Providing Access to Power Users to a Region in Portal

Similar Messages

• How to provide access to multiple users connected to a Dumb switch? (multi-auth/multi-domain)

  Good morning everybody,
  I am writing on behalf of not being able to implement a desired outcome in our company network. In fact the situation is as follows:
  What I want to do is to be able to authenticate users (802.1x authentication) in our company radius server and authorize them access by having a dynamic VLAN assignment in a multi-user environment on one and the same port of a Cisco 2960 switch. So far, the authentication and authorization has been working completely smoothly (there are no problems with itself). The concept involves the configuration of both DATA and VOICE VLANs as I there is also phone authentication implemented. In order to simulate this environment I introduce a Dumb switch connected to my Cisco 2960 Catalyst.
  What I have successfully managed to get to work so far is this:
  1) On one switch port I have tried the “authentication host-mode multi-domain” and it worked perfectly for a PC behind a telephone, or with one PC connected to a the dumb switch + the telephone connected to another port of the dumb switch. Logically it is the same situation as there is a separation in two domains – DATA and VOICE. Bellow is an output from show authentication sessions for this scenario.
  Interface  MAC Address     Method   Domain   Status         Session ID          
  Fa0/23     0021.9b62.b79b  dot1x    DATA     Authz Success  C0A8FF69000000F3008E (user1)
  Fa0/23     0015.655c.b912  dot1x    VOICE    Authz Success  C0A8FF69000000F9009F (phone)
  2) On the other hand, when I try the same scenario with the “authentication host-mode multi-auth”, the switch still separates the traffic in two domains and is able to authenticate all users, AS LONG AS they are in the same VLAN.
  show authentication sessions:
  Interface  MAC Address     Method   Domain   Status         Session ID          
  Fa0/23     0021.9b62.b79b  dot1x    DATA     Authz Success  C0A8FF69000000F3008E (user1)
  Fa0/23     b888.e3eb.ebac   dot1x    DATA     Authz Success  C0A8FF69000000F8008C (user2)
  Fa0/23     0015.655c.b912  dot1x    VOICE    Authz Success  C0A8FF69000000F9009F (phone)
  However, I cannot succeed authentication of many users from DIFFERENT VLANs, neither in multi-auth nor in multi-domain modes.
  What I want to get is an output like this:
  Interface  MAC Address     Method   Domain   Status         Session ID          
  Fa0/23     0021.9b62.b79b  dot1x    DATA     Authz Success  C0A8FF69000000F3008E (user1)
  Fa0/23     b888.e3eb.ebac dot1x    DATA     Authz Success  C0A8FF69000000F8008C (user2)
  Fa0/23     0015.655c.b912  dot1x    VOICE    Authz Success  C0A8FF69000000F9009F (phone)
  I want the switch to authenticate the users anytime they connect to itself and for them to have an instant access to the network. (I tell this because I tried scenario 1) with multi-domain mode and authentication violation replace, and it worked but, two users never had access to the “Internet” simultaneously!!!
  The configuration of the interface connected to the Dumb switch is as follows.
  interface FastEthernet0/x                                                      
   description Connection to DUMBswitch                                            
   switchport mode access                                                         
   switchport voice vlan XXX                                                      
   switchport port-security maximum 10                                            
   switchport port-security                                                       
   switchport port-security violation protect                                     
   authentication host-mode multi-auth                                            
   authentication priority dot1x                                                  
   authentication port-control auto                                               
   authentication timer reauthenticate 4000                                       
   authentication violation replace                                               
   dot1x pae authenticator                                                        
   dot1x timeout tx-period 10                                                     
   spanning-tree portfast                                                         
  The way I see it is explained in the following steps:
  - PC1 connects to the Dumb switch. This causes the Cisco switch to authenticate user1. This creates an auth. session with its MAC address linked to a domain DATA.
  - When PC2 connects to the Dumb switch, this causes the violation replace which replaces the recent authenticated MAC address with the MAC of PC2. I would like it once authenticated to appear in the authentication sessions with a link to a new DATA domain linked to the VLAN assigned from the RADIUS server.
  Is this possible? I think (in theory) this is the only way to provide authenticated access to multiple users connecting through Dumb switch to the network.
  Has anybody ever succeeded in such a configuration example and if yes, I would be love to get some help in doing so?
  Thank you
  Stoimen Hristov

