Identify role based on query

Similar Messages

• BPMON Alert Inbox - role based custom query

  Hello experts,
  I have a requirement from my customer in BPMON alert inbox to build a custom queries and distribute them to end-users based on security access or other kind of assignment.
  Say for example, we have a monitoring object "purchase requisition" defined for all company codes (regions).
  We do not want region A to see BPMON alerts for region B.
  So far what I have found is:
  1) the alert inbox shows all alerts to everyone who has access to BPO work center, cannot find an authorization object to restrict this.
  BPM_DETAIL kind of supposed to do the trick, but it only checks the authorizations when "Detail info" button hit - way pass the initial alerts list.
  We want to restrict the alerts visibility even before they come to hit the "Detail" button.
  2) Query to view alerts: seems that STANDARD query is available to everyone, and the standard query shows ALL alerts. The Filter would work, and we can create a new query to see only partial alert list, but this query is not "custom" but actually "user-specific", i.e. only person who created it can see it.
  We want the ADMIN person to create queries centrally for all regions, and be able to assign those queries to the regional people, so that they can only see the query that contain data pertaining to the region.
  And by the way - the "standard" query should be only assigned to ADMIN (not to everyone).
  Is it possible to achieve ?
  Appreciate any comments.
  Thank you
  Elena

  yes, you're correct. Basically "Associate assigned security roles with specific security scopes and collections" is required when you've more than one security role. However, do you think it's worth a try  "login
  into console with respective administrative user and check the required access."
  Also would that be possible to paste the screenshots of security scope properties of administrative users? That would also give some more idea. 
  I've noted down some of the issues in the following link ( I don't think nothing is directly related to your issue but it may give some clues) http://anoopcnair.com/2013/02/18/configmgr-sccm-2012-sp1-rba-implementation-gotchas-and-troubleshooting-tips/
  Anoop C Nair (My Blog www.AnoopCNair.com)
  - Twitter @anoopmannur -
  FaceBook Forum For SCCM

• BW Security roles based on query

  Hello All,
  If a User 1 needs to have access to ZQUERY_1 restricted by a company code AB11 and need to have full access (without restriction to AB11) to a different query ZQUERY_2.
  Similarly if a User 2 needs to have access to ZQUERY_1 restricted by a company code AB22 and need to have full access (without restriction to AB22) to a different query ZQUERY_2.
  ZQUERY_2 has company code as one of the characteristics.
  This is what I canu2019t do (I think):
  1)     Create an authorization object Z_RS_AB11 through T Code RSECADMIN to include the company code AB11. And then create a role with ZQUERY_1 and ZQUERY_2 as the only query that the role will give access to. Using RSU01, insert the authorization object Z_RS_AB11 (for the Company Code AB11) and assign it to User 1.
  This wonu2019t work, because with restriction to User 1u2019s profile on, User 1 would not be able to run ZQUERY_2 for all company codes.
  Or
  2)     Create a role where the authorization object S_RS_AUTH includes only company code AB11.
  This wonu2019t work either because User 1 would not be able to run ZQUERY_2 for all company codes due to restriction in the role to company code AB11.
  What are the possible solutions? Any thoughts...

  These queries are based on many Cubes/DSOs. 0COMP_CODE are in both the queries. We are not using 0COMPANY in any of the queries. Restricting access on a single InfoObject would not allow the users to view the other query where there should be no restriction.
  A Potential Solution (not sure if it could work though):
  Possible solution:
  Create role 1 for ZQUERY_1 and include AB11 in S_RS_AUTH.
  Create role 2 for ZQUERY_2 and include 0BI_ALL in S_RS_AUTH.
  Create role 3 for ZQUERY_1 and include AB22 in S_RS_AUTH
  Assign user 1, role 1 and role 2
  Assign user 2, role 2 and role 3
  Any thoughts on this...

• Renumbering with ACL-Friendly Role-Based Addressing or...?

