Restrict read/edit access for a Manager, when Manager Visibility is enabled

Customer wants to restrict read/edit access for a Manager on his/her subordinates' owned records, if Manager Visibility is enabled at the company level.
For example: If SM1 is a manager of SR1 and SM1's owner profile says that he has Edit Access on his owned records, then he will get Edit Access on the records owned by his sales rep.
The current requirement here is that the Manager should not be able to edit the records of his sales rep but should be able to only View. The manager also needs Edit/Read access on the records which they own.
Is there a possible workaround?

I have devised this to our customer:
First, create a custom text field named "Reports To" on the object, say, Accounts.
Second, use JoinFieldValue to set a default value for the "Reports To" field: equal to the "Reports To" User field value for the current owner.
Third, add a new value named "Manager Read-Only" to the 'Account Type' picklist. Make sure that this picklist value is active.
Fourthly, add a new page layout marking all Account Fields as 'read-only' and name it "Account Read-Only layout".
Fifthly, create a new Account Dynamic Layout and set "Account Read-Only layout" for Field Type = "Manager Read-Only".
Sixthly, create a new workflow rule condition for Account object ( before modified record saved ). Use the workflow rule condition similar to UserValue('<Alias>') = [<ReportsTo>] and set the workflow action to update 'Account Type' picklist value to "Manager Read-Only".
This is just an example. Customer needs to improvise on this.
Any more suggestions please?

Similar Messages

  • Implement strategy for ASA on TACACS w/ restricted read-only access

    An ASA5550 will need to be configured to use TACACS AAA. Currently, the ASA is setup for local authentication. A couple of privilege 15 admin users and a few more privilege 5 read-only users.
    ASA 5550
    running ASA 8.2(2)
    using ASDM 6.3(5)
    authenticating to ACS 4.2
    The admin users and read-only users already have established TACACS usernames and are in established TACACS user groups for logging into routers/switches.
    What's the best way to implement configuration of the ASA and ACS server to maintain the same type of restrictions that's applied using the local database?
    1. Try and avoid the creation of a second TACACS username for the admin and read-only users.
    2. ACS allows restrictions on what devices can be accessed by users/groups. Possible to do reverse? Restrict what usernames can access a device in the ACS database.

    If you want to configure ASA for read-only access via tacacs then you have to do the following task
    ASA/PIX/FWSM Configuration
    In addition to your preset configuration, these commands are required on ASA/PIX/FWSM in order to implement command authorization through an ACS server:
        aaa-server authserver protocol tacacs+
        aaa-server authserver host 10.1.1.1
        aaa authorization command authserver
    On the ACS, you need to create command authorization set for only SHOW commands:
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml#scenario2
    Associate command authorization set with user or group
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml#asso2
    Regards,
    Jatin
    Do rate helpful posts-

  • XCM(Extended Configuration Management) Read Only Access for Webshop

    Hi,
    We don't have XCM admin access in our project. We need to have just the view (read only) access. This will help us immensely during any troubleshooting. Plus we will save a lot of time while troubleshooting if the view access is available to us. In case of any issues in the XCM setting, we can easily pinpoint the issue and ask the ERP team to change it. In absence of it we can only speculate what could have gone wrong on the XCM side. Is there any role in XCM so that we can get just read only access?
    Regards

    Hi,
    The below note will help you.
    Note 1014383 - Read only user in the XCM and Administration area of ISA
    Regards,
    Shanto Aloor

  • How to hide a webpart for all members who have access to this site but keep it visible for the restricted read users?

    Hi,
    Any help?
    Thanks
    srabon

    Hi Srabon,
    We can set the "Target Audience" property of web part to group maintaining restricted read  users.  By this, the web part will be shown to specific users only.
    Please let us know if this helps.
    Thanks,
    M. Gubendra Raj

  • Read only access for bpel console in SOA Suite 10.1.3.5.1(weblogic)

    Hi
    For SOA Suite 10.1.3.5.1 on weblogic, Is there any way to restrict certain users to some pages in bpel console.. e.g. read only access to bpel console.
    I have found articles on web regarding this but they all are for SOA Suite 10.1.3.3 (and 3.4) on Oracle app server. Article provides a hack by using servlet filters.
    How to do a similar thing in SOA Suite 10.1.3.5.1 on weblogic ?
    Can somebody provide step by step instructions?
    Thanks

    Hi James,
    I have already seen this link and several refined versions of it but it won't work for weblogic. For example:
    There is no j2ee/oc4j_soa/applications/orabpel/console directory (I looked into the home directory as well but could not find the orabpel/console dir).
    So the question is where to put the filter class and how to make changes in web.xml, as this file is not present in j2ee/oc4j_soa/applications/orabpel/console/WEB-INF/
    I checked deployments in weblogic admin console and seems BPELConsole is deployed as a module under BPELPM ear.
    Any idea?
    Thanks.

  • How to assign read only access for a database to a single user?

    Hi All,
    I have created a login for one of the users, and I used deny view to deny that user access to any of the databases to be shown. Now, he cannot see any databases in the explorer window.
    My question is: now I want to give this user permission (read-only) to a single database. How can I do that? I have googled around and found some solutions but nothing is working.
    Can someone please help me with any suggestions.
    Thanks a lot for your time and suggestions in advance.
    Thanks

    Hi Bhanu,
    Thanks for your reply, I am not sure I got it. I have a user created with the name of 'msam_test' and if I log in to Management Studio with this userid and password I don't see any databases showing up, because I used the DENY View command to hide them, which is working fine. Now I just want to see only 1 database named 'suresh3_test' with read only access to this database.
    I tried using your code in the below way
    USE [suresh3_test]
    CREATE USER [<msam_test>] FOR LOGIN [<msam_test>] WITH DEFAULT_SCHEMA=[dbo]
     exec SP_ADDROLEMEMBER 'DB_DATAREADER','<msam_test>'
    But i receive an error saying
    Msg 15007, Level 16, State 1, Line 3
    '<msam_test>' is not a valid login or you do not have permission.
    Msg 15410, Level 11, State 1, Procedure sp_addrolemember, Line 75
    User or role '<msam_test>' does not exist in this database.
    Can you please help me on this.
    Thanks
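The errors quoted in the post above come from keeping the angle brackets of the `<msam_test>` placeholder as part of the name. The following T-SQL is an added example, not code from the thread: it maps the login named in the post to a read-only user in `suresh3_test` and then checks the result. It assumes the server login `msam_test` already exists and that the batch is run by a database owner or sysadmin.

```sql
-- Added example, not from the thread. The names msam_test and suresh3_test are
-- the ones quoted in the post; the login msam_test is assumed to exist already.
USE [suresh3_test];
GO

-- Create the database user for the login. The square brackets only delimit the
-- identifier; "<" and ">" typed inside them become part of the name, which is
-- why the statement in the post searched for a login literally named <msam_test>.
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'msam_test')
    CREATE USER [msam_test] FOR LOGIN [msam_test] WITH DEFAULT_SCHEMA = [dbo];
GO

-- Read-only access: membership in db_datareader and in no other role.
EXEC sp_addrolemember N'db_datareader', N'msam_test';
GO

-- Check 1: list every database role the user is a member of.
SELECT r.name AS role_name
FROM sys.database_role_members AS drm
JOIN sys.database_principals AS r ON r.principal_id = drm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = drm.member_principal_id
WHERE m.name = N'msam_test';

-- Check 2: list permissions granted or denied directly to the user,
-- outside of any role membership.
SELECT permission_name, state_desc, class_desc
FROM sys.database_permissions
WHERE grantee_principal_id = DATABASE_PRINCIPAL_ID(N'msam_test');

-- Check 3: impersonate the user and ask the engine for the effective
-- database-level permissions (1 = held, 0 = not held).
EXECUTE AS USER = N'msam_test';
SELECT HAS_PERMS_BY_NAME(DB_NAME(), 'DATABASE', 'SELECT') AS can_select,
       HAS_PERMS_BY_NAME(DB_NAME(), 'DATABASE', 'INSERT') AS can_insert,
       HAS_PERMS_BY_NAME(DB_NAME(), 'DATABASE', 'UPDATE') AS can_update,
       HAS_PERMS_BY_NAME(DB_NAME(), 'DATABASE', 'DELETE') AS can_delete;
REVERT;
GO
```

A user that is read-only in the sense the post asks for holds SELECT in the last query and none of the three write permissions; any extra role in the first query or extra GRANT in the second is where unexpected write access would come from.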

  • Acrord32(acrobat reader) loads up for no reason when i use firefox 4.

    (4-15-11)
    I just started using Firefox 4 (new release) two days ago. I noticed it started to hang and freeze up, so I opened up my Windows Task Manager and saw that 2 files were running "AcroRd32.exe" (Acrobat Reader). I'm using the most updated version of Adobe; the older version of Firefox "3.6.16" did not do this. The question is how do I stop "AcroRd32.exe" from starting up for no reason when I use Firefox? I do not go to sites that have PDFs in them.

    IE uses a different version of Flash (ActiveX) than other browsers use (Plugin version), you need to install the correct version of Flash for Firefox.

  • Restricting (Limiting) SQ01 access for a set of users

    We are attempting to restrict a user so that they can run specific queries but not change them.  We do not want to go into each query within a user group and lock the individual queries.
    We want to make this more global in that all user groups to which a person is assigned can be accessed as run only.
    We want to ensure that individuals can also NOT create queries either.  Display and Execute Only.
    Thanks,
    Shyam

    This is done using the authorization concept. Please create composite and single roles with all the required tcode accesses and applicable for a specific Employee group/ Personnel Area/ Personnel Subarea. The tcode used to create roles is PFCG.
    Below is the set of standard SAP roles and authorization objects.
    AUTHORIZATION OBJECTS:
    P_ORGIN
    P_ORGXX
    P_PERNR
    PLOG (For OM)
    S_PROGRAM
    S_TCODE
    P_TCODE
    S_QUERY
    P_PCLX
    B_LSMW
    S_BDC_MONI
    STANDARD SAP ROLES:
    SAP_HR_OS_HR-ADMINISTRATOR
    SAP_HR_OS_HR-MANAGER
    SAP_HR_OS_ORG-MGT-MANAGER
    SAP_HR_OS-MANAGER
    SAP_HR_OS-SPECIALIST
    SAP_HR_PA_HR-MANAGER
    SAP_HR_PA_HR-ADMINISTRATOR
    SAP_HR_REPORTING

  • How do we restrict the user access for a particular G/L account

    Dear Experts,
    At our customer site, we follow master / derived role concept for authorisations.
    We have a requirement to restrict users at G/L account authorisation level.
    I am aware that every G/L account has an authorisation group. But G/L account authorisation is a non-org value for which the present value is * for brgru, we cannot restrict by user/org. At our customer site the authorisations are provided at master role level for a designation and the derived role is restricted for a plant, BA etc.
    Is there any user parameter level restriction which can handle this requirement, I mean a user parameter for a specific G/L account, as we do LIF pid to restrict vendor level access.
    Appreciate your suggestions ASAP.
    Best regards,
    M.Kumaran

    Depends.
    What are you trying to protect? GL account masterdata (FS00) or FI document creation for specific GL accounts?
    Without knowing more about the design principles behind your roles, your release or other restrictions, I would suggest:
    (1) grouping off the GL accounts you want to protect in authorization groups (maintained via FS00);
    (2) deactivating either object F_BKPF_BES (if you're trying to restrict FI document creation) or object F_SKA1_BES (if you're trying to restrict access to GL account masterdata) or both in master/derived role;
    (3) create several separate roles that would contain only the aforementioned objects with access to specific GL account groups;
    (4) assign the roles from step 3 to users as required.
    Hope this helps.

  • Easy read-only access for noobs

    Lightroom is a great product for the photographer, but for his spouse it's not so easy.  I'd like an easy way to copy an image to the clipboard or export it to iPhoto to be used in other apps like iWeb.
    My photos are stored on a server.  It should be easy for my wife to go through the collection in read-only mode and use photos for blogs, emails, slideshows, etc without having to learn how to sync the directory tree, export from Lightroom and manage those temporary files.  Currently the best process I can find is:
    Use Bridge to browse the photos since only Adobe products can see the Develop settings for the RAW images.
    Select the image and right-click Open-With Camera Raw
    In Camera Raw Save the file as a JPEG into a temporary folder
    In Finder, find the temporary folder, open the JPEG with Preview or drag the file to iPhoto
    If It's in Preview, Copy the image to the clipboard for pasting into an app like Mail or iWeb.
    It seems like we could eliminate several steps here if Adobe Bridge had a convert&copyToClipboard option that would convert a RAW with Develop settings into a JPEG and then copy that JPEG into the clipboard for pasting into an application.
    If anyone has a better approach, let me know.
    Besides the cost overhead, it's not realistic for her to use Lightroom from her computer because Lightroom won't dynamically see folder tree changes without a Sync.  Using Bridge she also loses out on virtual copies.
    Thanks,
    -Ryan.

    Pete,
    Good point... that's true. I shouldn't say there aren't any programs that support XMP... there certainly are!
    I don't know, though, of any application that can read - and more importantly *use* - the XMP data that's specifically related to the Lightroom Developer metadata.
    An application can say that it has read/write support for XMP (which is actually not only for LR, but also for Photoshop and even PDFs), but that doesn't mean the application has to recognize - and honor - every piece of metadata contained within that XMP file. I think a lot of the applications listed on Adobe's website only support a subset of the Lightroom metadata: EXIF, IPTC, geocoding... that kind of thing.
    So it's one thing to say that an app supports XMP, and it's another to say that an application fully supports XMP. If an image editor supported every XMP tag, it could take a RAW + Lightroom XMP file, pick up where you left off in Lightroom, save its own changes back to XMP, and Lightroom would recognize the other editor's changes. I don't think even Photoshop supports XMP to that level!
    I don't know of any app that will read Lightroom's Developer metadata and display the same image that you see in Lightroom, which is what the OP was asking for and  what I was addressing in  saying there aren't apps that support XMP.
    But, you're right, I was an over-sweeping generalization.  So, let me restate more accurately
    The XMP data is developed by Adobe, but it's a published standard so in theory anybody who wanted to COULD read the Lightroom Developer XMP/DNG data. But nobody does.
    Of course, all this is a little academic because even if an organizer (e.g. Picasa) could honor all the Lightroom metadata and display the image "correctly", it wouldn't matter. The ultimate goal of the OP is to use the image in blogs, emails, etc. which is unfortunately still going to require a JPG. Maybe one day DNG and XMP will be as widely supported as JPG (which I think is Adobe's goal)!
    Thanks for keeping me honest

  • How to create a read only access for database

    I am a developer but willing to learn some of the DBA tasks. I would like to know the steps that I need to take to create a read only access database that is going to be used for report development.
    I would really appreciate it if you could tell me all the steps I need to create that. I have full rights to do this in the development database. Thanks

    Thank you for your reply but it does not tell me how I can set up a read only access account for the user. Do I need to create a role and assign the role to the users?

  • Read only access for objects in application designer

    I want to apply read only access to all the objects in application designer. I would like to know how we can do this.
    Jayaprakash Tedla

    Jayaprakash,
    On 8.48 :
    1. Create a PERMISSION LIST
    1.1 leave empty the navigator homepage
    1.2 leave unchecked Can Start Application Server? and Allow Password to be Emailed?
    1.3 On Pages tab, leave it empty
    1.4 On PeopleTools tab, check Application Designer Access, then click on Definition Permissions, Tools Permissions Miscellaneous and Permissions, and put there the rights as well as you want. You can put Read Only on all component in one shot by clicking on the button, or one by one by choosing in the listbox for each type of components.
    1.5 leave all other tab blank
    2. Create a ROLE, and add the permission list created on step 1.
    3. Create the user, and give the role created on step 2.
    4. Open Application Designer, connect there with the new user, and enjoy on read-only access.
    Hope this helps,
    Nicolas.

  • How to configure Mailbox Read-Only access for Mailbox's owner on Exchange Server 2010?

    I have to configure the Exchange Server 2010 mailboxes to grant only Read-Only Access to the mailbox's owners, so they are only allowed to read their messages and cannot modify or remove them.  Are there any references or methods to do this?

    Hi, alexchy8
    We can make use of 2 PowerShell commands to achieve this goal.
    Add-MailboxPermission and Add-MailboxFolderPermission.
    Execute the Add-MailboxPermission command to delegate the read permission at mailbox level.
    Execute the Add-MailboxFolderPermission command to delegate the required permissions on specific folders inside the mailbox.
    You can read the following article as reference:
    http://www.exchangedictionary.com/articles/assign-read-only-mailbox-permission-on-exchange-2010-2013-powershell
    Note: Microsoft is providing this information as a convenience to you. The sites are not controlled by Microsoft. Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. Please make sure that you completely understand the risk before retrieving any suggestions from the above link.
    Best Regards.

  • How enable read only access for ACS server itself

    Hi,
    We would like to know whether it's possible to create read only access to the ACS server. Currently the ACS server has a generic login with full admin rights.
    We need to create a login for a couple of users to log into ACS to check the "Report and Activity" tab. Access to all other tabs should be disabled.
    We are using ACS 4.0 version. Please let me know whether it's possible.
    Thanks
    Nachi


  • How to create a user with read only access for ESB / BPEL Console

    I need to create a user with read only access to ESB Console & BPEL Console. I have created a user (esbreadonly) and assigned the ascontrol_monitor role but the user is still able to delete services from ESB systems (such as DefaultSystem). Is there any way to create a user that has strictly read only access to ESB Console & BPEL Console?
    Thanks
    Dinesh Patel

    Check out this post.. I'm in the process of testing.
    http://chintanblog.blogspot.com/2007/12/i-saw-numerous-people-asking-about-bpel_290.html
