ICommand utility and security best practice

Similar Messages

• Users And Security Best Practice

  Dear Experts
  I am designing an application with almost fifty users scattered in different places. Each users should access tables according to his/her criteria. For example salessam, salesjug can see only the sales related tables. purchasedon should access only purchase related tables. i have the following problems
  Is it a best practice to create 50 users in the DB i.e. 50 Schemas are going to be created? Where are these users normally created?
  or is it better for me to maintain a table of users and their passwords in my design itself and i regulate through the front end. seems that this would be risky and a cumbersome process.
  Please advice
  thanks
  Manish Sawjiani

  You would normally create a single schema to own the
  objects and 50 users to use them. You would use roles
  and object privileges to control access.Well, this is the classic 'Oracle' approach to do this. I might say it depends a bit on what you want to achieve. Let's call this approach A.
  The other option was to have your own user/pwd table. You can create your own custom authentication but I would go for the built-in Application Express Users - authentication scheme. You can manage the users via the frontend (Application builder > manage Application Express Users) . There you can manage the groups and end users which you can leverage in your Apex app. You can even use the APIs to create the users programmatically. It is all done for you. Let's call this approach B.
  Some things to consider:
  1) You want to create a web application and also other applications that access the data stored in Oracle (another PHP / Oracle Forms / Perl ) or allow access via SQL/Plus. Then you should use approach A. This way you don't need to reimplement security for these different approaches.
  2) You want to create one (or multiple) Apex applications only. This will be the only mechanism the users will access your data. Then I would go for approach B.
  3) When using approach A some users didn't like that all users will have access to their workspace, including the sql command line and having the capability of building applications and possibly being able to change the data they have access to through the Oracle roles. Locking down this capability is possible but it takes some effort and requires an Apache as a proxy.
  4) When using approach A you will need DBA privileges to manage the users and assign the roles. This might not always be possible nor desired. Depends on who will manage the Oracle XE instance.
  5) Moving the application including the end users to another machine is a bit easier using approach B since they are exported via the application export mechanism. Using approach A you would have to do it yourself. Be aware that the passwords are lost when you install the users into a different Oracle XE instance.
  6) If you design the application using approach B you will have to design security in a way that doesn't rely on the Oracle roles / grants security mechanisms. This makes it easier to change the authentication scheme later. For example, later you want to use a LDAP directory, a different custom authentication scheme or even SSO (SSO is not available out of the box but feasible). This is directly possible.
  Using approach A you would have to recode the security mechanisms (which user is allowed to update/delete which data).
  Hope that clarifies your options a bit.
  ~Dietmar.
  Message was edited by:
  Dietmar Aust
  Corrected a typo in (5): Approach B instead of approach A , sorry.
  Message was edited by:
  Dietmar Aust

• SAP and BOBJ XI 3.x Integrated Security Best Practice

  I am trying to find any information around SAP and BOBJ XI 3.x Integrated Security Best Practice.
  So far i think it is uninversally agred that you should :
  1. Utilise the Business Objects platform security model to secure applications, folders and reports.
  2. Use BEx queries as the data source for Business Objects Universes and keep the number BEx queries to a minimum
  3. Use SAP authorisations over the BEx queries to secure report data at a row level.
  Has anyone seen any formal SAP Best Practice document or have any info to add ?
  Andrew

  Hi,
  those three items are all correct. In terms of security you can find lots of material in the standard BW help.
  in terms of query design / universe:
  https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/008d15dc-f76c-2b10-968a-fafe5a121129
  https://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/b0320722-741c-2c10-afab-93b5c0fc7e96
  ingo

• Any known security best practices to follow for FMS deployment

  Hi all,
  We have recently deployed Flash Media Streaming server 3.5.2 and Flash Media Encoder on a Windows 2003 machine. Do you guys know of any security best practices to follow for the FMS server deployment on a Windows machine, could you please point me to that resource.

