Granting/Revoke Access Rights

Similar Messages

• Grant the access rights to manager run the work flow history report without edit /delete rights

  I found that only Team Member / Workspace creator / Administrator can run
  the work flow history report. However, we have a Purchase Order request
  which need ask the supervisor for 1st approval and manager for 2nd approval.
  But those managers want to see who prepare the P.O. and supervisor done the
  first approval before their 2nd approval. How can I can grant the access
  right to the manager to run the work flow history report for this purpose? I
  tried grant the role "team member" to those manager, however, it will also
  allow them to modify or delete the entry as they are the team member, but we
  only want allow those managers can approve the entry and view the work flow
  history without other acces such as add/delete/edit to prevent the human
  mistake.
  Pls advise how can I do this? Thanks!
  Regards

  Create a new role in teaming can fulfill this requirement. Thanks!
  "Joey" wrote in message news:_Cvqo.66903$[email protected]. .
  I found that only Team Member / Workspace creator / Administrator can run
  the work flow history report. However, we have a Purchase Order request
  which need ask the supervisor for 1st approval and manager for 2nd approval.
  But those managers want to see who prepare the P.O. and supervisor done the
  first approval before their 2nd approval. How can I can grant the access
  right to the manager to run the work flow history report for this purpose? I
  tried grant the role "team member" to those manager, however, it will also
  allow them to modify or delete the entry as they are the team member, but we
  only want allow those managers can approve the entry and view the work flow
  history without other acces such as add/delete/edit to prevent the human
  mistake.
  Pls advise how can I do this? Thanks!
  Regards

• Granting full access rights to archiving reports

  Hi,
  During Monitoring Reports deployment, I've unintentionally granted ReadOnly permission to user administrator. Now I access to https://servername/reports and only view directories. I don't have any buttons, such as "new folder" or "new data
  source". I tried to rerun Monitoring Reports deployment - no result. In SQL management console for administrator user I unchecked ReportsReadOnlyRole for databases where this role exists. And also granted administrator user dbowner for all databases -
  no result.

  Hi,
  Is there any update on the issue?
  If the issue persists, you can also post the issue on SQL Reporting Services forum as the issue is also related to SQL Report Server permission issue. Thank you for your understanding.
  http://social.technet.microsoft.com/Forums/sqlserver/en-US/home?category=sqlserver
  Kent Huang
  TechNet Community Support

• Access rights in case of a tree-like structure, with inheritance

  Hello,
  the project I've just started to work on should include an easy way (from the user's point of view) to grant/revoke access rights on a tree-like structure with inheritance.
  Basically we are working for several international companies who want to use our application to watch/manage some of their web projects - each project belongs to one company and consisting of several 'campaigns' in several countries (there can be several campaigns per country, but each campaign belongs to exactly one country).
  From our point of view this is a tree-like structure, with a 'root' node at the top level, 'companies' at the first level, 'countries' at the second level, 'campaigns' at the third level, and modules of our application (for example a module to display overall stats of the campaing, and so on) at the fourth level. There could be (and probably will be) some more levels, but that's not important at this point - it will always be a tree-like structure.
  The customer's reqirements are natural - the administrators should be able to grant/revoke access to 'subtrees' of this structure. For example the top managers should be able to see all the data related to their company, the local managers should be able to see all the data related to their company in the country they work in, etc. On the other hand the relular employees should not see some of the modules (with details about clients of the company).
  I wonder whether this can be solved using JAAS in an elegant and flexible manner - from the documents / whitepapers / tutorials I've seen till now it seems to me it seems to me not too suitable.
  All the data will be stored in relational database (Oracle, and in some cases PostgreSQL), and it would be nice to have the access rights stored in the same way (but it's not required). We have some ideas how to solve that using a single table containing paths in the tree, but at this point it's only an idea (not a single line of code written).
  We are sure somebody has already to solve such a problem - maybe using JAAS, maybe some other technology - and we don't want to reinvent a wheel. Do you have an idea how to solve this (using JAAS or something else)?

