Impersonate a user

I'v written a add-on that till recently worked perfectly but due to the users messing around to much in the SAP forms (particularly invoice but others as well), we had to look for a way to restrict there actions.
Since SAP only provides a 'do not open ' / 'write' / 'read-only' option we decided to make a small screen of our own to enter the relevant data and give the user only the 'read-only' rights.
But this mend that my add-on stops working (since it logs into the company with users rights), I solved this by making the add-on log in with the manager (or any other superuser account with the necessary rights).
But now every document they create is created by this user (kind of logical), is there any way I can still log into the company with the manager account but on creation of the document (invoice) say who is creating it? (I know who is logged in (username))

HI,
You can use the "User Authorization Form" to create additional authorizations. Easy to use, and you do not have to add only few extra lines inside your code:
When you creating the form, you can try to set the form mode to add_mode, and if it is fails, you set find_mode or ok_mode.
I am always using this solution with Try/Catch segment.
Regards,
J.

Similar Messages

Error in BAM active studioOnly an adminstrator can impersonate another user

Hi
I have installed Oracle BAM on XP and tried to create a simple report using BAM Active studio. I have selected an object from sample folder ('Employees') and selected a simple report layout.I have done all the necessory steps mentioned in Developer user guide and when i clicked the 'Finish' Button I 'm getting the following error.
Only an adminstrator can impersonate another user
Details...
Exception Message Only an administrator can impersonate another user.
Stack Trace Server stack trace: at Oracle.BAM.ReportCache.Server.ReportCacheServer.OpenViewSet(ViewSetBuilderBase oViewSetBuilder) at System.Runtime.Remoting.Messaging.StackBuilderSink.PrivateProcessMessage(MethodBase mb, Object[] args, Object server, Int32 methodPtr, Boolean fExecuteInContext, Object[]& outArgs) at System.Runtime.Remoting.Messaging.StackBuilderSink.SyncProcessMessage(IMessage msg, Int32 methodPtr, Boolean fExecuteInContext) Exception rethrown at [0]: at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg) at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type) at Oracle.BAM.Middleware.ReportCache.IReportCache.OpenViewSet(ViewSetBuilderBase oViewSetBuilder) at Oracle.BAM.Middleware.ReportCache.RemoteReportCache.OpenViewSet(ViewSetBuilderBase oViewSetBuilder) at Oracle.BAM.ReportServer.DataManager.OpenViewSet(String strModifier, ViewSetBuilderBase oViewSetBuilder, String strUserName) at Oracle.BAM.ReportServer.List.RenderList(String strViewsetId, String strDataset, String strXmlModifier, String strXmlProperties, Boolean bActive, String strInEditor, Boolean bEmail, String strUserName, Int32 iRecordsLimit, Int32 iClientWidth, Int32 iClientHeight, Int32 iBrowserTimezoneOffset, String strActiveDataDelay, String strActionButtonsXML) ...
Debugging Information Only an administrator can impersonate another user. [ErrorSource="ActiveDataCache", ErrorID="ADCCannotImpersonate"] Debugging information: Oracle.BAM.ActiveDataCache.Common.Exceptions.CacheException: Only an administrator can impersonate another user. Server stack trace: at Oracle.BAM.ReportCache.Server.ReportCacheServer.OpenViewSet(ViewSetBuilderBase oViewSetBuilder) at System.Runtime.Remoting.Messaging.StackBuilderSink.PrivateProcessMessage(MethodBase mb, Object[] args, Object server, Int32 methodPtr, Boolean fExecuteInContext, Object[]& outArgs) at System.Runtime.Remoting.Messaging.StackBuilderSink.SyncProcessMessage(IMessage msg, Int32 methodPtr, Boolean fExecuteInContext) Exception rethrown at [0]: at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg) at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type) at Oracle.BAM.Middleware.ReportCache.IReportCache.OpenViewSet(ViewSetBuilderBase oViewSetBuilder) at Oracle.BAM.Middleware.ReportCache.RemoteReportCache.OpenViewSet(ViewSetBuilderBase oViewSetBuilder) at Oracle.BAM.ReportServer.DataManager.OpenViewSet(String strModifier, ViewSetBuilderBase oViewSetBuilder, String strUserName) at Oracle.BAM.ReportServer.List.RenderList(String strViewsetId, String strDataset, String strXmlModifier, String strXmlProperties, Boolean bActive, String strInEditor, Boolean bEmail, String strUserName, Int32 iRecordsLimit, Int32 iClientWidth, Int32 iClientHeight, Int32 iBrowserTimezoneOffset, String strActiveDataDelay, String strActionButtonsXML) ...
ReportType tiled
DataSet EMPLOYEETEST
ViewsetId NOT_INITIALIZED
ViewId view1
Properties <Properties ContentType="StreamingList" datasetId="_EMPLOYEE_TEST"> <Title display="true" color="#ffffff" font-family="Tahoma" font-weight="Bold" font-size="11" underline="false" overline="false" line-through="false" capitalize="false" uppercase="false" lowercase="false" background-color="#7B97C0" text-align="left"> <Text bUseViewName="true"> </Text> </Title> <Body alt_increment="1" alt_color="#dfdfdf" font-family="Tahoma" font-size="11px" color="black" background-color="transparent"> <Border color="#000000" width="1px" style="solid"/> </Body> <Headings background-color="#c7c7c7" underline="true" display="true" font-family="Tahoma" font-size="11px" color="black"/> <Empty display="false" text="No Values" text-align="left" font-family="Tahoma" font-size="11px" color="black"/> <ActiveData newColor="#FFE299" newTimeSeconds="1"> </ActiveData> </Properties> ...
ModifierXml <Modifier id="0" dataset="_EMPLOYEE_TEST"><FieldRefs><DatasetField fieldRefID="2" datasetField="_Dept" dataType="INTEGER" order="0"/><DatasetField fieldRefID="0" datasetField="_employee_id" dataType="INTEGER" order="1"/><DatasetField fieldRefID="3" datasetField="_Job_id" dataType="INTEGER" order="2"/><DatasetField fieldRefID="1" datasetField="_Name" dataType="STRING" order="3"/><DatasetField fieldRefID="4" datasetField="_Salary" dataType="INTEGER" order="4"/></FieldRefs><RecordFields><RecordField fieldRefID="2" datasetField="_Dept" dataType="INTEGER" fieldID="0" order="0"/><RecordField fieldRefID="0" datasetField="_employee_id" dataType="INTEGER" fieldID="1" order="1"/><RecordField fieldRefID="3" datasetField="_Job_id" dataType="INTEGER" fieldID="2" order="2"/><RecordField fieldRefID="1" datasetField="_Name" dataType="STRING" fieldID="3" order="3"/><RecordField fieldRefID="4" datasetField="_Salary" dataType="INTEGER" fieldID="4" order="4"/></RecordFields></Modifier> ...
InEditor true
IsInViewMode false
ActiveDataDelay 0
TimezoneOffset 240
ActionButtons <ActionButtons></ActionButtons>
clientWidth 961
clientHeight 522
Assembly ReportServer
State Oracle.BAM.ReportServer.StreamingList
Event Initialize
Could you please help me to resolve this issue.
Thanks
Laj

