Re: Environment Console Security

I'm not sure of earlier versions but version 3.0.e has the ability to
password protect the Environment Console. It will also password protect
escript at the same time. The problem is that is is an all or nothing
password.
[email protected] on 01/22/98 11:54:40 AM
Please respond to [email protected]
To: [email protected], [email protected]
cc: [email protected] (bcc: Joseph A Mierzwa/HI/CSC)
Subject: Environment Console Security
Hi,
I was wondering whether the Environment Console has any user security
level? Can any developer use Environment Console to change the
environment?
If it is, are there any workaround to this?
Steven Wong
Distributed Objects Sdn. Bhd.
22, Jalan USJ 9/5T,
47620 UEP Subang Jaya,
Selangor Darul Ehsan, Malaysia.
Tel : (603) 5310 777 ext. 309
(603) 5310 222 ext. 309
Email : [email protected]

I usually put a password on the econsole. Only select few have the
rights to use it.
Kamran Amin
Forte Technical Leader, Software Engineering
[email protected]
203-459-7362
Oxford Health Plans
48 Monroe Turnpike
CT, Trumbull 06611
http://www.oxhp.com/
From: Steven Wong[SMTP:[email protected]]
Sent: Thursday, January 22, 1998 11:54 AM
To: [email protected]; [email protected]
Cc: Ewen Lai
Subject: Environment Console Security
Hi,
I was wondering whether the Environment Console has any user security
level? Can any developer use Environment Console to change the
environment?
If it is, are there any workaround to this?
Steven Wong
Distributed Objects Sdn. Bhd.
22, Jalan USJ 9/5T,
47620 UEP Subang Jaya,
Selangor Darul Ehsan, Malaysia.
Tel : (603) 5310 777 ext. 309
(603) 5310 222 ext. 309
Email : [email protected]

Similar Messages

[svn] 1433: adding 'console' security constraint to MBeanServerGateway remote object for MBean tests and ds-console , used when running on Websphere with administrative security enabled.

Revision: 1433
Author: [email protected]
Date: 2008-04-28 13:13:12 -0700 (Mon, 28 Apr 2008)
Log Message:
adding 'console' security constraint to MBeanServerGateway remote object for MBean tests and ds-console, used when running on Websphere with administrative security enabled. Should call setCredentials("bob","bob1") to use this RO.
Modified Paths:
blazeds/branches/3.0.x/qa/apps/qa-regress/WEB-INF/flex/remoting-config.mods.xml
blazeds/branches/3.0.x/qa/apps/qa-regress/WEB-INF/flex/services-config.mods.xml

Hi,
It seems that you were using Hyper-V Remote Management Configuration Utility from the link
http://code.msdn.microsoft.com/HVRemote, if so, you can refer to the following link.
Configure Hyper-V Remote Management in seconds
http://blogs.technet.com/jhoward/archive/2008/11/14/configure-hyper-v-remote-management-in-seconds.aspx
By the way, if you want to perform the further research about Hyper-V Remote Management Configuration Utility, it is recommend that you to get further
support in the corresponding community so that you can get the most qualified pool of respondents. Thanks for your understanding.
For your convenience, I have list the related link as followed.
Discussions for Hyper-V Remote Management Configuration Utility
http://code.msdn.microsoft.com/HVRemote/Thread/List.aspx
Best Regards,
Vincent Hu

[svn] 1447: Add parent attribute to the newly added "console" security constraint

Revision: 1447
Author: [email protected]
Date: 2008-04-28 17:23:41 -0700 (Mon, 28 Apr 2008)
Log Message:
Add parent attribute to the newly added "console" security constraint
Modified Paths:
blazeds/trunk/qa/apps/qa-regress/WEB-INF/flex/services-config.mods.xml

Hi,
you have to grant the Group "TESTGROUP" at leas the "View Object" right on the Root Level of all Users and All groups - then you see the snap in in the CMC.
Regards
-Seb.

SAP Management console security via HTTP

Hello,
We have just started using the HTTP connection to the SAP MMC via port 5<SysNR>13 and have found that you can connect straight to it without it asking for any authentication.
It does ask if you try to shut anything down and you have to be an administrator on the server as well otherwise it won't do anything, however you can freely look at the logs and other information without entering any passwords.
The Help for this new method of connecting just says how to use it and nothing about how to secure it.
Does anyone know of a way to get it to ask for a userid and password when you first connect to it?
Regards
Garry Bayford

Thanks, but I'm afraid that only really says how to protect the connection.
What I'd prefer is to have the console ask for a userid and password when you first connect to it.
We've found a profile parameter called service/prtoectedwebmethods that might be suitable as it may allow us to protect the individual items in the console itself. Not ideal but better than the current setup.

SAP Management Console security

Not sure if this is the correct section so apologies if not.
Does anyone know how to prevent just anyone using SAP management Console?
For example, if someone downloads it from SAP marketplace onto their PC, they can run it and enter instance info and see what is going on for that instance.
They can look at log files etc.
Is it possible to prevent anyone viewing this info?

I am having the feeling you might want to read sap note [1439348 - Extended security settings for sapstartsrv|https://service.sap.com/sap/support/notes/1439348]
And nobody would have to download mmc from service marketplae, it is much simpler. All you need to do is to call http://<yourserver>:50013
But with the default configuration one cannot stop anything without proper authentication.
Kind regards, Michael

Console Security Log

What happened to the Security log in Console? It doesn't seem to exist in ML. I've upgraded from 10.6.8 to 10.8.5. I would like to see who logs in, and when, on this Mac. Any help would be greatly appreciated.

SIGH! This isn't the answer I wanted! Sadly, after already doing a lot of poking around in Console I had reached the same conclusion. I was just hoping I was wrong. Thank you Bob.