  Hi
  I will add some concepts, I am not sure how all of them work technically but there should be enough here for you to
  dig deeper, and also alot of this is relevant to your environment and how you want to deploy it.
  I have done a 28 server deployment, 4 origin and 24 edge servers.
  All the Edge servers on the TCP/IP properties we disabled file and printer sharing. Basically this is a way in for hackers and we disabled this only on the edge servers as these are the ones presented to the public.
  We also only allowed ports 1935, 80, 443 on our NICs. Protocol numbers are 6 and 17, this means that you are allowing UDP and TCP. So definitely test out your TCP/IP port filtering until you are confortable that all your connection types are working and secure.
  Use RTMPE over RTMP, as it is there to be used and I am surprised not more people use it. The problem as with any other encryption protocol, it may cause higher overhead on resources of the servers holding the connections.
  You may want to look at SWF verification. In my understanding, it works as the following. You publish a SWF file on a website. This is a source code that your player uses for authentication. If you enable your edge servers to only listen for authentication requests from that SWF file, then hopefully you are really lessening the highjacking possibilities on your streams.
  If you are doing encoding via FME then I would suggest that you download the authentication plugin that is available on the Flash Media Encoder download site.
  There are other things you can look at making it more secure like adaptor.xml, using a front end load balancer, HTML domains, SWF domains,
  Firewalls and DRM.
  I hope this helps you out.
  Roberto

• Remoting Security: Best Practice

  I am exploring Remoting and I am curious about security best practice. By default, Enable-PSRemoting will configure an HTTP listener that listens to all addresses. Initially I thought this address was the addresses of the computer making
  the demoting request, but it isn't, it's the address on the local machine that is doing the listening. My reason for thinking this was the controller machine IP was that I thought I might want to limit successful remote requests to just the one machine. From
  a security standpoint this seemed better than letting any machine initiate a remote session. I know that the remote session is limited by the permissions of the user initiating, so any real threat is only because I have already been breached anyway. But still,
  I wonder if there is a way, and value, in limiting remoting to a subset of machines?
  Or is the default here really fine from a security standpoint as well?
  Thanks!
  Gordon

  It is most secure to configure remoting and restrict it using Group Policy.  GP will let you define subnets for both ends of the conversation network wide.
  \_(ツ)_/

• HTML and CSS Best Practices for Eloqua?

  Hello Topliners Community,
  My name is Ben and I am a Web Designer. I am currently looking for any guidance on HTML and CSS best practices when working with Eloqua. I am interested in the best practices for e-mail and landing pages.
  Thank you,
  Ben

  Personally I like to upload my custom created html/css into Eloqua instead of using the WYSIWYG.
  But if you must then right clicking on text boxes and click edit source is the way to go.
  There was a good discussion on editing your forms with CSS:
  Energize Your Eloqua10 Forms with CSS
  created by Ryan Wheler on Nov 2, 2012 8:44 AM, last modified by Greg Stotler on Sep 19, 2013 2:00 PM
  Version 2
  CSS can be used to heavily customize the layout of forms in Eloqua10.  In this article we will provide sample cover some common formatting use cases on Eloqua10 Landing Pages.  Further details about uses of CSS in Eloqua10 form templates can be found here: EE12 - Do It - Eloqua - Energize E10 Forms
  Eloqua10 Forms HTML Structure
  Below is an outline of the structure of the HTML generated by Eloqua when a form is added to a landing page.  By targeting the HTML classes highlighted below, we can control the layout of any form on your landing page.
    For the rest of page: http://topliners.eloqua.com/docs/DOC-3015

• Oracle Identity Manager - automated builds and deployment/Best practice

  Is there a best practice as for directory structure for repository in version control system?
  Do you recommend to keep the whole xellerate folder + separate structure for xml files and java code? (Considering fact that multiple upgrades can occur over the time)
  How custom code is merged to the main application?
  How deployment to Weblogic application server occur? (Do you create your own script or there is an out of the box script that can be reused)
  I would appreciate any guidance regarding this matter.
  Thank you for your help.