Hi
This issue has been resolved.
Fix :- Earlier i have defined all the BAM services as Localy.Modified those services to run it from my user id.
thanks
Laj

Impersonate a User using PRC

Hi,
Can i impersonate a user using PRC? How do i do that? I have only the user name of the user (to be impersonate). Can you plz help me out?
Thanks,
Bharat

NO, impersonation is only for server api as the admin user.

Impersonate domain user to call MessageQueue.Create() to create a private queue throw exception "Msmq service is not available".

The code impersonate a domain user to create a private messaging queue on local machine, using MessageQueue.Create(".\\myqueue").
When the current user is a member of local administrators, it works well.
When the current user is a member of local users, it throw exception "Msmq service is not available."

Hi Psun,
In my opinion, this thread is related to MSMQ forum. So please post thread on that forum for more effective response. Thank you for understanding. Please refer to the following link.
http://social.msdn.microsoft.com/Forums/windowsdesktop/en-US/home?forum=msmq
Regards,
We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time. Thanks for helping make community forums a great place.
Click
HERE to participate the survey.

How to impersonate user in 10G

Hi Team,
How to impersonate the user if the user A will login into the webserver i want to know the details of that user A for which objects he as accessed in his session.How can we achieve this one.
Thanks,

Easy approach would be using URL parameters
0) If you are logged into BI application then log-out.
1) go to URL as following parameters.
http://servername/analytics/saw.dll?Dashboard?impersonate=target_user_name
2) Provide Super User(How as presentation Admin access typically Administrator user) credentials on logon screen.
3) You will be logged in as TAREGET_USER.
Second approach implement proxy user feature.
http://santoshbidw.wordpress.com/2010/11/14/act-as-proxy-user-obiee-10g/

Impersonate User: Mimic another user similar to the Default Profile

I'm looking for a way as an Administrator to impersonate another user similar to the way you can login to the portal using the Default Profiles.
Example: I select a user to impersonate and then click a button. I'm then in the portal as that user.
There may be a problem opening documents, etc, but I'm more interested in making sure that I see the content that the other person is seeing.
It would be a great help to diagnose security problems such as "Why can't I see this portlet, etc."
One solution I thought of was to switch ID's in the PTUSERS table. This solution wouldnt' want to go any further than dev though. I don't really like this solution because if you forget to switch them back or they are in the portal when you switch them......there's a problem.

I think that changing the PTUsers table is unlikely to do what you want. It's likely to break the system because there are a number of other tables that contain data about users, and you have not changed those tables. Additionally, information may be cached in memory, so changing the tables would not change that information.
I think that there is a significantly easier way to do this, though it may still not be easy. The IPTSession interface supports a function called ImpersonateUser. If you are logged into the Portal as an Administrator, you can call ImpersonateUser to switch your session over to that of another user- from then on, the Server will treat you as the second user.
This is a very easy call to make, but it's only half the story- the UI also has to know to treat you as the new user (e.g. use the correct language settings, flush cached session info, etc.) This is basically like doing a login. I don't know the details of how this would be done (a discussion forum about UI customization would be more useful here), but I could imagine doing something like copying the login screen logic to a second, "hidden" login screen which takes in a username, but no password. The page would only operate if you were already logged in as an Administrator, but it would perform the "standard" login logic, except that it would do Session.ImpersonateUser on the pre-existing session instead of creating a new session and logging in as the new user.

Exchange 2007 Experts - Impersonate user help please

Hello,
We use Exhcange 2007 (2 x CAS & 2 x MBX servers)
We have 2 issues:
1.)
We are trying to get our a hosted CRM sysem called ForceManager to Impersonate some users. What is strange I create a new user and then run these commands and Exchange accepts them:
Add-ADPermission -Identity "forcetest" -User "forcemgnsync" -ExtendedRights ms-Exch-EPI-May-Impersonate
WARNING: Appropriate ACE is already present on object
"CN=forcetest,OU=Test,OU=Spain,DC=contoso,DC=local" for account
"CONTOSO\forcemgnsync".
Identity User Deny Inherited Rights
CONTOSO.LOCAL/Spain... CONTOSO\forcemgnsync False False ms-Exch-EPI-May-Im...
Get-Mailbox -Identity forcetest | Get-ADPermission -User forcemgnsync | fl
User : CONTOSO\forcemgnsync
Identity : CONTOSO.LOCAL/Spain/Test/forcetest
Deny : False
AccessRights : {ExtendedRight}
ExtendedRights : {ms-Exch-EPI-May-Impersonate}
IsInherited : False
Properties :
ChildObjectTypes :
InheritedObjectType :
InheritanceType : All
User : CONTOSO\forcemgnsync
Identity : CONTOSO.LOCAL/Spain/Test/forcetest
Deny : False
AccessRights : {ExtendedRight}
ExtendedRights : {ms-Exch-EPI-Impersonation}
IsInherited : False
Properties :
ChildObjectTypes :
InheritedObjectType :
InheritanceType : All
But ForceManager say the account still doesn't have rights to impersonate, any ideas?
2.)
If I try the same commands on an existing user (have tried many) it can't even find them:
Add-ADPermission -Identity "bill" -User "forcemgnsync" -ExtendedRights ms-Exch-EPI-May-Impersonate
Add-ADPermission : bill was not found. Please make sure you have typed it correctly.
At line:1 char:17
+ Add-ADPermission <<<< -Identity "bill" -User "forcemgnsync" -ExtendedRights
ms-Exch-EPI-May-Impersonate
+ CategoryInfo : NotSpecified: (0:Int32) [Add-ADPermission], ManagementObjectNotFoundException
+ FullyQualifiedErrorId : D5B1825B,Microsoft.Exchange.Management.Recipient
Tasks.AddADPermission
Hope you guys can help, I'm really struggling as I'm not really an Exchange guy.
Regards

