Label Security Group Hierarchy

After reading the LS docs and implementing a test scenario, I am a bit puzzled about something that is happening. Possibly I misinterpreted the documentation.
I have a three level tier of groups. The data all belongs at the third tier as groups L3A, L3B, and L3C (names simplified for this example):
L1
|  \
L2A  L2B
|    |  \
L3A  L3B  L3C  <- ALL DATA AT THIS LEVEL
I have set up the group hierarchy so that L3A's parent is L2A, etc. as shown above. All users have the same R/W access.
The L3 users I created to work with the data at the L3 groups work. The users I created with the L2 group to view the L3 group data work. However, the L1 group user cannot see any of the data at the L3 level. If I set the L1 user to view the L2 groups, it can see the data.
So, it seems that the data selected by group permissions are only rolling up one level (L3 to L2 but not L3 via L2 to L1). Is this the intended functionality, or is this a bug (Solaris 10.1.0.2.0 64bit)?

Bump

Similar Messages

  • OLS Label Security: how users can view own level/compartment/group choices?

    I have an application using OLS (Oracle Label Security) Virtual Database (VDB) for security; to allow users to only view rows to which they have access.
    I'm creating a list of values (LOV) to allow the user to change the level or compartment of a database record to a different value for which they still have access. The view that shows these values is DBA_SA_USER_LEVELS (and COMPARTMENTS, GROUPS) but this view is only visible to DBA users, not the regular user. We are considering giving regular users access to this view, or granting SELECT_ALL_TABLES as suggested in an article I read. However, this approach seems to loosen security, not maintain it.
    How can I allow a user to get a list of levels, compartments or groups available to them without loosening the security on the DBA_* views?
    thanks,
    Scott

    Bump

  • Label Security Limitations

    [10.2.2]
    I've inherited a database that has about 500 groups within one policy. I'm told there is a potential for it to continue to grow at a rate of maybe 10 per year.
    Are there any limitations on the maximum number of groups, categories, etc for label security?

    In
    http://download.oracle.com/docs/cd/B19306_01/network.102/b14267/labels.htm#i1006370
    on 2.2.4 Groups session, we find:
    Groups are optional; a label can contain zero or more groups. Oracle Label Security permits defining up to 10,000 groups.

  • How to export "Managed by" field of Distribution and Security groups and import with new values? (Exchange 2010, AD 2003)

    My Active Directory environment is 2003 functional level and we have Exchange 2010.
    I am trying to find out the best way to do a mass edit for the "Managed by" values of our security and distribution groups.
    I know we can export the "managed by" field by csvde but I am not sure this is the correct way to do it. Also in the case that there are multiple users assigned to be managing a distribution group it only shows one value. Also powershell from Exchange 2010 can be used with "get-distribution" but as our AD environment is 2003 is this correct also?
    Finally once the data is exported to csv can it be edited to then reimport and update the existing group managed by fields with new values?
    Not really sure what the best way to go about this is.
    Summary - We have 2003 AD with Exchange 2010 and I am trying to export a list of all our Distribution/Security groups showing the group name and managedby values so we can edit and update the existing managedby values with new ones. In some cases we have multiple users as the owners.
    Appreciate any advice on how this can be best achieved. Thank you.

    Hi,
    We can use the following command in Exchange 2010 to export "Managed by" field of Distribution and Security groups:
    Get-DistributionGroup | Select-Object Name,@{label="ManagedBy";expression={[string]::join(";",$_.managedby)}},PrimarySmtpAddress | Export-Csv C:\export.csv
    After you changed the Managed by field in export.csv and saved it as a new file named import.csv, we can run the following command to set with new value:
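    # ManagedBy was exported as a ';'-joined string, so split it back into a list of owners
    Import-Csv C:\import.csv | ForEach-Object { Set-DistributionGroup -Identity $_.Name -ManagedBy ($_.ManagedBy -split ';') }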
    Hope it works.
    Thanks,
    Winnie Liang
    TechNet Community Support

  • Using Content Manager with OLS - Oracle Label Security

    There are two entries in this forum with OLS - the last one in 2005.
    Has any one successfully deployed UCM with OLS?
    Thanks,
    Paul

    Yes I have with 10gr3
    It can be made to work but perhaps not in the way you want (per user?). Your label security will need to have policies based on something.
    I did a proof of concept using Security Group column as the 'label'. Then applied VPD policies based on which network the request came from (1 DB rac node in each network).
    In my case I wanted to show ALL content to a secure network but a subset of content to the lower security network. For this use case it is ideal.
    It worked flawlessly...not supported though
    Apparently OLS is on roadmap for UCM (WCC) so ask Oracle and see if you can find out if it is slated for any particular release yet.
    Tim

  • Using non-alphabetical symbols in Oracle Label Security API

    I decided to use Oracle Label Security Release 9.0.1, but I have some problems in realization. When I try to use function sa_policy_admin.apply_table_policy with the following parameters:
    sa_policy_admin.apply_table_policy(
    POLICY_NAME => 'policy1',
    SCHEMA_NAME => 'domain1\user1',
    TABLE_NAME => 'table1'
    );
    I receive messages:
    ORA-00604: error occurred at recursive SQL level 1
    ORA-00911: invalid character
    ORA-00911: invalid character
    ORA-06512: at "LBACSYS.LBAC_POLICY_ADMIN", line 251
    ORA-06512: at line 2
    Tell me please, may be there are any limitations on parameter SCHEMA_NAME in function, because this function can't understand symbol "\".
    Note 1: It is obligatory to use symbol "\" in schema_name, because I have to connect to DB as external user (user of Windows 2000 Server).
    Note 2: ORA-00911 invalid character
    Cause: Special characters are valid only in certain places. If special characters other than $, _, and # are used in a name and the name is not enclosed in double quotation marks ("), this message will be issued. One exception to this rule is for database names; in this case, double quotes are stripped out and ignored.
    Action: Remove the invalid character from the statement or encl

  • NOOB Question Network Security Groups

    It appears I need to use Powershell to create NSG's etc so stupid question is where do I run the powershell to create the NSG from the command "New-AzureNetworkSecurityGroup" on a particular VM within Azure?

    Hi,
    You could install Azure PowerShell in your Azure VM or in your Local Machine as well.
    Please refer the following link to install PowerShell:
    http://azure.microsoft.com/en-in/documentation/articles/powershell-install-configure/
    I ran the following command in my Local Machine to create a Network Security Group and it worked successfully:
    New-AzureNetworkSecurityGroup -Name "******" -Location "******" -Label "*******"
    Regards,
    Malar.

  • Is there a way for an end user to see who has membership in a security group

    Windows Server 2008 R2
    Active Directory Domain
    Windows 7 workstations
    I am looking for a way that my end users can look at a folder security tab and then discover who has membership in the security groups listed.
    Is that possible? Any drawbacks or concerns?

    Hi Tod,
    Based on my research, other than viewing group membership in ADUC, we can use this PowerShell cmdlet
    Get-ADGroupMember GroupName and Net Group GroupName to view members in a group:
    However, these commands can only be used on Domain Controllers or when connecting to DCs remotely. That’s because accounts and account membership are stored on Domain Controllers, therefore we can only view group membership on DCs.
    More information for you:
    Viewing the Direct Members of a Group
    http://technet.microsoft.com/en-us/library/dd391915(v=WS.10).aspx
    Net group
    http://technet.microsoft.com/en-us/library/cc754051.aspx
    Best Regards,
    Amy

  • Not able to set security group without mail enabled as site collection admin using powershell in sharepoint online site - office 365

    not able to set security group without mail enabled as site collection admin using powershell in sharepoint online site - office 365?
    Any idea?

    After a few days of testing in my lab, I can see that only email-enabled groups can be added as site collection admin using PowerShell.
    Hope this helps anyone stuck like me!! :-)

  • How to install Oracle Label Security in Oracle Database 10g EE

    Hello All
    I just want to know how to install Oracle Label Security in Oracle 10g Database EE.
    I read in Oracle Enterprise Manager Grid Control Installation and Basic Configuration that Label Security must be installed before installing Enterprise Manager Grid Control.
    I have Oracle Database 10g Release 1 (10.1.0.1) on my Windows XP System, and I patch it to 10.1.0.3.
    M.
    Sorry about my English.

    The options are to connect to Oracle Policy Manager or use Oracle Internet Directory (OID) to administer Oracle Label Security.
    Find more ways in the Documentation here:
    http://download-uk.oracle.com/docs/cd/B19306_01/network.102/b14267/toc.htm

  • Project Server 2010: PWA Removing Default Project Site Security Groups When Creating a New Project

    I looked for this specific issue with Project Server 2010/PWA/SharePoint and could not find an exact answer... hopefully someone can help.
    We are currently using Project Server 2010 and have a number of project site templates that are used dependent upon the enterprise project type selected. Each of these project site templates have unique permissions which should create the default security groups on the project site upon publishing/syncing:
    <Project Name> Members
    <Project Name> Owners
    <Project Name> Visitors
    <Project Name> Project Managers (Project Web App Synchronized)
    <Project Name> Team Members (Project Web App Synchronized)
    Web Administrators (Project Web App Synchronized)
    Whether a user creates a project through PWA or Project Pro 2010 and imports the project into PWA, we get a weird result in the Site Permissions of the newly created project site. PWA will remove all default security groups from the project site template and add a whole list of users in the Site Permissions list without groups.
    Once the project is published and the project site is created, we can then go back and add those default security groups back in the project Site Permissions and even add a couple of custom groups without them being removed on all subsequent project syncs or publishing.
    How do we get PWA to not overwrite the project site templates' security groups and place each user in the proper default security groups? At the same time, how is PWA adding a number of users into the Project Site Permissions?
    Thanks in advance.

    Paul,
    Thanks for that information. Right now we are using the Test environment to turn the Auto-sync feature back on. I suspect that the reason this is happening is due to PWA groups/categories/security templates. There may be more than one PWA group that is "overwriting" the default project site groups upon initial creation of the project. We will look further into the security settings to tighten up the policies.

  • Security Group for SharePoint 2013 Online Enterprise 3

    I need to copy all the user account names from one SharePoint Security group to a different SharePoint Security group in the same single tenant.
    I can not figure out how to do this.
    Thanks.
    Dawn

    Call your local Microsoft office (any office may do, but info from your local office will be more accurate), and ask for the Account Manager for SMB (small to medium businesses) in the education sector.
    Scott Brickey
    MCTS, MCPD, MCITP
    www.sbrickey.com
    Strategic Data Systems - for all your SharePoint needs

  • Using a security group to add members to the collection question

    Hi,
    I have a collection created in SCCM 2007 that is using a security group for membership. So I added a computer to the security group in AD but when I go to SCCM and click on the collection I don't see the computer in the collection. Should it show here or because it is a security group based membership will it not show the members?
    Thanks!

    Details from Active directory are added to SCCM database through discovery methods. Please ensure that AD security group discovery and AD system discovery are enabled in the primary site. If they are enabled, check the frequency set for these discovery methods. Once you added these computers to the AD group, you need to wait till the next discovery cycle before it appears in SCCM collections. Till that point, SCCM database will not have information about the group memberships of these computers.

  • Unable to change members of AD security groups who have access to shared mailboxes

    I have an exchange 2013 running for over a year now and never had any problems with it. Until recently.
    A request came in to make a new shared mailbox. So I did just that and gave rights to a security (not mail enabled) AD group. Just like I always do. Everything worked fine. A few hours later I did exactly the same for another request and then the people could not access the shared mailbox. So I added my regular user to the AD group and I also couldn't (I tested it with OWA and Outlook). I tried to remove myself from one of my own shared mailboxes and the permissions wouldn't stick. When I removed the entire group then the permissions were gone (and I could not access the shared mailbox). When I added it back I had my permissions back but still wasn't in the group. Then I tried adding a distribution group with the same result.
    It seems when I add normal users directly to the permissions everything works.
    When I had to restart the server a few days later. All changes were applied but I could not change it again.
    I'm a bit stumped on this one. I'm out of options.

    Hi Jelle,
    "I did exactly the same for another request and then the people could not access the shared mailbox.", I would like to verify if you give the same Security Group rights to multiple shared mailboxes.
    If the security group members can't have access to all the shared mailboxes they have rights, you can recreate a security group and grant permissions to shared mailboxes one by one to check the result.
    Hope this can be helpful to you.
    Best regards,
    Amy Wang
    TechNet Community Support

  • Can I deploy 2 computer GPO for 2 different Security Groups to the same machine?

    Hi
    this is my scenario
    I have 2 different security group ( in a domain ) and i would like to deploy 2 different Computer GPO depends by the user SG membership
    this is a terminal server ( 2k12) and I would like  have the computer GPO policy/admin template/windows components/remote desktop session host/profile different for each security group.
    thanks
    Marco

    > I have 2 different security group ( in a domain ) and i would like to
    > deploy 2 different Computer GPO depends by the user SG membership
    Not really, but for some settings there is a workaround... ->
    http://evilgpo.blogspot.de/2012/03/how-to-save-my-screen.html
    > this is a terminal server ( 2k12) and I would like  have the computer
    > GPO policy/admin template/windows components/remote desktop session
    > host/profile different for each security group.
    For THIS setting, it definitely does NOT work. The profile path must be
    known BEFORE the user is logged on and this means BEFORE any user
    specific settings can be processed.
    Martin
    How about reading a GOOD book about GPOs?
    NO THEY ARE NOT EVIL, if you know what you are doing:
    Good or bad GPOs?
    And if IT bothers me - coke bottle design refreshment :))
