Permissions from mulitple policies

Similar Messages

• How do I get the Principals as well as the Permissions from Policy?

  I know how to get the permissions from a Policy:
    MyPolicy.getPermissions()
  How do i get the Principals and Permissions?
  If I have:
  grant MyPrincipalClass "Jeff" {
     permission MyPerm "doIt"
  how do I then (in my code) get both the permission and the Principal?
  I am currently doing this:
  java.security.PermissionCollection pc = pol.getPermissions(new java.security.CodeSource(new java.net.URL("file:/D:/JAAS/"), null));
  for (java.util.Enumeration en = pc.elements(); en.hasMoreElements(); )
                  System.out.println(en.nextElement());
  }

  In reference to your earlier question about "setting the Principal"; those responders pointed you to the JAAS documentation, and that's the answer here, too. You need to implement a Policy class that uses the JAAS Subject as a parameter to the Policy constructor as well as to the getPermissions() method. The Subject contains the Principals that have been added to it by (your) involved LoginModules. I'm still using JAAS 1.0 on JDK 1.3, and am real not familiar yet with the JDK 1.4 version of Security, but; I think the same applies there. Keep in mind; the "grant" only declares the permissions for a Principal; it's up to the LoginModules to establish the identity (identities) of the authenticated Principal(s) to which those permissions are to be granted.

• How can I migrate file shares & permissions from one volume to another on the same server?

  I am replacing a storage array and as part of that process, I need to move files/folders and Shares/permissions from one Volume to another volume within the same server.
  The server is Windows 2003 file server.  The file transfers are not a problem, moving all 40 shares with permissions etc. is my main concern because in order to maintain everything I need to change the drive letter of the new volume to match the old
  one so that links to various resources throughout the network do not break.

  Hi, 
  If you want to copy files/folders from one Volume to another volume within the same server, you could use the File Server Migration Tool (FSMT) or Robocopy to accomplish your goals. The tool can move all of the files from the shares on your original volume
  to the new volume.
  For more detailed information, you could refer to the articles below:
  File Server Migration Toolkit
  http://technet.microsoft.com/en-us/magazine/2006.10.utilityspotlight.aspx
  The File Server Migration Toolkit (FSMT) is a free download available at:
  http://www.microsoft.com/en-us/download/details.aspx?DisplayLang=en&id=10268
  Robocopy
  http://technet.microsoft.com/en-us/library/cc733145.aspx
  FSMT and Robocopy will not copy Share permissions but only NTFS permissions. So if the drive letter will not be changed, you can backup and restore the Share permission with steps here:
  Saving and restoring existing Windows shares
  http://support.microsoft.com/kb/125996
  Regards, 
  Mandy
  We
  are trying to better understand customer views on social support experience, so your participation in this
  interview project would be greatly appreciated if you have time.
  Thanks for helping make community forums a great place.

• Windows server 2008 R2 File& Folder Permissions; Ghost Permissions From "Parent Object" Assigned to Folder Owner

  Windows 2008 R2 file server: Subfolders of a particular folder have an account that has Full Control permission that are listed as inherited. That account has no permissions in the parent folder. It was, however the account that was used to copy the folders
  and their contents in there from another source and was the owner of the folder.
  In Advanced Permissions, it shows them as inherited from "Parent Object" as opposed to the folder name of the parent folder (there are some of these.) (The parent folder of the place where the problem occurs does not inherit from _its_ parent)
  I removed it as owner and yet the permissions remained. (as displayed either through the GUI or with ICACLS.)
  If I make _any_ edit in Advanced Permissions, the 'ghost' permissions then go away (e.g. add my account with full control - I'm domain admin, so have that anyway) This step seems like it should be unnecessary, but it is required in this situation.
  I've done this to 5 of about 20 subfolders and it is consistent. Folders which did not have the 'problem account' as their owner did not exhibit this characteristic.
  This affects the files within the subfolders as well.
  Oddly, adding an owner to a folder has the same effect and required the same edit before the permissions are seen. This was tested on a different drive on the same server.
  Is this an anomaly, a bug, or expected performance?

