Granting users

Similar Messages

• How can I grant users the ability to pause/resume printing without a "print operators group" password.

  Greetings,
  We are running 10.8.5 on 30 machines in an active directory environment (graphics lab). The clients are experiencing a persistant error when pausing or resuming print jobs. Each time something is paused, it requires an administrator password to resume the job. Administrators are not always present so designers are locked out of all of the printers until we come in (or remote in) to authenticate.
  I spoke with Apple today and they said they would not support active directory accounts and that the account must be edited by the department that created the account because the restrictions come from the Active Directory account preferences.
  On the other hand, I ALSO read that I can edit this in the CUPS interface or modify it with the terminal command below, locally.
  dseditgroup -o edit -u admin_name -p -a user_name -t user _lpadmin
  "dseditgroup" adds the user_name to a group (in this case, _lpadmin).
  And admin_name is the name of your administrator's account.
  a) Must this be modified on the Active directory account or CAN I modify this on the local machine via CUPS or terminal?
  b) If so, how would I grant users the ability to resume printing without an admin password?
  c) If not, exactly what must be modified in the active Directory account to allow pause/resume without an admin password.
  I have seen a terminal command that adds users to the print operatiors group (Ipadmin) and I have seen some info on editing the CUPS interface, If i must edit the CUPS interface to allow this, can anyone point to detailed instructions on how to make this change.
  I also saw info on editing the CUPS interface but the suggestion lacked details as to how and how to return to default if it does not work.
  I also saw a post with these suggestions below but without detail as to how one would carry this out.
  /etc/cups/cupsd.conf
  # All administration operations require an administrator to authenticate...
  <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default CUPS-Get-Devices>
  AuthType Default
  *#Require user @SYSTEM*
  *Require valid-user*
  Order deny,allow
  </Limit>
  # All printer operations require a printer operator to authenticate...
  <Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After CUPS-Accept-Jobs CUPS-Reject-Jobs>
  AuthType Default
  *#Require user @AUTHKEY(system.print.operator) @admin @lpadmin*
  *Require valid-user*
  Order deny,allow
  </Limit>
  /etc/authorization
  +The system.print.operator key is new to Snow Leopard and seems to control resuming and pausing a printer queue among other things.+
  <key>system.print.admin</key>
  <dict>
  <key>allow-root</key>
  <true/>
  <key>class</key>
  <string>user</string>
  <key>group</key>
  <string>staff</string>
  <key>shared</key>
  <true/>
  </dict>
  <key>system.print.operator</key>
  <dict>
  <key>allow-root</key>
  <true/>
  <key>class</key>
  <string>user</string>
  <key>group</key>
  <string>staff</string>
  <key>shared</key>
  <true/>
  </dict>
  I have read all posts on this subject and I still am not clear on how to proceed, please assist.
  Thanks in advance,
  V

  Hello again.  For AD environments you can run the following command on each workstation:
  sudo dseditgroup -o edit -n /Local/Default -u localadmin -p -a "Domain Users" -t group _lpadmin
  This command assumes you are typing this interactively on the machine.  Obviously change localadmin to the Mac's local admin's name.  When running you will be prompted for password twice.  Once to elevate permissions (sudo) and once to validate you are localadmin.
  If you are using Apple Remote Desktop (or JAMF or other management suite), you can push this command out while embedding the localadmin's password. 
  sudo dseditgroup -o edit -n /Local/Default -u localadmin -P yourpass -a "Domain Users" -t group _lpadmin
  Please note, if your password uses special characters (/-\) this may fail over ARD.
  In Mavericks, AD groups are cached once they are referenced.  If you are dealing with a lot mobile users (laptops) you might want to replace Domain Users with everyone
  R-
  Apple Consultants Network
  Apple Professional Services
  Author "Mavericks Server – Foundation Services" :: Exclusively available in Apple's iBooks Store

• Expert help needed-grant user permision in Applet

  Hi
  im writing an Applet that needs to read and write files on user's local machine.
  As far as i know i guess i need to grant users permissions. I would like to do it in the easiest way for him(so he wouldnt need to change his policy file manualy, but clic on 'ok')
  First of all, is it the only way to do that?
  And above all, how to do that?
  Could anybody tell me exactly how do i get my applet signed step by step?
  Please, a beginer needs help here, it would be great if anybody could tell me how to do that STEP BY STEP.
  I have read several post about it, but none was clear enought for me.
  If someone could give a hint or a sample code it would be very appreciated.
  thanx a lot :)

  see http://java.sun.com/docs/books/tutorial/jar/sign/signing.html
  To summarize:
  1) Use keytool to generate a key
  keytool -genkey -keystore mystore -alias myaliasFollow the instructions given, i.e, fill all the blanks.
  2) Use jarsigner to sign your jar
  jarsigner -keystore mystore my_jar_file.jar myaliasBut you are really skipping everything which you need to understand.