  Well, I forgot to explain what the 'inheritance' means ...
  We do not want to set the access right on each node of the tree - we prefer (as well as the users) to set/store only as much information as needed. We'd like the nodes to inherit the access rights from their parent nodes. For example we'd like granting access to particular project to mean granting access to all campaigns in all countries (related to the project), without the need to set and store these rights for each of the campaigns/countries.

• OIM Organization Access Rights Inheritance

  I'm using OIM 9.1.0. I have two Organizations defined in OIM, they are defined as parent and child org. If I assign the access right for the parent org to an OIM group, it seems this group will not automatically be granted the access right for the child org.
  Is it possible to make the group also have the access right to the child org without specifically assign it?

  My suggestion would be request based Enable/Disable/Revoke. You can code an approval task to validate submission of the request based on a group membership and either allow the process to continue or reject the request. Once you give someone access to manage users and access to the menu item, they will have access to all the drop downs for that user. You will need to test the permissions. You can give the group update writes to specific objects, and only read only to others and see if this meets your requirements.
  -Kevin

• How to define a new user in Enterprise manager with Specific access rights?

  Hi,
  I want to create a new user in OEMS 11g who should be able to access only the scheduler jobs section.
  How can this be acheived?

  You can create new administrators via the Setup --> Administrators page
  You can grant certain access rights to targets, you can not however grant priv to only access the job system
  Take a look at http://download.oracle.com/docs/cd/E11857_01/em.111/e14586/security3.htm#sthref235
  Regards
  Rob
  http://oemgc.wordpress.com

• Previous Exchange Admin has somehow granted himself inherited Full access rights to All Exchange Mailboxes -AccessRights -InheritanceType

  Good Day,
  There is a previous employee that was a Systems Admin and somehow he granted himself access to Every Mailbox item at one point in time and the cleanup has been a bit messy.
  When this user is listed as "Full Access Granted" in the Manage Full Access Permissions function, and I delete him, I get a confirmation that he was removed, but then an additional item below it.  (This is depicted in the attached photo)
  How do I remove the hierarchical inheritance of this user?
  the commands in the photo show:
  Remove-Mailboxpermission -identity %OU String% -user %user% -inheritancetype 'All' -Accessrights 'FullAccess'
  Add-Mailboxpermission -identity %OU String% -user %user% -Deny -Accessrights 'FullAccess'

  Hello,
  I have removed permission to this user in ADSI Edit Microsoft Exchange Configuration CN and ensured that his name was no where to be found in the ADSI permissions for Exchange.  I was running the following command:
  Get-Mailbox | Remove-MailboxPermission -User %USER% -AccessRights FullAccess,SendAs,Exter
  nalAccount,DeleteItem,ReadPermission,ChangePermission,ChangeOwner -InheritanceType All
  and I get a return warning:
  WARNING: An inherited access control entry has been specified: [Rights: CreateChild, Delete, ReadControl, WriteDacl,
  WriteOwner, ControlType: Allow] 
  and was ignored on object "CN=%FullAccessUser%"
  How can I ensure that this user had NO permissions at all to the exchange mailboxes?

• Beginner question about granting access rights

  Hi, am a total beginner, just a very simple question. I have created a number of tables with my admin account that I would like user accounts to be able to see (they should only be allowed to see these few tables)
  I then created a user account called EDWARD with just the basic connect access right (I don't want them to be able to create/delete tables etc, just to be able to query the tables I have created above and to add rows to these tables)
  Google searching has lead me to the grant statement, so I tried this from the admin account:
  grant select, update, insert on CUSTOMERS to EDWARD;
  This statement executes correctly but when I log in the EDWARD account I cannot do any of these things, instead I get the error: ORA-00942: table or view does not exist
  Any ideas?
  Thanks

  >>Would it be better to create a separate account called 'ADMIN' perhaps that I use for
  my application admin and then grant them appropriate access to confidential tables
  rather than logging them in as the SYSTEM?
  Yes, this is what I would advise, since SYSTEM (like SYS and several others...) is not user like other, it's better do not work and create object under this one. Keep it for Oracle administration usage only, not for application administration, create your own schema for this.
  Nicolas.

