LDAP and everyone group

Similar Messages

• Difference between Domain\Domain Users and Everyone Group in SharePoint

  Hi,
  In SharePoint 2013, is Everyone Group an AD group ? Please help with details.
  Thanks
  srabon

  Hi All,
  Domain Users, Authenticated Users, or Everyone
  Domain Users
  The Domain Users is the only real group of the 3 listed above.  By that I mean you can add and remove members from this group.  Domain Users is a Global Group in the domain, and it can only contain users that are members of same domain the Domain
  Users group resides in.  By default all users created in the domain are automatically members of this group.  However, the  default Guest account in the domain is NOT a member of Domain Users, instead it is placed in the Domain Guest group.
  Because Domain Users is generally considered the most secure group of the three listed above.
  Authenticated Users
  Authenticated Users was first introduced in Windows NT 4.0 SP3.  This is a built-in group and cannot be modified.  The Authenticated Users group contains users who have authenticated to the domain or a domain that is trusted by the computer domain. 
  Authenticated Users contains all manually created user accounts in all trusted domains regardless of whether they are a member of the Domain Users group or not.  Authenticated Users specifically does not contain the built-in Guest account, but will contain
  other users created and added to Domain Guests.The Authenticated Users group also includes the local computer account (computername$) and the built-in SYSTEM account. 
  Everyone group
  The Everyone group includes all members of the Domain Users, Authenticated Users group as well as the built-in Guest account, and several other Built-in security identifiers like SERVICE, LOCAL_SERVICE, NETWORK_SERVICE, etc.  NULL session connections (aka
  anonymous logon) used to be included in this group but were removed in Windows 2003.  This is a built-in group that cannot be modified.Because the Everyone group contains the Guest account, and several other Built-in security identifiers like SERVICE,
  LOCAL_SERVICE, NETWORK_SERVICE, etc. is generally considered the least secure of the three groups.
  Short Answer is there isn't much to worry about unless folks are logging I with a guest account or you have removed a bunch of folks from the domain users group
  -Ivan

• LDAP and Notes Group Security Authentication Troubles

  First, my apologies if this is in the wrong forum, but after looking at the forum names a few times this seemed the most appropriate.
  I have a PDF file that I would like to have access restricted to a certain group on my organization's directory server. I'm kind of the new guy here, so I'm not 100% certain on this, but I'm pretty sure that our setup is:
  A Lotus Domino LDAP server storing the directory information in a Lotus Notes database. Each user has a Notes certificate stored on the server for authentication to various databases we have on our intranet.
  I've entered the LDAP server information in the Security Settings... window in Acrobat, and I'm sure its correct as I can use the same information to browse the LDAP server with Softerra LDAP browser. There is no authentication required, but the server might restrict access based on domain; I'm not sure (shouldn't matter). Anyway, when I go to Manage Trusted Identities... then Add Contacts, then Search, I can never get any results to return.
  I wish to only allow users in a certain group, CN=ALLOWED - GROUP, to have access to the PDF. I feel that there should be a way to accomplish this with the Notes certificates. Anyone know what I'm doing wrong or need to do?
  If something I've said is wrong or unclear, I'd be happy to try again; this sort of thing isn't my forte.
  Thanks in advance,
  Mark

  > I guess the CA is the machine that's hosting the Lotus notes database
  No, the CA is merely an "entity". It's your Certificate Authority, the master certificate used to sign and authenticate all subsidiary certificates. You are talking about setting this up as a PKI for signature validation and managed security, right? Or am I way off base with your workflow and leading you away from where you should be (if so, feel free to ignore me - lots of people do)?
  Leonard is right though, for securing individual PDFs to a specific group you would need LiveCycle Rights Management ES. The security needs to be in the PDF itself otherwise its useless. Say you configure your security at an application level, as you are trying to do, and then someone copies the PDF to a USB key and takes it home. No longer on your network, so they can now freely open the document.

