Restricting access via user agent

Similar Messages

• Restricting Access via User Groups

  So I have created some user groups via the Administration page in APEX. I would like to use these groups to control access to various tabs in my database application. Can someone please tell me how I might go about doing this? I can't seem to locate a good example.
  Thanks,
  Mark

  Hi Mark,
  You can e.g. create an authorization scheme (shared components) - pl/sql function returning boolean.
  You can use some functions in apex_util to determine if they should have access. e.g. apex_util.current_user_in_group(p_group_name in varchar2); http://docs.oracle.com/cd/E23903_01/doc/doc.41/e21676/apex_util.htm#BABHCBEG
  Then just apply that authorization scheme to the tab and consequent pages associated to the tab.

• ASA WebVPN - restrict access to users in an AD group via ACS

  Hi folks.
  I'm doing an WebVPN pilot on one of our ASA's (running 7.2.2). Everything is working fine, but I've been asked to restrict access to users that are members of a certain Active Directory group (lets call the group "VPNTEST")
  Right now the ASA does radius auth against out ACS 4.x appliance, which has an external database mapping (via the ACS remote agent) to our Windows active directory domain.
  Currently there are only two groups in ACS, the Default (which we use for Wireless authentication) and the "Operations" group, which we use for TACACS auth for the network.
  I can create a group in ACS that maps to the AD VPNTEST group, but where/how do I restrict WebVPN access to just members of that group? Is it a setting on the ACS or the ASA?

  Try using the following to tie users to certain group policies:
  Using a RADIUS Server
  Using a RADIUS server to authenticate users, assign users to group policies by following these steps:
  Step 1 Authenticate the user with RADIUS and use the Class attribute to assign that user to a particular group
  policy.
  Step 2 Set the class attribute to the group policy name in the format OU=group_name
  For example, to set a WebVPN user to the SSL_VPN group, set the RADIUS Class Attribute to a value
  of OU=SSL_VPN; (Do not omit the semicolon.)

• TC with Access via User Accounts

  Hi all folks,
  I start using a new TC (2TB with 7.5.1) with access via User Accounts switched on, but it confuses me a little. In general I'm interesting in storing some more data to the TC, also I'm interesting in using seperate folder/mountpoints.
  I add some User Accounts (I used the short names from my Mac, for example lutz, test, work, gast and admin) and every User can logon/connect to the TC, with a User Folder and a "Data" Folder, but admin can't connect to the User Folder.
  All the time I try to logon/connect with the admin User, I can mount the "Data" Folder, but I can't mount the "admin" Folder (but the folder is shown).
  In the Mac Syslog I find,
  /System/Library/CoreServices/Finder.app/Contents/MacOS/Finder[111]:
  NetworkNode::handleMountCallBack returned -6602
  I got a box with,
  The operation cannot be completed because the original item for "admin" cannot be found.
  And in the TC Syslog I find,
  Syslog Protocol 6 - All Information
  Nov 18 00:16:54 Gewichtung: 5 AFP login OK from [email protected].
  Nov 18 00:16:57 Gewichtung: 5 AFP session from [email protected] closing.
  Nov 18 00:16:58 Gewichtung: 5 AFP login OK from [email protected].
  Nov 18 00:18:03 Gewichtung: 3 No Address for NTP server time.euro.apple.com.
  I got folders like this, "lutz" and "Data" and both are empty.
  From the admin Point of view the "Data" Folder looks like this and the "admin" folder can't connect too.
  "Data"
  "Data/Shared"
  "Data/Users"
  "Data/Users/lutz"
  "Data/Users/test"
  "Data/Users/gast"
  "Data/Users/work"
  "Data/MacBook.sparesbundle"
  "Data/PowerBook.sparesbundle"
  My question, is "admin" an TC internal User too?
  What's the reason I can't mount the "admin" Folder and why I got a complete view to the TC filesystem with the "admin" User only?
  It's nice to see this, but what's the reason!
  How to add some more Shared folder for data exchange?!
  Any idea what's happend,
  thanks for any help, I can't find any information about this behavior,
  Lutz
  p.s.
  The password from the User Account definitions are ignored for the "admin" user, the TC Password is used all the time.
  p.s.
  I read "http://web.me.com/pondini/Time_Machine/FAQ.html", too.

  Hi all folks,
  anyone who spend some time to add an User Account named "admin" to a TC and try to logon/connect to the TC with this user.
  If someone try to do this, don't use the same password for "admin" and the TC itself, but try to logon/connect with "admin" to the TC with the defined passwords, both. I can connect "admin" to the TC with the TC password only, not with the password defined via User Account.
  Thanks for any help,
  Lutz

• ASA WebVPN. How do you restrict access to users in an AD group using LDAP?