• Repository Access Rights

  There are several right you can grant on a workarea
  -Administrate Grant, revoke or delete access rights on a repository
  object
  -Compile Refresh a workarea
  -Delete Delete an object (or perform force delete or purge if they have
  the necessary repository privileges)
  -Insert Create an object
  -Select Query an object
  -Update Modify an object
  -Update Spec Redefine a workarea
  -Version Check out/check in an object
  What Access Rights are usually applied to a developer in a shared
  workarea?
  null

  Hi,
  Typically, you would want to grant all of those except administrate and delete/purge. But it depends on your own team's security policies (for example, you might decide that developers are not allowed to alter the spec of a shared workarea so that other team members are not affected by changes).
  Brian

• URL access rights of a partner application for different user groups

  I have deployed an application in OC4j_Portal, enabled the SSO feature by doing the required entry in mod_osso file.
  Now I want a certain group of users to be able to access the URL of my application and not the others.
  Right now every valid user of the OID can access it.
  How should i restrict the access?

  If this is a Portal application you could define the access in Portal. Otherwise you might need to change your code and check if the logged in user is a member of the group you want to grant the access.
  Otherwise a custom LoginManager might solve your problem (JAAS). Check out http://www.oracle.com/technology/products/jdev/howtos/10g/jaassec/index.htm
  cu
  Andreas

• OAM- "You do not have sufficient access rights" message with Master Admin

  Customer has configured the OAM system to have both the primary and the secondary side for failover purposes. The back end directory server on both systems are in sync. The primary side of the systems works well as far as this issue is concerned.
  On the secondary side, if you login with the MASTER administrator of the system and click 'Identity System Console' or click any of the configurations under the Configurations in the User Manager, you get the error message saying "You do not have sufficient access rights". However, if they navigate to the Access system on the same browser and access the "Access System Console", and then navigate back to the Identity system, the Master Administrative rights are granted and now have a full access to the system.
  We tried following things to resolve the issue, but could not resolve it:
  1) Tried deleting 'cookieencryptionkey' which is found under "obcontainerid=encryptionkey,o=oblix" and restarted both the Identity Servers.
  2) Confirmed that the OAM administrator is present in cn=Web Masters,o=Oblix,<> and cn=Directory Administrators,o=Oblix,<> from the LDAP.
  3) Under the apps=PSC node, checked the Advance Properties for the 'obuniquememberStr' attribute:
  - Master Web Resource Admins (cn=master web resource admins, obapp=PSC, o=oblix, ...)
  Made sure that the values for the 'obuniquememberStr' attribute has the correct value there.
  4) Reconfigured the Secondary Identity Server.
  None of the above really helped to resolve the issue.
  Could anybody please help here to get rid of this issue.
  -Amol

