ISupplier: Multiple ICX_SUPPLIER_ORG_ID Securing Attribute

Similar Messages

• Security Attributes with Multiple/NULL values

  I have a couple of situations where I can't seem to get the authorization component working as I need it to work for a database source.
  1) In the first case, I have two attributes set for "grant security attributes" in the data source, one of which has a single attribute value, and the other which has multiple values, e.g.
  I want to set "grant security attributes" to something like "client_id role_id" where for my dataset, client_id will always be a single numeric value, but I might have multiple role_ids that can view this record. How do I specify in my data source query those multiple attribute values? I tried separating them with spaces, e.g.
  SELECT ...
  'A B' role_id
  FROM
  where "A" and "B" represent unique values (looking to match A OR B). I also tried delimiting them with commas, but neither spaces nor commas seems to work consistently.
  On the authorization end, using oracle.search.plugin.security.auth.db.DBAuthManager as the authorization plug-in, I have the authorization query set as
  SELECT client_id, security_lvl as role_id from test_user_id where user_id = ?
  Each user may have more than one role, so in the above query, security_lvl could be something like "B C"; I'm assuming from the documentation that the delimiter for attribute values in this case should be a space.
  The crawler logs make it appear that everything is getting indexed, so I suspect the issue is on the authorization front.
  2) In the second case, one of my security attributes for the data source may be NULL, meaning that there's no particular authorization restriction on a particular record, so to use the same example as in #1,
  role_id might be NULL for some records, in which case, I want those records returned in the search if the client_id matches, but I can't get the records with the NULL role_id to be returned at all. Again, the crawler logs indicate that everything is being indexed, and I'm not sure if there's a log where I can further troubleshooting authorization issues.
  Any guidance would be appreciated.
  Thanks

  1) The security attributes are OR'd together so if the user has any ONE of the attributes (either client ID or role ID), the document can be seen by the user. What I would try is to create a view to call rather than directly against the table. The view can then leverage a PL/SQL function and encapsulate the logic behind the security tokens to return.
  So the view would look like this...
  CREATE OR REPLACE VIEW USER_SECURITY_V AS
  SELECT
  USER_T.ID,
  MY_SECURITY_FUNCTION(USER_T.ID) AS AUTH_ID
  FROM
  USER_T
  The PL/SQL function would look something like this...
  CREATE OR REPLACE FUNCTION MY_SECURITY_FUNCTION(USER_ID NUMBER) RETURN VARCHAR2 IS
  -- Do whatever you need to do to build a single space-deliminted list of tokens for both Client and Role ID "CLIENTID4 ROLEID5 ROLEID9" then return
  END;
  The data source authorization query then would look like this...
  SELECT AUTH_ID FROM USER_SECURITY_V A WHERE A.ID = ?
  Using a PL/SQL Function to control the tokens gives you the flexibility of modifying security without having to touch the data source directly
  2) I don't quite follow. If any ONE of the tokens match, the document is returned. If the role ID is null, you might try stamping each document a "master" security token indicating it's open to everyone such as "ALL". Then in the PL/SQL Function, return "ALL" in front of the actual values.
  The crawler logs will only tell you what is indexed at crawl time, not how searching is actually working. Try checking the server logs. These should be under something like oracle/ses/seshome/search/base_domain/servers/AdminServer/logs
  Hope this helps!

• Adding PDF Security attributes while PDF Merge

  Hi,
  I am trying to merge multiple pdf document and want to secure the output using pdf security attributes.
  Is there a way to achieve this while pdf merge ?
  (I am able to do so while generating the pdf using FO Processor but not while merging existing pdf files.)
  Thanks in Adavance
  ~neeraj

  Hi Neeraj
  What API are you using to merge the documents ?
  If you are using PDFDocMerger you can use the setConfig method on the API to set the password.
  Regards, Tim

• SAP Cookies does not have secure attribute

  Cookies remain without Secure Attribute after changing ticket_only_by_https = 1, SystemCookiesHTTPSProtection=true, and ume.logon.security.enforce_secure_cookie=True.
  1.)ABAP: sap-appcontext cookies
  2.)Portal: com.sap.engine.security.authentication.original_application_url   
  Security guidelines advice us to put all cookies into secure flag.
  1.) What are these cookies, the information it contain and how are they use?
  2.) Is it necessary to set this cookies to secure flag? If not is how does SAP handles possible cookie hijacking?