  Hi,
  Do you mean that there is an account that has Full Control permission that are listed as inherited but it doesn’t appear in the parent NFS permissions? If so, please try to uncheck the "Include inheritable permissions from this object's parent" checkbox,
  clicking Apply.
  There is a similar thread, please go through it to help troubleshoot this issue:
  NTFS: I have a user’s that's inherited from parent folder but it doesn’t appear in the Parent ACL
  http://social.technet.microsoft.com/Forums/windowsserver/en-US/6061af36-4d44-4de8-8139-d71f06d59a2c/ntfs-i-have-a-users-thats-inherited-from-parent-folder-but-it-doesnt-appear-in-the-parent-acl?forum=winserversecurity
  Regards,
  Mandy
  We
  are trying to better understand customer views on social support experience, so your participation in this
  interview project would be greatly appreciated if you have time.
  Thanks for helping make community forums a great place.

• Reset Permissions from Single-User Mode

  I believe I have accidently removed the permissions from my iMac. I can access single-user mode and need desperately for someone to walk me through how to reset the permissions (I get a blue screen when I try to boot). Please help.

  JMT001 wrote:
  I believe I have accidently removed the permissions from my iMac.
  what do you mean? what EXACTLY did you do? did you change permissions on the top level of the hard drive to no access?
  if so see this link
  http://discussions.apple.com/message.jspa?messageID=2087835
  if it's something else explain what you've done.

• MY IPHONE WAS STOLEN IVE GOT IT BACK FROM THE POLICE BUT WITH A DIFFERENT ID CANT GET INTO PHONE TO CHANGE I D AND PASSWORD

  MY I PHONE WAS STOLEN IVE GOT IT BACK FROM THE POLICE BUT IT HAS SOMEONES I D AND PASSWORDHOW DO I RECTIFY THIS

  If the thief or someone set up an Apple ID on the iPhone and hence Activation Lock, there's no way you can unlock it. That would require that Apple ID and password and it's not likely the thief is going to provide that information. Call Apple Support and ask if there's anything they can do to help. You'll almost certainly need to provide proof of ownership and possibly a copy of the police report, but it's possible in this situation that they can do something for you, though in most cases of an Activation Lock they can't.
  Regards.

• Inherit Permissions from parent

  If I were to use Inherit permissions from parent instead of standard POSIX on a share, what happens
  when you propergate permissions? Do permissions that you explicitly set get changed by the parent folder?
  Are there any issues I should be aware of before trying Inheritted permissions?
  The reason I want to change is because I have folders on my RAID that for instance hold raw un-touched images, whoever saves the files into this folder becomes the owner and everyone is read only, which is no good if someone else wants to make changes and save over the image, I have ACL set to try and overcome this, but Photoshop doesn't respect ACL and just goes by the POSIX permissions. Which means users are having to save to desktop and the drop the file in the raw image folder to replace it - which is ok but not perfect.
  If I were using Inherit permissions and set the raw folder to everyone read and write, then in theory any files added into the folder would be read and write for everyone, is this correct? if so, what would happen to the permissions when a second user edits the image and re-saves it, is it still inheritting the read write permissions?
  Hope this makes sense and i'm not rambling too much, but with 3Tb of files on the RAID I can't afford to experiment and screw up the permissions on the existing files else I'll be killed by 10 angry designers!

  Did you ever find an answer to this? I'm having the same problem and wondering if it's simply a 10.5 server glitch. You shouldn't have to use ACL to get around it and as far as I know, if you set POSIX to inherit permissions from parents, that's exactly what should happen. But it doesn't for me either. Whoever creates a folder on our RAID becomes the new owner and staff is read-only.

