Restrict access to Sharepoint to a group of AD users

Similar Messages

• Restrict access to buttons, regions, etc. on a per user basis?

  My application restricts access to buttons, regions, etc. on a per user basis.
  Here is my application logic...
  1. A User can only edit items they own.
  2. A Super-User can edit all items
  So, when a user logs in, I use a post-authentication process to set the user ID to an application level item.
  Now, for example, to have an edit button display on a page, I need to check the item's owner ID against the application level user ID...and check to see if this user is on the Super User list via a query.(which could be set to another application level item upon login...I guess)
  Question...What is the best way to do this? Conditional display? Authorization scheme?
  Would something like the following work for a Conditional Display?
  Condition: SQL Expression
  &USER_ID.=&P6_ITEM_OWNER_ID. OR USER_ID in (select USER_ID from table where USER_ID=&USER_ID.)
  How would I do this with an Authorization Scheme? (I like the idea of updating the logic in single location...but I'm not sure if it is possible because I have to check PX_OWNER_ID would be different on each page.)

  Hi Denes,
  Thanks for your code which allows user to edit (if authorized) and view (if not).
  But some how - I do not get the image to show up - instead it show a small underline.
  From SQL point of view - here is what I get - when i run the sql
  '<img src="/i/ed-item.gif">',2,CR TEST,,,,dune2.cit.cornell.edu,CRDMTEST.CIT.CORNELL.EDU,PSPROD,,,CRDMTEST
  Here is my wrap_image function
  create or replace function wrap_image(p_user_name in varchar2,p_dm_name_id in number)
  return varchar2 IS
  v boolean := False;
  ret_val varchar2(1000);
  begin
  dbms_output.put_line('user='||p_user_name);
  dbms_output.put_line('dm_name='||p_dm_name_id);
  -- Check authorization if the user is super user - return true, else if he has edit priv on dm_name_id - return true - else false
  v:=ACL_DMTOOLS_DM_PRIV(p_user_name,p_dm_name_id);
  if v then
  ret_val := '<img src="/i/ed-item.gif">';
  ret_val := ''''||ret_val||'''';
  dbms_output.put_line('TRUE');
  else
  ret_val := '';
  dbms_output.put_line('FALSE');
  end if;
  return ret_val;
  end;
  Thanks for your great educational site.
  Regards
  atul

• ASA WebVPN. How do you restrict access to users in an AD group using LDAP?

  Hi All,
  I am trying to configure separate WebVPN connection profiles to give different portal bookmark contents to users based on their AD group membership.  This has been very difficult, even though I beleive it should be easy.
  The login page of teh ASA by default has a dropdown to allow default users to access the default portal and the SSL VPN client connection.
  There are two other portals that I would like to restrict access to based on AD group membership.  I have set these up to be selected by URL.
  The biggest problem is, I have no way of knowing how to go about this.  The AAA LDAP options show a group membership search, which I have configured, but I cannot say "Profile X is restricted to AD group CarpetBaggers", so that if soneone that is NOT a carpetbagger tries to log in, it fails.
  I can only do an all or nothing scenario.
  It would be nice to use Dynamic Access Policies to do this, and I have created a few, but they do NOT seem to work when the drop down aliases or URLs are in use.  So how do I go about using them in this scenario?  Turning off the aliases or URLs is not really an option right now.
  Scenario 1 would work the best for me.  Restrict access to profiles/groups based on AD group membership using LDAP.
  Scenario 2 would be an ideal longer term solution.
  Any thoughts, ideas or assitance would be greatly appreciated.
  Cheers

  This is exactly what i was looking for, and Nelson is correct.  When you enter the DAP configuration for a profile click on "Advanced" and there is the option to create a logical expression.  The guide (ther is a button to access this) is really helpful, with a couple of examples.  This is what i used:
  assert(function()
     if ( (type(aaa.ldap.distinguishedName) == "string") and
          (string.find(aaa.ldap.distinguishedName, "OU=Users") ~= nil) )
  then
         return true
     end
     return false
  end)()
  from the debug dap you can see what Users relates to;
  DAP_TRACE: Username: MyUsername, aaa.ldap.distinguishedName = CN=Mr B,OU=Users,OU=Site ******,DC=CH,DC=Mycompany,DC=com
  My admin account fails to get me in to the same profile:
  DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["distinguishedName"]="CN=Admin Mr B,OU=Admin Users,OU=Site *****,DC=CH,DC=Mycompany,DC=com"
  Thanks
  Andrew

• SSH login- how do I restrict access to a shared folder?