  Hi Jason,
  The cookie "com.sap.engine.security.authentication.original_application_url" is used to remember the originally called URL, when - to retrieve this URL - a logon is needed. After the successful login, it is used to redirect to the originally called application URL (and will be deleted then).
  It is also (mis)used to interpret for the SPNego login module if there already was a failed approach to login via SPNego. So if the auth request sees this cookie, it does not try to run SPNego but skips it.
  The value is encoded; only the information if the initial request was GET or POST is put in clear text in front of the value, separated by a "#" char.
  The code setting the cookie can be found in class com.sap.engine.interfaces.security.auth.AbstractWebCallbackHandler in line 1200++ - there someone could add the secure flag.
  Hope it helps
  Detlev

• Bursting with translation and security attributes?

  Hi folks,
  I've been lurking on the forum for a while and despite not always finding a solution, existing threads normally pointed me in the right direction - so thanks :)
  I'm working on EBS 11.5.10 with the latest Bi-Publisher 5.6.3 (5472959) and bursting (5968876) patches installed.
  I have successfully done the following individual AR Invoice Bi-Publisher tasks:
  1. translated an invoice RTF template by attaching an xliff file to the data definition,
  2. applied security attributes to the template to restrict updates on the resulting PDF,
  3. burst a custom AR invoice print and emailed the resultant pdf's.
  The PDF generated by the combined Invoice print correctly applies the translation and security attributes; however when I run the "XML Publisher Report Bursting Program" to the XML file the resultant burst PDF's do not apply the translation or security attributes. I assume this a limitation of bursting control files? If so, is this on the list of future enhancements to Bi-Publisher?
  Here's an example of my control file document entry, I have included locale and pdf-security entries - these don't cause an error but equally don't generate the desired result (p.s. I know I'm emailing on a PRI filter - it's just a test):
  <xapi:document output-type="pdf" delivery="att_email">
  <xapi:template type="rtf"
  location="/usr/tmp/xxxINVOICE3.rtf"
  locale="fr-US"
  pdf-security="true" pdf-encryption-level="1" pdf-permissions-password="xxxxxx"
  filter=".//G_INVOICE_HEADER[PRINTING_OPTION='PRI']" >
  </xapi:template>
  </xapi:document>
  Thanks
  Dave

  =================
  ==Properties Idea's
  =================
  You would have happened to try applying the security stuff in the application for your template? Try that and see if the pdf properties get set.
  If that doesn't work your left with two options:
  1. create a java concurrent program and set the properties manually.
  2. Log a tar.
  =================
  ==local idea's
  =================
  Are you sure you don't have to create template config for the locale? i suspect that's why it's not applying the xliff translation. Also, your NLS_LANG needs to be set to FRENCH for the approriate template to be applied. If your logged-in as english your french format template will not be applied, neither will the translation. As an example you can query vl table and you'll only get american (us) but if you alter your session you'll get the translation for that language when your query the table.
  location="xdo://xxxAR.xxx_XML_PRINT.fr.US"
  try it out and see if that works. Note: This will only work if your session NLS_LANG is set to FRENCH.