• "Inherit Permissions From Parent" doesn't work

  In OS X 10.5 server, selecting the option for an AFP share to inherit permissions from its parent does not work for users on OS X 10.3. All files created by users running 10.3 have 755 permissions, regardless of the parent folders permissions.
  Clearly, this rather dramatically reduces the utility of AFP in 10.5 Server for anyone with users running OS X 10.3.
  OS X 10.3 server did not have this problem.
  Manually propagating permissions is futile for two reasons. First, the needed set of nested permissions is complex enough that propagating them manually would take hours, and secondly there would be intervals between the propagations when documents would not be accessible to the right people.
  Consider a drastically simplified example:
  Imagine a share named "Share" with a folders inside it named Admin. Inside the Admin folder might be two additional folders named Accounting and Personnel. Inside Personnel there are folders named Performance Review and Forms. It would look like this:
  Share
  -- Admin
  ----- Accounting
  ----- Personnel
  -------- Performance Review
  -------- Forms
  Now consider several groups: Employees, Accounting, HumanResources
  Employees should have read write access to Share, and everything under it unless more restrictive permissions are explicitly created. Only the Accounting group has access to Accounting, and everything in Accounting should only be accessible to Accounting. Performance Reviews should only be accessible to the HumanResources group, but Forms should be accessible to all Employees.
  Now a member of the employees group saves a new file in the Forms folder, but the group doesn't have, and needs, read/write privileges. To fix this the permissions from Share can't be propagated to all the files and folders inside it because that would nuke the special privileges for Performance Reviews and Accounting.
  It might be conceivable that every n minutes a script could run that would recurse, depth first postorder, through the hierarchy assigning all files in each folder the permissions of the enclosing folder, but there are at least two problems with that. First, it would be slow and between runs the files wouldn't have the right permissions. Second, sometimes we might want a file to have special explicitly specified permissions that differ from the parent, but it would be terribly cumbersome to specify the exceptions for this sort of script.
  POSIX behavior also doesn't solve the problem because it will set the same permissions as we're seeing already, there's no obvious way to change the default permissions, and doing so would have security implications elsewhere on the server if that "umask"ish setting couldn't be specified exclusively for the share.
  Inherited permissions would solve the problem, and have solved the problem under past versions of OS X server, but they don't work on 10.5 with 10.3 clients.
  Does anyone know of a workaround or have any additional details?

  glad someone else is experiencing this, I'm having the same problem with inherit from parent.
  I was going to start using inherit because Leopard has ruined ACL's, Leopard clients don't honour the deny delete subfolders and files ACE, basically the leopard permissions systems seem to be flawed

• Document library not automatically inherit permissions from parent

  Hi all,
           Whenever I create a new document library the inherit permissions not automatically set for this library, So I have to click Inherit permissions for each time i create a new document library.   please
  help to apply inherit permissions automatically whenever new library create.
  Manikandan

  Hi Alex,
  when you create a library and then go to the permissions settings for it it's set to not inherit permissions?
  Ans : It Does not have any inherited permissions from the parent site.
  Does it have a copy of the standard permissions set? If not what does it have and what is it missing from the site default?
  Ans : No. Empty permissions.
  But whenever i stop and start apply inherited permissions on the parent site works fine (I mean apply to all document library). but i could not do it all time whenever the new library create. I hope whenever the permissions changes on the parent site may
  affect the document lib permissions. pls help how to proceed ?
  Manikandan

• 10.3.9: G3 iMac won't run 'Repair Permissions' from Panther Disk!

  I upgraded the memory to 1024 mb RAM and reinstalled Panther yesterday after leaving it on the shelf for a couple of years due to numerous problems running it on Kihei and Pismo (both with 256 mb RAM). The loading process went well; I ran the following utilities after loading all of the updates:
  TechTool 4.0.1
  Disk First Aid from Panther disk
  Repair Permissions from Panther Disk
  Reset NVRAM, PRAM and OF
  TechTool showed no problems and Disk First Aid said a repair was made. The first time I attempted to repair 'permissions' the process seemed to be about half way complete when it stopped and displayed the following error:
  'Disk Management Tool' has lost contact with Disk Utility, close function and restart Disk Utility' or something to this effect.
  Every attempt afterwards results in the same error message coming up almost immediately. iMac seems to be running properly at the moment; is it about to crash again like it did so many times in the past before I reverted to Jaguar? Any insight or advice will be welcome. I will post a copy of this on the 10.3 Panther board too.

