Label Security Group Hierarchy
After reading the LS docs and implementing a test scenario, I am a bit puzzled about something that is happening. Possibly I misinterpreted the documentation.
I have a three level tier of groups. The data all belongs at the third tier as groups L3A, L3B, and L3C (names simplified for this example):
L1
|   \
L2A  L2B
|    |   \
L3A  L3B  L3C   <- ALL DATA AT THIS LEVEL
I have set up the group hierarchy so that L3A's parent is L2A, etc., as shown above. All users have the same R/W access.
The L3 users I created to work with the data at the L3 groups work. The users I created with the L2 group to view the L3 group data work. However, the L1 group user cannot see any of the data at the L3 level. If I set the L1 user to view the L2 groups, it can see the data.
So, it seems that the data selected by group permissions are only rolling up one level (L3 to L2 but not L3 via L2 to L1). Is this the intended functionality, or is this a bug (Solaris 10.1.0.2.0 64bit)?
Bump
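A minimal reproduction of the hierarchy described above, for checking whether the parent chain is stored as intended and what each tier's user actually sees. This is an added example, not part of the original post; the policy name LS_POL, the column LS_COL, the level PUB, the users U_L1/U_L2B/U_L3C (assumed to exist already) and the protected table DOCS are all assumptions.

```sql
-- Added example. LS_POL, LS_COL, PUB, U_L1/U_L2B/U_L3C and DOCS are assumed names.
-- Run this block as LBACSYS.
BEGIN
  SA_SYSDBA.CREATE_POLICY(policy_name     => 'LS_POL',
                          column_name     => 'LS_COL',
                          default_options => 'READ_CONTROL,WRITE_CONTROL');

  -- Every label needs a level; a single level keeps the test about groups only.
  SA_COMPONENTS.CREATE_LEVEL('LS_POL', 10, 'PUB', 'PUBLIC');

  -- A parent group must exist before its children reference it.
  SA_COMPONENTS.CREATE_GROUP('LS_POL', 100, 'L1',  'TIER 1',  NULL);
  SA_COMPONENTS.CREATE_GROUP('LS_POL', 210, 'L2A', 'TIER 2A', 'L1');
  SA_COMPONENTS.CREATE_GROUP('LS_POL', 220, 'L2B', 'TIER 2B', 'L1');
  SA_COMPONENTS.CREATE_GROUP('LS_POL', 310, 'L3A', 'TIER 3A', 'L2A');
  SA_COMPONENTS.CREATE_GROUP('LS_POL', 320, 'L3B', 'TIER 3B', 'L2B');
  SA_COMPONENTS.CREATE_GROUP('LS_POL', 330, 'L3C', 'TIER 3C', 'L2B');

  -- One test user per tier, each authorized for exactly one group.
  FOR u IN (SELECT 'U_L1' usr, 'L1' grp FROM dual UNION ALL
            SELECT 'U_L2B', 'L2B' FROM dual UNION ALL
            SELECT 'U_L3C', 'L3C' FROM dual) LOOP
    SA_USER_ADMIN.SET_LEVELS('LS_POL', u.usr, 'PUB');
    SA_USER_ADMIN.SET_GROUPS('LS_POL', u.usr,
                             read_groups => u.grp, write_groups => u.grp);
  END LOOP;
END;
/

-- Check 1 (as an administrator): walk the stored parent chain from the root.
-- Every L3 group should appear indented two steps below L1.
SELECT LPAD(' ', 2 * (LEVEL - 1)) || short_name AS grp, parent_name
FROM   dba_sa_groups
WHERE  policy_name = 'LS_POL'
START WITH parent_num IS NULL
CONNECT BY PRIOR group_num = parent_num
       AND PRIOR policy_name = policy_name;

-- Check 2 (connected as each test user in turn): the session label in effect,
-- then which row labels of the protected table are visible to that user.
SELECT SA_SESSION.LABEL('LS_POL') AS session_label FROM dual;

SELECT LABEL_TO_CHAR(ls_col) AS row_label, COUNT(*) AS visible_rows
FROM   docs
GROUP  BY LABEL_TO_CHAR(ls_col);
```

Comparing the output of check 2 across the three users shows at which tier visibility of the L3 row labels stops.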
Similar Messages
-
OLS Label Security: how users can view own level/compartment/group choices?
I have an application using OLS (Oracle Label Security) Virtual Database (VDB) for security; to allow users to only view rows to which they have access.
I'm creating a list of values (LOV) to allow the user to change the level or compartment of a database record to a different value for which they still have access. The views that show these values is DBA_SA_USER_LEVELS (and COMPARTMENTS, GROUPS) but this view is only visible to DBA users, not the regular user. We are considering giving regular users access to this view, or granting SELECT_ALL_TABLES as suggested in an article I read. However, this approach seems to loosen security, not maintain it.
How can I allow a user to get a list of levels, compartments or groups available to them without loosening the security on the DBA_* views?
thanks,
Scott
Bump
-
[10.2.2]
I've inherited a database that has about 500 groups within one policy. I'm told there is a potential for it to continue to grow at a rate of maybe 10 per year.
Are there any limitations on the maximum number of groups, categories, etc. for label security?
In
http://download.oracle.com/docs/cd/B19306_01/network.102/b14267/labels.htm#i1006370
in the 2.2.4 Groups section, we find:
Groups are optional; a label can contain zero or more groups. Oracle Label Security permits defining up to 10,000 groups. -
My Active Directory environment is 2003 functional level and we have Exchange 2010.
I am trying to find out the best way to do a mass edit for the "Managed by" values of our security and distribution groups.
I know we can export the "managed by" field by csvde but I am not sure this is the correct way to do it. Also in the case that there are multiple users assigned to be managing a distribution group it only shows one value. Also powershell from Exchange
2010 can be used with "get-distribution" but as our AD environment is 2003 is this correct also?
Finally, once the data is exported to csv, can it be edited to then reimport and update the existing group managed by fields with new values?
Not really sure what the best way to go about this is.
Summary - We have 2003 AD with Exchange 2010 and I am trying to export a list of all our Distribution/Security groups showing the group name and managedby values so we can edit and update the
existing managedby values with new ones. In some cases we have multiple users as the owners.
Appreciate any advice on how this can be best achieved. Thank you.
Hi,
We can use the following command in Exchange 2010 to export "Managed by" field of Distribution and Security groups:
Get-DistributionGroup | Select-Object Name,@{label="ManagedBy";expression={[string]::join(";",$_.managedby)}},Primarysmtpaddress | Export-Csv C:\export.csv
After you changed the Managed by field in export.csv and saved it as a new file named import.csv, we can run the following command to set with new value:
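# ManagedBy was exported as one ";"-joined string, so split it back into a list of owners
Import-Csv C:\import.csv | Foreach-Object { Set-DistributionGroup -Identity $_.Name -ManagedBy ($_.ManagedBy -split ';') }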
Hope it works.
Thanks,
Winnie Liang
TechNet Community Support -
Using Content Manager with OLS - Oracle Label Security
There are two entries in this forum with OLS - the last one in 2005.
Has any one successfully deployed UCM with OLS?
Thanks,
Paul
Yes I have with 10gr3
It can be made to work but perhaps not in the way you want (per user?). Your label security will need to have policies based on something.
I did a proof of concept using Security Group column as the 'label'. Then applied VPD policies based on which network the request came from (1 DB rac node in each network).
In my case I wanted to show ALL content to a secure network but a subset of content to the lower security network. For this use case it is ideal.
It worked flawlessly...not supported though
Apparently OLS is on roadmap or UCM (WCC) so ask Oracle and see if you can find out if it is slated for any particular release yet.
Tim -
Using non-alphabetical symbols in Oracle Label Security API
I decide to use Oracle Label Security Release 9.0.1 , but I have some problems in realization . When I try to use function sa_policy_admin.apply_table_policy with
following parameters:
sa_policy_admin.apply_table_policy(
POLICY_NAME => 'policy1',
SCHEMA_NAME => 'domain1\user1',
TABLE_NAME => 'table1'
);
I receive messages :
ORA-00604: error occurred at recursive SQL level 1
ORA-00911: invalid character
ORA-00911: invalid character
ORA-06512: at "LBACSYS.LBAC_POLICY_ADMIN", line 251
ORA-06512: at line 2
Tell me please , may be there are any limitations on parameter SCHEMA_NAME in function ,
because this function can't understand symbol "\".
Note 1: It is obligatory to use symbol "\" in schema_name ,
because I have to connect to DB as external user (user of Windows 2000 Server).
Note 2: ORA-00911 invalid character
Cause: Special characters are valid only in certain places. If special characters other than $, _, and # are used in a name and the name is not enclosed in double quotation marks ("), this message will be issued. One exception to this rule is for database names; in this case, double quotes are stripped out and ignored.
Action: Remove the invalid character from the statement or encl
Long postings are being truncated to ~1 kB at this time. -
NOOB Question Network Security Groups
It appears I need to use PowerShell to create NSGs etc., so stupid question is where do I run the PowerShell to create the NSG from the command "New-AzureNetworkSecurityGroup"
on a particular VM within Azure?
Hi,
You could install Azure PowerShell in your Azure VM or in your Local Machine as well.
Please refer the following link to install PowerShell:
http://azure.microsoft.com/en-in/documentation/articles/powershell-install-configure/
I ran the following command in my Local Machine to create a Network Security Group and it worked successfully:
New-AzureNetworkSecurityGroup -Name "******" -Location "******" -Label "*******"
Regards,
Malar. -
Is there a way for an end user to see who has membership in a security group
Windows Server 2008 R2
Active Directory Domain
Windows 7 workstations
I am looking for a way that my end users can look at a folder security tab and then discover who has membership in the security groups listed.
Is that possible? Any drawbacks or concerns?
Hi Tod,
Based on my research, other than viewing group membership in ADUC, we can use this PowerShell cmdlet
Get-ADGroupMember GroupName and Net Group GroupName to view members in a group:
However, these commands can only be used on Domain Controllers or when connecting to DCs remotely. That’s because accounts and account membership are stored on Domain Controllers, therefore we can only view group membership on DCs.
More information for you:
Viewing the Direct Members of a Group
http://technet.microsoft.com/en-us/library/dd391915(v=WS.10).aspx
Net group
http://technet.microsoft.com/en-us/library/cc754051.aspx
Best Regards,
Amy -
not able to set security group without mail enabled as site collection admin using powershell in sharepoint online site - office 365?
Any idea?
After a few days of testing in my lab, I can see that only email-enabled groups can be added as site collection admin using PowerShell.
Hope this helps anyone who is stuck like me!! :-) -
How to install Oracle Label Security in Oracle Database 10g EE
Hello All
I just want to know how to install Oracle Label Security in Oracle 10g Database EE.
I read in Oracle Enterprise Manager Grid Control Installation and Basic Configuration that Label Security must be installed before installing Enterprise Manager Grid Control.
I have Oracle Database 10g Release 1 (10.1.0.1) on my Windows XP System, and I patch it to 10.1.0.3.
M.
Sorry about my English.
The options are to connect to Oracle Policy Manager or use Oracle Internet Directory (OID) to administer Oracle Label Security.
Find more ways in the Documentation here:
http://download-uk.oracle.com/docs/cd/B19306_01/network.102/b14267/toc.htm -
I looked for this specific issue with Project Server 2010/PWA/SharePoint and could not find an exact answer... hopefully someone can help.
We are currently using Project Server 2010 and have a number of project site templates that are used dependent upon the enterprise project type selected. Each of these project site templates have unique permissions which should create the default security
groups on the project site upon publishing/syncing:
<Project Name> Members
<Project Name> Owners
<Project Name> Visitors
<Project Name> Project Managers (Project Web App Synchronized)
<Project Name> Team Members (Project Web App Synchronized)
Web Administrators (Project Web App Synchronized)
Whether a user creates a project through PWA or Project Pro 2010 and imports the project into PWA, we get a weird result in the Site Permissions of the newly created project site. PWA will remove all default security groups from the project site template
and add a whole list of users in the Site Permissions list without groups.
Once the project is published and the project site is created, we can then go back and add those default security groups back in the project Site Permissions and even add a couple of custom groups without them being removed on all subsequent project syncs
or publishing.
How do we get PWA to not overwrite the project site templates' security groups and place each user in the proper default security groups? At the same time, how is PWA adding a number of users into the Project Site Permissions?
Thanks in advance.
Paul,
Thanks for that information. Right now we are using the Test environment to turn the Auto-sync feature back on. I suspect that the reason this is happening is due to PWA groups/categories/security templates. There may be more than one PWA group that is "overwriting"
the default project site groups upon initial creation of the project. We will look further into the security settings to tighten up the policies. -
Security Group for SharePoint 2013 Online Enterprise 3
I need to copy all the user account names from one SharePoint Security group to a different SharePoint Security group in the same single tenant.
I can not figure out how to do this.
Thanks.
Dawn
Call your local Microsoft office (any office may do, but info from your local office will be more accurate), and ask for the
Account Manager for SMB (small to medium businesses) in the
education sector.
Scott Brickey
MCTS, MCPD, MCITP
www.sbrickey.com
Strategic Data Systems - for all your SharePoint needs -
Using a security group to add members to the collection question
Hi,
I have a collection created in SCCM 2007 that is using a security group for membership. So I added a computer to the security group in AD, but when I go to SCCM and click on the collection I don't see the computer in the collection. Should it show here or
because it is a security group based membership will it not show the members?
Thanks!
Details from Active Directory are added to the SCCM database through discovery methods. Please ensure that AD security group discovery and AD system discovery are enabled in the primary site. If they are enabled, check the frequency set for these discovery
methods. Once you added these computers to the AD group, you need to wait till the next discovery cycle before it appears in SCCM collections. Till that point, SCCM database will not have information about the group memberships of these computers -
Unable to change members of AD security groups who have access to shared mailboxes
I have an exchange 2013 running for over a year now and never had any problems with it. Until recently.
A request came in to make a new shared mailbox. So I did just that and gave rights to a security (not mail enabled) AD group. Just like I Always do. Everything worked fine. A few hours later I did exactly the same for another request and then the people
could not access the shared mailbox. So I added my regular user to the AD group and I also couldn't (I tested it with OWA and Outlook). I tried to remove myself of one of my own shared mailboxes and the permissions wouldn't stick. When I removed the entire
group then the permissions were gone(and I could not access the shared mailbox). When I added it back I had my permissions back but still wasn't in the group. Then I tried adding a distribution group with the same result.
It seems when I add normal users directly to the permissions everything works.
When I had to restart the server a few days later. All changes were applied but I could not change it again.
I'm a bit stumped on this one. I'm out of options.
Hi Jelle,
"I did exactly the same for another request and then the people could not access the shared mailbox.", I would like to verify if you give the same Security Group rights to multiple shared mailboxes.
If the security group members can't have access to all the shared mailboxes they have rights, you can recreate a security group and grant permissions to shared mailboxes one by one to check the result.
Hope this can be helpful to you.
Best regards,
Amy Wang
TechNet Community Support -
Can I deploy 2 computer GPO for 2 different Security Groups to the same machine?
Hi
this is my scenario
I have 2 different security group ( in a domain ) and i would like to deploy 2 different Computer GPO depends by the user SG membership
this is a terminal server ( 2k12) and I would like have the computer GPO policy/admin template/windows components/remote desktop session host/profile different for each security group.
thanks
Marco
> I have 2 different security group ( in a domain ) and i would like to
> deploy 2 different Computer GPO depends by the user SG membership
Not really, but for some settings there is a workaround... ->
http://evilgpo.blogspot.de/2012/03/how-to-save-my-screen.html
> this is a terminal server ( 2k12) and I would like have the computer
> GPO policy/admin template/windows components/remote desktop session
> host/profile different for each security group.
For THIS setting, it definitely does NOT work. The profile path must be
known BEFORE the user is logged on and this means BEFORE any user
specific settings can be processed.
Martin
Want to read a GOOD book about GPOs?
NO THEY ARE NOT EVIL, if you know what you are doing:
Good or bad GPOs?
And if IT bothers me - coke bottle design refreshment :))