• Error While creating Security Attributes (QueryFilterPlugin)

  Hi,
  I am developing a QueryFilterPlugin. For this I need to define security attributes over documents fetched from remote repository(during crawl time). When I try to create a security attribute from an instance of DocumentAcl using method addSecurityAttribute("", "") I get following ProcessingException
  EQG-31202: Security attribute not allowed in identity-based access control crawl.
  What configurations should exist on SES before creating a security attribute.
  Need help
  Regards,
  Shakti

  Sorry about the delay in getting an answer on this...
  <p>
  It seems that your crawler manager class has to implement the "UserDefinedSecurityModel" interface. If it does that, then it will run in attribute-based security mode, whereas if it doesn't it will run in identity-based security mode.
  <p>
  So the declaration for your manager will look something like this:
  <p>
  <br>
  public class MyCrawlerMgr implements CrawlerPluginManager, UserDefinedSecurityModel<br>
  {<br>
  ...<br>
  }<br>
  <p>
  See: javadoc
  <p>
  I raised doc bug 6666752 for this issue, since it's not at all well documented. Our apologies for the difficulty this has caused you!
  <p>
  - Roger

• Loader, Unload SWF and Warning: Ignoring 'secure' attribute........

  Hey all
  I was just simply trying to load one swf into another.  in my document class I have the following line of code in my constructor.
  var loadBoard:LoadBoard = new LoadBoard("Directory.swf");
  in my LoadBoard class:
  package com.myproject
       import flash.display.Loader;
       import flash.display.MovieClip;
       import flash.net.URLRequest;
       public class LoadBoard extends MovieClip
            public function LoadBoard(nameOfBoard:String)
                 var boardLoader:Loader = new Loader();
                 addChild(boardLoader);
                 boardLoader.load(new URLRequest(nameOfBoard));
                 trace("swf should be loaded");
  In my console I get the following when I debug"
  [SWF] U:\fullPath\Directory.swf - 69,058 bytes after decompression
  [SWF] U:\fullPath\Directory.swf - 2,067 bytes after decompression
  [SWF] U:\fullPath\Directory.swf - 322,606 bytes after decompression
  [SWF] U:\fullPath\Directory.swf - 112,558 bytes after decompression
  [Unload SWF] U:\fullPath\Directory.swf
  Warning: Ignoring 'secure' attribute in policy file from http://fpdownload.adobe.com/pub/swz/crossdomain.xml.  The 'secure' attribute is only permitted in HTTPS and socket policy files.  See http://www.adobe.com/go/strict_policy_files for details.
  Not sure why I am getting this warning, when I googled it, the erro has to do with trying to load a file from another domain. My Directory.swf file is in the same location as my main swf, the bin-debug folder.  Also the Directory.swf does not seem to load into my main swf as I don't see it show up in the flash player when i run my app.   I am also a little confused on the [Unload SWF], I am not doing anything to tell it to Unload my swf.
  I am using FB to do all my coding and debugging if that matters.
  Does anyone have any ideas.
  thanks,

  Apparently I was, so I changed it to classic text in my Directory.fla and that seemed to remove the weird error.  However it seem that my swf is still not loading.  any Ideas why that might be?
  [EDIT]  Ok, my Directory swf is defenatly loading. but not showing up in the display list. I updated my LoadBoard to the following.
  package com.aces
       import flash.display.Loader;
       import flash.display.MovieClip;
       import flash.events.Event;
       import flash.net.URLRequest;
       public class LoadBoard extends MovieClip
            public function LoadBoard(nameOfBoard:String)
                 var boardLoader:Loader = new Loader();
                 boardLoader.load(new URLRequest(nameOfBoard));
                 boardLoader.contentLoaderInfo.addEventListener(Event.COMPLETE, finishLoading);
            public function finishLoading(loadEvent:Event):void
                 addChild(loadEvent.currentTarget.content);
                 trace("swf should be loaded");
  any Ideas?
  Thanks,

• PlanAhead - unable to open design - security attributes in generated netlist

  Hello,
  I am using ISE and PlanAhead 14.3 and the design goes fine inside just the ISE flow,
  but does not open in PlanAhead at all when I try to analyze or floor plan the device.
  The exact message is:
  ERROR: [Designutils 20-396] Could not read top design file *.ngc because ngc2edif command failed wit the following message:
  ERROR:NetListWriters - The design contains secured core(s). Creation of the output netlist is prohibited. A license for the secure IP is required from Xilinx.
  My third party IP core provider claims that the issue is known in PlanAheadTM 12.4/13.1:
  "PlanAhead can only be used pre-synthesis with the EtherCAT IP Core (e.g. for pin planning), because
  PlanAhead does not support the security attributes in the generated netlist like ISE. Xilinx is aware of
  this issue."
  My question is: Is that issue still not solved?
  This is a crucial issue for me because I can not easily floorplan or use partitions for my design at the moment.
   

