Managing users to provide access on multiple lists having unique permissions
I have 20 lists in a site collection and all of them have unique permissions. The reason I stopped inheritance is to avoid giving users edit access on site pages while they still have full access on lists. If I used inherited permissions and wanted to give full access to a list, I would have to check 'Manage Lists' in the permission level, which gives the user edit permission or some unauthorized access to the page.
So, in order to overcome this, I have created two permission levels, one for page view and one for list/library view, stopped inheritance on the libraries, and given users the list/library view access on them to let them access the lists/libraries.
This makes the management effort very high in terms of new user access. For this I have to go to more than 20 places and grant permission to that particular user. How can I manage and use it in an effective way? Please help me with this.
Hello Mohit,
I would suggest creating groups based on the permission levels you have given and adding the users to those groups.
For all the lists you will add the groups for the permissions, so whenever you want to grant/remove access for users you will add/delete the user from that group.
My Blog - http://www.sharepoint-journey.com
If a post answers your question, please click Mark As Answer on that post and Vote as Helpful
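One way to script the group approach suggested above, as an added example that is not from the original thread: it binds a single SharePoint group to every list that already has unique permissions, so later access changes happen only in the group's membership. It assumes the server-side SharePoint PowerShell snap-in; the site URL, group name and permission level name are hypothetical.

```powershell
# Added example, not code from the thread. Requires the SharePoint server snap-in.
# The site URL, group name and permission level name are hypothetical.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Add-GroupToUniqueLists {
    param(
        [Parameter(Mandatory=$true)][string]$WebUrl,
        [Parameter(Mandatory=$true)][string]$GroupName,
        [Parameter(Mandatory=$true)][string]$PermissionLevel,
        [switch]$Apply   # without -Apply the function only reports
    )
    $web = Get-SPWeb $WebUrl -ErrorAction Stop
    try {
        # Both lookups throw if the name does not exist on this site.
        $group = $web.SiteGroups[$GroupName]
        $role  = $web.RoleDefinitions[$PermissionLevel]

        # Copy the collection so changes cannot disturb the enumeration.
        foreach ($list in @($web.Lists)) {
            # Lists that still inherit are governed by the site's own groups.
            if ($list.Hidden -or -not $list.HasUniqueRoleAssignments) { continue }

            $existing = $list.RoleAssignments |
                Where-Object { $_.Member.ID -eq $group.ID }

            if ($existing) {
                $status = 'already assigned'
            }
            elseif ($Apply) {
                $ra = New-Object Microsoft.SharePoint.SPRoleAssignment($group)
                $ra.RoleDefinitionBindings.Add($role)
                $list.RoleAssignments.Add($ra)
                $status = 'added'
            }
            else {
                $status = 'would add'
            }

            New-Object PSObject -Property @{
                List = $list.Title; Group = $GroupName; Status = $status
            }
        }
    }
    finally {
        $web.Dispose()
    }
}

# Dry run first; add -Apply once the report lists the expected lists.
if (Get-Command Get-SPWeb -ErrorAction SilentlyContinue) {
    Add-GroupToUniqueLists -WebUrl 'http://sharepoint.example.local/sites/team' `
        -GroupName 'List Users' -PermissionLevel 'List Library View' |
        Format-Table List, Group, Status -AutoSize
}
```

After the group is bound to each list once, onboarding a user is a single membership change on that group rather than a visit to each list's permission page.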
Similar Messages
-
Set Single user with reviewer access to multiple conference room calendars
I want to add a single user with Reviewer access to multiple conference room calendars. I used the command below but it gave the error below. I am able to add a single user to one calendar, but adding a single user to multiple conference room calendars is not happening.
Import-csv C:\smtp1.csv | foreach-object {Add-MailboxFolderPermission -identity $_mail":\Calendar" -User "Mike" -AccessRights "Reviewer"}
Smtp1.csv
mail
[email protected]
[email protected]
Error:--
[PS] C:\>Import-csv "C:\smtp1.csv" | foreach-object {Add-MailboxFolderPermission -identity "$_mail:\Calendar" -User "Mike" -AccessRights "Reviewer"}
The specified mailbox "\Calendar" doesn't exist.
+ CategoryInfo : NotSpecified: (0:Int32) [Add-MailboxFolderPermission], ManagementObjectNotFoundException
+ FullyQualifiedErrorId : 78C23328,Microsoft.Exchange.Management.StoreTasks.AddMailboxFolderPermission
The specified mailbox "\Calendar" doesn't exist.
+ CategoryInfo : NotSpecified: (0:Int32) [Add-MailboxFolderPermission], ManagementObjectNotFoundException
+ FullyQualifiedErrorId : 78C23328,Microsoft.Exchange.Management.StoreTasks.AddMailboxFolderPermission
The specified mailbox "\Calendar" doesn't exist.
+ CategoryInfo : NotSpecified: (0:Int32) [Add-MailboxFolderPermission], ManagementObjectNotFoundException
+ FullyQualifiedErrorId : 78C23328,Microsoft.Exchange.Management.StoreTasks.AddMailboxFolderPermission
The specified mailbox "\Calendar" doesn't exist.
+ CategoryInfo : NotSpecified: (0:Int32) [Add-MailboxFolderPermission], ManagementObjectNotFoundException
+ FullyQualifiedErrorId : 78C23328,Microsoft.Exchange.Management.StoreTasks.AddMailboxFolderPermission
I tried with that as well but am getting the below:
A positional parameter cannot be found that accepts argument ':\Calendar'.
+ CategoryInfo : InvalidArgument: (:) [Add-MailboxFolderPermission], ParameterBindingException
+ FullyQualifiedErrorId : PositionalParameterNotFound,Add-MailboxFolderPermission
A positional parameter cannot be found that accepts argument ':\Calendar'.
+ CategoryInfo : InvalidArgument: (:) [Add-MailboxFolderPermission], ParameterBindingException
+ FullyQualifiedErrorId : PositionalParameterNotFound,Add-MailboxFolderPermission
A positional parameter cannot be found that accepts argument ':\Calendar'.
+ CategoryInfo : InvalidArgument: (:) [Add-MailboxFolderPermission], ParameterBindingException
+ FullyQualifiedErrorId : PositionalParameterNotFound,Add-MailboxFolderPermission
Cannot process argument transformation on parameter 'Identity'. Cannot convert value "" to type "Microsoft.Exchange.Configuration.Tasks.MailboxFolderIdParameter". Error: "Value cannot be null.
Parameter name: mailboxFolderId"
+ CategoryInfo : InvalidData: (:) [Add-MailboxFolderPermission], ParameterBindin...mationException
+ FullyQualifiedErrorId : ParameterArgumentTransformationError,Add-MailboxFolderPermission -
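For the conference room calendar command above, the errors show the identity arriving as "\Calendar" or as an empty value, which is what happens when `$_mail` is read as a variable name instead of the `mail` column of the current CSV row. The following is an added example, not code from the thread; the room addresses are constructed placeholders, and it assumes an Exchange Management Shell session for the final step.

```powershell
# Added example, not code from the thread. Addresses below are constructed.
$csv = @'
mail
room-a@example.com
room-b@example.com

'@

function Get-CalendarFolderId {
    param([Parameter(Mandatory=$true)][object[]]$Rows)
    foreach ($row in $Rows) {
        $addr = "$($row.mail)".Trim()
        if (-not $addr) {
            Write-Warning 'Skipping row with an empty mail column'
            continue
        }
        # $( ) evaluates the property inside the string. It also keeps the
        # colon that follows from being parsed as part of a variable reference.
        "$($addr):\Calendar"
    }
}

function Grant-CalendarReviewer {
    [CmdletBinding(SupportsShouldProcess=$true)]
    param(
        [Parameter(Mandatory=$true)][string[]]$FolderId,
        [Parameter(Mandatory=$true)][string]$User
    )
    foreach ($id in $FolderId) {
        if (-not $PSCmdlet.ShouldProcess($id, "Grant Reviewer to $User")) { continue }
        try {
            Add-MailboxFolderPermission -Identity $id -User $User `
                -AccessRights Reviewer -ErrorAction Stop
        }
        catch {
            # One bad mailbox should not stop the remaining rooms.
            Write-Warning "Failed on ${id}: $($_.Exception.Message)"
        }
    }
}

$rows = $csv | ConvertFrom-Csv
$ids  = @(Get-CalendarFolderId -Rows $rows)
$ids  # preview the identities before touching any mailbox

# Only call Exchange when its cmdlets are loaded; -WhatIf keeps this a dry run.
if (Get-Command Add-MailboxFolderPermission -ErrorAction SilentlyContinue) {
    Grant-CalendarReviewer -FolderId $ids -User 'Mike' -WhatIf
}
```

Remove `-WhatIf` once the previewed identities look like `address:\Calendar` for every room.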
Good morning everybody,
I am writing on behalf of not being able to implement a desired outcome in our company network. In fact the situation is as follows:
What I want to do is to be able to authenticate users (802.1x authentication) in our company RADIUS server and authorize them access by having a dynamic VLAN assignment in a multi-user environment on one and the same port of a Cisco 2960 switch. So far, the authentication and authorization has been working completely smoothly (there are no problems with it). The concept involves the configuration of both DATA and VOICE VLANs as there is also phone authentication implemented. In order to simulate this environment I introduced a dumb switch connected to my Cisco 2960 Catalyst.
What I have successfully managed to get to work so far is this:
1) On one switch port I have tried the "authentication host-mode multi-domain" and it worked perfectly for a PC behind a telephone, or with one PC connected to the dumb switch + the telephone connected to another port of the dumb switch. Logically it is the same situation as there is a separation in two domains: DATA and VOICE. Below is an output from show authentication sessions for this scenario.
Interface MAC Address Method Domain Status Session ID
Fa0/23 0021.9b62.b79b dot1x DATA Authz Success C0A8FF69000000F3008E (user1)
Fa0/23 0015.655c.b912 dot1x VOICE Authz Success C0A8FF69000000F9009F (phone)
2) On the other hand, when I try the same scenario with the "authentication host-mode multi-auth", the switch still separates the traffic in two domains and is able to authenticate all users, AS LONG AS they are in the same VLAN.
show authentication sessions:
Interface MAC Address Method Domain Status Session ID
Fa0/23 0021.9b62.b79b dot1x DATA Authz Success C0A8FF69000000F3008E (user1)
Fa0/23 b888.e3eb.ebac dot1x DATA Authz Success C0A8FF69000000F8008C (user2)
Fa0/23 0015.655c.b912 dot1x VOICE Authz Success C0A8FF69000000F9009F (phone)
However, I cannot succeed authentication of many users from DIFFERENT VLANs, neither in multi-auth nor in multi-domain modes.
What I want to get is an output like this:
Interface MAC Address Method Domain Status Session ID
Fa0/23 0021.9b62.b79b dot1x DATA Authz Success C0A8FF69000000F3008E (user1)
Fa0/23 b888.e3eb.ebac dot1x DATA Authz Success C0A8FF69000000F8008C (user2)
Fa0/23 0015.655c.b912 dot1x VOICE Authz Success C0A8FF69000000F9009F (phone)
I want the switch to authenticate the users anytime they connect to it and for them to have instant access to the network. (I say this because I tried scenario 1) with multi-domain mode and authentication violation replace, and it worked, but two users never had access to the "Internet" simultaneously!!!)
The configuration of the interface connected to the Dumb switch is as follows.
interface FastEthernet0/x
description Connection to DUMBswitch
switchport mode access
switchport voice vlan XXX
switchport port-security maximum 10
switchport port-security
switchport port-security violation protect
authentication host-mode multi-auth
authentication priority dot1x
authentication port-control auto
authentication timer reauthenticate 4000
authentication violation replace
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
The way I see it is explained in the following steps:
- PC1 connects to the Dumb switch. This causes the Cisco switch to authenticate user1. This creates an auth. session with its MAC address linked to a domain DATA.
- When PC2 connects to the Dumb switch, this causes the violation replace which replaces the recent authenticated MAC address with the MAC of PC2. I would like it once authenticated to appear in the authentication sessions with a link to a new DATA domain linked to the VLAN assigned from the RADIUS server.
Is this possible? I think (in theory) this is the only way to provide authenticated access to multiple users connecting through Dumb switch to the network.
Has anybody ever succeeded in such a configuration example? If yes, I would love to get some help in doing so.
Thank you
Stoimen Hristov
Hi Stoimen,
I have done a setup similar to yours with the only exception being VLAN assignment. When I used dACLs only, it makes things somewhat easier as the VLAN no longer matters. Remember that the switchport is in access mode and will only allow a single VLAN across it (with the exception of the voice VLAN). I think that is the real cause of your problem.
From what I can see, you have 2 options available to you:
1) Use dACLs instead of VLAN assignment. This means that an access list will be downloaded from the radius server straight to the authenticated user's session. I have tested this and it works perfectly. Just Google Cisco IBNS quick reference guide and look for the section that deals with Low Impact mode.
2) Get rid of the dumb switches and use managed switches throughout your network. Dumb switches will always be a point of weakness in your network because they have no intelligence to do advanced security features like port security, 802.1x, DHCP snooping, etc.
Hopefully someone else will chime in with another option.
Xavier -
List of users who have access to multiple mailboxes
Hi,
I got the list of around three hundred generic mailboxes.
Please help me with the command which can help me to get the report of all users who have access on those generic mailboxes.
Hi,
If you want to export these permissions to a csv file, you can use the following cmdlet:
Get-Mailbox -ResultSize Unlimited | Get-MailboxPermission | Where {$_.user -notlike "NT AUTHORITY\SELF" -and $_.IsInherited -eq $false} | Select Identity,User,@{Name='Access Rights';Expression={[String]::join(', ', $_.AccessRights)}} | Export-Csv C:\MailboxAccess.csv -NoTypeInformation
Hope this can be helpful to you.
Best regards,
Amy Wang
TechNet Community Support -
New user creation for accessing BPM work list
Hi,
I have installed AIA in my system and by default it allows me to login to the BPM worklist using AIAIntegrationAdmin user. All the error notifications are also sent to this user.
If I want to send error notifications to other users and provide them access to BPM worklist, how should I go about it?
Pointers to this would be great help.
Hi,
As mentioned, I have created a user (named TestUser) in Enterprise Manager and given him the roles of ascontrol_monitor and ascontrol_appadmin. I have made an entry for this user in users-properties.xml. Still I am not able to log in to the worklist with this user's credentials.
Please find the user definition I added in users-properties.xml file:
<userObject>
<name>TestUser</name>
<description>Demo User</description>
<email>[email protected]</email>
<title>Load Agent 5</title>
<firstName>Test</firstName>
<lastName>User</lastName>
<manager>jstein</manager>
<timeZone>America/Los_Angeles</timeZone>
<languagePreference>en-US</languagePreference>
<notificationPreferences>Mail</notificationPreferences>
</userObject>
Please let me know if I have to make changes at any other places. -
Blank list of uniquely secured items
I have an issue in a 2010 Document Center
When I go to site permissions, I am warned that "Some content on this site has unique permissions which are not controlled from this page."
I then click "Show me uniquely secured content".
I am now presented an overview of "Lists that may contain items with unique permissions".
I then click "view exeptions" to see the items.
But in the list that shows up, there are no items, only a note "There are no items in this list that are uniquely secured."
How can I get to see the items that still trigger the warning about unique permissions?
Hi,
When clicking Show me uniquely secured content under site permissions page, we will see exceptions which show all lists having unique permissions. When clicking Manage Permissions, we will be redirected to list\lib permissions page where we can check the unique permissions on it.
Can you please show where do you click "view exeptions" and see note "There are no items in this list that are uniquely secured"? A screenshot will be perfect.
Miles LI TechNet Community Support -
Hi Nico, Thank you so much for your reply. Can you please advise or give me some steps to write the script, please? Regards, Kareem
Hi All, How can we provide access/permissions to a user/group for a group of folders in a single step? I am able to provide access for a single folder at a time. I want to provide access to a list of folders (more than 30) in a single step. Regards, Kareem
-
Workflow to grant access to each List item based on a column value
Hi,
I have 2 lists Risks and RisksLookup.
In Risks, I have Title, Description, service impacted and status columns.
In RisksLookup, I have service impacted, AD1, AD2, AD3, AD4 and AD5.
I have a requirement wherein I have to write a Workflow to provide access to each List item based on the value of service impacted, i.e. if service impacted in the Risks List is Client A, I have to look up which AD groups are present for Client A in the RisksLookup List and provide access to only those groups for that item.
Regards, Shreyas R S
Hi
Another approach:
Create 5 more lists, one dedicated to each impacted service. For each one of these lists apply the needed rights (based on AD groups). Keep your main list, where first level will add new items. Attach a workflow to this main list, which will start when an item is added and which will add the specific item's values to its new list (based on the impacted service value).
Romeo Donca, Orange Romania (MCSE, MCITP, CCNA) Please Mark As Answer if my post solves your problem or Vote As Helpful if the post has been helpful for you. -
Are managed users allowed to download apps?
Hi, I never had this problem before. I disabled AIM for one of my users (I'm the Admin). I have this user set for Managed with "some Limits" so I can disable certain apps.
I found my user was able to re-download AIM and put it into one of their personal folders and execute it from there.
I am surprised at this. I thought Mac OS X didn't allow this?
BlueRondo:
If your managed user has internet access they can indeed download files. However, installation usually requires admin user to authenticate.
Good luck.
cornelius -
SP2010 - Get List of Subfolders' Permissions
I have multiple folders, and each folder has multiple subfolders with unique permissions. Does anyone have a script (or something else) that would cycle through each subfolder and output the permissions? I would also like it to output the folder path/web path.
I have tried recording a query table, but it won't record 'document permissions'.
Hi,
See whether these links help you -
http://social.technet.microsoft.com/Forums/sharepoint/en-US/a85647f2-5194-4962-815c-17c0778dc69c/how-to-get-a-report-or-list-for-permissions-on-all-sharepoint-2010-sites-and-subsites-and-libraries
http://johanmeyer.ukuvuma.co.za/2013/02/22/export-all-user-permissions-from-a-sharepoint-2010-site-to-csv/
Hope this helps!
Ram - SharePoint Architect
Blog - SharePointDeveloper.in
Please vote or mark your question answered, if my reply helps you -
Report on Sites, Lists and Libraries with Unique Permissions
I would like to get a report on Sites, Pages, Lists, Libraries, Items and Documents under a Site Collection having Unique Permissions. What is the best way to accomplish that ?
Finally catch your meaning. In SharePoint 2010, uniquely secured objects can be displayed on the permission settings page of the parent object (see my screenshots here: http://cid-6f40fb61d28cf147.office.live.com/view.aspx/Technology/UniquePermission.docx). And as you may already know, it seems to only show inheritance broken within a site. I found it does not show unique permissions of sub sites in a site collection.
You may want something like the Broken Inheritance Report Jobs in SharePoint Administration Toolkit for SharePoint 2007 (http://blogs.msdn.com/b/sharepoint/archive/2009/08/27/announcing-the-fourth-release-of-the-microsoft-sharepoint-administration-toolkit.aspx). However, I have not found it in the SharePoint Administration Toolkit for SharePoint 2010.
If you are currently in need of this kind of report, you may try third party tools such as that from the Lightingtools (I am not familiar with it and don't know if it will meet your requirement).
Or you can back up the content database and restore it to a test environment to query. With the help of SQL Server Profiler, I found that the stored procedure proc_SecChangeToUniqueScope (http://msdn.microsoft.com/en-us/library/dd358095(PROT.13).aspx) is called when you break permission inheritance. You can find more information around this stored procedure by searching:
http://www.bing.com/search?q=site%3Amsdn.microsoft.com+proc_SecChangeToUniqueScope
And you can make use of database comparison tools such as that from Visual Studio 2010 Premium/Ultimate to compare the content database before and after the site permission inheritance is broken to learn what tables to query (of course, you should do all this in a test environment). -
List of users who has access to current community
Hi,
Is there an API which provides a list of users who have access to the current community in ALUI? Will there be a huge performance impact in retrieving the list of all users who have access to the current community?
Thanks
Sampath
Sorry,
I am not quite following you.
Users can only view a community if the permissions exist for that specific community. I don't understand what you meant by
"I need to let user type a name and show his/her user ID from the list of users who have access to the current community".
Are you trying to look at user permissions based on a list of communities existing in the portal? The user can't even get to that community if he doesn't have permissions. -
JES Access Manager User Creation for Messanger
Hi Everyone
I installed JES 2005 Q4 on Solaris 10 x86 with schema 2 and Access Manager 7. The Directory Tree is as follows:
Sol1.nucleussoftware.com:389
dc=nucleussoftware,dc=com (34 acis)
DSAME Users
Internet
People
Groups
Client Data
services
nucleussoftware.com
People
Groups
o=Netscape Root (3 acis)
cn=Schema (6 acis)
cn=monitor (5 acis)
cn=config (4 acis)
Organization DN when I ran "configutil" after running comm_dssetup.pl, was specified o=nucleussoftware,dc=nucleussoftware,dc=com
This is fresh installation and not any migration.
Now I create user from Access Manager, http://sol1.nucleussoftware.com/amserver
There are two organizations 1. Nucleussoftware and 2. Nucleussoftware->nucleussoftware.com
So I have two locations to create users in People.
When I create user from Access Manager and try to login into WebMail, I get Login Failed.
But when I open "startconsole" or "mpsconsole" and open Messaging Server Console and in new user's property, Account Attribute, I mark the check box, and now try to login into WebMail, I get error message, "Mailbox is on a different server".
I am missing one attribute that I used to get with schema 1 on iPlanet 5.2 for any user, Mail Server Address.
Please tell me the exact method of creating a user for Messaging.
Regards
Amit Bist
Access Manager was never intended to create working mail users. The Delegated Admin package is provided as part of JES, and that's what it is for, to manage users and groups. There's both a web interface and a command-line interface, "commadmin".
Or, you can examine the ldap entries for the automatically created accounts, and duplicate that. Messaging doesn't really care how the ldap entries get done, just so that they are done correctly. -
Providing Access to Power Users to a Region in Portal
Is there a way in Oracle Portal to provide Access to a Region of a Page Group to a specific user so they can make changes to it such as announcements to a system maintenance, etc.
Thx in advance.
KA
user5944528 wrote:
Is there a way in Oracle Portal to provide Access to a Region of a Page Group to a specific user so they can make changes to it such as announcements to a system maintenance, etc.
Thx in advance.
KA
Basically, each page (and also the page-groups, but I think you meant pages) has editable Access settings where you can define any user, or group of users, to have any privileges (view, edit, manage, etc). So, the easiest solution would be to create a page and use these settings and give editing privileges in this Access tab to only the group of administrators in your company. Other users may be given the viewing privileges.
On such a page, you can have any portlets (eg, reports, forms, dynamic page, etc) coming from the providers. Access can also be set for each of these portlets and the group of administrators may be assigned the editing privileges for them. Other users may be given the viewing privileges. That way, this will remain visible to other users but editable only to the admin users.
hope that helps!
AMN -
How to find out list of users and their access on Sharepoint
Hello Everyone
How can I find out the list of users and what access they have on a SharePoint site? I want to create a table with the list of the users and their access.
Thanks
You can get the report using the PowerShell scripts below. The first one gives the list of users at the site collection level.
The second link generates the permissions reports for each user.
http://techtrainingnotes.blogspot.com/2010/12/sharepoint-powershell-script-to-list.html
https://sp2010userperm.codeplex.com/
My Blog - http://www.sharepoint-journey.com
If a post answers your question, please click Mark As Answer on that post and Vote as Helpful