Multiple Access Policies

I have the WRT54G2 and am trying to set up multiple access policies but am having trouble. Basically I want to restrict my kids' devices from access at night during the week and allow access later during the weekends.
I have the policies set up as:
Policy 1: Su, M, Tu, W, Th allow 7am to 10:30pm (2 MAC addresses)
Policy 2: Fri, Sat allow 24 hours (same 2 MAC addresses)
The first policy works just fine, stopping access at 10:30. However, access is denied on Friday and Saturday, the second policy never seeming to kick in.
I've tried multiple configurations to no effect. For example, adding Friday and Saturday to the first policy (which allows access until 10:30 of course). I also tried having the second policy start at 10:30pm (and earlier) and ending just before midnight.
What am I doing wrong here?
Thanks.

Try to design your policies to 'deny' the time slots during which you don't want your kids to have access.
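The deny-based design suggested in the reply, worked through as an added example (not part of the original posts): it takes the allow windows from the question and computes the complementary deny windows, grouped by day. The day labels, the dictionary layout and the `24:00` end-of-day value are assumptions made for illustration; the router's own time picker may require a different end value.

```python
from collections import defaultdict

# Day labels as written in the question.
DAYS = ["Su", "M", "Tu", "W", "Th", "Fri", "Sat"]
DAY_MINUTES = 24 * 60


def to_min(hhmm):
    """'22:30' -> 1350 minutes since midnight ('24:00' -> 1440)."""
    hours, minutes = hhmm.split(":")
    return int(hours) * 60 + int(minutes)


def to_hhmm(minutes):
    return f"{minutes // 60:02d}:{minutes % 60:02d}"


def deny_windows(allowed):
    """Complement of one day's allowed windows within 00:00-24:00.

    Overlapping or unsorted allow windows are handled; an empty list
    means the whole day is denied.
    """
    spans = sorted((to_min(a), to_min(b)) for a, b in allowed)
    denied, cursor = [], 0
    for start, end in spans:
        if start > cursor:
            denied.append((cursor, start))
        cursor = max(cursor, end)
    if cursor < DAY_MINUTES:
        denied.append((cursor, DAY_MINUTES))
    return denied


def build_deny_policies(allow_schedule):
    """Turn per-day allow windows into deny policies, one per distinct window.

    Each window stays inside a single day, so no policy has to span midnight.
    """
    by_window = defaultdict(list)
    for day in DAYS:
        for window in deny_windows(allow_schedule.get(day, [])):
            by_window[window].append(day)
    return [
        {"days": days, "deny_from": to_hhmm(start), "deny_to": to_hhmm(end)}
        for (start, end), days in sorted(by_window.items())
    ]


# Constructed from the question: weekdays 7am-10:30pm, Fri/Sat all day.
ALLOW = {day: [("07:00", "22:30")] for day in ["Su", "M", "Tu", "W", "Th"]}
ALLOW.update({day: [("00:00", "24:00")] for day in ["Fri", "Sat"]})

if __name__ == "__main__":
    for number, policy in enumerate(build_deny_policies(ALLOW), start=1):
        print(f"Policy {number}: {', '.join(policy['days'])} "
              f"deny {policy['deny_from']} to {policy['deny_to']}")
```

Friday and Saturday produce no deny window at all, so no second policy has to "kick in" on those days.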

Similar Messages

  • Security exception when provisioning using multiple access policies

    We have upgraded our eDirectory connector to version 9.0.4.12. When provisioning manually all process tasks work correctly. However, when provisioning through an access policy or multiple access policies, once the edirectory Create User task runs it creates a security exception and all other connectors fail to provision until retried. We have set the system config parameter of Access Policy Multiple Resource Enhancement to TRUE and we have set the account discriminator in the process form to Server. Why would it fail?

    I have the same problem. Have you solved your problem, if so please let me know what the solution is.
    Einar �rn

  • Belong to Multiple Access Policies

    Hello,
    I am curious about everyone else's experience with access policies being maintained by groups, and some users belonging to multiple groups and multiple access policies. Example:
    John Doe belongs to group1 and group2
    Order
    1
    AccessPolicyA
           Selected groups: group1
           Blocks access to URL xyz.com
    2
    AccessPolicyB
           Selected groups: group2
           Allows access to URL xyz.com
    Will the WSA check all access policies that John Doe authenticates to? Or will it stop and use the first access policy that he hits, in this example AccessPolicyA?

    It is a bit of a hassle, but we had to reorder our access policies thinking in a top down approach as well.
    Also you can create AD global security groups specifically for Internet access if you'd like. Prefix it with something that makes sense so they are all together in AD. We use IG- (IG stands for Internet Group). So we have AD groups called IG-RestrictedInternet or IG-SocialMedia.
    If you're in Restricted Internet, you're totally restricted except for a few sites we allow. If you're not in a group you have general internet access except for time-wasting stuff like Facebook. If you're in IG-SocialMedia then you have all the general internet access PLUS social media like Facebook, LinkedIn, etc... This is usually given to marketing or HR people.
    So while annoying, there are ways to think about how to handle this. I can see your point: say you are a manager of the marketing department. Well, you might be in an AD group for marketing as well as an AD group for management. In this case our Management policy would come above the marketing policy. So if you're not doing specific groups then you can just order them by employee position hierarchy with usually management / HR on top.
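The John Doe scenario from this thread, as an added example that is not part of the original posts: a simplified model of ordered policies, assuming the top-down, first-match evaluation the reply describes, plus an audit that lists users whose verdict depends on policy order. The policy and group names come from the question; the extra users, the `DEFAULT_ACTION` fallback and all function names are hypothetical.

```python
# Simplified model of ordered, first-match access policies. This is an
# assumption about evaluation order for illustration, not vendor code.
POLICIES = [
    {"name": "AccessPolicyA", "groups": {"group1"}, "urls": {"xyz.com": "block"}},
    {"name": "AccessPolicyB", "groups": {"group2"}, "urls": {"xyz.com": "allow"}},
]

# Constructed sample directory data; only John Doe appears in the post.
USERS = {
    "John Doe": {"group1", "group2"},
    "Constructed User 1": {"group1"},
    "Constructed User 2": {"group2"},
}

# Hypothetical fallback when no policy matches or the URL is not listed.
DEFAULT_ACTION = "allow"


def matching_policies(policies, user_groups):
    """Policies whose selected groups include any of the user's groups, in order."""
    return [p for p in policies if p["groups"] & user_groups]


def decide(policies, user_groups, url):
    """First match wins: only the first matching policy is consulted."""
    hits = matching_policies(policies, user_groups)
    if not hits:
        return None, DEFAULT_ACTION
    first = hits[0]
    return first["name"], first["urls"].get(url, DEFAULT_ACTION)


def order_sensitive(policies, users, url):
    """Users who match several policies that disagree about `url`.

    For these users the verdict changes if the policies are reordered,
    so the ordering needs a deliberate decision.
    """
    findings = {}
    for user, groups in sorted(users.items()):
        hits = matching_policies(policies, groups)
        verdicts = {p["name"]: p["urls"].get(url, DEFAULT_ACTION) for p in hits}
        if len(set(verdicts.values())) < 2:
            continue
        winner, action = decide(policies, groups, url)
        findings[user] = {
            "effective": (winner, action),
            "shadowed": [name for name, v in verdicts.items() if v != action],
        }
    return findings


if __name__ == "__main__":
    print(decide(POLICIES, USERS["John Doe"], "xyz.com"))
    print(decide(list(reversed(POLICIES)), USERS["John Doe"], "xyz.com"))
    print(order_sensitive(POLICIES, USERS, "xyz.com"))
```

Running the audit against an export of real group memberships shows which users sit in overlapping groups before the policies are reordered.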

  • Problem with Access Policies (create multiple resources)

    I'm having a problem with Access Policies:
    The first policy must create a resource.
    And the following policies should create children on the resource.
    The problem here is that when policies will add the children, the resource is not provisioned yet.
    And then each one will create a resource but I just want one resource with the children.
    When the resource is already provisioned, the policies update this resource properly.
    How can I fix this?
    tks

    Ricardo,
    I had a similar problem. In a post-process handler I was managing the user membership in specific roles through the removeMemberUser and the addMemberUser of the tcGroupOperationsIntf class.
    The last parameter of this method was a boolean which, when true, would automatically trigger the access policies programmatically in the post-process.
    The problem is that there also is an OOTB event handler for triggering access policies, so I was basically triggering the access policies twice and duplicated resources were appearing.
    Hope this helps.
    Cheers

  • Provision a RO several times with one user using Access Policies

    Hello,
    we need to provision several Unix machines and for this purpose, we use only one resource object (SSH User). Additionally, we created an access policy for every machine:
    - Access Policy Unix Server 1
    - Access Policy Unix Server 2
    - Access Policy Unix Server N
    We created the following group in OIM: SSH Group.
    We set the policies in such a way that whenever a user is added to the SSH Group, the SSH User RO is provisioned with the user for every machine. We created several access policies, because the parameters of the form are different for every machine.
    The problem is that when a user is added to the SSH Group, the SSH User resource object is provisioned only once. It is provisioned by the access policy with the highest priority. We would like that the SSH User RO was provisioned by every access policy. That is, the user should have the SSH User RO provisioned N times, after adding it to the SSH Group.
    Is there any way to achieve this without creating a resource object for every Unix Machine? We need to provision more than 300 Unix machines and this would require a lot of time...
    Thank you for your help

    There are other options. You could create a child table to hold the IT Resource information, assuming all parent data is the same for every system. Then on the insert/delete to child table entries, you can provision and de-provision from that target. On disable/enable you would need to search through the child table and perform the action against all instances. The same for the other update tasks.
    This is the limitation of access policies. They manage a single resource object target instance. You could also code a generic resource that has child table entries. When an insert happens, you can use the APIs to provision an instance of the specific target with the provided details. Then you could create access policies to add entries to the child table, and each would provision the appropriate object, and deprovision too.
    Takes some custom code, but it's doable. Just remember though that they are all still the same resource object, so reporting would show them all, as well as attestation, as a single instance, with multiple provisioned to each user.
    Another option is to duplicate the work flow using find and replace in the XML and generate a unique workflow for each instance.
    -Kevin

  • OIM 9.1.0.2 - Access Policies issue

    Hi Gurus,
    I am facing a strange behavior in the Access Policies feature.
    When users are inactivated in OIM, they should be removed from the groups associated with the AP, but the groups remain associated and because of that the AP is triggered again, provisioning resources to the users.
    Has someone faced the issue?
    Brgds,
    Carlos

    What do all of your group membership rules look like? Are you sure your right side is the correct format? You can create a rule where Users.Status = "Active". Just need to make sure it's case sensitive so you'll want to check the database for existing values.
    -Kevin

  • Feature Request : provide a way to create access policies or identities with matching condition based on the HTTP header's "Referer" field

    Hello,
    I have a use-case I would like to share with you. When a customer configures its WSA with highly restrictive internet access like in the example below, it may trigger some issues :
    1- allow internet access only for URLs defined in whitelist.
    2- block ALL other requests.
    Let's take the following example :
    1- the customer only allow requests to www.siteA.com. siteA.com is the only URL included in its whitelist.
    2- www.siteA.com contains many embedded objects (such as facebook like tags, youtube videos, links to partners sites, ...)
    In this configuration, the end user will be allowed to reach siteA but the page will not be fully displayed. All the embedded objects not directly located on siteA will be missing.
    With WSA, the easiest way I can imagine to solve the issue is to list all the embedded objects present on siteA, get back their URLs and also add these URLs to the whitelist. But this solution is of course far from convenient since it requires knowing exactly how each HTTP page you want to consult is built.
    With other proxies, such as Bluecoat proxies or McAfee Web Gateway proxies for example, I used to solve this kind of issue by using the HTTP referer field (the URL you come from). For example with Bluecoat :
    <Proxy>
        ALLOW request.header.Referer.url.domain=//www.siteA.com/
    => All requested objects from siteA.com will be automatically allowed by the proxy, even if they are not part of my whitelist.
    - Do you have a better suggestion than the one I'm currently using with WSA (adding each site to the whitelist)?
    - Would it be possible to add the field HTTP referer as a matching condition for Identities and access policies in your next release ?
    Thanks in advance
    Best regards

    As far as I'm aware this functionality is still not available... would be an awesome feature to have, but could also be abused at the same time by a user writing their own "middleware" proxy and setting the referrer header to that allowed site..  could be done in like ~15 lines of perl / python.
    Either way... would still be a cool feature to have.

  • Is there any other way to achieve per user call forward restriction other than to create multiple voice policies?

    Hello,
    We mentioned the environment details below:
    Environment
    In our PBX environment, currently a user can forward calls to any local (within a region) internal extension. But for external PSTN call forwarding, a user needs to send a request and be approved by their manager. And the forwarding restriction is applied such that the user is only allowed to forward to that particular PSTN number - to prevent toll fraud.
    Moving forward to Lync, using voice policy's call forwarding and simultaneous ring PSTN usages, I can set it to allow forward and simultaneous ring to custom PSTN usage and a custom route that will only send calls to these pre-approved external numbers.
    Outcome
    But in such a scenario,
    - Since all the custom external allowed numbers will have to be put into a single Route match table, User A will be able to successfully set up call forward to User B's number. (if they come to know about it somehow, that is)
    - Route matching list will be very long due to the number of users per hubsite that has call forwarding enabled.
    Questions
    1. Is there any other way to achieve per user call forward restriction other than to create multiple voice policies? MSPL maybe?
    2. Is there a limit in the number of entries you can have on the Route pattern matching regex expression?
    Please advise. MANY THANKS.

    1) I think multiple policies may be your best bet, though it's not a fun one to manage, I agree.  MSPL could do it, but it would be more complex to maintain in the end.  Even gateways have limitations on routes.
    2) I'm not aware of a limit, though I'm not saying there isn't one.  But if you hit it, you could move to a second usage/route combo.
    I'd suggest building out some PowerShell usage/route creation/organization script for this so it's not something that would need to be maintained within the GUI.
    SWC Unified Communications
    This forum post is based upon my personal experience and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

  • ACS 5.2 NDG Locations not showing up in Access Policies

    When I add locations under Network Device Groups and then try and use them in my Access Policies they don't show up. It just says "No data to display". If I try and recreate them I get an error "Object you are trying to Create already exists." but it is blank. I can run an export and they show up in the CSV file but they don't show up anywhere on the GUI. I have deleted the file and recreated with the same result.
    I have been searching all over for anyone with a similar situation but have come up empty. Any thoughts?
    Regards,
    Andy

    I have recollections about two issues related to this:
    - If there are multiple attributes with the same name as the NDG. E.g. if you create a user attribute called "Locations" it can cause problems. Can be resolved by renaming the attribute
    - Could be issues if word "system" appears in NDG node name
    Not 100% sure for these (disclaimer) but wanted to mention in case it gives some pointers

  • Issue in OIM 11gR2Ps2 while provisioning using access policies

    Hi,
    We are provisioning resources using access policies, and we are facing an issue while provisioning a resource using two access policies. We are populating the main process form data using two access policies. According to the access policy priority, we are seeing the first access policy's form data value in the user process form, but the second access policy's value is not showing in the user process form. For example, we are populating process form fieldvalue1 using access policy1 and process form fieldvalue2 using access policy2.
    Thank you,

    Hi,
    we are facing issue in the following scenario
    we are provisioning a resource based on the user position through access policies. For example, a user position "contractor" satisfies two rules; based on the rules he will get two roles, these two roles trigger two access policies, and the two access policies give the same resource, for example "AD". In the AD main process form there are two lookups (lookup A, lookup B); we are giving the lookup A value in access policy1 and the lookup B value in access policy2. Whenever a user gets the AD resource through these roles, after provisioning when we see the user process form only the lookup A value is there and lookup B is empty. But I want to get both lookup A and lookup B values. What I observed was that, based on the priority, access policy values are coming to the user resource form; the next access policy's form values are not reflected in the user process form.
    Thanks,

  • New Xperia Z1 wifi problem 14.4.A.0.108 (Multiple access points)

    Hi,
    I recently got a replacement Xperia Z1. This phone was immediately updated to the latest firmware (ending with 108) so I do not know if this problem existed prior to the update.
    My problem is that the phone thinks it's still connected to a wireless network even when it's not, which prevents the phone from reconnecting when in range of a new network.
    When it's working it looks like this: (same signal strength in both the top bar and the settings)
    When it's not working it looks like this (different signal strengths when comparing the settings and the top bar)
    And I'm 15km away from my home network
    To make it work again I only have to turn off wifi and then turn it on again.
    This screen shows for about 10 seconds when the problem has occurred (instead of usually 1-2 seconds)
    I've already tried to reset and reinstall the firmware.  Is this a hardware error or has this something to do with the latest update?
    //Mikael

    An Update:
    I've found that this problem only occurs on networks with multiple Access Points and when the phone is switching from one AP to another.
    If the problem occurs the network stays "connected" even though I leave the area as described in my first post.
    Does this help? 
    I've tested on several networks.

  • E4200 Firmware 1.0.03 Parental Controls/ Internet Access Policies not kicking in.

    I have configured my e4200 to block traffic at certain times using both the Parental Controls and the Internet Access Policies.  Neither one seems to work though.  The traffic just keeps flowing.
    I have the following summary in my IAP:
    1    9toMidStoT          Deny    Sun, Mon, Tue, Wed, Thu    21:30 - 23:55
    2    midto6AMEveryday    Deny    Every Day                  00:00 - 06:00
    3    AllowDays           Allow   Every Day                  06:00 - 21:30
    4    Late                Allow   Fri, Sat                   21:30 - 23:55
    Each of the four rules is enabled.
    I have the same MAC addresses specified in each rule.  Initially I had only the first two rules.  Those didn't work, so I added rule 3 and 4 (they do the same thing as rules 1 and 2 but from the opposite direction).  There are no complaints, but they don't stop any traffic.
    I started with the Parental Controls, they didn't work either.  The page in there that lets you pick which machines you want to block seemed next to worthless.  I have about four rows listed as "Network Device."  REALLY LAME!  As the MAC addresses are accessible and these weren't working I went to the IAP.
    Does anyone else have this working?  Is this feature broken in 1.0.03?  I had it working in 1.0.01.
    Thanks!

    What happens when you set "block internet access" to always? I have also had weird experiences with this feature.
    For example, as I am typing this message, I have instructed the router to block all internet access on this computer (using parental controls), yet I am still able to visit this forum; although, other websites are blocked. I'll also try your rules and see what effect they have on my computer.
    I also agree with you about the annoying "network device" issue that happens when the router isn't able to identify the devices' hostnames. There are also devices that appear in that list, which I haven't seen in my DHCP table for a while.
    I don't work for Cisco. I'm just here to help.

  • How to Map OIA Provisioning policies to OIM Access Policies

    Hi,
    Access policies in OIM do not allow entitlements definition in them, such as defining the AD Groups that need to be attached to the account which would be provisioned on the target resource when the access policy gets triggered. These entitlements definitions in OIM are taken care of at the Process Form level, whereas in the case of OIA the Provisioning policies allow entitlements definition according to the resource type at the policy level. It would be of great help if you could help us in understanding how the import and export of access policy data between OIA and OIM would be feasible with these differences in place
    Secondly the access policies defined in OIM can contain resources belonging to different resource types unlike the OIA where we can create access policies only pertaining to the selected resource type, Kindly let us know how the Import and Export process would workout in this scenarios as well
    Appreciate your guidance and support
    Thanks
    Avinash

    Hi,
         Any helpful pointer on above mentioned scenario ?
    Thanks,
    RPB

  • Multiple access or multiple statement

    In our scenario we have multiple records coming from SAP and we have to INSERT into Database.
    We have modeled an XML-SQL jdbc document format in the target data type. There is one issue that we need to clarify here. This would be regarding the occurrence of the STATEMENT node vis-a-vis the ACCESS node. Two options which we have are:
    1)  Make the Statement unbounded and access as occurrence 1. Generate a new statement for each record and map the access for each record.
    2)  Make the Statement as 1..1, and make the ACCESS as 1..unbounded. The next step would be to generate the ACCESS node as many times as the number of records to be inserted.
    Is there a difference here? Or is there an advantage or disadvantage among the above two options?

    What is the difference between having the STATEMENT tab as unbounded or the access being unbounded.
    If you have only one table with one insert statement, then there is no need to create Statement and access node as unbounded. Its occurrence could be one. If there are multiple tables to be used, you should make occurrence of Statement as unbounded. Similarly in case of multiple insert on same table, you will have to create access node as unbounded.
    Would there be multiple database queries triggered on the database in case the STATEMENT is set to unbounded?
    Yes.
    Would a case with multiple ACCESS tags and one STATEMENT tag generate just one SQL statement?
    Both will generate multiple SQL statements. Statement will create altogether a new transaction.
    The problem with multiple access could be that either all insertion would be committed or all would be rolled back. And the problem with multiple Statement would be that each insert will act as a separate transaction which surely hampers performance.
    Regards,
    Prateek

  • ACS v5 best practice w/ access policies.

    Hello, I am in the process of deploying an ACS v5 appliance with 2 network devices talking through it to MS Active Directory via LDAP. It works great but I have a design question.
    Our current access policy has one AD group match, one AD attribute match, and network device type is valid. If those 3 items match then permit access. Pretty simple. But my question is specific to the network device type. Is it best practice to have one large access policy with different network device types OR have one access policy per device type?
    For example, let's say I have a 3000 series Concentrator and a 5500 series ASA and logging into the network via these devices I have the same IT support person and I am pulling the AD attribute msdialin=TRUE.
    One Access Policy
    1: IT Support memberOf=VPN User Allow Dial in=True Network Device=VPN 3000
    2: IT Support memberOf=VPN User Allow Dial in=True Network Device=ASA 5500
    Or have two Access Policies, one dedicated to each device type?
    Access Services
    >VPN 3000
    >Authorization
    1: IT Support memberOf=VPN User Allow Dial in=True
    Access Services
    >ASA 5500
    >Authorization
    1: IT Support memberOf=VPN User Allow Dial in=True
    Just not sure which way to go. Any help is greatly appreciated.
    e-