• Granting users Site admin to All site collections and/or Adding an o365 group by email to site admin group on all Site collections

  We will have 1000s of site collections.
  Why doesn't SharePoint Online 2013 offer a way to grant a user or a group Site admin rights to all site collections?
  And.. if we must add the user to every single site, can this be done by an o365 or ADFS group using it's email?
  We'd like to run this script to add a group to site collection admin on all sites, but Groups can't be referenced by an email?
  Get-SPOSite|foreach{Set-SPOUser -Site $_.Url -LoginName [email protected] -IsSiteCollectionAdmin $True}
  produces an error.  And if we try to add the group by email manually through the UI it can't find it either.   We've tried this with o365 groups and  ADFS groups.
  Any way to reference these groups from PowerShell?
  Is this limitation there for a reason? 

  bump.. anybody?

• Dynamic grant user role issue

  Hi friends,
  I created a role in oracle 10 and can be granted to user one by one. it works.
  But I try to grant the role to all users and get error.
  my code as (copy and modify from OTN)
  ====
  DECLARE
  l_schema VARCHAR2(30) := 'SCHEMA_OWNER';
  BEGIN
  FOR i IN (SELECT USERNAME
  FROM all_users
  WHERE username not in ('SYS','SYSTEM','OUTLN','DMSYS','TSMSYS','XDB','CTXSYS','WMSYS','DBSNMP','DIP','OLAP','OLAPSYS','MDSYS','EXFSYS','MDSYS'))
  LOOP
  BEGIN
  EXECUTE IMMEDIATE 'GRANT USERS_SELECT ||' TO i.USERNAME;
  EXCEPTION
  WHEN OTHERS THEN
  NULL;
  END;
  END LOOP;
  END;
  ORA-06550: line 10, column 41:
  PLS-00103: Encountered the symbol "TO" when expecting one of the following:
  * & = - + ; < / > at in is mod remainder not rem return
  returning <an exponent (**)> <> or != or ~= >= <= <> and or
  like LIKE2_ LIKE4_ LIKEC_ between into using || multiset bulk
  member SUBMULTISET_
  The symbol "* was inserted before "TO" to continue.
  SQL>
  I double check syntax is OK. what is wrong?
  Thanks for help!
  Jim

  Try:
  EXECUTE IMMEDIATE 'GRANT RAC_SELECT TO '|| i.USERNAME;And remove this part, which is for 99.99% a bug:
  EXCEPTION
  WHEN OTHERS THEN
  NULL;
  ENDOnly catch errors you expect...

• How to grant user permission to create "Credential" and "Proxies"

  Hi Team,
  Kindly let me know how to grant permission for user to create "Credential" and "Proxies" on server:
  Thanks in advance
  Santosh

  Can I revoke this permissions once I grant?
  You can use DROP and REVOKE commands to do the opposite.
  USE [msdb]
  GO
  ALTER ROLE [SQLAgentOperatorRole] DROP MEMBER [TestLogin1]
  GO
  USE [msdb]
  GO
  ALTER ROLE [SQLAgentReaderRole] DROP MEMBER [TestLogin1]
  GO
  USE [msdb]
  GO
  ALTER ROLE [SQLAgentUserRole] DROP MEMBER [TestLogin1]
  GO
  use [master]
  GO
  REVOKE ALTER ANY CREDENTIAL TO [TestLogin1] AS [sa]
  GO
  Cheers,
  Vaibhav Chaudhari
  [MCTS],
  [MCP]

• Is it possible to grant users to create views only?

  We are using SQL Server 2008 R2.
  Some advanced users have been working on the database to retrieve data from tables and alter existing views for years. Now we would like to give them permissions to create their own views.
  It is not supposed to give them too much rights such as creating tables. Is it possible to do that, such as creating new schema for that purpose. Thanks.

