Granting/Revoking Access Rights

I have a desktop application which is more of a DB management thing. I have different user roles accessing it. The two roles that I am using are as follows:
NOVICE
ADMIN
Till now, I've implemented:
adding new users,
logging in for existing users.
I've done this by storing data about users in a table as follows:
NAME
PASSWORD
TYPE, i.e. ADMIN / NOVICE
Now I want to add another functionality: granting/revoking access rights and privileges to users. I think a new person who wants to add himself as ADMIN or NOVICE would be allowed to do so only if he requests such a role and is accepted by a SUPER user. This was a thought that came to my mind. Pls guide me in the right direction.
Thanks
Dexter

It's hard to interpret what you're trying to do. However, I set up such an access control system recently which might point you in the right direction.
Basically there are three tables. One is a table of users (for efficiency most of these tables have "synthetic keys", unique numeric identifiers for references). In this would probably be the user's name and, perhaps, e-mail address etc., and a digest of the username and password combined. You don't store the actual password text for security reasons (see the MessageDigest class).
The second principal table is a list of roles or actions that are protected, each with a name and description.
Permissions are granted in a third table which is an intersection table between users and roles, each row granting one role to one user (it can contain further constraints).
One of these roles is, of course, the ability to grant roles. A user with that permission can grant or revoke a role for another user (or some subset of other users) providing they have the permission itself.
In the Java program you can create a class which extends java.security.Permission; when the user logs in, store them in a PermissionCollection. Then you use the "implies" method when you want to test if the current user has a given permission.
Hope this is something to do with what you're trying to do.
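The three-table model and the Permission/implies check described in the answer above, written out as an added example (this is not the poster's code). The three tables are kept in memory here in place of the SQL tables; the class names, the role name `grant_roles` for the "ability to grant roles" and the sample users and roles are assumptions made for the example. Granting or revoking goes through one check: the actor must hold `grant_roles` and must hold the role being handed out, which is the rule the answer states.

```java
import java.security.Permission;
import java.security.PermissionCollection;
import java.security.Permissions;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

public class AccessControlDemo {

    /** One protected role or action; the name comes from the roles table. */
    static final class RolePermission extends Permission {
        RolePermission(String roleName) { super(roleName); }
        /** A held role implies a requested one only when the names match. */
        @Override public boolean implies(Permission p) {
            return p instanceof RolePermission && getName().equals(p.getName());
        }
        @Override public boolean equals(Object o) {
            return o instanceof RolePermission && ((Permission) o).getName().equals(getName());
        }
        @Override public int hashCode() { return getName().hashCode(); }
        @Override public String getActions() { return ""; }
    }

    /** Assumed name of the meta-role that allows granting/revoking other roles. */
    static final String GRANT_ROLES = "grant_roles";

    // In-memory stand-ins for the three tables, all with synthetic integer keys.
    private final Map<Integer, String> users = new HashMap<>();           // user_id -> name
    private final Map<Integer, String> roles = new HashMap<>();           // role_id -> role name
    private final Map<Integer, Set<Integer>> userRoles = new HashMap<>(); // user_id -> {role_id}

    int addUser(int id, String name) { users.put(id, name); return id; }
    int addRole(int id, String name) { roles.put(id, name); return id; }

    /** Insert a row into the user/role intersection table with no check (bootstrap only). */
    void bootstrapGrant(int userId, int roleId) {
        userRoles.computeIfAbsent(userId, k -> new HashSet<>()).add(roleId);
    }

    /** Built at login: the user's PermissionCollection, one RolePermission per granted row. */
    PermissionCollection permissionsFor(int userId) {
        Permissions pc = new Permissions();
        for (int roleId : userRoles.getOrDefault(userId, Set.of())) {
            pc.add(new RolePermission(roles.get(roleId)));
        }
        return pc;
    }

    /** The check the application runs before a protected action. */
    boolean has(int userId, String roleName) {
        return permissionsFor(userId).implies(new RolePermission(roleName));
    }

    /** actor grants roleId to target, allowed only if actor may grant roles and holds that role. */
    void grant(int actorId, int targetId, int roleId) {
        requireGranter(actorId, roleId);
        if (!users.containsKey(targetId)) throw new IllegalArgumentException("unknown user " + targetId);
        bootstrapGrant(targetId, roleId);
    }

    void revoke(int actorId, int targetId, int roleId) {
        requireGranter(actorId, roleId);
        Set<Integer> held = userRoles.get(targetId);
        if (held != null) held.remove(roleId);
    }

    private void requireGranter(int actorId, int roleId) {
        String roleName = roles.get(roleId);
        if (roleName == null) throw new IllegalArgumentException("unknown role " + roleId);
        PermissionCollection actor = permissionsFor(actorId);
        if (!actor.implies(new RolePermission(GRANT_ROLES))
                || !actor.implies(new RolePermission(roleName))) {
            throw new SecurityException("user " + actorId + " may not grant/revoke " + roleName);
        }
    }

    public static void main(String[] args) {
        AccessControlDemo db = new AccessControlDemo();
        int superUser  = db.addUser(1, "super");
        int dexter     = db.addUser(2, "dexter");
        int newcomer   = db.addUser(3, "newcomer");
        int admin      = db.addRole(10, "ADMIN");
        int noviceRole = db.addRole(11, "NOVICE");
        int granter    = db.addRole(12, GRANT_ROLES);

        // Seed the super user directly: nobody exists yet who could approve the first grant.
        db.bootstrapGrant(superUser, granter);
        db.bootstrapGrant(superUser, admin);
        db.bootstrapGrant(superUser, noviceRole);

        db.grant(superUser, dexter, admin);           // an approved role request
        System.out.println("dexter is ADMIN: " + db.has(dexter, "ADMIN"));
        try {
            db.grant(dexter, newcomer, noviceRole);   // dexter holds ADMIN but not grant_roles
        } catch (SecurityException e) {
            System.out.println("refused: " + e.getMessage());
        }
        db.revoke(superUser, dexter, admin);
        System.out.println("dexter is ADMIN: " + db.has(dexter, "ADMIN"));
    }
}
```

`java.security.Permissions` groups entries by class and falls back to calling each entry's `implies` for classes without their own collection, which is why a plain name comparison in `RolePermission.implies` is enough; a wildcard or hierarchy would go into that method without touching the rest. The credential digest the answer mentions is left out of the example; if you implement it, note that a single MessageDigest over username+password is fast to brute-force offline, and a salted, iterated construction such as PBKDF2 (`SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")`) is the usual choice for stored passwords today.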

Similar Messages

  • Grant the access rights to manager run the work flow history report without edit /delete rights

    I found that only Team Member / Workspace creator / Administrator can run
    the work flow history report. However, we have a Purchase Order request
    which needs to ask the supervisor for 1st approval and the manager for 2nd approval.
    But those managers want to see who prepared the P.O. and that the supervisor did the
    first approval before their 2nd approval. How can I grant the access
    right to the manager to run the work flow history report for this purpose? I
    tried granting the role "team member" to those managers; however, it will also
    allow them to modify or delete the entry as they are then team members, but we
    only want to allow those managers to approve the entry and view the work flow
    history without other access such as add/delete/edit, to prevent human
    mistakes.
    Pls advise how I can do this. Thanks!
    Regards

    Creating a new role in Teaming can fulfill this requirement. Thanks!

  • Granting full access rights to archiving reports

    Hi,
    During Monitoring Reports deployment, I've unintentionally granted ReadOnly permission to the administrator user. Now when I access https://servername/reports I can only view directories. I don't have any buttons, such as "new folder" or "new data source". I tried to rerun Monitoring Reports deployment - no result. In the SQL management console I unchecked ReportsReadOnlyRole for the administrator user on the databases where this role exists, and also granted the administrator user dbowner for all databases - no result.

    Hi,
    Is there any update on the issue?
    If the issue persists, you can also post the issue on SQL Reporting Services forum as the issue is also related to SQL Report Server permission issue. Thank you for your understanding.
    http://social.technet.microsoft.com/Forums/sqlserver/en-US/home?category=sqlserver
    Kent Huang
    TechNet Community Support

  • Access rights in case of a tree-like structure, with inheritance

    Hello,
    the project I've just started to work on should include an easy way (from the user's point of view) to grant/revoke access rights on a tree-like structure with inheritance.
    Basically we are working for several international companies who want to use our application to watch/manage some of their web projects - each project belongs to one company and consists of several 'campaigns' in several countries (there can be several campaigns per country, but each campaign belongs to exactly one country).
    From our point of view this is a tree-like structure, with a 'root' node at the top level, 'companies' at the first level, 'countries' at the second level, 'campaigns' at the third level, and modules of our application (for example a module to display overall stats of the campaign, and so on) at the fourth level. There could be (and probably will be) some more levels, but that's not important at this point - it will always be a tree-like structure.
    The customer's requirements are natural - the administrators should be able to grant/revoke access to 'subtrees' of this structure. For example the top managers should be able to see all the data related to their company, the local managers should be able to see all the data related to their company in the country they work in, etc. On the other hand the regular employees should not see some of the modules (with details about clients of the company).
    I wonder whether this can be solved using JAAS in an elegant and flexible manner - from the documents / whitepapers / tutorials I've seen till now it seems to me not too suitable.
    All the data will be stored in a relational database (Oracle, and in some cases PostgreSQL), and it would be nice to have the access rights stored in the same way (but it's not required). We have some ideas how to solve that using a single table containing paths in the tree, but at this point it's only an idea (not a single line of code written).
    We are sure somebody has already had to solve such a problem - maybe using JAAS, maybe some other technology - and we don't want to reinvent the wheel. Do you have an idea how to solve this (using JAAS or something else)?

    Well, I forgot to explain what the 'inheritance' means ...
    We do not want to set the access right on each node of the tree - we prefer (as do the users) to set/store only as much information as needed. We'd like the nodes to inherit the access rights from their parent nodes. For example we'd like granting access to a particular project to mean granting access to all campaigns in all countries (related to the project), without the need to set and store these rights for each of the campaigns/countries.
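One way to realise the "single table containing paths in the tree" idea with the inheritance the post describes, as an added example that is not the poster's code or their project's: every row is (node path, principal, right, allow/deny), a grant on a node covers its whole subtree, and a check walks from the requested node up to the root, where the nearest row for that principal and right wins and no row at all means deny. Node paths of the form /company/country/campaign/module, the principal names and the right names are constructed sample data.

```java
import java.util.HashMap;
import java.util.Map;

/** Inherited access rights on a tree, stored as one table of (path, principal, right) -> allow. */
public class TreeAcl {

    /** The ACL table: node path -> ("principal|right" -> allow). Paths are "/" separated. */
    private final Map<String, Map<String, Boolean>> rows = new HashMap<>();

    /** Store one row: allow (true) or deny (false) `right` for `principal` on the subtree at `path`. */
    public void set(String path, String principal, String right, boolean allow) {
        rows.computeIfAbsent(normalize(path), k -> new HashMap<>()).put(key(principal, right), allow);
    }

    /** Delete one row; the node then inherits from its ancestors again. */
    public void clear(String path, String principal, String right) {
        Map<String, Boolean> m = rows.get(normalize(path));
        if (m != null) m.remove(key(principal, right));
    }

    /** Walk from the node to the root; the nearest matching row decides, and no row means deny. */
    public boolean check(String principal, String right, String path) {
        String k = key(principal, right);
        String p = normalize(path);
        while (true) {
            Map<String, Boolean> m = rows.get(p);
            if (m != null && m.containsKey(k)) return m.get(k);
            if (p.equals("/")) return false;          // reached the root without a decision
            int slash = p.lastIndexOf('/');
            p = slash == 0 ? "/" : p.substring(0, slash);  // move to the parent node
        }
    }

    private static String key(String principal, String right) { return principal + "|" + right; }

    private static String normalize(String path) {
        if (!path.startsWith("/")) throw new IllegalArgumentException("absolute node path expected: " + path);
        return path.length() > 1 && path.endsWith("/") ? path.substring(0, path.length() - 1) : path;
    }

    public static void main(String[] args) {
        TreeAcl acl = new TreeAcl();
        // Constructed sample rows; five rows cover every campaign and module under /acme.
        acl.set("/acme", "top-manager", "view", true);            // everything of the company
        acl.set("/acme/de", "local-manager-de", "view", true);    // only the German campaigns
        acl.set("/acme", "employee", "view", true);               // employees see the campaigns...
        acl.set("/acme", "employee", "clients", false);           // ...but not the client-details module
        acl.set("/acme/de/spring", "employee", "clients", true);  // one campaign re-allows it lower down

        System.out.println(acl.check("top-manager", "view", "/acme/fr/summer/stats"));
        System.out.println(acl.check("local-manager-de", "view", "/acme/fr/summer/stats"));
        System.out.println(acl.check("employee", "clients", "/acme/de/winter/clients"));
        System.out.println(acl.check("employee", "clients", "/acme/de/spring/clients"));
        System.out.println(acl.check("nobody", "view", "/acme"));
    }
}
```

In the relational version the same walk is one query: select the rows for the principal and right whose path is a prefix of the requested node path (or equal to it), order by path length descending, and take the first; an index on (principal, right, path) keeps that cheap. Keeping "no row means deny" as the default is what makes the per-node data small without leaving unlisted nodes open.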

  • OIM Organization Access Rights Inheritance

    I'm using OIM 9.1.0. I have two Organizations defined in OIM; they are defined as parent and child org. If I assign the access right for the parent org to an OIM group, it seems this group will not automatically be granted the access right for the child org.
    Is it possible to make the group also have the access right to the child org without specifically assigning it?

    My suggestion would be request-based Enable/Disable/Revoke. You can code an approval task to validate submission of the request based on a group membership and either allow the process to continue or reject the request. Once you give someone access to manage users and access to the menu item, they will have access to all the drop-downs for that user. You will need to test the permissions. You can give the group update rights to specific objects, and only read-only to others, and see if this meets your requirements.
    -Kevin

  • How to define a new user in Enterprise manager with Specific access rights?

    Hi,
    I want to create a new user in OEMS 11g who should be able to access only the scheduler jobs section.
    How can this be achieved?

    You can create new administrators via the Setup --> Administrators page.
    You can grant certain access rights to targets; you cannot, however, grant a privilege to access only the job system.
    Take a look at http://download.oracle.com/docs/cd/E11857_01/em.111/e14586/security3.htm#sthref235
    Regards
    Rob
    http://oemgc.wordpress.com

  • Previous Exchange Admin has somehow granted himself inherited Full access rights to All Exchange Mailboxes -AccessRights -InheritanceType

    Good Day,
    There is a previous employee that was a Systems Admin, and somehow he granted himself access to every mailbox item at one point in time, and the cleanup has been a bit messy.
    When this user is listed as "Full Access Granted" in the Manage Full Access Permissions function and I delete him, I get a confirmation that he was removed, but then an additional item below it. (This is depicted in the attached photo.)
    How do I remove the hierarchical inheritance of this user?
    The commands in the photo show:
    Remove-Mailboxpermission -identity %OU String% -user %user% -inheritancetype 'All' -Accessrights 'FullAccess'
    Add-Mailboxpermission -identity %OU String% -user %user% -Deny -Accessrights 'FullAccess'

    Hello,
    I have removed permission to this user in ADSI Edit Microsoft Exchange Configuration CN and ensured that his name was nowhere to be found in the ADSI permissions for Exchange. I was running the following command:
    Get-Mailbox | Remove-MailboxPermission -User %USER% -AccessRights FullAccess,SendAs,ExternalAccount,DeleteItem,ReadPermission,ChangePermission,ChangeOwner -InheritanceType All
    and I get a return warning:
    WARNING: An inherited access control entry has been specified: [Rights: CreateChild, Delete, ReadControl, WriteDacl,
    WriteOwner, ControlType: Allow] 
    and was ignored on object "CN=%FullAccessUser%"
    How can I ensure that this user has NO permissions at all to the Exchange mailboxes?

  • Beginner question about granting access rights

    Hi, I am a total beginner, just a very simple question. I have created a number of tables with my admin account that I would like user accounts to be able to see (they should only be allowed to see these few tables).
    I then created a user account called EDWARD with just the basic connect access right (I don't want them to be able to create/delete tables etc., just to be able to query the tables I have created above and to add rows to these tables).
    Google searching has led me to the grant statement, so I tried this from the admin account:
    grant select, update, insert on CUSTOMERS to EDWARD;
    This statement executes correctly, but when I log in to the EDWARD account I cannot do any of these things; instead I get the error: ORA-00942: table or view does not exist
    Any ideas?
    Thanks

    >>Would it be better to create a separate account called 'ADMIN' perhaps that I use for
    my application admin and then grant them appropriate access to confidential tables
    rather than logging them in as the SYSTEM?
    Yes, this is what I would advise, since SYSTEM (like SYS and several others...) is not a user like the others; it's better not to work and create objects under this one. Keep it for Oracle administration usage only, not for application administration; create your own schema for this.
    Nicolas.

  • Repository Access Rights

    There are several rights you can grant on a workarea:
    - Administrate: Grant, revoke or delete access rights on a repository object
    - Compile: Refresh a workarea
    - Delete: Delete an object (or perform force delete or purge if they have the necessary repository privileges)
    - Insert: Create an object
    - Select: Query an object
    - Update: Modify an object
    - Update Spec: Redefine a workarea
    - Version: Check out/check in an object
    What Access Rights are usually applied to a developer in a shared workarea?

    Hi,
    Typically, you would want to grant all of those except administrate and delete/purge. But it depends on your own team's security policies (for example, you might decide that developers are not allowed to alter the spec of a shared workarea so that other team members are not affected by changes).
    Brian

  • URL access rights of a partner application for different user groups

    I have deployed an application in OC4J_Portal and enabled the SSO feature by making the required entry in the mod_osso file.
    Now I want a certain group of users to be able to access the URL of my application and not the others.
    Right now every valid user of the OID can access it.
    How should I restrict the access?

    If this is a Portal application you could define the access in Portal. Otherwise you might need to change your code and check if the logged-in user is a member of the group you want to grant the access to.
    Otherwise a custom LoginManager might solve your problem (JAAS). Check out http://www.oracle.com/technology/products/jdev/howtos/10g/jaassec/index.htm
    cu
    Andreas

  • OAM- "You do not have sufficient access rights" message with Master Admin

    Customer has configured the OAM system to have both the primary and the secondary side for failover purposes. The back end directory server on both systems are in sync. The primary side of the systems works well as far as this issue is concerned.
    On the secondary side, if you log in with the MASTER administrator of the system and click 'Identity System Console' or click any of the configurations under the Configurations in the User Manager, you get the error message saying "You do not have sufficient access rights". However, if they navigate to the Access system in the same browser and access the "Access System Console", and then navigate back to the Identity system, the Master Administrative rights are granted and they now have full access to the system.
    We tried following things to resolve the issue, but could not resolve it:
    1) Tried deleting 'cookieencryptionkey' which is found under "obcontainerid=encryptionkey,o=oblix" and restarted both the Identity Servers.
    2) Confirmed that the OAM administrator is present in cn=Web Masters,o=Oblix,<> and cn=Directory Administrators,o=Oblix,<> from the LDAP.
    3) Under the apps=PSC node, checked the Advance Properties for the 'obuniquememberStr' attribute:
    - Master Web Resource Admins (cn=master web resource admins, obapp=PSC, o=oblix, ...)
    Made sure that the values for the 'obuniquememberStr' attribute has the correct value there.
    4) Reconfigured the Secondary Identity Server.
    None of the above really helped to resolve the issue.
    Could anybody please help here to get rid of this issue?
    -Amol

    Hi Vinod,
    Here is the customer's response to your above 2 questions:
    1. We have 4 Directory server profiles for Identity servers; one for user data and one for configuration data for each server.
    I have at least reduced them to two and used only the ones initially used by the primary identity server as our user and configuration data do not reside together. User data is consumed via OVD.
    However, this does not seem to have any effect on the current behavior.
    2. All components except for the access server are on 10.1.4.2 and the access server is on 10.1.4.1
    Also below are the errors from the oblogs:
    Identity Server log
    =============
    2008/03/19@10:04:16.508530 4332 262160 PPP INFO 0x000008C7 obeventcatalog.cpp:183 "Cannot find the action" function^ObEventCatalog::GetActionEntry2Modify() actionName^ENCRYPTION_cookieEncryptionKey
    Access Server Log
    =============
    2008/03/19@10:03:56.329959 13608 1687633 CONNECTIVITY DEBUG3 0x00000201 /usr/abuild/Oblix/1014lwhf/palantir/netlib/src/obmessagechannel.cpp:601 "Received " ipaddr^10.217.209.81 ipport^1853 seqno^12 opcode^1 opcodeStr^IsResrcOpProtected Message^ro=t%253d0%2520o%253d%2520no%253d%2520r%253d%2520nr%253d%2520wu%253d/identity/oblix/apps/admin/bin/frontpage_admin.cgi%2520wh%253d10.217.209.81%2520wo%253d1%2520wa%253d0%2520ws%253d st=ma%253d2%2520mi%253d2%2520sg%253d0%2520sm%253d version=3 pd=
    2008/03/19@10:03:56.340433 3099 802864 AUTHENTICATION DEBUG2 0x00000201 /usr/abuild/Oblix/1014lwhf/palantir/aaa_server/src/aaa_service_server.cpp:2779 "Authorization successful"
    Webgate Log
    ==========
    2008/03/19@10:04:05.661000 5796 4516 HTTP_REQ DEBUG3 0x00000201 \Oblix\coreid1014\palantir\webgate2\src\isprotected.cpp:185 "Resource is protected" ResourceOperation^GET ResourceType^http Resource^//10.217.209.81/identity/oblix/apps/admin/bin/front_page_admin.cgi authnSchemeName^Oracle Access and Identity Basic Over LDAP
    2008/03/19@10:04:14.661000 5796 4516 LDAP DEBUG3 0x00000201 \Oblix\coreid1014\np_common\db\ldap\util\ldap_util2.cpp:537 "MLK-Memory leak for LDAP error information. This will show up as memory leak in LDAP SDK calls." key^25
    2008/03/19@10:04:14.661000 5796 4516 LDAP DEBUG3 0x00000201 \Oblix\coreid1014\np_common\db\ldap\util\ldap_util2.cpp:537 "MLK-Memory leak for LDAP error information. This will show up as memory leak in LDAP SDK calls." key^25
    2008/03/19@10:05:54.552000 5796 5256 CONFIG DEBUG2 0x00000201 \Oblix\coreid1014\palantir\access_api\src\obconfig.cpp:865 "Client configuration not updated"
    2008/03/19@10:05:54.552000 5796 5256 CONFIG INFO 0x0000182D \Oblix\coreid1014\palantir\access_api\src\obconfig.cpp:866 "The Access Server has returned a fatal error with no detailed information." raw_code^302
    I checked the OVD logs but did not find any error in them. The customer also tried to unprotect the /identity and /access URLs, but the issue persists.
    Also I do not feel this is a bug, because this environment was working for quite a few months without any such issues, and there were no changes made to the OVD/AD configurations. However, the server that hosts the OVD/AD was shut down, and when it was restarted we started experiencing this issue.

  • Access Rights Portal

    Is there any way to get the access rights information of all pages in Portal, and also a way to modify (add or remove) access to all pages (and not go through each page)?
    Thanks in advance
    Remy

    For doing that programmatically, take a look at the following link: http://portalstudio.oracle.com/pls/ops/docs/FOLDER/COMMUNITY/PDK/PLSQL/DOC/PLDOC_9026/wwsec_api.html
    To list a few:
    - Function privilege_list returns an array containing all of the privileges currently granted on a specified object
    - Function grantee_list returns a list of users who have been granted privileges on a specific object, given an object type and an object name.
    Try modifying the access to all pages using global privileges. The example below shows how to programmatically grant the group MYGROUP the global privilege to create page groups.
    wwsec_api.set_group_acl(
        p_group_id         => wwsec_api.group_id('MYGROUP'),
        p_object_type_name => wwsec_api.ANYSITE_OBJ,
        p_name             => wwsec_api.ALL_OBJECTS,
        p_privilege        => wwsec_api.CREATE_PRIV
    );
    And similarly, 'remove_group_acl' for removing the privileges.
    Hope the above helps....

  • Custom object classes and access rights

    Hi,
    I have added a few object classes to the NDS schema; objects
    belonging to one of them should be able to authenticate against the
    directory and retrieve some attributes. I managed the login part having
    the class inherit from ndsLoginAttributes, but if I login as the object
    itself, I can't retrieve any attributes. I can browse the entry (it's a
    container), but all I get are DNs and objectclass attributes. Is there a
    way to grant the object the right to retrieve its own attributes, or
    some of them, through the Java LDAP interface?
    Thanks,
    Juan
    jheguia
    jheguia's Profile: http://forums.novell.com/member.php?userid=84575
    View this thread: http://forums.novell.com/showthread.php?t=415769

    Hello,
    I found a solution which is *almost* the right one. Basically I
    deleted the class and created it again with a default ACL:
    X-NDS_ACL_TEMPLATES ( '2# subtree#[Self]#[All Attributes Rights]' )
    This allows the object to do as it pleases with its own attributes. I'd
    prefer it to be only able to read them, but I haven't found a syntax for
    ACLs. Is there anything I can read to see how to fine tune the access
    rights templates?
    Thanks,
    Juan

  • Overruling inherited access rights does not work properly

    Hello everybody,
    I have encountered an issue when I tried to overrule "Home" level access rights on SSRS (Version 2009.0100.1600.01).
    The situation is that there is a third-party company which has to set up and edit reports. I created a folder for them and edited the security settings there. I confirmed that it has different security settings than the parent "Home" level, as the third party should not have access to the other reports.
    I added the user and assigned the "Content Manager" role.
    After that he was able to access the folder and upload reports and data sources.
    BUT: He is not able to edit reports or sources. He always gets the message:
    The permissions granted to user 'XY' are insufficient for performing this operation. (rsAccessDenied) Get Online Help
    I assigned all roles, but this did not help.
    A test showed that if the user has the rights inherited from "Home" (added there with the Content Manager role) he can edit the reports he uploaded. But in this case he also has access to all other folders (as they inherit the security settings from "Home").
    Is it not possible with SSRS to set it up the way I planned? Thanks in advance for any help!
    Br,
    Karsten

    Hi Karsten,
    In Reporting Services, the Content Manager role is a predefined role which has full permission to manage report server content, including the ability to grant permissions to other users and to define the folder structure for storing reports and other items.
    It contains the Manage data sources and Manage reports tasks.
    Besides, if the user has the rights inherited from "Home", he will have all permissions inherited from the "Home" permissions. If we click the "Edit Item Security" button, then we can assign some particular permissions for the user.
    In your scenario, it seems that someone had modified the tasks for this predefined role in SQL Server Management Studio. Please change it back. In order to allow the user to access only the folder, we should create a role with the Manage reports task in SSMS, then assign the user the role in the parent folders. For more details about how to Create, Delete, or Modify a Role in SQL Server Management Studio, please see:
    http://msdn.microsoft.com/en-IN/library/ms156293.aspx
    If there are any other questions, please feel free to ask.
    Thanks,
    Katherine Xiong
    TechNet Community Support

  • Unable to grant full access permission

    I am trying to grant full access permissions for one user to another user's mailbox. When I right-click on the user, the command does not appear to allow this. I have tried using the Add-MailboxPermission cmdlet, but this is not recognised either.
    My exchange knowledge is relatively limited so it may be something simple, but I would appreciate any assistance.
    best regards
    James

    Turns out someone had saved the wrong credentials in the RDP  connection and I was logging in as the wrong user.
