Limiting admin users permission to view content

I have an administrator user who I need to block from viewing items within a certain content area (and seeing the items on a page).
However, when I enable this by editing the portal user profile, the knock-on effect is that this user then cannot add any folder portlets to any pages. There are lots of other pages and content areas that I do need this person to access.
Please help! How can I block the user from viewing 1 content area, but still enable them to add folders (from other content area) to other pages?
Cheers.

Hi,
The content admin role is normally defined as a system principal by default and therefore will have access to all content regardless of the individual permissions you assign. See the following link for more information:
http://help.sap.com/saphelp_nw70/helpdata/EN/19/56f28fbd4e11d5993b00508b6b8b11/frameset.htm
You should define your permissions more specifically by giving certain roles read/write and other roles/users read only permissions.
Also have a look at the following information which gives an overview of KM permissions:
http://help.sap.com/saphelp_nw70/helpdata/EN/0a/122bd1fd34c24c90618381f89124c6/frameset.htm
Regards, Lorcan.

Similar Messages

  • Limited-access user permission lockdown mode and allowing anon users to view list items

    I'm working on setting up a public-facing SharePoint website that will need to support anonymous user access. I'm using the Enterprise Publishing Portal site collection template, so the Limited-access user permission lockdown mode feature is turned on.
    Everything is working great, except allowing users to view a list item. One of the key features I was hoping to leverage was the ability to display custom lists on a web page using a List View web part. Then they could click on an item and see the DispForm.aspx so the item's content was accessible, including any file attachments.
    A real-world example is adding an RSS viewer web part to the home page and allowing anon users to click on one of the events to see the details of it. Currently, in lockdown mode, the user gets an authentication prompt.
    I toyed with the idea of turning the lockdown feature off. However, I'm uncertain of the full impact that would have on security. For example, I know it will allow anonymous users to see who created and modified an item, which we don't want exposed to the public (i.e. our employee names). Seems like opening a can of worms by disabling the lockdown mode...
    Any ideas on how to tackle this would be greatly appreciated.

    So far, this is the most promising solution I've come across:
    http://soerennielsen.wordpress.com/2012/05/29/how-to-make-list-items-visible-to-anonymous-users-in-search

  • Permission to view content of table of SYS schema to newly created user

    Hi,
    I am facing issue giving permission to view contents of table p_users of SYS schema to newly created user.
    Regards,
    Phani Ram

    Hi Phani,
    Could you please check if you have an authorization to give a permission to other users for a particular schema?
    I mean check for privileges, user and roles.
    Warm Regards,
    Earesh kumar

  • Non-admin users can't view GAL with Outlook Connector

    Non-admin users are unable to view the Global Address List with Outlook Connector. When I give a test user admin rights (in our portal), the user can view the GAL. The VLV index is setup and functioning correctly for admin users. My versions are Directory Server 5.2 Patch 4, JES 2005Q4, Outlook Connector 7.1.222.4.
    I've reviewed the ACIs on o=cp per http://docs.sun.com/app/docs/doc/819-5200/gbnse?a=view and verified that they are getting passed down to the child entries. I added a new ACI for a specific test user, but I see no effect when I run an ldapsearch as that user. Here are the ACIs:
    1. Allow Calendar Administrators to proxy
    (targetattr = "mail || uid || icsCalendar || givenName || sn || cn")
    (targetfilter = (|(objectClass=icscalendaruser)(objectClass=icscalendarresource)))
    (version 3.0;acl "Allow Calendar administrators to proxy - product=ics,class=admin,num=2,version=1";
    allow (proxy)(groupdn = "ldap:///cn=Calendar Administrators, ou=Groups, o=cp");)
    2. Allow Calendar users to read and search other users
    (targetattr = "mail || uid || icsCalendar || givenName || sn || cn")
    (targetfilter = (|(objectClass=icscalendaruser)(objectClass=icscalendarresource)))
    (version 3.0;acl "Allow Calendar users to read and search other users - product=ics,class=admin,num=3,version=1";
    allow (read,search)(userdn = "ldap:///uid=*,ou=People,o=pcc.edu,o=cp");)
    3. Allow test users to proxy
    (targetattr = "mail || uid || icsCalendar || givenName || sn || cn")
    (targetfilter = (|(objectClass=icscalendaruser)(objectClass=icscalendarresource)))
    (version 3.0;acl "Allow test users to proxy - product=ics,class=admin,num=2,version=1";
    allow (proxy)(userdn = "ldap:///uid=299899598658566,ou=People,o=pcc.edu,o=cp");)
    Here's the log for an ldapsearch as a non-admin user:
    -bash-3.00$ grep "conn=386080 op=1 msgId=2" access
    [02/Jan/2008:15:15:44 -0800] conn=386080 op=1 msgId=2 - SRCH base="ou=people,o=pcc.edu,o=cp" scope=2 filter="(pdsRole=Employee)" attrs="uid"
    [02/Jan/2008:15:15:44 -0800] conn=386080 op=1 msgId=2 - SORT cn
    [02/Jan/2008:15:15:44 -0800] conn=386080 op=1 msgId=2 - VLV 1:1:dpelinka 2964:11852 (0)
    [02/Jan/2008:15:15:44 -0800] conn=386080 op=1 msgId=2 - RESULT err=0 tag=101 nentries=0 etime=0
    When the same search is run by an admin user, nentries=3.
    Here is the test ldapsearch:
    ldapsearch -h vmpt1 -p 389 -D "uid=299899598658566,ou=People,o=pcc.edu,o=cp" -w {password} \
    -b "ou=People,o=pcc.edu,o=cp" -x -s "sub" -S "cn" \
    -G "1:1:dpelinka" "pdsRole=Employee" uid
    David,