  You left out an important step that we failed to mention: you muist change the order of the schema. This is required, or else ownership chaining will void all security checks.
  In script below, you get a permission error trying to create the first view, but comment out the ALTER AUTHORIZATION statement and it will not.
  Using a loginless user and EXECUTE USER is an execellent way to test a permission setup on database level.
  CREATE DATABASE yngve
  go
  USE yngve
  go
  CREATE SCHEMA torsten
  go
  CREATE USER ulrik WITHOUT LOGIN WITH DEFAULT_SCHEMA = torsten
  GRANT SELECT ON SCHEMA::torsten TO ulrik
  GRANT ALTER ON SCHEMA::torsten TO ulrik
  GRANT CREATE VIEW TO ulrik
  ALTER AUTHORIZATION ON SCHEMA::torsten TO ulrik
  go
  CREATE TABLE dbo.alfa(a int NOT NULL)
  INSERT dbo.alfa(a) VALUES (88)
  go
  EXECUTE AS USER = 'ulrik'
  go
  CREATE VIEW torsten.albin AS SELECT a FROM dbo.alfa
  go
  SELECT * FROM torsten.albin
  go
  CREATE VIEW torsten.alfons AS SELECT getdate() AS today
  go
  SELECT * FROM torsten.alfons
  go
  REVERT
  go
  USE tempdb
  go
  DROP DATABASE yngve
  Erland Sommarskog, SQL Server MVP, [email protected]
  Thanks. I have tried to create a login less account.
  CREATE USER [testuser] without login WITH DEFAULT_SCHEMA=[SchemaTest]
  GOGRANT SELECT ON SCHEMA :: SchemaTest TO  [testuser]
  GO
  GRANT ALTER ON SCHEMA :: SchemaTest TO  [testuser]
  GOGRANT CREATE VIEW TO  [testuser]
  GO
  ALTER AUTHORIZATION ON SCHEMA :: SchemaTest TO [testuser]
  GO
  Without "ALTER AUTHORIZATION" statment, user can create SchemaTest.v_MyView and select all data.
  With "ALTER AUTHORIZATION" statment, user can still be able to create SchemaTest.v_MyView, but unable to select retrieve data from the view. The error is as below.
  The SELECT permission was denied on the object 'MyTable', database 'ViewTest', schema 'dbo'.
  Maybe I still miss something. But at least user cannot retrieve protected data.

• Grant user to user......

  I thought that at one point I had heard of the ability to grant all privileges that one user had to another user and I'm trying to figure out if that was a figment of my imagination or not. The scenario that I have is that I have two users that have certain privileges granted to them as well as privileges on their own objects that I would like to grant to a third user (e.g. something like granting two roles to a user). I can write a script to go and find all of their privileges and grant them to the third user but I was hoping there was a shortcut. Anybody got an idea?

  This might be a feature or capability of the 10g database console tool but it is not a native database command.
  It would not be that hard to write the queries necessary to generate a list of all object privileges and all system privileges granted to one user and grant the privileges to another user.
  HTH -- Mark D Powell --

• Grant user admin rights, install itune, ungrant rights?

  On Windows XP, installing iTunes requires admin rights. However, it is not good to use an admin account for regular work. For the Palm Desktop, the workaround was to grant admin rights to the user account, install the application using the user-turn-admin account, then ungrant admin rights. Will this last step cause problems for iTunes, or does iTunes require admin rights for its regular operation (outside of being installed)?

  Actually, I can't find the thread! But the solution is that installing it as Admin still lets it be used by other user accounts, and each user account.

• GRANT user privilages

  I have created a system admin in oracle xe 10g edition. I attempted to create a user defined type and got the insufficient priviliges error.
  I need help with GRANT sql statements that will aloow me to create these types.
  Any help much appreciated.

