Office Web Apps - Best Practice for App Pool Security Account?

Guys,
I am finalising my testing of Office Web Apps, and ready to move onto deploying it to my live farm.
Generally speaking, I put service applications in their own application pool.
Obviously, doing so has an overhead on memory and processing; however, generally speaking, it is best practice from a security perspective to use separate accounts.
I have to create 3 new service applications in order to deploy Office Web Apps; in my test environment these are using the default SharePoint app pool.
Should I create one application pool for all my office web apps with a fresh service account, or does it make no odds from a security perspective to run them in the default app pool?
Cheers,
Conrad
Conrad Goodman MCITP SA / MCTS: WSS3.0 + MOSS2007

I run my OWA under its own service account (spOWA) and use only one app pool. Just remember that if you go this route, "When you create a new application pool, you can specify a security account used by the application pool to be either a predefined Network Service account or a managed account. The account must have db_datareader, db_datawriter, and execute permissions for the content databases and the SharePoint configuration database, and be assigned to the db_owner role for the content databases." (http://technet.microsoft.com/en-us/library/ff431687.aspx)
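As an added example (not code from this thread), the script below registers the dedicated account the reply describes, gives it its own service application pool, and then checks the SQL Server permissions the quoted TechNet article calls for. It assumes the SharePoint 2010 Management Shell on a farm server, the SQL Server PowerShell module for Invoke-Sqlcmd, a database user named like the Windows login, and placeholder account and pool names.

```powershell
# Added example, not code from this thread: register a dedicated managed account
# for Office Web Apps, give it its own service application pool, and check the
# SQL Server permissions the TechNet quote in the reply calls for.
# Assumptions: SharePoint 2010 Management Shell on a farm server, run as a farm
# administrator who can read the SQL catalog views; the SQL Server PowerShell
# module (Invoke-Sqlcmd) is installed; the database user carries the same name as
# the Windows login; account and pool names are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$accountName = 'CONTOSO\spOWA'                # placeholder service account
$poolName    = 'SharePoint Office Web Apps'   # placeholder pool name

# 1. Register the account as a managed account if the farm does not have it yet.
$managed = Get-SPManagedAccount -Identity $accountName -ErrorAction SilentlyContinue
if (-not $managed) {
    $managed = New-SPManagedAccount -Credential (Get-Credential $accountName)
}

# 2. Create the dedicated application pool, skipping it if it already exists.
$pool = Get-SPServiceApplicationPool -Identity $poolName -ErrorAction SilentlyContinue
if (-not $pool) {
    $pool = New-SPServiceApplicationPool -Name $poolName -Account $managed
}

# 3. List the service applications still bound to the default pool, so the three
#    OWA service applications can be created (or recreated) against $pool instead.
Get-SPServiceApplication |
    Where-Object { $_.ApplicationPool -and $_.ApplicationPool.Name -like 'SharePoint Web Services Default*' } |
    Select-Object DisplayName, TypeName, @{ n = 'Pool'; e = { $_.ApplicationPool.Name } }

# 4. Verify the permissions quoted from TechNet: db_datareader, db_datawriter and
#    EXECUTE on the configuration and content databases, plus db_owner on the
#    content databases. db_owner already implies the rest, so a database where the
#    account is db_owner is reported as complete.
function Test-OwaDbPermissions {
    param([string]$Account)

    # Role memberships and database-level grants of the login's database user.
    # $(acct) is a sqlcmd variable that Invoke-Sqlcmd substitutes; the single-quoted
    # here-string keeps PowerShell from treating it as a subexpression.
    $query = @'
SELECT 'ROLE:' + r.name AS grant_name
FROM sys.database_role_members rm
JOIN sys.database_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals m ON m.principal_id = rm.member_principal_id
WHERE m.name = N'$(acct)'
UNION ALL
SELECT 'PERM:' + p.permission_name
FROM sys.database_permissions p
JOIN sys.database_principals m ON m.principal_id = p.grantee_principal_id
WHERE m.name = N'$(acct)' AND p.class = 0 AND p.state IN ('G', 'W')
'@

    $configDb = Get-SPDatabase |
        Where-Object { $_ -is [Microsoft.SharePoint.Administration.SPConfigurationDatabase] }
    $targets = @(@{ Db = $configDb; Need = @('ROLE:db_datareader', 'ROLE:db_datawriter', 'PERM:EXECUTE') })
    foreach ($cdb in Get-SPContentDatabase) {
        $targets += @{ Db = $cdb; Need = @('ROLE:db_datareader', 'ROLE:db_datawriter', 'PERM:EXECUTE', 'ROLE:db_owner') }
    }

    foreach ($t in $targets) {
        $have = Invoke-Sqlcmd -ServerInstance $t.Db.NormalizedDataSource -Database $t.Db.Name `
                              -Query $query -Variable "acct=$Account" |
                ForEach-Object { $_.grant_name }
        $missing = @()
        if ($have -notcontains 'ROLE:db_owner') {
            $missing = @($t.Need | Where-Object { $have -notcontains $_ })
        }
        New-Object PSObject -Property @{
            Database = $t.Db.Name
            Ok       = ($missing.Count -eq 0)
            Missing  = ($missing -join ', ')
        }
    }
}

Test-OwaDbPermissions -Account $accountName | Format-Table Database, Ok, Missing -AutoSize
```

Run the permission check again after the three OWA service applications have been created in the new pool; any database reported with Ok = False is one where the dedicated account would fail at runtime.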

Similar Messages

  • Best practices for apps integration with third party systems ?

    Hi all
    I would like to know if there is any document from Oracle, or from your own experience, regarding best practices for apps integration with third-party systems.
    For example, in particular, let's say a customization in a given module (e.g. Payables) needs to provide data to a third-party system; consider the following:
    Outbound interface:
    1) Should the third-party system be given direct access to the Oracle database, to look for data in a particular payments data table/view?
    2) Should Oracle create a file for the third-party system, so that it can read it and do what it needs to do?
    Inbound:
    1) Should the third party log in directly and insert data into the tables which hold response data?
    2) Again, should the third party create a file which Oracle Apps will pick up for further processing?
    Again, there could be a lot of company-specific scenarios, like whether it has to be real time or not, etc.
    How do companies make sure third-party systems are not directly dipping into other systems (Oracle Apps/others), so that certain integration best practices are followed?
    How does enterprise architecture play a role in this? Can we apply SOA standards? Should we use request/reply using Tibco, etc.?
    Many Oracle Apps implementation customizations are more or less directly interacting with third-party systems, by including code to log in to the respective third-party systems and vice versa.
    Let me know if you have done it differently; that would help the Oracle Apps community.
    thanks
    rrb.

    You want to send an IDoc to a third-party system (non-SAP).
    What kind of system is it? Can it handle HTTP requests,
    or
    can it handle web services?
    Which version of R/3 are you using?
    What is the mechanism the receiving system has to receive data?
    Regards
    Raja

  • Best practices for app store developer download

    We use company-owned Macs to develop iOS applications. We frequently need to access the App Store to download free apps (such as Xcode and competitors' apps), but the developers don't want to enter their personal iTunes credentials on company Macs to do this. The company does not want to enter their credit card to create a company-wide iTunes account for fear of weird charges ending up on their card. Furthermore, the reason Apple has logins to the App Store is to tailor the experience to the individual, so having a company login for many people does not seem to be the way to go. What is the best practice for this? Does iTunes have an "Organization" level object that can add iTunes users to it, like the "Developer Teams" aspect for Apple developers?

    I haven't done this, so I haven't solved the problem as such. But those organizations who I've seen mention it either just get free apps via this process:
    http://support.apple.com/kb/HT2534
    or use a corporate credit card with the accounts. You can use a single credit card for all the accounts, to the best of my knowledge. There's also a Volume Purchase Plan for businesses which can simplify matters:
    http://www.apple.com/business/vpp/
    I believe that a redemption code obtained through this program can be used to set up an iTunes Store account, but I'm not certain.
    Regards.

  • What is the Best Practice for Server Pool...

    hi,
    what is the best practice for having a server pool, i.e.
    1) having a single large server pool consisting of "n" number of guest VMs
    2) having multiple small server pools consisting of a smaller number of guest VMs
    please suggest.....

    Raja Kondar wrote:
    what is the best practice for having a server pool, i.e.
    1) having a single large server pool consisting of "n" number of guest VMs
    2) having multiple small server pools consisting of a smaller number of guest VMs

    I prefer option 1, as this gives me the greatest amount of resources available. I don't have to worry about resources in smaller pools. It also means there are more resources across the pool for HA purposes. Not sure if this is official best practice, but it is a simpler configuration.
    Keep in mind that a server pool should probably have up to 20 servers in it: OCFS2 starts to strain after that.

  • Best practice for external but secure access to internal data?

    We need external customers/vendors/partners to access some of our company data (view/add/edit). It's not so easy as to segment out those databases/tables/records from other existing ones (and put separate database(s) in the DMZ where our server is). Our current solution is to have a 1433 hole from the web server into our database server. The user credentials are not in any sort of web.config but rather compiled in our DLLs, and that SQL login has read/write access to a very limited number of databases.
    Our security group says this is still not secure, but how else are we to do it? Even with a web service, there still has to be a hole somewhere. Any standard best practice for this?
    Thanks.

    Security is mainly about mitigation rather than 100% secure: "We have unknown unknowns". The component needs to talk to SQL Server. You could continue to use HTTP to talk to SQL Server, perhaps even get SOAP transactions working, but personally I'd have more worries about using such a 'less trodden' path, since that is exactly the area where more security problems are discovered. I don't know about your specific design issues, so there might be even more ways to mitigate the risk, but in general you're using a DMZ as a decent way to mitigate risk. I would recommend asking your security team what they'd deem acceptable.
    http://pauliom.wordpress.com

  • OVD best practices for app-specific views?

    I have a requirement to create app-specific views of joined (OID+AD) LDAP directory data. It occurs to me that logically I could take 2 approaches to this, as laid out below as option 1 & 2, although I'm not sure how to actually create option 2. I've listed the adapters I'd construct, the adapter type, and the name/purpose of each. The end product of each option is 2 join adapters that present different app-specific views derived from the same source LDAP data. Each join adapter would be consumed by different apps and present different subsets and transformations of that directory data.
    OPTION1:
    1 ldap oid1
    2 ldap ad1
    3 ldap oid2
    4 ldap ad2
    5 join oid1+ad1 (for app1)
    6 join oid2+ad2 (for app2)
    OPTION2:
    1 ldap oid1
    2 ldap ad1
    3 ? oid2 (a transformed subtree derived from oid1)
    4 ? ad2 (a transformed subtree derived from ad1)
    5 ? oid3 (a transformed subtree derived from oid1)
    6 ? ad3 (a transformed subtree derived from ad1)
    7 join oid2+ad2 (for app1)
    8 join oid3+ad3 (for app2)
    With option 1, I would create 2 OID and 2 AD adapters, repeating the connectivity configuration for each; and each adapter, once deployed, is going to establish its own pool of LDAP connections to the source LDAP servers. This is a little clunky as you scale it beyond the initial two app-specific views, and leaves me a little concerned about how well this model scales, considering each LDAP adapter is going to set up its own pool of connections. I.e. with 5 app-specific views to construct, I'd have 5 OID and 5 AD pools... seems to somewhat defeat the whole point of pooling.
    Option 2 is predicated on the idea of creating 1 single LDAP adapter in OVD for OID and another single one for AD, then creating secondary adapters which pull and transform data from those two primary source adapters. No matter how many secondary OID & AD adapters I create, only the two primary adapters actually have pooled connections to OID and AD. The advantage here clearly is in how we manage and limit how many pools we are setting up. But I'm not sure what kind of adapter to use for oid2/3 and ad2/3. I looked at using a join adapter, configured not to actually join anything but rather just pull from a single primary adapter, but I couldn't see any way to change the subtree being pulled from the primary adapter. The alternative might be to create LDAP adapters that connect to oid1 and ad1... a loopback approach... but this gets us into pools on top of pools. Again, a little clunky.
    Any thoughts or recommendations with regard to best practices here?


  • Certificate Requirements / Best Practice for DR Pool

    Good morning
    I'm looking for clarification on the certificate requirements for DR. I already have both my primary pool and my DR pool built, and paired. At the time I configured them, I used a different certificate for each pool. I would really just prefer to use one when we build the environment live.
    Is there some reason I cannot just add *all* servers from both primary and DR pool into one cert as SANs? The subject name/common name of the cert doesn't *really* matter as long as both the pool FQDNs and all server FQDNs are in the Subject Alternative Names, right?

    It may work, but it's not the path Microsoft recommends:
    https://technet.microsoft.com/en-us/library/gg398094.aspx. This is one of the reasons I always try to use an internal certificate authority, even if I have to deploy one just for Lync, just so little items like this don't matter much.
    If it works, it's up to you. I'd base that decision on how mission-critical the solution is. If it's your phone system, I'd follow Microsoft's guides to the letter so I'm not in a nightmare situation if I ever have to call Microsoft support.
    If it's IM and P only, I'd be willing to let some things slide if it's saving you a lot of money.
    SWC Unified Communications

  • Best practices for disabling an employees account, but leaving mailbox available for others while not accepting messages

    I'm sure that other organizations have some policy for this. In our case, we want to keep the mailbox available for others to still access, but disable the user account and remove it from OWA.
    In this case, I've disabled the AD object, disabled OWA from the features, and set the mailbox to only receive emails from a dummy mailbox (so that no new emails are accepted).
    This all works fine and senders receive an NDR that their mail was rejected; however, I'd also like to set a friendlier custom NDR telling them to call the office instead when any sender attempts to send email to that recipient.
    What would best practices, suggestions be for this behavior?

    Hi,
    According to your description, the user object in AD has been disabled.
    In this case, the mailbox most likely cannot be accessed. Thus, maybe OOF couldn't help you.
    If I misunderstand your meaning, please feel free to let me know.
    And we can depend on a transport rule:
    The recipient is ...
    send rejection message to sender with enhanced status code:
    http://technet.microsoft.com/en-us/library/bb123506(v=exchg.141).aspx
    Thanks,
    Angela Shi
    TechNet Community Support
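    As an added example (not part of the thread), the Exchange 2010 Management Shell script below performs the offboarding steps the question describes and adds the transport rule the reply points to, so senders get a friendlier reason text and an enhanced status code instead of a bare NDR. It assumes the ActiveDirectory module is available on the server and uses placeholder names and addresses.

```powershell
# Added example, not from the thread: offboard a mailbox the way the question
# describes (disable the AD account, switch off OWA, keep the content reachable
# for colleagues) and reject new mail with a custom NDR via a transport rule.
# Assumptions: Exchange 2010 Management Shell with the ActiveDirectory module
# available; all names, addresses and the phone number are placeholders.
Import-Module ActiveDirectory

$user    = 'jdoe'                          # placeholder sAMAccountName
$smtp    = 'jdoe@contoso.com'              # placeholder primary SMTP address
$keepers = @('manager@contoso.com')        # placeholder: who still needs the mailbox
$reason  = 'This mailbox is no longer in use. Please call the office on +1 555 0100.'

# 1. Disable the AD account and the OWA feature, as in the question.
Disable-ADAccount -Identity $user
Set-CASMailbox -Identity $smtp -OWAEnabled $false

# 2. Keep the mailbox available to the named colleagues through Full Access.
foreach ($k in $keepers) {
    Add-MailboxPermission -Identity $smtp -User $k -AccessRights FullAccess -InheritanceType All
}

# 3. The question's existing restriction: accept mail only from a dummy sender.
#    The transport rule in step 4 rejects first, so this is belt and braces.
Set-Mailbox -Identity $smtp -AcceptMessagesOnlyFrom 'noreply-placeholder@contoso.com'

# 4. Reject new mail with the custom reason text and an enhanced status code at
#    the transport layer. 5.7.1 is one of the codes the action accepts.
$ruleName = "Reject mail to departed user $user"
if (-not (Get-TransportRule -Identity $ruleName -ErrorAction SilentlyContinue)) {
    New-TransportRule -Name $ruleName `
        -SentTo $smtp `
        -RejectMessageReasonText $reason `
        -RejectMessageEnhancedStatusCode '5.7.1'
}

# 5. Review the resulting state before closing the ticket.
Get-ADUser -Identity $user | Select-Object SamAccountName, Enabled
Get-CASMailbox -Identity $smtp | Select-Object Name, OWAEnabled
Get-MailboxPermission -Identity $smtp |
    Where-Object { -not $_.IsInherited -and $_.User -notlike 'NT AUTHORITY\*' } |
    Select-Object User, AccessRights
Get-TransportRule -Identity $ruleName | Select-Object Name, State, RejectMessageReasonText
```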

  • [Ask] Best practice for making pools with CAM.

    Dear all,
    there's a few things I want to ask:
    Condition:
    - I have 48 disks of 300GB each and want to make some pools that contain /ctl, /archive, /data, /backup, /redo
    - I use the Common Array Manager 6.9 software
    - based on the information I got, when using more than 1 pool, data is processed faster than if only 1 pool is made.
    Question:
    - which/what is the best practice when the data is spread out over several pools? my target is iops < 4ms
    - How many pools do I make?
    - How many hard drives are set in 1 pool?
    Thank you in advance.
    Rey
    Edited by: 952840 on Jan 3, 2013 11:41 PM

    Hi,
    If you are adding new folders then just add them to the Oracle Business Area. The business area is just a collection of folders. If the business area was changed in an upgrade the new folder would not be deleted.
    If you want to add fields to the existing folders/views then you have 2 options. Add the field to the defining base view (these are the views beginning OEBV and OEFV) and then regenerate the business views. This may be overwritten if the view is upgrade but this is unlikely.
    Alternatively, copy the view to create a new version and then map the old folder to the new view and refresh. You may need to re-map the folder if the folder is upgraded, but at least you have a single folder used by both Oracle and custom reports.
    Rod West

  • What are best practice for packaging and deploying j2EE apps to iAS?

    We've been running a set of J2EE applications on a pair of iAS SP1b for about a year and it has been quite stable.
    Recently, however, we have had a number of LDAP issues, particularly when registering and unregistering applications (registering ear files sometimes fails the 1st time but may work the 2nd time). Also, we've noticed very occasionally that old versions of classes sometimes find their way onto our machines.
    What is considered to be best practice in terms of packaging and deployment, specifically:
    1) Packaging - using the deployTool that comes with iAS6 SP1b to package is a big manual task, especially when you have 200+ jsp files. Are people out there using this or are they scripting it with a build tool such as Ant?
    2) Deploying an existing application to multiple iAS's. Are you guys unregistering old application then reregistering new application? Are you shutting down iAS whilst doing the deployment?
    3) Deploying ear files can take 5 to 10 mins, is this normal?
    4) In a clustered scenario where HTTPSession is shared what are the consequences of doing deployments to data stored in session?
    thanks in advance for your replies
    Owen

    You may want to consider upgrading your application server environment to a newer service pack. There are numerous enhancements involving the deployment tool and the run-time layout of your application that make clear where your application is loading its files from.
    If you've got a long-running application server environment, with lots of deployments under your belt, you might start to notice slowdowns in deployment and KJS start time. Generally this is due to garbage collecting in your iAS registry.
    You can do several things to resolve this. The most complete solution is to reinstall the application server. This will guarantee a clean LDAP registry. Of course, you've got to re-establish your configurations and redeploy your applications. When done, back up your application server install space with the application server and directory server off. You can use this backup to return to a known configuration at some future time.
    For the second method: BE CAREFUL - BACKUP FIRST
    There is a more exhaustive solution that involves examining your deployed components to determine the active GUIDs. You then search the NameTrans section of the registry for Applogic Servlet * and Bean * entries that represent your previously deployed components but are represented in the set of deployed GUIDs. Record these older GUIDs and remove them from ClassImp and ClassDef. Finally, remove the older entries from NameTrans.
    Best practices for deployment depend on your particular environmental needs. Many people utilize Ant as a build tool. In later versions of the application server, complete Ant scripts are included that address compiling, assembly and deployment. Ant 1.4 includes iAS-specific targets and general J2EE targets. There are iAS-specific targets that can be utilized with the 1.3 version. Specialized build targets are not required, however, to deploy to iAS.
    Newer versions of the deployment tool allow you to specify that JSPs are not to be registered automatically. This can be significant if deployment times lag. Registered JSPs, however, benefit more fully from the services that iAS offers.
    2) In general it is better to undeploy, then redeploy. However, if you know that you're not changing GUIDs, recreating an existing application with new GUIDs, or removing registered components, you may avoid the undeploy phase.
    If you shut down the KJS processes during deployment you can eliminate some additional workload on the LDAP server, which really gets pounded during deployment. This is because the KJS processes detect changes and do registry loads to repopulate their caches. This can happen many times during a deployment and does not provide any benefit.
    3) Deploying can be a lengthy process. There have been improvements in that performance from service pack to service pack, but unfortunately you won't see dramatic drops in deployment times.
    One thing you can do to reduce deployment times is to understand the type of deployment. If you have not manipulated your deployment descriptors in any way, then there is no need to deploy. Simply drop your newer bits into the run-time space of the application server. In later service packs this means exploding the package (ear, war, or jar) into the appropriate subdirectory of the APPS directory.
    4) If you've changed the classes of objects that have been placed in HTTPSession, you may find that you can no longer utilize those objects. For that reason, it is suggested that objects placed in session be kept as simple as possible in order to minimize this effect. In general, however, it is not a good idea to change a web application during the life span of a session.

  • Best Practice for trimming content in Sharepoint Hosted Apps?

    Hey there,
    I'm developing a SharePoint 2013 App that is set to be SharePoint Hosted. I have a section within the app that I'd like to be configuration-related, so I would like to only allow certain users or roles to be able to access this content or even see that it exists (i.e. an Admin button, if you will). What is the best practice for accomplishing this in SharePoint 2013 Apps? Thus far, I've been doing everything using jQuery and the REST API and I'm hoping there's a standard within this that I should be using.
    Thanks in advance to anyone who can weigh in here.
    Mike

    Hi,
    According to this documentation, "You must configure a new name in Domain Name Services (DNS) to host the apps. To help improve security, the domain name should not be a subdomain of the domain that hosts the SharePoint sites. For example, if the SharePoint sites are at Contoso.com, consider ContosoApps.com instead of App.Contoso.com as the domain name".
    More information:
    http://technet.microsoft.com/en-us/library/fp161237(v=office.15)
    For production hosting scenarios, you would still have to create a DNS routing strategy within your intranet and optionally configure your firewall.
    The link below will show how to create and configure a production environment for apps for SharePoint:
    http://technet.microsoft.com/en-us/library/fp161232(v=office.15)
    Thanks
    Patrick Liang
    Forum Support

  • Best Practice for Securing Web Services in the BPEL Workflow

    What is the best practice for securing web services which are part of a larger service (a business process) and are defined through BPEL?
    They are all deployed on the same oracle application server.
    Defining agent for each?
    Gateway for all?
    BPEL security extension?
    The top level service that is defined as business process is secure itself through OWSM and username and passwords, but what is the best practice for security establishment for each low level services?
    Regards
    Farbod

    It doesn't matter whether the service is invoked as part of your larger process or not; if it is performing any business-critical operation then it should be secured.
    The idea of SOA / designing services is to have the services available so that they can be orchestrated as part of any other business process.
    Today you may have secured your parent services, and tomorrow you could come up with a new service which may use one of the existing lower-level services.
    If all the services are in one application server, you can make the configuration/development environment a lot easier by securing them using the Gateway.
    A typical problem with any gateway architecture is that the service is available without any security enforcement when accessed directly.
    You can enforce rules at your network layer to allow access to the app server only from the Gateway.
    When you have the liberty to use OWSM or any other WS-Security product, I would stay away from any extensions. Two things to consider:
    The next BPEL developer in your project may not be aware of security extensions.
    Centralizing security enforcement will make your development and security operations loosely coupled, and addresses scalability.
    Thanks
    Ram

  • Best practice for loading config params for web services in BEA

    Hello all.
    I have deployed a web service using a java class as back end.
    I want to read in config values (like init-params for servlets in web.xml). What is the best practice for doing this in the BEA framework? I am not sure how to use the web.xml file in the WAR file since I do not know the name of the underlying servlet.
    Any useful pointers will be very much appreciated.
    Thank you.


  • Best practices for office 365 SHARED CALENDAR for whole school / organization

    hi
    we need guidance on best practice for setting up a SHARED CALENDAR on the Office 365 Exchange server for an entire organization (school) of 150 staff.
    Requirements
    + all staff should have read only / reviewer permissions on calendar
    +handful staff should have editor permissions on calendar
    + the calendar should synchronise custom categories and colors
    Current Solution
    at the moment we have found that a shared mailbox is the best solution because;
    - all users can add the shared mailbox in Outlook 2010 as an additional mailbox, as read-only
    - all the categories & colors for the calendar are automatically synchronised because the color categories are stored within this mailbox.
    - you can edit calendar permissions in Outlook to allow some users as "editor" of the calendar.
    Problem with Current Solution
    the problem however is that the users also need to access this...
    This topic first appeared in the Spiceworks Community

    Hi Aleksei,
    I think Inactive mailboxes in Exchange Online is the feature that you want. This feature makes it possible for you to preserve (store and archive) the contents of deleted mailboxes indefinitely.
    A mailbox becomes inactive when an In-Place Hold or a
    Litigation Hold is placed on the mailbox before the corresponding Office 365 user account is deleted.
    But I'm afraid that it might be impossible to "easily share certain folders or even whole mailbox with people in the company". As can be seen from the articles below, this only allows administrators, compliance officers, or records managers to use the In-Place eDiscovery feature in Exchange Online to access and search the contents of an inactive mailbox:
    http://technet.microsoft.com/en-us/library/dn144876(v=exchg.150).aspx
    http://blogs.technet.com/b/exchange/archive/2013/03/21/preserve-mailbox-data-for-ediscovery-using-inactive-mailboxes-in-exchange-online.aspx
    Anyway, this is the forum to discuss questions and feedback for the Microsoft Office client. For more details about your question, I would suggest you post in the dedicated forum for Exchange Online, where you can get more experienced responses:
    https://social.technet.microsoft.com/Forums/msonline/en-US/home?forum=onlineservicesexchange
    The reason why we recommend posting appropriately is you will get the most qualified pool of respondents, and other partners who read the forums regularly can either share their knowledge or learn from your interaction with us. Thank you for your understanding.
    Regards,
    Ethan Hua
    TechNet Community Support

  • Best practices for setting up users on a small office network?

    Hello,
    I am setting up a small office and am wondering what the best practices/steps are to set up/manage the admin, user logins and sharing privileges for the setup below:
    Users: 5 users on new iMacs (x3) and upgraded G4s (x2)
    Video Editing Suite: Want to connect a new iMac and a Mac Pro, on an open login (multiple users)
    All machines are to be able to connect to the network, peripherals and external hard drive. Also, I would like to set up drop boxes to easily share files between the computers (I was thinking of using the external hard drive for this).
    Thank you,

    Hi,
    Thanks for your posting.
    When you install AD DS in the hub or staging site, disconnect the installed domain controller, and then ship the computer to the remote site, you are disconnecting a viable domain controller from the replication topology.
    For more detailed information, please refer to:
    Best Practices for Adding Domain Controllers in Remote Sites
    http://technet.microsoft.com/en-us/library/cc794962(v=ws.10).aspx
    Regards.
    Vivian Wang