EPM 11.1.2 Shared Services not sync up with EAS console security

Hi,
I've provisioned a native group to specific databases in Shared Services within EPM version 11.1.2. But when I go to Essbase->Security for the group, I see that the group also has access to extra databases that I didn't provisioned in Shared Services. I went back into Shared Services and checked that both the group and users within the group are not provisioned to those extra databases, which they are not. So I'm not sure where the extra databases that the group has access to came from.
Please help....I'm not sure where else to check or look at the connection between the databases that were provisioned versu not provisioned.
Thanks

Hmm this is interesting...
I would deprovision the group first and make sure it has no access to Essbase anymore. Then I would provision the group with the correct database. Do you still see the below issue? I have no idea how the group got access to other databases.
I would also check the log files to try to find out how the group got provisioned for the other databases. I am not sure which log file would have this information though. Maybe John, or someone else can direct you there.
Cheers,
Mehmet

Console - Security Question

On Functions and Tables and Fields tab, is there a way to export these values into a text file or another format than how it is displayed in Console?

Hi Victor
this is not posible. You can use the content provided in the reference guide as start point by pasting them in excel file.
thanks-Ravi

MDM Console - security and views

Hi,
I access MDM console remotely on the Windows 2003 server that hosts the MDM system and locally on my own laptop. Both machines run the same version of MDM Console 5.5 SP6 (5.5.63.87) and I have Admin access.
When I view the repository on the Windows 2003 server I can see detailed information (individual fields and detail) when I view the repository from my laptop I can only see the detail.
If I use PORTS as an example. On the Windows 2003 server I can see a list of the ports and when I click on them I can see the port definition. On my local machine all I can see is the port detail (eg, the table definition).
As I have the same version of MDM Console installted on both machines (I have even checked the executable size and date) I'm at a loss to understand why the repository looks different when accessed from the server and my machine.
I have checked the MDM Console Guide and that doesn't offer an insight. I am still searching SDN without any luck.
Your advice is appreciated.

Rob
This might sound silly but are you sure the detail panel in MDM Console has not been pulled up to the top?
Can you attach a screenshot with the Port example?
-Varun

BPC 10.0 - How can I control security at Environment level?

Dear All,
How can I control environment level security in BPC?
i.e.
User1 can work on only ENV01
User2 can work on only ENV02 & ENV03
etc...
I believe this has to be done at BW level, right? If so, how can I do that in BW? Else, how can I achieve this?
Thanks,
Peri

Hi Peri,
yes, the admin panel is within the environment. So when you add users you add them to that specific environment. You can then log onto another environment and add a different set of users.
Those users you wand to add need specific SAP role in the BW so you can see them in the first place.
BR,
Arnold

BlazeDS: Having issues in secured WebSphere 6.0 environment

I have a BlazeDS package that I verified works in Tomcat, WebSphere and over SSL. When I deploy to our target, secured environment (WebSphere 6, Tivoli Access Manager, ...), it blows up with the following error: [9/11/08 17:55:17:004 GMT+00:00] 0000002f ServletWrappe E SRVE0014E: Uncaught service() exception root cause MessageBrokerServlet: Response already committed. [9/11/08 17:55:17:036 GMT+00:00] 0000002f LocalTranCoor E WLTC0017E: Resources rolled back due to setRollbackOnly() being called. [9/11/08 17:55:17:053 GMT+00:00] 0000002f WebApp E SRVE0026E: [Servlet Error]-[MessageBrokerServlet]: java.lang.IllegalStateException: Response already committed. at com.ibm.ws.webcontainer.webapp.WebAppDispatcherContext.sendError(WebAppDispatcherContext. java:574) at com.ibm.ws.webcontainer.srt.SRTServletResponse.sendError(SRTServletResponse.java:868) at com.ibm.ws.webcontainer.srt.SRTServletResponse.sendError(SRTServletResponse.java:851) at flex.messaging.MessageBrokerServlet.service(MessageBrokerServlet.java:393) Looking at line 393 in MessageBrokerServlet, it is trying to send an error back as follows res.sendError(HttpServletResponse.SC_FORBIDDEN);. This is part of an else block that is called only if endpoint is null. Very odd as the exact same code package with the same endpoint and channel definition works in the other environments I mentioned. The only difference is this environment is secured via SSL (which I tried locally without a problem) and Tivoli Access Manager. Since the request is getting to the logs, it doesn't appear to be a Tivoli issue as if anything was wrong with the request, it would never get to the server. That leaves WebSphere? Below are the pertinent definitions from my Java service. Any help is greatly appreciated. service-config.xml <channels> <channel-definition id="comment-amf" class="mx.messaging.channels.SecureAMFChannel"> <endpoint url="https://<url-removed-from-post>/amvcmnt/comment-service/messag ebroker/amfsecure" class="flex.messaging.endpoints.SecureAMFEndpoint" /> <properties> <polling-enabled>false</polling-enabled>  <add-no-cache-headers>false</add-no-cache-headers>   <serialization> <enable-small-messages>false</enable-small-messages> </serialization> </properties> </channel-definition> </channels> remote-config.xml <adapters> <adapter-definition id="java-object" class="flex.messaging.services.remoting.adapters.JavaAdapter" default="true" /> </adapters> <default-channels> <channel ref="comment-amf" /> </default-channels> <destination id="CommentService"> <properties> <factory>spring</factory> <source>commentService</source> </properties> </destination> <destination id="SecuredCommentService"> <properties> <factory>spring</factory> <source>securedCommentService</source> </properties> </destination> <destination id="EntitlementService"> <properties> <factory>spring</factory> <source>entitlementService</source> </properties> </destination>

Hi,
I am facing exactly same issue. my application works fine on local and dev. however, when i deploy it on QA where TAM and clustering is in picture it throws connection failed error. Can you please help me on how to solve this issue.
Regards,
Sachin Patil.
[email protected]

Security error while loading pdf file in jsp in firefox?