  We are a mid-sized manufacturing firm operating out of three locations and we are in the process of making plans to restructure and renumber our networks so as to better facilitate automated configuration management and security, in addition to easing our deployment of IPv6.  Currently, at each site the L3/L2 boundary resides at the network core, but increasing traffic/chatter has us considering moving the L3/L2 boundary to the access layer(s), which consist of 3560-X units in the wiring closets that are supporting edge devices either directly or via 8-port 3560-C compact switches in the further reaches of our manufacturing and warehouse spaces.
  As we contemplate moving to a completely routed network, the big unknown we're struggling with is whether or not it is safe or even desirable to abandon ACL-friendly addressing, and whether, in doing so, we can expect to run into hardware limitations resulting from longer ACLs.
  Currently, each of our site-wide VLANs gets a subnet of the form 10.x.y.0/24, where x identifies the site and y identifies the class of equipment connected to said VLAN.  This allows us to match internal traffic of a given type with just a single ACE, irrespective of where the end-point device resides geographically.  Moving L3 routing decisions out to the access switches will require that we adopt smaller prefix assignments, with as many as 8 distinct subnets on each of our standard-issue 3560CG-8PC compact switches.  Why so many, you ask?  We currently have more than 30 ACL-relevant classifications of devices/hosts - a number that will only grow with time, and to maximize the availability of all services, it is our policy to physically distribute edge devices of a given class (eg. printers, access points, etc) over as many access switches as possible.
  From what I can see, we have three options, each of which present trade-offs in terms of management complexity and address utilization efficiency: 
  Option 1: Stick with ACL-friendly addressing, both for IPv4 and IPv6, and allocate uniform prefixes to each access switch.  For IPv4, within the 10.0.0.0/8 block we would probably allocate 8 bits to the site ID (/16), followed by 6 bits as the switch ID (/22), and 7 bits to identify the equipment/host classification (/29), for a maximum of 5 available addresses for a given class of devices on a given access switch.  For IPv6, assuming we have a /48 block for each site, we would use the first two bits to identify the type of allocation, the following 6 as the switch ID (/56), and the following 8 as the equipment/host classification (/64).
  Option 2: Abandon ACL-friendly addressing and dynamically allocate standard-sized prefixes from a common pool to each VLAN on a given switch.  The advantages of this approach are increased utilization efficiency and more addresses available within each VLAN, but it comes at the cost of non-summarizable routing tables and ACLs, and even if the hardware can handle this, it means we're talking about a more complex configuration management system and less ease in troubleshooting problems.
  Option 3: Do something similar to option 1, but with the L2/L3 boundary positioned at the distribution layer rather than the access layer.  I'm disinclined to go this route, as it seems to require the same, if not more, management complexity than we'll encounter with option 1, with only marginal benefits over keeping things the way they are currently (L2/L3 boundary at the network core).
  Thoughts?  What issues have we neglected to consider?  No matter which approach we select, it shall be assumed that we will be building a system to track all of these prefix assignments, provision switches, and manage their configurations.  From a standpoint of routing protocols, we would probably be looking at OSPFv2/v3.  It can also be assumed that if we encounter legacy devices requiring direct L2 connectivity to one another that we already have ways of bridging their traffic using external devices, so as far as this discussion is concerned, they aren't an issue.
  Thanks in advance for your ideas!
  -Aaron

  Hi David,
  Permissions based on GUI components is a simple & neat idea. But is it rugged? Really secure? It might fall short of Grady Booch's idea of Responsibilities of objects. Also that your Roles and Access components are coupled well with Views!!!!!!!
  My suggestion regarding the Management Beans is only to do with the dynamic modification which our discussion was giong forward.
  If we go back to our fundamental objective of implementing a Role based access control,let me put some basic questions.
  We have taken the roles data from a static XML file during the start up of the container. The Roles or Access are wanted to be changed dynamically during the running of the container. You would scrutinize the changes of Roles and access before permission during the case of dynamic modification.
  Do you want this change to happen only for that particular session? Don't you want these changes to persist??? When the container is restarted, don't you want the changes to stay back?
  If the answer to the above is YES(yes I want to persist changes), how about doing a write operation(update role/access) of the XML file and continue your operation? After all, you can get the request to a web or session bean and keep going.
  If the answer to the above is NO(no, i don't want to persist), you can still get the change role request to a web or session bean and keep going.
  Either way, there is going to be an intense scrutiny of the operator before giving her permissions!!!
  One hurdle could be that how to get all neighbouring servers know about the changes in roles and access??? An MBean or App Server API could help you in this.
  May I request all who see this direction to pour in more comments/ideas ? I would like to hear from David, duffymo, komone and jschell.
  Rajesh

• What is the mean of using Portal with Role Based security as entry point

  Hi Experts we have requirement of integration of Portal and MDM
  I am completely new to the MDM. So please give me some idea , what is the meanin for following points.
  1) Using the Portal with Role Based security as entry point for capacity and Routing Maintaince(These two are some modules).
  2) Additionally , Portal should have capability to enter in to the MDM for future master data maintence. Feeds of data will need to be come from  SAP 4.6c
  Please give me the clarity of what is the meanin of second point
  Regards
  Vijay

