Programmatically determine group membership under NI Security

Similar Messages

• Group Membership under Settings/My Account is not updating

  We use an External table for User permissions/Groups to get updated in Group Membership.
  We use our custom tool to create/update new/existing users with the permissions. Then our ETL picks up the changes from the OLTP tables and update User Permission table in our DWH hourly. Now let me explain the present situation. User ABC is an existing user and never used our Report Portal before, we updated ABC user with all the necessary groups to use Report portal and with curiosity she didn't wait until Hourly ETL run and she didn't had the necessary permissions to run any reports in Report portal. But when she login after 1hr/10 hr/ 1 day/2 day, the user won't see the Permissions getting updated in Group Membership. If we check the User permission table in DWH, it is updated with all the new roles, but it is never being updated in 'My Account' Answers. I think this is some kind of Presentation Cache issue, but I did clicked "Reload Files and Metadata" under Settings and "Close All Cursors" under Settings/Manage Sessions. You may also say it may be with the Caching on Initialization Block for the User Permission table, but we did Un-check the 'Use Caching' right below the Row-wise initialization for the corresponding Initialization block. We has 3 users with the same issue now. But when the user waits for certain time (for at least 1hr), and when they login after the actual hourly ETL ran, they were able to get in and use Report Portal without any issue. So, I am kind of sure this is something with CACHING and I might be missing some thing on Clearing this type of Cache. Could someone please help me out on this? This is in PRD and we are not able to find a solution. Any help would be appreciated!
  -Dinesh

  Yes, we are using Initialization Blocks to update the User Groups. Our USER_PERMISSION table has Login, Company_ID, Roles, etc columns in it. The Initialization Block will query on this Table and the query has a where clause in it and the Where clause "where company_id=(select substr(':USER', 0, (instr(':USER', '.')) - 1) from dual) and upper(login)=upper((select substr(':USER', (instr(':USER', '.')) + 1) from dual))) and dw_delete_date is null" from which it will get the roles for each user. And YES, the Caching is turned off for this initialization block.
  And I should try deleting the user folders, but my company has a very strict policy so I should do that in DEv, then QA and in PRD. Hope this works, but I am still not convinced why this is happening. We cannot keep on deleting the user folders in future if this happens again.

• IR:  Dow to determine group membership?

  Is there a way to tell what System 9 native group that a user belongs to from IR?
  I have a bqy document that can be opened by users from several different groups, and I would like to branch code based on what group the user is a member of.
  I tried to find this in the System 9 BI repository, as well as the Shared Services repository, and couldn't find it. I'm afraid that this may only reside inside the openldap database..
  Thanks!

  Jeff,
  I am not sure of your exact need but there is an IR feature (been there for a while from Brio 6) called row-level security. It allows you to create a hidden join to limit the data in a table based on who runs the bqy. For example, if you have 5 markets - East, West, North, South, Central and 20 locations with 4 locations in each of those markets. You also have a column called Location_ID in your fact data tables. Let us say you have a table called Orders with columns Order_ID, Order_Description, Location_ID. To use row-level security, you create a table say RLSTable with columns such as Group_ID, Location_ID where Group_ID values are East, West, North, South and Central.
  There is a BQY tool (you can find it in a folder such as C:\Hyperion\BIPlus\docs\en\row_level_security.bqy) that you use to administer the groups, users and the security restrictions. I would recommend that you copy the row_level_security.bqy to some other location and use that copied copy.
  You use this tool to define which groups have restrictions. It uses a specific set of tables created during the install (but can be created later as well) that maintain the row-level security data.
  So if a user from West group will run a query on the Orders table, the user will only see the data for Locations with Location_ID matching West group in the RLSTable. The user would not need to define a limit in their bqy file as it will automatically be added behind the scene.
  DOCUMENTATION:
  ==================
  * Chapter 22 of this PDF: http://download.oracle.com/docs/cd/E10530_01/doc/epm.931/ir_user.pdf
  * http://dev.hyperion.com/techdocs/intelligence/intelligence_82/hi_row_level_security_intro.pdf
  Sanjeev

• "Domain Users" group in Active Directory does not belong to any Group Membership in LC

  Active Directory user belonging to "Domain Users" group does not belong to any Group Membership in LC, why does it not belong to "Domain Users" group?
  Any way to correct this issue, without changing group membership on AD side?
  If Active Directory user is member of "Domain Admins" or "Users" then these show same group membership in LC.
  Thanks.