  From the following e-book:
  Oracle® Database SQL Reference
  10g Release 2 (10.2)
  Part Number B14200-02
  Prerequisites:
  To create a type in your own schema, you must have the CREATE TYPE system
  privilege. To create a type in another user's schema, you must have the CREATE
  ANY TYPE system privilege. You can acquire these privileges explicitly or be
  granted them through a role.
  To create a subtype, you must have the UNDER ANY TYPE system privilege or the UNDER object privilege on the supertype.
  The owner of the type must be explicitly granted the EXECUTE object privilege in
  order to access all other types referenced within the definition of the type, or the
  type owner must be granted the EXECUTE ANY TYPE system privilege. The
  owner cannot obtain these privileges through roles.
  If the type owner intends to grant other users access to the type, then the owner
  must be granted the EXECUTE object privilege on the referenced types with the
  GRANT OPTION or the EXECUTE ANY TYPE system privilege with the ADMIN OPTION. Otherwise, the type owner has insufficient privileges to grant access on
  the type to other users.
  Greetings....
  Sim

• Best Method of Granting User Dtrace Privs

  Our customer (oracle DBA's) are wanting to use dtrace as the Oracle user. We currently use sudo for other root access.
  Can dtrace be granted using sudo (ie: just a blanket granting of access to sudo w/o hard-coding every form of the command) or is there another mechanism for doing this with little maintenance overhead? (we really don't wanna go down the rbac/pprivs road if we can avoid it)
  Thx,CC

  The easiest method is to use Setup Assistant that automatically starts the first time you use a new Mac. It will offer you the opportunity to migrate all users or just those you select.
  Mike Osborn wrote:
  ... Are there any "gotchas" I should be aware of before moving everything over?
  If you do not use Setup Assistant, you can always use Migration Assistant later. However, this can easily become confusing if you already created a user account on the new Mac. Most people won't have the patience to use Setup Assistant and understandably want to use their new Mac right away. If you elect to do that, don't create an account with the same name as one you wish to migrate. Instead, create a user account that you plan to erase after you migrate your existing accounts. The reason is that if you create a brand new account named, for example, "Mike Osborn", you will be unable to migrate to another account with that name.
  Use a wired connection. Wireless can take an unacceptable amount of time (days).
  Don't create a brand new Apple ID either. Have your existing Apple ID and password ready and use it, so you don't make the mistake of creating an Apple ID with no pedigree.
  Register your new Mac (and all your other Apple equipment, if you have not yet done so) using this link:
    https://supportprofile.apple.com/
  This provides for a convenient database of all your Apple equipment's serial numbers, service history, and warranty eligibility.

• Hide tables to "SELECT ANY TABLE" granted users

  Hi everybody
  Where I work, I need to create a manteniance table with reserved data and we have several users granted with "SELECT ANY TABLE". I would like to hide that table to everyone else that the owner. Is it possible?
  Bye Alessandro

  Are you jokeing? Do it for yourself but don't give such suggestion please! Do you imagine what could happen if someone thinks it's right? Keep disastrous ideas for your own please.
  SQL> set hea ON feed ON ver ON
  SQL> ttitle ON
  SQL>
  SQL> drop user eavesdropper cascade;
  Utente eliminato.
  SQL> drop table reserved cascade constraints;
  Tabella eliminata.
  SQL>
  SQL> create table reserved (
    2          username varchar2(30) not null,
    3          password varchar2(30) not null,
    4          constraint reserved_PK primary key (username)
    5  );
  Tabella creata.
  SQL>
  SQL> insert into reserved values ('administrator of the bank','password of the administrator');
  Creata 1 riga.
  SQL> commit;
  Commit completato.
  SQL> select * from reserved;
  Mar Nov 14                                                           pagina    1
                               select * from reserved
  USERNAME                       PASSWORD
  administrator of the bank      password of the administrator
  Selezionata 1 riga.
  SQL>
  SQL>
  SQL> create user eavesdropper identified by eavesdropper;
  Utente creato.
  SQL> create synonym eavesdropper.reserved for reserved;
  Sinonimo creato.
  SQL> grant resource, connect, select any table to eavesdropper;
  Concessione riuscita.
  SQL> revoke all on reserved from eavesdropper;
  Revoca riuscita.
  SQL> conn eavesdropper/eavesdropper@svi3;
  Connesso.
  SQL> select * from reserved;
  Mar Nov 14                                                           pagina    1
                               select * from reserved
  USERNAME                       PASSWORD
  administrator of the bank      password of the administrator
  Selezionata 1 riga.
  SQL>Message was edited by:
  alessandro.miami

• How can I grant users to access/modify system folders (C:/Windows/Fonts) by using GPO in Win7 ?