    Jay,
    Here's a full set of logs. The first set is from my test search; the second from an actual OC search. I don't see anything different between the admin and non-admin except for the number of entries returned.
    ADMIN TEST SEARCH
    -bash-3.00$ ./test_vlvindex.shl
    version: 1
    dn: uid=375308679900788,ou=People,o=pcc.edu,o=cp
    uid: 375308679900788
    dn: uid=534616896694744,ou=People,o=pcc.edu,o=cp
    uid: 534616896694744
    dn: uid=506947161967075,ou=People,o=pcc.edu,o=cp
    uid: 506947161967075
    index 2973 content count 11893
    DS log
    -bash-3.00$ grep "conn=1964292 op=1" access
    [07/Jan/2008:16:36:02 -0800] conn=1964292 op=1 msgId=2 - SRCH base="ou=people,o=pcc.edu,o=cp" scope=2 filter="(pdsRole=Employee)" attrs="uid"
    [07/Jan/2008:16:36:02 -0800] conn=1964292 op=1 msgId=2 - SORT cn
    [07/Jan/2008:16:36:02 -0800] conn=1964292 op=1 msgId=2 - VLV 1:1:dpelinka 2973:11893 (0)
    [07/Jan/2008:16:36:02 -0800] conn=1964292 op=1 msgId=2 - RESULT err=0 tag=101 nentries=3 etime=0
    NON-ADMIN TEST SEARCH
    -bash-3.00$ ./test_vlvindex.shl
    index 2973 content count 11893
    DS log
    -bash-3.00$ grep "conn=1973983 op=1 msgId=2" access
    [07/Jan/2008:16:37:53 -0800] conn=1973983 op=1 msgId=2 - SRCH base="ou=people,o=pcc.edu,o=cp" scope=2 filter="(pdsRole=Employee)" attrs="uid"
    [07/Jan/2008:16:37:53 -0800] conn=1973983 op=1 msgId=2 - SORT cn
    [07/Jan/2008:16:37:53 -0800] conn=1973983 op=1 msgId=2 - VLV 1:1:dpelinka 2973:11893 (0)
    [07/Jan/2008:16:37:53 -0800] conn=1973983 op=1 msgId=2 - RESULT err=0 tag=101 nentries=0 etime=0
    ADMIN OC SEARCH
    -bash-3.00$ grep -i vlv access
    [07/Jan/2008:16:42:58 -0800] conn=1000785 op=14 msgId=15 - VLV 0:8:0:0 1:11893 (0)
    [07/Jan/2008:16:42:58 -0800] conn=1000785 op=15 msgId=16 - VLV 0:10:9:0 10:11893 (0)
    [07/Jan/2008:16:42:58 -0800] conn=1000785 op=16 msgId=17 - VLV 0:17:20:0 21:11893 (0)
    -bash-3.00$ grep "conn=1000785 op=14 msgId=15" access
    [07/Jan/2008:16:42:58 -0800] conn=1000785 op=14 msgId=15 - SRCH base="ou=people,o=pcc.edu,o=cp" scope=2 filter="(pdsRole=Employee)" attrs="uid mail cn title company telephoneNumber physicalDeliveryOfficeName objectClass"
    [07/Jan/2008:16:42:58 -0800] conn=1000785 op=14 msgId=15 - SORT cn
    [07/Jan/2008:16:42:58 -0800] conn=1000785 op=14 msgId=15 - VLV 0:8:0:0 1:11893 (0)
