and saves it to the Shared folder, it can't be edited unless saved with a different name. I need to be able to fix this. I assume it's an Office problem. If I can fix using terminal commands, please be detailed.
Thank you.
dhg

For iPhoto 09 (version 8.0.2) and later:
What you mean by 'share'.
If you want the other user to be able to see the pics, but not add to, change or alter your library, then enable Sharing in your iPhoto (Preferences -> Sharing), leave iPhoto running and use Fast User Switching to open the other account. In that account, enable 'Look For Shared Libraries'. Your Library will appear in the other source pane.
Any user can drag a pic from the Shared Library to their own in the iPhoto Window.
Remember iPhoto must be running in both accounts for this to work.
If you want the other user to have the same access to the library as you: to be able to add, edit, organise, keyword etc.
Quit iPhoto in both accounts. Move the Library to the Users / Shared Folder
(You can also use an external HD set to ignore permissions, a Disk Image or even partition your Hard Disk.)
In each account in turn: Double click on the Library to open it. (You may be asked to repair the Library Permissions.) From that point on, this will be the default library location. Both accounts will have full access to the library, in fact, both accounts will 'own' it.
However, there is a catch with this system and it is a significant one. iPhoto is not a multi-user app., it does not have the code to negotiate two users simultaneously writing to the database, and trying will cause db corruption. So only one user at a time, and back up, back up back up.

Grant-VMConnectAccess

Similar Messages

Maybe you are looking for