  Hi Stoimen,
  I have done a setup similar to yours with the only exception being VLAN assignment. When I used dACLs only, it makes things somewhat easier as the VLAN no longer matters. Remember that the switchport is in access mode and will only allow a single VLAN across it (with the exception of the voice VLAN). I think that is the real cause of your problem.
  From what I can see, you have 2 options available to you:
  1) Use dACLs instead of VLAN assignment. This means that an access list will be downloaded from the radius server straight to the authenticated user's session. I have tested this and it works perfectly. Just Google Cisco IBNS quick reference guide and look for the section that deals with Low Impact mode.
  2) Get rid of the dumb switches and use managed switches throughout your network. Dumb switches will always be a point of weakness in your network because they have no intelligence to do advanced security features like port security, 802.1x, DHCP snooping, etc.
  Hopefully someone else will chime in with another option.
  Xavier

• Can Power Users or Mgt Create and Design Reports Through Query Designer ?

  Dear BI consultants,
  Iam new to BI.
  My management has requested me to Train Power users from All Modules(FICO,HR,QM,PP,SD,MM) to Create Queries and Design Through Query Designer.
  My question is are we suppose to Give query Designer Access to Power users or Mgt so that they can create Queries and reports by themselves.Please Suggest me wht is the Best Practices.
  is it feasable to train power users and Mgt as to how 2 create queries. will there be any side effect on the System or our end.
  Plz suggest.
  wht are the advantages and disadvantages of this.
  If I train the Power users then is there any risk of my Job.
  since they will be creating all reports by themselves.
  wht else can a BI consultant do since iam in a support project.
  how do i convince my Mgt?
  Plz Suggest.
  Thanks Awaiting

  This is common procedure maintained in most of the company's for end users.
  There is no issue if you train the power users.you will be the first point of contact if they have any doubts.and more over you are supporting for your client right? this can't be handed over to power user or end user. data is imp for the client so there will not be any problem for you, if any issue comes while loading you need to take care of the errors and fix the.
  power users or end user will be familiar with Business requirement not with the Query building logic's not with the BW procedure so no worries for you.
  as vineeth said its better to keep control regarding the global and key things at your end so that you will not loose contol on the reports.

• How to provide access to  v$tables in oracle 10g to user

  Hi,
  can any one suggest me how to provide access to v$tables in oracle 10g to user .
  its requried for auditor.
  PLease help me.
  regards

  user12009184 wrote:
  HI have to provide access to all V$ tables
  it required for configuration of new tool.
  ThanksYou can grant it the select catalog role to the user. It should provide all the required access to the general v$* & dba_* views.
  GRANT SELECT_CATALOG_ROLE TO USER;
  Let me know if this helps.
  Regards,
  Rizwan

• Harvesting Projects Providing Access to Users for specific projects OER

  Hello Everyone,
  I am working on OER. I have to implement some requirements as follows:-
  1. When I am harvesting the project, all the files of that project are harvested in the OER. I want to harvest in a Specific Project that I have created earlier in OER or with the same Project name that I am harvesting. Is it possible???
  2. Suppose I have created a user named Arpit which is assigned User role in OER console. User role is provided access to view,edit,create Project. So Arpit can be able to view,edit,create all the projects in OER. But my requirement is that I want to provide access only to a specific project which are assigned to Arpit. Is it possible in OER?
  Please provide any suggestions on above points.

  Can you access the PDP section under the server settings and try to open the PDPs (choose the ones associated with the EPTs of the projects)? Is it successful?
  Then edit and save them without changing anything to see if it helps.
  Hope this helps,
  Guillaume Rouyre, MBA, MVP, MCP |

• How to provide access to login oem to another user except sysman?

  Hi,
  i have installed OracleGrid 10.2.0.3 in windows 2003 server and configuared 10 servers and 15 databases in oem. i created one user in oem repository database. that user should access only two databases through oem. how configuare this?
  Thanks,

  You should not create a super administrator to meet your requirement. So, uncheck the 'super administrator' and choose only the targets which you need to provide access. Follow all the six steps of user creation. You can also provide a full access or just view only.

