Object Replication Security

Hey gang!
I'm building something using object replication and I'm worried about an attacker getting onto the netgroup and writing bad or malformed objects to peers.
Is there any way to prevent or mitigate such an attack?
Thanks,
Nick

1) Control to whom you give the groupspec, making sure only the "right" people have it.
2) Use a cryptographic hash algorithm such as SHA256 (ActionScript implementation available in the Flex SDK) to compute hashes of each indexed object's serialization (or contents, if the object is a ByteArray). Distribute a manifest/catalog of the hashes for all the indices. Whenever you receive a wanted object, compute its hash and compare it to the corresponding entry in the catalog. If it matches, record the object and add it to your "have" set; if it doesn't match, discard the object and re-"want" it.
For bonus points, for the "distribute the catalog" step, you could make the catalog object at a pre-arranged object replication index, such as 0. You would then "want" index 0, and once you receive it, you'd know what else to want and how to verify each object. If you distribute the catalog over an untrusted channel (such as object replication), you should also verify the catalog object's hash against what you know it should be (which you would have to obtain out-of-band).
For even more extra credit, you could include the hash of the catalog object in the name of the group itself, which is an easy way of implicitly linking the group and its object set and reducing the amount of information you need to communicate out-of-band about the replication set to one piece of information.
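The scheme in the reply above, worked through as an added example that is not from the original thread or from Adobe's NetGroup code: a catalog of SHA-256 hashes sits at index 0, the catalog's own hash is carried in the group name (the one out-of-band fact), and a receiving peer only moves an index from its "want" set to its "have" set when the hash matches; a tampered object is discarded and stays wanted. It is written in Python as a simulated exchange rather than against the Flash NetGroup API; the `vod-<hash>` group naming, the JSON manifest layout and the `on_fetch_result` handler name are assumptions standing in for the NetStatusEvent handler you would write in ActionScript.

```python
import hashlib
import json
from typing import Dict, List, Optional, Set

CATALOG_INDEX = 0       # pre-arranged replication index that carries the manifest
GROUP_PREFIX = "vod-"   # assumed naming convention: "<prefix><hex sha256 of catalog>"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_catalog(chunks: Dict[int, bytes]) -> bytes:
    """Serialize the manifest as JSON: replication index -> hex SHA-256 of that object."""
    manifest = {str(i): sha256_hex(data) for i, data in chunks.items()}
    return json.dumps(manifest, sort_keys=True).encode()


def group_name_for(catalog: bytes) -> str:
    """Bind the group to its object set by putting the catalog hash in the group name."""
    return GROUP_PREFIX + sha256_hex(catalog)


class VerifyingPeer:
    """A peer that only 'has' objects whose hash matches the verified catalog."""

    def __init__(self, group_name: str) -> None:
        # The only out-of-band fact the peer needs: the catalog hash, taken from the group name.
        self.expected_catalog_hash = group_name[len(GROUP_PREFIX):]
        self.catalog: Optional[Dict[int, str]] = None
        self.have: Dict[int, bytes] = {}
        self.want: Set[int] = {CATALOG_INDEX}   # start by wanting only the catalog
        self.rejected: List[int] = []

    def on_fetch_result(self, index: int, obj: bytes) -> bool:
        """Handle one received object (the equivalent of a Fetch.Result event).

        Returns True if the object was accepted into the have set, False if it was
        discarded; a discarded index stays in the want set so it gets requested again.
        """
        if index == CATALOG_INDEX:
            if sha256_hex(obj) != self.expected_catalog_hash:
                self.rejected.append(index)
                return False
            self.catalog = {int(k): v for k, v in json.loads(obj.decode()).items()}
            self.have[index] = obj
            self.want.discard(index)
            # The verified catalog tells us everything else to want.
            self.want.update(i for i in self.catalog if i not in self.have)
            return True
        if self.catalog is None or index not in self.catalog:
            # Nothing to verify against yet, or an index the manifest never listed.
            return False
        if sha256_hex(obj) != self.catalog[index]:
            self.rejected.append(index)
            return False
        self.have[index] = obj
        self.want.discard(index)
        return True


def simulate() -> VerifyingPeer:
    """Constructed exchange: an honest seed plus one tampered object from a bad neighbour."""
    chunks = {1: b"segment-one", 2: b"segment-two", 3: b"segment-three"}  # constructed data
    catalog = build_catalog(chunks)
    peer = VerifyingPeer(group_name_for(catalog))
    peer.on_fetch_result(CATALOG_INDEX, catalog)         # catalog arrives first and is verified
    peer.on_fetch_result(2, b"segment-two-TAMPERED")       # malformed object: rejected, still wanted
    for index, data in chunks.items():                     # honest copies fill the have set
        peer.on_fetch_result(index, data)
    return peer


if __name__ == "__main__":
    p = simulate()
    print("have:", sorted(p.have), "want:", sorted(p.want), "rejected:", p.rejected)
```

Because the want set is only reduced on a successful hash check, a peer that keeps feeding bad data can slow you down but cannot get a wrong object into your have set, and nothing you later serve to neighbours is unverified.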

Similar Messages

  • Object Level Security in OBIEE 11.1.1.5

    Hi All,
I am trying to implement object level security for certain groups. We have BI Apps 7.9.6.3 implemented, in which OBIEE 11.1.1.5 is integrated with EBS R12. Users are able to log in through different responsibilities to OBIEE. I need insight into how to implement object level security. Below are the steps which I have followed, but still I am facing strange issues, i.e. some users are able to see dashboards to which they have no access, with a view display error. I checked the dashboard permissions; they do not have access.
    1) Created application roles in OBIEE with the same responsibility names
    2) Grouped the application roles in different groups, i.e. if application roles a, b, c should have access to dashboard x then I made b and c members of a.
    3) Configured security in Manage Privileges and the catalog for these application roles, i.e. I used application role a mentioned in step 2 in Manage Privileges etc.
    4) Restarted the BI server and presentation servers.
    Are there any other steps which should be followed apart from the above mentioned steps? Do I have to make use of groups?
    Regards,
    Sandeep

    Sandeep Saini wrote:
I checked the inheritance. I did a lot of investigation but it is weird. My purpose of asking the question was to find out if there are any bugs in version 11.1.1.5; otherwise I didn't see any issues.
    There are a couple of bugs related to the issue, but I have checked that on 11.1.1.5.5 and it works as expected.
    Bug 13982971 : PERMISSIONS ON WEB CATALOG OBJECTS NOT APPLIED IMMEDIATELY
    In case you see anything like this -> QA:USER WITH NO ACCESS OVER A FOLDER IS ABLE TO RUN ANALYSIS REPORT CONTAINED then [Patch ID 15626966]
    1) I want to check if there are any components, i.e. BI server, presentation server or any other service, that should be started after creation of application roles. I started only the BI server after creating application roles.
    Any changes made to the application policies need a restart of the admin and managed servers; however, if you are not creating policies, just roles with similar names, an OPMN restart should be good to see the changes made.
    2) I made use of application roles throughout in object level security. Is it the correct approach?
    Yes, that is the right approach: use application roles for defining object level permission settings throughout; do not go for catalog groups, it makes them nasty to manage. Here is the quote from the Security Guide: "Using catalog groups is not considered a best practice and is available for backward compatibility in upgraded systems."
    3) To check if there are any object level security related bugs
    There might be more than the one mentioned above since 11.1.1.5. I do not trust that version, it bites a lot ;)
    And to explain step 2, let's say there are n application roles which should have the same object level security but different data level security. In that case I made all such application roles members of another application role and configured object level security for that group only. For example, in Manage Privileges I configured "Access to Answers" for one application group and made the other application group a member of this group. I hope it's clear now.
    Grouping of roles with other similar roles is what needs to be done to get functionality like catalog groups. However, a reference to the 5 basic rules is always a lifesaver: [Rules for Inheritance for Permissions and Privileges|http://docs.oracle.com/cd/E29505_01/bi.1111/e10543/mgrgrpsusers.htm#autoId16]
    Hope this helps!
    SVS

  • Object Level security not working on OBIEE 11g 11.1.1.7

    Hi,
I am experiencing problems with object level security applied on an application role in version 11.1.1.7. If I create a user, assign that user to an application role and give that application role permission to Access Answers in Manage Privileges, it is not working. If I directly add a user to the permission list in the Manage Privileges section, then the user is able to access Answers. I added that application role in the "Access to Answers" section of Manage Privileges. Permission for Authenticated Users is denied.
    We recently upgraded from 11.1.1.5 to 11.1.1.7. Please can someone confirm if it is a bug in 11.1.1.7 or it is because of the upgrade process.
    Regards,
    Sandeep

    Hello Sandeep,
I have just verified the below scenario as you said but didn't find any issue.
    I have just created a User, Group and Application Role under the default authentication provider. Assigned the user under the group and the group under the newly created application role, provided access to Answers for the new application role under Manage Privileges, and I am able to see it.
    This might not be an 11.1.1.7 bug; check it from the upgrade end.
    Regards,
    Srikanth

  • How can I limit/control the addition of auth. objects to security roles?

Checking the authorization object S_USER_VAL, it seemed that it grants the ability to limit the addition of authorization objects, but I tried using a test ID in sandbox along with a test role, removing the object and creating ranges in order to limit to a certain type of auth. objects, and it didn't work. S_USER_AGR will give me access to limit which type of roles I can modify, but I'm looking to restrict the addition of specific security objects to security roles. If anyone knows the answer to this please share! Thanks in advance for your help!
    Edited by: Armando Salas on Nov 29, 2011 7:41 PM

    Hi Armando,
Try with auth. obj. S_USER_AUT. A suggestion: search these objects with tcode SU24, for instance for tcode PFCG, and it gives a list with objects.
    I hope this helps you
    Regards
    Eduardo

  • How to get object level security in Universe?

    Hi,
I need to get the object level security for a Universe. I'm able to get the list of objects and their security access level (Public / Controlled / Restricted / Confidential / Private) from the (.unv) file using the Designer SDK.
    But I need to get the list of users who have object level security in the universe. In the CMC, by clicking the Universe and then the Object Level Security tab, we can see the list of users there.
    I need to get the same using the BOE SDK.
    I have used the following query to get the universe from the repository:
    "select * from ci_appobjects where si_kind='universe' "
    But I'm not able to get the list of users having object level security for that universe.
    Kindly help me to proceed.
    Thanks.

The access security level is encapsulated in the SI_KIND='Overload' object.
    Look for those types of objects, and the doc for the Overload class.
    An Overload references the Universe to which it's associated, and User/UserGroup objects are associated with the Overload via SecurityInfo.
    Sincerely,
    Ted Ueda

  • Object Level security by creating catalog groups in OBIEE-10G

    Hi All,
    I have a requirement to display the dashboard based on the user login. Ex. Mike belongs to HR, Smith belongs to Accounts
When Mike logs in he should see only these three dashboards: HR View, Common data1, Common data2. When Smith logs in he should see only these three dashboards: Accounts view, Common data1, Common data2.
    The Common data1 and Common data2 dashboards have reports common to all the departments. The other dashboards are department specific, with all different reports. How can I implement this?
    From one of my earlier posts I was advised to do it using object level security by creating catalog groups. Can you please provide me end to end instructions on how to create object level security based on catalog groups?
    Thanks for your time and help.

    Hi,
Mike - HR
    Smith - Accounts
    Yes, you can achieve this by object level security by creating catalog groups:
    1) Create catalog groups and users in the RPD (Ex: Account_grp, HR_grp)
    2) Assign each user to that particular group (let's say Ex: Account_grp = Smith and HR_grp = Mike)
    3) Log in (Admin user id) to the dashboard page ---> Manage Dashboards --> add the relevant users to that particular dashboard and save it; then
    try to log in as the Mike and Smith users and it will work.
    Kindly refer to the links below:
    http://www.rittmanmead.com/2010/01/obiee-10g-web-catalog-best-practices/
    http://www.rittmanmead.com/2007/05/obiee-and-row-level-security/
    thanks
    Deva

  • Object Level Security Issue.

    Hi,
    I am facing an issue in applying object level security in OBIA.
    I have successfully done the LDAP authentication.
    In object level, I want to give permission for the currently logged in user to a page of General Ledger dashboard.
    Regarding this I have added the group corresponding to the logged in user through "Manage privilege" and given Access to the Dashboards.
But after doing this I am getting the following error in my report when I log in as the same user:
    "Odbc driver returned an error (SQLExecDirectW).
    Error Details
    Error Codes: OPR4ONWY:U9IM8TAC:OI2DL65P:OI2DL65P
    State: HY000. Code: 10058. [NQODBC] [SQL_STATE: HY000] [nQSError: 10058] A general error has occurred. [nQSError: 27004] Unresolved table: "Financials - GL Balance Sheet". (HY000)
    SQL Issued: {call NQSGetQueryColumnInfo('SELECT "Profit Center"."Profit Center Name", Ledger."Ledger Name", Time."Fiscal Quarter", Time."Fiscal Year" FROM "Financials - GL Balance Sheet"')}
    SQL Issued: SELECT "Profit Center"."Profit Center Name", Ledger."Ledger Name", Time."Fiscal Quarter", Time."Fiscal Year" FROM "Financials - GL Balance Sheet"
Please suggest where else I need to do any setting.

    Hi,
    Looks like the user does not have access to the presentation table/column, check and see if the group has access.
    See: http://obiee-tips.blogspot.com/2009/09/obiee-security.html
    Regards,
    Matt

  • Object Level Security,Data Level Security&Row level Security

    can anyone explain main difference between "Object Level Security,Data Level Security & Row Level Security " and how to implement.
    Thanks in advance,
    Kumar

    Hi Kumar
Dashboards, reports, guided navigation links, texts and briefing books are all dashboard OBJECTS which are available at the UI level of OBIEE. If you restrict them, say user 'A' wants to see 2 dashboards and user 'B' wants to see 1 dashboard, the settings and permissions you are restricting at object level are called Object Level Security.
    Similarly, data level security is restriction of data. Consider the same example above: user 'B' wants to see 2-3 regions' data whereas user 'A' will see only a single region's data, which you will restrict at logical tables, using variables.
    Row level security: http://groups.google.com/group/obiee-enterprise-methodology/browse_thread/thread/131ee938a5aefde0 refer to this link, it clearly explains it.
    Please mark Correct or Helpful if this clears it up.

  • Object level security will be done by bi-server or presentation server

    hi all
Is object level security done by the BI server or the presentation server?
    Or is both done by the BI server?
    Thanks

    Hi,
object level security will be done by bi-server or presentation server?
    It would be maintained by both servers, as the end user sends a request that is sent to the presentation server and then in turn to the BI server; during this process both check whether there is any security implemented on it.
    Yes, in simple words, authorization and authentication.
    Hope it helps you.
    By,
    KK

• How do you create object level security in BI for roles?

How do you create object level security in BI for roles? For example, if I want users to only execute reports in BI for a particular "object" report, how would I do that?
    Thanks.

    Hi Maritza,
Can you be more specific?
    If you are looking for BI Security concept, check this presentation:
    https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/1b439590-0201-0010-ea8e-cba686f21f06
    Regards,
    Zaheer

  • Object Level Security Profile-Collaborators

    Dear All,
In the document collaborator security profile, one permission is "change master data state". Is master data considered all fields within the contract? Also, what will happen if this permission is changed to "not set"?
    Thanks,
    Jay

  • Object Replication / Many objects

    What is the best approach to introduce a new object to replicate to a group after a previous object has been replicated? Imagine, peer A shared object A to the group using addhaveObjects(0, chunks(A)) and all peers successfully replicated that object. Next, peer B wants to share another object B to the same group. By just doing addhaveObjects(0, chunks(B)) this won't do anything as all lower indices (e.g. 0 - 10) have been "used" for the replication of object A already - at least that is what I expect to happen.
    So is the best practice to create a new group for the new replication and notify all peers in the current group to join that group? Or should B just start at index chunks(A)+1 for the new object B, i.e. addhaveObjects(chunks(A)+, chunks(A) + 1 + chunks(B))?
    Dirk.

    Hello
Your last guess is the best, "Or should B just start at index chunks(A)+1", except that the object replication space need not be contiguous, so you may start each object at a round value, say objectIndex*1024.
    As a note, it may be hard for the "seed" to know when all data it sent has been replicated amongst all; also, some peers may join later. There's nothing wrong, however, with different peers seeding different pieces of content at the same time, just make sure everybody shares all the received chunks.
    Good luck

  • Object Replication Manager - Errors 6004

    Hello everyone.
    I'm seeing these errors in SMS_OBJECT_REPLICATION_MANAGER component.
I have seen many posts with the same issue reported, but none with an answer that would help me correct this in my environment, like here:
    http://social.technet.microsoft.com/Forums/en-US/3f0cc0ed-5fd9-4860-aabd-e40e8f62053f/sms-object-replication-manager-failed-to-process-sms-object-changes?forum=configmgradminconsole
    These errors do not go away. Instead, they keep piling up.
    I looked at replication logs for more details but there is really nothing relevant there.
    Does anyone have any suggestions where else could be the issue?
Thank you for your help.

    Hi,
    My fault, the steps in the blog below should work.
    "SCCM and components:
    HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ SMS \ Tracing \ ENABLED = 1 – (REG_DWORD – General SCCM turn on Logging)
    HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ SMS \ Tracing \ xxxxxxx \ Enabled = 1 – (REG_DWORD – The Role SCCM’de If you change the compositions according to him)
    HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ SMS \ Tracing \ xxxxxxx \ MaxFileSize = 3000000 – (REG_DWORD – 3 MB large – NAL and Debug Logging for growth with more than it is worth)
    Important components to be linked to SQL for SQL logging, open the key: HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ SMS \ Tracing \ Sqlenabled = 1 – (REG_DWORD) "
    SCCM ConfigMgr 2012 How to Turn On Verbose SQL NAL logging
    (Note: Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice.
    Microsoft does not guarantee the accuracy of this third-party contact information.)
    Best Regards,
    Joyce Li

  • Object Replication with RTMFP

I am confused with the object replication capabilities of RTMFP. I am not sure which "objects" are replicated or how they are created and managed. Does anyone have any examples they could share?

That makes me feel better, as I was beginning to think I was missing something. I am actually just experimenting with building a distributed status reporting system. The feature I was working on was enabling the submitter to compose the status report while disconnected (such as on an airplane) and/or when connected to a local LAN (as in a conference / war room like setting) with no internet connectivity.
    Given what I have been trying, it seems like what is needed is two additional methods on the NetGroup class:
    AddHaveItem - takes as a parameter a GUID list. (The GUID is defined by the application, so in my example the GUID may be a logical key like "lastname + yy/mm/dd" or some much more elaborate GUID creation scheme.)
    AddWantItem - takes as a parameter a GUID list or the string "ALL" indicating everything,
    with the response behavior being similar to AddWantObjects and AddHaveObjects. This may provide a means of accessing the shared objects without depending on a central semaphore. I suspect you already have the internal information necessary to map the GUID to the index in the internals of the group.
    A couple of more unrelated questions:
1) While debugging I tend to use the same GroupSpecifier over and over. What I notice is that unless I disconnect cleanly, the next time I connect the previous peer is still represented in the group. So this morning I started plugging away. I ran my application and saw there were 10 connections to my group. I know this is residual from last night because I am only running on my LAN (using netConnection.connect("rtmfp:")) and only have one machine with one instance of the app running. Where is this information coming from? Where is it stored? When will it "timeout"? Is there any way to access these internal structures and information?
    2) It seems it would be very useful to provide access to the current group members. In my example app mentioned above I want to show the current user any other peers who are online and connected to the group. The only way I see to do this is to manually build the list by listening for "NetGroup.Neighbor.Connect", which I believe only gets me the endpoints I am directly connected with. In my case I want the user to see a list of everyone they can communicate with (regardless of whether connected directly or indirectly). More assumptions on my part, but this must be available in the internals since NetGroup.Post is able to deliver to all current users.
    Again, thanks for your assistance on this new, potentially revolutionary functionality. While all the other vendors are betting big on the cloud, Adobe is innovating on the opposite end of the spectrum, where in my opinion most users are most naturally comfortable.
    (pls look for private message)

  • Article: Video-on-Demand over P2P in Flash Player 10.1 with Object Replication

    Check it out guys, comments welcome.
    Video-on-Demand over P2P in Flash Player 10.1 with Object Replication
http://www.flashrealtime.com/video-on-demand-over-p2p-in-flash-player-101-with-object-replication/
    Tom

    I figured it out.
    It has to do with nested items using 3d functionality.
    I had sprites loading the images which I in turn addChild to another sprite (so I could offset the position before rotation).
    As soon as I changed my
    holder.addChild(image);
    to
    addChild(image);
... my problems disappeared!
    This means I have to change my concept a bit, or at least rewrite the code - but at least the stuff stays on screen.
    I really hope this issue gets sorted out.
    Hope you figure your issue out as well.
