Restricted/View Access Only - User

Hi,
I have a need to create a user account on our ASA (8.x code) device but only allow them read access; particularly, view the overall config and interface statistics.
I have tested with an account, but my attempts at setting the privilege level seem to be ineffective at restricting access. How might I accomplish this task?
thanks,
Jim

Jim, you should get it working after referencing this thread.
http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=Firewalling&topicID=.ee6e1fa&fromOutline=true&CommCmd=MB?cmd=display_location&location=.2cc2c575/4
If you still have issues, let us know.
B.regards

Similar Messages

  • Restrict program access ( only three user at a time)

    Hi
    I want to restrict the program only two users at a time ( with out using authorization object ).
    Thanks & Regards,
    K.Gunasekar.

    Just an idea:
    create a table with one column to store the userid. Each time the program is started, you execute a SELECT COUNT( * ) on that table and EXIT from your program as soon as the table contains more than 2 entries. In case the table does not contain more than two entries, you can proceed after adding the SY-UNAME to that table. At the end of the program you have to delete SY-UNAME from that table.

  • Cup view access only

    I am trying to create a view-only application user for CUP. The customer wants view access to the admin page on CUP. I created a new group and assigned a role of 'ccmadmin view'. I assigned the group to a new application user. I try to log in but it does not present me with the admin pages - it just takes me back to the web login page. If I log in with the wrong password it states wrong username or password, but as I said, if I log in correctly then it just presents me back to the admin page with the blank username and login page.

    Hi
    Ah - I see what you mean. I just labbed this. Looks like someone at Cisco has done a wonderful job of testing this.
    If you've ever done this in CCM, you'll know you normally add the custom user group to the 'Standard CCM Admin Users' role that grants access to ccmadmin, and then give read/update privileges by creating another role.
    Unfortunately with CUPS, you don't see that role in order to be able to add it.
    So:
    Go into User Groups, click on Standard CUP Super Users.
    Click 'Copy', and call the new copy Standard CUP Read Only Users or whatever you like
    Select 'Assign roles to user group' from the drop down
    Remove 'Standard CCMAdmin Administration' but LEAVE 'Standard CCM Admin Users' there.
    Add the 'ReadOnly' role you created or the 'Standard CCMAdmin Read Only' role listed as for 'Presence Administration' to the group
    Save it
    Assign your app user to the group.
    That must be worth more than three stars? :-)
    Regards
    Aaron

  • Restrict view access to a distribution group

    Hi, management have decided they want to have a distribution group made up of all employees personal email addresses (in case of emergency broadcasts etc etc).
    I have been trying to figure out a way to create this list, but only give a few particular users access to view and send to it.
    So far, my thinking is I can put the list into an OU, which only has permissions for those users to view, and disable it for everyone else.
    Just wondering if there is a better way to do this? The send restrictions are pretty straight forward, its the view restrictions that need to be dealt with...
    Thanks,
    Nathan

    Hi Nathan,
    As Amit suggested, you can create a dynamic distribution group. And then follow the steps below to set the message delivery restrictions.
    Open EMC -> Recipient Configuration -> Distribution Group -> right click the dynamic distribution group you want to configure -> Properties -> Mail Flow Settings -> double click the Message Delivery Restrictions -> specify the user who can send to this distribution group.
    For more information, here is a helpful article for your reference.
    Configure Dynamic Distribution Group Properties
    http://technet.microsoft.com/en-us/library/bb124560(v=exchg.141).aspx
    Hope this can be helpful to you.
    Best regards,
    Amy Wang
    TechNet Community Support

  • Restricted view access to other schemas 'showstopper' problem

    I'm tasked with the potential roll-out of SQL Developer across a large number of users (doing away with equivalent software in the process).
    The feedback has been very positive. However, the only real issue stopping the replacement from progressing is that we cannot view certain objects in other schemas (package bodies, triggers etc) ... i.e. we need to connect as the schema owner to view these. This is essential, otherwise everyone would need to know the application schemas password.
    Our current software has the same issue unless the following option in the Options/Startup window is activated: 'Check for access to DBA views. Otherwise, SYS.ALL_xx views will be used when listing objects'. Thereafter the issue is resolved.
    Is there any workaround (e.g. like the above) in SQL Developer?
    Many Thanks.

    Sue, thanks for your reply although I already have access to Package code via tools like SQL*Plus.
    I guess the problem being discussed here is similar to the following thread (for which you have already logged a bug). See:
    How do I view package bodies in another schema ?
    Re: How do I view package bodies in another schema ?
    On a similar issue, I note that there is a possibility that a fix will indeed be implemented in release 1.1. See:
    Package body not visible
    Re: Package body not visible
    Please advise what the current status is relating to a fix?
    Many thanks for any clarification.

  • Restrict Outlook Access Only To Domain Joined PCs?

    We have contractors that use their employers' laptops to access various LAN resources on our network such as access to shared network drives, printers, Remote Desktop and access to our Intranet sites.  They have mailboxes on our Exchange servers and we would like their mailbox access to be restricted to EAS and OWA, not Outlook unless they are using one of our domain-joined computers.
    The main reason for this is to restrict these users from downloading their mailbox contents into a personal folder.  We can create PST restrictions on our domain-joined PCs via group policy, but these policies would not apply to computers not joined to our domain.
    Of course we would also like to prevent Outlook access to their mail from their home PCs that they may have installed Outlook on, but we still need seamless remote access to Outlook on domain-joined laptops used remotely.
    How can this be done?

    PS -- Andy are you going to MEC ?
    Cheers,
    Rhoderick
    Microsoft Senior Exchange PFE
    Blog:
    http://blogs.technet.com/rmilne 
    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.
    I will be there with bells on!
    Twitter!: Please Note: My Posts are provided “AS IS” without warranty of any kind, either expressed or implied.

  • How to restrict "sftp only" user into your home dir and subdir

    Hi OTN forums members
    Question : I want restrict a sftp only user to browse ONLY in your home directory and subdirectory . I don't want sftp user access into other directory.
    Details : I want to use the "ssh bundle package" on s10 (the only package in the SUNWCXall installation cluster). I don't want to use an "external package", such as "ProFTP", "Chroot", the sunfreeware OpenSSH package, etc. Is it possible?
    Technical Details of my system(test) : the hostname and username it's fantasy name, not real ;-)
    root@sunlab1:/[1]$ cat /etc/release
                           Solaris 10 5/09 s10s_u7wos_08 SPARC
               Copyright 2009 Sun Microsystems, Inc.  All Rights Reserved.
                            Use is subject to license terms.
                                 Assembled 30 March 2009
    root@sunlab1:/[2]$ uname -a
    SunOS sunlab1 5.10 Generic_142909-17 sun4u sparc SUNW,Sun-Blade-100
    root@sunlab1:/[3]$ grep explorer /etc/group
    explorer::111:
    root@sunlab1:/[4]$ grep explorer /etc/passwd
    explorer:x:111:111:Sun Explorer Data Collector sftp only user:/export/home/explorer:/usr/lib/ssh/sftp-server
    root@sunlab1:/[5]$ zfs list
    NAME                       USED  AVAIL  REFER  MOUNTPOINT
    rpool                     27.3G  9.33G    96K  /rpool
    rpool/ROOT                11.6G  9.33G    18K  legacy
    rpool/ROOT/s10s_u7wos_08  11.6G  9.33G  11.6G  /
    rpool/cfengine            73.7M   950M  73.7M  /var/cfengine
    rpool/dump                1.00G  9.33G  1.00G  -
    rpool/export              5.01G  9.33G  11.8M  /export
    rpool/export/home         1.40G  3.60G  1.40G  /export/home
    rpool/mp3                 2.65G  2.35G  2.65G  /mp3
    rpool/patches              206M  2.80G   206M  /var/patches
    rpool/swap                 768M  9.58G   514M  -
    root@sunlab1:/[6]$
    root@sunlab1:/[7]$ cd /export/home
    root@sunlab1:/export/home[9]$ ls -la
    total 47
    drwxr-xr-x   5 root     root           9 Oct  7 09:51 .
    drwxr-xr-x   4 root     sys            6 Jun  7 09:44 ..
    drwxr-x---  11 explorer explorer      11 Oct  7 11:30 explorer
    root@sunlab1:/[8]$ sftp explorer@sunlab1
    Connecting to sunlab1...
    Password:
    sftp> dir
    [...more output...]
    sftp> pwd
    Remote working directory: /export/home/explorer
    sftp> cd /var/adm
    sftp> dir
    [...more output...]
    sftp> get messages
    Fetching /var/adm/messages to messages
    sftp> pwd
    Remote working directory: /var/adm
    sftp> bye
    root@sunlab1:/[9]$
    root@sunlab1:/[10]$ pkginfo -l SUNWsshr
       PKGINST:  SUNWsshr
          NAME:  SSH Client and utilities, (Root)
      CATEGORY:  system
          ARCH:  sparc
       VERSION:  11.10.0,REV=2005.01.21.15.53
       BASEDIR:  /
        VENDOR:  Sun Microsystems, Inc.
          DESC:  Secure Shell protocol Client and associated Utilities
    [...snip...]
    root@sunlab1:/[11]$ pca -l installed --pattern=[Ss]sh
    [...snip...]
    Using /var/patches/pca/patchdiag.xref from Oct/14/10
    Host: sunlab1 (SunOS 5.10/Generic_142909-17/sparc/sun4u)
    List: installed (3/584)
    Patch  IR   CR RSB Age Synopsis
    141742 04 = 04 -S- 427 Obsoleted by: 141444-09 SunOS 5.10: sshd patch
    143140 04 = 04 RS- 119 Obsoleted by: 143559-03 SunOS 5.10: ssh patch
    143559 03 = 03 RS-  38 SunOS 5.10: ssh scp patch
    root@sunlab1:/[12]$ pca -l 141444 143559
    Using /var/patches/pca/patchdiag.xref from Oct/14/10
    Host: sunlab1 (SunOS 5.10/Generic_142909-17/sparc/sun4u)
    List: 141444 143559 (2/405)
    Patch  IR   CR RSB Age Synopsis
    141444 09 = 09 RS- 367 SunOS 5.10: kernel patch
    143559 03 = 03 RS-  38 SunOS 5.10: ssh scp patch
    root@sunlab1:/[13]$
    Legend:
    PCA = Patch Check Advanced (http://www.par.univie.ac.at/solaris/pca/). PCA is a free and fast 3PP tool to analyze, download and install patches for Solaris.
    IR = Installed Rev. CR = Current Rev. (published in patchdiag.xref from Oct/14/10)
    RSB = [R]ecommended, [S]ecurity, [B]ad patches
    Reading "man sshd_config" and "man sftp-server" and searching Google was not helpful. Nothing from a MOS Community search.
    Any idea?
    Best Regards
    Michele V.
    P.S.: Excuse me for my bad English.

    Hi OTN forums members,
         I found the solution. Thanks to Andrea Manganaro (aka Amanga) for the help.
    1) Download and install OpenSSH for Solaris 10/SPARC and all dependencies (please read the note at http://www.sunfreeware.com/openssh.html):
         - openssh-5.6p1-sol10-sparc-local.gz: ftp://ftp.sunfreeware.com/pub/freeware/sparc/10/openssh-5.6p1-sol10-sparc-local.gz
         - openssl-1.0.0a-sol10-sparc-local.gz: ftp://ftp.sunfreeware.com/pub/freeware/sparc/10/openssl-1.0.0a-sol10-sparc-local.gz
         - zlib-1.2.5-sol10-sparc-local.gz: ftp://ftp.sunfreeware.com/pub/freeware/sparc/10/zlib-1.2.5-sol10-sparc-local.gz
         - libgcc-3.4.6-sol10-sparc-local.gz: ftp://ftp.sunfreeware.com/pub/freeware/sparc/10/libgcc-3.4.6-sol10-sparc-local.gz
    2) Configure the /usr/local/etc/sshd_config file with the "ChrootDirectory" directive. For me:
    # override default of no subsystems
    #Subsystem      sftp    /usr/local/libexec/sftp-server
    Subsystem       sftp    internal-sftp
    [...]
    # Example of overriding settings on a per-user basis
    Match Group sftponly
            ChrootDirectory %h
            ForceCommand internal-sftp
            AllowTcpForwarding no
    3) Create group and user for sftp-only account. For me:
    root@taurus # groupadd sftponly
    root@taurus # grep sftponly /etc/group
    sftponly::202:
    root@taurus # useradd -g sftponly -c "Sftp only user" -d /export/home/explorer -s /bin/false -m explorer
    explorer:x:1002:202:Sftp only user:/export/home/explorer:/bin/false
    root@taurus # passwd explorer
    New Password:
    Re-enter new Password:
    passwd: password successfully changed for explorer
    root@taurus #
    4) Change the home directory permissions and create a r/w directory (uploads) for the sftponly user account.
    root@taurus # cd /export/home
    root@taurus # ls -la
    total 14
    drwxr-xr-x   4 root     root           4 Oct 29 15:28 .
    drwxr-xr-x   3 root     sys            3 Jan 22  2009 ..
    drwxr-xr-x   3 explorer sftponly       3 Oct 29 15:41 explorer
    root@taurus # chown root:sftponly explorer; chmod 750 explorer
    root@taurus # ls -la
    total 14
    drwxr-xr-x   4 root     root           4 Oct 29 15:28 .
    drwxr-xr-x   3 root     sys            3 Jan 22  2009 ..
    drwxr-x---   3 root     sftponly       3 Oct 29 15:41 explorer
    root@taurus #
    This will make a read-only, chrooted directory, perfect for people to come in and get stuff, but never write.
    For example, you could make a directory explorer/uploads that allows people to write in. Then you can moderate what gets copied into the read-only /explorer area. Remember that if a user can write in a directory then they can also delete anything in that directory.
    root@taurus # cd explorer
    root@taurus # mkdir uploads && chown -R explorer:sftponly uploads && chmod 0755 uploads
    root@taurus # ls -al
    total 9
    drwxr-x---   3 root     sftponly       3 Oct 29 15:41 .
    drwxr-xr-x   4 root     root           4 Oct 29 15:28 ..
    drwxr-xr-x   2 explorer sftponly       2 Oct 29 15:56 uploads
    root@taurus #
    5) Disable SunSSH "service" and enable OpenSSH "service" (with SMF):
    root@taurus # svcadm disable ssh
    See http://www.sunfreeware.com/sshsol10.html for running OpenSSH via SMF on Solaris 10 systems.
    root@taurus # svcadm enable ossh
    root@taurus # svcs -a | grep ssh
    disabled       12:37:51 svc:/network/ssh:default
    online         15:29:41 svc:/network/ossh:default
    root@taurus #
    6) Test your job :-)
    Helpful links:
    ==============
    http://www.sunfreeware.com
    http://www.openssh.org
    http://calomel.org/sftp_chroot.html
    HTH
    Michele Vecchiato
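
Added example, not part of Michele's post or of OpenSSH: step 4 works because sshd only accepts a ChrootDirectory whose every path component is owned by root and is not writable by group or other. The function below audits a path against that rule before a login test; the OWNER_UID and STOP_AT arguments and the scratch-tree demo are assumptions added so it can be run unprivileged.

```shell
#!/bin/sh
# Added example, not from the original post. sshd refuses a ChrootDirectory
# unless every component of its path is owned by root and is not writable by
# group or other; step 4 above (chown root, chmod 750) exists for that reason.
#
# check_chroot_path DIR [OWNER_UID] [STOP_AT]
#   DIR        absolute path that "ChrootDirectory %h" resolves to
#   OWNER_UID  uid that must own each component (sshd requires 0)
#   STOP_AT    topmost component to check, default / (hypothetical parameter,
#              added so the check can be tried on a scratch tree)
# Prints one FAIL line per offending component; returns 0 only if all pass.
check_chroot_path() {
    dir=$1
    want_uid=${2:-0}
    stop=${3:-/}
    rc=0
    case $dir in
        /*) ;;
        *) echo "FAIL $dir: not an absolute path"; return 2 ;;
    esac
    while :; do
        if [ ! -d "$dir" ]; then
            echo "FAIL $dir: not a directory"
            rc=1
        else
            # "ls -ldn" prints the mode string first and the numeric uid third.
            info=$(ls -ldn "$dir" | awk '{print $1 " " $3}')
            mode=${info% *}
            uid=${info#* }
            if [ "$uid" != "$want_uid" ]; then
                echo "FAIL $dir: owner uid $uid, expected $want_uid"
                rc=1
            fi
            case $mode in
                ?????w*|????????w*)
                    echo "FAIL $dir: mode $mode is group/other writable"
                    rc=1 ;;
            esac
        fi
        if [ "$dir" = "$stop" ] || [ "$dir" = "/" ]; then
            break
        fi
        dir=$(dirname "$dir")
    done
    return $rc
}

# Constructed demo: rebuild the post's layout in a scratch directory and check
# it against the current uid, since a scratch tree cannot be root-owned.
demo_chroot_check() {
    top=$(mktemp -d) || return 1
    mkdir -p "$top/export/home/explorer/uploads"
    chmod 755 "$top/export" "$top/export/home"
    chmod 750 "$top/export/home/explorer"
    check_chroot_path "$top/export/home/explorer" "$(id -u)" "$top"
    status=$?
    rm -rf "$top"
    return $status
}

# On a real server: check_chroot_path /export/home/explorer
if demo_chroot_check; then echo "demo tree: OK"; else echo "demo tree: FAIL"; fi
```

The writable uploads directory sits below the chroot, so it is deliberately outside what the function checks.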

  • Create user with DBA privileges with a restriction to access user data

    Hi
    I need to create a user with all DBA privileges with a restriction to access all user schemas
    Thanks,
    Balaji

    Use Database Vault - http://download.oracle.com/docs/cd/E11882_01/server.112/e16544/toc.htm
    HTH
    Srini

  • Hierarchical view access in worklist

    Good Day!
    exists BPM application with roles to grant access to users
    The organisation has Hierarchical structure and user must have access in worklist only to task in his view area
    Is it possible to separate view not only by roles, for example by Hierarchical structure ??
    Ths!

    HI!
    No
    Example
    We have next Organization structure
    1. Company Tester
    1.1Department Socks
    1.1.1 SubDepartment One
    1.1.2 SubDepartment second
    1.1.3 SubDepartment third
    1.2Department T-short
    1.2.1. SubDep T-short One
    1.2.2. SubDep T-short 2
    1.2.3. SubDep T-short 3
    1.3department Smile
    For example, employee Emp works in 1.1.1 - and he has view access only to 1.1.1 tasks in BPM Worklist (of course BPM roles must be granted)
    Next, the employee Boss works in 1.1 and he has access to 1.1 + 1,1,1 + 1,1,2 + 1,1,2 tasks in BPM Worklist
    The CEO works at 1. and has access to all tree

  • Restricting the user to access only one view in or database

    A user wants to create a database link , so that he can view one of our views. We want to restrict permission, so that he can access only that view, and not any of our tables. What is the best way to proceed?
    Thanks in advance,
    Gayatri

    Pl do not post duplicate threads - Restricting the user to access only one view in or database

  • How to restrict a User to access only 2-3 views in MM01/MM02 ???

    Hi,
    Can anyone tell me how can I restrict a User to access only 2-3 views in MM01/MM02 and also the User should not be allowed to change the View selection by clicking on the Select Views button ?.
    Regards,
    Lucky

    Hi Prashant,
    Can this only be done through changes in Authorization Objects ? Is not there any setting which can be done in SPRO for this ?
    Hi Sheshagiri,
    I could not exactly understand how the access to MM Views can be restricted to User through TCode OMT3B i.e. in SSeq. 01 and Screen 07 ? Subscreen 2154 is for Mat. Groups ? Please explain your answer in detail.
    Regards,
    Lucky

  • Restrict View of quotation only by its creator and not to all users

    Hi,
    There is a team of Marketing users who are responsible to send Quotations to Customers for Sales Inquiry.
    One Marketing User is sending quotation to his generated lead/Customer. Similarly another user is also sending a quotation to his own generated lead/ customer.
    Now, after the quotations are sent, while pulling a report, all marketing users are able to view every Quotation sent to different customers created by different users in one screen.
    We don't want one marketing user to view another marketing user's quotation, since there is a possibility of information leakage (Sale Price-Quote) due to which we are losing customers. Somebody from marketing team is leaking the information to competitors.
    Kindly suggest a way to control this problem.

    Hi Nabin
    Are you talking about only in report or do you want to control this in VA23/VA22 transactions as well? If you restrict this in report users could watch this in display quotation transaction.
    And also let me know which report you are talking about? Share the Tcodes please. If this is standard one then its better to remove that from user's role and create your own report. Use authority check object in that report and give access to every user so that they can view their own quotations.
    Search the google with authorization check coding. Create an authorization object with ERNAM field and give every user name in every user's role. If this is confusing for you, you could seek help from your technical guys.
    Thank$

  • Restrict access to users in customer line item display FBL5N

    Hi all,
    We got a requirement from my client that, they want to restrict access of their users to view details of few customers  only. The user has a right to view FBL5N transaction code, but he cannot view all customers details.
    we created 4 customer account groups,we created like .. SD customers1
                                 SD customers2
                                 Onetime customers
                                 FI customers
    These FI customers cannot be viewed by all users except who has authorization in Tcode  FBL5N, we need to restrict to display only SD and one time customers details.
    we have tried with Basis but its not working and its blocking to view all customers.
    anyone got this kind of requirement , Is it possible to restrict....please help me.
    Thanks
    Nagesh
    Edited by: nag on Dec 27, 2011 5:26 PM

    It is standard behaviour that the authorization object F_KNA1_GRP (account group authorization) is not checked
    in the transaction FBL5N. You can confirm this functionality in trans. SE24.
    As a workaround, I would suggest you use the authorization object F_KNA1_BED Customer: Account Authorization
    If you assign an authorization group as the accounting group, perhaps you can get a similar functionality.
    Please note that for the 'drill-down' or direct call of FBL5N these objects are checked:
      F_BKPF_BLA Accounting Document: Authorization for Document Types
      F_BKPF_BUK Accounting Document: Authorization for Company Codes
      F_BKPF_GSB Accounting Document: Authorization for Business Areas
      F_BKPF_KOA Accounting Document: Authorization for Account Types
      F_BKPF_BED Accounting Document: Account Authorization for Customers
      F_KNA1_BED Customer: Account Authorization
      F_KNA1_BUK Customer: Authorization for Company Codes
    Kind Regards
    Soumya

  • SharePoint 2010 List View Web Part not showing for read-only users?

    Hello all,
    I have List View Webparts on my Blank Web Part page, and it's not showing for Read-Only users.
    Is this intended by Microsoft or is it a bug?
    Thank you!

    Hi,
    According to your post, my understanding is that the read only user could not see the list view web part.
    Per my knowledge, the issue may be caused by the user not having the proper permission for the list.
    1. Check whether the user can access the list.
    2. Check whether the user can view all the items instead of partial items in the list.
    3. Check whether there are some fields that refer to other lists or terms, especially a lookup field or managed metadata field.
         If that is the case, make sure the user can access the lookup list.
    Thanks,
    Jason
    Forum Support
    Jason Guo
    TechNet Community Support

  • How to restrict AS02 access to certain fields only

    How to restrict AS02 (Asset Master Record) access to certain fields only. Currently when you assign AS02 to a certain user, this will enable the user to change all the fields in the asset master record. Suppose I want to restrict the user's access to a certain field only, e.g. NDJAR (Life in Yrs).
    Thanks for your inputs.
    Regards,
    Robert

    hello,
    basis has to assign the proper activity with object A_S_ANLKL. in this case they have to allow activity 03 only with combination of Cocode,asset class. see some more details below.
    This authorization object is the first part of the object "asset master record."
    The definition at this level determines whether the user is authorized to process data in a given company code. The activity type for the transaction is also defined here. This authorization object is used for master data transactions, for the display of value fields, and for reporting.
    Defined Fields
    The following fields are assigned to the authorization object
    Asset class (specified by entering a value in the pop-up window)
    Company code (specified by entering a value in the pop-up window)
    Activity type - there are three different activity types:
    01 = Create
    02 = Change (including blocking and deleting)
    03 = Display