• How can we provide access/provide permissions to a user/group for group of folders at single step??

  Hi Nico, Thaks you so much for your reply,, Can you please advice or give me some steps to write script pelase? Regards,Kareem

  Hi All, How can we provide access/provide permissions to a user/group for group of folders  at single step?? I can able to provide access for a single folder at a time. I want provide access to a list of  folders( more than 30 ..) at single step?? Regards,Kareem

• Providing access to Variables in the Query Designer

  Greetings experts and fellow consultants,
  I have a simple question, did a search and did not come up with much of an answer.  Currently, we have a system with a role for BI Power Users in order for them to create ad-hoc queries.  An issue we found was that these power users were not able to view variables within the query designer:
  Under the "Characteristic Restrictions" pane, the variables show up as (Display Not Allowed) under their associated InfoObjects.  This is presenting an issue (understandably) and I would like to provide access for these power users to see the variables.
  My question is, are there any circumstances where I would want to restrict which variables are shown to the power user?  Right now, I plan to allow display access to all variables (via S_RS_COMP+S_RS_COMP1 for those informed on Security).  Just trying to brainstorm on whether there might be scenerios where I would want to hide certain variables.
  Many thanks to all opinions, as always!

  Suresh, in my above post I knew how to enable this.  I just wanted to know in regards to security whether there were any exposures.  Apparently, I could not find any and the changes went through without issue.  The way you enable display of variables in the Query Designer is the following:
  S_RS_COMP:
  RSINFOAREA '*'
  RSINFOCUBE '*'
  RSZCOMPTP 'VAR'
  ACTVT '03'
  S_RS_COMP1:
  RSZCOMPTP 'VAR'
  RSZCOMPID '*'
  RSZOWNER '*'
  ACTVT '03'
  Hope this helps.  Of course, adjust the field values are you see fit but the minimum requirement is that RSZCOMOPTP 'VAR' (Variables) and ACTVT '03' (Display).

• BEx Analyzer for Power Users

  Hi
  My Power users have been given access to design their queries in Bex Designer and publish via the web.
  For no reason, they don't have access to run their queries via Bex Analyzer. I am trying to push for them to have access to Bex Analyzer but I need some concrete reasons for them to be able to have this. I have always been a fan of being able to develop in BEx and immediately view in BEx
  Can anyone think of advantages or reasons why the Power Users should view in Bex Analyzer?

  The BEx Analyzer would give the users the power of BW and with it the power of XL. This could be a very good option when one is faced with a very rigid formatting requirement. One can use the BEx/workbook combination to design a formatted report which could otherwise have not been possible with the web. Of course some formatting features are as I understand are provided with the new report designer in NW04s, but XL could still be powerful for this.
  Some developments in BW could be avoided if we use XL like when you have to manipulate data from multiple areas and queries. For instance, you could have a sales query, a Finance query and even a purchasing query in a workbook and do some calculations with the data. If you were to do it in the QAD, you might have to have created a multicube with all the above and then write a query.
  In addition to that one can use the macro feature of xl and carry out further formatting/analysing/processing of the data
  Cheers
  Anand

• Power users on 2003 server

  I have noticed the domain users group has been granted "power user" group membership on a 2003 server.
  There is some sensitive information on the admin shares of this system, my concenrs are, with power user permissions over a remote server.... whats the risk?
  The power users group does not have remote desktop permissions nor can they physically access the servers console (local logon), but I wanted to ensure there are no other ways a user could remotely access the server if they have power user permissions on
  the server? Are there any other ways?