  I'm having exactly the same problem (can't floorplan due to secured core).
  if I understand this answer record correclty, that workaround will only prevent the warning: it won't solve that PlanAhead doesn't show placement results for secured cores.  This will make it very difficult to verify the floorplanning was successful or any idea of how well its going.  It does not solve the problem.
   

• Security attributes, qfp and un-authenticated users

  Hi,
  I have some observations regarding security attributes, query filter plugins and un-authenticated users that I would like your comments on.
  I am developing a custom crawler, a will be using OID for authentication. Not all users will be authenticated (hence they should only have access to content considered public). Authorization is done by the document source (using the option "ACLs controlled by the source").
  I am quite sure that I have read somewhere that not adding a security attribute for a certain document leads to the document being treated as public.
  Observations:
  A) Query filter plugins will only be called for authenticated users
  B) At crawl-time, not adding a defined security attribute leads to the document not being indexed
  Observation B means that my security attribute has to be added for every document (for the public documents populated with a value representing public access). Observation A means that the query filter will not be invoked for un-authenticated users (hence, they won't see any of the indexed documents, since all have security attributes).
  Question:
  How should I ensure that the documents considered public are available for unauthenticated users?
  Regards,
  Rune

  Hi all,
  I seem to have had inaccurate logging , so my assumption A is false.
  Then I have a simple workaround (add a special security attribute value for public documents), and you can forget about my question.
  regards,
  Rune

• Oracle User Admin -- Securing Attribute list

  Hi... does anybody hv the full list of "Securing Attributes" with explaination of how each of them are used.

  Hi,
  Do we have any profile or securing attribute in oracle that can be changed to force oracle to re-Enter password on selecting
  a particular responsibililty.I do not think such a profile exists, but you can manage the session timeout at the responsibility level -- See (Note: 412224.1 - How To Manage Timeout at Responsibility Level). A good practice is to train the end users not to leave their session open or to lock their workstations before leaving it!
  Regards,
  Hussein

• Drilldown depending on the oracle application user's securing attributes

  Hi all,
  I created a html table and I have a specific column that is allowed to drilldown to details but I would like also make this drilldown be depended on the user's securing attributes. If the person has permission the he will see the value and can enter in details, but if he doesnt have the permission he just see the value.
  Any ideas?!?!
  Thanks in advanced,
  Adolfho

  Hi Adolfho,
  you could try binding the Read Only attribute of this item/region through SPEL. For example, if you have a profile and need to give permission only to users that have the "Y" value on this profile, you can add this to the select clause of your VO:
  SELECT fnd_profile.value("profile_name") = 'Y' AS PROF_VALUE
  and then you can put the following expression on the Read only attribute of the region:
  ${!ProfValue}
  You can also do this on the controller by getting a reference to the respective OA Bean and calling setReadOnly(boolean) or setAttribute(READ_ONLY_ATTR, Object)...
  Hope it helps
  Thiago

• Multiple Cisco Security Notice posted in ISC Diary

  September 2,
  Noitced an item posted in the ISC Diary about a vulnerabilities in Cisco's ASA software, including the memory mgmt, RIP, Web Admin interface....
  My question is....how related is the ASA software to the ISA software.....and has Cisco anounced security patches for these yet?
  below is a link to the ISC article.
  http://isc.sans.edu/diary/Multiple+Cisco+Security+Notice/16487
  Any info would be appreciated.
  Rick

  Well, I already saw that there's a patch available for the ASA .....so now I need to know if the ASA software is substantially dissimilar to the ISA's underlying code...
  below is the Cisco link
  http://http://tools.cisco.com/security/center/viewAlert.x?alertId=30607
  thanks in advance, again for any insight offered.
  Rick