  Hi All,
  I am trying to configure separate WebVPN connection profiles to give different portal bookmark contents to users based on their AD group membership.  This has been very difficult, even though I beleive it should be easy.
  The login page of teh ASA by default has a dropdown to allow default users to access the default portal and the SSL VPN client connection.
  There are two other portals that I would like to restrict access to based on AD group membership.  I have set these up to be selected by URL.
  The biggest problem is, I have no way of knowing how to go about this.  The AAA LDAP options show a group membership search, which I have configured, but I cannot say "Profile X is restricted to AD group CarpetBaggers", so that if soneone that is NOT a carpetbagger tries to log in, it fails.
  I can only do an all or nothing scenario.
  It would be nice to use Dynamic Access Policies to do this, and I have created a few, but they do NOT seem to work when the drop down aliases or URLs are in use.  So how do I go about using them in this scenario?  Turning off the aliases or URLs is not really an option right now.
  Scenario 1 would work the best for me.  Restrict access to profiles/groups based on AD group membership using LDAP.
  Scenario 2 would be an ideal longer term solution.
  Any thoughts, ideas or assitance would be greatly appreciated.
  Cheers

  This is exactly what i was looking for, and Nelson is correct.  When you enter the DAP configuration for a profile click on "Advanced" and there is the option to create a logical expression.  The guide (ther is a button to access this) is really helpful, with a couple of examples.  This is what i used:
  assert(function()
     if ( (type(aaa.ldap.distinguishedName) == "string") and
          (string.find(aaa.ldap.distinguishedName, "OU=Users") ~= nil) )
  then
         return true
     end
     return false
  end)()
  from the debug dap you can see what Users relates to;
  DAP_TRACE: Username: MyUsername, aaa.ldap.distinguishedName = CN=Mr B,OU=Users,OU=Site ******,DC=CH,DC=Mycompany,DC=com
  My admin account fails to get me in to the same profile:
  DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["distinguishedName"]="CN=Admin Mr B,OU=Admin Users,OU=Site *****,DC=CH,DC=Mycompany,DC=com"
  Thanks
  Andrew

• Restrict access to users in customer line item display FBL5N

  Hi all,
  We got a requirement from my client that, they want to restrict access of their users to view details of few customers  only. The user has a right to view FBL5N transaction code, but he cannot view all customers details.
  we created 4 customer account groups,we created like .. SD customers1
                               SD customers2
                               Onetime customers
                               FI customers
  These FI customers cannot be viewed by all users except who has authorization in Tcode  FBL5N, we need to restrict to display only SD and one time customers details.
  we have tried with Basis but its not working and its blocking to view all customers.
  anyone got this kind of requirement , Is it possible to restrict....please help me.
  Thanks
  Nagesh
  Edited by: nag on Dec 27, 2011 5:26 PM

  It is standard behaviour that the authorization object F_KNA1_GRP(account group authroization) is not checked
  in the transacion FBL5N. You can confirm this functionality in trans. SE24.
  As a workaround, I would suggest you to use the authorization object F_KNA1_BED Customer: Account Authorization
  If you assign an authorization group as the accouting group, perhaps you can get a similar functionality.
  Please note that for the 'drill-down' or direct call of FBL5N these objects are checked:
    F_BKPF_BLA Accounting Document: Authorization for Document Types
    F_BKPF_BUK Accounting Document: Authorization for Company Codes
    F_BKPF_GSB Accounting Document: Authorization for Business Areas
    F_BKPF_KOA Accounting Document: Authorization for Account Types
    F_BKPF_BED Accounting Document: Account Authorization for Customers
    F_KNA1_BED Customer: Account Authorization
    F_KNA1_BUK Customer: Authorization for Company Codes
  Kind Regards
  Soumya

• Restricting access via MAC address?

  Hello,
  Could someone please tell me how to restrict access to my wireless network (and internet sharing) by only allowing computers with a certain MAC address to join?
  I'm kinda stumbling around here
  Thanks,
  Jonny

  Sorry if I wasn't being specific enough...
  I have my eMac set up as a Software Base Station, which streams internet & Airtunes to an Airport Express. I have it set up this way, because my ADSL modem is connected via USB (so it's a bit of a workaround). As a result, I have Internet Sharing switched on, so I can access it from all my other macs.
  What I want to do is to stop other people from accessing my eMac's internet connection. If I set up a WEP password for Internet Sharing, I lose my Airtunes facility... so I was thinking another way might be to restrict access to the connection via MAC address. I only want my other airport card-equipped macs to access the internet connection and network generally.
  Surely it's possible?

• How do I restrict access so users can only visit certain sites?