same issue, trying with another user via the CAS servers:
get-mailbox anovo
Name Alias ServerName ProhibitSendQuo
ta
Alejandro Novo anovo ccf-exch-vmbx unlimited
Add-ADPermission anovo -User "forcemgnsync" -ExtendedRights ms-Exch-EPI-May-Impersonate
Add-ADPermission : anovo was not found. Please make sure you have typed it corr
ectly.
At line:1 char:17
+ Add-ADPermission <<<< anovo -User "forcemgnsync" -ExtendedRights ms-Exch-EPI
-May-Impersonate
+ CategoryInfo : NotSpecified: (0:Int32) [Add-ADPermission], Mana
gementObjectNotFoundException
+ FullyQualifiedErrorId : D5B1825B,Microsoft.Exchange.Management.Recipient
Tasks.AddADPermission

CryptAcquireContext failing with ERROR_FILE_NOT_FOUND (2L) when user not logged on Windows 8.1

I am having a hard time migrating a C++ CryptoAPI-based application that currently runs on Windows Server 2008 to Windows 8.1. The scenario is:
This application is eventually triggered by WatchDog.exe, which in its turn is triggered when the computer is started by Windows' Task Scheduler.
Task Scheduler uses the following rules to start the WatchDog.exe:
A Administrator User Account;
Run Whether user is logged on or not;
UNCHECKED: Do not store password. The task will only have access to local resources;
Run with Highest Privileges;
Configure for Win 8.1;
Triggered at system startup.
The server sits there, nobody logged, until in a given scenario WatchDog.exe starts the application. Application log confirms that the owner of the process (GetUserName)
is the very same user Task Scheduler used to trigger WatchDog.exe.
It turns out that this application works fine in Windows Server 2008, but in windows 8.1 a call to CryptAcquireContext fails
with return code ERROR_FILE_NOT_FOUND (2L). The odd thing is that the application will NOT fail if, when started, the user is physically logged
on the machine, although it was not the user who started the application manually.
I took a look at the documentation and
found:
"The profile of the user is not loaded and cannot be found. This happens when the application impersonates a user, for example, the IUSR_ComputerName account."
I had never heard of impersonification, so I made a research and found the APIs LogonUser,ImpersonateLoggedOnUser and RevertToSelf.
I then updated the application in this way:
HANDLE hToken;
if (! LogonUser(L"admin", L".", L"XXXXXXXX", LOGON32_LOGON_BATCH, LOGON32_PROVIDER_DEFAULT, &hToken))
logger->log (_T("Error logging on."));
else
logger->log (PMLOG_LEVEL_TRACE, _T("Logged on."));
if (! ImpersonateLoggedOnUser(hToken))
logger->log (_T("Error impersonating."));
else
logger->log (_T("Impersonated."));
err = XXXXXXXXX(); // calls function which will execute CryptAcquireContext
if (! RevertToSelf())
logger->log (_T("Error reverting."));
else
logger->log (_T("Reverted."));
Excerpt with the call to CryptAcquireContext:
// Get the handle to the default provider.
if(! CryptAcquireContext(&hCryptProv, cryptContainerName, MS_ENHANCED_PROV, PROV_RSA_FULL, 0))
DWORD e = GetLastError();
_stprintf_s (logMsg, 1000, _T("Error %ld acquiring cryptographic provider."), e);
cRSALogger->log (logMsg);
return ERR_CCRYPT_NO_KEY_CONTAINER;
cRSALogger->log (_T("Cryptographic provider acquired."));
As the result, I got the log:
[2015/01/08 20:53:25-TRACE] Logged on.
[2015/01/08 20:53:25-TRACE] Impersonated.
[2015/01/08 20:53:26-ERROR] Error 2 acquiring cryptographic provider.
[2015/01/08 20:53:26-TRACE] Reverted.
That seems to show that impersonation is working properly, but still I get Error 2 (ERROR_FILE_NOT_FOUND) on CryptAcquireContext.
Summary:
On Windows Server 2008, the very same application runs properly even without the calls to LogonUser/Impersonate/Revert.
On Windows 8.1, the application, with or without the calls to LogonUser/Impersonate/Revert, will only work properly if the user is logged on (which
is not acceptable).
Any thoughts where I can run to in order to get this working on windows 8.1?
Thank in advance,
Dan

There are a couple of issues.
Based on the parameters being used in CryptAcquireContext(). A profile needs to be loaded and your app has to be running as the same user who created the keyset. (which is why it works when a user is logged on Windows 8.1) Also, impersonation
does not load your user profile, you need to call LoadUserProfile(). It seems like you should be using a machine keyset for your scenario if you want to do this when nobody is logged on.
Take a look at the following KB article for more information.
https://support.microsoft.com/kb/238187?wa=wsignin1.0
thanks
Frank K [MSFT]

Domain\User Name is not able to connect to Database

We have a service account and we want to run the report using the service account. Users will be accessing the report using their windows authentication, while on connecting to data source service account needs to be used.
We have added the service account in database server and also on physical server as "Allow logon as locally".
While creating the datasource, we are getting this error "logon failed for user domain\username".
We tried with the first checkbox "Use as windows credentials when connecting to the data source", but the error is "Logon Failed. Ensure the username and password are correct".
When we tried with the second checkbox "impersonate authenticated user after the connection has been made to the data source", but the error is "Login Failed for user domain\username".
We have even tried to add this domain\username as execution account in reporting services configuration and its failing.
Kindly let me know wat needs to be done to run the report as a service account and not as windows integrated or sql account.

