How to restrict a VPN user with a specific AnyConnect profile?

I need to assign different profiles to AnyConnect users. This is done easily with IPSec, with the group policy configured in the client. With AnyConnect I have two options:
- Allow the user to select the connection profile: the problem here is that the user can select any profile and connect with the rules and permissions configured in that profile. I do not know how to force one specific profile for each user.
- Use the DefaultWebVPNGroup as the connection profile for everybody, combined with DAP. This is what I am doing now. Everybody connects with the default AnyConnect profile and I use DAP to assign each user the network ACLs, bookmarks, etc. The problem here is that I cannot use other options that are included in the profiles or in the policies, like split tunneling or the user authentication method.
I have seen some answers about this point but none of them is clear enough. I am using an ASA 5540 with 8.4(6) and Windows IAS RADIUS.
Thanks.

Thanks Elias. This works. Easy to configure. When I connect using the client it takes the group policy from RADIUS attribute 25 and applies it.
Just one little problem. This doesn't work with bookmarks when the user connects with WebVPN. In the logs I can see the connection taking the correct group policy but the bookmarks from that policy are not applied. Any idea?
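Elias's reply itself is not on this page, but the follow-up confirms the mechanism: the RADIUS server returns IETF attribute 25 (Class) in the Access-Accept and the ASA applies the group policy it names, so each user lands in the policy the RADIUS side chose rather than one they picked in the client. The Python below is an added example, not code from the thread or from Cisco: it encodes and parses that attribute in RADIUS TLV wire format and maps it to a group policy. It assumes the "OU=<group-policy>;" value convention for Class that the ASA uses (a Cisco convention, not stated in the thread), constructed policy names, and its own handling of a Class that names a policy the ASA does not have: the example falls back to the default policy and records why, so a RADIUS-side typo is visible in the result instead of silently granting the wrong permission set. Check what your ASA version does in that case before relying on it.

```python
import struct

# IETF RADIUS attribute type 25 is "Class" (RFC 2865 section 5.25).
RADIUS_ATTR_CLASS = 25
RADIUS_ATTR_FRAMED_IP = 8  # used only as a non-Class attribute the parser must skip

# Group policies that exist on the ASA. These names are constructed for the example.
CONFIGURED_GROUP_POLICIES = {"GP_SALES", "GP_ENGINEERING", "DfltGrpPolicy"}
DEFAULT_GROUP_POLICY = "DfltGrpPolicy"


def encode_attribute(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type(1) Length(1) Value; Length counts the 2-byte header."""
    if not 1 <= len(value) <= 253:
        raise ValueError("RADIUS attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def class_for_group_policy(policy: str) -> bytes:
    """Build the Class attribute a RADIUS server returns in Access-Accept.

    The policy name is carried as 'OU=<name>;' (assumption: the ASA's Class
    convention; the thread itself only says 'attribute 25').
    """
    return encode_attribute(RADIUS_ATTR_CLASS, f"OU={policy};".encode("ascii"))


def parse_attributes(blob: bytes):
    """Yield (type, value) for each TLV in blob, rejecting truncated or bogus lengths."""
    pos = 0
    while pos < len(blob):
        if len(blob) - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = struct.unpack_from("!BB", blob, pos)
        if length < 3 or pos + length > len(blob):
            raise ValueError(f"bad attribute length {length} at offset {pos}")
        yield attr_type, blob[pos + 2:pos + length]
        pos += length


def policy_from_class(value: bytes):
    """Return the name from an 'OU=<name>;' Class value, or None for other Class contents."""
    text = value.decode("ascii", errors="replace")
    if text.startswith("OU=") and text.endswith(";") and len(text) > 4:
        return text[3:-1]
    return None


def select_group_policy(attrs: bytes):
    """Decide which group policy an Access-Accept assigns.

    Returns (policy_name, reason). Only a policy that is configured on the ASA is
    honoured; otherwise the default applies and the reason says why.
    """
    saw_class = False
    for attr_type, value in parse_attributes(attrs):
        if attr_type != RADIUS_ATTR_CLASS:
            continue
        saw_class = True
        name = policy_from_class(value)
        if name in CONFIGURED_GROUP_POLICIES:
            return name, "radius"
    return DEFAULT_GROUP_POLICY, ("unknown-policy" if saw_class else "no-class-attribute")


if __name__ == "__main__":
    # Constructed Access-Accept payload: a Framed-IP-Address followed by the Class attribute.
    accept = encode_attribute(RADIUS_ATTR_FRAMED_IP, bytes([10, 0, 0, 5])) \
        + class_for_group_policy("GP_SALES")
    print(accept.hex())
    print(select_group_policy(accept))
```

On the IAS side this means the policy that matches the user's Windows group returns a Class attribute with the matching "OU=...;" value; the per-user decision then lives entirely on the RADIUS server, which is the property the original question was after.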

Similar Messages

  • How to restrict a normal user

    Please explain how to restrict a normal user from getting connected as the sys user in sqlplus. Even though I have revoked the SYSDBA and SYSOPER privileges, I am able to connect as SYSDBA in sqlplus. Is there any way to restrict the normal user?
    Regards
    Vijay Kumar

    These are the 2 ways to connect as SYSDBA:
    Password Authentication
    Unless a connection to the instance is considered 'secure', you MUST use a password to connect with the SYSDBA privilege.
    Users can be added to a special 'password' file using either the 'ORAPWD' utility or the 'GRANT SYSDBA to USER' command.
    Such a user can then connect to the instance for administrative purposes using the syntax:
    CONNECT username/password AS SYSDBA
    Operating System Authentication
    If the connection to the instance is local or 'secure' then it is possible to use the operating system to determine if a user is allowed SYSDBA access. In this case no password is required.
    The syntax to connect using operating system authentication is:
         CONNECT / AS SYSDBA
    Oracle determines if you can connect thus:
    On MS Windows NT/2000/2003/XP:
    On MS Windows the OSDBA group is a hard-coded group, thus:
    Group Name   Oracle uses this as...
    ~~~~~~~~~~   ~~~~~~~~~~~~~~~~~~~~~~
    ORA_DBA      OSDBA group for all instances
    When you issue 'CONNECT / AS SYSDBA', Oracle checks if your MS Windows logon is a member of the 'ORA_DBA' group.
    If you don't want OS authentication, remove the ORA_DBA group from the logon id. But automatic database startup at boot time will no longer work.
    Werner

  • How to map the bulk users with the required roles in portal at one time

    Hi,
    Would anyone tell me how to map bulk users to the required roles in the portal at one time?

    Thanks for all the replies.
    I need to assign 1 or 2 groups to n (e.g. 1000) users.
    I tried the first option like
    [group]
    gid=
    gdesc=
    user=
    The problem with this is I couldn't put a larger number of users in the notepad file.
    I would be able to put only 150 users in a single line of notepad. If it goes to the next line it is not working.
    I tried creating a separate notepad file but in Import it says "exists".
    I'm not sure about LDAP. Would anyone explain to me the best approach to do this?

  • How to create full new user with all privileges

    How to create a full new user with all privileges?
    And how to delete existing users?
    Thanks in advance..

    The common solution is probably to use sudo for privilege elevation; the wiki should help.

  • How to know the forms associated with a specific transaction

    Hi..
    Can anyone please suggest to me how to know the forms associated with a specific transaction.
    For example, in the Finance module.
    I came to know from SDN that the form associated with F.64 is F140_acc_stat_01.
    But I need the steps for how to track the form name.
    Regards..
    Vinodh

    Hi,
    1. We can't find the forms associated with a specific transaction.
    2. But, based on the requirement, we can go for the form selection.
    3. Suppose in accounts payable and receivable, we have different forms like customer statement, dunning and check form etc.
    4. The functional people can find the form name in SPRO and give the details of the requirement.
    5. If you have the output type or form name you can go for the TNAPR and TTXFP tables and you can search for the respective object.
    6. For FI you can directly find it in SPRO, by searching it with the form name.
    Regards,
    If helpful reward with points (don't forget).

  • How to Control authorization for users with certain status for level 2 WBS Element

    Dear All,
    Is there any standard way or enhancement available to control authorization for users with a certain status for a WBS Element? For example:
    Pre-requisite:
    There are only 2 levels of project, i.e.
    Lev  WBSE          Description
    1    7-14.E        summary outage controller
    2    7-14.E.2310   Plant/unit # 2310
    2    7-14.E.2310   Plant/unit # 2220
    The Project Controller (authorization role assigned "Z_PS_OP7_OTGCON_C") has all project-level authorization.
    The Plant/Unit Controller (authorization role assigned "Z_PS_OP7_PLNTOTG_C_2310") has only level 2 authorization, with an enhancement that we did in the system by a Z table.
    User ID   Plant #
    123345    2310
    122455    2220
    Issue:
    After the System Status is released and the User Status approved, the WBS basic dates for Plant/Units should be restricted from being updated/changed at Plant/Unit Controller level, and only the project controller should have this authority.
    Solution required:
    Can anyone tell how to control this scenario, either by standard or by an enhancement available to control authorization?
    BR
    Saqib Usman

    Hi,
    Did you explore SAP Enhancement CNEX0002 Using Transaction CMOD?
    Thank you and regards,
    Varshal Kachole
    The SCN Rules of Engagement

  • How to deliver MM02 to user with only Bin Location editable.

    My user wishes to have access to change only the Bin Location field in MM02. How can we achieve this? Or in other words, how can we deliver MM02 to a user with only the Bin Location field editable?
    My basis guy sees a possibility if we can somehow provide the authorization objects of all the fields of MM02. Would that be a practical approach? If yes, what is the way of finding the authorization objects?
    Regards,
    Alok.

    Hi,
    You can create a transaction variant in SHD0 for MM02.
    Transaction variants (http://help.sap.com/saphelp_nw70/helpdata/en/7d/f639f8015111d396480000e82de14a/content.htm) simplify transaction flow by:
    -Inserting default values in fields
    -Hiding and changing the ready for input status of fields
    -Hiding and changing the attributes of table control columns
    -Hiding individual menu functions
    -Hiding entire screens
    Transaction variants are actually made up of a series of screen variants. The field values and field attributes for each screen in a transaction variant are stored in screen variants. Each variant is assigned to a transaction. Variants may, however, contain values for screens in multiple transactions, if transaction flow makes this necessary. The transaction the variant is assigned to serves as its initial transaction, whenever you start the variant.
    Both client-specific and cross-client transaction variants exist. Screen variants are always cross-client; they may, however, be assigned to a client-specific transaction.
    A specific namespace has been designated for cross-client transaction variants and screen variants and they are both automatically attached to the Change and Transport System. Client-specific transaction variants can be transported manually.
    Transaction and screen variants may be created for all dialog and reporting transactions. However, there are certain restrictions that apply to their use, depending on how their corresponding transactions have been realized internally.
    Transaction variants may not be created for transactions already containing pre-defined parameters (parameter transactions and variant transactions).
    The following sections contain additional information on how to create and maintain transaction variants:
    -Maintenance
    -Additional Functions
    -Transport
    Regards,
    Srilatha.

  • How to add an authorization check for a user with an assigned role for t.code MIR4

    Hi All,
    Regarding authorization, how to check authorizations for a user with assigned roles for the t.code MIR4 using ABAP.
    In detail: 2) All users are allowed to go to MIR4 (invoice number), but ONLY users with the role MM_RELEASE_INVOICE can proceed to do the posting.
    Suggest me...
    Thanks,
    srii..

    Hi Sri ,
    First you need to find out in which user roles you are using this object; after that, if you want to restrict users then remove the create/change values from that object's values.
    Make use of Tcode SUIM to find out all roles which are using this object.
    or
    ask your basis guy to remove authorizations to create/change....
    regards
    Prabhu

  • Remote Access VPN Users with CX Active Authentication.

    I have an ASA 5515 with CX for web filtering, and also have enabled remote access VPN. All my inside users are able to get active and passive authentication correctly. But remote access VPN users are redirected to the ASA external IP and CX authentication port 9000, and a blank page comes up with no prompt for authentication. I wasn't doing split tunneling, but now I have excluded the ASA WAN IP from the tunnel and still have the same issue.
    The CX version we have is 9.3.1.1

    Have you excluded the VPN traffic from being NATed when traffic is going between clients?
    Please post a full sanitised configuration of the router so we can check it for configuration issues.
    Please remember to select a correct answer and rate helpful posts

  • How to Restrict same portal user from other node

    Hi
    In my application, we charge customers for each portal user login. But I found that they can share the same user login among a number of people.
    I don't want to allow the same portal user to log into the application if that user is already logged in and its session is still active.
    Here is the scenario:
    User A is logged in to the portal from terminal AA. Now, User A again tries to log in to the portal from terminal BB. I don't want to allow user A to log in from terminal BB because user A has an active session from terminal AA.
    Does anyone know how to implement this?
    thanks in advance.
    Srini

    Hi Srini!
    We have solved this problem with our own login portlet. Before the final login we have to check (from a certain table) how many logins there currently are with that username.
    But there is a problem. If the user closes the browser without logging off, the session remains active. There is a cleanup job which removes those sessions after some hours. Still, it is not very elegant.
    Regards,
    Jari
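The reply above describes the two halves of a single-active-session control: a login check against a session table, and a cleanup job for sessions abandoned without a logoff. The Python below is an added example of that design, not Jari's portlet code: a session registry that refuses a second concurrent login while the first session is live, refreshes the session on each authenticated request, and expires sessions that have gone idle. The idle timeout value and the FakeClock are constructed for the example; the clock is injected so the expiry behaviour can be exercised deterministically.

```python
import time
from dataclasses import dataclass

IDLE_TIMEOUT_SECONDS = 30 * 60  # assumption: a session silent this long is treated as abandoned


@dataclass
class Session:
    user: str
    terminal: str
    last_seen: float


class SessionRegistry:
    """Tracks the single active session each user may hold.

    login() refuses a second concurrent login for a user whose session is still
    live; touch() is called on every authenticated request so an active user is
    never expired; cleanup() plays the role of the periodic job in the post and
    sweeps sessions whose browser was closed without a logoff.
    """

    def __init__(self, idle_timeout=IDLE_TIMEOUT_SECONDS, clock=time.monotonic):
        self.idle_timeout = idle_timeout
        self.clock = clock          # injectable so behaviour can be tested deterministically
        self._sessions = {}         # user -> Session (the "certain table" in the post)

    def _is_live(self, session, now):
        return now - session.last_seen <= self.idle_timeout

    def login(self, user, terminal):
        now = self.clock()
        current = self._sessions.get(user)
        if current is not None and self._is_live(current, now):
            # Refuse: the user already holds a live session from another terminal.
            return False, f"{user} already has an active session from {current.terminal}"
        # No session, or a stale one left by a closed browser: replace it.
        self._sessions[user] = Session(user, terminal, now)
        return True, f"{user} logged in from {terminal}"

    def touch(self, user):
        """Refresh last_seen on an authenticated request; False if no session exists."""
        session = self._sessions.get(user)
        if session is None:
            return False
        session.last_seen = self.clock()
        return True

    def logout(self, user):
        return self._sessions.pop(user, None) is not None

    def cleanup(self):
        """Remove idle sessions; returns how many were swept."""
        now = self.clock()
        stale = [u for u, s in self._sessions.items() if not self._is_live(s, now)]
        for u in stale:
            del self._sessions[u]
        return len(stale)

    def active_terminal(self, user):
        s = self._sessions.get(user)
        return s.terminal if s else None


class FakeClock:
    """Constructed clock for demos and tests: advance() moves time forward."""
    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


if __name__ == "__main__":
    clock = FakeClock()
    reg = SessionRegistry(clock=clock)
    print(reg.login("userA", "AA"))            # accepted
    print(reg.login("userA", "BB"))            # refused while AA is live
    clock.advance(IDLE_TIMEOUT_SECONDS + 1)    # AA closed the browser and went idle
    print(reg.cleanup(), "stale session(s) removed")
    print(reg.login("userA", "BB"))            # now accepted
```

The idle timeout is the lever that trades off the two failure modes in the reply: too long and a closed browser locks the legitimate user out until the cleanup job runs; too short and a user who pauses is expired and can be displaced by someone else holding the shared credentials.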

  • Authenticating, Authorizing VPN user with AAA

    Hello,
    I have an ACS 1113 (4.2) Solution Engine and an ASA 5550 which has been integrated with ACS. I need to authenticate and authorize the VPN users from ACS.
    Also I need to have different access for different groups in ACS.
    please help me in this.
    Thanks
    Ritesh

    Hi,
    I am finding one problem. Well, I have done the configuration in the ASA for authentication through ACS, but when I attempt to authenticate a user I get an authentication message. Here are the commands configured in the ASA and the debug messages:
    Command:
    aaa-server ACSCHN protocol radius
    aaa-server ACSCHN (WAN) host 10.132.15.26
    key _____
    aaa authentication telnet console ACSCHN LOCAL
    aaa authentication enable console ACSCHN LOCAL
    Debug Msg:
    Initiating authentication to primary server (Svr Grp: ACSCHN)
    AAA FSM: In AAA_BindServer
    AAA_BindServer: Using server:
    AAA FSM: In AAA_SendMsg
    User: wipro
    Resp:
    In localauth_ioctl
    Local authentication of user wipro
    callback_aaa_task: status = -1, msg =
    AAA FSM: In aaa_backend_callback
    aaa_backend_callback: Handle = 868, pAcb = 1a3363f8
    aaa_backend_callback: Error: sorry
    AAA task: aaa_process_msg(185f00e8) received message type 1
    AAA FSM: In AAA_ProcSvrResp
    Back End response:
    Authentication Status: -1 (REJECT)
    AAA FSM: In AAA_NextFunction
    AAA_NextFunction: i_fsm_state = IFSM_PRIM_AUTHENTICATE, auth_status = REJECT
    AAA_NextFunction: authen svr = ACSCHN, author svr = , user pol = , tunn pol =
    AAA_NextFunction: New i_fsm_state = IFSM_DONE,
    AAA FSM: In AAA_ProcessFinal
    AAA FSM: In AAA_Callback
    user attributes:
    None
    user policy attributes:
    None
    tunnel policy attributes:
    None
    Auth Status = REJECT
    aaai_internal_cb: handle is 868, pAcb is 1a3363f8, pAcb->tq.tqh_first is 1841ce20
    AAA API: In aaa_close
    AAA task: aaa_process_msg(185f00e8) received message type 3
    In aaai_close_session (868)
    Please help: why did it authenticate with the internal server and not with the ACS server?
    Regards
    Ritesh
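The debug output quoted above shows the sequence a defender wants to catch: the ASA selects server group ACSCHN, the bind step names no server ("Using server:" is empty), the request is answered by local authentication of user wipro, and the REJECT that follows is a local verdict rather than one from ACS, consistent with the LOCAL fallback in the "aaa authentication ... ACSCHN LOCAL" lines. The Python below is an added example, not from the thread or from Cisco: a small analyser for this 'debug aaa' output that reports exactly those facts. The sample lines are copied from the post; the regular expressions are written against those exact line shapes, so other debug levels or ASA releases may need adjusting.

```python
import re

# Line shapes taken from the ASA AAA debug excerpt in the post above.
GROUP_RE = re.compile(r"Initiating authentication to primary server \(Svr Grp: (\S+)\)")
BIND_RE = re.compile(r"AAA_BindServer: Using server:\s*(\S*)")
LOCAL_RE = re.compile(r"Local authentication of user (\S+)")
STATUS_RE = re.compile(r"Authentication Status: (-?\d+) \((\w+)\)")

# Debug excerpt copied from the post (the page's own data, not constructed).
SAMPLE_DEBUG = """\
Initiating authentication to primary server (Svr Grp: ACSCHN)
AAA FSM: In AAA_BindServer
AAA_BindServer: Using server:
AAA FSM: In AAA_SendMsg
User: wipro
Resp:
In localauth_ioctl
Local authentication of user wipro
callback_aaa_task: status = -1, msg =
Back End response:
Authentication Status: -1 (REJECT)
AAA_NextFunction: authen svr = ACSCHN, author svr = , user pol = , tunn pol =
"""


def analyse_aaa_debug(text):
    """Summarise one authentication attempt from ASA AAA debug output.

    Returns a dict with the server group selected, the server actually bound
    (None when the bind line names nothing), the user handled by LOCAL
    authentication (if any), the final status word, and a list of findings.
    """
    summary = {"server_group": None, "bound_server": None,
               "local_auth_user": None, "status": None, "findings": []}
    for line in text.splitlines():
        if m := GROUP_RE.search(line):
            summary["server_group"] = m.group(1)
        elif m := BIND_RE.search(line):
            summary["bound_server"] = m.group(1) or None   # empty host -> None
        elif m := LOCAL_RE.search(line):
            summary["local_auth_user"] = m.group(1)
        elif m := STATUS_RE.search(line):
            summary["status"] = m.group(2)

    if summary["server_group"] and summary["bound_server"] is None:
        summary["findings"].append(
            f"server group {summary['server_group']} selected but no server was bound")
    if summary["local_auth_user"]:
        summary["findings"].append(
            f"request for {summary['local_auth_user']} answered by LOCAL fallback, "
            "not by the external server")
    if summary["status"] == "REJECT" and summary["local_auth_user"]:
        summary["findings"].append(
            "REJECT was issued by LOCAL, so it is not a verdict from the external server")
    return summary


if __name__ == "__main__":
    for finding in analyse_aaa_debug(SAMPLE_DEBUG)["findings"]:
        print("-", finding)
```

A healthy attempt would show a host address after "Using server:" and no local-authentication line, and the analyser returns an empty findings list for it; the point of separating "bound_server" from "status" is that a REJECT alone does not tell you which authenticator produced it.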

  • How can I create a user with rights to install packages on a publish instance?

    Hi,
    I am trying to create a user with the rights to upload and install content packages on a CQ publish instance and I do not wish to use the admin user. Simply adding a new user to the administrators group does not seem to be enough.
    I tried adding a rep:GrantACE node through CRXDE/explorer but it reported the node as locked. I was able to upload a content package that removed the rep:DenyACE jcr:read for everyone, but this is not safe, it seems.
    Is there some special privilege that I need to add to my user/group that will allow them to access the /etc/packages tree, or do I just need to add some permission somewhere within the tree?
    Regards,
    Chris

    With some help from David Collie, Alex Klimetschek & Jörg Hoh I have a better idea of what is going on and we've found a solution.
    It seems that the admin account always works in these scenarios as it has special privileges in the CRX security system; admin can do anything it likes.
    Instead of creating the rep:GrantACE nodes directly, I was able to add a new ACL entry for the administrators group to /etc/packages via the Access Control Editor (http://localhost:4502/crx/explorer/ui/aceditor.jsp?ck=1373027669916&Name=acEditor&Path=%2F etc%2Fpackages&_charset_=utf-8).
    Strangely, the administrators account already had some inherited rights on this directory that were overridden by the deny|everyone|jcr:read ACL entry on the /etc/packages node. Adding allow:administrators|jcr:read gives any member of that group access to read and write to the /etc/packages directory.
    Now that I have set up this user we can set up a deploy step in our CI build that does not rely on using the admin account.
    Thanks
    Chris

  • How to find if a user with fullaccess permission used a mailbox ?

    Hi,
    We use Exchange 2010 in my organisation.
    We have defined a lot of generic mailboxes and some of them have a lot of users with FullAccess permission.
    We think that some of them don't really use this mailbox.
    Is it possible to find, with PowerShell, information about the usage of a mailbox by users which have this FullAccess permission?
    Thanks

    Hi,
    Get-MailboxPermission <Identity>
    or
    Get-Mailbox | Get-MailboxPermission | ?{($_.AccessRights -eq "FullAccess") -and ($_.User -like 'DOMAIN\user') -and ($_.IsInherited -eq $false)} | ft Id*

  • How does one create a user with a null password in iManager?

    I'm setting up LDAP authentication and need to create a user with a null password.
    If you do not put a password in the password field when creating the user in iManager, a message pops up stating, No password has been defined for this user.
    You are given a choice of:
    Allow user to log in without a password
    - or -
    Do not allow user to log in without a password
    If you choose Do not allow user to log in without a password, there are no complaints.
    When I look at the properties of the newly-created user, however, I note that the "Require a password" checkbox is not filled in.
    That would imply that the answer to the question posed during the user's creation is moot; either answer produces a user that can log in without a password.
    I can then assign the Common Proxy password policy to the user, which does not dictate a minimum length for a password.
    From that point forward, any attempts to leave the password field blank in iManager results in another pop-up message stating:
    "Failure to enter a password will allow the user to login without a password."
    That implies that no password exists for the user, as opposed to a null password.
    Is that correct or are the public and private key for the user object still generated?

    If you do not specify a password, which is what happens when you select the 'Do not allow user to log in without a password' option initially, the user cannot log in. A user with no password (meaning no password exists at all, similar to a 'null' in programming) cannot log in with a password because, of course, they do not have a password.
    If you specify a zero-length string as the password you are effectively (and usually) creating a proxy user, for example to be used for the LDAP service in eDirectory, and this user can log in typing in a password (since typing would imply one or more characters) but nevertheless there IS a password, but it happens that it is zero-length, so typing nothing for the password IS submitting the correct password. This is the option carried out by eDirectory when you choose 'Allow user to log in without a password' (the prompt is a little misleading with its "without a password" phrase).
    Once you assign a UP policy you are telling the system that there SHOULD be a password on the user (and with common proxy there definitely should be, probably a strong one at that) so the only option now is whether or not the password is zero-length or longer. Obviously longer is the correct option for security reasons.
    Good luck.

  • How can I create bulk users with the System Administrator responsibility in EBS

    Hi Gurus
    I want to create or load bulk users with the System Administrator responsibility in Oracle EBS using simple steps (concurrent, API, OI, back end). Is it possible to create a user with the System Administrator responsibility using concurrent/API/OI? Kindly help me in creating users with the following details.
    Username     User Description        Employee Name        E-Mail ID
    Das A R      GM                      Mr. Arup R.Das       [email protected]
    sandeep.n    Sr. Manager - Works     Mr.sandeep.Naik      [email protected]
    sandeep      Asst. Manager - Excise  Mr.Sandeep Bhosale   [email protected]
    Thanks in Advance
    Hemanth.C

    Log in to the EBiz database with user/password app/app and verify the detailed parameters for the DB procedures below, which are used to create and update users and for responsibility-related work:
    Create User            FND_USER_PKG.CreateUser
    Disable User           FND_USER_PKG.DisableUser
    Update User            FND_USER_PKG.UpdateUser
    Enable User            FND_USER_PKG.EnableUser
    Add Responsibility     FND_USER_PKG.AddResp
    Update Responsibility  FND_USER_PKG.AddResp
    Remove Responsibility  FND_USER_PKG.DelResp
    In your case call two methods:
    1. CreateUser: pass all parameters.
    2. Add responsibility: for the responsibility, check the KEY/ID value for System Administrator in the FND_RESPONSIBILITY table, and pass this ID/KEY while calling the method.
    Better to put this in the EBiz forum.