• RDBMSRealm, everyone group, guest user

  Hi folks, I'm having some fun with the rdbms realm lately and have a few
  questions.
  We're using the RDBMSRealm example with form based auth under WLS 5.1 SP 9 and
  have the following in web.xml
  <security-constraint>
  <web-resource-collection>
  <web-resource-name>All Pages</web-resource-name>
       <description>These pages are only accessible by all authorised xyz users.</description>
  <url-pattern>*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
  <description>These are the roles that have access</description>
  <role-name>
  xyz
  </role-name>
  </auth-constraint>
  </security-constraint>
  <security-role>
  <description>All application users</description>
  <role-name>
  xyz
  </role-name>
  </security-role>
  which basically says that every page in the web-app requires a user to be in the
  xyz role and does seem to work fine.
  Now, what I'd like to do is to allow everyone to access one particular page
  within the application (that is, this page does not require the xyz role). So
  something like the following would be great.
  <security-constraint>
  <web-resource-collection>
  <web-resource-name>Some Particular Page</web-resource-name>
       <description>This page is accessible to everyeone.</description>
  <url-pattern>/particular/page.jsp</url-pattern>
  </web-resource-collection>
  <auth-constraint>
  <description>everyone can get at this page.</description>
  <role-name>everyone</role-name>
  </auth-constraint>
  </security-constraint>
  However, this doesn't seem to work, I get redirected to the form based login
  page and once I've logged in can get to the page that I'm hoping shouldn't
  require a logged in user.
  So I'm wondering about the xml syntax and semantics.
  - What are the rules around specific and general mappings, like will a
  more specific mapping be used before falling back to the general mapping?
  - Are the mappings applied in order (first to last) and the first match
  taken?
  - Are the rules according to section 10 of the servlet spec applicable here?
  Now my problem might also be the RDBMSRealm its self -- I'm also having some
  problems with the everyone group and the guest user. If I remove the first
  constraint above and only include the /particular/page.jsp constraint to the
  everyone group things still don't seem to work right.
  I can see the realm call getGroup("everyone") and getUser("guest) but both
  calls return null, since these principals are not in our database
  tables. However, if I hit http://localhost:7001/AdminRealm I do see a list of
  all groups that our RDBMSRealm knows about and I also see the everyone group
  which contains system and guest users and so I have more questions.
  - Does CachingRealm fall back to the standard properties realm if it gets nulls
  from the RDBMSDelegate?
  - Does the everyone group include unauthenticated users (i.e. guest) as I'm
  hoping?
  I've tried adding an instance of weblogic.security.acl.Everyone to my
  RDBMSDelegate class and checking if the call to getGroup is looking for
  "everyone" in which case I return this instance but this doesn't seem to do
  anything either. I also tried adding this everyone group to the list returned
  by getGroups but that didn't help and I carried the idea through to getUser and
  getUsers with a guest user but again no luck. I'm always forced to authenticate
  before I can get to the page that should allow anyone (everyone) to see it.
  Any help, ideas, advice, beer, etc. would be much appreciated!
  Thanks,
  Derek