Hi CrazySam81,
Per my understanding that when you are using one service account to access the report server to run the report you got some error, right?
I assumed that the use have grant the correct permission to access the report server, so the issue can be caused by use don't have grant the right permission to access the datasource or the setting of the credential is not correct.
Use stored credentials or prompted credentials to query external data sources for report data. The credentials can be either a Windows domain account or a database login.
In your scenario, please make use the service account is the Windows domain account or a database login account. please also check details information below:
make sure you have done the setting like below and test connection to see if the username and password is correct：
Go to SQL Server Reporting Services Configuration Manager, make sure the service account have the correct password and username.
Go to Database, Verify that the service account can connect to the database.
More details information about the grant of permission reference to:
How to: Store Credentials for a Data Source (Report Manager)
pecify Credential and Connection Information for Report Data Sources
If your problem still exists, please try to provide more details informaiton in the log file which path like:
C:\Program Files\Microsoft SQL Server\MSRS10_50.MSSQLSERVER\Reporting Services\LogFiles
Regafrds,
Vicky Liu
Vicky Liu
TechNet Community Support

Can a user with Contribute privileges invoke SPFolder.SubFolders.Add(folder) Sharepoint 2010 API in a Webservice?

We have a Webservice deployed on a Sharepoint 2010 deployment with a method as follows:
public static string ensureParentFolder(SPWeb parentSite, string destinationUrl)
destinationUrl = parentSite.GetFile(destinationUrl).Url;
int index = destinationUrl.LastIndexOf("/");
string parentFolderUrl = string.Empty;
if (index > -1)
parentFolderUrl = destinationUrl.Substring(0, index);
SPFolder parentFolder
= parentSite.GetFolder(parentFolderUrl);
if (!parentFolder.Exists)
SPFolder currentFolder = parentSite.RootFolder;
foreach (string folder in parentFolderUrl.Split('/'))
try
currentFolder = currentFolder.SubFolders.Add(folder);
catch (Exception ex)
FINEOSLogger.Medium(LoggerCategory.FINEOSToSharePointDMS, "User could not create SP folder so elevating permissions");
SPSecurity.RunWithElevatedPrivileges(delegate()
currentFolder = currentFolder.SubFolders.Add(folder);
return parentFolderUrl;
When invoked by a User with only Contribute rights the SubFolders.Add( ) call appears to fail and the
SPSecurity.RunWithElevatedPrivileges
code is invoked, which also fails.
1. So the first question is should you be able to invoke SubFolders.Add() with only Contribute? It works with Design privileges for the Customer. You can add folders on the Sharepoint website as a Contribute user so why not on the API.
Customer raising this as a security concern.
2. Also why would the
SPSecurity.RunWithElevatedPrivileges
part fail, is the syntax incorrect for Sharepoint 2010? We migrated this code from Sharepoint 2007 project.
The error I get when I try run the code as a Contribute user is
com.fineos.ta.dms.external.DMSException: The exception [A SharePoint error occured "An Error occured in SharePoint". For user "FINEOS\bryces" uploading the file "Ru Ext_1501.txt", with title "Ru Ext_1501.txt", to the SharePoint Library "FINEOSDocumentLibrary/2015/02/23/13/18".] was caused by the exception [A SharePoint error occured "An Error occured in SharePoint". For user "FINEOS\bryces" uploading the file "Ru Ext_1501.txt", with title "Ru Ext_1501.txt", to the SharePoint Library "FINEOSDocumentLibrary/2015/02/23/13/18".]., Ta Exception info,Exception Class=class com.fineos.ta.dms.external.DMSException,Root cause ID=10,Root cause host=IEL163,Localized message=A SharePoint error occured "An Error occured in SharePoint". For user "FINEOS\bryces" uploading the file "Ru Ext_1501.txt", with title "Ru Ext_1501.txt", to the SharePoint Library "FINEOSDocumentLibrary/2015/02/23/13/18"
at com.fineos.integration.dms.internal.thirdparty.GenericDMS.add(GenericDMS.java:149)
at com.fineos.frontoffice.documentmanager.DocumentManager.saveToThirdPartyDMS(DocumentManager.java:280)
at com.fineos.frontoffice.documentmanager.fileupload.UploadDocumentWidget.save(UploadDocumentWidget.java:401)
at org.apache.jsp.sharedpages.documentmanager.fileupload.uploaddocumentpage_jsp._jspService(uploaddocumentpage_jsp.java:77)
Caused by: com.fineos.integration.dms.external.services.SharePointDmsException: A SharePoint error occured "An Error occured in SharePoint". For user "FINEOS\bryces" uploading the file "Ru Ext_1501.txt", with title "Ru Ext_1501.txt", to the SharePoint Library "FINEOSDocumentLibrary/2015/02/23/13/18".
at com.fineos.integration.dms.external.services.GenericDMSClient.uploadDocument(GenericDMSClient.java:139)
at com.fineos.integration.dms.internal.thirdparty.GenericDMS.add(GenericDMS.java:132)
... 88 more
Caused by: org.apache.axis2.AxisFault: Error_occured_sharepoint [Message Details = An Exception occurred in SharePoint; System.UnauthorizedAccessException: <nativehr>0x80070005</nativehr><nativestack></nativestack>Access denied.
at Microsoft.SharePoint.Library.SPRequest.AddOrDeleteUrl(String bstrUrl, String bstrDirName, Boolean bAdd, UInt32 dwDeleteOp, Int32 iUserId, Guid& pgDeleteTransactionId)
at Microsoft.SharePoint.SPFolderCollection.AddInternal(String strUrl, Int32 userId)
at FINEOSIntegration.FINEOSToSharePointDMS.SharePointDMSUtilities.<>c__DisplayClass9.<ensureParentFolder>b__5()
at Microsoft.SharePoint.SPSecurity.<>c__DisplayClass4.<RunWithElevatedPrivileges>b__2()
at Microsoft.SharePoint.Utilities.SecurityContext.RunAsProcess(CodeToRunElevated secureCode)
at Microsoft.SharePoint.SPSecurity.RunWithElevatedPrivileges(WaitCallback secureCode, Object param)
at Microsoft.SharePoint.SPSecurity.RunWithElevatedPrivileges(CodeToRunElevated secureCode)
at FINEOSIntegration.FINEOSToSharePointDMS.SharePointDMSUtilities.ensureParentFolder(SPWeb parentSite, String destinationUrl)
at FINEOSIntegration.FINEOSToSharePointDMS.FINEOSToSharePointDMS.uploadDocument(String UserName, String FolderPath, String Filename, Byte[] File, DocumentProperties DocumentProperties, Boolean NotifyFINEOS, Boolean NotifyFINEOSSpecified, Boolean OverwriteIfExists, Boolean OverwriteIfExistsSpecified, String& DMSDocType)]
at org.apache.axis2.util.Utils.getInboundFaultFromMessageContext(Utils.java:512)
at org.apache.axis2.description.OutInAxisOperationClient.handleResponse(OutInAxisOperation.java:370)
at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:416)
at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:228)
at org.apache.axis2.client.OperationClient.execute(OperationClient.java:163)
at com.fineos.frontoffice.thirdpartydms.operationtypes.ThirdPartyDmsServicesStub.uploadDocument(ThirdPartyDmsServicesStub.java:761)
at com.fineos.integration.dms.external.services.GenericDMSClient.uploadDocument(GenericDMSClient.java:119)
... 89 more
Note that the user SPWeb being passed into the method is from an impersonated user, don't know if that matters.
So the webservice payload contains the id of the user who wants to do the Sharepoint work while the webservice is invoked by anonymous or some other service user. We then impersonate the user specified in the webservice payload like follows and use
that web SPWeb from then on in the webservice methods:
userToImpersonate = currentWeb.AllUsers[user];
site = new SPSite(fileUrl, userToImpersonate.UserToken);
web = site.OpenWeb();
Any help appreciated.
Thanks,
Ruairi.