  If you want to use the Domain Users group for the purpose of representing all the users then you can use the "All principals in domain xxx" group which is created by UM.
  Coming back to Domain Users group. For determining group membership in AD UM uses "member" attribute of the group object. "Domain Users" group is treated differently by AD. It is the default primary group for all the users and normally members of the primary group are not specified using the member attribute.So when we sync the data from AD "Domain Users" membership does not get completed.

• Weblogic 10.3.0 -  Security Violation when Group Membership Lookup enabled

  Dear Admins,
  We're running a Weblogic 10.3.0 cluster with our own software deployed.
  We're using SQL authentication (JDBC to Oracle DB) to authenticate users.
  Recently we've been tuning our WL cluster to improve performance, and have enabled Group Membership Lookup Hierarchy Caching.
  Sometimes users log into our application and get inssuficient rights (or some other error). This appears to happen at random. Most of the times they can log in without problems.
  We determined it's not something to do with the cluster, although it can happen on one node and the other node will work as normal.
  In the Managed server we see this error (with test user):
  Managed7Server.out00011:java.rmi.AccessException: [EJB:010160]Security Violation: User: 'test' has insufficient permission to access EJB: type=<ejb>, application=leanapps, module=process_general.jar, ejb=LaLifeProcessController,
  method=create, methodInterface=Home, signature={}.
  When we disable Group Membership Lookup Hierarchy Caching, this error never occurs.
  Our settings (Security Realms -> myrealm -> Providers -> SQL Authenticator -> Performance):
  Max Group Hierarchies In Cache: 5000 (we have approx. 2000 groups)
  Group Hierarchy Cache TTL: 3600
  provider specific settings :
  Group Membership Searching: unlimited
  Max Group Membership Search Level: 0
  Also in Myrealm -> Performance we have set :
  Enable WebLogic Principal Validator Cache
  Max WebLogic Principals In Cache: 5000
  If we put the TTL really low (default 60 seconds), the error hardly ever occurs. But we want to have cache that lasts longer then one minute.
  This might be a bug, as we have other clusters running on WL 10.3.5, 12c where we use the same cache settings. This issue does not occur there.
  I'm more then willing to provide more info or config files
  Edited by: user5974192 on 21-nov-2012 5:17

  This is fixed now. Someone had defined a Servlet for the web service in web.xml that was preventing the EJB container to kick in.
  Edited by: user572625 on Aug 25, 2011 11:54 PM

• Is there a way for an end user to see who has membership in a security group

  Windows Server 2008 R2
  Active Directory Domain
  Windows 7 workstations
  I am looking for a way that my end users can look at a folder security tab and then discover who has membership in the security groups listed.
  Is that possible? Any drawbacks or concerns?

  Hi Tod,
  Based on my research, other than viewing group membership in ADUC, we can use this PowerShell cmdlet
  Get-ADGroupMember GroupName and Net Group GroupName to view members in a group:
  However, these commands can only be used on Domain Controllers or when connecting to DCs remotely. That’s because accounts and account membership are stored on Domain Controllers, therefore we can only view group membership on DCs.
  More information for you:
  Viewing the Direct Members of a Group
  http://technet.microsoft.com/en-us/library/dd391915(v=WS.10).aspx
  Net group
  http://technet.microsoft.com/en-us/library/cc754051.aspx
  Best Regards,
  Amy

• Not able to edit membership of universal security groups

  I’m not able to edit membership of My Universal security groups using outlook, when I add/remove members it shows the error
  “Changes to the public group membership can’t be saved. You do not have sufficient permission to perform this operation on this object”
  I've already assigned the RBAC role “Security Group Creation and Membership” to a security group and the user who is editing the group is the member of this role group. I’ve also tried to assign the role directly to user, but it also did not work.
  Exchange 2010, Outlook 2010.
  Could someone please suggest me on this.
  ------- Subodh