  THorner <[email protected]> writes:
  RDBMSRealm, everyone group, guest user
  Update-I've got it working.
  AS well as the isMember change mentioned below I altered getPrincipal
  for both the RDBMSRealm class
  if(name.equals("guest")){return createUser("guest","guest");}
  if(name.equals("everyone")){return new Everyone(this);}
  and RDBMSDelegate
  if(name.equals("guest")){return realm.createUser("guest","guest");}
  if(name.equals("everyone")){return new
  weblogic.security.acl.Everyone(realm);}
  did something to RDBMSUser so that guest always authenticates
  (alternatively you could put the guest user on the database, surely?)I did see various examples of the guest and everyone additions to the realm
  code, but I also read some stuff that indicated that if the rdbms realm returns
  null for these requests then the caching realm should fall back to the standard
  properties realm which does have the guest user and everyone group defined.
  With the debugging turned on this does seem to be what it does and the
  guest/everyone code doesn't seem to be needed. I also checked the
  http://localhost:7001/AdminRealm servlet and did see the everyone group with
  system and guest users as part of it.
  >
  Allow guest access to the file servlet (otherwise they can't be sent any
  HTML pages - my best guess would be that this is your problem).This was probably part of the problem, judging by the messages from the realm
  debugging.
  Also I altered weblogicURL.policy to allow 'everyone' access to the page
  that was to be unrestricted - so I guess you should set
  I hope this helps, if not (and you haven't already) turn on RDBMSRealm
  debugging - eventually I found the information useful (in that it tends
  to tell you what it has last been looking for, and the methods used)In the end, I found that specifying that the everyone group is required for a
  particular resource didn't seem to work. Instead I protected the majority of my
  application with a set of rules and left all other pages without any matching
  rules and the guest user then seems to work ok.
  The servlet 2.3 spec has an addition to the <role-name> tag which allows a * to
  indicate all roles but this isn't in the 2.2 spec.
  Thanks for the help!
  Cheers,
  Derek
  >
  terry
  -----Original Message-----
  From: THorner
  I am working on something similar (although not in a war),
  which isn't working yet, but I can tell you a couple of
  things that I have come across.
  -----Original Message-----
  From: [email protected]
  [mailto:[email protected]]On Behalf Of Derek
  Scherger
  Posted At: Mon 04 June 2001 22:13
  Posted To: weblogic.developer.interest.security
  Conversation: RDBMSRealm, everyone group, guest user
  Subject: RDBMSRealm, everyone group, guest user
  Hi folks, I'm having some fun with the rdbms realm lately and
  have a few
  questions.
  We're using the RDBMSRealm example with form based auth under
  WLS 5.1 SP 9 and
  have the following in web.xml
  <security-constraint>
  <web-resource-collection>
  <web-resource-name>All Pages</web-resource-name>
       <description>These pages are only accessible by all
  authorised xyz users.</description>
  <url-pattern>*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
  <description>These are the roles that have
  access</description>
  <role-name>
  xyz
  </role-name>
  </auth-constraint>
  </security-constraint>
  <security-role>
  <description>All application users</description>
  <role-name>
  xyz
  </role-name>
  </security-role>
  which basically says that every page in the web-app requires
  a user to be in the
  xyz role and does seem to work fine.
  Now, what I'd like to do is to allow everyone to access one
  particular page
  within the application (that is, this page does not require
  the xyz role). So
  something like the following would be great.
  <security-constraint>
  <web-resource-collection>
  <web-resource-name>Some Particular Page</web-resource-name>
       <description>This page is accessible to
  everyeone.</description>
  <url-pattern>/particular/page.jsp</url-pattern>
  </web-resource-collection>
  <auth-constraint>
  <description>everyone can get at this page.</description>
  <role-name>everyone</role-name>
  </auth-constraint>
  </security-constraint>
  However, this doesn't seem to work, I get redirected to the
  form based login
  page and once I've logged in can get to the page that I'm
  hoping shouldn't
  require a logged in user.
  So I'm wondering about the xml syntax and semantics.
  - What are the rules around specific and general mappings, like will a
  more specific mapping be used before falling back to the
  general mapping?
  - Are the mappings applied in order (first to last) and the
  first match
  taken?
  - Are the rules according to section 10 of the servlet spec
  applicable here?
  Now my problem might also be the RDBMSRealm its self -- I'm
  also having some
  problems with the everyone group and the guest user. If I
  remove the first
  constraint above and only include the /particular/page.jsp
  constraint to the
  everyone group things still don't seem to work right.
  I can see the realm call getGroup("everyone") and
  getUser("guest) but both
  calls return null, since these principals are not in our database
  tables. However, if I hit http://localhost:7001/AdminRealm I
  do see a list of
  all groups that our RDBMSRealm knows about and I also see the
  everyone group
  which contains system and guest users and so I have more questions.
  - Does CachingRealm fall back to the standard properties
  realm if it gets nulls
  from the RDBMSDelegate?
  - Does the everyone group include unauthenticated users (i.e.
  guest) as I'm
  hoping?
  I've tried adding an instance of weblogic.security.acl.Everyone to my
  RDBMSDelegate class and checking if the call to getGroup is
  looking for
  "everyone" in which case I return this instance but this
  doesn't seem to do
  anything either. I also tried adding this everyone group to
  the list returned
  by getGroups but that didn't help and I carried the idea
  through to getUser and
  getUsers with a guest user but again no luck. I'm always
  forced to authenticate
  before I can get to the page that should allow anyone
  (everyone) to see it.
  Any help, ideas, advice, beer, etc. would be much appreciated!
  Thanks,
  Derek

• RDMBS - Creates two rows in table and adds to "everyone" group

  I have got the RDBMSRealm (using the example code) working from a JSP and a new
  user is persisted to my Oracle 8i users table. From the WLS console I can also
  see this new user under my Group "Candidates". However it has also added this
  user to the "everyone" group and I have two identical rows in my table. I can't
  see where it picks up this "everyone" group. Any pointers would be appreciated.
  Thanks.
  I'm using WLS 6.1 sp2 under Windows 2K Prof.

  "Roger Lee" <[email protected]> wrote:
  >
  I have got the RDBMSRealm (using the example code) working from a JSP
  and a new
  user is persisted to my Oracle 8i users table. From the WLS console I
  can also
  see this new user under my Group "Candidates". However it has also added
  this
  user to the "everyone" group and I have two identical rows in my table.
  I can't
  see where it picks up this "everyone" group. Any pointers would be appreciated.
  Thanks.
  I'm using WLS 6.1 sp2 under Windows 2K Prof.