  In our company there are some folks that require often new fonts that they take from the internet. Unfortunately, some of them have offices on in a diferrent country, so going there to insert my admin paswoord is not a solution.
  If you copy the ttf file into the C:/Windows/Font folder is enough, you don't have to also add the registry.
  One way to bypass the window that asks for admin credentials is to insert my crdentials into the bat file (runas). But this is very unsecure, as I am an administrator.
  Is there a way to create a shared folder that can also store fonts that can be used by windows? Can I give them the right to modify files in this folder without making them administrators? Or do you see any solution to this issue? Any help would
  be greatly appreciated.
  Thank you in advance.

  Another solution which will not compromise your security is to create a share folder and have the users to download fonts to the folder. After that a simple schedule task GPO on clients to copy the
  *.ttf files from the folder to the C:\Windows\Fonts folder. Since tha task can be run by administrative privileges I guess there will be no problem.
  Regards.
  Mahdi Tehrani Loves Powershell
  Please kindly click on Propose As Answer
  or to mark this post as
  and helpful to other people.

• SQL 2012 sp2 "The permissions granted to user 'DOMAIN\user' are insufficient ..."

  1st let me set the tone by admitting I am not real familiar with SQL, I'm more of an Operations Admin. So this is not a new question I think, although I am having difficulty finding an applicable solution.  Using SQL Server 2012 sp2 on a Windows
  2012R2 server.  This is configured to be a SCOM DB server; while on the SQL server itself I open IE and attempt to go to the following URL http://scomsql/reportserver_SCOM I get the
  following error.
  Reporting Services Error
  The permissions granted to user 'DOMAIN\user' are insufficient for performing this operation. (rsAccessDenied) Get Online Help
  SQL Server Reporting Services
  I have looked at the Reporting Services Config. Mgr. and it looks like the Report Mgt. URL is set for port 80 and no SSL is configured.  The rsreportserver.config file has the SecureConnectionLevel set to "0"
  My domain account is listed under Security\Logins and holds the 'Server Roles' of public and sysadmin, 'User Mapping' is DBO for the 'ReportServer$SCOM' and 'ReportServer$SCOMTempDB' and the role membership shows db_owner and public for these as well.
  Any assistance with getting this working would be greatly appreciated.
  # When I wrote this script only God and I knew what I was doing. # Now, only God Knows!

  Hi Wasisname,
  The Reporting Services error rsAccessedDenied occurs when a user does not have permission to perform an action. To troubleshooting this issue, please make sure that you have sufficient permission and the report server name is correct.
  In fact, reporting Services uses role-based security to grant user access to a report server, and there are two types of roles: Item-level roles and System-level roles. On a new installation, only local administrators have access to a report server. In order
  to grant access to visit the URL http://server:port/ReportServer to users, a local administrator must create a role assignment to define the tasks a user can perform. To solve this problem, please refer to the
  following steps:
  Start Report Manager by going to URL
  http://scomsql/reportserver_SCOM.
  Click Site Settings at the top right of the page.
  Click Security in the left pane.
  If a role assignment already exists for the user, click Edit.
  Otherwise, click New Role Assignment. In user, enter the user account.
  Select appropriate access, and then click Apply.
  The issue may be caused by the UAC or Internet Explorer security setting, please try to follow this steps:
  1. Open the Internet options of the IE and add the report server URL into trusted site in the Security tab.
  2. Run the IE as administrator.
  Besides, if the user need to have access to reports, folders, models and shared data sources, we can assign Item-level roles on the root node (the Home folder) or on specific folders or items.
  For more information about Configuring a Native Mode Report Server for Local Administration, please refer to the following document:
  http://msdn.microsoft.com/en-us/library/bb630430(v=sql.110).aspx
  If you have any more questions, please feel free to ask.
  Thanks,
  Wendy Fu
  If you have any feedback on our support, please click
  here.
  Wendy Fu
  TechNet Community Support

• When granting a user or a role access to a group of pages, it is best practise to grant that access to what type of file or component?

  My question is same while granting user or role in the application, what is the best practise? How to decide the level of applying role to pagedef's, xml files, or some other file that i have missed out.

  As for my concern I would go for page definition files.