When i type in the following link manually in firefox as " file://///172.16.2.1/copyediting/ELS/mallet.pdf", pdf file is loaded successfully in the firefox browser. PDF file is located in remote server which is referred by IP 172.16.2.1.
I've assigned the Same link in a String in jsp page and tested it through my tomcat application as
<%
String linktotest="file://///172.16.2.1/copyediting/ELS/mallet.pdf";
%>
<a href="<%=linktotest%>">link</a>
when i click on the hyperlink , the pdf is not loaded in firefox and i'm getting the following error in firefox error console
Security Error: Content at http://172.16.3.222:8080/FMS/source/journal/ProductionEntry.jsp may not load or link to file://///172.16.2.1/copyediting/ELS/mallet.pdf
can any one please give me the solution.

Links and forms in HTML should point to public URL´s (with http:// or https:// protocol), not to the file system (with file://).
If those files are not public accessible by URL, then you need to create a servlet which does the file streaming task. This example may be useful then: [http://balusc.blogspot.com/2007/07/fileservlet.html].

HT5228 What about a security fix for Java under Mac OS 10.4 and 10.5?

Apple recognized and offered a fix for the Flashback trojan here:
http://support.apple.com/kb/HT5228?viewlocale=en_US&locale=en_US
But it is only for OS 10.7 and 10.6. Presumably, users of 10.5 and 10.4 are still vulnerable. Because Apple insisted on providing Java support, rather than Oracle, the fix that was released in February doesn't work unless Apple were to make it work.
If Apple is unwilling to support Java for 10.5 and 10.4, they need to hand over whatever documentation Oracle would need so they can keep the Java environment (and security) up to date. 10.5 and 10.4 are still viable OSes and to not patch obvious security flaws in one way or another is irresponsible, at best.

http://www.apple.com/feedback/ - Apple products feedback links
I wouldn't expect anything to come of it.
I have disabled Java on my browsers. It isn't really neded all that often.

Unable to expand Roles n policies after enabling Active directory security

I am running weblogic 10.3 on Linux and integrated console security with Microsoft AD.
Below error occurs when I tried to expand roles and policies.
Please help.
Message: weblogic.management.utils.NotFoundException: [Security:090311]Failed to set resource expression
Stack Trace: com.bea.console.exceptions.ManagementException: weblogic.management.utils.NotFoundException: [Security:090311]Failed to set resource expression at com.bea.console.actions.security.roles.RoleTableAction.createRoleNode(RoleTableAction.java:678) at com.bea.console.actions.security.roles.RoleTableAction.expandGlobalRolesNode(RoleTableAction.java:208) at com.bea.console.actions.security.roles.RoleTableAction.expandNode(RoleTableAction.java:193) at com.bea.console.actions.security.roles.RoleTableAction.execute(RoleTableAction.java:102) at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:431) at org.apache.beehive.netui.pageflow.PageFlowRequestProcessor.access$201(PageFlowRequestProcessor.java:97) at org.apache.beehive.netui.pageflow.PageFlowRequestProcessor$ActionRunner.execute(PageFlowRequestProcessor.java:2044) at org.apache.beehive.netui.pageflow.interceptor.action.internal.ActionInterceptors.wrapAction(ActionInterceptors.java:91) at org.apache.beehive.netui.pageflow.PageFlowRequestProcessor.processActionPerform(PageFlowRequestProcessor.java:2116) at com.bea.console.internal.ConsolePageFlowRequestProcessor.processActionPerform(ConsolePageFlowRequestProcessor.java:255) at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:236) at org.apache.beehive.netui.pageflow.PageFlowRequestProcessor.processInternal(PageFlowRequestProcessor.java:556) at org.apache.beehive.netui.pageflow.PageFlowRequestProcessor.process(PageFlowRequestProcessor.java:853) at org.apache.beehive.netui.pageflow.AutoRegisterActionServlet.process(AutoRegisterActionServlet.java:631) at org.apache.beehive.netui.pageflow.PageFlowActionServlet.process(PageFlowActionServlet.java:158) at com.bea.console.internal.ConsoleActionServlet.process(ConsoleActionServlet.java:256) at org.apache.struts.action.ActionServlet.doGet(ActionServlet.java:414) at com.bea.console.internal.ConsoleActionServlet.doGet(ConsoleActionServlet.java:133) at org.apache.beehive.netui.pageflow.PageFlowUtils.strutsLookup(PageFlowUtils.java:1199) at com.bea.portlet.adapter.scopedcontent.ScopedContentCommonSupport.executeAction(ScopedContentCommonSupport.java:686) at com.bea.portlet.adapter.scopedcontent.ScopedContentCommonSupport.renderInternal(ScopedContentCommonSupport.java:266) at com.bea.portlet.adapter.scopedcontent.StrutsStubImpl.render(StrutsStubImpl.java:107) at com.bea.netuix.servlets.controls.content.NetuiContent.preRender(NetuiContent.java:292) at com.bea.netuix.nf.ControlLifecycle$6.visit(ControlLifecycle.java:428) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:727) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walk(ControlTreeWalker.java:146) at com.bea.netuix.nf.Lifecycle.processLifecycles(Lifecycle.java:395) at com.bea.netuix.nf.Lifecycle.processLifecycles(Lifecycle.java:361) at com.bea.netuix.nf.Lifecycle.runOutbound(Lifecycle.java:208) at com.bea.netuix.nf.Lifecycle.run(Lifecycle.java:162) at com.bea.netuix.servlets.manager.UIServlet.runLifecycle(UIServlet.java:388) at com.bea.netuix.servlets.manager.UIServlet.doPost(UIServlet.java:258) at com.bea.netuix.servlets.manager.UIServlet.doGet(UIServlet.java:211) at com.bea.netuix.servlets.manager.UIServlet.service(UIServlet.java:196) at com.bea.netuix.servlets.manager.SingleFileServlet.service(SingleFileServlet.java:251) at javax.servlet.http.HttpServlet.service(HttpServlet.java:820) at com.bea.console.utils.MBeanUtilsInitSingleFileServlet.service(MBeanUtilsInitSingleFileServlet.java:54) at weblogic.servlet.AsyncInitServlet.service(AsyncInitServlet.java:130) at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227) at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125) at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:292) at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:26) at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:42) at weblogic.servlet.internal.RequestEventsFilter.doFilter(RequestEventsFilter.java:27) at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:42) at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3496) at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321) at weblogic.security.service.SecurityManager.runAs(Unknown Source) at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2180) at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2086) at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1406) at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201) at weblogic.work.ExecuteThread.run(ExecuteThread.java:173) Caused by: weblogic.management.utils.NotFoundException: [Security:090311]Failed to set resource expression at com.bea.security.providers.xacml.entitlement.RoleManager.getRole(RoleManager.java:134) at weblogic.security.providers.xacml.authorization.XACMLRoleMapperImpl.getRoleExpression(XACMLRoleMapperImpl.java:499) at weblogic.security.providers.xacml.authorization.XACMLRoleMapperMBeanImpl.getRoleExpression(XACMLRoleMapperMBeanImpl.java:389) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) at java.lang.reflect.Method.invoke(Method.java:597) at weblogic.management.jmx.modelmbean.WLSModelMBean.invoke(WLSModelMBean.java:437) at com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.invoke(DefaultMBeanServerInterceptor.java:836) at com.sun.jmx.mbeanserver.JmxMBeanServer.invoke(JmxMBeanServer.java:761) at weblogic.management.jmx.mbeanserver.WLSMBeanServerInterceptorBase$16.run(WLSMBeanServerInterceptorBase.java:447) at weblogic.management.jmx.mbeanserver.WLSMBeanServerInterceptorBase.invoke(WLSMBeanServerInterceptorBase.java:445) at weblogic.management.mbeanservers.internal.SecurityInterceptor.invoke(SecurityInterceptor.java:443) at weblogic.management.mbeanservers.internal.AuthenticatedSubjectInterceptor$10$1.run(AuthenticatedSubjectInterceptor.java:582) at weblogic.management.mbeanservers.internal.AuthenticatedSubjectInterceptor$10.run(AuthenticatedSubjectInterceptor.java:580) at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:363) at weblogic.management.mbeanservers.internal.AuthenticatedSubjectInterceptor.invoke(AuthenticatedSubjectInterceptor.java:573) at weblogic.management.jmx.mbeanserver.WLSMBeanServer.invoke(WLSMBeanServer.java:307) at javax.management.remote.rmi.RMIConnectionImpl.doOperation(RMIConnectionImpl.java:1426) at javax.management.remote.rmi.RMIConnectionImpl.access$200(RMIConnectionImpl.java:72) at javax.management.remote.rmi.RMIConnectionImpl$PrivilegedOperation.run(RMIConnectionImpl.java:1264) at javax.management.remote.rmi.RMIConnectionImpl.doPrivilegedOperation(RMIConnectionImpl.java:1366) at javax.management.remote.rmi.RMIConnectionImpl.invoke(RMIConnectionImpl.java:788) at javax.management.remote.rmi.RMIConnectionImpl_WLSkel.invoke(Unknown Source) at weblogic.rmi.internal.ServerRequest.sendReceive(ServerRequest.java:174) at weblogic.rmi.internal.BasicRemoteRef.invoke(BasicRemoteRef.java:222) at javax.management.remote.rmi.RMIConnectionImpl_1030_WLStub.invoke(Unknown Source) at javax.management.remote.rmi.RMIConnector$RemoteMBeanServerConnection.invoke(RMIConnector.java:978) at weblogic.management.jmx.MBeanServerInvocationHandler.doInvoke(MBeanServerInvocationHandler.java:544) at weblogic.management.jmx.MBeanServerInvocationHandler.invoke(MBeanServerInvocationHandler.java:380) at $Proxy70.getRoleExpression(Unknown Source) at com.bea.console.actions.security.roles.RoleTableAction.createRoleNode(RoleTableAction.java:671) ... 81 more