  Microsoft has documentation for the rights of a
  Power User in Windows XP. These things will generally apply to Windows Server 2003 (assuming it is not a domain controller)
  Power Users 
  The Power Users group primarily provides backward compatibility for running non-certified applications. The default permissions that are allotted to this group allow this group's members to modify computerwide settings. If non-certified applications must be
  supported, then end users will need to be part of the Power Users group.
  Members of the Power Users group have more permissions than members of the Users group and fewer than members of the Administrators group. Power Users can perform any operating system task except tasks reserved for the Administrators group. The default Windows 2000
  and Windows XP Professional security settings for Power Users are very similar to the default security settings for Users in Windows NT 4.0. Any program that a user can run in Windows NT 4.0, a Power User can run in Windows 2000
  or Windows XP Professional.
  Power Users can:
  Run legacy applications, in addition to Windows 2000 or Windows XP Professional certified applications.
  Install programs that do not modify operating system files or install system services.
  Customize systemwide resources including printers, date, time, power options, and other Control Panel resources.
  Create and manage local user accounts and groups.
  Stop and start system services which are not started by default.
  Power Users do not have permission to add themselves to the Administrators group. Power Users do not have access to the data of other users on an NTFS volume, unless those users grant them permission.
   Caution
  Running legacy programs on Windows 2000 or Windows XP Professional often requires you to modify access to certain system settings. The same default permissions that allow Power Users to run legacy programs also make it possible for a Power User to
  gain additional privileges on the system, even complete administrative control. Therefore, it is important to deploy certified Windows 2000 or Windows XP Professional programs in order to achieve maximum security without sacrificing program functionality.
  Programs that are certified can run successfully under the Secure configuration provided by the Users group. For more information, see the Security page on the Microsoft
  Web site.
  Since Power Users can install or modify programs, running as a Power User when connected to the Internet could make the system vulnerable to Trojan horse programs and other security risks.
  Jason Warren
  @jaspnwarren
  jasonwarren.ca
  habaneroconsulting.com/Insights

• How to provide access to Critical Transactions in GRC AC 10.0

  +Hello Gurus,+
  +We are in phase of implementing GRC AC 10.0 , and have a requirement where there are "Critical Transactions" identified by the Business and if there is any end user who wants to access any specific "Critical Transaction" e.g. PA30 etc then it must automatically go to a specific Owner of that transaction.+
  +As far as i know , we can have a workflow for getting a role assigned, but not sure if it is possible to have a workflow where every "critical transaction" will have an owner and then on selection of the transaction it will trigger a workflow.+
  +I would also like to know what is a standard or rather best practice in SAP GRC , regarding providing access to "CRITICAL Transactions" ??+
  +We thought of creating a role containing multiple "Critical transactions" and then assigning to the firefighter ID , for which we have an approval workflow !! But that does not help , as assigning the role will give user access to some other "critical transactions" as well which we would like to control.+
  +Looking forward to know about the suggestion/solution for this issue.+
  +Thanks in advance.+
  +Regards,+
  +Victor+

  Hello,
  Victor Ger wrote:
  > +We thought of creating a role containing multiple "Critical transactions" and then assigning to the firefighter ID , for which we have an approval workflow !! But that does not help , as assigning the role will give user access to some other "critical transactions" as well which we would like to control.+
  > +Victor+
  I think that only one firefighter with all the critical transactions is not a good idea. I guess it's better to have different firefighters IDs assigned to different users. The point here is to decide if you really want to have a trace for all critical transactions executions.
  An example:
  Tx. SM37 is considered a critical transaction if the user has also the auth. object S_BTCH_ADM set to "yes".  This allows to delete or copy others user's jobs. This is and authorization that a Basis person must have. Do you really want to trace this?
  I think that force a Basis person to use a firefighter for this is nonsense, because this tx. is part of his/her job. Then, you should accept this sort of risks, otherwise you'll get the point where you replace the normal users with FF users. This is not the idea of FF.
  Of course, this is just a thought and all depends on your business requirements.
  Cheers,
  Diego.