Ideally, a user with Contribute permissions should be able to add folders. Not sure what is the issue there. But I can see that SPSecurity.RunWithElevatedPrivileges is not written properly. You must create a new SPSite object inside the delegate
because SPSite objects created outside do not have Full Control even when referenced inside the delegate. Use the using keyword to ensure that the object is disposed in the delegate. Example:
SPSecurity.RunWithElevatedPrivileges(delegate()
using (SPSite site = new SPSite(web.Site.ID))
// implementation details omitted
});See this for more information about SPSecurity.RunWithElevatedPrivilegeshttps://msdn.microsoft.com/en-us/library/microsoft.sharepoint.spsecurity.runwithelevatedprivileges%28v=office.12%29.aspx?f=255&MSPPError=-2147217396
Blog | SharePoint Learnings CodePlex Tools |
Export Version History To Excel |
Autocomplete Lookup Field

Querying user settings

Hi,
After quite a bit of experience developing ASP gadgets for version 4.5, we've recently moved to Plumtree version 5 and .Net.
One thing we would like to be able to do is provide a web service for use by other applications (outside the portal) which could request the retrieval of a specific User setting for a given user.
I've seen some examples of similar challenges, but still a bit bewildered how to go about this (on the Plumtree side of things, the actual process of building our own web service is fine).
The web service will be built with .Net & WSE, on a server with the Plumtree EDK installed. I've checked and our Plumtree installation also has the PTAPI QueryInterfaceAPI web service available.
Should I use a PRC session, and impersonate the user I need to get the settings for, or will setting up a session as an admin user be sufficient to query the User settings object for another user?
Any help offered would be gratefully received.
Thanks,
Charles

Sorry - I'm a doofus. I didn't read your post completely.
You're right - if you want to attach to this service w/o going through Plumtree/BEA first to obtain a login ID you'd need to impersonate a user (I'd suggest a secured admin account where the credentials are encrypted).
Try this... (server API)
In your web.config
<appSettings> <add key="UserID" value="administrator" /> <add key="UserPassword" value="" /></appSettings>
Encrypt these or do something to protect them.
Read: How to use the ASP.NET utility to encrypt credentials and session state connection strings
http://support.microsoft.com/default.aspx?scid=kb;en-us;329290
Code Sample for Password Reset (Similar thing)
'//create an admin connection Dim ptAdminSession As IPTSession = New Session 'PortalObjectsFactory.CreateSession ptAdminSession.Connect("administrator", "", Nothing) '//reference web.config values instead
Dim sNewPassword As String = ""
'//start user impersonation Dim ptUserSessionTemp As IPTSession = ptAdminSession.ImpersonateUser(iUserID)
'//get the user's email address Dim sEmail As String = "" sEmail = ptUserSessionTemp.GetUserInfo.GetEmail
If sEmail.Length > 0 Then '//open the user for editing Dim oUser As IPTUser = ptAdminSession.GetUsers().Open(iUserID, True)
'//reset the password oUser.SetPassword(sNewPassword)
'//mungle with server context - don't ask why we do this after we have a handle on the object - I don't know '//there's likely a very good reason for it, I'm sure Dim mySC As IPTServerContext = oUser.GetInterfaces("IPTServerContext") mySC.Store() mySC.UnlockObject()
'//send email
Else '//throw an exception here - return "no email address"
End If