  No, I am still facing issue.
  I’m not able to edit membership of My Universal security groups using outlook, when I add/remove
  members it shows the error
  “Changes to the public group membership can’t be saved. You do not have sufficient permission to
  perform this operation on this object”
  I've already assigned the RBAC role “Security Group Creation and Membership” to a security group
  and the user who is editing the group is the member of this role group. I’ve also tried to assign the role directly to user, but it also did not work.
  I have multi domain scenario like Exchange is in child domain and AD Users are in Parent domain.
  ------- Subodh

• Shared Calendars / Room Lists and automatically forcing them to users based on Security Group Membership

  Good morning all,
  I need some help achieving the following in our Exchange 2013 Environment.  First off, we have Exchange 2013, but all our clients have Outlook 2010.
  Here's what I would like to be able to do:
  1) create/manage public calendars / rooms in exchange 2013
  2) force these shared public calendars / rooms to users' calendars who are members of particular security groups
  3) give edit permissions / "booking" permissions for the shared calendars so select users are able to make changes to the shared calendars, as well as accept/deny requests to "book" shared room calendars
  Any one got any resources they can give to point me in the right direction?
  I have already created two mailbox room resources, and have them set up in a room list in AD.  But need to know the above as far as creating a shared calendar for events, and forcing these calendars / room lists out to users based on security group
  membership.
  I don't want my users to have to know how to add a shared calendar...that would be a nightmare explaining.  I just want it to show up.
  Any help on this is greatly appreciated, thank you!

  1) I recommend using Room Mailboxes for resource calendars because it just works better.
  2) This is a standard feature of a Room Mailbox.
  3) You're pretty specific here, but I think this is also more or less available with a Room Mailbox combined with folder rights.
  I don't know any way to just make them "show up".  You'll have to teach them.  Well written instructions can work wonders.
  Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."

• How to read contents of files that do not fall under public security group?

  Hi,
  I need to read the contents of a WCM based xml file that does not fall under public security.
  The process is like this:
  First the user makes chnages to the content.
  The workflow will be triggred based on the security group metadata that is associated with the content.
  Once the content is finally approved our workflow calls a custom idoc script.
  First we tried directly reading the xml contents from the idoc script which was still in the context of workflow. But since content item is still in workflow I was not able to read the changes. So I created a separate content publisher thread and read the DOC_INFO and checked for the dStatus value. If the value is RELEASED then I reading contents by calling ssIncludeXml idoc script.
  This was working fine for public content. But now the requirement is that all content cannot be public. Content authors should not be able to edit the content that does not belong to their group, So we created security groups (and roles) and are associating that groups to the relavent content.
  Beacuse of this change I am not not able to read the non public content. The call to DOC_INFO_BY_NAME service, which gives all the content files' metadata, is expecting the user to be logged in to give the details.
  I tried calling the CHECKIN service with sysadmin and captured the cookies returned by that service and use cookies for the DOC_INFO_BY_NAME service call. But the service call was faling. It is throing the 401 forbidden error with the message that user needs to be logged in to get the details.
  How to address this problem. Someone please help.
  Note: I also tried using ridc for this. I was able to get it working but since it is executing in the context of server ridc api is changing server's environment properties like HTTP_HOST, HTTP_CGIPATHROOT etc. It also seemed like system was becoming non functional after using ridc. When I called check-in the system metadata values like security group are no more loading. Not sure if ridc is the culprit here but worried that it might be causing this issue.
  Regards,
  Pratap

  Sorry, I posted too much details while posting this question. I was saying "not able to read *non* public content".
  Anyway, I was able to resolve the issue. I was able to authenticate with sysadmin credentials in the request to service using basic authentication and was able to read doc info with that credential.
  But I realized there is more than option for reading secure content.
  - I could set user name as sysadmin in the m_environment (if I am in the context of a service) and the call the DOC_INFO_BY_NAME service.
  - I can post an HTTP request to DOC_INFO_BY_NAME service with sysadmin credentials and do basic authorization via the connection. (This is what i have done successfully as of now )
  - I could add guest role to all security groups with R (read) privileges.
  I will look into all options and implement the one which is more apt.
  Regards,
  Pratap

• SAML 2.0 and AD Security Group Membership

  In ADFS 2.0, as a part of the token, I can pass the AD
  security groups the user is in. Does SAP SSO have the ability to send and
  receive SAML 2.0 tokens with AD security group membership?