  Hi
  It requires the entire land scape like EP server and MDM server both should be configured in SLD.
  Your requirement is maintaing and updating the MDM data with Enterprise portal.We have some Business Packages to install in Portal inorder to access the functionality of MDM.
  Portal gives you a secure role based functionality of MDM through Single sign on (login into the portal access any application) to their end users.
  Please go through this link
  http://help.sap.com/saphelp_mdmgds55/helpdata/EN/45/c8cd92dc7f4ebbe10000000a11466f/frameset.htm
  You need to develope some custom applications which should be integrated into the portal to access MDM Server master data
  The estimation involves as per your requirement clearly
  Its depends upon the Landscape settings, Requirement complexity,Identify how many number of custom applications need to be developed
  Regards
  Kalyan

• EAM ID based or Role based? Why settle for just one?

  G'Day All,
  I've raised a question in the following blog, however I would like to open it up to other people as well so they might get something out of it and in the process might share their own thoughts on the matter at hand.
  ID-Based Firefighting vs. Role-Based Firefighting
  So this is where I am at this point:
  From what I can gather so far, my understanding of EAM ID/ROLE based is as follows:
  - Id Based: Logs in using own U.ID and through GRAC_SPM accesess FFID from the GRC Server and logs into the system assigned to them (ECC, SRM, CRM etc)
  Only one user at a time can use a FFID.
  Firefighter need not exist in every system assigned to them due to central logon however they need to exist in the GRC system
  Knows exactly when FFID is being used as he/she has to login so has a psychological effect (good thing)
  Better tracking of FF tasks - Specific log reports with Reason Codes. Bonus point from Auditors!
  Two Log ins so potential to commit fraud. (1 action using own UserID and 1 action using FFID)
  Could be hard to track and find out when a fraud has been committed so can be a problem with auditors.
        ID Based -> GRAC_SPM : TCode for Centralised FFighting -> You will see FFIDs assigned to you
        ID Based -> /n/GRCPI/GRIA_EAM : TCode for DCentralised FFighting -> You can see  the FFIDs assigned to you
  - Role Based: Logs into the remote system only using U.ID, so everything gets logged against that one ID. 
  Multiple users can use the FFROLE at once.
  Firefighter has to exist in every system assigned to them - so multiple logons.
  Hard to differentiate between FF tasks and normal tasks as no login required  So easy to slip up
  Time consuming to track FF tasks - No Specific log reports. No Reason Codes
       R.Based -> GRAC_SPM : TCode for Centralised FFighting -> You will see FFROLEs
       R.Based -> /n/GRCPI/GRIA_EAM : TCode for DCentralised FFighting -> Not applicable so wont work
  So based on this there are pros and cons in both however according to SAP only one can be used. To me personally,  it makes more sense to get the best of both the worlds right? So here is my question why can’t we just use both?
      . Really critical tasks -> FFID
      . Normal EAM tasks -> FFRole
  Alessandaro from the original post pointed this out:
  "Per design it isn't possible to achieve both types of firefighting at the same time. It's a system limitation and hence to configurable."
  Well this is what I can't seem to get my head around. For a FFID, there is a logon session so it has to be enabled and as far as I can tell there is no way around it.
  However for FFRole, there isn't such limitations/restrictions like starting a separate session. FFRole is just assigned to an end user for him/her to perform those tasks using their own user ID.
  So in what way is it different from any of their other tasks/roles, other than the fact that they've got an Owner/Controller assigned to the FFRole? and
  What is stopping us from using it when ID based is the default?
  If I were to do the following does it mean I can use both ?
      . Config Parameter: 4000 = 1 (GRC System) -> ID Based
      . Config Parameter: 4000 = 2 (Plug-In)  - > Role Based
  Please excuse me if my logic is a bit silly, Role Based firefighting is only done on Plug-in systems so the following should work just fine:
     . Config Parameter: 4000 = 2 (Plug-In)  - > Role Based
  However for ID based, it is a Central Logon, so the following is a must:
      . Config Parameter: 4000 = 1 (GRC System) -> ID Based
  Which means both ID/Role based can be used at the same time, which seems to be working just fine on my system. Either way I leave it you experts and I hope you will shed some light on it.
  Cheers
  Leo..