• Regular expressions and capture groups

  Hi everyone :)
  Is there a way to override the default behaviour of capture groups in regular expressions? More specifically I want to override this:
  "The captured input associated with a group is always the subsequence that the group most recently matched."
  For example, if I have a string that is this:
  * <comment one>
  * <comment two>
  <some text>
  I have a pattern of the form "(.*)(/\\*.*\\*/)(.*)" which will match multi-line comments. I have also specified the flag DOTALL so that the predefined character class '.' matches over line-breaks.
  If I apply this pattern to the above string I get comment two being captured, not comment one. This is because of the stipulation that I cited above.
  I need to be able to capture only the first match, and prevent the capture group from being overwritten by more recent matches.
  Is this possible? Any ideas?
  Thanks in advance.
  Kind regards,
  Ben Deany

  Is there a way to override the default behaviour of
  capture groups in regular expressions? More
  specifically I want to override this:No, but you don't need to.
  I have a pattern of the form "(.*)(/\\*.*\\*/)(.*)"
  which will match multi-line comments.Comment two is captured by the second group because comment one is eaten by the first group. Use the reluctant quantifier "*?" on the . in the first group instead of the greedy quantifier "*" to get what is apparently the behavior you want. Then the first group will contain nothing, the second group will contain comments one and two, and the third group will contain the following text.
  .* is a very powerful thing to use. It will match everything in its path, guzzling text like moonshine at Mardi Gras. The only reason it doesn't match comment two as well is because then the expression as a whole would not match.
  The parentheses surrounding the first and third groups are not needed (unless you want to use group methods on them too).

• To get the company code and country grouping attached to a position

  Hi everyone,
  I have a position and I need to get the company code and the country grouping that this position is attached to. Could you kindly suggest an FM or a class which would fetch the above data keeping in mind the inheritance tree. That is, if the company code is not maintained in HRP1008, then it should look for the same in the Org Unit that this position belongs to and so on..
  Any help will be greatly appreciated.
  Regards,
  Alpana.