• Custom Securing Attribute

  We have Securing Attributes in User Definition Form.
  Navigation: System Administrator > Security > User > Define.
  Is it possible to have a custom value for securing attributes?
  If yes where should I define that?
  Thank You

  Hi,
  Anchorage.India wrote:
  Hi Merlin,
  You can also refer the following ML doc,
  [SECURING ATTRIBUTE: ICX_LEVEL_ALTERED|https://metalink2.oracle.com/metalink/plsql/ml2_documents.showDocument?p_database_id=NOT&p_id=1081522.6]
  Thanks,
  Anchorage :)This document has nothing to do with the question.
  Regards,
  Hussein

• "EQG-31210:Missing security attribute value from document" for crawl CDB

  I am using Secure Enterprise Search to crawl Content Database. But the crawler throws the following exception for all the document the crawler crawled.
  13:18:24:424 INFO     filter_1          submitting doc http://dvod1.cn.oracle.com:7778/content/dav/cn/mtblog/t/te/TEST1/2007/06/only_a_test.html with status: 200
  13:18:24:425 INFO     filter_1          Processing http://dvod1.cn.oracle.com:7778/content/dav/cn/mtblog/t/te/TEST1/2007/06/only_a_test.html
  13:18:24:425 ERROR     filter_1     EQG-31210: Missing security attribute value from document: http://dvod1.cn.oracle.com:7778/content/dav/cn/mtblog/t/te/TEST1/2007/06/only_a_test.html oracle.search.crawler.WebCrawlerException     oracle.search.crawler.URLAccess:processUrlEntry:2759     oracle.search.crawler.CrawlingThread:submitForProcessing:7183     oracle.search.plugin.ocs.cservices.CSBrowse:submit:1727     oracle.search.plugin.ocs.cservices.CSBrowse:processDocument:1334     oracle.search.plugin.ocs.cservices.CSBrowse:processNextItem:1083     oracle.search.plugin.ocs.cservices.CSBrowse:browse:1170     oracle.search.plugin.ocs.cservices.OCSCSPlugin:crawl:154     oracle.search.crawler.CrawlingThread:run:1443

  Hi Juwan,
  Which SES are you using ?
  we had seen such exception in SES 10.1.8 if we try to submit a public document .

• Can I have multiple/separated secure sites/wikis on one server?

  I would like to host several secure wikis on my one iMac running OS X Server (10.8).  I've got the hostname for the primary domain and all of the virtual, primary domains good to go.  It's serving out a secure wiki on servername.domainname.com, which I am also able to access through https://www.domainname.com and/or https://www.otherdomainname.com.  If I replace "domainname" with any of my virtual domains it takes me to the default (hostname) primary domain's secure wiki.  But what I'd really like to be able to do is have multiple such wikis, separated by the different domain names.  Is this possible and how?
  What I've tried, but does not achieve the desired effect is: creating a SSL enabled site.  Doing that actually makes it impossible to get into the default (hostname) primary domain's secure wiki.
  I do have PHP and Python enabled, if that helps at all.
  Thanks in advance.

  niocosys wrote:
  Mark23 wrote:
  You can set the forward to
  www.domain.com/wiki/domain/ in the entry for domain.com
  and
  www.domain2.com/wiki/domain2 in the entry for domain2.com
  Mark23,
  Thanks for the help.  I see what you're saying.  As far as I can tell the address would actually have to be:
  https://www.domain2.com/wiki/projects/domain2/domain_2.html
  That landing page could be treated as a Table of Contents for all pages attached to it.  You're right, it's not as elegant, but it is workable.  That is, until someone simply clicks on "All Wikis" and is taken to the "Table of Contents" (list of all wikis on SSL site) for domain.com.  Still, it's an option.
  I'm going to reply to one of the other options you offered.
  Actually, this wouldn't work as a redirect though because I'd lose the public website, wouldn't I?  The redirect would completely bypass the http: website.  Instead, I'd have to just link each of the secure wikis on the public website for each domain.  Then just tell people not to go into the wikis for the other domains.  Setting up groups and permissions could also take care of that, I guess.