  Gretchen,
  Thank you for thoughts on this.
  Looks like I'm failing to articulate my thoughts properly as the conversation seems to be going in a different direction from what I am after. I'll try once more!
  My query/issue is not in regards to if/what SAP needs to do about this or why there isn't more support from Companies/Organizations and not even, which one is a better option.
  My query is what is stopping us(as in the end users ) from using both ID/Role based at the same time?
  Now before people start referencing SAP documentation and about parameter 4000, humour me with the following scenario please. Again I would like to reiterate that I am still in the learning phase so my logic might be all wrong/misguided, so please do point out to me where I am going wrong in my thought process as I sincerely would like to know why I am the odd one out in regards to this.
  Scenario
  I've created the following:
  FFID
  FFROLE
  Assigned them to, two end users
  John Doe
  Jane Doe
  I set the Configuration Parameters as follows: 
  IMG-> GRC-> AC-> Maintain Configuration Settings -> 4000:1 - ID Based
  IMG-> GRC (Plug-in)-> AC-> Maintain Plug-In Configuration Settings-> 4000:2 - Role Based
  User1
  John Doe logs into his regular backend system (ECCPROD001)-> executes GRAC_SPM-> Enters the GRC system (GRCPROD001)-> Because the parameter is set to ID based in the GRC Box, so he will be able to see the FFID assigned to him-> and will be presented with the logon screen-> Logs in -> Enters the assigned system (lets say CRMPROD001) At this point the firefighting session is under progress
  User2
  Jane Doe logs into her regular backend system (ECCPROD001) -> (can execute GRAC_SPM to check which FF Role has been assigned to her but she can see that in her regular menu, so there is no point) -> Executes the transactions assigned in FFROLEThis is done at the same time while FFID session is in progress
  So all I want to know is if this scenario is possible? if the answer is No, then why not?
  I physically carried out this scenario in my system and I had no problems(unless I am really missing the plot here), which brings me back to my original question: Why settle for just one?
  Again to reiterate I am not getting into the efficacy or merits of this or even if one should use this. Just want to know if it is possible/feasible or not.
  So there you have it. That's the whole enchilada(as they say there in Texas). I tried to word my thoughts as concisely as I can, if there are still any clarifications, more information you or anyone else reading this would like, please do let me know.
  Regards,
  Leo..

• Role-Based CLI Views with AAA method

  Hi,
  I'm configuring Role-Based CLI Views on a router for limiting access to users.
  My criteria:
  - There should be a local user account on the router that has the view 'service' attached to it
  - If the router is online and can reach the radius server, people in the correct group are assigned the view 'service'
  My configuration:
  aaa new-model
  enable secret 1234
  username service view service secret 1234
  aaa group server radius my_radius
  server-private 10.1.1.1 auth-port 1645 acct-port 1646 timeout 3 retransmit 2 key 0 1234
  server-private 10.1.1.2 auth-port 1645 acct-port 1646 timeout 2 retransmit 1 key 0 1234
  aaa authorization console
  aaa authentication login mgmt group my_radius local
  aaa authorization exec mgmt group my_radius local
  line con 0
  authorization exec mgmt
  logging synchronous
  login authentication mgmt
  line vty 0 4
  authorization exec mgmt
  logging synchronous
  login authentication mgmt
  transport input ssh
  The ERROR
  Now I want to go configure the cli view 'service'...
  # enable view
  Password: 1234
  *Jun  1 08:00:02.991: AAA/AUTHEN/VIEW (0000000D): Pick method list 'mgmt'
  *Jun  1 08:00:02.991: RADIUS/ENCODE(0000000D): ask "Password: "
  *Jun  1 08:00:02.991: RADIUS/ENCODE(0000000D): send packet; GET_PASSWORD
  *Jun  1 08:00:21.011: RADIUS: Received from id 1645/13 10.1.1.1:1645, Access-Reject, len 20
  The Questions
  Why does the 'enable view' try to pick a method list when you have to supply the enable secret to access the root view?
  Can you change this behaviour to always use the enable secret?
  The TEMP Solution
  If you're logged on to the router via telnet or SSH, the solution or workaround to this issue is:
  aaa authentication login VIEW_CONFG local
  line vty 0 4
  login authentication VIEW_CONFG
  Do your configuration of the view and re-configure the line to use the correct (wanted) method of authentication.
  Thanks so much for the suggestions
  /JZN