<?xml version='1.0' encoding='UTF-8'?>
<domain xmlns="http://www.bea.com/ns/weblogic/920/domain" xmlns:sec="http://www.bea.com/ns/weblogic/90/security" xmlns:wls="http://www.bea.com/ns/weblogic/90/security/wls" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.bea.com/ns/weblogic/90/security/wls http://www.bea.com/ns/weblogic/90/security/wls.xsd http://www.bea.com/ns/weblogic/920/domain http://www.bea.com/ns/weblogic/920/domain.xsd http://www.bea.com/ns/weblogic/90/security/xacml http://www.bea.com/ns/weblogic/90/security/xacml.xsd http://www.bea.com/ns/weblogic/90/security http://www.bea.com/ns/weblogic/90/security.xsd">
<name>ABC</name>
<domain-version>10.0.1.0</domain-version>
<security-configuration>
<name>ABC</name>
<realm>
<sec:authentication-provider xsi:type="wls:default-authenticatorType">
<sec:control-flag>OPTIONAL</sec:control-flag>
<wls:propagate-cause-for-login-exception>false</wls:propagate-cause-for-login-exception>
</sec:authentication-provider>
<sec:authentication-provider xsi:type="wls:default-identity-asserterType">
<sec:active-type>AuthenticatedUser</sec:active-type>
</sec:authentication-provider>
<sec:authentication-provider xsi:type="wls:active-directory-authenticatorType">
<sec:name>MYSECURITY</sec:name>
<sec:control-flag>OPTIONAL</sec:control-flag>
<wls:propagate-cause-for-login-exception>false</wls:propagate-cause-for-login-exception>
<wls:host>ad.win.XYZ.com</wls:host>
<wls:port>3210</wls:port>
<wls:user-name-attribute>SamAccountName</wls:user-name-attribute>
<wls:principal>CN=ABC (APPLICATION),OU=Service Accounts,OU=Infrastructure Solutions,OU=USPC,DC=americas,DC=win,DC=xyz,DC=com</wls:principal>
<wls:user-base-dn>DC=americas,DC=win,DC=xyz,DC=com</wls:user-base-dn>
<wls:credential-encrypted>{3DES}3gr1b24C1+ZescfrcJGfTA==</wls:credential-encrypted>
<wls:user-from-name-filter>(&(SamAccountName=%u)(objectclass=user))</wls:user-from-name-filter>
<wls:cache-size>3200</wls:cache-size>
<wls:group-base-dn>DC=americas,DC=win,DC=xyz,DC=com</wls:group-base-dn>
<wls:bind-anonymously-on-referrals>true</wls:bind-anonymously-on-referrals>
<wls:all-groups-filter>(objectclass=group)</wls:all-groups-filter>
<wls:group-membership-searching>limited</wls:group-membership-searching>
</sec:authentication-provider>
<sec:role-mapper xmlns:xac="http://www.bea.com/ns/weblogic/90/security/xacml" xsi:type="xac:xacml-role-mapperType"></sec:role-mapper>
<sec:authorizer xmlns:xac="http://www.bea.com/ns/weblogic/90/security/xacml" xsi:type="xac:xacml-authorizerType"></sec:authorizer>
<sec:adjudicator xsi:type="wls:default-adjudicatorType"></sec:adjudicator>
<sec:credential-mapper xsi:type="wls:default-credential-mapperType"></sec:credential-mapper>
<sec:cert-path-provider xsi:type="wls:web-logic-cert-path-providerType"></sec:cert-path-provider>
<sec:cert-path-builder>WebLogicCertPathProvider</sec:cert-path-builder>
<sec:name>myrealm</sec:name>
</realm>
<default-realm>myrealm</default-realm>
<credential-encrypted>{3DES}Da9bWdtd5q7ah0l1OlmgTprs5EsrhL0siPsTNKzMDOasnQwrpgSVnAKFIdM3O/CjsXOzrq2fBACcbtup4aQCbNpjynWFUDB1</credential-encrypted>
<node-manager-username>system</node-manager-username>
<node-manager-password-encrypted>{3DES}IwjibsnAdGEU/pYi+0n1bg==</node-manager-password-encrypted>
</security-configuration>
<server>
<name>AdminServer</name>
<log>
<file-name>logs/AdminServer.log</file-name>
<rotation-type>byTime</rotation-type>
<number-of-files-limited>true</number-of-files-limited>
<file-count>7</file-count>
<file-time-span>24</file-time-span>
<rotation-time>00:00</rotation-time>
<rotate-log-on-startup>true</rotate-log-on-startup>
<logger-severity>Info</logger-severity>
<log-file-severity>Info</log-file-severity>
<stdout-severity>Info</stdout-severity>
<domain-log-broadcast-severity>Notice</domain-log-broadcast-severity>
<memory-buffer-severity>Trace</memory-buffer-severity>
<log4j-logging-enabled>false</log4j-logging-enabled>
<redirect-stdout-to-server-log-enabled>true</redirect-stdout-to-server-log-enabled>
<domain-log-broadcaster-buffer-size>1</domain-log-broadcaster-buffer-size>
</log>
<listen-port>25000</listen-port>
<server-debug>
<debug-scope>
<name>default</name>
<enabled>true</enabled>
</debug-scope>
<debug-scope>
<name>weblogic</name>
<enabled>true</enabled>
</debug-scope>
</server-debug>
<listen-address></listen-address>
</server>
<server>
<name>ABC_server1</name>
<ssl>
<enabled>false</enabled>
</ssl>
<log>
<file-name>logs/AdminServer.log</file-name>
<number-of-files-limited>true</number-of-files-limited>
<file-count>7</file-count>
<file-time-span>24</file-time-span>
<rotation-time>00:00</rotation-time>
<rotate-log-on-startup>true</rotate-log-on-startup>
<logger-severity>Info</logger-severity>
<log-file-severity>Info</log-file-severity>
<stdout-severity>Info</stdout-severity>
<domain-log-broadcast-severity>Notice</domain-log-broadcast-severity>
