iManager error editing Role Based Entitlements
Hi,
A while back we had to re-create our Organisational CA and server certificates. (Don't ask why...) Everything seemed to go well except for one issue I've been having since.
We have OES2 SP3 (eDir 8.8 SP6) running on SLES 10 SP3.
iManager version is 2.7.4
Identity Manager Version is 3.6.1
When I try to edit a role based entitlement I get the error:
"Unable to obtain an LDAP context. Possible causes: the LDAP server is not running, or the LDAP server is for a tree other than the one iManager was originally set up for, and SSL has not been set up between the iManager server and the LDAP server. Either start the LDAP server, or set up SSL by importing a trusted certificate. "
I have tried deleting the iMKS file and importing the certificate manually as detailed here:
https://www.novell.com/documentation...a/bx8g5g8.html
There are plenty of other pages showing the same method of resolving this issue but none have worked.
Any ideas?
Thanks.
Similar Messages
-
Error in Role Based security using weblogic 9
Hi All,
Currently I am working with Weblogic Server 9. I am trying to use role based security. Below is the entries for web.xml.
<security-constraint>
<web-resource-collection>
<web-resource-name>Success</web-resource-name>
<url-pattern>/form.jsp</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>admin</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>INTEGRAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>myrealm</realm-name>
</login-config>
<security-role>
<role-name>admin</role-name>
</security-role>
When I am calling form.jsp from the browser it is asking for the username and password, but after giving the username and password it is showing the following error:
Error 403--Forbidden
From RFC 2068 Hypertext Transfer Protocol -- HTTP/1.1:
10.4.4 403 Forbidden
The server understood the request, but is refusing to fulfill it. Authorization will not help and the request SHOULD NOT be repeated. If the request method was not HEAD and the server wishes to make public why the request has not been fulfilled, it SHOULD describe the reason for the refusal in the entity. This status code is commonly used when the server does not wish to reveal exactly why the request has been refused, or when no other response is applicable.
So can anyone provide me the solution for the above problem?
Thanks in advance.
By,
Sandip Pradhan
Here is a blog post for the backend (WebLogic Admin GUI) http://disaak.blogspot.com/2009/11/migrating-to-weblogic-configure-role.html and a blog post for the web.xml in your project http://disaak.blogspot.com/2009/11/migrating-to-weblogic-configure-ear.html.
-
IManager & Role Based Entitlements
I'm re-posting this here as I didn't get any response from the original post linked below:
https://forums.novell.com/showthread...-Entitilements
Hi,
A while back we had to re-create our Organisational CA and server certificates. (Don't ask why...) Everything seemed to go well except for one issue I've been having since.
We have OES2 SP3 (eDir 8.8 SP6) running on SLES 10 SP3.
iManager version is 2.7.4
Identity Manager Version is 3.6.1
When I try to edit a role based entitlement I get the error:
"Unable to obtain an LDAP context. Possible causes: the LDAP server is not running, or the LDAP server is for a tree other than the one iManager was originally set up for, and SSL has not been set up between the iManager server and the LDAP server. Either start the LDAP server, or set up SSL by importing a trusted certificate. "
I have tried deleting the iMKS file and importing the certificate manually as detailed here:
https://www.novell.com/documentation...a/bx8g5g8.html
There are plenty of other pages showing the same method of resolving this issue but none have worked.
Any ideas?
Thanks.
For some reason I cannot find your old post via NNTP, though I see it on
the web interface. Perhaps the gateway had a problem, which would have
limited your responses. Either way, for future reference, you may want to
post questions on the RBE features in the iManager or IDM forums, both
located on https://forums.netiq.com/ (same looking page, same account,
just focused on the NetIQ products, including those moved over from
Novell). Also, for iManager problems, same thing: try the iManager forum
specifically on the NetIQ site. Considering you've been with Novell for a
while, it's definitely understandable that you'd look here for those
forums, though, as they used to be on this site.
The vast majority of iManager functions use NCP exclusively; adding users,
modifying them, associating with groups, setting up file services
(CIFS/SMB/AFP/NSS), managing most of IDM, configuring LDAP services
provided by eDirectory, etc. eDirectory, after all, is NCP-based and
LDAP is an interface added to it to do things that work better via LDAP.
Thus, most things work just fine no matter what you do via LDAP.
In your case you are describing one of the few services where iManager
actually needs to work with eDirectory via LDAP. Other examples including
working with Universal Password (UP) under the Passwords role. In these
cases iManager uses eDirectory to find appropriate LDAP services and then
connects to those as well for specific operations. As a result, we look
at LDAP as it sounds like you have already done. TID# 7008836 seems to
have very similar instructions to the documentation link you posted, but
you may find it useful in some way.
You mentioned recreating your CA and server certificates (Key Material
Objects, or KMOs). Doing this SHOULD have made it so all certificates you
created (presumably after the CA change) would be minted by the new CA, so
if you browse to those certificates you should see them with a Trusted
Root of the new CA, which should have (by default) an expiration ten years
from its creation (individual KMOs expire by default two years after
creation). With this verified, your LDAP Server object (for which there
is usually one per NCP/eDirectory server) will also have a link to one
KMO. If you did not delete old certificates, it is very possible that the
LDAP Server is still pointed to an old KMO and using it happily even
though the rest of the tree is using new data, and the old KMO may be
expired causing issues with clients (like iManager). Be sure to check
that. If pointed to an old KMO, point it to a new one and then restart
eDirectory (or maybe just the LDAP module).
Other things you may try include setting up iManager Workstation 2.7 SP7;
it runs on your workstation and then otherwise acts like the server in
most areas. Getting old IDM 3.6.1 plugins on there may be the hardest
part, but really should not be that hard if you have the IDM media
somewhere. With this you can test pointing to your environment to see if
anything works there, ruling in/out a weird iManager problem.
Also, is it safe to assume that eDirectory 8.8 SP6 is the latest version
in your tree? If 8.8 SP8 exists there is a change in LDAP configuration
data, specifically the ldapInterfaces attribute on the LDAP Server object,
which can cause LDAP-using plugins to have a hard time finding 8.8 SP8
servers specifically.
Lastly, especially if you have iManager Workstation or if you have
iManager on a non-eDirectory box, getting a LAN trace could help us see
exactly what iManager is doing on the wire, and then isolate better why it
is failing.
Good luck.
If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below... -
Xml form...editing on role based
Hi ,
I want to put edit button in show form which is generated by xml form builder. but the problem is , this button should work on role based. Is this possible....?
regards
Ram
Hi Ram,
> searched for proxy iview but couldn't find detailed documentation
There is no "detailed documentation" (there is in the meantime, my slides from TechEd 2006; but these are not public, I think). Anyhow, you can find a short description more than one time here in the forum, I'll repeat it once again:
Implement an AbstractPortalComponent, implement an empty doContent method, overwrite doOnNodeReady, and at the end of this method call request.redirect(...) with the navigation component (com.sap.km.cm.navigation, you can get this from the KM URLGenerator) as the new target, passing the component parameters as URL parameters (so, among others, "rndLayoutSet=YourLayoutSet1" or the second one, depending on the role the user has got, which is the logic to be implemented in your method). The isolation level of the iView built out of this component must be URL isolated (otherwise the redirect does not work).
Hope it helps
Detlev
PS: Please consider rewarding points for helpful answers on SDN. Thanks in advance! -
JHeadStart Security problem-error page cannot be found- role based security
Good morning! How are you? I would need some help in a jheadstart 10.1.3.2 security case and I was wondering if you could give me a hand to go on. I create the Model project with tables of oe schema. Then in JHeadStart to perform security I follow the following steps: In ViewController/WEB-INF/web.xml – properties I do the following: login configuration: http basic authentication rfc 7617: realm:jazn.com
Security roles: I define two roles: customer and administrator. Security Constraints: web_resources: All_pages, Url Patterns: faces/*. Then in Tools/Embedded OC4J Preferences/Global/Authentication JAZN/Realms/jazn.com/users: I define two users c1, password c1 and a1, password a1, roles/member users/ I attribute the roles to the relevant users c1—customer and a1—administrator. Then in the application definition editor on service level I define security/use role based authorization=true, authorization type: JAAS and when access denied go to next group=true. On group level e.g.: ProductInformation: Authorization/Authorized Roles Permissions: administrator. On item level: Orders/Items/OrderTotal/Operations/Update Allowed: #{jhsUserRoles['administrator']}. Then I generate the pages (run the jag). The generation is completed successfully but when I run the View Controller project a “the website declined to show this webpage…(page cannot be found)” is displayed. What should I do? I would appreciate it if you would help me on this issue! Thank you very much.
Thank you very much for your reply! Unfortunately there is a specific restriction-convention in the project I work in. I am supposed to perform role based security with my own tables and not by the jheadstart’s ones. Could you find out what is my fault with the steps I follow trying to perform the process?
To remind you my steps I paste the following again:
-
To run OHS at port 80 using solaris role based access control
Hi.
I already know & have done setuid root to ohs/bin/.apachectl to allow ohs to listen to port 80. Now on a new OFM 11.1.1.4 install, I want to use Solaris Role Based Access Control (RBAC) instead. Is it possible? RBAC does work as I can run a home built apache2 httpd at port 80 withOUT suid root.
On Solaris 10, I enabled oracle uid to run process below port 1024 using RBAC
/etc/user_attr:
oracle::::type=normal;defaultpriv=basic,net_privaddr
Change OHS httpd.conf Listen from port 8888 to port 80.
However, opmnctl startproc process-type=OHS
failed as below with nothing showing in the diag logs:
opmnctl startproc: starting opmn managed processes...
================================================================================
opmn id=truffle:6701
0 of 1 processes started.
ias-instance id=asinst_1
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
ias-component/process-type/process-set:
ohs1/OHS/OHS/
Error
--> Process (index=1,uid=187636255,pid=25563)
failed to start a managed process after the maximum retry limit
Thx,
Ken
Just to add my two cents here.
The command used on Solaris to assign the right privilege to bind TCP ports < 1024 is:
# usermod -K defaultpriv=basic,*net_privaddr* <your_user_name>
Restart the opmnctl daemon.
After that OHS/Apache user can bind to lower TCP ports.
Regards.
Edited by: Tuelho on Oct 9, 2012 6:05 AM -
Role based data visibility is not working in Round manager
I am looking for role based data visibility in Syclo round manager application where technician will see the data which is assigned to his name only (not all the data) I have created one custom role in SAP system and it's working fine .It's showing the below message :
Now I want to implement the same in syclo round manager .So I went to the SAP configuration panel and set the same user role on the security setting in class handler .Z_SYCLO_RM_ROLE is the custom role which I mentioned earlier .I tried with different option in this tab but it's not working .
Please let me know if I missed something to mention or is there any other process I need to follow .
Tags edited by: Michael Appleby
> is not working
Insufficient information. In what way is it "not working"? The page doesn't render as required? There's an error message? The browser crashes? The server room has been trampled into dust by a herd of buffalo?
>
I am unable to make it as page form / report.
v1 := v1 || ' ' ||'<input inline type =submit style="color:BLUE;background-color:RED" value='||c2.plot_id||'>';
...It is not possible to generate form elements in an APEX page in this way. The [APEX_ITEM API|http://download.oracle.com/docs/cd/E14373_01/apirefs.32/e13369/apex_item.htm#CACEEEJE] is the only way to create APEX items in PL/SQL. However it contains no procedures to generate button items, so an alternative design is required in this case, e.g. a report with links.
(Also what is the intention of "inline" in the above code? [There is no *inline* attribute|http://www.w3.org/TR/1999/REC-html401-19991224/interact/forms.html#h-17.4].) -
Role-Based CLI Views with AAA method
Hi,
I'm configuring Role-Based CLI Views on a router for limiting access to users.
My criteria:
- There should be a local user account on the router that has the view 'service' attached to it
- If the router is online and can reach the radius server, people in the correct group are assigned the view 'service'
My configuration:
aaa new-model
enable secret 1234
username service view service secret 1234
aaa group server radius my_radius
server-private 10.1.1.1 auth-port 1645 acct-port 1646 timeout 3 retransmit 2 key 0 1234
server-private 10.1.1.2 auth-port 1645 acct-port 1646 timeout 2 retransmit 1 key 0 1234
aaa authorization console
aaa authentication login mgmt group my_radius local
aaa authorization exec mgmt group my_radius local
line con 0
authorization exec mgmt
logging synchronous
login authentication mgmt
line vty 0 4
authorization exec mgmt
logging synchronous
login authentication mgmt
transport input ssh
The ERROR
Now I want to go configure the cli view 'service'...
# enable view
Password: 1234
*Jun 1 08:00:02.991: AAA/AUTHEN/VIEW (0000000D): Pick method list 'mgmt'
*Jun 1 08:00:02.991: RADIUS/ENCODE(0000000D): ask "Password: "
*Jun 1 08:00:02.991: RADIUS/ENCODE(0000000D): send packet; GET_PASSWORD
*Jun 1 08:00:21.011: RADIUS: Received from id 1645/13 10.1.1.1:1645, Access-Reject, len 20
The Questions
Why does the 'enable view' try to pick a method list when you have to supply the enable secret to access the root view?
Can you change this behaviour to always use the enable secret?
The TEMP Solution
If you're logged on to the router via telnet or SSH, the solution or workaround to this issue is:
aaa authentication login VIEW_CONFG local
line vty 0 4
login authentication VIEW_CONFG
Do your configuration of the view and re-configure the line to use the correct (wanted) method of authentication.
Thanks so much for the suggestions
/JZN
hi,
You have the following configured:
aaa authentication login mgmt group my_radius local
aaa authorization exec mgmt group my_radius local
line con 0
authorization exec mgmt
logging synchronous
login authentication mgmt
line vty 0 4
authorization exec mgmt
logging synchronous
login authentication mgmt
transport input ssh
Hence every time you try to login to the console or try the ssh the authentication will head to the radius server because of the following command "login authentication mgmt".
You cannot make it locally. Whatever defined on the method list mgmt first will be taking the precedence.
enable secret will be locally defined, but you have the following configured:
aaa authorization exec mgmt group my_radius local
line con 0
authorization exec mgmt
line vty 0 4
authorization exec mgmt
Hence exec mode will also be done via radius server.
when you configure:
aaa authentication login VIEW_CONFG local
line vty 0 4
login authentication VIEW_CONFG
You are making the authentication local, hence it is working the way you want.
In short, whatever authentication is defined 1st on the method list will take precedence. The fallback will be checked only if the 1st AAA server is not reachable.
Hope this helps.
Regards,
Anisha
P.S.: please mark this thread as answered if you feel your query is resolved. Do rate helpful posts. -
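To make the precedence rule in the reply concrete, here is an added Python model (not Cisco's code, constructed for this thread) of a method list being walked: a RADIUS Access-Reject ends the evaluation, and 'local' is reached only when every server in the group times out. The server addresses, the local 'service' user and the RADIUS credentials are assumed sample values.

```python
"""Model of how an IOS AAA method list picks an authentication source.

Added illustration for the thread above; it is not Cisco code and only
mimics the described behaviour: methods are tried in order, and a later
method (here 'local') is consulted only when every server of the earlier
method fails to answer, never when a server answers Access-Reject.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Trail = List[Tuple[str, str]]


@dataclass
class RadiusServer:
    address: str
    reachable: bool
    users: Dict[str, str] = field(default_factory=dict)  # constructed sample credentials

    def authenticate(self, user: str, password: str) -> Optional[bool]:
        """None = no reply (timeout), True = Access-Accept, False = Access-Reject."""
        if not self.reachable:
            return None
        return self.users.get(user) == password


@dataclass
class Router:
    local_users: Dict[str, str]
    radius_group: List[RadiusServer]
    method_lists: Dict[str, List[str]]  # list name -> ordered methods

    def authenticate(self, list_name: str, user: str, password: str) -> Tuple[bool, Trail]:
        """Walk the named method list; return the decision and the path taken."""
        trail: Trail = []
        for method in self.method_lists[list_name]:
            if method == "local":
                ok = self.local_users.get(user) == password
                trail.append(("local", "accept" if ok else "reject"))
                return ok, trail
            # "group my_radius": servers are tried in order; a timeout moves to the
            # next server, any real answer (accept or reject) ends the evaluation.
            for srv in self.radius_group:
                answer = srv.authenticate(user, password)
                if answer is None:
                    trail.append((srv.address, "timeout"))
                    continue
                trail.append((srv.address, "accept" if answer else "reject"))
                return answer, trail
            trail.append((method, "unreachable, fall through"))
        return False, trail


def build_lab(radius_up: bool) -> Router:
    """Constructed lab mirroring the thread: two RADIUS servers, one local 'service' user."""
    servers = [RadiusServer("10.1.1.1", radius_up, {"jdoe": "radius-pw"}),
               RadiusServer("10.1.1.2", radius_up, {"jdoe": "radius-pw"})]
    return Router(
        local_users={"service": "1234"},
        radius_group=servers,
        method_lists={"mgmt": ["group my_radius", "local"],  # original config
                      "VIEW_CONFG": ["local"]},              # the workaround
    )


if __name__ == "__main__":
    # The 'service' account exists only locally, exactly the situation in the thread.
    for up, lst in ((True, "mgmt"), (False, "mgmt"), (True, "VIEW_CONFG")):
        ok, trail = build_lab(up).authenticate(lst, "service", "1234")
        print(f"radius_up={str(up):<5} list={lst:<10} -> {'accept' if ok else 'reject'} via {trail}")
```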
Role based authorisations in the Integration Directory
We have built a new PI landscape (PI 7.11) and worked with our security teams to perfect the various roles. I am now attempting to implement role based authorisations in the ESR & ID so that objects in our QAS and PRD environments can be configured but not deleted or created. I have implemented role based authorisations as per the SAP standard process, performing the following actions:
Exchange profile com.sap.aii.ib.util.server.auth.activation was set to true and the Java Stack Restarted.
I created a role in the ID that allowed editing of any object.
I assigned the role to my userid in NWA useradmin
I am unable to edit ANY object in the ID
When I set the Exchange profile parameter to false I found I was able to edit any object in the ID.
So it's obvious that the Exchange Profile Parameter does make a difference. However, it doesn't appear as if the role I created is being referenced, even though I assigned it to my account in NWA user admin. It looks like I may be missing some exchange profile parameters. I have the following exchange profiles set:
IntegrationBuilder.IntegrationBuilder.Repository com.sap.aii.util.server.auth.activation (string) = true
IntegrationBuilder.IntegrationBuilder.Repository com.sap.aii.ib.server.acl.enable (boolean) true
IntegrationBuilder.IntegrationBuilder.Directory com.sap.aii.util.server.auth.activation (string) = true
IntegrationBuilder.IntegrationBuilder.Directory com.sap.aii.ib.server.acl.enable (boolean) true
Any advice you can offer would be appreciated
Resolved this issue.
The documentation is confusing but finally found the answer by referring to the SAP XI 3.0 documentation. -
Reseeding cache for users with role based security
I have role based security and trying to set up cache by purging all cache and later seeding cache by query. The query would be different for different users. What is the best way to purge all cache and reseed cache for administrator as well as all users. The EPT would purge cache based on updated tables. But how do I next go about reseeding cache for better performance to all the users. Thanks.
I have created an ibot with the following:
General - Normal Priority, Personalized (recipient's data visibility)
Conditional Request - example_report
Schedule - some schedule
Recipients - Me(administrator) and User1
Destinations - Oracle BI Server cache
when the ibot runs 2 cache entries are created (for the 2 recipients).
I have the report (example_report) on the dashboard (1 dashboard, 1 page, 1 report).
After the ibot runs:
When the administrator logs in first, there is a cache hit on the report. Followed by when the User1 logs in there is NO cache hit.
On the other hand when the User1 logs in first, there is a cache hit on the report. Followed by when the administrator logs in there is no cache hit. The query log creates a Query issued to the database instead of cache hit on query.
The User1 has a data level security.
Please let me know where was I making an error in setting the ibot and how to get the cache seeding work for the different users with different role based security.
Thanks for your inputs. -
ERM error: Field ROLE not a member of INPUT
Hi Experts,
After upgrade to 11.2 I'm having this error.
It appears at the Define Authorization stage after I chose transactions and clicking continue.
The connectors and JCos are working.
Please assist.
Thx,
Vit V
edit: All XMLs reloaded and system restarted.
2010-04-20 11:59:05,575 [SAPEngine_Application_Thread[impl:3]_39] DEBUG Current Module: |RE| Conversation: |cnvRole| Screen: |scrSearchTransaction|
2010-04-20 11:59:05,575 [SAPEngine_Application_Thread[impl:3]_39] DEBUG Module#RE#Conversation#cnvRole#Screen#scrManageAuthorization#Action#continueTCodeSearch#
2010-04-20 11:59:05,575 [SAPEngine_Application_Thread[impl:3]_39] DEBUG Changing Screen: FROM: scrSearchTransaction TO scrManageAuthorization
2010-04-20 11:59:05,575 [SAPEngine_Application_Thread[impl:3]_39] DEBUG com.virsa.framework.Context : clearScreenRep : : 6 entries cleared from screen repositiory
2010-04-20 11:59:05,575 [SAPEngine_Application_Thread[impl:3]_39] DEBUG Handler found:class com.virsa.re.role.actions.AuthAuthorizationDataAction
2010-04-20 11:59:05,575 [SAPEngine_Application_Thread[impl:3]_39] DEBUG SAPConnectorDAO.java@365:com.virsa.comp.connectors.dao.jdbc.SAPConnectorDAO.findByConnectorName()connectorId: 5; lngId: 1
2010-04-20 11:59:05,590 [SAPEngine_Application_Thread[impl:3]_39] DEBUG SAPConnectorDAO.java@365:com.virsa.comp.connectors.dao.jdbc.SAPConnectorDAO.findByConnectorName()connectorId: 5; lngId: 1
2010-04-20 11:59:05,590 [SAPEngine_Application_Thread[impl:3]_39] DEBUG com.virsa.service.sap.SAPConnectorHelper : getClientFromSLD : : INTO the method SapConnectorDTO :com.virsa.service.sap.dto.SapConnectorDTO@3e0a2020[conClass=,system=COD200,appId=COD200,host=consit-sap,systemNo=00,client=200,userId=codcom,SystemLang=EN,sysId=cod,messageServerGrp=default,messageServerHost=consit-sap,password=xxxxx,type=ECC600,userName=,description=COD200,isSLD=true,isActive=true,isHRSystem=false]
2010-04-20 11:59:05,590 [SAPEngine_Application_Thread[impl:3]_39] ERROR Field ROLE not a member of INPUT
java.lang.Throwable: Field ROLE not a member of INPUT
at com.sap.mw.jco.JCO$MetaData.indexOf(JCO.java:9534)
at com.sap.mw.jco.JCO$Record.setValue(JCO.java:14923)
Edited by: Vit Vesely on Apr 20, 2010 12:10 PM
Hi guys,
The problem is finally resolved.
1. Implement SNOTE 1441463
2. Implement SNOTE 1443612
3. Register key for object /VIRSA/RE_OBJ_INFO
4. In SE03 >> Administration >> Set System Change Option. Change /VIRSA/ to modifiable
5. In Se11 open data type /VIRSA/RE_OBJ_INFO in change mode with the key from p. 3
6. Edit structure according to Note 1452772. Save and activate.
7. Implement SNOTE 1452772
8. Restart grc~reear (or the server)
...or wait for VIRSANH patch 12
Hopefully it will work for you as well.
Kind Regards,
Vit -
Role-based view commands missing from config
Hi All,
I set up a 2960G with IOS 12.2(44)SE6 and created a role-based view to be used by our helpdesk. One of the things they need to do is add rules to a MAC ACL on the switch. I've successfully created a view for them and can include and exclude most commands, however, when I try to include the "commands mac-enacle include all permit" command, I get no syntax error, and there is no line in my configuration reflecting the change. As it stands, from the helpdesk view (named smco) I can get into mac acl configuration mode, but I can't issue any of the sub commands.
Any advice would be greatly appreciated. I tried upgrading to 12.2(55)SE and had the same result.
The current configuration for the parser view is as follows:
parser view smco
secret 5 hashed_pw
commands configure include mac access-list extended
commands configure include all mac access-list
commands configure include mac
commands exec include configure terminal
commands exec include configure
After I issue the command "commands mac-enacl include all permit" there is no line in my startup or running configuration that says: "commands mac-enacl include all permit" or anything that closely resembles that.
I've tested with multiple local accounts. After authenticating, I issue the "enable view smco". -
Role Based workflows & Sync Options
Hi Team,
I would like to know if the system allows for role based rights in authoring the content. Eg: teachers have right to edit content while the student can only view or download the content.
What are the Sync options available. Does the content automatically get updated when moving from offline to online mode?
Hello and welcome to the forum,
Are you a newbie with Captivate? The published version (either SWF or HTML5) cannot be edited, only the 'raw' unpublished CPTX or CPVC files can be edited. So, your teachers should need to have Captivate installed and then they can edit cptx/cpvc files and republish them. For students you upload published output to a LMS or a webserver.
Lilybiri
Sorry forgot about sync, no, since you have to republish when file has been edited. -
Privileges and Roles Based Views
Hello,
I have been configuring Roles based Views with Windows radius authentication on our 2960's and 3750's and it is working great. I have 2 users, one with a Roles Based View called "priv3" and the other is for admins to login as the "root" view. I have one Windows Active Directory group for "priv3" users and the other for admins using "root".
Now I have to configure this on our 2955 switches and to my horror they don't seem to support Roles Based Views!! If you know if they can then all this would be solved, I'm using the latest IOS c2955-i6k2l2q4-mz.121-22.EA13.bin.
How can I convert the Roles Based Views to privileges and use radius and not affect the other switches, as I've never used privileges.
I hope someone can help with the config:
Below is the config I use on the 2960's and 3750's and also what I use on the radius servers. I guess I would need to use a priv 15 setup and a custom view called priv3?
Priv3 radius user settings
cisco av-pair cli-view-name=priv3
Priv 15 or root user settings
cisco av-pair shell:priv-lvl=15
cisco av-pair shell:cli-view-name=root
Config:
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname 3750
boot-start-marker
boot-end-marker
logging buffered 64000
logging console informational
logging monitor informational
enable secret 5 $1$1UGK$kHB.S2UwMVXaG3C0
username admin privilege 15 secret 5 $1$BsaS$cLHllovL2ZFb1
username priv3users view priv3 secret 5 $1$JfnH$vUu.B.natnyB.
aaa new-model
aaa authentication login default group radius local
aaa authentication enable default line
aaa authorization console
aaa authorization exec default group radius local
aaa session-id common
clock timezone GMT 0
clock summer-time BST recurring last Sun Mar 2:00 last Sun Oct 3:00
switch 1 provision ws-c3750g-12s
switch 2 provision ws-c3750g-12s
system mtu routing 1500
udld aggressive
no ip domain-lookup
ip domain-name CB-DI
login on-failure log
login on-success log
crypto pki trustpoint TP-self-signed-3817403392
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3817403392
revocation-check none
rsakeypair TP-self-signed-3817403392
crypto pki certificate chain TP-self-signed-3817403392
certificate self-signed 01
removed
quit
archive
log config
logging enable
logging size 200
notify syslog contenttype plaintext
hidekeys
spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree vlan 10 priority 8192
vlan internal allocation policy ascending
ip ssh version 2
interface GigabitEthernet1/0/1
interface GigabitEthernet1/0/24
interface Vlan1
description ***Default VLAN not to be used***
no ip address
no ip route-cache
no ip mroute-cache
shutdown
interface Vlan10
description ****
ip address 10.10.150.11 255.255.255.0
no ip route-cache
no ip mroute-cache
ip default-gateway 10.10.150.1
ip classless
no ip http server
ip http secure-server
logging trap notifications
logging facility local4
logging source-interface Vlan10
logging 10.10.21.8
logging 172.23.1.3
access-list 23 permit 10.10.1.65
snmp-server community transm1t! RO
snmp-server trap-source Vlan10
radius-server host 10.10.1.33 auth-port 1645 acct-port 1646 key 7 090D7E080D37471E48
radius-server host 10.10.1.34 auth-port 1645 acct-port 1646 key 7 08607C4F1D2B551B51
radius-server vsa send accounting
radius-server vsa send authentication
line con 0
exec-timeout 60 0
logging synchronous
line vty 0 4
access-class 23 in
exec-timeout 60 0
logging synchronous
transport input ssh
line vty 5 14
access-class 23 in
no exec
transport input ssh
parser view priv3
secret 5 $1$XSCo$feyS.YaFlakfGYUgKHO/
! Last configuration change at 16:34:56 BST Fri Apr 13 2012
commands interface include shutdown
commands interface include no shutdown
commands interface include no
commands configure include interface
commands exec include configure terminal
commands exec include configure
commands exec include show ip interface brief
commands exec include show ip interface
commands exec include show ip
commands exec include show arp
commands exec include show privilege
commands exec include show interfaces status
commands exec include show interfaces Vlan10 status
commands exec include show interfaces Vlan1 status
commands exec include show interfaces GigabitEthernet2/0/12 status
commands exec include show interfaces GigabitEthernet2/0/11 status
commands exec include show interfaces GigabitEthernet2/0/10 status
commands exec include show interfaces GigabitEthernet2/0/9 status
commands exec include show interfaces GigabitEthernet2/0/8 status
commands exec include show interfaces GigabitEthernet2/0/7 status
commands exec include show interfaces GigabitEthernet2/0/6 status
commands exec include show interfaces GigabitEthernet2/0/5 status
commands exec include show interfaces GigabitEthernet2/0/4 status
commands exec include show interfaces GigabitEthernet2/0/3 status
commands exec include show interfaces GigabitEthernet2/0/2 status
commands exec include show interfaces GigabitEthernet2/0/1 status
commands exec include show interfaces GigabitEthernet1/0/12 status
commands exec include show interfaces GigabitEthernet1/0/11 status
commands exec include show interfaces GigabitEthernet1/0/10 status
commands exec include show interfaces GigabitEthernet1/0/9 status
commands exec include show interfaces GigabitEthernet1/0/8 status
commands exec include show interfaces GigabitEthernet1/0/7 status
commands exec include show interfaces GigabitEthernet1/0/6 status
commands exec include show interfaces GigabitEthernet1/0/5 status
commands exec include show interfaces GigabitEthernet1/0/4 status
commands exec include show interfaces GigabitEthernet1/0/3 status
commands exec include show interfaces GigabitEthernet1/0/2 status
commands exec include show interfaces GigabitEthernet1/0/1 status
commands exec include show interfaces Null0 status
commands exec include show interfaces
commands exec include show configuration
commands exec include show
commands configure include interface GigabitEthernet1/0/1
commands configure include interface GigabitEthernet1/0/2
commands configure include interface GigabitEthernet1/0/3
commands configure include interface GigabitEthernet1/0/4
commands configure include interface GigabitEthernet1/0/5
commands configure include interface GigabitEthernet1/0/6
commands configure include interface GigabitEthernet1/0/7
commands configure include interface GigabitEthernet1/0/8
commands configure include interface GigabitEthernet1/0/9
commands configure include interface GigabitEthernet1/0/10
commands configure include interface GigabitEthernet1/0/11
commands configure include interface GigabitEthernet1/0/12
commands configure include interface GigabitEthernet2/0/1
commands configure include interface GigabitEthernet2/0/2
commands configure include interface GigabitEthernet2/0/3
commands configure include interface GigabitEthernet2/0/4
commands configure include interface GigabitEthernet2/0/5
commands configure include interface GigabitEthernet2/0/6
commands configure include interface GigabitEthernet2/0/7
commands configure include interface GigabitEthernet2/0/8
commands configure include interface GigabitEthernet2/0/9
commands configure include interface GigabitEthernet2/0/10
commands configure include interface GigabitEthernet2/0/11
commands configure include interface GigabitEthernet2/0/12
ntp logging
ntp clock-period 36028961
ntp server 10.10.1.33
ntp server 10.10.1.34
end
Thanks!!!!
DBelt --
Hopefully this example suffices.
Setup
SQL> CREATE USER test IDENTIFIED BY test;
User created.
SQL> GRANT CREATE SESSION TO test;
Grant succeeded.
SQL> GRANT CREATE PROCEDURE TO test;
Grant succeeded.
SQL> CREATE ROLE test_role;
Role created.
SQL> GRANT CREATE SEQUENCE TO test_role;
Grant succeeded.
SQL> GRANT test_role TO test;
logged on as Test
SQL> CREATE OR REPLACE PACKAGE definer_rights_test
2 AS
3 PROCEDURE test_sequence;
4 END definer_rights_test;
5 /
Package created.
SQL> CREATE OR REPLACE PACKAGE BODY definer_rights_test
2 AS
3 PROCEDURE test_sequence
4 AS
5 BEGIN
6 EXECUTE IMMEDIATE 'CREATE SEQUENCE test_seq';
7 END;
8 END definer_rights_test;
9 /
Package body created.
SQL> CREATE OR REPLACE PACKAGE invoker_rights_test
2 AUTHID CURRENT_USER
3 AS
4 PROCEDURE test_sequence;
5 END invoker_rights_test;
6 /
Package created.
SQL> CREATE OR REPLACE PACKAGE BODY invoker_rights_test
2 AS
3 PROCEDURE test_sequence
4 AS
5 BEGIN
6 EXECUTE IMMEDIATE 'CREATE SEQUENCE test_seq';
7 END;
8 END invoker_rights_test;
9 /
Package body created.
SQL> EXEC definer_rights_test.test_sequence;
BEGIN definer_rights_test.test_sequence; END;
ERROR at line 1:
ORA-01031: insufficient privileges
ORA-06512: at "TEST.DEFINER_RIGHTS_TEST", line 7
ORA-06512: at line 1
SQL> EXEC invoker_rights_test.test_sequence;
PL/SQL procedure successfully completed.
SQL> SELECT test_seq.NEXTVAL from dual;
NEXTVAL
1
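Added example (not part of the reply above) that takes the demonstration one step further: it shows why the definer-rights call failed (roles are disabled inside definer-rights units, so SESSION_ROLES is empty there while an invoker-rights unit still sees the caller's roles), applies the fix by granting the privilege directly to the schema instead of through the role, lists which units in the schema run with invoker rights, and notes the trust caveat that comes with AUTHID CURRENT_USER. It assumes the TEST user, TEST_ROLE and the two packages created above already exist, a DBA session for the GRANT, and Oracle 11g or later for the AUTHID column of USER_PROCEDURES; the function names ROLES_SEEN_DEFINER and ROLES_SEEN_INVOKER are hypothetical.

```sql
-- Added example, not from the reply above. Assumes TEST, TEST_ROLE,
-- DEFINER_RIGHTS_TEST and INVOKER_RIGHTS_TEST exist as created there.

-- 1. Diagnose: roles are not enabled inside a definer-rights unit.
--    Run both as TEST. The definer-rights function cannot see TEST_ROLE
--    (SESSION_ROLES is empty for it); the invoker-rights one can.
CREATE OR REPLACE FUNCTION roles_seen_definer RETURN NUMBER
AS
  n NUMBER;
BEGIN
  SELECT COUNT(*) INTO n FROM session_roles;
  RETURN n;
END roles_seen_definer;
/

CREATE OR REPLACE FUNCTION roles_seen_invoker RETURN NUMBER
AUTHID CURRENT_USER
AS
  n NUMBER;
BEGIN
  SELECT COUNT(*) INTO n FROM session_roles;
  RETURN n;
END roles_seen_invoker;
/

SELECT roles_seen_definer AS roles_in_definer_unit,
       roles_seen_invoker AS roles_in_invoker_unit
  FROM dual;

-- 2. Fix: a definer-rights unit only sees privileges granted directly to
--    its owner, so grant the system privilege to the schema, not the role.
--    (Run as a DBA.)
GRANT CREATE SEQUENCE TO test;

-- Back as TEST: the sequence already exists from the invoker-rights call
-- above, so drop it before re-running the definer-rights version.
DROP SEQUENCE test_seq;
EXEC definer_rights_test.test_sequence

-- 3. Check: which units in this schema run with the caller's privileges?
--    (AUTHID is available in USER_PROCEDURES from 11g onward.)
SELECT object_name, procedure_name, authid
  FROM user_procedures
 WHERE object_type = 'PACKAGE'
 ORDER BY object_name, procedure_name;

-- 4. Caveat: AUTHID CURRENT_USER runs the OWNER's code with the CALLER's
--    privileges. A DBA who calls TEST.INVOKER_RIGHTS_TEST executes whatever
--    TEST put in it with DBA privileges, so only grant EXECUTE on
--    invoker-rights units whose owner you trust. Oracle 12c adds the
--    INHERIT PRIVILEGES grant to limit which owners may run code under a
--    caller's privileges.
REVOKE INHERIT PRIVILEGES ON USER sys FROM test;   -- 12c+, run as SYS
```

The direct GRANT is the correct fix when the procedure must stay definer-rights; switching to AUTHID CURRENT_USER only "works" because it makes the unit run with the caller's role set, and that is exactly what step 4 warns about.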
True Role-Based Administration?
I'm sure this has been asked and answered many times, but are there any plans to make the ZCC more iManager-y in terms of Role-Based Administration? I'm trying to create a Report Viewer Role for the Help Desk, and I simply don't want them to be able to click through the rest of the Admin interface. Easy in iManager, why not in ZCC?
Thanks,
Holly
Hnewman,
we've had quite a few enhancement requests for this - http://support.novell.com/enhancement - you might want to add your "voice"...
Shaun Pond