  At work we are setting up a laptop in order to do only one thing - use one particular website. I'd like to make sure nobody can visit any other sites.

  Your secure computer has a piece of unpleasant software - My Web Search. Remove any signs of it in Add-ons>Extensions and Plug-ins. Also check in Add/Remove Programs(Programs and Features in Win7). Also make sure you don't have any entries for Fun Web Products.
  You are showing Fx3.5.8. If that is so, it is high time you updated. Chances are, though, that My Web Search has frozen your User Agent String.
  Google for further information but don't accept advice from people behind these products. You can also look in the Search Firefox Help box above.

• Anyconnect IKEV2 restricting access via AAA auth Group

  Hi Everyone,
  I have ASA config with 2 connection groups
  Say Group  1 and 2.
  Currently both are assigned to Same Auth AAA group
  One of our external vendor has access to both XM files of connection group 1 and 2..
  If i want Vendor should connect only to  Connection Group 2 should i change the AAA auth group for connection group 2?
  Then even if he tries to connection group 1 it should not work as AAA Auth group will be only assigned to Group 2 right?
  Regards
  Mahesh

  Hi Rick,
  There is info
  Our ASA is configured with two connection groups.Our Vendor has XML files of both the
  Connection groups say                                      1 and 2.
  AAA Authentication group  called ----------------- RSA  ----Two servers are there in RSA group.
  We are using 2 factor Authentication.
  We want vendor to connect to connection group 2 only.
  We have two RSA Authentication  servers they are in HA mode so if one dies other can do the authentication.ASA has only 1 authentication  group called say RSA and both connection groups 1 and 2 are tied to the same Authentication group called RSA.
  If i configure new AAA server group say RSA2 for connection group 2 but it has same 2 servers will
  it restrict the vendors connection to connection group 2 only?
  Also when you say --- authentication server can differentiate between the vendor users and other users and supply a group membership ID in the authentication response?
  Need to know how i can do this?
  Regards
  MAhesh

• Restricted access for user in SU01

  Hi All
  How can we give authorisation to a User to modify access (Create/Delete/Password Change/Role assign /Role Delete..etc) for other user IDs but that user should have only display access for his User ID.
  Please Help me in this.

  Hi,
  I have worked with many clients, and the requirement of handling the user Administration and Role Administration is different from each client to other client.
  Some client may ask for the same person should handle both User and Role ADministration, but some client may ask for separating the tasks.
  In your case, if you want to restric the person to maintain the other users but not the own user id, this can be achieved by doing the following:
  Create a separate user group who is doing the administration part and create other user groups for other users.
  Create a role with SU01 and restrict the Standard objects with all user groups except the administation one and add S_USER_GRP authorization object manually into the same role and provide only 03 with the administration object.
  The above will solve the problem of administration not able to update the own user id, but the other users.
  Regards
  Anandm

• Access denied errors in domain logs after configuring Ldap and restricting access to users

  Hi Experts,
  I'm getting access denied errors in my domain logs , this log is written continiously ..Has any one encountered the same issue and fixed this?
  ####<Sep 2, 2014 2:30:07 PM EDT> <Error> <Default> <ftizsldmwapp001.ftdc.cummins.com> <AdminServer> <[ACTIVE] ExecuteThread: '27' for queue: 'weblogic.kernel.Default (self-tuning)'> <<anonymous>> <> <096a131bdb6c126e:6cecae89:14834848020:-8000-0000000000009bc8> <1409682607304> <J2EE JMX-46335> <MBean attribute access denied.
    MBean: EMDomain:EMTargetType=j2ee_application,name=em,type=EMIntegration,Application=em
    Getter for attribute HostName
    Detail: Access denied. Required roles: Admin, Operator, Monitor, executing subject: principals=[]
  TIA,
  -Karthik

  Hi Experts,
  I'm getting access denied errors in my domain logs , this log is written continiously ..Has any one encountered the same issue and fixed this?
  ####<Sep 2, 2014 2:30:07 PM EDT> <Error> <Default> <ftizsldmwapp001.ftdc.cummins.com> <AdminServer> <[ACTIVE] ExecuteThread: '27' for queue: 'weblogic.kernel.Default (self-tuning)'> <<anonymous>> <> <096a131bdb6c126e:6cecae89:14834848020:-8000-0000000000009bc8> <1409682607304> <J2EE JMX-46335> <MBean attribute access denied.
    MBean: EMDomain:EMTargetType=j2ee_application,name=em,type=EMIntegration,Application=em
    Getter for attribute HostName
    Detail: Access denied. Required roles: Admin, Operator, Monitor, executing subject: principals=[]
  TIA,
  -Karthik

• SQ00 Restrict Access By User Group

  Hi all,
  I've just created a BOM Overview Report (Query) in SQ00 by using a logical database. I've assigned user's to the User group for the Z_BOM info set to run the report.   
  In Production client nobody has permissions to run SQ00 at this time. My question is if I put transaction SQ00 or SQ01 in a role and assign to users will they be able to run for any info set, or try and create new queries on thier own in there?   I don't want my production floor folks being able to see financial queries.....how do I set this up from a security standpoint...so these users only see the new SQ00 BOM Overview Report?  Thanks for your Input!!