  Hi,
  You can use any IDE (Eclipse, Netbeans) for development.
  For, Getting started with OIM API's using Eclipse, please follow these steps
  1. Creating the working folder structure
  2. Adding the jar/configuration files needed
  3. Creating a java project in Eclipse
  4. Writing a sample java class that will call the API's
  5. Debugging the code with Eclipse debugger
  6. API Reference
  1. Creating the working folder structure
  The following structure must be created in the home directory of your project (Separate project home for each project):
  <PROJECT_HOME>
  \ bin
  \ config
  \ ext
  \ lib
  \ log
  \ src
  The folders will store:
  src - source code of your project
  bin - compiled code of your project
  config - configuration files for the API and any of your custom configuration files
  ext - external libraries (3'rd party)
  lib - OIM API libraries
  log - local logging folder
  2. Adding the jar/configuration files needed
  The easiest way to perform this task is to copy all the files from the OIM Design Console
  folders respectively in the <PROJECT_HOME> folders.
  That is:
  <XEL_DESIGN_CONSOLE_HOME>/config -> <PROJECT_HOME>/config
  <XEL_DESIGN_CONSOLE_HOME>/ext -> <PROJECT_HOME>/ext
  <XEL_DESIGN_CONSOLE_HOME>/lib -> <PROJECT_HOME>/lib
  3. Creating a java project in Eclipse
  + Start Eclipse platform
  + Select File->New->Project from the menu on top
  + Select Java Project and click Next
  + Type in a project name (For example OIM_API_TEST)
  + In the Contents panel select "Create project from existing source",
  click Browse and select your <PROJECT_HOME> folder
  + Click Finish to exit the wizard
  At this point the project is created and you should be able to browse
  trough it in Package Explorer.
  Setting src in the build path:
  + In Package Explorer right click on project name and select Properties
  + Select Java Build Path in the left and Source tab in the right
  + Click Add Folder and select your src folder
  + Click OK
  4. Writing a sample Java class that will call the API's
  + In Package Explorer, right click on src and select New->Class.
  + Type the name of the class as FirstAPITest
  + Click Finish
  Put the following sample code in the class:
  import java.util.Hashtable;
  import com.thortech.xl.util.config.ConfigurationClient;
  import Thor.API.tcResultSet;
  import Thor.API.tcUtilityFactory;
  import Thor.API.Operations.tcUserOperationsIntf;
  public class FirstAPITest {
  public static void main(String[] args) {
  try{
  System.out.println("Startup...");
  System.out.println("Getting configuration...");
  ConfigurationClient.ComplexSetting config =
  ConfigurationClient.getComplexSettingByPath("Discovery.CoreServer");
  System.out.println("Login...");
  Hashtable env = config.getAllSettings();
  tcUtilityFactory ioUtilityFactory = new tcUtilityFactory(env,"xelsysadm","welcome1");
  System.out.println("Getting utility interfaces...");
  tcUserOperationsIntf moUserUtility =
  (tcUserOperationsIntf)ioUtilityFactory.getUtility("Thor.API.Operations.tcUserOperationsIntf");
  Hashtable mhSearchCriteria = new Hashtable();
  mhSearchCriteria.put("Users.First Name", "System");
  tcResultSet moResultSet = moUserUtility.findUsers(mhSearchCriteria);
  for (int i=0; i<moResultSet.getRowCount(); i++){
  moResultSet.goToRow(i);
  System.out.println(moResultSet.getStringValue("Users.Key"));
  System.out.println("Done");
  }catch (Exception e){
  e.printStackTrace();
  Replace the "welcome1" with your own password.
  + save the class
  To run the example class perform the following steps:
  + Click in the menu on top Run, and run "Create, Manage, and run Configurations" wizard. (In the menu, this can be either "run..." or "Open Run Dialog...", depending on the version of Eclipse used).
  + Right click on Java Application and select New
  + Click on arguments tab
  + Paste the following in VM arguments box:
  -Djava.security.manager -DXL.HomeDir=.
  -Djava.security.policy=config\xl.policy
  -Djava.security.auth.login.config=config\authwl.conf
  -DXL.ClientClassName=%CLIENT_CLASS%
  (please replace the URL, in ./config/xlconfig.xml, to your application server if not running on localhost or not using the default port)
  + Click Apply
  + Click Run
  At this point your class is executed. If everything is correct, you will see the following output in the Eclipse console:
  Startup...
  Getting configuration...
  Login...
  log4j:WARN No appenders could be found for logger (com.opensymphony.oscache.base.Config).
  log4j:WARN Please initialize the log4j system properly.
  Getting utility interfaces...
  1
  Done
  Regards,
  Sunny Ajmera

• SAP Business One 2007 - SQL Security best practice

  I have a client with a large user base running SAP Business One 2007. 
  We are concerned over the use of the sql sa user and the ability to change the password of this ID from the logon of SAP Business One.
  We therefore want to move to use Windows Authentication (ie Trusted Connection) from the SAP BO logon.  It appears however that this can only work by granting the window IDs (of the SAP users) sysadmin access in SQL.
  Does anyone have a better method of securing SAP Business One or is there a recommended best practice.  Any help would be appreciated.
  Damian

  See Administrators Guide for best practise.
  U can use SQL Authentication mode Don't tick Remember password.
  Also check this thread
  SQL Authentication Mode
  Edited by: Jeyakanthan A on Aug 28, 2009 3:57 PM

• SAP HANA Security - Best Practice for Access to Schemas??