<memory-buffer-severity>Trace</memory-buffer-severity>
<log4j-logging-enabled>false</log4j-logging-enabled>
<redirect-stdout-to-server-log-enabled>true</redirect-stdout-to-server-log-enabled>
<domain-log-broadcaster-buffer-size>1</domain-log-broadcaster-buffer-size>
</log>
<listen-port>25010</listen-port>
<listen-port-enabled>true</listen-port-enabled>
<web-server>
<web-server-log>
<number-of-files-limited>false</number-of-files-limited>
</web-server-log>
</web-server>
<listen-address></listen-address>
<java-compiler>javac</java-compiler>
<client-cert-proxy-enabled>false</client-cert-proxy-enabled>
</server>
<server>
<name>ABC_server2</name>
<log>
<file-name>logs/AdminServer.log</file-name>
<number-of-files-limited>true</number-of-files-limited>
<file-count>7</file-count>
<file-time-span>24</file-time-span>
<rotation-time>00:00</rotation-time>
<rotate-log-on-startup>true</rotate-log-on-startup>
<logger-severity>Info</logger-severity>
<log-file-severity>Info</log-file-severity>
<stdout-severity>Info</stdout-severity>
<domain-log-broadcast-severity>Notice</domain-log-broadcast-severity>
<memory-buffer-severity>Trace</memory-buffer-severity>
<log4j-logging-enabled>false</log4j-logging-enabled>
<redirect-stdout-to-server-log-enabled>true</redirect-stdout-to-server-log-enabled>
<domain-log-broadcaster-buffer-size>1</domain-log-broadcaster-buffer-size>
</log>
<listen-port>25020</listen-port>
<web-server>
<web-server-log>
<number-of-files-limited>false</number-of-files-limited>
</web-server-log>
</web-server>
<listen-address></listen-address>
</server>
<server>
<name>ABC_server4</name>
<log>
<file-name>logs/AdminServer.log</file-name>
<number-of-files-limited>true</number-of-files-limited>
<file-count>7</file-count>
<file-time-span>24</file-time-span>
<rotation-time>00:00</rotation-time>
<rotate-log-on-startup>true</rotate-log-on-startup>
<logger-severity>Info</logger-severity>
<log-file-severity>Info</log-file-severity>
<stdout-severity>Info</stdout-severity>
<domain-log-broadcast-severity>Notice</domain-log-broadcast-severity>
<memory-buffer-severity>Trace</memory-buffer-severity>
<log4j-logging-enabled>false</log4j-logging-enabled>
<redirect-stdout-to-server-log-enabled>true</redirect-stdout-to-server-log-enabled>
<domain-log-broadcaster-buffer-size>1</domain-log-broadcaster-buffer-size>
</log>
<listen-port>25040</listen-port>
<web-server>
<web-server-log>
<number-of-files-limited>false</number-of-files-limited>
</web-server-log>
</web-server>
<listen-address></listen-address>
</server>
<server>
<name>ABC_server5</name>
<ssl>
<enabled>false</enabled>
</ssl>
<log>
<file-name>logs/AdminServer.log</file-name>
<number-of-files-limited>true</number-of-files-limited>
<file-count>7</file-count>
<file-time-span>24</file-time-span>
<rotation-time>00:00</rotation-time>
<rotate-log-on-startup>true</rotate-log-on-startup>
<logger-severity>Info</logger-severity>
<log-file-severity>Info</log-file-severity>
<stdout-severity>Info</stdout-severity>
<domain-log-broadcast-severity>Notice</domain-log-broadcast-severity>
<memory-buffer-severity>Trace</memory-buffer-severity>
<log4j-logging-enabled>false</log4j-logging-enabled>
<redirect-stdout-to-server-log-enabled>true</redirect-stdout-to-server-log-enabled>
<domain-log-broadcaster-buffer-size>1</domain-log-broadcaster-buffer-size>
</log>
<machine xsi:nil="true"></machine>
<listen-port>25050</listen-port>
<cluster xsi:nil="true"></cluster>
<web-server>
<web-server-log>
<number-of-files-limited>false</number-of-files-limited>
</web-server-log>
</web-server>
</server>
<server>
<name>ABC_server6</name>
<log>
<file-name>logs/AdminServer.log</file-name>
<number-of-files-limited>true</number-of-files-limited>
<file-count>7</file-count>
<file-time-span>24</file-time-span>
<rotation-time>00:00</rotation-time>
<rotate-log-on-startup>true</rotate-log-on-startup>
<logger-severity>Info</logger-severity>
<log-file-severity>Info</log-file-severity>
<stdout-severity>Info</stdout-severity>
<domain-log-broadcast-severity>Notice</domain-log-broadcast-severity>
<memory-buffer-severity>Trace</memory-buffer-severity>
<log4j-logging-enabled>false</log4j-logging-enabled>
<redirect-stdout-to-server-log-enabled>true</redirect-stdout-to-server-log-enabled>
<domain-log-broadcaster-buffer-size>1</domain-log-broadcaster-buffer-size>
</log>
<listen-port>25060</listen-port>
<web-server>
<web-server-log>
<number-of-files-limited>false</number-of-files-limited>
</web-server-log>
</web-server>
<listen-address></listen-address>
</server>
<server>
<name>ABC_server7</name>
<log>
<file-name>logs/AdminServer.log</file-name>
<number-of-files-limited>true</number-of-files-limited>
<file-count>7</file-count>
<file-time-span>24</file-time-span>
<rotation-time>00:00</rotation-time>
<rotate-log-on-startup>true</rotate-log-on-startup>