    [07/Jan/2008:16:42:58 -0800] conn=1000785 op=14 msgId=15 - RESULT err=0 tag=101 nentries=9 etime=0
    -bash-3.00$ grep "conn=1000785 op=15" access
    [07/Jan/2008:16:42:58 -0800] conn=1000785 op=15 msgId=16 - SRCH base="ou=people,o=pcc.edu,o=cp" scope=2 filter="(pdsRole=Employee)" attrs="uid mail cn title company telephoneNumber physicalDeliveryOfficeName objectClass"
    [07/Jan/2008:16:42:58 -0800] conn=1000785 op=15 msgId=16 - SORT cn
    [07/Jan/2008:16:42:58 -0800] conn=1000785 op=15 msgId=16 - VLV 0:10:9:0 10:11893 (0)
    [07/Jan/2008:16:42:58 -0800] conn=1000785 op=15 msgId=16 - RESULT err=0 tag=101 nentries=11 etime=0
    -bash-3.00$ grep "conn=1000785 op=16 msgId=17" access
    [07/Jan/2008:16:42:58 -0800] conn=1000785 op=16 msgId=17 - SRCH base="ou=people,o=pcc.edu,o=cp" scope=2 filter="(pdsRole=Employee)" attrs="uid mail cn title company telephoneNumber physicalDeliveryOfficeName objectClass"
    [07/Jan/2008:16:42:58 -0800] conn=1000785 op=16 msgId=17 - SORT cn
    [07/Jan/2008:16:42:58 -0800] conn=1000785 op=16 msgId=17 - VLV 0:17:20:0 21:11893 (0)
    [07/Jan/2008:16:42:58 -0800] conn=1000785 op=16 msgId=17 - RESULT err=0 tag=101 nentries=18 etime=0
    NON-ADMIN OC SEARCH
    -bash-3.00$ grep -i vlv access
    [07/Jan/2008:17:26:04 -0800] conn=2220710 op=1 msgId=2 - VLV 1:1:1:0 2:11893 (0)
    [07/Jan/2008:17:26:04 -0800] conn=2220710 op=2 msgId=3 - VLV 0:8:0:0 1:11893 (0)
    -bash-3.00$ grep "conn=2220710 op=1" access
    [07/Jan/2008:17:26:04 -0800] conn=2220710 op=1 msgId=2 - SRCH base="ou=people,o=pcc.edu,o=cp" scope=2 filter="(pdsRole=Employee)" attrs="cn mail uid objectClass"
    [07/Jan/2008:17:26:04 -0800] conn=2220710 op=1 msgId=2 - SORT cn
    [07/Jan/2008:17:26:04 -0800] conn=2220710 op=1 msgId=2 - VLV 1:1:1:0 2:11893 (0)
    [07/Jan/2008:17:26:04 -0800] conn=2220710 op=1 msgId=2 - RESULT err=0 tag=101 nentries=0 etime=0
    -bash-3.00$ grep "conn=2220710 op=2" access.20080107-171147
    [07/Jan/2008:17:26:04 -0800] conn=2220710 op=2 msgId=3 - SRCH base="ou=people,o=pcc.edu,o=cp" scope=2 filter="(pdsRole=Employee)" attrs="uid mail cn title company telephoneNumber physicalDeliveryOfficeName objectClass"
    [07/Jan/2008:17:26:04 -0800] conn=2220710 op=2 msgId=3 - SORT cn
    [07/Jan/2008:17:26:04 -0800] conn=2220710 op=2 msgId=3 - VLV 0:8:0:0 1:11893 (0)
    [07/Jan/2008:17:26:04 -0800] conn=2220710 op=2 msgId=3 - RESULT err=0 tag=101 nentries=0 etime=0
    -bash-3.00$
    David.

