MDM Security Requirements

Hello All:
I am new to MDM Security Administration and would like to know how and what controls are available in the system (example: controls on tables, fields etc.)?
I am trying to compile a Task/Function Matrix which will help the functional teams convey their access requirement in the system.
Help is much appreciated.
Khurram

Hi Khurram,
MDM security is largely maintained by the presence of roles and users. We can have roles defined in MDM which will have proper authorizations. We can then create users and assign them roles so that we can maintain the security in MDM. All of this can be done through the MDM Console.
These authorizations ensure that only users who have access or read/write authorization will be able to perform their respective tasks.
This is what is mentioned in SAP Help documentation in this regard.
A. MDM Repository Security
A traditional SQL DBMS allows you to define basic user-level security to prevent unauthorized access to the database. You can specify the tables to which each user has access, granting at the table level either: (1) no access to the table; or (2) complete read/write access to the table, including access to all of its fields and records.
By contrast, MDM supports a dramatically more flexible multidimensional security scheme that provides much more granular control over which users can access an MDM repository, which functions they can perform, and which tables, fields, and records they can access. The MDM security scheme includes:
● Users. A user represents an entity that can connect to and access the MDM repository. Each user has a user name and password, and is assigned one or more roles that collectively specify the complete set of privileges for that particular user.
● Roles. Each role specifies a set of privileges to access each of the MDM repository's tables, fields, lookup record values, and records, and to perform each of the repository functions. The same role can be assigned to more than one user.
● Privileges. For each repository function, you can either prevent or allow the role to perform the function, and for each table and field, you can grant the role full read/write access or read-only access.
● Constraints. For the Masks table and some lookup tables (those referenced by at least one single-valued lookup field and no multi-valued lookup fields), you can specify the set of masks or lookup values that should be visible and accessible for the role.
Precisely defining each role – and then assigning one or more roles to each user – provides very fine control over who can access an MDM repository and how they can access it.
You can define repository security from within the MDM Console by working on the following administrative tables, which are located under a repository's Admin node in the Console Hierarchy tree:
● Roles. Defines the sets of functional permissions, access privileges, and record constraints that can be assigned to MDM user names.
● Users. Defines the MDM user names that can access the MDM repository and manages their role assignments.
Within a SQL-based DBMS, you can use views to precisely control field- and record-level access by various users. However, views are cumbersome to manage, and more importantly, degrade system response, often creating severe performance bottlenecks.
B. Console-Level Repository Security
Recall that MDM's multi-level security model supports granular, role-based repository access to functions and data from within MDM client applications. This multi-level security model extends to administrative functions within the MDM Console itself.
The MDM Console security scheme includes:
● Users
Repository administrators must connect to an MDM repository with an MDM user name and password before any administrative tasks can be performed in the MDM Console.
● Roles
The roles assigned to an administrator's MDM user name determine which administrative functions are permitted or restricted for that administrator in the MDM Console.
● Privileges
Administrative, Schema, and Change Tracking functional groups on the Roles table enable granular control over access to all MDM Console functions.
With these features, you can precisely define limited administrative roles for each of your administrators or administrative tasks. You can then assign these targeted roles to users instead of the Admin role, which retains full access to all MDM privileges.
Kindly go through the link below to get additional info:
http://help.sap.com/saphelp_mdm550/helpdata/en/8e/9f9c427055c66ae10000000a155106/frameset.htm
Go to ->Repository maintenance->MDM repository security
You will find enough information.
Hope it helps.
Kindly reward points if helpful
Thanks and Regards
Nitin Jain
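As an added example (not SAP code and not part of the reply above), the following Python models the scheme just described and builds the kind of Task/Function Matrix Khurram asked for: roles carry table privileges, function permissions and lookup-value constraints; a user's effective privileges are the union of the assigned roles, as the Help text says ("collectively specify the complete set of privileges"); and a least-privilege check reports where that union exceeds what the functional team said the task needs. Role, table, function and user names are constructed sample data.

```python
"""Task/Function matrix for an MDM-style role model (added example, not SAP code).

Roles hold per-table privileges (none / read-only / read-write), a set of
allowed repository functions and per-lookup-table visible values.  A user's
effective privileges are the union of the assigned roles.  Sample roles,
tables, functions and users below are constructed for the demonstration.
"""
from dataclasses import dataclass, field
from enum import IntEnum


class Access(IntEnum):
    NONE = 0
    READ_ONLY = 1
    READ_WRITE = 2


@dataclass
class Role:
    name: str
    tables: dict = field(default_factory=dict)       # table -> Access
    functions: set = field(default_factory=set)      # allowed repository functions
    constraints: dict = field(default_factory=dict)  # lookup table -> visible values


@dataclass
class User:
    name: str
    roles: list  # role names assigned to this user


def effective_privileges(user, roles_by_name):
    """Union of role privileges: most permissive table access wins, allowed
    functions accumulate, and visible lookup values are unioned."""
    tables, functions, constraints = {}, set(), {}
    for rname in user.roles:
        role = roles_by_name[rname]
        for table, acc in role.tables.items():
            tables[table] = max(tables.get(table, Access.NONE), acc)
        functions |= role.functions
        for lookup, values in role.constraints.items():
            constraints.setdefault(lookup, set()).update(values)
    return tables, functions, constraints


def task_function_matrix(users, roles_by_name, tables, functions):
    """Rows: one per user; columns: table access levels, then Y/N per function."""
    rows = []
    for u in users:
        t_acc, funcs, _ = effective_privileges(u, roles_by_name)
        row = [u.name]
        row += [t_acc.get(t, Access.NONE).name for t in tables]
        row += ["Y" if f in funcs else "N" for f in functions]
        rows.append(row)
    return rows


def find_excess(users, roles_by_name, required):
    """Least-privilege check: users whose effective table access exceeds what
    their task requires (required: user -> table -> Access)."""
    findings = []
    for u in users:
        t_acc, _, _ = effective_privileges(u, roles_by_name)
        for table, acc in t_acc.items():
            if acc > required.get(u.name, {}).get(table, Access.NONE):
                findings.append((u.name, table, acc.name))
    return findings


# Constructed sample repository: three roles, two users.
ROLES = {r.name: r for r in [
    Role("DataSteward",
         tables={"Products": Access.READ_WRITE, "Vendors": Access.READ_WRITE},
         functions={"Add Records", "Modify Records", "Delete Records"},
         constraints={"Region": {"EMEA", "APAC"}}),
    Role("Viewer",
         tables={"Products": Access.READ_ONLY, "Vendors": Access.READ_ONLY},
         functions={"Search"},
         constraints={"Region": {"EMEA"}}),
    Role("Approver",
         tables={"Products": Access.READ_WRITE},
         functions={"Search", "Check In Records"},
         constraints={"Region": {"AMER"}}),
]}
USERS = [User("alice", ["Viewer", "Approver"]), User("bob", ["Viewer"])]
TABLES = ["Products", "Vendors"]
FUNCTIONS = ["Search", "Add Records", "Check In Records"]
# What the functional team says each user's task actually needs (constructed).
REQUIRED = {"alice": {"Products": Access.READ_WRITE, "Vendors": Access.NONE},
            "bob": {"Products": Access.READ_ONLY, "Vendors": Access.READ_ONLY}}

if __name__ == "__main__":
    print("\t".join(["User"] + TABLES + FUNCTIONS))
    for row in task_function_matrix(USERS, ROLES, TABLES, FUNCTIONS):
        print("\t".join(row))
    print("Excess access:", find_excess(USERS, ROLES, REQUIRED))
```

Alice's Vendors access comes only from the Viewer role she holds for another purpose, which is exactly the kind of finding a Task/Function Matrix is meant to surface.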

Similar Messages

  • Windows 8.1 Mail app and Exchange 2010 EAS partnership - "Make Windows user account an Administrator" to meet security requirements?

    As the title says, I have a new Windows 8.1 based device which I'm trying to connect to my Exchange 2010 box (SP3 Update Rollup 2). I currently have my iPhone set up as an EAS client with no problems. I have an EAS policy on my mailbox with the following settings surrounding passwords:
    Require Password, Require Encryption, Allow Simple Password, Time without user input - 10 minutes. Allow non-provisionable devices is also checked.
    The Windows 8.1 device has BitLocker enabled, which meets the encryption requirement - I know this because the 1st time I tried this it moaned about BitLocker needing to be enabled to meet requirements, though at that time the local user account on the Windows 8.1 device was an admin level account so it never mentioned this issue; it worked normally.
    Now, while using a std user account on the Windows 8.1 device and trying to connect up via EAS, it complains that my local Windows user account must be an ADMIN level account to meet the security requirements...?
    Anyone encountered this?

    Did anyone solve this problem? I'm also struggling with this issue.
    This is still a problem. I'm just hitting it now and it's not doing much for management's love of Microsoft devices.
    Evidently, it has to be an admin to set the policies on the device to match the policies on the EAS. And once set, a user can be changed back.
    But this is seriously not cool. Don't the "app" folks and the enterprise folks talk to each other?

  • Network Security Requirement : Confidential - Not Enforced

    I am having a perplexing problem with the network security requirement feature in SJSAS 8 Update 1.
    In deploytool, under my WAR, in the security tab, for my only SecurityConstraint, I set the Network Security Requirement to CONFIDENTIAL. This should cause any access to these objects over port 80 to be redirected to https via port 443.
    The failure is that it does not redirect clients accessing over port 80 to a secure connection. The tricky part is that it fails in a completely random way. Sometimes for some WARs it will work as expected, then after X number of server restarts / redeployments, some of the same WARs will not do the redirect as expected. Through continuous redeploys and restarts during development, all WARs will or will not do the redirect in any given situation.
    Has anyone else experienced this problem and worked around it? Any help is greatly appreciated! Thanks in advance!
    mod_critical

    The following is the deployment descriptor for one of the WARs (this problem affects them all, on multiple different machines with different setups).
    The following is from the Security Constraint:
    <security-constraint>
      <display-name>SecurityConstraint</display-name>
      <web-resource-collection>
        <web-resource-name>WRCollection</web-resource-name>
        <url-pattern>/participant/*</url-pattern>
        <url-pattern>/assetmodel/*</url-pattern>
        <url-pattern>/*</url-pattern>
        <http-method>POST</http-method>
        <http-method>GET</http-method>
      </web-resource-collection>
      <auth-constraint>
        <role-name>asadmin</role-name>
        <role-name>cvbdataentry</role-name>
        <role-name>cvbadmin</role-name>
      </auth-constraint>
      <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </user-data-constraint>
    </security-constraint>
    The rest is as follows:
    <?xml version='1.0' encoding='UTF-8'?>
    <web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
      <display-name>CVBadmin</display-name>
      <servlet><display-name>assetmodel/OpenRecord</display-name><servlet-name>assetmodel/OpenRecord</servlet-name><servlet-class>com.deerteck.cvb.servlet.CVBadmin.assetmodel.OpenRecord</servlet-class></servlet>
      <servlet><display-name>participant/personell/account/Lookup</display-name><servlet-name>participant/personell/account/Lookup</servlet-name><servlet-class>com.deerteck.cvb.servlet.CVBadmin.participant.personell.account.Lookup</servlet-class></servlet>
      <servlet><display-name>participant/personell/account/record</display-name><servlet-name>participant/personell/account/record</servlet-name><jsp-file>/participant/personell/account/record.jsp</jsp-file></servlet>
      <servlet><display-name>assetmodel/line/Remove</display-name><servlet-name>assetmodel/line/Remove</servlet-name><servlet-class>com.deerteck.cvb.servlet.CVBadmin.assetmodel.line.Remove</servlet-class></servlet>
      <servlet><display-name>participant/location/record</display-name><servlet-name>participant/location/record</servlet-name><jsp-file>/participant/location/record.jsp</jsp-file></servlet>
      <servlet><display-name>assetmodel/Save</display-name><servlet-name>assetmodel/Save</servlet-name><servlet-class>com.deerteck.cvb.servlet.CVBadmin.assetmodel.Save</servlet-class></servlet>
      <servlet><display-name>syncError</display-name><servlet-name>syncError</servlet-name><jsp-file>/syncError.jsp</jsp-file></servlet>
      <servlet><display-name>participant/Search</display-name><servlet-name>participant/Search</servlet-name><servlet-class>com.deerteck.cvb.servlet.CVBadmin.participant.Search</servlet-class></servlet>
      <servlet><display-name>participant/location/List</display-name><servlet-name>participant/location/List</servlet-name><servlet-class>com.deerteck.cvb.servlet.CVBadmin.participant.location.List</servlet-class></servlet>
      <servlet><display-name>participant/personell/account/Create</display-name><servlet-name>participant/personell/account/Create</servlet-name><servlet-class>com.deerteck.cvb.servlet.CVBadmin.participant.personell.account.Create</servlet-class></servlet>
      <servlet><display-name>participant/personell/listresults</display-name><servlet-name>participant/personell/listresults</servlet-name><jsp-file>/participant/personell/listresults.jsp</jsp-file></servlet>
      <servlet><display-name>participant/record</display-name><servlet-name>participant/record</servlet-name><jsp-file>/participant/record.jsp</jsp-file></servlet>
      <servlet><display-name>participant/personell/account/Passwd</display-name><servlet-name>participant/personell/account/Passwd</servlet-name><servlet-class>com.deerteck.cvb.servlet.CVBadmin.participant.personell.account.Passwd</servlet-class></servlet>
      <servlet><display-name>participant/location/Create</display-name><servlet-name>participant/location/Create</servlet-name><servlet-class>com.deerteck.cvb.servlet.CVBadmin.participant.location.Create</servlet-class></servlet>
      <servlet><display-name>Logout</display-name><servlet-name>Logout</servlet-name><servlet-class>com.deerteck.cvb.servlet.CVBadmin.Logout</servlet-class></servlet>
      <servlet><display-name>participant/location/Remove</display-name><servlet-name>participant/location/Remove</servlet-name><servlet-class>com.deerteck.cvb.servlet.CVBadmin.participant.location.Remove</servlet-class></servlet>
      <servlet><display-name>participant/Save</display-name><servlet-name>participant/Save</servlet-name><servlet-class>com.deerteck.cvb.servlet.CVBadmin.participant.Save</servlet-class></servlet>
      <servlet><display-name>assetmodel/listresults</display-name><servlet-name>assetmodel/listresults</servlet-name><jsp-file>/assetmodel/listresults.jsp</jsp-file></servlet>
      <servlet><display-name>assetmodel/line/record</display-name><servlet-name>assetmodel/line/record</servlet-name><jsp-file>/assetmodel/line/record.jsp</jsp-file></servlet>
      <servlet><display-name>assetmodel/line/List</display-name><servlet-name>assetmodel/line/List</servlet-name><servlet-class>com.deerteck.cvb.servlet.CVBadmin.assetmodel.line.List</servlet-class></servlet>
      <servlet><display-name>participant/personell/Save</display-name><servlet-name>participant/personell/Save</servlet-name><servlet-class>com.deerteck.cvb.servlet.CVBadmin.participant.personell.Save</servlet-class></servlet>
      <servlet><display-name>assetmodel/line/Create</display-name><servlet-name>assetmodel/line/Create</servlet-name><servlet-class>com.deerteck.cvb.servlet.CVBadmin.assetmodel.line.Create</servlet-class></servlet>
      <servlet><display-name>participant/personell/List</display-name><servlet-name>participant/personell/List</servlet-name><servlet-class>com.deerteck.cvb.servlet.CVBadmin.participant.personell.List</servlet-class></servlet>
      <servlet><display-name>assetmodel/Create</display-name><servlet-name>assetmodel/Create</servlet-name><servlet-class>com.deerteck.cvb.servlet.CVBadmin.assetmodel.Create</servlet-class></servlet>
      <servlet><display-name>participant/Remove</display-name><servlet-name>participant/Remove</servlet-name><servlet-class>com.deerteck.cvb.servlet.CVBadmin.participant.Remove</servlet-class></servlet>
      <servlet><display-name>participant/Create</display-name><servlet-name>participant/Create</servlet-name><servlet-class>com.deerteck.cvb.servlet.CVBadmin.participant.Create</servlet-class></servlet>
      <servlet><display-name>assetmodel/line/listresults</display-name><servlet-name>assetmodel/line/listresults</servlet-name><jsp-file>/assetmodel/line/listresults.jsp</jsp-file></servlet>
      <servlet><display-name>participant/personell/Remove</display-name><servlet-name>participant/personell/Remove</servlet-name><servlet-class>com.deerteck.cvb.servlet.CVBadmin.participant.personell.Remove</servlet-class></servlet>
      <servlet><display-name>assetmodel/List</display-name><servlet-name>assetmodel/List</servlet-name><servlet-class>com.deerteck.cvb.servlet.CVBadmin.assetmodel.List</servlet-class></servlet>
      <servlet><display-name>assetmodel/record</display-name><servlet-name>assetmodel/record</servlet-name><jsp-file>/assetmodel/record.jsp</jsp-file></servlet>
      <servlet><display-name>participant/searchresults</display-name><servlet-name>participant/searchresults</servlet-name><jsp-file>/participant/searchresults.jsp</jsp-file></servlet>
      <servlet><display-name>menu</display-name><servlet-name>menu</servlet-name><jsp-file>/menu.jsp</jsp-file></servlet>
      <servlet><display-name>assetmodel/line/OpenRecord</display-name><servlet-name>assetmodel/line/OpenRecord</servlet-name><servlet-class>com.deerteck.cvb.servlet.CVBadmin.assetmodel.line.OpenRecord</servlet-class></servlet>
      <servlet><display-name>participant/location/listresults</display-name><servlet-name>participant/location/listresults</servlet-name><jsp-file>/participant/location/listresults.jsp</jsp-file></servlet>
      <servlet><display-name>exception</display-name><servlet-name>exception</servlet-name><jsp-file>/exception.jsp</jsp-file></servlet>
      <servlet><display-name>participant/OpenRecord</display-name><servlet-name>participant/OpenRecord</servlet-name><servlet-class>com.deerteck.cvb.servlet.CVBadmin.participant.OpenRecord</servlet-class></servlet>
      <servlet><display-name>participant/location/Save</display-name><servlet-name>participant/location/Save</servlet-name><servlet-class>com.deerteck.cvb.servlet.CVBadmin.participant.location.Save</servlet-class></servlet>
      <servlet><display-name>participant/personell/OpenRecord</display-name><servlet-name>participant/personell/OpenRecord</servlet-name><servlet-class>com.deerteck.cvb.servlet.CVBadmin.participant.personell.OpenRecord</servlet-class></servlet>
      <servlet><display-name>participant/personell/Create</display-name><servlet-name>participant/personell/Create</servlet-name><servlet-class>com.deerteck.cvb.servlet.CVBadmin.participant.personell.Create</servlet-class></servlet>
      <servlet><display-name>participant/personell/account/Remove</display-name><servlet-name>participant/personell/account/Remove</servlet-name><servlet-class>com.deerteck.cvb.servlet.CVBadmin.participant.personell.account.Remove</servlet-class></servlet>
      <servlet><display-name>participant/personell/record</display-name><servlet-name>participant/personell/record</servlet-name><jsp-file>/participant/personell/record.jsp</jsp-file></servlet>
      <servlet><display-name>assetmodel/Remove</display-name><servlet-name>assetmodel/Remove</servlet-name><servlet-class>com.deerteck.cvb.servlet.CVBadmin.assetmodel.Remove</servlet-class></servlet>
      <servlet><display-name>assetmodel/PreRecord</display-name><servlet-name>assetmodel/PreRecord</servlet-name><servlet-class>com.deerteck.cvb.servlet.CVBadmin.assetmodel.PreRecord</servlet-class></servlet>
      <servlet><display-name>assetmodel/line/Save</display-name><servlet-name>assetmodel/line/Save</servlet-name><servlet-class>com.deerteck.cvb.servlet.CVBadmin.assetmodel.line.Save</servlet-class></servlet>
      <servlet><display-name>participant/location/OpenRecord</display-name><servlet-name>participant/location/OpenRecord</servlet-name><servlet-class>com.deerteck.cvb.servlet.CVBadmin.participant.location.OpenRecord</servlet-class></servlet>
      <servlet-mapping><servlet-name>assetmodel/OpenRecord</servlet-name><url-pattern>/assetmodel/openrecord</url-pattern></servlet-mapping>
      <servlet-mapping><servlet-name>participant/personell/account/Lookup</servlet-name><url-pattern>/participant/personell/account/lookup</url-pattern></servlet-mapping>
      <servlet-mapping><servlet-name>participant/personell/account/record</servlet-name><url-pattern>/participant/personell/account/record</url-pattern></servlet-mapping>
      <servlet-mapping><servlet-name>assetmodel/line/Remove</servlet-name><url-pattern>/assetmodel/line/remove</url-pattern></servlet-mapping>
      <servlet-mapping><servlet-name>participant/location/record</servlet-name><url-pattern>/participant/location/record</url-pattern></servlet-mapping>
      <servlet-mapping><servlet-name>assetmodel/Save</servlet-name><url-pattern>/assetmodel/save</url-pattern></servlet-mapping>
      <servlet-mapping><servlet-name>syncError</servlet-name><url-pattern>/syncError</url-pattern></servlet-mapping>
      <servlet-mapping><servlet-name>participant/Search</servlet-name><url-pattern>/participant/search</url-pattern></servlet-mapping>
      <servlet-mapping><servlet-name>participant/location/List</servlet-name><url-pattern>/participant/location/list</url-pattern></servlet-mapping>
      <servlet-mapping><servlet-name>participant/personell/account/Create</servlet-name><url-pattern>/participant/personell/account/create</url-pattern></servlet-mapping>
      <servlet-mapping><servlet-name>participant/personell/listresults</servlet-name><url-pattern>/participant/personell/listresults</url-pattern></servlet-mapping>
      <servlet-mapping><servlet-name>participant/record</servlet-name><url-pattern>/participant/record</url-pattern></servlet-mapping>
      <servlet-mapping><servlet-name>participant/personell/account/Passwd</servlet-name><url-pattern>/participant/personell/account/passwd</url-pattern></servlet-mapping>
      <servlet-mapping><servlet-name>participant/location/Create</servlet-name><url-pattern>/participant/location/create</url-pattern></servlet-mapping>
      <servlet-mapping><servlet-name>Logout</servlet-name><url-pattern>/logout</url-pattern></servlet-mapping>
      <servlet-mapping><servlet-name>participant/location/Remove</servlet-name><url-pattern>/participant/location/remove</url-pattern></servlet-mapping>
      <servlet-mapping><servlet-name>participant/Save</servlet-name><url-pattern>/participant/save</url-pattern></servlet-mapping>
      <servlet-mapping><servlet-name>assetmodel/listresults</servlet-name><url-pattern>/assetmodel/listresults</url-pattern></servlet-mapping>
      <servlet-mapping><servlet-name>assetmodel/line/record</servlet-name><url-pattern>/assetmodel/line/record</url-pattern></servlet-mapping>
      <servlet-mapping><servlet-name>assetmodel/line/List</servlet-name><url-pattern>/assetmodel/line/list</url-pattern></servlet-mapping>
      <servlet-mapping><servlet-name>participant/personell/Save</servlet-name><url-pattern>/participant/personell/save</url-pattern></servlet-mapping>
      <servlet-mapping><servlet-name>assetmodel/line/Create</servlet-name><url-pattern>/assetmodel/line/create</url-pattern></servlet-mapping>
      <servlet-mapping><servlet-name>participant/personell/List</servlet-name><url-pattern>/participant/personell/list</url-pattern></servlet-mapping>
      <servlet-mapping><servlet-name>assetmodel/Create</servlet-name><url-pattern>/assetmodel/create</url-pattern></servlet-mapping>
      <servlet-mapping><servlet-name>participant/Remove</servlet-name><url-pattern>/participant/remove</url-pattern></servlet-mapping>
      <servlet-mapping><servlet-name>participant/Create</servlet-name><url-pattern>/participant/create</url-pattern></servlet-mapping>
      <servlet-mapping><servlet-name>assetmodel/line/listresults</servlet-name><url-pattern>/assetmodel/line/listresults</url-pattern></servlet-mapping>
      <servlet-mapping><servlet-name>participant/personell/Remove</servlet-name><url-pattern>/participant/personell/remove</url-pattern></servlet-mapping>
      <servlet-mapping><servlet-name>assetmodel/List</servlet-name><url-pattern>/assetmodel/list</url-pattern></servlet-mapping>
      <servlet-mapping><servlet-name>assetmodel/record</servlet-name><url-pattern>/assetmodel/record</url-pattern></servlet-mapping>
      <servlet-mapping><servlet-name>participant/searchresults</servlet-name><url-pattern>/participant/searchresults</url-pattern></servlet-mapping>
      <servlet-mapping><servlet-name>menu</servlet-name><url-pattern>/menu</url-pattern></servlet-mapping>
      <servlet-mapping><servlet-name>assetmodel/line/OpenRecord</servlet-name><url-pattern>/assetmodel/line/openrecord</url-pattern></servlet-mapping>
      <servlet-mapping><servlet-name>participant/location/listresults</servlet-name><url-pattern>/participant/location/listresults</url-pattern></servlet-mapping>
      <servlet-mapping><servlet-name>exception</servlet-name><url-pattern>/exception</url-pattern></servlet-mapping>
      <servlet-mapping><servlet-name>participant/OpenRecord</servlet-name><url-pattern>/participant/openrecord</url-pattern></servlet-mapping>
      <servlet-mapping><servlet-name>participant/location/Save</servlet-name><url-pattern>/participant/location/save</url-pattern></servlet-mapping>
      <servlet-mapping><servlet-name>participant/personell/OpenRecord</servlet-name><url-pattern>/participant/personell/openrecord</url-pattern></servlet-mapping>
      <servlet-mapping><servlet-name>participant/personell/Create</servlet-name><url-pattern>/participant/personell/create</url-pattern></servlet-mapping>
      <servlet-mapping><servlet-name>participant/personell/account/Remove</servlet-name><url-pattern>/participant/personell/account/remove</url-pattern></servlet-mapping>
      <servlet-mapping><servlet-name>participant/personell/record</servlet-name><url-pattern>/participant/personell/record</url-pattern></servlet-mapping>
      <servlet-mapping><servlet-name>assetmodel/Remove</servlet-name><url-pattern>/assetmodel/remove</url-pattern></servlet-mapping>
      <servlet-mapping><servlet-name>assetmodel/PreRecord</servlet-name><url-pattern>/assetmodel/prerecord</url-pattern></servlet-mapping>
      <servlet-mapping><servlet-name>assetmodel/line/Save</servlet-name><url-pattern>/assetmodel/line/save</url-pattern></servlet-mapping>
      <servlet-mapping><servlet-name>participant/location/OpenRecord</servlet-name><url-pattern>/participant/location/openrecord</url-pattern></servlet-mapping>
      <session-config><session-timeout>60</session-timeout></session-config>
      <error-page><error-code>500</error-code><location>/exception.jsp</location></error-page>
      <security-constraint>
        <display-name>SecurityConstraint</display-name>
        <web-resource-collection>
          <web-resource-name>WRCollection</web-resource-name>
          <url-pattern>/participant/*</url-pattern>
          <url-pattern>/assetmodel/*</url-pattern>
          <url-pattern>/*</url-pattern>
          <http-method>POST</http-method>
          <http-method>GET</http-method>
        </web-resource-collection>
        <auth-constraint>
          <role-name>asadmin</role-name>
          <role-name>cvbdataentry</role-name>
          <role-name>cvbadmin</role-name>
        </auth-constraint>
        <user-data-constraint>
          <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
      </security-constraint>
      <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>ldap</realm-name>
        <form-login-config>
          <form-login-page>/login.jsp</form-login-page>
          <form-error-page>/loginFail.jsp</form-error-page>
        </form-login-config>
      </login-config>
      <security-role><role-name>asadmin</role-name></security-role>
      <security-role><role-name>cvbdataentry</role-name></security-role>
      <security-role><role-name>cvbadmin</role-name></security-role>
      <security-role><role-name>customer</role-name></security-role>
      <security-role><role-name>accountant</role-name></security-role>
      <security-role><role-name>participant</role-name></security-role>
      <ejb-local-ref>
        <ejb-ref-name>ejb/DataAccessBean</ejb-ref-name>
        <ejb-ref-type>Session</ejb-ref-type>
        <local-home>com.deerteck.cvb.ejb.session.DataAccessLocalHome</local-home>
        <local>com.deerteck.cvb.ejb.session.DataAccessLocalObject</local>
        <ejb-link>ejb-jar-ic1.jar#DataAccessBean</ejb-link>
      </ejb-local-ref>
      <ejb-local-ref>
        <ejb-ref-name>ejb/LDAPBean</ejb-ref-name>
        <ejb-ref-type>Session</ejb-ref-type>
        <local-home>com.deerteck.cvb.ejb.session.LDAPLocalHome</local-home>
        <local>com.deerteck.cvb.ejb.session.LDAPLocalObject</local>
        <ejb-link>ejb-jar-ic1.jar#LDAPBean</ejb-link>
      </ejb-local-ref>
    </web-app>
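As an added example, not part of the original post, this Python script audits a descriptor like the one above: for each <security-constraint> it reports whether the transport guarantee is CONFIDENTIAL and whether explicit <http-method> elements are present, which under Servlet 2.4 semantics narrow the constraint to the listed methods only, so requests using other methods are not covered by that constraint. The embedded descriptor is a constructed, shortened copy of the one posted.

```python
"""Audit web.xml security constraints for transport guarantee and method coverage.

Added example (not from the original post).  Parses a Servlet 2.4 deployment
descriptor and reports, per <security-constraint>, the constrained URL patterns,
whether a CONFIDENTIAL transport guarantee is declared, and whether an explicit
<http-method> list limits the constraint to only those methods.
"""
import xml.etree.ElementTree as ET

NS = {"j2ee": "http://java.sun.com/xml/ns/j2ee"}

# Constructed, shortened copy of the posted descriptor plus one extra
# constraint with no user-data-constraint, to show both audit findings.
SAMPLE_WEB_XML = """<?xml version='1.0' encoding='UTF-8'?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <security-constraint>
    <display-name>SecurityConstraint</display-name>
    <web-resource-collection>
      <web-resource-name>WRCollection</web-resource-name>
      <url-pattern>/participant/*</url-pattern>
      <url-pattern>/assetmodel/*</url-pattern>
      <url-pattern>/*</url-pattern>
      <http-method>POST</http-method>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>cvbadmin</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <security-constraint>
    <display-name>PublicPages</display-name>
    <web-resource-collection>
      <web-resource-name>Public</web-resource-name>
      <url-pattern>/login.jsp</url-pattern>
    </web-resource-collection>
  </security-constraint>
</web-app>
"""


def _texts(parent, tag):
    """Text of every direct child <tag> in the j2ee namespace."""
    return [e.text.strip() for e in parent.findall(f"j2ee:{tag}", NS) if e.text]


def audit_constraints(web_xml: str):
    """Return one finding dict per <security-constraint> in the descriptor."""
    root = ET.fromstring(web_xml)
    findings = []
    for sc in root.findall("j2ee:security-constraint", NS):
        name = (_texts(sc, "display-name") or ["<unnamed>"])[0]
        patterns, methods = [], []
        for wrc in sc.findall("j2ee:web-resource-collection", NS):
            patterns += _texts(wrc, "url-pattern")
            methods += _texts(wrc, "http-method")
        guarantee = "NONE"  # Servlet default when no user-data-constraint is given
        udc = sc.find("j2ee:user-data-constraint", NS)
        if udc is not None:
            guarantee = (_texts(udc, "transport-guarantee") or ["NONE"])[0]
        roles = []
        for ac in sc.findall("j2ee:auth-constraint", NS):
            roles += _texts(ac, "role-name")
        findings.append({
            "name": name,
            "patterns": patterns,
            "confidential": guarantee == "CONFIDENTIAL",
            # A non-empty method list means only those methods are constrained.
            "partial_methods": bool(methods),
            "methods": methods,
            "roles": roles,
        })
    return findings


def problems(web_xml: str):
    """Human-readable issues a reviewer would raise against the descriptor."""
    out = []
    for f in audit_constraints(web_xml):
        if not f["confidential"]:
            out.append(f"{f['name']}: no CONFIDENTIAL transport guarantee for {f['patterns']}")
        if f["partial_methods"]:
            out.append(f"{f['name']}: constraint applies only to {f['methods']}; "
                       "other HTTP methods are not covered by it")
    return out


if __name__ == "__main__":
    for line in problems(SAMPLE_WEB_XML):
        print(line)
```

Run it against the real web.xml of each WAR before and after a redeploy to confirm the constraint that reaches the server is the one you expect, independent of what deploytool displays.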

  • TS1702 I forgot security required 3 questions and answers.

    I forgot my security required 3 questions and answers.
    So I don't buy the app.
    Please check it out.

    I want to buy the app for iPad.
    But I don't buy it because I forgot my password and your secured required questions and answers.
    I changed my password successfully. But I don't know
    your secured required questions and answers.
    I want to buy the apps.

  • Security Requirements Template for BOE XI3.1

    I'm looking for the "Security Requirements Template" document, a template that can be used to setup a content plan in BOE XI3.1.
    It is an Excel document, that shows by application the possible rights.

    Hans - you're probably referring to Dwayne Hoffpauir's 2008 GBN User Conference presentation - it's really helped me set up our security for XI 3.1.
    http://www.forumtopics.com/busobj/viewtopic.php?t=119849&highlight=mere+mortals

  • Security requirements to upgrade Master Data Services Database

    What are the security requirements to upgrade an MDS database? When I choose Upgrade Database and after running the upgrade scripts I get the following exception:
    Microsoft.MasterDataServices.Configuration.ConfigurationException: The user does not have access to the application. 

    Hi RicardoMarques182,
    Did the error happen right after the upgrade was done and you were trying to open the Master Data Services (MDS) application? Could you please help by posting the full (more detailed) error message?
    Just per the general error message, please ensure the current login user has at least the Explorer function permission:
    http://msdn.microsoft.com/en-us/library/ff487017.aspx
    Thanks,
    Jinchun Chen

  • Security requirements?

    Consider the Police Case study and identify 3 security requirements. For each of these security requirements:
    • Discuss the necessity for the feature and how it will be implemented;
    • Implement code for your security feature;
    • Demonstrate, discuss, testing of the security feature.
    What types of security features are available on Oracle? I found sql to sql and access grant/revoke.....but I do not understand what sql to sql does?
    need help

    See the Oracle Security documentation :
    Either the 2-Day Guide at http://download.oracle.com/docs/cd/E11882_01/server.112/e10575/toc.htm
    Or the more detailed Guide at http://download.oracle.com/docs/cd/E11882_01/network.112/e16543/toc.htm
    Hemant K Chitale

  • Failures with windows security requirements and binaries installed

    We are in the process of getting our application certified for Windows Server 2012 for Gold certification and running into the following 2 issues:
    1. Failure for "Applications must comply with Windows security requirements".
    Looks like the MPR tool is trying to scan some .log files and .xml files when the test is running and these are being used/locked by the application at that time. So these are listed under "Checks that didn't complete". Attached is a screenshot of this.
    2. Failure for "Were any binaries installed for this Component"
    This is the log message for "No binaries were detected as installed". Ours is a Java app and Java binaries are the only executables.
    ======================================================================
    Log generated by Microsoft Platform Ready Test Tool - Version 4.1.0.0 | Signed: Tuesday, March 26, 2013
    ======================================================================
    Test name: PPSS 3.23 Gold
    Test date: 05/01/2013 13:11:54
    Tested on: Virtual Machine on Microsoft Windows Server 2012 Hyper-V
    Test for: Windows Server 2012
    ======================================================================
    Test case/Verification: 11.1.1 - Check if application installed binaries
    ======================================================================
            To pass this test, binaries must have been installed for this Component by a method tester identified in the ‘Setup Information’ screen.
    To validate an actual test was conducted, a waiver must be filed.
    The Windows Server Logo Program requires a complete but brief, technically detailed explanation of the application/solution, installation method, and hosted platform (ex: IIS, SharePoint, etc.).
    Document any client components, besides Internet Explorer. ISV client components must also be tested with MPR Tool, on either Client or Server OS concurrently.
    Waiver link may be found on MPR Tool or on Windows Server Logo Program website.
    ======================================================================
    Result: No binaries were detected as installed.
    05/01/2013 13:11:54 :: 
    ======================================================================
    05/01/2013 13:11:54 :: Note: The files below were excluded from this test
    ======================================================================
    C:\Windows\Installer\cce9a8.msi
    ======================================================================
    Test case/Verification: 11.1.1 - Check if application installed binaries
    05/01/2013 13:11:54 End of Log.
    ======================================================================
    QUESTIONS:
    How can we resolve these issues?
    Is passing these 2 failures mandatory in order to get certified?
    Can we file a waiver for these? 
    Thanks,
    Neeha.

    Update: We were not giving the right installation directory and corrected that.
    After changing the installation directory, we end up with these 2 failures:
    Log message for Binaries installed is below. As mentioned in the message above, ours is a Java application that does not have any binaries installed.
    Can we submit a waiver for this?
    =====================================================================
    Log generated by Microsoft Platform Ready Test Tool - Version 4.1.0.0 | Signed: Tuesday, March 26, 2013
    ======================================================================
    Test name: PPSS 3.23 Gold Certification
    Test date: 05/06/2013 12:56:03
    Tested on: Virtual Machine on Microsoft Windows Server 2012 Hyper-V
    Test for: Windows Server 2012
    ======================================================================
    Test case/Verification: 11.1.1 - Check if application installed binaries
    ======================================================================
            To pass this test, binaries must have been installed for this Component by a method tester identified in the ‘Setup Information’ screen.
    To validate an actual test was conducted, a waiver must be filed.
    The Windows Server Logo Program requires a complete but brief, technically detailed explanation of the application/solution, installation method, and hosted platform (ex: IIS, SharePoint, etc.).
    Document any client components, besides Internet Explorer. ISV client components must also be tested with MPR Tool, on either Client or Server OS concurrently.
    Waiver link may be found on MPR Tool or on Windows Server Logo Program website.
    ======================================================================
    Result: No binaries were detected as installed.
    05/06/2013 12:56:03 :: 
    ======================================================================
    05/06/2013 12:56:03 :: Note: The files below were excluded from this test
    ======================================================================
    C:\Windows\Installer\1ab2aa62.msi
    ======================================================================
    Test case/Verification: 11.1.1 - Check if application installed binaries
    05/06/2013 12:56:03 End of Log.
    ======================================================================
    Log message for executables installed is below. Is a waiver needed for this? The highlighted part of the log message talks about not needing a waiver for the optional test. Is it talking about 3rd party binaries alone?
    ======================================================================
    Log generated by Microsoft Platform Ready Test Tool - Version 4.1.0.0 | Signed: Tuesday, March 26, 2013
    ======================================================================
    Test name: PPSS 3.23 Gold Certification
    Test date: 05/06/2013 12:56:00
    Tested on: Virtual Machine on Microsoft Windows Server 2012 Hyper-V
    Test for: Windows Server 2012
    ======================================================================
    Test case/Verification: TC2.3 - All binaries and installers must be Authenticode signed
    ======================================================================
     Authenticode sign all setup files and binaries installed by the application.
     Binaries not built by product group or company can be considered 3rd party.
     3rd party binaries without valid signatures will fail this test case. No waiver is required for this optional test case.
    ======================================================================
    05/06/2013 12:56:00 :: Binary list
    No binary found for verification.
    05/06/2013 12:56:00 :: 
    List of installers that failed signature verification: 
    C:\ppss_323_installer\install_PPSS_3_23_0\setup.exe
    ======================================================================
    Note: The files below were excluded from this test
    ======================================================================
    C:\Windows\Installer\1ab2aa62.msi
    ======================================================================
    No executable files were detected as installed during test.
    Microsoft Platform Ready Test Tool requires that your application physically installs executable files on this Computer.
    ======================================================================
    Test case/Verification: TC2.3 - All binaries and installers must be Authenticode signed
    05/06/2013 12:56:03 End of Log.
    ======================================================================
    Any help of guidance in addressing these 2 issues will be great.
    Thanks,
    Neeha.

  • Is internet security required to keep my email from being hacked?

    Is any type of Internet Security required to keep my email from being hacked?

    No, not needed for a non-jailbroken Apple device.

  • MDM Security

    Is it possible to maintain MDM Security using Automator?
    For example:
    1. Manually create Access Node Group
    2. Manually assign users to Access Node Groups
    3. Upload Access Node Groups security using Automator
    I've tried to upload the file below but Automator failed with the message:
    "Property MDM_ORAReadLF is not defined", but the property exists under the Access Leaf tab for the ACCOUNTS hierarchy.
    Automator file sample:
    UpdateHierPropValue,ORACLE_CURRENT,ACCOUNTS,MDM_ORARead (Leaf),Read
    Thanks
    Dragomir Pejic

    Hello,
    Great question -- I have never tried that before -- perhaps using the ChangeProp Automator parameter it is possible?
    Please let me know if you get it to work.
    Thanks,
    todd rebner
    http://www.advancedepm.com/

  • ISE integration with Mobile Device Management ( MDM ) help required

    Dear Techies,
    I am here to bring to your notice a different issue, with not many resources to support it even in PEC or Cisco documentation.
    We are conducting a Proof of Concept (PoC) on Secure Bring Your Own Device (BYOD) using Cisco ISE and are going to test all the scenarios like Wired, Wireless and VPN user access.
    Setup Brief :
    =========
    Our setup has an ISE VM acting as Admin, Monitor and Profiling device; we have a NAC 3315 physical appliance as Inline Posture device, a Wireless LAN Controller, an Access Point, and Microsoft Active Directory as the identity source.
    We also have plans to integrate Mobile Device Management (MDM) and a Citrix VDI setup.
    Activity Brief:
    =========
    As of now we have tested the Wired scenario authentication and authorization for guest users and are going to carry out the profiling and posture.
    Clarifications Required
    ================
    Wired Scenario - Require some configuration / steps on how to carry out posture for the guest wired users, i.e. laptops.
    Wireless Scenario
    Can MDM be integrated with ISE?
    How can MDM be integrated with Cisco ISE? Is there a configuration or guide that shows this?
    What is the demarcation between MDM and ISE (i.e. what is the role of ISE and of MDM on mobile devices)?
    If MDM is available, then where does the control of ISE end: does MDM do the management of the devices, or does ISE?
    Will MDM do the client provisioning, or should ISE?
    Does MDM send or update patches on mobile devices?
    As of now these are the scenarios; kindly revert if there are any good documents showing this, or share your expertise on the integration part.
    Thanks for Reading...
    Arun

    I would like to avail of your valuable inputs to understand the client provisioning part for mobile devices/laptops. I understand from your reply that MDM integration is not available in the current release ISE 1.1 - That is correct.
    Kindly let me know your views or any documents on the following scenarios, with the current release in mind.
    1. Users with mobile devices connecting to Wireless (both Employee and Guest). How does the flow differ for the Employee and the Guest? How is the client provisioning done (i.e. posturing or compliance check)?
    The posturing and compliance check is done based on the user authentication information (i.e. AD memberOf vs Guest user) combined with the user's endpoint (Windows, Mac OS X, or a mobile device); ISE then has a few decisions to make based on the authorization policies. For example, if a Domain User coming from a Windows 7 machine joins the network, they can either use the NAC agent or the web agent. Then you can scan for registry settings, file settings, program requirements, hotfix compliance... and the list goes on. If the user fails a check then you can either assign an ACL for the user so they only have guest access, or you can place them into a remediation VLAN; the options are entirely up to the requirements and however the solution is implemented.
    2. Users with laptops connecting to Wireless (both Employee and Guest). How is the client provisioning done (i.e. posturing or compliance check)?
    Guests are usually redirected to the guest portal where they authenticate, and their user group falls within the Guest container that is on the ISE internal database; that is usually coupled with an authorization profile that grants them internet access. For the client provisioning, that is usually done based on the operating system, via profiling (DHCP, user agent string, nmap, etc.) and can be fine tuned for all laptops or for a specific set of users based on their group membership.
    3. What are the advantages of having ISE also in place for mobile devices, since most of the mobile related tasks (like Authentication, Authorization, Profiling and Posture) are carried out by MDM? I am checking for the significant advantage of having ISE for a client network having only mobile devices. Kindly clarify.
    Currently the advantage of Cisco ISE is that it supports profiling within wireless and really fits well within a network that has mostly Cisco products, since they are all part of the Borderless security initiative being driven on the backend. The product teams for wireless, wired, security (VPN, etc.) and ISE are pretty close in building their solutions so that you can get connected with any device anywhere (sorry for the sales pitch). The latest wireless code is improving and is going to have support similar to the IOS sensor for wired devices, where DHCP, CDP, and other attributes can be sent in the RADIUS packet for better profiling decisions. With integration for an MDM platform coming soon, and also support for TACACS rumored (have to verify with your account rep), you have options that really stand out from a unit that only supports MDM. Cisco ISE also comes with a wireless product ID, so that makes the budget work when it comes to deploying ISE if you aren't looking for enforcement on your wired devices.
    4. Do you recommend 802.1X authentication for the Employee and Contractor, and open authentication for the Guest user?
    For internal users and vendors the best option by far is dot1x; almost all operating systems are capable of performing dot1x, and the 1.1.1 MR now has a piece that can provision the supplicant for the users, by using SCEP to enroll certificates or configure PEAP settings.
    There is a feature within the guest portal that allows you to statically assign guests into an endpoint group; that feature is called device registration web authentication. It seems like an open network but uses MAC filtering to assign these devices to an endpoint group without requiring users to enter any credentials. They are presented with an AUP page; once they accept, their MAC address is mapped to the endpoint group.
    5. How can we ensure the encryption of traffic from the Guest user to the NAD (Network Access Devices)?
    This may be a wireless question, but I am sure the encryption is done using AES with dot1x as the key management; here is a brief background for this - http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00807f42e9.shtml#L2
    You can also use the AnyConnect client, which can provide MACsec, which is layer 2 encryption for wired - http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/qa_c67-622477_ns1049_Networking_Solutions_Q_and_A.html
    6. We are also looking for a VDI (Citrix, VMware) solution for the client (both Employee and Guest); how can ISE play a role in securing the VDI environment?
    For most thin clients you can perform dot1x authentication on the device itself; however, that is something the manufacturer will have to support. This is a little gray for me.
    7. Is any integration required with Citrix or VMware? How can the VDI be offered based on the user role (i.e. Employee, Contractor or Guest)? Since the Guest database is available only in ISE, how are the checks made from the VDI environment?
    In ISE there is an identity sequence which can authenticate users in AD first; if the user is not found then it can look in the internal database.
    Our solution demands MDM in the integrated solution. As of today ISE can't be integrated with MDM, so what kind of solution can we propose to have MDM and Cisco ISE? Do the clients that now enter the network need to have the MDM agent already installed, or is there any other way of pushing the same to the client?
    Today there is no integration between the devices; the last release time I heard was December for this feature. However, it would be best to confirm with your Cisco account rep on this issue.
    Thanks,
    Tarik Admani
    *Please rate helpful posts*

  • MDM Security for taxonomy attributes

    Hi,
    I have created a taxonomy and linked attributes to it in MDM 5.5 SP6. I do not want users to populate or change the attribute values in Data Manager after they have assigned a part to a taxonomy node. That will be done with xml via Import Server.
    I see that I can set Change Tracking on Taxonomy[Attributes], but I don't see any way in the Roles - Functions/Tables and Fields or in the Configuration options in Data Manager to allow users to see the attributes and their values but not change the values.
    thanks!
    Morgan Hinkle

    Hi Morgan,
    Is there any way to allow them to set the taxonomy node per part, but not modify the associated attributes?
    Yes, this is possible for a user in taxonomy mode of Data Manager.
    Go to Console, Open Repository> Admin>Roles>Functions>Taxonomies-->Modify linked Attributes.
    So you need to navigate up to Modify Linked Attributes and set Access as None. Set this role only for that particular user who is not allowed to change linked (associated) attributes with a category in taxonomy mode. You can also set Add Attributes and Modify Attributes access to None for that user as per your requirement.
    Note: This function is applicable when that user selects the Category table as the current table in Taxonomy mode of Data Manager. This is working fine at my end. But if you are talking about these taxonomy-associated attributes not being changed by the user from the main table record for that specific user (I mean a record in the main table is associated with a category where this category is linked with some attributes, and you want no user to be able to change these attribute values in the main table), then as per my understanding this is not possible, because as designed, every action done within a Taxonomy node (add, update, remove) is considered to be an update to the main record; thus it has only one entry in the Roles >> Tables and Fields tab (which is the Taxonomy lookup field of the main table). I firmly believe that MDM does not support this functionality as of now.
    Check for similar reply from SAP for Qualified table in below thread.
    Data Manager Security on qualified table
    Regards,
    Mandeep Saini

  • Security requirements on sender mail adapter

    I have set up a sender mail adapter to fetch the email with attachment from MS exchange mail server. The sender mail adapter can process the attachment well and convert it to XML format. Now I have a new requirement to determine if the email comes from a particular user. I can see the FROM field in the payload "MailMessage" But I don't know how to get the value of this field. Any idea on how to set up the message mapping? Thanks in advance.

    Before the sender mail adapter processes the attachment in the email, it needs to determine that the email is actually from the business user, not someone else on the server. Because everyone can send email to the email address the mail adapter connects to, that is where this security issue comes from.
    Basically when you fetch an email with an attachment, in sxi_monitor you can see two fields in the payload: one is MailMessage and the other is MailAttachment-1. In the MailMessage, you can see all the email header fields, such as From, To, Subject, Content etc. I need to check if the FROM field is an email address we allow. That is the basic requirement. Let me know if you want me to explain it further.
    Edited by: Bai Li on Dec 23, 2010 6:02 AM
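The allow-list check the thread asks for, as an added example (not SAP code and not the poster's mapping): it reads the From header out of a MailMessage-style payload and accepts only exact matches. The payload below is constructed for the example, and its element names and namespace are assumptions; the From header is sender-controlled, so this check is a filter on who the adapter processes mail for, not proof of the sender's identity.

```python
"""Allow-list check on the From header of a fetched mail payload.

Added example: the element names and the namespace of the sample payload
are assumptions modelled on the header fields named in the thread
(From, To, Subject, Content); adapt them to what sxi_monitor shows.
"""
import re
import xml.etree.ElementTree as ET
from typing import Optional

# Constructed sample payload (not captured from a real system).
SAMPLE_MAILMESSAGE = """<?xml version="1.0"?>
<ns:Mail xmlns:ns="http://sap.com/xi/XI/Mail/30">
  <Subject>Daily order file</Subject>
  <From>Orders Desk &lt;orders.desk@example.com&gt;</From>
  <To>pi.inbound@example.com</To>
  <Content>see attachment</Content>
</ns:Mail>
"""

# Business users whose mail may be processed (constructed values).
ALLOWED_SENDERS = {"orders.desk@example.com", "finance@example.com"}

# Address inside angle brackets, e.g. "Display Name <user@host>".
_ADDR_RE = re.compile(r"<([^<>]+)>")


def extract_from_address(payload_xml: str) -> Optional[str]:
    """Return the bare, lower-cased address from the From header, or None.

    The namespace prefix is stripped so the lookup works whatever prefix
    the adapter uses. When a display name is present, only the address in
    angle brackets counts: a display name that *looks like* an allowed
    address ("orders.desk@example.com <outsider@...>") must not pass.
    """
    root = ET.fromstring(payload_xml)
    for elem in root.iter():
        local_name = elem.tag.rsplit("}", 1)[-1]
        if local_name.lower() == "from" and elem.text:
            raw = elem.text.strip()
            match = _ADDR_RE.search(raw)
            return (match.group(1) if match else raw).strip().lower()
    return None


def sender_allowed(payload_xml: str, allowed=ALLOWED_SENDERS) -> bool:
    """True only if a From header is present and exactly matches the list."""
    address = extract_from_address(payload_xml)
    if address is None:
        return False  # missing header: do not process the attachment
    return address in {a.lower() for a in allowed}


if __name__ == "__main__":
    print("allowed" if sender_allowed(SAMPLE_MAILMESSAGE) else "rejected")
```

Because From can be forged by anyone who can reach the mailbox, the mail server's own sender checks (SPF/DKIM at Exchange) should back this up; the mapping-level check only narrows which mail the adapter accepts.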

  • Security requirements ....Urgent

    Hi All
    I am preparing some proofs of concept; please provide me more information on the following questions.
    1. Can organization structure/position-based security be incorporated into the roles?
    2. Report Distribution - Report split into separate reports for individual groups without having to maintain multiple reports.
    3. Data is encrypted
    4. Meets auditing and compliance requirements
    5. Reliability (in the sense of SAP software)
    6. Scalability (in the sense of SAP software)
    7. Administration (in the sense of SAP software)
    8. Provide development tools and SDK to integrate into business processes and other applications. (Category: Development)
    Please provide me help.sap.com links if you think that would be the best answer.

    Any ideas?

  • MDM Security role issue

    Hi ALL
    I have created a new MDM role for combined Basis & security purposes. The role works fine when tested for creating users & roles & some Basis activities. It has full access to Basis activities & read-only access to other activities outside of Basis.
    The problem I face is: when the user clicks on any of the nodes other than the Basis area & selects "create a new record", the user gets a Not authorized message. But even upon cancelling the activity, the user can't get back to the Basis area, because the NO AUTHORIZATION message comes back upon clicking on any area.
    The only solution I see here is that the user should close the MDM client console & then log in again to the server & repository.
    Do you know how I can get back to the Basis activity without closing the MDM console & work normally?
    regards
    Naveen Murthy

    Somehow, can you revisit the assignments?
    Can you go to SUIM and determine which tcodes are executable for the role assigned and the user?
    Edited by: george G on Apr 30, 2008 6:35 PM