  Hi
  Check the A011 relationship of the position and get the cost center, from cost center you can get the company code and country grouping from Cost Center Master CSKS.
  ~~~Ganesh Kumar K.

• Users added to Profile Manager not showing up in everyone group

  So profile manager was working quite well until I made a change to the workgroup group.
  I removed the password policy from the workgroup group and added a new group for the password policy so we could essentially still manage non user assigned iOS devices.
  Now when I add a new user to the workgroup group on the server I have them login to the mydevices site so we can enroll the device and they can login but are immediately presented with:
  "You do not have permission to access the page you were looking for. Contact your system administrator."
  In troubleshooting the issue I noticed that new users being added are not showing up the in the everyone group which is preventing the users from having proper access. Prior to all this I could add a user and they would show up in everyone as intended.
  Any thoughts?

  I'm not sure if this is the same issue, but I have a user in Server.app that is not showing up in Users group. She is listed in her sub-group, but I cannot add devices to her account. When I click on the arrow next to her name in the sub-group, it takes me to the Users list to the top user.
  Any thoughts?

• Getting list of all users and their group memberships from Active Directory

  Hi,
  I want to retrieve a list of all the users and their group memberships through JNDI from Active Directory. I am using the following code to achieve this:
  ==================
  import javax.naming.*;
  import java.util.Hashtable;
  import javax.naming.directory.*;
  public class GetUsersGroups{
       public static void main(String[] args){
            String[] attributeNames = {"memberOf"};
            //create an initial directory context
            Hashtable env = new Hashtable();
            env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            env.put(Context.PROVIDER_URL, "ldap://172.19.1.32:389/");
            env.put(Context.SECURITY_AUTHENTICATION, "simple");
            env.put(Context.SECURITY_PRINCIPAL, "[email protected]");
            env.put(Context.SECURITY_CREDENTIALS, "p8admin");
            try {
                 // Create the initial directory context
                 DirContext ctx = new InitialDirContext(env);     
                 //get all the users list and their group memberships
                 NamingEnumeration contentsEnum = ctx.list("CN=Users,DC=filenetp8,DC=com");
                 while (contentsEnum.hasMore()){
                      NameClassPair ncp = (NameClassPair) contentsEnum.next();
                      String userName = ncp.getName();
                      System.out.println("User: "+userName);
                      try{
                           System.out.println("am here....1");
                           Attributes attrs = ctx.getAttributes(userName, attributeNames); // only asked for one attribute so only one should be returned
                           System.out.println("am here....2");
                           Attribute groupsAttribute = attrs.get(attributeNames[0]); // memberOf
                           System.out.println("-----"+groupsAttribute.size());
                           if (groupsAttribute != null){
                                // memberOf is a multi valued attribute
                                for (int i=0; i<groupsAttribute.size(); i++){
                                // print out each group that user belongs to
                                System.out.println("MemberOf: "+groupsAttribute.get(i));
                      }catch(NamingException ne){
                      // ignore for now
                 System.err.println("Problem encountered....0000:" + ne);
                 //get all the groups list
            } catch (NamingException e) {
            System.err.println("Problem encountered 1111:" + e);
  =================
  The following exception gets thrown at every user entry:
  User: CN=Administrator
  am here....1
  Problem encountered....0000:javax.naming.NamingException: [LDAP: error code 1 -
  000020D6: SvcErr: DSID-03100690, problem 5012 (DIR_ERROR), data 0
  ]; remaining name 'CN=Administrator'
  I think it gets thrown at this line in the code:
  Attributes attrs = ctx.getAttributes(userName, attributeNames);
  Any idea how to overcome this and where am I wrong?
  Thanks in advance,
  Regards.

  In this sentence:
  Attributes attrs = ctx.getAttributes(userName, attributeNames); // only asked for one attribute so only one should
  It seems Ok when I add "CN=Users,DC=filenetp8,DC=com" after userName, just as
  userName + ",CN=Users,DC=filenetp8,DC=com"
  But I still have some problem with it.
  Hope it will be useful for you.

• Primary Group and Additional Group in Solaris 10

  hi!
  We've just freshly installed a Solaris 10 system. I'm very new in Solaris. There's something i noticed, and i'm not sure whether is that normal.
  In the user screen in solaris management console, i notice that i'm not able to see the Primary group and additonal group list. What i can see is only the Primary group in ID format. I'm able to see it only the first time when i launch the Solaris management console or switch from one workplace to another. After right clicking on the user properties for the second time, it disappear and show only the primary group id in integer. On the left hand side of the screen, it says "The group cannot be listed. You can change the primary group 10 to another valid integer. Because of error or oversight, group membership cannot be found. You can enter a number for the primary group, but cannot choose from a list of groupnames. Also you cannot choose Seconday Group until the group info is available". "Check group files, NIS maps, or load for possible corruption. If you have not already populated appropiate files or maps, See administrator guide, Naming and Directory Services(DNS, NIS, LDAP) or docs.sun.com for LDAP see also Solaris Management console help, about the toolbox editor to manage LDAP"
  Is that normal? What could be wrong here? Please advise. Thanks.

  hi! Anyone can provide advise on the issue i encountered?

• Question about Everyone Group in SharePoint 2013

  Hi,
  I have couple of question about EVERYONE group below,
           - As per the best practice which Group we should use instead of EVERYONE group in Sharepoint ?
           - What is the difference between Everyone and All Authenticated Users Group
  We have added Everyone Group in different sites, now the question is if we hide this group showing up in sharepoint people picker, is there any impact interms of current site?