IBots - Delivers: Selected Users and E-Mails based on SA_SYSTEM table

Hi
I have the following request and I am having issues with the setup.
1) A report request that has a columned named Assigned to:
2) Setup Scheduler
3) Need to create an ibot to generate the report from step 1 and email it to selected people
4) Setup SA_SYSTEM table with user information.
a) This does work with reference to updating delivers information when I look at My Account
5) Now I am attempt to do the following:
1) The report listed above will generate a report that has many records that belong to different Assigned To people
2) I would like to have the iBot generate the report(s) based on the Assigned To and that report only have that persons records in that specific report
3) The iBot would have to generate several reports based on the Assigned to
4) Automatically email the report to the correct person based on the email address setup in the SA_SYSTEM table that I created
--- This system table is also been added to the Presentation Layer of the RPD file
5) The users WILL not be subscribing to the ibot
6) The user may never log into OBIEE ... Just receive reports from the iBot
Questions:
1) Has anyone ever done this?
2) Can I do this
3) Can someone help me out
Other things I have done.
1) I have created a simple iBot to create the report... But is has all records
2) I can email the report to "Me"
3) I does run on a regular scheduled basis
Thank for any help
Steve

Rudimentary automated PDF generation using Delivers Hi Steve,
When the iBot runs in personalisation mode it is in essence logging each user into the system. The user that runs the report e.g. Administrator will impersonate the users one by one and run the queries per user. If you are not able to populate the Authentication block you will need to do something a little more "out there" to achieve your goals.
I have submitted a post a couple of days ago explaining a rudimentary method to generate customised pdf's based on session variables when running as a single user. You could modify this approach to achieve your desired result.
Rudimentary automated PDF generation using Delivers
Regards
Chris
Edited by: ChrisMarais on 23-May-2011 20:46

Allow user to select data, see the tables list but not view the table/view/stored procs definition

Hi,
May I know how to achieve the above ? Please enlighten me.
TIA !

So you want users to be able to see the name of the table, but not the definition? I am afraid that this is not possible. You can give users access to a table and hide the definition, but the name is considered part of the definition.
Olaf mentioned VIEW DEFINITION. What he did not say is that when you have SELECT permission (or EXECUTE permission on a stored procedure), the permission VIEW DEFINITION is implied by the stronger permission. For this reason you need to explicitly DENY this
permission as shown in the script below.
In the script I create a user without a login and then impersonate a user. This is an excellent way to test permissions.
[sql]
CREATE TABLE tabbe (a int NOT NULL)
go
CREATE USER usse WITHOUT LOGIN
go
GRANT SELECT ON tabbe TO usse
DENY VIEW DEFINITION ON tabbe TO usse
go
EXECUTE AS USER = 'usse'
go
SELECT * FROM tabbe
go
SELECT name FROM sys.objects WHERE type = 'U'
EXEC sp_help tabbe
go
REVERT
go
DROP USER usse
DROP TABLE tabbe
{/sql]
Note: rather than denying VIEW DEFINITION on an individual object you can leave out "ON tabbe" to deny the permission across the database.
Erland Sommarskog, SQL Server MVP, [email protected]

Apple Releases Security Update 2006-004 (PowerPC and Intel)

