Identify elevated process for non-admin

Although it is unusual, unprivileged users can run elevated under their normal credentials (not with admin creds).  This most commonly occurs with logon scripts run from GPO. 
Running elevated messes some things up (particularly drive mapping).  Thus, I'm looking for a way for a script to identify if it is running elevated.  I know how to find elevated status for administrators:
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal( $identity )
$admin = [System.Security.Principal.WindowsBuiltInRole]::Administrator
if ($principal.IsInRole( $admin )) {
    # script is running as an admin
}
But this doesn't work (obviously) for non-admins.
This article is helpful for testing for elevated processes, but it doesn't work if run elevated itself.
Anyone have any suggestions? 
Thanks.

Hi Cascomp,
In addition, please also check the script below to determine whether the process is running elevated.
[bool]((whoami /groups) -match "S-1-16-12288")
The SID "S-1-16-12288" implies that the group the current user belongs to has a High Mandatory Level label, and the elevated user has the high level, which can be found HERE.
For more detailed information about Windows Integrity Mechanism, please also refer to this article:
http://msdn.microsoft.com/en-us/library/bb625963.aspx
Q: How can I quickly tell if my PowerShell window is running elevated?
http://windowsitpro.com/powershell/q-how-can-i-quickly-tell-if-my-powershell-window-running-elevated
Best Regards,
Anna
TechNet Community Support
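
The integrity-label check from the reply above, as an added example that is not part of the original thread: it parses the CSV form of `whoami /groups` by SID column instead of matching the whole text, and goes slightly beyond the one-liner by reporting the level and treating High or above (including System) as elevated. The function name `Get-IntegrityLevel` and the sample lines are constructed for illustration.

```powershell
# Added example, not code from the thread. Get-IntegrityLevel is a hypothetical name.
function Get-IntegrityLevel {
    param(
        # Lines in the format of: whoami /groups /fo csv /nh
        # Defaults to the live output for the current process.
        [string[]]$GroupCsv = (whoami /groups /fo csv /nh)
    )

    # Well-known mandatory label RIDs (S-1-16-<RID>).
    $names = @{
        0     = 'Untrusted'
        4096  = 'Low'
        8192  = 'Medium'
        8448  = 'Medium Plus'
        12288 = 'High'
        16384 = 'System'
    }

    # /nh drops the localized header row, so column names are supplied here.
    $label = $GroupCsv |
        ConvertFrom-Csv -Header Name, Type, SID, Attributes |
        Where-Object { $_.SID -match '^S-1-16-\d+$' } |
        Select-Object -First 1

    if (-not $label) {
        throw 'No mandatory label SID (S-1-16-*) found in the group list.'
    }

    $rid = [int]($label.SID -replace '^S-1-16-', '')
    $levelName = if ($names.ContainsKey($rid)) { $names[$rid] } else { "Unknown ($rid)" }

    [pscustomobject]@{
        Sid      = $label.SID
        Level    = $levelName
        Elevated = ($rid -ge 12288)   # High Mandatory Level or above
    }
}

# Constructed sample input (not captured from a real host), so the parser
# can be exercised without depending on the current session's token.
$sample = @(
    '"Everyone","Well-known group","S-1-1-0","Mandatory group, Enabled by default, Enabled group"'
    '"BUILTIN\Users","Alias","S-1-5-32-545","Mandatory group, Enabled by default, Enabled group"'
    '"Mandatory Label\High Mandatory Level","Label","S-1-16-12288",""'
)
Get-IntegrityLevel -GroupCsv $sample

# In a logon script: branch on the live token of the current process.
if ((Get-IntegrityLevel).Elevated) {
    Write-Warning 'Running with a High (or higher) integrity token.'
}
```

Matching on the SID column rather than the group name keeps the check independent of the display language of the Windows installation.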

Similar Messages

  • Acrobat 7 requires admin password at every launch for non admin users?

    acrobat 7 requires admin password at every launch for non admin users?
    any one with a solution or similar problem?
    thanks for any help.

    I've been avidly following all of the threads regarding this issue...yet none of the solutions have worked for me. I've got 11 Mac users that do not use the Creative Suite..only Acrobat, Quark, etc. I've tried installing and re-installing through both Admin and User accounts, I've tried the AdobeBib XML change, I've tried enabling Root and installing, changing permission on the Acrobat folder, etc. all to no avail. I still get asked for Admin Authentication every time Acrobat and Distiller are opened (except on the Admin account side). This is happening on one particular Mac (G4, 1GB Ram, OS 10.4.3) for both Acrobat Standard 6 and 7 as well. The biggest issue that also happens in tandem with the Acrobat installs is the inability to print from Quark. I get the following error when printing: "The process "pictwpstops" terminated unexpectedly on signal 6." Because of the necessity to print Quark documents, I have uninstalled all Acrobat on the machines until we can get a fix. This resolves the printing problem with Quark. The only option left is to set up all users as Admin accounts - which I really do not want to do. Any other suggestions out there? I've got more information available if needed.

  • Trust ALL root Certifications in Windows not working for non-Admins on Terminal Server

    I have been trying to set up a verification process that will allow us to use Active Directory Certifications to verify signatures. I have finally found the setting to use the Windows Store after not getting Adobe to query our Certificate Authority. It works great on our local desktop where users have Admin access, but when users do it on our Terminal Server it does not allow it. I thought the issue was access to a configuration file in the Adobe directory, but I found the setting in the Registry set correctly. But it does not work correctly. One additional note: I noticed that after I enabled it on a Non-Admin, Adobe would say it crashed after I shut it down.
    My question is what type of privilege do you need, or maybe Adobe needs, to access the Windows Cert Store from a Terminal Server with a non-Admin, because it is not validating after confirming the setting is enabled.
    Thanks,
    Donavan  


  • How to allow access to winrs for non-admin user?

    I have Windows Server 2012 (and Server 2008, but it is next priority) to monitor it using txwinrm. txwinrm library internally is using WinRS protocol. I have to monitor it using least privileged user, but don't know how to configure access for him.
    All I managed to do is configure a remote PowerShell session for my user, but it looks like winrs and PowerShell sessions have different security descriptors:
    Invoke-Command -ComputerName 192.168.173.206 -Credential (credential Administrator $pwd) -ScriptBlock { 2 + 2}
    # gives 4
    Invoke-Command -ComputerName 192.168.173.206 -Credential (credential lpu1 $pwd) -ScriptBlock { 2 + 2}
    # gives 4
    winrs -r:192.168.173.206 -u:Administrator -p:$pwd 'powershell -command "2+2"'
    # gives 4
    winrs -r:192.168.173.206 -u:lpu1 -p:$pwd 'powershell -command "2+2"'
    # Gives Winrs error: Access is denied.
    Configuration for my user is following:
    (Get-Item WSMan:\localhost\Service\RootSDDL).value
    # O:NSG:BAD:P(A;;GA;;;BA)(A;;GA;;;S-1-5-21-3231263931-1371906242-1889625497-1141)S:P(AU;FA;GA;;;WD)(AU;SA;GWGX;;;WD)
    (Get-PSSessionConfiguration -name Microsoft.Powershell).SecurityDescriptorSddl
    # O:NSG:BAD:P(A;;GA;;;BA)(A;;GA;;;S-1-5-21-3231263931-1371906242-1889625497-1149)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)
    (In each security descriptor my user is given general access to protected object).
    So what security descriptor should I set to make my winrs query work for non-admin user?

    Hi Bunyk,
    I cannot recreate the error you posted; please also post a screenshot at your convenience.
    I tested with a non-domain user that has local admin permission on the remote computer, and this worked. Before running the remote cmdlet in PowerShell, I also configured the TrustedHosts.
    In addition, the access denied error could also be caused by the Protocol Filtering on the remote server. For more detailed information, please refer to this thread:
    winrs error:access is denied
    I hope this helps.

  • Outlook Connector shared calendar lookup doesn't work for non-admins

    First the version info:
    JMS 6.2-8.04, Directory Server 5.2, Connector 7.2.402.1
    Non-admin users are not able to retrieve a list of users from the GAL with Outlook Connector. I, as an admin, do get the list. Here is the access log for a non-admin user. Note that in the RESULT, nentries is always zero.
    mwilson=535258100062018 (non-admin)
    -bash-3.00$ grep -i "conn=425940" access.20080923-112603
    [23/Sep/2008:11:37:25 -0700] conn=425940 op=-1 msgId=-1 - fd=93 slot=93 LDAP connection from 209.152.33.8 to 10.10.3.3
    [23/Sep/2008:11:37:25 -0700] conn=425940 op=0 msgId=1 - BIND dn="uid=535258100062018,ou=people,o=pcc.edu,o=cp" method=128 version=3
    [23/Sep/2008:11:37:25 -0700] conn=425940 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=535258100062018,ou=people,o=pcc.edu,o=cp"
    [23/Sep/2008:11:37:25 -0700] conn=425940 op=1 msgId=2 - SRCH base="ou=people,o=pcc.edu,o=cp" scope=2 filter="(pdsRole=Employee)" attrs="cn mail uid objectClass"
    [23/Sep/2008:11:37:25 -0700] conn=425940 op=1 msgId=2 - SORT cn
    [23/Sep/2008:11:37:25 -0700] conn=425940 op=1 msgId=2 - VLV 1:1:1:0 2:19201 (0)
    [23/Sep/2008:11:37:25 -0700] conn=425940 op=1 msgId=2 - RESULT err=0 tag=101 nentries=0 etime=0
    [23/Sep/2008:11:37:25 -0700] conn=425940 op=2 msgId=3 - SRCH base="ou=people,o=pcc.edu,o=cp" scope=2 filter="(pdsRole=Employee)" attrs="uid mail cn title company telephoneNumber physicalDeliveryOfficeName objectClass"
    [23/Sep/2008:11:37:25 -0700] conn=425940 op=2 msgId=3 - SORT cn
    [23/Sep/2008:11:37:25 -0700] conn=425940 op=2 msgId=3 - VLV 0:8:0:0 1:19201 (0)
    [23/Sep/2008:11:37:25 -0700] conn=425940 op=2 msgId=3 - RESULT err=0 tag=101 nentries=0 etime=0
    [23/Sep/2008:11:39:26 -0700] conn=425940 op=3 msgId=4 - UNBIND
    [23/Sep/2008:11:39:26 -0700] conn=425940 op=3 msgId=-1 - closing - U1
    [23/Sep/2008:11:39:26 -0700] conn=425940 op=-1 msgId=-1 - closed.
    Next, I followed the steps outlined in http://docs.sun.com/app/docs/doc/819-5200/gbnse?l=en&a=view&q=shared+calendar+ldap+lookup.
    I set service.wcap.userprefs.ldapproxyauth = "yes"
    I have the ACI entries as specified in that document.
    (targetattr = "mail || uid || icsCalendar || givenName || sn || cn")
    (targetfilter = (|(objectClass=icscalendaruser)(objectClass=icscalendarresource)))
    (version 3.0;acl "Allow Calendar administrators to proxy - product=ics,class=admin,num=2,version=1";
    allow (proxy)(groupdn = "ldap:///cn=Calendar Administrators, ou=Groups, o=cp");)
    (targetattr = "mail || uid || icsCalendar || givenName || sn || cn")
    (targetfilter = (|(objectClass=icscalendaruser)(objectClass=icscalendarresource)))
    (version 3.0;
    acl "Allow Calendar users to read and search other users - product=ics,class=admin,num=3,version=1";
    allow (read,search)
    (userdn = "ldap:///uid=*,ou=People,o=pcc.edu,o=cp")
    The only oddity I see is that the ACI entries are not passed down to the next directory levels.
    Any thoughts?
    David.

    I reviewed the document and I believe the VLV browsing indexes are setup and functional. I've also checked the ACI entries and they look correct. (The document doesn't mention the ACI entries for proxy authentication.) As I said, an admin user can retrieve names from the GAL, a non-admin user cannot. The only difference in the access log is the returned nentries value.
    ./ldapsearch -h vmpt1 -p 389 -D "uid={uid},ou=People,o=pcc.edu,o=cp" -w {passwd} \
    -b "ou=People,o=pcc.edu,o=cp" -x -s "sub" -S "cn" \
    -G "1:1:dpelinka" "pdsRole=Employee" uid
    results for admin user
    -bash-3.00$ grep "conn=838261" access
    [25/Sep/2008:14:30:30 -0700] conn=838261 op=-1 msgId=-1 - fd=165 slot=165 LDAP connection from 10.10.3.5 to 10.10.3.3
    [25/Sep/2008:14:30:30 -0700] conn=838261 op=0 msgId=1 - BIND dn="uid=311914191753070,ou=People,o=pcc.edu,o=cp" method=128 version=3
    [25/Sep/2008:14:30:30 -0700] conn=838261 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=311914191753070,ou=people,o=pcc.edu,o=cp"
    [25/Sep/2008:14:30:30 -0700] conn=838261 op=1 msgId=2 - SRCH base="ou=people,o=pcc.edu,o=cp" scope=2 filter="(pdsRole=Employee)" attrs="uid"
    [25/Sep/2008:14:30:30 -0700] conn=838261 op=1 msgId=2 - SORT cn
    [25/Sep/2008:14:30:30 -0700] conn=838261 op=1 msgId=2 - VLV 1:1:dpelinka 4799:19235 (0)
    [25/Sep/2008:14:30:30 -0700] conn=838261 op=1 msgId=2 - RESULT err=0 tag=101 nentries=3 etime=0
    [25/Sep/2008:14:30:30 -0700] conn=838261 op=2 msgId=3 - UNBIND
    [25/Sep/2008:14:30:30 -0700] conn=838261 op=2 msgId=-1 - closing - U1
    [25/Sep/2008:14:30:30 -0700] conn=838261 op=-1 msgId=-1 - closed.
    results for non-admin user:
    -bash-3.00$ grep "conn=839346" access
    [25/Sep/2008:14:32:47 -0700] conn=839346 op=-1 msgId=-1 - fd=226 slot=226 LDAP connection from 10.10.3.5 to 10.10.3.3
    [25/Sep/2008:14:32:47 -0700] conn=839346 op=0 msgId=1 - BIND dn="uid=299899598658566,ou=People,o=pcc.edu,o=cp" method=128 version=3
    [25/Sep/2008:14:32:47 -0700] conn=839346 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=299899598658566,ou=people,o=pcc.edu,o=cp"
    [25/Sep/2008:14:32:47 -0700] conn=839346 op=1 msgId=2 - SRCH base="ou=people,o=pcc.edu,o=cp" scope=2 filter="(pdsRole=Employee)" attrs="uid"
    [25/Sep/2008:14:32:47 -0700] conn=839346 op=1 msgId=2 - SORT cn
    [25/Sep/2008:14:32:47 -0700] conn=839346 op=1 msgId=2 - VLV 1:1:dpelinka 4799:19235 (0)
    [25/Sep/2008:14:32:47 -0700] conn=839346 op=1 msgId=2 - RESULT err=0 tag=101 nentries=0 etime=0
    [25/Sep/2008:14:32:47 -0700] conn=839346 op=2 msgId=3 - UNBIND
    [25/Sep/2008:14:32:47 -0700] conn=839346 op=2 msgId=-1 - closing - U1
    [25/Sep/2008:14:32:47 -0700] conn=839346 op=-1 msgId=-1 - closed.

  • New IR's not appearing in Views for non-admins

    We are in pre-production testing for SM 2012 SP1.  We only have a few user roles beside the built-in roles.  We have a 'standard' group which has access to just about everything except for sensitive items relating to user termination, legal, etc.  We have a group which can see those sensitive items, and then we have the built-in administrators.
    When non-admins create an IR or SR, it sometimes takes up to 5 minutes for the item to show up in a custom “all open incidents” view, or in a custom “my incidents” view.  In a few isolated cases, the work item did not appear for over an hour.  However, admins can see all of these work items immediately in any view that should, by criteria, be displaying it.
    What would cause a work item to display immediately in all appropriate views for admins, but not for non-admins?

    Sorry for the delay in updating.  Our management team got very frustrated with the performance and nearly killed the whole project.  I got them to give SM another chance with R2, hoping that some of the issues would be resolved.  This issue was not resolved.
    So, I have continued testing.  I cleaned up our Queues, so we only have 4 now in the Queues list.  When I open the properties of our custom user role, the Queue section displays our 4 queues, plus one called Work Item Group from the System Work Item Library.  I started with selecting just 1 Incident queue for this user role.  I created a new IR as this user, and it took nearly 15 minutes for the IR to appear in the view.
    I then modified the user role and selected the "All work items can be accessed" radio button.  I created another IR and it appeared in the view immediately.  Now, this is where it gets interesting.   I went back to the user role and set it back to display a single queue, and the IR disappeared from the view.  It didn't appear again for another 10 minutes.
    The queue that this IR should be assigned to is quite simple.  Right now, I want it to display all incidents.  It is not looking at an advanced class, just incident.  Initially, I did not put any criteria on it at all.  I then tried setting it to just Active Incidents, and still the IRs take 10-15 minutes to appear.
    I still don't understand what an aggressive queue is.  Does my queue sound 'aggressive?'  The view is looking at Incident (typical), not advanced.  I don't see any obvious problems in the Workflow Status section of the Admin pane.  What should I be looking for next?  I need to have the ability to filter queues by user roles, but it will cripple productivity if new IRs do not appear for 10-15 minutes.

  • Allowing Shockwave Player to run for non-admins

    Hi all, I see the following problem on and off for years now, with Adobe Flash and in particular Adobe Shockwave Player.
    I have a school that has a Windows 7 lab. Shockwave Player 11.6 is installed as part of the base image. It shows up in "Programs and Features"
    After it was initially installed, I tested the plug-in by going to http://www.adobe.com/shockwave/welcome and it worked fine.
    The problem I'm having is with non-admin users. Our students aren't local admins. Say they go to a website that has Shockwave content, for example, http://www.pbs.org/wgbh/aso/tryit/dna/index.html
    When I (with a non-admin student account) click on the link to play the Shockwave content, a pop-up window appears. Then IE 9 displays a message "This webpage wants to run the following add-on: "Adobe Shockwave Player 11.6" from Adobe Systems Incorporated. Allow/Allow for all websites?" I don't want to see this again, so I click Allow for All websites. Then I get another window: "Adobe Shockwave Player is now installing....Installing compatibility components." So far, so good. The problem is, once the installation progress bar gets to the end, Windows User Access control pops up prompting for an admin user account and password to complete the install. Since they don't have an admin account, the install can't complete.
    How do I get Shockwave Player to "just work" for non admin users? I see for Flash there is this document at http://forums.adobe.com/thread/987370 about registry permissions, etc. Is there a similar solution for Shockwave Player?
    Please help, thanks,
    Sir_Timbit

    If SW is trying to install compatibility components, be sure to run the full installer before creating your base image

  • Majority of reports missing for non admin users

    I have followed the instructions here (SCCM 2012–Reporting in console for non-admins (Reporting User Role) v2) to allow non admin users the ability to view reports in the console. So far, so good. However, when viewing the reports with the non admin user, only about 100 of the 400+ reports appear.
    Am I missing something here?

    The custom reporting one in the link I provided, and also modified versions of the following:
    OS Deployment manager (removed rights to All driver related items (drivers and driver packages), Boot image packages (except read access), Operating system installation packages).
    Application Administrator (removed Application>Approve; Distribution Point>Set Security Scope; Distribution Point Group>Set Security Scope; Global Condition>Set Security Scope)
    The reports missing we care about primarily are Software ones (companies and products and files).

  • QuickTime fails to initialize for non-admin users (Error 63441)

    I have installed iTunes 6.0.4 (including QuickTime 7.0.4) on my XP PC. iTunes and QuickTime work fine for the Admin users, but not for non-Admin accounts.
    iTunes crashes with the generic Microsoft 'send error report' message; QuickTime gives "QuickTime failed to initialize. Error # 63441".
    Any help / suggestions appreciated.

    Eventually fixed it!
    As mentioned in numerous other posts this came down to an issue with registry keys.
    Updated the permissions for HKEY_LOCAL_MACHINE\SOFTWARE\Apple Computer, Inc.\QuickTime to give 'Full Control' to 'Everyone'.
    Initially had a lot of difficulty accessing the Apple Computer, Inc. branch - kept getting 'access denied'. This turned out to be because there was no owner set for the key. Once I had made myself owner I was able to make the other changes.

  • How to hide the page ribbon and quicklaunch for non admin users

    HI
    1 ) how to hide the ribbon in a page in sharepoint 2010 for non administrator users  
    2) how to hide quicklaunch also for non admin users
    in quick launch i want to hide links for all site content also.
    i used Document Center Template to create my web application.
    adil

    HI
    i did not get how i use this control 
    <SharePoint:SPSecurityTrimmedControl
        runat="server"
        PermissionsString="FullMask">
      <div>
        <SharePoint:SPLinkButton
            id="idNavLinkViewAll"
            runat="server"
            NavigateUrl="~site/_layouts/viewlsts.aspx"
            Text="<%$Resources:wss,quiklnch_allcontent%>" AccessKey="<%$Resources:wss,quiklnch_allcontent_AK%>"/>
      </div>
    </SharePoint:SPSecurityTrimmedControl>
    adil

  • Will Firefox be configured to update for non-admins on windows 7/8

    We are considering allowing Firefox in our 5000 user hospital and are currently all Internet Exploder. None of our users are admins on the hospital systems so, is it possible to push updates to windows 7/8 systems? I am not looking for help doing the push, just wanting to know if the updates are available for download as MSI or EXE?

    hello, since version 26 firefox is able to auto-update on windows even for non-admin users (when the mozilla maintenance service is getting installed in the original configuration): http://www.mozilla.org/en-US/firefox/26.0/releasenotes/#whatsnew
    those would be the auto-updates provided by mozilla directly - so i'm not sure if this is something that would fit in your environment. installing the .exe file of a new version (available at [https://www.mozilla.org/firefox/all/]) on top of an older version will also update the program.

  • User Interface Access Customisation for non admin users

    Hi,
    It is understood that for non-admin users, some features of the Planning Interface are not enabled and this can be controlled by proper access permissions. But, is it possible to extend the customization to provide some additional features in the menu bar for a user?
    For example, if View User wants to manage task lists. Is it possible by some sort of customization? Please advise.
    Thanks.

    Hi,
    You can create right click menus, and you can also create links on the tools page. Would any of these help you?
    Here is the doc on those subjects:
    Creating and Updating Menus
    Administrators can create right-click menus and associate them with data forms, enabling users to click rows or columns in data forms and select menu items to:
    Launch another application, URL, or business rule, with or without runtime prompts
    Move to another data form
    Move to Manage Approvals with a predefined scenario and version
    The context of the right-click is relayed to the next action: the POV and the Page, the member the user clicked on, the members to the left (for rows), or above (for columns).
    When designing data forms, use Other Options to select menus available for Data Form menu item types. As you update applications, update the appropriate menus. For example, if you delete a business rule referenced by a menu, remove it from the menu.
    To create, edit, or delete menus:
    Select Administration, then Manage, then Menus.
    Perform one action:
    To create a menu, click Create, enter the menu's name, and click OK.
    To change a menu, select it and click Edit.
    To delete menus, select them, click Delete, and click OK.
    Specifying Custom Tools
    Administrators can specify custom tools, or links, for users on the Tools page. Users having access to links can click links from the Tools menu to open pages in secondary browser windows.
    To specify custom tools:
    Select Administration, then Application, then Settings.
    For Show, select Advanced Settings.
    Click Go.
    Select Custom Tools.
    For each link:
    For Name, enter the displayed link name.
    For URL, enter a fully qualified URL, including the http:// prefix
    For User Type, select which users can access the link.
    Click Save.

  • Disabling Windows Explorer For Non Admins and Leaving it Enabled For Admins.

    Good evening,
    I am running a Citrix XenApp environment and I need to disable explorer.exe from running for non admin users. My team and I have discovered that explorer.exe can be accessed by any app that is being used by the end user and therefore can grant that user access to the XenApp server interface--this is a BIG NO NO!
    The users do not have admin rights when in explorer.exe but they can shut down the server. I can disable a few areas such as the taskmgr, regedit, cmd, windows+x, and I can prevent the user from shutting down the system by only allowing them to log off, and prevent them from making changes to desktop icons, but it would be much preferred to stick it to the users and not allow them to access the XenApp server interface at all.
    I have tested changing the shell for explorer.exe from explorer.exe to iexplorer.exe and this worked fine (it only displayed the desktop wallpaper for the logged on user), but the change was not reversible. Luckily, I took a snapshot of my virtual test system beforehand.
    Is there a way to prevent Windows Explorer from running for all non admins and also so that the local administrator account is not affected by the change as well? I have also tried preventing explorer.exe from running via GPO but that didn't work.
    Thanks in advance,

    Hi,
    A more robust and manageable way of securing your systems by controlling which applications can be launched is Software Restriction Policies.
    Check this article for an introduction to Software Restriction Policies:
    http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx
    Regards.

  • Itunes hangs for non admin users

    I've got itunes 10.6.3 running on 10.6.8 Macs which are joined to AD and OD for network authentication.
    When starting itunes as anything other than an administrator (local or domain) itunes simply hangs - on the very first run you can Agree to the EULA but after that it hangs at the startup. Sometimes you get the authentication dialogue for our proxy server but not always.
    I've checked and the proxy isn't even receiving any requests, and it works fine for an admin user. I've taken the proxy out of the users preferences and it still hangs.
    So is itunes dead in the water for non admins, or do I have to resort to the Windows 95 days of making everyone an admin of the Mac?

    Fgi42 wrote:
    The backup destination is an OpenSolaris ZFS directory shared with netatalk.
    That doesn't sound like a supported destination for Time Machine backups. See Apple's Disks that can be used with Time Machine.
    You'll probably need to find someone familiar with the OpenSolaris OS.

  • Custom resource/attribute not visible in FIM portal for non-admins

    hi all
    I have a problem I am not able to solve and hope somebody can help. We have created a custom Resource in the FIM portal called Customer. It is a User Resource Type and  attribute type customer, data type=reference.
    We have made this attribute visible in the Users Properties by editing the RCDC for Configuration for User Creation, Configuration for User Editing and Configuration for User Viewing. It is now visible for all users in the FIM Portal.
    But when a non-admin searches for an attribute in that field, nothing shows up.... only members of the administrator set are able to display the results.
    I have added the Resource to Filter permission - Administrator Filter permission + non-administrator filter permission.
    I have added the Resource to MPR - General: Users can read non-administrative configuration resources?
    Can anyone help?
    Best regards Andre
    Andre

    Hi,
    To be clear,
    You have created one new resource type 'Customer' and one attribute 'Customer' (Reference, bound to Person object)
    Update RCDC for Person (create/edit/view) to add a picker attribute with those parameters
    UsageKeywords: This is an optional string property. You can define a list of search scopes to be used in the Resource Picker by providing a list of the usage keywords that are supported by the SearchScopeConfiguration structure, where each keyword is separated by a (‘).
    ResultObjectType: This is an optional string property. The resource type is used to render resources in the pop-up dialog-box list. This is used with the Filter to help the Identity Picker identify what resource type is returned by the Filter, and render the data accordingly. This property is mutually exclusive with the UsageKeywords property (see above). When the search scope is applied, this has no effect. The string that is accepted for this property is any single, valid, resource-type name, for example, Person. When the filter is expected to return multiple resource types, Resource is used.
    Modify MPR "User management: Users can read attributes of their own" and "User management: Users can read selected attributes of other users" to add this new attribute
    Create a new MPR to give the right of all users to view new resource 'Customer' on all attributes
    Is that right?
    Regards,
    Sylvain