  Hi,
  Currently we don'y have a defined Security model in HANA Studio.Neither there is no defined duties of a BASIS / Security / Developers.
  I want to understand what best practices are followed at other customers for defining security for Schema.
  1. Who should be creating the schema for Developers / Modelers?
  2. Should we use our own ID's to create/maintain these Schema or a Generic ID?
  Right now, when developers log in to Studio, by default they are assigned to their own schema (User ID) and they create objects under that.
  We(Security team), face issues when other developers need access to schema of another user as they want to develop objects under schema of different user
  Also, who should be owning the "SYSTEM" user ID and what steps needs to be done whenever a new schema is created.
  Thanks for the help in advance.

  Hi,
  I created a project (JDeveloper) with local xsd-files and tried to delete and recreate them in the structure pane with references to a version on the application server. After reopening the project I deployed it successfully to the bpel server. The process is working fine, but in the structure pane there is no information about any of the xsds anymore and the payload in the variables there is an exception (problem building schema).
  How does bpel know where to look for the xsd-files and how does the mapping still work?
  This cannot be the way to do it correctly. Do I have a chance to rework an existing project or do I have to rebuild it from scratch in order to have all the references right?
  Thanks for any clue.
  Bette

• Web application security best practice?

  Hi guys,
  I am developing web app using JSF + Spring + Hibernate. I got a user backing bean which handling user login and logout session. Hence if user sign-in successfully, I will just set userLogIn=true in the userBean.java. I really don;t know if this is the best practice for handling user login session. Any security probelm here? Please advice, Thanks !
  regards,
  kmthien

  hi
  you can also find a lot of info about security handling and JSF if you search the forum.
  thanks.

• Web Intelligence Security Best Practices

  Hi All,
  We are in the process of starting to use web intelligence. I am puttng together a security model for it and I have some questions around best practices. We have a fairly simple two tier security model so far, end users and creators. Creators will be able to create reports in certain folders and everyone else will be able to run and refresh those reports they can see.
  I was going to create a group for all the creators and assign them to a custom access level in the web intelligence application. Then they would also need to be in another creator group for the particular folder. So they would be able to the create reports in that folder and execute reports in another.
  For all the end users, they need to be able to view and refresh reports, drilling, data tracking, etc. if they have access to them. Is the best practice then to just assign the Everyone group the out of the box view on demand access level?
  I have been digging around looking for resources and welcome anyone's input or ideas on the subject.
  Thanks in advance for any assistance provided.

  Thank you for your prompt reply.
  But that means that the same security groups will need to be creaed on both palces, web intelligence application and at the folder level?
  I was thinking if I create a developer group for the web intelligence application level, all developers would go into there. Then at the folder level I could create another folder level security group for developers to access the folder.
  Would that not simplify the maintenance at the application level? Or would that not work?

• Looking for Security Best Practices documentation for Sybase ASE 15.x

  Hello, I'm looking for SAP/Sybase best practice documentation speaking to security configurations for Sybase ASE 15.x. Something similar to this:
  Sybase ASE 15 Best Practices: Query Processing &amp;amp; Optimization White Paper-Technical: Database Management - Syba…
  Thanks!

  Hi David,
  This is something I found on the Sybase site:
  Database Encryption Design Considerations and Best Practices for ASE 15
  http://www.sybase.com/files/White_Papers/ASE-Database-Encryption-3pSS-011209-wp.pdf
  ASE Encryption Best Pracites:
  http://www.sybase.com/files/Product_Overviews/ASE-Encryption-Best-Practices-11042008.pdf
  If these do not help, you can search for others at:
  www.sybase.com > serach box on the top right.
  I searched "best pracitces security"
  Can also run advanced search > I typed in "ssl" into exact phrase.
  Hope this helps,
  Ryan

• HANA Security - Best Practices for Schema??