  Hi Vinod,
  Here is the customer's response to your above 2 questions:
  1. We have 4 Directory server profiles for Identity servers; one for user data and one for configuration data for each server.
  I have at least reduced them to two and used only the ones initially used by the primary identity server as our user and configuration data do not reside together. User data is consumed via OVD.
  However, this does not seem to have any effect on the current behavior.
  2. All components except for the access server are on 10.1.4.2 and the access server is on 10.1.4.1
  Also below are the errors from the oblogs:
  dentity Server log
  =============
  2008/03/19@10:04:16.508530 4332 262160 PPP INFO 0x000008C7 obeventcatalog.cpp:183 "Cannot find the action" function^ObEventCatalog::GetActionEntry2Modify() actionName^ENCRYPTION_cookieEncryptionKey
  Access Server Log
  =============
  2008/03/19@10:03:56.329959 13608 1687633 CONNECTIVITY DEBUG3 0x00000201 /usr/abuild/Oblix/1014lwhf/palantir/netlib/src/obmessagechannel.cpp:601 "Received " ipaddr^10.217.209.81 ipport^1853 seqno^12 opcode^1 opcodeStr^IsResrcOpProtected Message^ro=t%253d0%2520o%253d%2520no%253d%2520r%253d%2520nr%253d%2520wu%253d/identity/oblix/apps/admin/bin/frontpage_admin.cgi%2520wh%253d10.217.209.81%2520wo%253d1%2520wa%253d0%2520ws%253d st=ma%253d2%2520mi%253d2%2520sg%253d0%2520sm%253d version=3 pd=
  2008/03/19@10:03:56.340433 3099 802864 AUTHENTICATION DEBUG2 0x00000201 /usr/abuild/Oblix/1014lwhf/palantir/aaa_server/src/aaa_service_server.cpp:2779 "Authorization successful"
  Webgate Log
  ==========
  2008/03/19@10:04:05.661000 5796 4516 HTTP_REQ DEBUG3 0x00000201 \Oblix\coreid1014\palantir\webgate2\src\isprotected.cpp:185 "Resource is protected" ResourceOperation^GET ResourceType^http Resource^//10.217.209.81/identity/oblix/apps/admin/bin/front_page_admin.cgi authnSchemeName^Oracle Access and Identity Basic Over LDAP
  2008/03/19@10:04:14.661000 5796 4516 LDAP DEBUG3 0x00000201 \Oblix\coreid1014\np_common\db\ldap\util\ldap_util2.cpp:537 "MLK-Memory leak for LDAP error information. This will show up as memory leak in LDAP SDK calls." key^25
  2008/03/19@10:04:14.661000 5796 4516 LDAP DEBUG3 0x00000201 \Oblix\coreid1014\np_common\db\ldap\util\ldap_util2.cpp:537 "MLK-Memory leak for LDAP error information. This will show up as memory leak in LDAP SDK calls." key^25
  2008/03/19@10:05:54.552000 5796 5256 CONFIG DEBUG2 0x00000201 \Oblix\coreid1014\palantir\access_api\src\obconfig.cpp:865 "Client configuration not updated"
  2008/03/19@10:05:54.552000 5796 5256 CONFIG INFO 0x0000182D \Oblix\coreid1014\palantir\access_api\src\obconfig.cpp:866 "The Access Server has returned a fatal error with no detailed information." raw_code^302
  I checked the OVD logs but did not find any error in it. Customer also tried to unprotect the /identity and /access URLs but the issue persist.
  Also I do not feel this as a bug, because this environment was working quite for few months without any such issues, also there were no changes made on the OVD/AD configurations. However, the server that hosts the OVD/AD was shut down and when it was restarted, we started experiencing this issue.

• Access Rights Portal

  Is there anyway to get the access rights information of all pages in Portal and also a way to modify (add or remove) access to all pages (and not to go through each page).
  Thanks in advance
  Remy

  For doing that programatically, take a look at following link: http://portalstudio.oracle.com/pls/ops/docs/FOLDER/COMMUNITY/PDK/PLSQL/DOC/PLDOC_9026/wwsec_api.html
  To list few as under:
  - Function privilege_list returns an array containing all of the privileges currently granted on a specified object
  - Function grantee_list return a list of users who have been granted privileges on a specific object, given an object type and an object name.
  Try modifying the access to all pages using Global privs. Example below shows how to programmatically grant group MYGROUP with the global privilege to create page groups.
  wwsec_api.set_group_acl(
  p_group_id => wwsec_api.group_id('MYGROUP'),
  p_object_type_name => wwsec_api.ANYSITE_OBJ,
  p_name => wwsec_api.ALL_OBJECTS,
  p_privilege => wwsec_api.CREATE_PRIV
  And similarily, 'remove_group_acl' for removing the privileges.
  Hope above helps....