• Access Denied creating user accounts through vba

  Hello,
  I have a MS-Access application that runs on a Windows 2012 server. My customer logs into the server using RDP. The MS-Access application is started up automatically by means of the environment variable in the user settings. The customer needs to be able
  to create new windows users for this application, simply by clicking a button.  
  The VBA script to create users works, because when I start up the MS-Access application with my own logged on Administrators account, the new users get created. If my customer tries it, he gets 'Access Denied' error. I have added his user account to
  the Power Users group, but that did not solve the problem. I also tried to make him member of the DCOM Users Group, the 'Access Denied' error remains...
  I do not want to give him administrator priviliges, because he is 'just a customer'...
  What do I need to do for this setup to work? I tried altering some DCom settings, but frankly I do not have enough knowledge to feel comfortable with this. Hope anybody can help me out here...
  best regards, Rob

  Is this a standalone server? Only administrators can create user accounts, so there is no work around for that. You could look at something that has the administrator account/password stored and launch PSEXEC or something else in an elevated session behind
  the scenes but that is a security volunerability because the credentials are stored.
  If the account is being created in an Active Directory environment you could delegate permissions to the appropriate OU for your customer.
  Mark B. Cooper, President and Founder of PKI Solutions Inc., former Microsoft Senior Engineer and subject matter expert for Microsoft Active Directory Certificate Services (ADCS). Known as “The PKI Guy” at Microsoft for 10 years.

• BOE XI 3.1 - 'View only access' to ADMIN User Account

  Guys,
  we are using BOE XI 3.1 FixPack 1.6 version.
  I want to create a Test ID (for example, Test_ID) which is having ADMIN Access. But i need to provide 'View Only Access' to this Test ID account. Means this Test ID can enter into CMC. But should not modify/delete/add/ users or usergroups or folders in CMC.
  Is it possible to provide 'View Only Access' to the user who is having ADMIN access?
  Much appreciated. Thank you.

  Hi Seb,
  This is not working. I tried the same in one of the Test ID (This is an Enterprise Account).
  But i am getting the message "Account information not recognized: Access is denied" in the CMC login page.
  I logged in via Administrator and verified the Test ID. The account is enabled.
  Please any help.
  Thank you.
  regards,
  Kiruba v.r.

• Change public share access to read only for public and full access to selected users

  Hi, new to the community just purchased a recertified WDMyCloud 2TB after my 2 years old MyBookLive 2TB HD died due to accidental power cable unplugging. I've got everything setup including MiniDLNA by following instructions on this forum and everything is working  exactly as I want it to except public share. I want public share to be set to read only access for public and full access to certain users (just myself at the moment) and having a "upload" folder within this share with full public access to everything in this folder would be a bonus. I tried login in to ftp with root user and removing write permission for public but that blocks me out as well. I'm sure it's possible by doing some majic on SSH but I wouldn't have a clue so hoping someone here would be able to help me out.

  Mr_Khan wrote:
  What i want is public to have read only access to file server. Public as in users who do not have a user account on mycloud. E.g someone who connects to to my home network for the first time and is able to browse and download content from public share. I'm aware of being able to set indivual access to shares for users like full access, read only and no access but public users won't have a user account.Through the My Cloud UI interface what you seek to do is not possible. The public share like all other share folders are an all or nothing affair when using the adminstration UI. When using the administration UI you do not have granular control on shared folders to limit non users to read only access or set permission levels for subfolders. The workaround to do what you seek and have the public folder set for read only is to change the folder settings via SSH. It may take some work to set the folder security so that users can read/write to the public folder while the guests only have read access. However, if you reboot the WD My Cloud or update the WD My Cloud firmware those settings may be reset back to the default settings where the entire public folder is read/write for all. There are way to prevent this but again it will take a bit of coding to do so via SSH. See this link (even though its for the WD My Book Live) for a starting point on how to use SSH to change the permission levels on the public folder. Another option if one doesn't go the SSH route is to turn off public sharing for the public folder then create a "guest" user account and give that "guest" account read only access to the public folder while all other user accounts have full read/write access.

• Non power user cannot execute batch load

  Hello all. I have a batch sccript being executed in the AftLoad event script. For a non power user, if they load there file, they receive an error after the load indicating Object Variable or With Block Variable not set. It points to the line in the batch script that is executing the serial batch. I can see that the batch executes, as in the OpenBatch folder the file is removed. However, the error appears and the load never finishes. If I make this user a power user, they are able to process the load without any issue. Any ideas?

  The user needs to be granted access to all locations for the batch to work. Batch was originally designed as an admin only utility.