  • I don't have permission to view content on hard drive in mac pro???

    I no longer wanted to use my macbook anymore, it's a 2008 model if I remember correctly the white plastic version. However, I wanted to put the hard drive I have in it into my mac pro since I have two more available slots for storage. But after I put it in I went to go try viewing its contents and it says
    My mac pro os x version is 10.6.8. I'm not entirely sure what my macbook is running, but it's not yosemite, most likely a version of snow leopard.
    Any ideas of what's going on? How can I get permission to view the contents?

    Try opening Disk Utility and repairing permissions on the disk.
    Next try select that disk in Finder and right click and select Get Info. Then go to Sharing and Permissions section and update/change it

  • Permission Error when copy files into cmsdk using NFS with non admin user

    Hi All,
    We are using CMSDK with NFS protocol and we have created different users with ACL to control different access for users.
    When we copy files into cmsdk folders using one of the admin users this works fine; even a multiple copy works fine. But when we use any non-admin user, sometimes the copy command works but sometimes it throws a permission denied error, and this is happening very intermittently.
    When we use the ftp protocol and ftp a file it all works fine for both the admin and non-admin user. Is there any limitation in using the CMSDK NFS protocol?
    Did anyone encounter any similar issue? Any pointers would be of great help.
    Thanks in advance
    Regards,
    Navin

  • Limited Admin Privileges/Specific Elevation of User Accounts

    I'm hoping to create an account on my laptop for my roommate.  I don't want him to have a full admin account, but he knows enough about computers that he could troubleshoot networking, and I want to enable him to install programs on the system.  I'm not sure what the best way to go about creating an account which can elevate itself for specific tasks; I've never modified my sudoers file before, and I don't know how to do so to grant him access to the privileges he should have.  I don't want to force him to use Terminal; I'd rather have him be able to enter a username/password for Admin privileges when prompted, whether that's his standard user account or a limited Admin account, but I want to make sure that account DOESN'T have access to modify anything in Users & Groups, can't create accounts with dscl, can't modify the keychain or hard drive partitions, etc. 
    Am I right in thinking the sudoers file is the best way to approach this?  How do I find out what processes to allow access to?  Does Network Preferences, for example, have any dependencies he will also need to be able to run?  Also, is there a good starting point/article on modifying the sudoers file for this type of thing anywhere?  <<clearly googling the wrong thing because my searches just tell me how to add someone to the sudoers file>>

    To modify network settings he needs to be able to unlock the preference pane. If you can unlock one pane you can unlock them all including Users & Groups.
    While it is more feasible to allow him some latitude in the application installing scenario it's going to be a pain. The non-server version of OS X is just not set up for this. Either a user has admin privileges or he doesn't; there is no part way.
    Again if you trust him then you should also trust him not to do what you don't want him to do. If you tell him he can do x but please don't do y and you think he won't abide by your rules then giving him any access is potential trouble.
    And again if he can get to the machine when you are not around he can do what he likes, privileges or no privileges.
    good luck,
    regards

  • "view content preview in thumbnails" option is not available in view settings for "finder" for one user

    "view content preview in thumbnails" option is not available in view settings for "finder" for one user

    I hope this discussion can be revived. I have the same problem. There seem to be quite a few Japanese sites that don't bother specifying their encoding. Perhaps they are older and from a time when it was not necessary to adhere to standards. Examples: http://www1.plala.or.jp/CUE/cave_yozawa.html, http://chigaku.web.fc2.com/saitama/sanchi/youzawa/youzawa.html. Happy to upload screenshots, but how?
    Is there a way to tell Safari what encoding to use if the web page fails to do that?

  • Generic Object Services - View Attachments disabled for non admin user

    Hi,
    I am using SAP 4.7 and the attachments created using table TOA01 - archive link are visible to an administrator user through Generic Object Services toolbox while same View Attachments option appears disabled for other non admin users.
    Kindly help !

    Hi Neha,
    I'm sorry I don't have answer to your question but I wonder if you could help me.
    I'm looking at OSS note 530792 to configure GOS 'create attachment' option to copy the attachments to the archive server. Currently, these are written to the SAP office tables SOC3, SOFFCONT1, etc and I want to use the archivelink and SAPHTTP and copy to the archive storage.
    Have you successfully managed to configure your system since you mentioned TOA01?
    In the same GOS menu I've activated the 'Business document' option and can copy these to the archive server by correctly configuring OAC2 and OAC3.
    I'll really appreciate it if you could please share your knowledge.
    Thanks.
    Soyab

  • Fail to connect on Citrix with Limited User but succeeds with Admin user

    On one of our customer's installations which is on a Citrix server, the users cannot connect to the database when they are Limited users. But if the same user is promoted to Administrator it can connect.
    The Application uses ODP.Net to connect. Other tools in the installation that use ODBC works for limited users.
    The OracleConnection.Open method throws an exception without an error message.
    The stack trace is:
    at Oracle.DataAccess.Client.OracleException.HandleErrorHelper(Int32 errCode, OracleConnection conn, IntPtr opsErrCtx, OpoSqlValCtx* pOpoSqlValCtx, Object src, String procedure)
    at Oracle.DataAccess.Client.OracleException.HandleError(Int32 errCode, OracleConnection conn, IntPtr opsErrCtx, Object src)
    at Oracle.DataAccess.Client.OracleConnection.Open()
    On the server we have installed Oracle Client 10.2.0.1 where the .Net provider also is installed (otherwise it would not work for the admin user either).
    Anyone who has a clue on why this strange behavior happens?
    / Nils

    That was a known issue in 10201, and should be resolved by patching the client up to 10204. You do that by applying the database patch to the client, and you can get the 10204 database patch on Metalink.
    Cheers,
    Greg

  • I have "migrated" my Time Capsule files to my new iMac and most of the files to me "I don't have permission to view files" I am the admin....well I thought I was. What gives?