  hi,
  You have the following configured:
  aaa  authentication login mgmt group my_radius local
  aaa authorization  exec mgmt group my_radius local
  line  con 0
  authorization exec mgmt
  logging synchronous
  login  authentication mgmt
  line vty 0 4
  authorization exec mgmt
  logging synchronous
  login authentication mgmt
  transport  input ssh
  Hence every time you try to login to the console or try the ssh the authentication will head to the radius server because of the following command "login  authentication mgmt".
  You cannot make it locally. Whatever defined on the method list mgmt first will be taking the precedence.
  enable seceret will be locally defined. but you have the following configured:
  aaa  authorization  exec mgmt group my_radius local
  line  con 0
  authorization exec mgmt
  line  vty 0 4
  authorization exec mgmt
  Hence exec mode will also be done via radius server.
  when you configure:
  aaa  authentication login VIEW_CONFG local
  line vty 0 4
  login  authentication VIEW_CONFG
  You are making the authentication local, hence it is working the way you want.
  In short, whatever authentication is defined 1st on the method list will take precendence. the fallback will be checked only if the 1st aaa server is not reachable.
  Hope this helps.
  Regards,
  Anisha
  P.S.: please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.

• Role based Firefighter approach in AC 10

  I am in the process of implementing "role based" FF (ID based approach not implemented as users are not comfortable to login to GRC system to execute the tcodes).  I have a query about it.
  If we maintain the role based FF logins, and we run risk report, still all the conflicts are found associated with that FF ids as they have the conflicting role assigned to them in SU01.  So is it ok, to live with these conflict found related to FF ids.  what will be the case during audit, will they accept these risks occuring for the FF can be ignored.

  Hello,
  I think the best approach is to mitigate the risk as Alexander describes here:
  Why Role based Firefighter
  Cheers,
  Diego.

• GRC 10 Role based firefighter multiple users

  Hi All
  We are using GRC AC 10 SP12 and have Role based EAM implemented. We are looking at way to prevent the same user from being assigned multiple firefighters or a way for approver to know that another Firefighter ID is already assigned to this user?
  Thanks in advance
  Regards
  Vijaya

  Hi Vijaya,
  You can train approvers to Click on existing assignment button(in Access Request) to know the roles already assigned.
  And if in your environment, FF roles has distinguished naming convention then it can easily be identified
  by role owners.
  Thanks,
  mamoon

• Role based oracle adf security and filtering data

  while oracle adf security looks great its only role based... does anyone know of any resources describing an architecture where this is used in addition to filtering of data based on say, organization?
  it seems that oracle adf security is not really geared towards a self service app where administrative users have a security interface as part of the application where they can assign roles and associate users to entities for the further filtering of data...

  Hi,
  it seems that oracle adf security is not really geared towards a self service app where administrative users have a security interface as part of the application where they can assign roles and associate users to entities for the further filtering of data...
  ADF Security is a JAAS based security implementation to protect resources (like entities). It is nota security provider like OPSS or OID which you can use for user provisioning and self service (if you code against the IDM APIs). ADF Security only checks for whether a user is authenticated and if the user has the permission to perform a task.
  However, you can use groovy to access the security context from Groovy, which allows you to add the authenticated username to a query - for example to filter recrds out that match the username in one of its attributes.
  For example, you could create a ViewCriteria that for example filters the query by a specific attribute. Say that managers can see data starting from department 10 whereas employees can see data starting from department 100. The ViewCriteria would reference a bind variable with the following default setting
  adf.context.securityContext.isUserInRole('manager')? 10 : 100
  Frank

• OIM 11.1.1.5 provisioning role based objectclasses and attributes

  TL;DR You can't provision some attributes in our LDAP directory without the objectclass and I can't figure out the best way to inject the dynamic objectclasses into the create user process without the user being created already.
  Some background:
  I have configured our oim 11.1.1.5 instance and LDAP connector to provision ODSEE.  At another's recommendation, I put all possible LDAP attributes in a single form regardless of which objectclass was needed for them.  In ODSEE, sets of attributes are allowed through objectclasses for each 'Role'.  ie. Student, Employee, Guest, etc objectclasses.  I have all of the roles identified in OIM and can map them to an objectclass in LDAP
  My question is, how can I provision role based objectclasses along with the common ones that are configured in the lookup so that when the associated attributes are provisioned, I don't get objectclass violations? 
  Can I append objectclasses to the list stored in the Configuration lookup in ldapUserObjectClass?
  Should I create a child form containing the objectclasses and try to provision them?
  Can/should I create a child form for each set of attributes by role?  Common attribs in the LDAP_USR form and role based attribs in UD_LDAP_STU, UD_LDAP_EMP, UD_LDAP_GST, etc.  Would prepop and the rest of the main form functions work the same?
  Anything else I'm not thinking of? I am still a novice with some of these topics and may be way off base.
  Any help will be greatly appreciated and thank you in advance

  It is definitely doable if you use a custom LDAP connection implementation and just add objectclass update calls as needed as precursor tasks for the Update tasks.
  Here is a small LDAP demo tool that you can adapt to do the update: http://iamreflections.blogspot.com/2010/08/manage-ad-with-jndi-demo-tool.html
  There may be a smarter and more out of the box way to do it but this will work.
  Martin

• Reseeding cache for users with role based security

  I have role based security and trying to set up cache by purging all cache and later seeding cache by query. The query would be different for different users. What is the best way to purge all cache and reseed cache for administrator as well as all users. The EPT would purge cache based on updated tables. But how do I next go about reseeding cache for better performance to all the users. Thanks.