  Road Hazard: Try the instructions in this article. It is not possible to use the Panther installation disks to repair the permissions on a system which is experiencing this issue.
  scapesuiter: A Kihei is one of the models which make up the first slot-loading iMac machines. These came out in October 1999 and were discontinued in July 2000.
  (15253)

• After loading yosemite can't get permissions from any network PC - OK from MACs on network...any advice?

  after loading yosemite can't get permissions from any network PC - OK from MACs on network...any advice?

  would love to...way over my head so far...upgraded to Yosemite 10.10.2 - I have another MAC (motorola chipset...maybe 10.6?) and 3 PCs on the network...the older MAC linked up through the network just fine...
  I can see the Yosemite MAC on the PCs...I can open customer file folders (I am a printer) from the shared drive...I can drag files (let's just call them PDFs, they mostly are) to the MAC customer file...but if I try to open them from the PC I get an error message that says permission denied - or may be in use by another user. There are no other users. After I uploaded to Yosemite, I noticed most if not all drives and or folders had permissions changed to either no access or to read only...I've changed as many as I could find...drives, and folders...I can open those same files if I'm on the yosemite mac...Here's the catch, though...I was on a different floor and that PC can open a PDF on the Yosemite...but the RIP that prints our large format prints now won't print those files (whole RIP locks up) unless they are first dragged to the PC desktop...then all is fine. I thought it was MAC upgrade oriented, but I do have a PC that halfway works...I'm really stymied...

• Help with adding a user copying permissions from another user $RoleDefinition.Name SharePoint 2010 Powershell

  Hello,
  I need to basically find everyplace 'ADUser1' exists and then add a new 'ADUser2' with the same permissions as the first group.
  I have created a script that runs through an entire web app and finds everyplace the AD account is directly given access to and access via a group.  I then need to add the new user and assign the permissions from the first ADUser, copy them. Below
  is not the entire script, just where I'm trying to add the new user.  The rest of the script works fine to find the first user.  I'm stuck with this part:  $role = $_.RoleDefinitions[$newRoleDef].  I get an error that I can call a method
  on a null valued experssion.. I guess I don't know how to specify to copy the role from the first user, and use it to set the new user?
            #Get the Permissions assigned to user
             $WebUserPermissions=@()
               foreach ($RoleDefinition  in $WebRoleAssignment.RoleDefinitionBindings)
                               $WebUserPermissions += $RoleDefinition.Name +";"
          $newRoleDef = $RoleDefinition.Name
            #write-host "with these permissions: " $WebUserPermissions
            #Send the Data to Log file
            "$($Web.Url) `t Site `t $($Web.Title)`t Direct Permission `t $($WebUserPermissions)" | Out-File C:\Apps\Scripts\Logs\UserAccessReport.csv -Append
      $assignment = New-Object Microsoft.SharePoint.SPRoleAssignment($account)
                  $role = $_.RoleDefinitions[$newRoleDef]
                  $assignment.RoleDefinitionBindings.Add($role)
                  $_.RoleAssignments.Add($assignment)

  Hi,
  According to your post, my understanding is that you want to copy user permission to another user via PowerShell.
  Instead of copy permission to another user, we can get the user permission, assign the permission to a group, then add the other user to the group. Now the user would get the same permssion as this user.
  http://get-spscripts.com/2010/07/adding-groups-with-permission-levels-to.html
  http://blog.thefullcircle.com/2013/02/create-a-sharepoint-group-with-permissions-and-add-an-ad-group-to-it/
  We can also use the third-party tool to achieve the same scenario.
  http://permissionsmanager.codeplex.com/
  http://www.boostsolutions.com/blog/how-to-copy-permissions-to-other-users-in-sharepoint/
  Thanks,
  Jason
  Jason Guo
  TechNet Community Support

• Can I remove admin permissions from main account then create new one?

  I have heard that it is considered best practice to use an account that does not have administrator permissions for normal use, especially when connected to the internet for safety reasons. I am the only user of my Macbook and only have one account, the one that was created when I first used the computer. I obviously don't want to have to start all over again and so is there a way that I can safely create a new account, give it administrator permissions that I would use just for times when I need to make system changes and remove the admin permissions from my first account so that I don't have to migrate all my files and setting to a new user account?