           - Is there any way we can hide Everyone group showing up in the people picker only for the site / Site Collection level.
  Please help.
  Thanks
  srabon

  There is no functional difference between the Everyone group and All Authenticated Users (after Active Directory has been upgraded to Server 2003 native schema).
  I'm not aware of any function to hide the group from the People Picker.
  Trevor Seward
  Follow or contact me at...
  &nbsp&nbsp
  This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

• Authentication against both LDAP and BI repository

  I have a lot of user who are authenticated against LDAP. I need add few users who aren't exist in LDAP. I can create user in BI repository and if this user is in an Administrator group he is able to log in. But if this user isn't in an Administrator group he get error "Succesfull execution of intitializtion block LDAP is required". Is there any way how to authenticate users agains both LDAP and BI repository?

  Hi,
  why dont you create a group in ldap and add the correspondng users to that group.
  You can configure the LDAP server with that group and try...
  Hope it works...
  Regards
  Venkat

• Identity Service LDAP with dynamic grouping

  Hi all,
  We are developing an enterprise application with oc4j and bpel.
  First we managed to handle user management with XML based JAZN tool.
  After that,we managed to connect identity service with iPlanet LDAP server and get users and roles(with static groups defined.)
  But our client wanted static and dynamic groups together in their LDAP server,because of the complexity of their current user base.
  When we try this,we cannot get the roles that are assigned with dynamic groups.But we can get the roles that are statically defined.
  We check the roles from the worklist application (integration/worklistapp... thing..) and we se the static groups where we cannot see dynamic one's.
  There is a section in is_config.xml like:
  <roleControls>
  <property name="nameattribute" value="cn"/>
  <property name="objectclass" value="groupOfUniqueNames"/>
  <property name="membershipsearchscope" value="onelevel"/>
  <property name="memberattribute" value="uniquemember"/>
  <search searchbase="ou=Groups,dc=dummy,dc=com,dc=tr" scope="onelevel" maxSizeLimit="1000" maxTimeLimit="120"/>
  </roleControls>
  I think the property uniquemember has an effect in this situation but I cannot find any sample configurations using dynamic groups in LDAP.
  Hope somebody has already done that..

  I find a solution here:
  http://download.oracle.com/docs/cd/E15523_01/integration.1111/e10226/hwf_config.htm
  I am currently using weblogic's defaultAuthentication to test BPM 11g.
  I do not know if this approach works in production environment.

• Changing permission on "Everyone" group on "Users" folder to "No Access"

  Hello Everyone,
  I need help on changing permission on "Everyone" group on "Users" folder to "No Access" using a Terminal command line.
  What i'm trying to do is assign "Everyone" group to "No Access" on "User" folder to restrict other users from going to users home folder on the computer.
  Right  now, when a user login he/she has the ability to view files that are not located in the documents folder
  PS
  Network is configured for OD/AD, home folder is located on Dell Server
  Appreciate the help, Thanks very much

  You are running Oracle Linux and want to use a network volume provided by Windows 2008 to install Oracle Database.
  Your problem is that you cannot set appropriate privileges on the mounted volume to perform the installation.
  Is this correct?
  If yes, then as far as I know, Windows file sharing is not support, even if you fix the permission issues. Your problem is the file system, which won't be Linux ext3. NFS might be supported, but I think it is not the best idea. Have you looked into iSCSI? It will allow you to mount remote disks using SCSI protocol. You could do pretty much everything with such a mounted disk that you can do with a locally attached drive, including initializing, but instead of using the local bus, it will use the TCP/IP network.
  How to setup iSCSI on Windows Server 2008 (storage server)
  http://technet.microsoft.com/en-us/edge/Video/ff710316
  CentOS / Red Hat Linux: Install and manage iSCSI Volume
  http://www.cyberciti.biz/tips/rhel-centos-fedora-linux-iscsi-howto.html
  Edited by: Dude on Jun 23, 2011 12:08 PM

• Need info regarding Oracle UCM Accounts and Security Groups behaviour

  Need information regarding Oracle UCM Accounts and Security Groups behaviour.
  Oracle UCM version: 11.1.1.5.0
  Steps:
  1. Log in with "weblogic" user and created a content with id "content1"
  2. Applied "@acc1(R)" and "TestGroup1" to the cotent created in step 1
  3. Log out
  4. Log in as "acc1user1", the user is not able to see the "content1"
  5. Log out
  6. Log in as "role1user1", the user is not able to see the "content1"
  Account and Group information:
  1. User "acc1user1" is part of "@acc1(R)"
  2. User "role1user1" is part of "role1(R)" and is mapped to "TestGroup1" in UCM
  Expected:
  Both "acc1user1" and "role1user1" should be able to see "content1" as they have at least Read permission.
  Please help me understand why the users are not able to see the content.

  ACLs, like Accounts, are optional security setting which may add on some extra functionality to mandatory security groups. Likewise, the resulting permission is taken as an intersection of SG and ACLs.
  But in the second part the number of set of users is huge (approx say 600)I don't get this completely. Does this mean that those "sets of users" (users who see the same data) are distinct and that there is 600 of such groups?
  If you read thoroughly the manual I sent earlier, there is a recommendation that there should be maximum 50 security groups, and you should use accounts, should this number be exceeded. This means you could have all the documents in one security group (and have one common role with Read permission), but combine it with accounts. ACLs are not a good choice here - their performance and manageability is much worse than of accounts. ACLs are primarily used if you expect security settings to change during the lifetime (e.g. a project manager adds temporarily rights to access an item to another user, and revokes it when the user finishes his or her work).
  Note that accounts as well as permissions of users within accounts can also be mapped externally (from LDAP/AD) and it usually follows some kind of org chart.
  I'd feel more comfortable not to speak about users, security groups, roles, etc., but about some real-life objects and scenarios.