  Hi Jeff,
  SAP SAML 2.0 Identity Provider is able to include any group (or role) assignment of the user (available in the NetWeaver AS Java UME) as SAML Attribute in the generated SAML 2.0 Assertion.
  These group assignments of the user can be local (maintained in local UME database) or remote ones if the UME is configured with other Data Source.
  So in order to be able send the AD group assignments of the user you need to change the NetWeaver UME Data Source to your AD. More information how to do that you can find at this page: Identity Management - SAP Library.
  Then in your Identity Provider you can configured so called "Authorization-Based Assertion Attributes" in the "Identity Federation" tab of your trusted Service Provider configuration. An example with such attributes is provided at this page: Configuring Identity Federation with Transient Users - Identity Provider for SAP Single Sign-On and SAP Identity Managem… (although the page is for Transient federation these attributes are supported for all supported NameID formats).
  Regarding the receiving part:
  In SAP SAML 2.0 Service Provider of NetWeaver AS Java received SAML 2.0 Attribute can be either assigned to any UME attribute of the authenticated user, or to be used in rules that assign specific role(s) or group(s) to the user. For more details see these pages: Configuring Federation Type Persistent Users (Advanced) - User Authentication and Single Sign-On - SAP Library and Configuring Federation Type Virtual Users - User Authentication and Single Sign-On - SAP Library
  Regards,
  Stefan

• AD Group Membership with User From Domain Outside of Forest

  Here's one to twist your brain around -
  I have kerberos authentication using Active Directory working between a client's web browser and my web-app hosted in JBoss. I also have limited authorization working by checking group memberships using LDAP. This currently only works if all users are in the same domain. The ever-helpful adler_steven has detailed in another thread (http://forum.java.sun.com/thread.jspa?threadID=603815&tstart=15) how to do a group membership check for all Users/Groups in a single forest using the Global Context.
  I need to go beyond the domain and even beyond the forest and try to authorize a user from a trusted domain by checking if the user is a member of a group in my domain. Authentication works fine using kerberos. It's the authorization by group check I am having trouble with. I believe there are two ways to approach this:
  Approach #1
  Access the MS-specific PAC in the kerberos token from the client to get the group SIDs. The structure of the PAC is nicely defined in this article: http://appliedcrypto.com/spnego/pac/ms_kerberos_pac.html. However, I have no idea how to access the decrypted token. I pass the encrypted token that I receive from the browser to myGssContext.acceptSecContext(...) to complete the authentication.
  Question: Does anyone know how to get the decrypted kerberos ticket from there, specifically the authorization-data field?
  Approach #2
  Try to walk through the Active Directory structures in both domains using LDAP. In the domain group that I am checking, I can see a member attribute that references a foreignSecurityPrincipal object. The CN of this object happens to be the objectSID of the user I am looking for in the remote domain. Unfortunately, I have to check the remote domain server directly to verify that. The foreignSecurityPrincipal object itself does not contain any hint about what user it refers to aside from the SID (no originalDomainName attribute or something similar). It is feasible that I could walk the chain of references back to the remote domain AD server. That would require that my configuration include a list of remote domain servers to check (since I could have users from multiple trusted domains) and that my JBoss server have access to those servers.
  Question: Does anyone know of some other LDAP-related way of finding information about a user from a remote, trusted domain without having to hit the server for that domain directly?
  adTHANKSvance
  Eric