  I have created an ibot with the following:
  General - Normal Priority, Personalized (recipient's data visibility)
  Conditional Request - example_report
  Schedule - some schedule
  Recipients - Me(administrator) and User1
  Destinations - Oracle BI Server cache
  when the ibot runs 2 cache entries are created (for the 2 recipients).
  I have the report (example_report) on the dashboard (1 dashboard, 1 page, 1 report).
  After the ibot runs:
  When the administrator logs in first, there is a cache hit on the report. Followed by when the User1 logs in there is NO cache hit.
  On the other hand when the User1 logs in first, there is a cache hit on the report. Followed by when the administrator logs in there is no cache hit. The query log creates a Query issued to the database instead of cache hit on query.
  The User1 has a data level security.
  Please let me know where was I making an error in setting the ibot and how to get the cache seeding work for the different users with different role based security.
  Thanks for your inputs.

• [JSF 1.2] - Role Based Web Application: Whats the correct way of doing it?

  Hello,
  i have a web application that in some pages is role based. I have two database tables, Role and Permissions. Role can have 1..N Permissions and vice versa.
  In one page i need to render some forms depending on user role.
  What is the best approach to this?
  1. I have a sessionBean and on login load all the permissions (it's less secure but faster) based on user role;
  2. Everytime i use rendered="#{sessionBean.checkPermissions['can-create']}" i query the database. This checkPermissions gets the user role and retrieve all permissions of that user on demand;
  The first option is faster but while the user is logged if permissions changes we might have problems.
  The second, if i user 3 rendered attributes i do 3 queries to the database.
  Is rendered attribute the correct implementation?
  Regards.

  Yes, the rendered attribute is the correct way to accomplish this.
  As to the question of caching the result or querying the database each time, that is something that needs to be answered on an application by application basis.