<logger-severity>Info</logger-severity>
<log-file-severity>Info</log-file-severity>
<stdout-severity>Info</stdout-severity>
<domain-log-broadcast-severity>Notice</domain-log-broadcast-severity>
<memory-buffer-severity>Trace</memory-buffer-severity>
<log4j-logging-enabled>false</log4j-logging-enabled>
<redirect-stdout-to-server-log-enabled>true</redirect-stdout-to-server-log-enabled>
<domain-log-broadcaster-buffer-size>1</domain-log-broadcaster-buffer-size>
</log>
<listen-port>25070</listen-port>
<web-server>
<web-server-log>
<number-of-files-limited>false</number-of-files-limited>
</web-server-log>
</web-server>
<listen-address></listen-address>
</server>
<server>
<name>ABC_server8</name>
<log>
<file-name>logs/AdminServer.log</file-name>
<number-of-files-limited>true</number-of-files-limited>
<file-count>7</file-count>
<file-time-span>24</file-time-span>
<rotation-time>00:00</rotation-time>
<rotate-log-on-startup>true</rotate-log-on-startup>
<logger-severity>Info</logger-severity>
<log-file-severity>Info</log-file-severity>
<stdout-severity>Info</stdout-severity>
<domain-log-broadcast-severity>Notice</domain-log-broadcast-severity>
<memory-buffer-severity>Trace</memory-buffer-severity>
<log4j-logging-enabled>false</log4j-logging-enabled>
<redirect-stdout-to-server-log-enabled>true</redirect-stdout-to-server-log-enabled>
<domain-log-broadcaster-buffer-size>1</domain-log-broadcaster-buffer-size>
</log>
<listen-port>25080</listen-port>
<web-server>
<web-server-log>
<number-of-files-limited>false</number-of-files-limited>
</web-server-log>
</web-server>
<listen-address></listen-address>
</server>
<server>
<name>ABC_server10</name>
<log>
<file-name>logs/AdminServer.log</file-name>
<number-of-files-limited>true</number-of-files-limited>
<file-count>7</file-count>
<file-time-span>24</file-time-span>
<rotation-time>00:00</rotation-time>
<rotate-log-on-startup>true</rotate-log-on-startup>
<logger-severity>Info</logger-severity>
<log-file-severity>Info</log-file-severity>
<stdout-severity>Info</stdout-severity>
<domain-log-broadcast-severity>Notice</domain-log-broadcast-severity>
<memory-buffer-severity>Trace</memory-buffer-severity>
<log4j-logging-enabled>false</log4j-logging-enabled>
<redirect-stdout-to-server-log-enabled>true</redirect-stdout-to-server-log-enabled>
<domain-log-broadcaster-buffer-size>1</domain-log-broadcaster-buffer-size>
</log>
<listen-port>25100</listen-port>
<web-server>
<web-server-log>
<number-of-files-limited>false</number-of-files-limited>
</web-server-log>
</web-server>
<listen-address></listen-address>
</server>
<server>
<name>ABC_server9</name>
<log>
<file-name>logs/AdminServer.log</file-name>
<number-of-files-limited>true</number-of-files-limited>
<file-count>7</file-count>
<file-time-span>24</file-time-span>
<rotation-time>00:00</rotation-time>
<rotate-log-on-startup>true</rotate-log-on-startup>
<logger-severity>Info</logger-severity>
<log-file-severity>Info</log-file-severity>
<stdout-severity>Info</stdout-severity>
<domain-log-broadcast-severity>Notice</domain-log-broadcast-severity>
<memory-buffer-severity>Trace</memory-buffer-severity>
<log4j-logging-enabled>false</log4j-logging-enabled>
<redirect-stdout-to-server-log-enabled>true</redirect-stdout-to-server-log-enabled>
<domain-log-broadcaster-buffer-size>1</domain-log-broadcaster-buffer-size>
</log>
<listen-port>25090</listen-port>
<web-server>
<web-server-log>
<number-of-files-limited>false</number-of-files-limited>
</web-server-log>
</web-server>
<listen-address></listen-address>
</server>
<server>
<name>ABC_server3</name>
<log>
<file-name>logs/AdminServer.log</file-name>
<number-of-files-limited>true</number-of-files-limited>
<file-count>7</file-count>
<file-time-span>24</file-time-span>
<rotation-time>00:00</rotation-time>
<rotate-log-on-startup>true</rotate-log-on-startup>
<logger-severity>Info</logger-severity>
<log-file-severity>Info</log-file-severity>
<stdout-severity>Info</stdout-severity>
<domain-log-broadcast-severity>Notice</domain-log-broadcast-severity>
<memory-buffer-severity>Trace</memory-buffer-severity>
<log4j-logging-enabled>false</log4j-logging-enabled>
<redirect-stdout-to-server-log-enabled>true</redirect-stdout-to-server-log-enabled>
<domain-log-broadcaster-buffer-size>1</domain-log-broadcaster-buffer-size>
</log>
<listen-port>25030</listen-port>
<web-server>
<web-server-log>
<number-of-files-limited>false</number-of-files-limited>
</web-server-log>
</web-server>
<server-debug>
<debug-scope>
<name>default</name>
<enabled>true</enabled>
</debug-scope>
<debug-scope>
<name>weblogic</name>
<enabled>true</enabled>
</debug-scope>
</server-debug>
<listen-address></listen-address>
</server>
<embedded-ldap>
<name>ABC</name>
<credential-encrypted>{3DES}RhnPr+8XsDxhU8rgpPiikqpyeP74wxX/T2mnALX9oFI=</credential-encrypted>