  You should be able to work back from the foreignSecurityPrincipal object :-) He says with a wry smile..
  This post prompts me to think whether one day someone will draw the entity relationship diagram for AD. Oh well, I've been procrastinating for years, a few more won't hurt !
  If it was a user from within the same forest, you should just be able to perform a search against a GC using the objectSID as the search filter. I've forgotten, but I don't think they will be represented as foreign security principals.
  Have a look at the post titled JNDI, Active Directory and SID's (Security Identifiers) available at
  http://forum.java.sun.com/thread.jspa?threadID=585031&tstart=150 that describes how to search for an object based on their SID.
  Now if it is a user from another forest, with which you have a trust relationship, then we begin the navigation excercise.
  You'll need obtain the user's SID (either from the cn or from the objectSID attributes) from the foreignSecurityPrincipal object. For example CN=S-1-5-21-3771862615-1804478405-1612909269-2143,CN=ForeignSecurityPrincipals,DC=antipodes,DC=com
  objectSID=S-S-1-5-21-3771862615-1804478405-1612909269-2143Then obtain the domain RID, eg.S-1-5-21-3771862615-1804478405-1612909269Next you will have to recurse each of the crossRef objects in the Partitions container, in the configuration naming context (which you will find listed in the RootDSE). The crossref objects that represent trusted domains or forests will have values for their trustParent attributes. A sample query would be something like//specify the LDAP search filter
  String searchFilter = "(&(objectClass=crossRef)(trustParent=*))";
  //Specify the Base for the search
  String searchBase = "CN=Partitions,CN=Configuration,DC=antipodes,DC=com";For each crossRef object, you can then use the dnsRoot attribute to determine the dns domain name of the forest/domain (if you want to later use dns to search for the dns name,ip address of the domain controllers in the trusted domains/forests), and then use the nCName attribute to determine the distinguished name of the trusted forest/domain.dnsRoot = contoso.com
  ncName = dc=contoso,dc=comPerform another bind to the ncName for the trusted domain/forest and retrieve the objectSID attribute, which will be the domain's RID. You may want to cache this information as a lookup table to match domain RID's with domain distingusihed names and dns names.String ldapURL = "ldap://contoso.com:389";
  Attributes attrs = ctx.getAttributes("dc=contoso,dc=com");
  System.out.println("Domain SID: " + attrs.get("objectSID").get());Once you find out which domain matches the RID for the foreignSecurityPrincipal, you can then perform a search for the "real user" .And then finally you should have the user object that represents the foreign security principal !
  Just one thing to note. Assume that CONTOSO and ANTIPODES are two separate forests. If you bind as CONTOSO\cdarwin against the CONTOSO domain, the tokenGroups attribute (which represents teh process token) will contain all of the group memberships of Charles Darwin in the CONTOSO domain/forest. It will not contain his memberships if any, of groups in the ANTIPODES forest. If Charles Darwin accesses a resource in ANTIPODES, then his process token used by the ANTIPODES resource will be updated with his group memberships of the ANTIPODES forest. Also you can have "orphaned foreignn security principal", where the original user object has been deleted !
  BTW, If I was doing this purely on Windows, IIRC, you just use one API call DsCrackNames, to get the "real user", and then the appropriate ImpersonateUser calls to update the process token etc..
  Good luck.

• Computer's group membership

  I am trying to find a way to list the groups a computer knows it is a member of. Normally a computer only picks up a group membership change after a reboot. You can purge the kerb tickets and it will sometimes pick up the new membership.
  I have a requirement to determine if a group membership has propigated to >300 servers for GPO filtering, but the only way I can find to validate this is by running a gpresult and checking the computer group memberships.
  I started by trying to run a gpresult remotely but that does not always return the computer group membership. Is there a wmi call that can pull this or can a kerb ticket be dissasembled to get the memberships?

  jrv,
  I understand how Active Directory and the various methods of GPO provisioning work.
  The systems in question (>300 production servers) have been added to a provisioning group. This group is used to filter application of a GPO. I need to validate the systems have picked up the new group membership before moving forward with a multi-step
  implementation.
  When a gpresult is run the output displays the groups the system is a member of in order to determine GPO application. I am trying to get this data from remote systems programatically, hence why I posted in this forum since I am specifically asking if anyone
  knows of a WMI (or other) call that would return the computer group memberships.
  As I re-organize a GPO structure in dire need of cleanup I am going to have to do this validation multiple times over a large number of servers. Being able to automate this process would help quite a bit.
  "For computer accounts this requires a reboot." - See this article: 
  http://setspn.blogspot.com/2010/10/updating-servers-security-group.html

• ACS 5.3 Group Mapping based on AD group membership

  Hi,
  I am configuring a new ACS 5.3 system. Part of the rules is that I want to match the users specific AD group membership, and match appropriatly to an identity group.
  What i'm trying to do is say that if the user is a member of the AD Group (G-CRP-SEC-ENG) then associate them with the Identity Group SEC-ENG. The under the access service, authorization portion, i assign shell profiles and command sets based on Identity Group.
  It seems that the ACS server will not match the AD Group for the user, and it will match the Default of teh Group Mapping portion of the policy every time.
  I tried several configuration choices from : AD1:ExternalGroups contains any <string showing in AD>, AD1:memberOf <group>.
  Is there something special i need to do in the Group Mapping Policy to get it to match and active directory group and result in assigning the host to an Identity Group?
  Thank you,
  Sami