  I have created Shares in WGM for SMB and AFP access on my OS X 10.4.8 Server. However when I connect via SSH it's not restricting access to the folder based on the User Name I login with- I see the entire volume! How do I restrict access to a specific folder based on a user name setup in WGM? ACL's?

  Hey George,
  It sounds like you are trying to limit ssh/sftp users to a specific area, aka jails. The FTP server lets you 'chroot' users to a certain area making it appear as the root thus preventing them from navigating up the hierarchy, which is what I think you, and me and many others are trying to accomplish.
  The ssh compiled into OS X is missing this very needed feature. There have been a few documented workarounds, but they've either been too insecure or too clunky for me.
  I've dealt with the fact that my users can get to the root of the hard drive, and have just been very careful about my privileges (by using ACLs), thus preventing them from getting inside areas they shouldn't.
  There's a good write up here: http://www.schwie.com/brad/macosxsftpchroot/ and if you include the term 'chroot' in your searches, you should find a bit about it here too.
  And Roger, I think George meant the file sharing protocol used by ssh. man sftp.

• Restricted access to nodes in SOLAR01

  Hi
  I have setup restricted access to the nodes in SOLAR01 (details shared below in the for "information area") - now I need to enter the team members who are allowed to update documentation in each business process & step.
  It seems that access to a higher level node is not inherited by the lower level nodes so I have to update each business process & step individually.
  This is going to be a mammoth task that will need to be repeated every time a new team member joins - is there a mass update function avaialble or perhaps a way to cause the lower level nodes to inherit the team member access of its parent?
  regards
  Marina
  For information
  To set up restricted access I did the following for standard project users;
  1.  In transaction SOLAR_PROJECT_ADMIN, edit your project and go to tab "Proj. Team Member'
  Check the box "Restrict changes to nodes in project to assigned team members
  (make sure you have assigned your team members in the grid)
  2.  Make a copy of SAP_SOLAR01_ALL role into the customer namespace and make the following changes
  S_PROJECT
  ACTVT = 03,23,71,76
  also set your project ID
  S_PROJ_GEN
  project ID = your project
  proj_func = SCEN
  S_DATASET
  actvt = 33,34
  add in S_IWB
  ACTVT = 01,02,03,33,6,80,D1,V1
  IWB_AREA = IWBSOLAR
  IWB_EXTNSN = /KWCUST/
  IWB_FLDGRP = your project
  AI_SA_TAB
  remove PRODATA from TABNAME (for administrators who should be able to edit everything create an auth with this made available).
  Any other entries I have not specifically mentioned I have given them a * value.

  Hello,
     If you want the team member to be inherited along the lower nodes you have to use button "Make Mass Changes"; access the higher node, go to "Administration" tab, then "Team member" tab, then use the fourth button "Make mass changes" to add a team member, after that, it will be inherited along the lower nodes.
  I hope that hleps!
  Best regards,
  Federico.

• Restricting access to link based on a user's accesslevel

  I've gotten the DW login feature working for restricting
  access to pages based on a user's successful login and associated
  accesslevel. However, I have some links that open an Excel
  spreadsheet and an Outlook calendar. Is there an easy way to
  restrict access to a link so that an unauthorized user can't
  navigate to the link? Here's my code for the link:
  <td height="19" colspan="3"
  valign="top"><em><strong><a
  href="STI-Intranet/XLS/PROD_SCHED.xls" title="Current Production
  Schedule (Read Only)">STI Production Schedule
  </a></strong></em></td>
  <td height="4%" valign="top"><strong><a href="
  http://server_3/public/cal_engineering/"
  title="FROM INTRANET"><font size="2" face="Verdana, Arial,
  Helvetica,
  sans-serif">INT</font></a></strong></td>