From Macfixit................
Apple has released Security Update 2006-004 for Mac OS X in both PowerPC and Intel versions. This update requires Mac OS X 10.4.7 for either PowerPC or Intel, Mac OS X 10.3.9 or Mac OS X 10.3.9 Server.
This is the fourth major standalone security update for Mac OS X released this year.
Update procedure recommendation First, avoid performing any other operations (in Mac OS X or third-party applications) while the update process is occurring. In addition, before installing this security update, make sure all Apple-installed applications and utilities are in their original locations. Moving one of these applications to a different location on your hard drive can lead to an incomplete update. Also, disconnect any FireWire/USB devices before applying the update (except for your startup drive, if it is FireWire or USB, and your keyboard/mouse), then re-connect the devices one by one (checking for issues created by any particular device) after the update process is complete and the system has restarted.
Enhancements in this release
Of most interest to general end-users:
a fix that prevents maliciously crafted Zip archives from causing condition where arbitrary code can be execute. In other words, prior to Security Update 2006-004 you could download a specially crafted file ending in .zip from a Web site or other location, and it could trigger the execution of malicious code.
a fix that disallows maliciously crafted Canon RAW images from creating a buffer overflow, potentially leading to arbitrary code execution. Prior to Security Update 2006-004, you could download or otherwise receive a Canon RAW file that could allow execution of malicious code on your system.
similar to the above, a fix that prevents maliciously crafted GIF images from causing an integer overflow, potentially leading to arbitrary code execution.
new download validation that will catch certain HTML files defined by Safari as "safe" that may actually contain malicious JavaScript code. After applying Security Update 2006-004, these files will not be automatically opened.
Protection against maliciously crafted HTML documents that can also open the door for arbitrary code execution by accessing deallocated objects.
A full list of enhancements is as follows:
AFP Server
An issue in the AFP server allows search results to include files and folders for which the user performing the search has no access. This may lead to information disclosure if the names themselves are sensitive information. If the permissions of the items allow it, the contents may also be accessible. This update addresses the issue in Mac OS X v10.3.9 by ensuring that search results only include items for which the user is authorized. For Mac OS X v10.4 systems, the issue was addressed in Mac OS X v10.4.7. Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9:
The AFP server contains an integer overflow that can be triggered by an authenticated user. A malicious user with access to the AFP server may be able to cause a denial of service attack or arbitrary code execution with system privileges. The AFP server is not enabled by default on Mac OS X. This update addresses the issue by performing additional validation. Credit to Dino Dai Zovi of Matasano Security for reporting this issue. Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.7, Mac OS X Server v10.4.7.
On Mac OS X Server, the AFP server supports reconnection of file sharing sessions after a network outage. The storage of reconnect keys is world-readable. It may be possible for an authenticated local user to read the reconnect keys, use them to impersonate another user over AFP, and access files or folders with the privileges of the impersonated user. This update addresses the issue by protecting the reconnect keys with appropriate file system permissions. This issue only affects Mac OS X Server. Available for: Mac OS X Server v10.3.9, Mac OS X Server v10.4.7.
An unchecked error condition exists in the AFP server that may lead to a crash. By carefully crafting an invalid AFP request, an attacker may be able to trigger this condition and cause a denial of service. This update addresses the issue by handling the formerly unchecked error condition. Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.7, Mac OS X Server v10.4.7
Bluetooth
The security of the Bluetooth Setup Assistant has been improved in this update for Mac OS X v10.4.7. The length of the automatically generated passkey used for pairing has been increased from six characters to eight characters. Available for: Mac OS X v10.4.7, Mac OS X Server v10.4.7
Bom
An issue in Bom's compression state handling may cause heap corruption. By carefully crafting a corrupt Zip archive and persuading a victim to open it, an attacker may be able to trigger this condition which could lead to an application crash or arbitrary code execution. Note that Safari will automatically open archives when "Open `safe' files after downloading" is enabled. This update addresses the issue by properly handling such malformed Zip archives. Credit to Tom Ferris of Security-Protocols.com for reporting this issue. Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.7, Mac OS X Server v10.4.7.
DHCP
A stack buffer overflow exists in bootpd's request processing. By carefully crafting a malicious BOOTP request, a remote attacker may be able to trigger the overflow and cause arbitrary code execution with the privileges of the system. Note that bootpd is not enabled by default in Mac OS X, and must be manually configured in order to be enabled. This update addresses the issue by performing additional bounds checking. Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.7, Mac OS X Server v10.4.7.
dyld
Malicious local system users may specify dynamic linker options that cause output to standard error. This output contains informational content and potentially user-specified content. As a result, privileged applications that parse or reuse standard error may be influenced inappropriately. This update addresses the issue by ignoring the problematic dynamic linker options in privileged applications. Credit to Neil Archibald of Suresec LTD for reporting this issue. Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.7, Mac OS X Server v10.4.7.
An improperly handled condition in the dynamic linker may lead to including dangerous paths when searching for libraries to load into privileged applications. As a result, malicious local users may cause the dynamic linker to load and execute arbitrary code with elevated privileges. This update addresses the issue by properly selecting search paths when executing privileged applications. Credit to Neil Archibald of Suresec LTD for reporting this issue. Available for: Mac OS X v10.4.7, Mac OS X Server v10.4.7
fetchmail
Several issues in the fetchmail utility were discovered. The most serious issue could lead to arbitrary code execution when fetching mail from a malicious POP3 mail server. All issues are described at the fetchmail website (fetchmail.berlios.de). This update addresses the issues by updating fetchmail to version 6.3.4. In addition, fetchmail is no longer distributed as a privileged utility. Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.7, Mac OS X Server v10.4.7.
gunzip
A race condition may allow a malicious local user to modify the permissions of files owned by another user executing gunzip. This issue is only exploitable when executing gunzip on files in directories that are modifiable by other users. This update addresses the issue by properly handling files while decompressing. Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.7, Mac OS X Server v10.4.7.
A directory traversal vulnerability is present in the command line utility gunzip when it is used with the non-default "-N" option. By carefully crafting a malicious compressed file and persuading a user to open it with "gunzip -N", an attacker may replace or create arbitrary files with the privileges of the victim. This update addresses the issue by properly stripping paths from files when decompressing. Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.7, Mac OS X Server v10.4.7
Image RAW
By carefully crafting a corrupt Canon RAW image, an attacker can trigger a buffer overflow which may lead to an application crash or arbitrary code execution. This update addresses the issue by performing additional validation of Canon RAW images. This issue does not affect systems prior to Mac OS X v10.4. Available for: Mac OS X v10.4.7, Mac OS X Server v10.4.7.
ImageIO
By carefully crafting a corrupt Radiance image, an attacker can trigger an integer overflow which may lead to an application crash or arbitrary code execution. This update addresses the issue by performing additional validation of Radiance images. This issue does not affect systems prior to Mac OS X v10.4. Available for: Mac OS X v10.4.7, Mac OS X Server v10.4.7
By carefully crafting a corrupt GIF image, an attacker can trigger an undetected memory allocation failure which may lead to an application crash or arbitrary code execution. This update addresses the issue by performing additional validation of GIF images. This issue does not affect systems prior to Mac OS X v10.4. Available for: Mac OS X v10.4.7, Mac OS X Server v10.4.7.
By carefully crafting a corrupt GIF image, an attacker can trigger an integer overflow which may lead to an application crash or arbitrary code execution. This update addresses the issue by performing additional validation of GIF images. This issue does not affect systems prior to Mac OS X v10.4. Credit to Tom Ferris of Security-Protocols.com for reporting this issue. Available for: Mac OS X v10.4.7, Mac OS X Server v10.4.7
LaunchServices
Download Validation may erroneously identify certain files containing HTML as "safe". If such a file is downloaded in Safari and Safari's "Open `safe' files after downloading" option is enabled, the HTML document will automatically be opened from a local URI. This would allow any JavaScript code embedded in the document to bypass access restrictions normally imposed on remote content. This update provides additional checks to identify potentially malicious file types so that they are not automatically opened. This issue does not affect systems prior to Mac OS X v10.4. Available for: Mac OS X v10.4.7, Mac OS X Server v10.4.7
OpenSSH
Attempting to log in to an OpenSSH server ("Remote Login") using a nonexistent account causes the authentication process to hang. An attacker can exploit this behavior to detect the existence of a particular account. A large number of such attempts may lead to a denial of service. This update addresses the issue by properly handling attempted logins by nonexistent users. This issue does not affect systems prior to Mac OS X v10.4. Credit to Rob Middleton of the Centenary Institute (Sydney, Australia) for reporting this issue. Available for: Mac OS X v10.4.7, Mac OS X Server v10.4.7
telnet
When connected to a TELNET server, the client may send the contents of arbitrary environment variables to the server if the server requests them. Some environment variables may contain sensitive information that should not be sent over the network. This update addresses the issue by ensuring that only non-sensitive variables and variables that the user has explicitly requested are are shared with the server. Credit to Gael Delalleau and iDEFENSE for reporting this issue. Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.7, Mac OS X Server v10.4.7.
WebKit
A maliciously-crafted HTML document could cause a previously deallocated object to be accessed. This may lead to an application crash or arbitrary code execution. This update addresses the issue by properly handling such documents. Credit to Jesse Ruderman of Mozilla Corporation for reporting this issue. Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.7, Mac OS X Server v10.4.7
AppKit, ImageIO
Buffer overflows were discovered in TIFF tag handling (CVE-2006-3459, CVE-2006-3465), the TIFF PixarLog decoder (CVE-2006-3461), and the TIFF NeXT RLE decoder (CVE-2006-3462). By carefully crafting a corrupt TIFF image, an attacker can trigger a buffer overflow which may lead to an application crash or arbitrary code execution. This update addresses the issue by performing additional validation of TIFF images. Systems prior to Mac OS X v10.4 are affected only by the TIFF NeXT RLE decoder issue (CVE-2006-3462). Credit to Tavis Ormandy, Google Security Team for reporting this issue. Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.7, Mac OS X Server v10.4.7./