• Privileges and Roles Based Views

  Hello,
  I have been confguring Roles based Views with Windows radius authentication on our 2960's and 3750's and it is working great.  I have 2 users, one with a Roles Base View called "priv3" and the other is for admins of login as the "root" view.  I have one Windows Active Directory group for "priv3" users and the other for admins using "root".
  Now I have to configure this on our 2955 switches and to my horror they don't seem to support Roles Based Views!!  fI you know if they can then all this would be solved, I've using the latest IOS c2955-i6k2l2q4-mz.121-22.EA13.bin.
  How can convert the Roles Base Views to privileges and use radius and not effect the other switches,as I've never used privilges.
  I hope someone can help with the config:
  Below is the config I use on the 2960's and 3750's and also what I use on the radius servers.  I guess I would need ot use a priv 15 setup and a custom view called priv3?
  Priv3 radius user settings
  cisco av-pair cli-view-name=priv3
  Priv 15 or root user settings
  cisco av-pair shell:priv-lvl=15
  cisco av-pair shell:cli-view-name=root
  Config:
  version 12.2
  no service pad
  service timestamps debug datetime msec
  service timestamps log datetime msec
  service password-encryption
  hostname 3750
  boot-start-marker
  boot-end-marker
  logging buffered 64000
  logging console informational
  logging monitor informational
  enable secret 5 $1$1UGK$kHB.S2UwMVXaG3C0
  username admin privilege 15 secret 5 $1$BsaS$cLHllovL2ZFb1
  username priv3users view priv3 secret 5 $1$JfnH$vUu.B.natnyB.
  aaa new-model
  aaa authentication login default group radius local
  aaa authentication enable default line
  aaa authorization console
  aaa authorization exec default group radius local
  aaa session-id common
  clock timezone GMT 0
  clock summer-time BST recurring last Sun Mar 2:00 last Sun Oct 3:00
  switch 1 provision ws-c3750g-12s
  switch 2 provision ws-c3750g-12s
  system mtu routing 1500
  udld aggressive
  no ip domain-lookup
  ip domain-name CB-DI
  login on-failure log
  login on-success log
  crypto pki trustpoint TP-self-signed-3817403392
  enrollment selfsigned
  subject-name cn=IOS-Self-Signed-Certificate-3817403392
  revocation-check none
  rsakeypair TP-self-signed-3817403392
  crypto pki certificate chain TP-self-signed-3817403392
  certificate self-signed 01
    removed
    quit
  archive
  log config
    logging enable
    logging size 200
    notify syslog contenttype plaintext
    hidekeys
  spanning-tree mode rapid-pvst
  spanning-tree extend system-id
  spanning-tree vlan 10 priority 8192
  vlan internal allocation policy ascending
  ip ssh version 2
  interface GigabitEthernet1/0/1
  interface GigabitEthernet1/0/24
  interface Vlan1
  description ***Default VLAN not to be used***
  no ip address
  no ip route-cache
  no ip mroute-cache
  shutdown
  interface Vlan10
  description ****
  ip address 10.10.150.11 255.255.255.0
  no ip route-cache
  no ip mroute-cache
  ip default-gateway 10.10.150.1
  ip classless
  no ip http server
  ip http secure-server
  logging trap notifications
  logging facility local4
  logging source-interface Vlan10
  logging 10.10.21.8
  logging 172.23.1.3
  access-list 23 permit 10.10.1.65
  snmp-server community transm1t! RO
  snmp-server trap-source Vlan10
  radius-server host 10.10.1.33 auth-port 1645 acct-port 1646 key 7 090D7E080D37471E48
  radius-server host 10.10.1.34 auth-port 1645 acct-port 1646 key 7 08607C4F1D2B551B51
  radius-server vsa send accounting
  radius-server vsa send authentication
  line con 0
  exec-timeout 60 0
  logging synchronous
  line vty 0 4
  access-class 23 in
  exec-timeout 60 0
  logging synchronous
  transport input ssh
  line vty 5 14
  access-class 23 in
  no exec
  transport input ssh
  parser view priv3
  secret 5 $1$XSCo$feyS.YaFlakfGYUgKHO/
  ! Last configuration change at 16:34:56 BST Fri Apr 13 2012
  commands interface include shutdown
  commands interface include no shutdown
  commands interface include no
  commands configure include interface
  commands exec include configure terminal
  commands exec include configure
  commands exec include show ip interface brief
  commands exec include show ip interface
  commands exec include show ip
  commands exec include show arp
  commands exec include show privilege
  commands exec include show interfaces status
  commands exec include show interfaces Vlan10 status
  commands exec include show interfaces Vlan1 status
  commands exec include show interfaces GigabitEthernet2/0/12 status
  commands exec include show interfaces GigabitEthernet2/0/11 status
  commands exec include show interfaces GigabitEthernet2/0/10 status
  commands exec include show interfaces GigabitEthernet2/0/9 status
  commands exec include show interfaces GigabitEthernet2/0/8 status
  commands exec include show interfaces GigabitEthernet2/0/7 status
  commands exec include show interfaces GigabitEthernet2/0/6 status
  commands exec include show interfaces GigabitEthernet2/0/5 status
  commands exec include show interfaces GigabitEthernet2/0/4 status
  commands exec include show interfaces GigabitEthernet2/0/3 status
  commands exec include show interfaces GigabitEthernet2/0/2 status
  commands exec include show interfaces GigabitEthernet2/0/1 status
  commands exec include show interfaces GigabitEthernet1/0/12 status
  commands exec include show interfaces GigabitEthernet1/0/11 status
  commands exec include show interfaces GigabitEthernet1/0/10 status
  commands exec include show interfaces GigabitEthernet1/0/9 status
  commands exec include show interfaces GigabitEthernet1/0/8 status
  commands exec include show interfaces GigabitEthernet1/0/7 status
  commands exec include show interfaces GigabitEthernet1/0/6 status
  commands exec include show interfaces GigabitEthernet1/0/5 status
  commands exec include show interfaces GigabitEthernet1/0/4 status
  commands exec include show interfaces GigabitEthernet1/0/3 status
  commands exec include show interfaces GigabitEthernet1/0/2 status
  commands exec include show interfaces GigabitEthernet1/0/1 status
  commands exec include show interfaces Null0 status
  commands exec include show interfaces
  commands exec include show configuration
  commands exec include show
  commands configure include interface GigabitEthernet1/0/1
  commands configure include interface GigabitEthernet1/0/2
  commands configure include interface GigabitEthernet1/0/3
  commands configure include interface GigabitEthernet1/0/4
  commands configure include interface GigabitEthernet1/0/5
  commands configure include interface GigabitEthernet1/0/6
  commands configure include interface GigabitEthernet1/0/7
  commands configure include interface GigabitEthernet1/0/8
  commands configure include interface GigabitEthernet1/0/9
  commands configure include interface GigabitEthernet1/0/10
  commands configure include interface GigabitEthernet1/0/11
  commands configure include interface GigabitEthernet1/0/12
  commands configure include interface GigabitEthernet2/0/1
  commands configure include interface GigabitEthernet2/0/2
  commands configure include interface GigabitEthernet2/0/3
  commands configure include interface GigabitEthernet2/0/4
  commands configure include interface GigabitEthernet2/0/5
  commands configure include interface GigabitEthernet2/0/6
  commands configure include interface GigabitEthernet2/0/7
  commands configure include interface GigabitEthernet2/0/8
  commands configure include interface GigabitEthernet2/0/9
  commands configure include interface GigabitEthernet2/0/10
  commands configure include interface GigabitEthernet2/0/11
  commands configure include interface GigabitEthernet2/0/12
  ntp logging
  ntp clock-period 36028961
  ntp server 10.10.1.33
  ntp server 10.10.1.34
  end
  Thanks!!!!