  Yes it is, for security reasons. When you log in as an administrator, everything you do, every command you run, runs with admin privileges. If you open a trojan or other malware as an administrator, you hand over much of your system to the malware. By running as non-admin, only the contents of your home folder are vulnerable.
  Consider a trojan that modifies Safari, so that next time you make an online purchase, Safari captures your credit card number and sends it to a third party. If you opened that trojan as an administrator, the trojan could install itself without your knowledge. If you were running as non-admin, it would have been stopped in its tracks.
  If you need any more convincing, you can read what Apple has to say about it:
  Each user needing administrator access should have an individual administrator account in addition to a standard or managed account. Administrator users should only use their administrator accounts for administrator purposes. By requiring an administrator to have a personal account for typical use and an administrator account for administrator purposes, you reduce the risk of an administrator inadvertently performing actions like accidentally reconfiguring secure system preferences.
  Unless administrator access is required, you should always log in as a nonadministrator user. You should log out of the administrator account when you are not using the computer as an administrator.
  (from page 42 of this document)

• Repairing permissions from disc -not

  Just to put it out there I own 4 mac's currently and have been using them for 10 years and I'm pretty stumped right now. I updated to 10.4.5, decided to repair permissions from disc and I boot up (from a 10.4.x disc probably like 10.4.2 or 3) and I get a diagram of a mouse with an arrow pointing at it showing that it needs batteries! I've never seen this before and I don't use an external mouse so what the heck is this? I read that you're not supposed to use install discs to repair permissions after you upgrade beyond that version. Never heard that before but that's fine. I can't even boot up beyond this mouse diagram thing to repair the disc. Is it the PB or what? Beyond that if you aren't supposed to use a boot disc, how do you repair permissions? Using disc utility in "utilities" doesn't do everything. Maybe someone can straighten me out here.
  I've upgraded to 10.4.4 on my dual 2.5 ghz and use the same tiger install disc and or update disc (I have both) and have no problem.
  thanks in advance
  powerbook 1.67 high rez 15"   Mac OS X (10.4.5)   2 gigs ram

  thanks for the reply, my understanding is that repairing from disc doesn't get everything, that you need to boot from a dvd or external disc.
  any idea why my PB wont boot from either disc? what if I wanted to reinstall, I cant even do that!!
  thanks

• Question about Removing Permissions from the System Folder with chmod

  Hi
  I have a question about the removal of permissions from the System folder (and sub directories and files).
  Background
  Since installing a new HD, clean install of 10.6, application of updates and moving over backed up user directories I have had several issues with permissions.
  I have read several threads on this and using disk warrior and other tools I have been able to fix most of the issues.
  The Problem
  The issue that remains is a permissions check using Disk Utility keeps reporting
  ACL found but not expected on "System".
  followed by an extensive list of sub directories and all.
  Attempts to repair take hours and the same errors are reported.
  Found Solutions
  I have read about changing and/or completely removing the ACL from the permissions from the System using two different commands:
  sudo chmod -R -N ./System/* ( to remove all ACLs)
  or
  sudo chmod -R -E ./System/* ( to replace all ACLs )
  My Question is ( to the UNIX gurus):
  What is the difference between the usage with -E and -R and which is the best approach for a Systems directory and (subordinates)?
  Many thanks!!

  OK
  So I misread on the your instructions about the PW reset, did it, no harm in that. I did also select the options to reset all the permissions for all the accounts and the ACL issues were not resolved. My bad, I forgot to note that.
  You do suggest getting and expert opinion but alas these are rather elusive. In most cases the Apple solutions is to do a complete reinstall... I have found that unless you completely wipe a drive and rebuild everything there are often artifacts left behind. Since I have full and redundant back-ups I would rather explore and hack a little instead of a dull old system reinstall. The irony is the system issue I had was it was the result a reinstall and combo update on a new drive. I recognize the risks of entering the realms of the System folders but I am willing to explore knowing full well that I have a path to recovery.
  Thanks again for your insights. I come to the forums looking for insights and ideas but not a lecture...