    I have "migrated" my Time Capsule files to my new iMac and most of the files to me "I don't have permission to view files" I am the admin....well I thought I was. What gives?

    You should be able to change the permissions on the files.. this is yet another bungle by Mavericks I suspect.
    http://support.apple.com/kb/PH13799
    Sometimes it is because you Migrated wrongly.
    http://pondini.org/TM/E10.html
    It is not up to Mavericks because sadly the guy who wrote all this great info died recently.

  • How to view / edit other users subscriptions to reports via report admin user ?

    Is there a built-in GUI means or power tool to access a list of all the users' subscriptions to reports in SQL 2012 ?
    It seems that the report admin can only view his own subscriptions, same as any other user via "my subscriptions", but I found no option for the report admin user to view or manage subscriptions of other users.
    How would you recommend to view the list of all the subscriptions to reports in SSRS, and as necessary to also manage them ?
    p.s. Is there a GUI for this in SQL 2014 ?
    Thanks

    Hi moital,
    According to your description, you want to access a list which contains all users subscriptions and edit them. Right?
    In Reporting Services, we have a table named "Subscription" in the ReportServer database. It includes all the information of each subscription. Please go to SQL Server Management Studio and try the query below in ReportServer database:
    select c.UserName,b.SubscriptionID,a.ItemID ReportID,a.Path,a.Name ReportName
    from Subscriptions b inner join Catalog a on a.ItemID=b.Report_OID inner join Users c on b.OwnerID=c.UserID
    It will return us each subscription with corresponding ReportName, UserName and Path:
    Then we can go to the Report based on the path if we need to edit the subscription. We don't have a built-in GUI for any version of SQL, but this can be a good method to get the list of subscriptions.
    If you have any question, please feel free to ask.
    Best Regards,
    Simon Hou
      

  • SSAS Tabular : OLE DB or ODBC error : The Microsoft Access database engine cannot open or write to the file. It is already opened exclusively by another user, or you need permission to view and write it's data.; 3051.

    Hi all, i'm trying to import a spreadsheet into a tabular model and getting this stupid error even though the impersonation account i'm using is an admin account with full access to the file.  ANY IDEAS? I hate these stupid permission related issues!!!
    Thanks for your help. 

    Hi, I know the post is old, but I'm having this problem and maybe you could elaborate a bit.
    What are the steps to get this done?
    What worked for me is to go to the Excel file, right click and add the MSOLAP user. But this is a manual process, I have many excel files. I don't want to do this to each one. Is there a way to do this in one go?
    Thank you
    Try creating a folder for all the files you want to import. Give the MSOLAP user permission to read that folder then copy your excel files in there.
    However apart from prototypes I rarely do direct imports of Excel files. For any ongoing project I always stage them in a SQL Server table using SSIS. There are just too many things that can go wrong with Excel files, like people locking the file by leaving it open. Or changing the file by adding extra columns or putting string values in numeric columns. I find that in SSIS I can build a lot more robust data flows to handle this sort of thing.
    http://darren.gosbell.com - please mark correct answers

  • I don't have permission to view the contents of hidden files on my own Macbook Pro

    I don't have permission to view the contents of hidden files on my own Macbook Pro.
    I'm fairly new to Mac and for some reason I do not have permission to view the contents in hidden files.
    Can someone please help.
    Thanks

    kata505 wrote:
    After some time, I found the location of the files to be in the folder 'Masters'.
    Thank You everyone for their help.
    Much appreciated
    It is not good to mess with the structure of the iPhoto or Aperture Libraries.
    You can access the image "files" from within the programs. Anything you would want to do with an image file you can do with the image in the iPhoto app itself.
    If you really must get to the file, you can select Reveal in Finder from the File menu.

  • Why can't Admin Users see what I've given them permission to see?

    I have a Secure Zone set up on my client's site and have set them up with 3 admin users and given them permissions to view and edit the secure zones. However, when their Admin Users go in to the Admin Console and click on Site Manager they can only see Web Forms and System Emails. What's going wrong?

    Does not sound like you have set up the roles correctly.