</embedded-ldap>
<configuration-version>10.0.1.0</configuration-version>
<configuration-audit-type>logaudit</configuration-audit-type>
<app-deployment>
<name>ABC25090</name>
<target>ABC_server9</target>
<module-type>ear</module-type>
<source-path>/home/arajpoot/working/default-app/dist/ABC.9.5.0.ear</source-path>
<security-dd-model>DDOnly</security-dd-model>
</app-deployment>
<app-deployment>
<name>ABC25080</name>
<target>ABC_server8</target>
<module-type>ear</module-type>
<source-path>/home/aherleka/working/default-app/dist/ABC.10.1.0.ear</source-path>
<security-dd-model>DDOnly</security-dd-model>
</app-deployment>
<app-deployment>
<name>ABC25030</name>
<target>ABC_server3</target>
<module-type>ear</module-type>
<source-path>/home/rprajapa/working/default-app/dist/ABC.10.1.0.ear</source-path>
<security-dd-model>DDOnly</security-dd-model>
</app-deployment>
<app-deployment>
<name>ABC25060</name>
<target></target>
<module-type>ear</module-type>
<source-path>/home/xyin/working/default-app/dist/ABC.10.1.0.ear</source-path>
<sub-deployment>
<name>/</name>
<target></target>
</sub-deployment>
<security-dd-model>DDOnly</security-dd-model>
<staging-mode>nostage</staging-mode>
</app-deployment>
<app-deployment>
<name>ABC25010</name>
<target>ABC_server1</target>
<module-type>ear</module-type>
<source-path>/home/payadav/working/default-app/dist/ABC.10.1.0.ear</source-path>
<security-dd-model>DDOnly</security-dd-model>
</app-deployment>
<app-deployment>
<name>ABC25050</name>
<target>ABC_server5</target>
<module-type>ear</module-type>
<source-path>/home/nchanda1/working/default-app/dist/ABC.10.0.3.ear</source-path>
<security-dd-model>DDOnly</security-dd-model>
</app-deployment>
<app-deployment>
<name>ABC8070</name>
<target>ABC_server7</target>
<module-type>ear</module-type>
<source-path>/home/irakshit/working/default-app/dist/ABC.10.1.0.ear</source-path>
<security-dd-model>DDOnly</security-dd-model>
</app-deployment>
<app-deployment>
<name>ABC8020</name>
<target>ABC_server2</target>
<module-type>ear</module-type>
<source-path>/home/wchou/working/default-app/ABC.ear</source-path>
<security-dd-model>DDOnly</security-dd-model>
</app-deployment>
<app-deployment>
<name>ABC8100</name>
<target>ABC_server10</target>
<module-type>ear</module-type>
<source-path>/home/amulik/working/default-app/dist/ABC.9.5.0.ear</source-path>
<security-dd-model>DDOnly</security-dd-model>
</app-deployment>
<app-deployment>
<name>ABC8040</name>
<target>ABC_server4</target>
<module-type>ear</module-type>
<source-path>/home/nchanda1/working/default-app/dist/ABC.10.0.3.ear</source-path>
<security-dd-model>DDOnly</security-dd-model>
</app-deployment>
<admin-server-name>AdminServer</admin-server-name>
<jdbc-system-resource>
<name>ABCCDWDataSource</name>
<target>ABC_server9,ABC_server8,ABC_server3,ABC_server1,ABC_server5,ABC_server7,ABC_server2,ABC_server10,ABC_server4,ABC_server6</target>
<descriptor-file-name>jdbc/ABCCDWDataSource-2021-jdbc.xml</descriptor-file-name>
</jdbc-system-resource>
<jdbc-system-resource>
<name>ABCCDWDataSource_coper</name>
<target>ABC_server9,ABC_server8,ABC_server3,ABC_server1,ABC_server5,ABC_server7,ABC_server2,ABC_server10,ABC_server4,ABC_server6</target>
<descriptor-file-name>jdbc/ABCCDWDataSource_coper-9655-jdbc.xml</descriptor-file-name>
</jdbc-system-resource>
<jdbc-system-resource>
<name>ABCOracleDS</name>
<target>ABC_server9,ABC_server8,ABC_server3,ABC_server1,ABC_server5,ABC_server7,ABC_server2,ABC_server10,ABC_server4,ABC_server6</target>
<descriptor-file-name>jdbc/ABCOracleDS-5997-jdbc.xml</descriptor-file-name>
</jdbc-system-resource>
<jdbc-system-resource>
<name>ABCReportDataSource</name>
<target>ABC_server9,ABC_server8,ABC_server3,ABC_server1,ABC_server5,ABC_server7,ABC_server2,ABC_server10,ABC_server4,ABC_server6</target>
<descriptor-file-name>jdbc/ABCReportDataSource-6033-jdbc.xml</descriptor-file-name>
</jdbc-system-resource>
<jdbc-system-resource>
<name>ABC_NEON_DATASOURCE</name>
<target>ABC_server9,ABC_server8,ABC_server3,ABC_server1,ABC_server5,ABC_server7,ABC_server2,ABC_server10,ABC_server4,ABC_server6</target>
<descriptor-file-name>jdbc/ABC_NEON_DATASOURCE-9653-jdbc.xml</descriptor-file-name>
</jdbc-system-resource>
<jdbc-system-resource>
<name>ABCRDRDS</name>
<target>ABC_server9,ABC_server8,ABC_server3,ABC_server1,ABC_server5,ABC_server7,ABC_server2,ABC_server10,ABC_server4,ABC_server6</target>
<descriptor-file-name>jdbc/ABCRDRDS-5401-jdbc.xml</descriptor-file-name>
</jdbc-system-resource>
<jdbc-system-resource>
<name>ABCtest</name>
<target>ABC_server6</target>
<descriptor-file-name>jdbc/ABCtest-jdbc.xml</descriptor-file-name>
</jdbc-system-resource>
<jdbc-system-resource>
<name>ABCreport</name>
<target>ABC_server6</target>
<descriptor-file-name>jdbc/ABCreport-jdbc.xml</descriptor-file-name>
</jdbc-system-resource>
</domain>