  DBelt --
  Hopefully this example suffices.
  Setup
  SQL> CREATE USER test IDENTIFIED BY test;
  User created.
  SQL> GRANT CREATE SESSION TO test;
  Grant succeeded.
  SQL> GRANT CREATE PROCEDURE TO test;
  Grant succeeded.
  SQL> CREATE ROLE test_role;
  Role created.
  SQL> GRANT CREATE SEQUENCE TO test_role;
  Grant succeeded.
  SQL> GRANT test_role TO test;
  logged on as Test
  SQL> CREATE OR REPLACE PACKAGE definer_rights_test
    2  AS
    3          PROCEDURE test_sequence;
    4  END definer_rights_test;
    5  /
  Package created.
  SQL> CREATE OR REPLACE PACKAGE BODY definer_rights_test
    2  AS
    3          PROCEDURE test_sequence
    4          AS
    5          BEGIN
    6                  EXECUTE IMMEDIATE 'CREATE SEQUENCE test_seq';
    7          END;
    8  END definer_rights_test;
    9  /
  Package body created.
  SQL> CREATE OR REPLACE PACKAGE invoker_rights_test
    2  AUTHID CURRENT_USER
    3  AS
    4          PROCEDURE test_sequence;
    5  END invoker_rights_test;
    6  /
  Package created.
  SQL> CREATE OR REPLACE PACKAGE BODY invoker_rights_test
    2  AS
    3          PROCEDURE test_sequence
    4          AS
    5          BEGIN
    6                  EXECUTE IMMEDIATE 'CREATE SEQUENCE test_seq';
    7          END;
    8  END invoker_rights_test;
    9  /
  Package body created.
  SQL> EXEC definer_rights_test.test_sequence;
  BEGIN definer_rights_test.test_sequence; END;
  ERROR at line 1:
  ORA-01031: insufficient privileges
  ORA-06512: at "TEST.DEFINER_RIGHTS_TEST", line 7
  ORA-06512: at line 1
  SQL> EXEC invoker_rights_test.test_sequence;
  PL/SQL procedure successfully completed.
  SQL> SELECT test_seq.NEXTVAL from dual;
               NEXTVAL
                     1

• Print layout designer for develop report based on query

  Dear Experts/Gurus,
  I am amazing about the manage previous reconciliation report. When I opened it using print layout designer, it looks like the report is not built using query, but I am not sure yet. This is very confusing. I created query similar with manage previous reconciliation (MPR), but when I link the query to print layout and try to make similar format/appearance with MPR report (reconciliation management (system)), it is not success.
  Isn't the MPR report built not based on query ? I appreciate your answer. TIA
  Rgds,

  Hi,
  I am not sure I understand what's the problem:
  Is it the layout that is different or the data?
  Regarding the data you can use SQL Profiler (maybe you did?) to find out what queries are fired, but please note that there are some stored procedures in the DB that are used for some specific functions - not sure whether the "MPR" uses any of these.
  Then you must include some non-default filter in SQL Profiler...
  ...but you can also use the logging functionality in B1 for that purpose:
  Just activate the logging (see the "log" folder in the B1 subdirectory) in the corresponding config file: choose the option to have the SQLs logged in conjunction with the logging being triggered in all cases (not just error).
  Thus you will get all the SQLs - just plain - from the B1 application, but note that it will obviously slow it down!
  HTH,
  Frank