  What server side language are you using? Do the links need to
  be restricted
  to just one access level, or multiple levels? Should it be
  blocked for only
  one level or multiple?
  Bryan Ashcraft (remove brain to reply)
  Web Application Developer
  Wright Medical Technologies, Inc.
  =============================
  Macromedia Certified Dreamweaver Developer
  Adobe Community Expert (DW) ::
  http://www.adobe.com/communities/experts/
  "mslee1965" <[email protected]> wrote in
  message
  news:e52o7e$3ak$[email protected]..
  > I've gotten the DW login feature working for restricting
  access to pages
  > based
  > on a user's successful login and associated accesslevel.
  However, I have
  > some
  > links that open an Excel spreadsheet and an Outlook
  calendar. Is there an
  > easy
  > way to restrict access to a link so that an unauthorized
  user can't
  > navigate to
  > the link? Here's my code for the link:
  >
  > <td height="19" colspan="3"
  valign="top"><em><strong><a
  > href="STI-Intranet/XLS/PROD_SCHED.xls" title="Current
  Production Schedule
  > (Read
  > Only)">STI Production Schedule
  </a></strong></em></td>
  >
  > <td height="4%" valign="top"><strong><a
  href="<a target=_blank
  > class=ftalternatingbarlinklarge
  > href="
  http://server_3/public/cal_engineering/"">http://server_3/public/cal_engin
  > eering/"</a> title="FROM INTRANET"><font
  size="2" face="Verdana, Arial,
  > Helvetica,
  sans-serif">INT</font></a></strong></td>
  >
  >

• Best way to restrict access to documents (outside of the group or library level)

  Hi, we're thinking of implementing SharePoint Server 2013 Standard Edition for our organization. Many of our employees are research scientists working on proprietary information. From the (admittedly little) I understand about SharePoint, if a user wants
  to restrict access to a particular document to the 2 or 3 people with whom they're collaborating (and also have it not appear in the search results), they will have to email their power user to request that a new document library be created in which they can
  store their documents. Is that correct? In this case, what is the best way to handle item-level permissions? Users absolutely want to have the freedom to restrict access to their documents themselves rather than being forced to go to their power user. Thanks.

  Hi,
  Per my knowledge, if you want to restrict access to the documents to some users, then you need to have Manage Permissions permission to modify other users’ permission on the documents.
  If you do not have the Manage Permissions permission, I recommend to ask the site administrator to create a workflow as below to remove the corresponding users’ permission on the documents which you uploaded. You can start the workflow on the document you
  upload and then the permission of the users set on the workflow will be removed from the document.
  Best regards.
  Thanks
  Victoria Xia
  TechNet Community Support

• Problems to restrict access to a page when the user belong to more than 1 group

  I have realized that Dreamweaver on a coldfusion document only works fine when the user only belongs to a single group, this is because the code supplied by dreamweave when you use the option "Restrict access to a page" at "Server behaviors" it assumes that the user only have one group as you can see on this line created automaticly by dreamweaver:
  <cfif MM_Username EQ "" OR MM_UserAuthorization EQ "" OR ListFind("admin",MM_UserAuthorization) EQ 0>
  MM_UserAutorization has the value of the field assigned for the list of groups or levels, as you can see it could work if we reverse the parameters of the listfind function but the problem would be if we grant the access to more than one group because the sentence would be like this:
  <cfif MM_Username EQ "" OR MM_UserAuthorization EQ "" OR ListFind("Admin,Manager",MM_UserAuthorization) EQ 0>
  so both paramethers are lists therefore no user will get access to the page.
  I am trying to make a work around to fix this problem but I don't know how to get the name of the page since the Application.cfc so I can validate the access to this page against tables on my database.
  Does someone have a work around or a tip how to fix this problem?
  Thanks in advance.
  AG

  Seems like you have a problem with your group names.ctxLdap.modifyAttributes(groupName,member);Ensure that the value of your variable groupName is a a valid distinguished name.
  Note that an OU (organizationalUnit) is not a group. You do not add users to OU's, you create users in OU's.

• Anyconnect IKEV2 restricting access via AAA auth Group

  Hi Everyone,
  I have ASA config with 2 connection groups
  Say Group  1 and 2.
  Currently both are assigned to Same Auth AAA group
  One of our external vendor has access to both XM files of connection group 1 and 2..
  If i want Vendor should connect only to  Connection Group 2 should i change the AAA auth group for connection group 2?
  Then even if he tries to connection group 1 it should not work as AAA Auth group will be only assigned to Group 2 right?
  Regards
  Mahesh

  Hi Rick,
  There is info
  Our ASA is configured with two connection groups.Our Vendor has XML files of both the
  Connection groups say                                      1 and 2.
  AAA Authentication group  called ----------------- RSA  ----Two servers are there in RSA group.
  We are using 2 factor Authentication.
  We want vendor to connect to connection group 2 only.
  We have two RSA Authentication  servers they are in HA mode so if one dies other can do the authentication.ASA has only 1 authentication  group called say RSA and both connection groups 1 and 2 are tied to the same Authentication group called RSA.
  If i configure new AAA server group say RSA2 for connection group 2 but it has same 2 servers will
  it restrict the vendors connection to connection group 2 only?
  Also when you say --- authentication server can differentiate between the vendor users and other users and supply a group membership ID in the authentication response?
  Need to know how i can do this?
  Regards
  MAhesh

• Restricting  Access for SQ01 User Group

  Hi ,
  Please let me how to Restrict  Access for a   User Group  to only some of  the specific users?
  Thank you
  Edited by: Vibhor Arora on Apr 12, 2010 7:29 AM

  Hi,
  Can you please clarify what exactly you want to know, your request can be interpreted in a few different ways.
  If you are concerned that people have access to all user groups, then you need to remove access to S_QUERY activity 02 and I think activity 23.  They will lose access to all user groups that they are not assigned to via SQ03.