• Custom object classes and access rights

  Hi,
  I have added a few object classes to the NDS schema; objects
  belonging to one of them should be able to authenticate against the
  directory and retrieve some attributes. I managed the login part having
  the class inherit from ndsLoginAttributes, but if I login as the object
  itself, I can't retrieve any attributes. I can browse the entry (it's a
  container), but all I get are DNs and objectclass attributes. Is there a
  way to grant the object the right to retrieve its own attributes, or
  some of them, through the Java LDAP interface?
  Thanks,
  Juan
  jheguia
  jheguia's Profile: http://forums.novell.com/member.php?userid=84575
  View this thread: http://forums.novell.com/showthread.php?t=415769

  Hello,
  I found a solution which is *almost* the right one. Basically I
  deleted the class and created it again with a default ACL:
  X-NDS_ACL_TEMPLATES ( '2# subtree#[Self]#[All Attributes Rights]' )
  This allows the object to do as it pleases with its own attributes. I'd
  prefer it to be only able to read them, but I haven't found a syntax for
  ACLs. Is there anything I can read to see how to fine tune the access
  rights templates?
  Thanks,
  Juan
  jheguia
  jheguia's Profile: http://forums.novell.com/member.php?userid=84575
  View this thread: http://forums.novell.com/showthread.php?t=415769

• Overruling inherited access rights does not work properly

  Hello everybody,
  I have encountered an issue when I tried to overrule "Home" level access rights on SSRS (Verion 2009.0100.1600.01).
  The situation is as that there is a third party company which has to setup and edit reports. I created a folder for them and edited security settings there. I confirmed to have different security settings than on parent "Home" level as the third
  party should not have access to the other reports.
  I added the user and assigned "Content Manager" role.
  After that he was able to access the folder, upload reports and data sources.
  BUT: He is not able to edit reports or sources. He always gets the message:
  The permissions granted to user 'XY' are insufficient for performing this operation. (rsAccessDenied) Get Online Help
  I assigned all roles but this did not help.
  Test showed that if the user has the rights inherited from "Home" (added there with Content Manager role) he can edit the reports he uploaded. But in this case he has also access to all other folders (as the inherit also security settings from
  "Home").
  Is it not possible with SSRS to set it up the way I planned? Thanks in advance for any help!
  Br,
  Karsten

  Hi Karsten,
  In Reporting Services, the Content Manager role is a predefined role who has full permission to manage report server content, including the ability to grant permissions to other users, and to define the folder structure for storing reports and other items.
  It contains Manage data sources and Manage reports tasks.
  Besides, if the user has the rights inherited from "Home”, he will have all permissions inherited from “Home” permissions. If we click the “Edit Item Security” button, then we can assign some particular permissions for the user.
  In your scenario, it seems that someone had modify tasks for this predefined role in SQL Server Management Studio. Please change it back. In order to allow the user can only access to the folder, we should create a role with Manage reports task
  in the SSMS, then assign the user with the role in the parent folders. For more details about how to Create, Delete, or Modify a Role in SQL Server Management Studio, please see:
  http://msdn.microsoft.com/en-IN/library/ms156293.aspx
  If there are any other questions, please feel free to ask.
  Thanks,
  Katherine Xiong
  Katherine Xiong
  TechNet Community Support

• Unable to grant full access permission

  I am trying to grant full access permissions for one user to another users mailbox  when I right click on the user the command does not appear to allow this.  I have tried using the Add-MailboxPermission CMdlet but this is not recognised either.
  My exchange knowledge is relatively limited so it may be something simple, but I would appreciate any assistance.
  best regards
  James

  Turns out someone had saved the wrong credentials in the RDP  connection and I was logging in as the wrong user.