  Ok, my case is like this.
  I use ACS 5.3 for VPN authentication, using AD and an external RSA for token authentication (2 factor authentication)
  I didn't add all the VPN users in the ACS, because it will be troublesome, the users authentication will be managed by AD and RSA server.
  In some cases where we need to restrict a group of user to only access certain resources, downloadable ACL is used.
  Following the Cisco docs, i manage to get downloadable ACL works when the authorization profile matching criteria is username, but when i change the matching criteria to Identity group, the downloadable ACL won't work.
  I have a case with Cisco engineer now and still in the middle to sort things out.
  The advice from the Cisco engineer is to have the Access Service set to Internal User instead of RSA server, but that will require us(the admin) to import all the VPN users into the ACS database.
  Wondering whether there is a fix for this.
  Thanks.

• How to create LDAP filter-based rule to check Group membership in OAM

  Hi folks,
  I'm having hard time creating an authorization rule to verify ldap group membership. I've followed "Configure User Authorization" article from Oracle website (http://download.oracle.com/docs/cd/E10761_01/doc/oam.1014/b32420/v2authz.htm#BABHBFEJI) and created an Authorization scheme w ldap_attribute_name as User Parameter and ruleExpression as Required Parameter. Then, inside my policy I created an Authorization Rule based on my Authz scheme w Allow Access attrib filter-based Rule which looks like this:
  ldap://ldap_server:port/ou=People,o=Company,c=US??sub?(ldap_attribute_name=ldap_attribute_value)
  This works fine.
  Now, I've added another filter-based rule under the same Authz Rule/Allow Access:
  ldap://ldap_server:port/ou=Groups,o=Company,c=US?uniqueMember?sub?(&(objectClass=groupOfUniqueNames)(cn=ldap_group_name))
  While query looks somewhat correct and works as a command-line argument (slightly modified format), it does not work in OAM (meaning people w out req-d group membership can still login).
  Can someone steer me to the right direction as to what do I need to do:
  1. Change/fix the ldap query
  2. Create new Authz scheme with uniqueMember userParameter; create new Authz rule based on new authz scheme; create new Allow Access filter rule with the ldap query I have
  3. Do smth else
  Any help is greatly appreciated.
  Thank you, Roman

  You can create two authorization rules
  First for user with attribute
  and second for group
  and then in authorization expression you can have AND of these two.
  Regarding your query...
  First ... If your requirement is to give access to all the members of a particular group then you don't require any ldap filters
  All you have to do is in the authorization rule -> Allow access -> Select People (here you have to select group so click on the group tab, its little hard to see but its there in light blue color on dark blue tab) -> select the group you want to give access
  Second.. If your requirement is such that you want to give access to a member of a group which has certain attribute lets say group with status active ( In this case you are not aware of the name of the group because user can be a member of any group but you want to give access only to the group with specific attribute.) then you have to write custom authorization plugin.
  If the option is second let me know i can give you a solution which will work for a single domain without any effort of developing a major plugin.
  Hope this helps,
  Sagar

• "changes to the public group membership cannot be saved" error from Outlook 2010 users, but no problem with Outlook 2003.

  We have the exact same issue as this but our groups are already universal security group and we still have problem:
  http://social.technet.microsoft.com/Forums/en-NZ/exchangesvrmigration/thread/2c953cb4-5411-4f72-beb9-6b4c16fd6685
  The distribution-groups were upgraded to Exchange 2010.  User A can update the group from Outlook 2003 or OWA 2010 but not from Outlook 2010.  Anyone know the solution?
  thanks

  Hi lilyl,
  For this issue, please refer to this document:
  How to Manage Groups that I already own in Exchange 2010?
  http://blogs.technet.com/b/exchange/archive/2009/11/18/3408844.aspx
  So what does the "Changes to the distribution list membership cannot be saved. You do not have sufficient permission to perform
  this operation on this object." error mean, when you are connecting to an Exchange 2010 server?
  It means Exchange 2010 is doing its job - as designed...
  Thanks,
  Evan
  Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.