Security Setup

Hi,
We are having HFM used for reporting and consolidation.
Two Specific issues/questions
1) We are having seperate Development, UAT and production environments. However the security setup/AD groups for all three environments are same. We cannot create different security groups in three different environments as it will affect meta data level changes.So the issue is that , person having UAT environment is also able to access the production system, as AD groups for security class are same. Is there a way we can diffentiate the security of three different environments?
2) HFM offers application adminsitrator roles. However, we are having 3 different team:
A) One performing change management such as meta data level changes
B)Second one performing security
C)Third one performing maintainance actiivites such as dispensation, bypass,validation tolerane limit load excahgne rate.
Is there a way we can segregate these responsibilites by setting up different access/roles for the users.
Your help would be much appreciated.

Hi,
In regards to question #1 :
Option a - Use Native Groups. If you were using Native Groups as opposed to the AD groups, you could keep everyone assigned to the same groups and simply have different levels of access between the apps. A lot of systems will use Native Groups with external directories (i.e. Active Directory) for users. This probably isn't something of interest since you already have everything in AD and would be a lot of hassle to rework....
The other options I propose really depend on what exactly are you trying to accomplish in DEV vs PROD in regards to security. They are somewhat hackish but would solve your issue....
Option b - If you want everyone to have full access to everything in DEV as opposed to more limited access in prod, give the WORLD built in group access to all of your security classes in DEV only.
Option c - If you want everyone to have the same entity / account access just a different level (i.e. Read to Write), then you can just extract the production security file and replace all the security class access items from Read to All, etc.
Option d / e - If you want to give people different account / entity access as opposed to level of access, this is a bit trickier because any moves you make in AD would apply for all of the apps.... I would think this wouldn't be that common and maybe you only need this for a couple people? For the few instances of this, I think the best bet optiosn are : d.) create a Native Group and put them in that with the proper security class access. e.) Assign the user directly to the security class with the proper access in the environment. Security class access is not contained in AD and the changes would not automatically propagate..... If you have to do this for a "ton" of users, it wouldn't be much fun though.
In regards to question #2 -
A) - First of all, if someone has the HFM client or a text editor and access to the metadata file, anyone can make the changes. Your best bet is to control the extracting and loading aspect of this. The 'Load System' role will control who can load metadata to HFM.
B) - Provisioning Manager will allow changes to user access to the App
C) Not sure what you're looking for here. Exchange rates would be a data load so they would need to be able to load data to the system. This sounds like more of an Account / Entity access item so you would need to make sure the user has proper security class access in HFM.

Re: Environment Console Security

Similar Messages

Maybe you are looking for