Right after installing Security Update 2006-004 (Intel) on my macbook pro I am having troubles with my wireless connectivity. Here is the dump from the console:
Aug 3 15:49:43 x-ray /System/Library/PrivateFrameworks/Apple80211.framework/Resources/airport: Error: WirelessAssociate2() = 88001006 for network RadioActive
Aug 3 15:49:43 x-ray /System/Library/PrivateFrameworks/Apple80211.framework/Resources/airport: Error: (had password)
Aug 3 15:49:51 x-ray /System/Library/PrivateFrameworks/Apple80211.framework/Resources/airport: Error: WirelessAssociate2() = 88001006 for network RadioActive
Aug 3 15:49:51 x-ray /System/Library/PrivateFrameworks/Apple80211.framework/Resources/airport: Error: (had password)
Aug 3 15:49:59 x-ray /System/Library/PrivateFrameworks/Apple80211.framework/Resources/airport: Error: WirelessAssociate2() = 88001006 for network RadioActive
Aug 3 15:49:59 x-ray /System/Library/PrivateFrameworks/Apple80211.framework/Resources/airport: Error: (had password)
I can reboot and it will work, but if I put my macbook to sleep it, when I wake it, it will do the same thing again.
I am also getting timeouts waiting for results of 1st wireless scan to complete in console.
Anyone else having this issue?
MBP15-2GHZ Mac OS X (10.4.7)

Select Listener Port Number from which_table?

I'm writing a SQL script that, among other things, disconnects from Oracle and then reconnects to the same instance as a different user. I'm able to query v$database and v$instance to get most of the information I need (host, service name, etc) for the reconnect part. The only part I'm missing is the listener port number. I could hard code it to 1521, but that isn't very flexible. Currently, I'm prompting the user (which is normally me) for the listener port number in the SQL script, but that just seems a little bit lame. So my question is this: is there a view or table somewhere in the sys schema that I could use to view the listener configuration? I'm mostly working with 10gR2+ databases.

cleavitt wrote:
That is possible, but it needs to be a standard Oracle configuration if the script is to remain generic and portable. The script is actually working fine as-is. I was just trying to go the extra mile and determine the port number automatically. I could also prompt for a TNSNames entry as suggested by others, but I don't always have an entry defined for all of the Oracle instances in my company on every workstation that I work from.
Here is the script for anyone that is interested. It started out as a script that I found online, but the original did not work with 11g case-sensitive passwords and it only worked for local connections on the server.
Description:
Allows a DBA user to impersonate another user (without knowing the user's password).
Similar in function to using the SU command in Unix/Linux.
Note:
This script temporarily changes the impersonated user's password and may cause other
connection attempts by that user to fail during the moment that the temporary password is in effect.
WHENEVER SQLERROR EXIT
SET VERIFY OFF
ACCEPT username CHAR PROMPT 'Enter the username: '
ACCEPT listenerport NUMBER DEFAULT 1521 PROMPT 'Enter the listener port [1521]: '
-- Define substitution variables and column mapping.
COLUMN username NEW_VALUE username
COLUMN password_hash NEW_VALUE password_hash
COLUMN host_name NEW_VALUE hostname
COLUMN instance_name NEW_VALUE servicename
-- Populate substitution variables.
SELECT
name AS username,
-- Get the user's password hash(s) and apply appropriate formatting for case-sensitive password if needed (11g+ passwords).
NVL2(spare4, spare4 || ';' || password /* 11g+ */, password /* pre-11g */) AS password_hash
FROM sys.user$
WHERE name = UPPER('&username');
SELECT host_name, instance_name
FROM v$instance;
-- Set the user's password to a temporary value.
ALTER USER &username IDENTIFIED BY TempPass;
-- Use the temporary password to connect to the database as the user.
CONNECT &username/TempPass@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=&hostname)(PORT=&listenerport))(CONNECT_DATA=(UR=A)(SID=&servicename)));
-- Reset the user's password to the original value using the original password hash(s).
ALTER USER &username IDENTIFIED BY VALUES '&password_hash';
SHOW USER
UNDEFINE username
UNDEFINE password_hash
UNDEFINE hostname
UNDEFINE servicename
UNDEFINE listenerport
WHENEVER SQLERROR CONTINUE
SET VERIFY ONAnd by so doing you just kicked the user's password expiration on down the road, negating the benefit of havng a password expiration.
Also, you locked out the legitimate user of this account, until such time as you reset it back to the original. And in the mean time, if this happens to be an account used by some automated process, that process doesn't know the new "temporary" password and runs a risk of locking the account from too many invalid connection attempts. Try to become SYSMAN or DBSNMP from this, and you will very quickly kill OEM.
This has "bad idea" written all over it. What problem is it supposed to be be solving?

Impersonate a user

Similar Messages

Maybe you are looking for