• Restricting access using groups pulled from OID Authenticator

  Using the OID Authenticator provider, can access to WLS be limited to those ldap registered users who belong to a specific group (as specified in ldap) ?
  I have setup an oid authenticator provider which works in terms of WLS authentication. By looking in AdminServer.log I can see that a users group is picked up however, I'd like to use the group name to restrict access. Is this possible if specif param's in the oid authenticator are used ?

  Remove or replace the ACI that says "Anonymous access" with something more in line with the level of access desired

• Restricting access by group

  I have a vpn set up on my PIX with two vpngroups - one for my wireless employees and one for my wireless visitors. I have a visitor account set up in my radius server that is used for authentication to the visitor group. Both groups are set for authentication via radius. My problem is that I do not want a visitor to be able to use that account to authenticate using the wireless employee profile. Is there a way that if I can configure my radius server to put the visitor account in a group - that I can restrict access on the pix when someone tries to log on from this group? Help - any suggestions on how to handle this issue will be greatly appreciated!

  This is possible I guess. Heres are a couple of white paper which could have some info.
  Network Access Restrictions White Paper
  http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a00801a8fd0.shtml
  Securing ACS Running on Microsoft Windows Platforms
  http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a00800887d8.shtml

• ASA WebVPN - restrict access to users in an AD group via ACS

  Hi folks.
  I'm doing an WebVPN pilot on one of our ASA's (running 7.2.2). Everything is working fine, but I've been asked to restrict access to users that are members of a certain Active Directory group (lets call the group "VPNTEST")
  Right now the ASA does radius auth against out ACS 4.x appliance, which has an external database mapping (via the ACS remote agent) to our Windows active directory domain.
  Currently there are only two groups in ACS, the Default (which we use for Wireless authentication) and the "Operations" group, which we use for TACACS auth for the network.
  I can create a group in ACS that maps to the AD VPNTEST group, but where/how do I restrict WebVPN access to just members of that group? Is it a setting on the ACS or the ASA?

  Try using the following to tie users to certain group policies:
  Using a RADIUS Server
  Using a RADIUS server to authenticate users, assign users to group policies by following these steps:
  Step 1 Authenticate the user with RADIUS and use the Class attribute to assign that user to a particular group
  policy.
  Step 2 Set the class attribute to the group policy name in the format OU=group_name
  For example, to set a WebVPN user to the SSL_VPN group, set the RADIUS Class Attribute to a value
  of OU=SSL_VPN; (Do not omit the semicolon.)

• Restricting access of site collection admin

  I have a group of three people in the site collection administrators group.  How do I restrict access to certain content from this group?  These are technology people and we have confidential finance and HR material that they are not authorized to see.  It seems no matter what the security is set at, these people can still see the content.  Please help.

  Hi Milissa,
  An old post, however for reference of anyone finding it, this can now be solved in SharePoint 2010 and SharePoint 2013.
  There is a security module that blocks site collection administrators from viewing sensitive content. More information is available here: https://www.berkeleyit.com/enterprise-security-services-platform-for-sharepoint/
  [At the time of writing] The second video on the right shows this functionality.
  Hope this helps,
  Scott

• Restrict group to edit users in people picke in infopath

  hi
  I have a document with people picker I want to restrict group A to pick or edit the users in existing document and groupB able to edit the users in people picker how is it possible to make it in InfoPath.

  Hello,
  This would be easy to do with groups that can access specific sections of the form and then use SharePoint or AD groups to govern access, but unfortunately it does not work in InfoPath. 
  One alternative possibility is to set up a list in SharePoint and enter the names of the smaller group of people into that list (Person field).
  The InfoPath form has a data connection to that list. The form has one section with a people picker and another section with a calculated field that shows the value of the people picker. 
  When opening the InfoPath form, check if the current user exists in the list and hide the section they should not see.
  cheers, teylyn