  Hi,
  Currently we don'y have a defined Security model in HANA Studio.Neither there is no defined duties of a BASIS / Security / Developers.
  I want to understand what best practices are followed at other customers for defining security for Schema.
  1. Who should be creating the schema for Developers / Modelers?
  2. Should we use our own ID's to create/maintain these Schema or a Generic ID?
  Right now, when developers log in to Studio, by default they are assigned to their own schema (User ID) and they create objects under that.
  We(Security team), face issues when other developers need access to schema of another user as they want to develop objects under schema of different user
  Also, who should be owning the "SYSTEM" user ID and what steps needs to be done whenever a new schema is created.
  Thanks for the help in advance.

  >So, if we follow this approach, who should be creating the schema as design time?
  Not sure what you mean by that.  We call this design time because you are creating an artifact in the repository and the catalog object doesn't get created until you activate that design time object.
  > Security Administrator or Developer/Modeler?
  Doesn't really matter. Depends upon your process. However I would say most of the time the developer creates the schema.  The developer doesn't immediately get access to the new schema.  He/She must create a role and that role has to be granted to them before they can see the objects in the new schema.
  >Also, for our current scenario, where developers are doing changes in their own schema, what should be done as a Security Administrator to assign access to a user schema to other developers?
  They shouldn't be creating objects in their user schema.  That user schema is for internal usage - like the creation of temporary objects. It shouldn't be used for any development.

• Security best practices?

  I'm not sure if this is the right group to post this questions but...
  Our current architecture consists of seperate web server (iPlanet) and java server
  (WLS 5.1). Each server is in a seperate DMZ with a secure network containing our
  DB. The webserver only has ports 80 and 443 available from the outside and only
  the WLS ports to the WLS. The WLS only in the only one that can talk to our DB.
  Our developers are working on a new design with Weblogic 6.1. They have been planning
  on keeping it on 1 server (using weblogic web services). We feel this is a security
  risk to have a server in the outside DMZ talking to a DB server inside our network.
  Does anyone know where I can find a white paper on best practices for security?
  Should we keep it as 2 servers or combine them into 1 server?
  Thank you for your time!
  Brett

  Hi.
  You might have better luck posting this question on the security newsgroup -
  weblogic.developer.interest.security.
  Regards,
  Michael
  BJones wrote:
  I'm not sure if this is the right group to post this questions but...
  Our current architecture consists of seperate web server (iPlanet) and java server
  (WLS 5.1). Each server is in a seperate DMZ with a secure network containing our
  DB. The webserver only has ports 80 and 443 available from the outside and only
  the WLS ports to the WLS. The WLS only in the only one that can talk to our DB.
  Our developers are working on a new design with Weblogic 6.1. They have been planning
  on keeping it on 1 server (using weblogic web services). We feel this is a security
  risk to have a server in the outside DMZ talking to a DB server inside our network.
  Does anyone know where I can find a white paper on best practices for security?
  Should we keep it as 2 servers or combine them into 1 server?
  Thank you for your time!
  Brett--
  Michael Young
  Developer Relations Engineer
  BEA Support

• What are Printing Security Best Practices for Advanced Features

  In the Networking > Advanced "Enabled Features" what are the best practices settings for security. Trying to find out what all of these are.  Can't find them in the documentation. Particularly eCCL & eFCL?
  Enabled Features
  IPv4 IPv6 DHCP DHCPv6 BOOTP AUTOIP LPD Printing 9100 Printing LPD Banner Page Printing Bonjour AirPrint LLMNR IPP Printing IPPS Printing FTP Printing WS-Discovery WS-Print SLP Telnet configuration TFTP Configuration File ARP-Ping eCCL eFCLEnable DHCPv4 FQDN compliance with RFC 4702
  Thanks,
  John

  I do work with the LAST archived project file, which contains ALL necessary resources to edit the video.  But then if I add video clips to the project, these newly added clips are NOT in the archived project, so I archive it again.
  The more I think about it, the more I like this workflow.  One disadvantage as you said is duplicate videos and resource files.  But a couple of advantages I like are:
  1. You can revert to a previous version if there are any issues with a newer version, e.g., project corruption.
  2. You can open the archived project ANYWHERE, and all video and resource files are available.
  In terms of a larger project containing dozens of individual clips like my upcoming 2013 video highlights video of my 4  year old, I'll delete older archived projects as I go, and save maybe a couple of previous archived projects, in case I want to revert to these projects.
  If you are familiar with the lack of project management iMovie, then you will know why I am elated to be using Premiere Elements 12, and being able to manage projects at all!
  Thanks again for your help, I'm looking forward to starting my next video project.