  Let me tell you a better way of doing this for all users...
  Steps:
  1. Remove authorizations for tcodes SQ00, SQ01, SQ03, SQVI.
  2. If possible remove authorization for SA38, SE38. This is to prevent users by copying the program name from other queries (menu >> system >> status) and executing.
  3. Note down the report name for a particular query. In SQ01 you can do this by clicking In background button or following the menu path Query >> More functions >> Display Report name
  4. Create a custom authorization object e.g. Y_SHOP_FLOOR in tcode SU21 (similarly for financials etc if you want) and assign it to relevant users.
  4. Create a Z or Y transaction code in SE93 (of type report), assign the step 4 custom authorization object to this tcode and enter the report name from step 3.
  Edited by: Jeevan Sagar on Feb 5, 2012 1:18 AM

• Restrict Access to certain users based on if a variable in the SQL database is set to 1

  Hey guys,
  I am quite new to PHP and MySQL and I have a question concerning access  restriction. For a website project I am experimenting with Dreamweaver's  login and restrict access behavior, which works fine. However, on the  website I would like to restrict access for users that only have a 1 set  in the corresponding MySQL database (which means that e.g. each page has a different variable in the database that can be set to 1, which would allow me to personify access beyond the level of the out-of-the box option, where each user can only have one access level). So it is quite similiar to the  out-of-the-box restrict access to page based on user group, but just  depending on another variable in the database.
  I guess it can be done with an if condition that checks in the database if the logged in user has a 1 in this variable, and if yes give her/him access if not redirect to another page. However, I could not figure out  how to implement that.
  Your help is highly appreciated!
  Thanks in advance!

  Hello guys,
  I spend quite some time on the internet reseaching my wish and redefined my need: I would basically like to have the possibility to assign a user multiple access levels. There would be e.g. 10 pages for each I create an access level. Then a user with e.g. access to pages 2 and 8 can only access these two pages. So my basic question is if and if yes how I can assign a user muliple access levels at a time and store these values in the MySQL database.
  Thanks a lot for your help!!

• Restricting access to a  cube while it is being maintained

  Hi,
  We are trying to restrict access via discoverer/excel add in to a CUBE while cube is being maintained. We were able to achieve this by revoking privileges to certain roles before the start of the cube build.
  I would like to know if there is any better way or built in functionality(out of box) that restricts access to a cube a while it is refreshing? Any help is appreciated.

  Ragnar is correct, the best way to do this is to attach the AW in exclusive mode. You can either do this manually yourself before starting your load job, or automatically by scheduling the job and using mutiple processes to load and solve the cube.
  The problem is removing users currently viewing data via Excel/Disco when the job starts. If you can ensure there will be no users accessing the AW when the job starts, then the exclusive attach mode will prevent any users from attaching the AW during the processing. If you cannot guarantee this, then there is a problem because the job will fail when it tries to attach the AW in exclusive mode. Obviously you could put this in a loop and wait until a user exits the front end application and releases the AW. Alternatively, you could write a SQL script to disconnect/kill all sessions accessing the AW - not very nice for the users though if they are building a report because they will lose all their unsaved changes.
  When the AW is attached in exclusive mode, bad news is that Discoverer/Excel will probably generate a nasty Java error message when a user tries to connect using Discoverer/Excel.
  Therefore, overall not an ideal situation. But I cannot think of a really good way to manage this at the moment. Sorry I can't be more helpful.
  Keith Laker
  Oracle EMEA Consulting
  OLAP Blog: http://oracleOLAP.blogspot.com/
  OLAP Wiki: http://wiki.oracle.com/page/Oracle+OLAP+Option
  DM Blog: http://oracledmt.blogspot.com/
  OWB Blog : http://blogs.oracle.com/warehousebuilder/
  OWB Wiki : http://wiki.oracle.com/page/Oracle+Warehouse+Builder
  DW on OTN : http://www.oracle.com/technology/products/bi/db/11g/index.html

• OIM 11g R1 (11.1.1.5.0) Restricting access to Modify resources by field.

  Is there a way to restrict the access to modify specific fields on a resource, based on roles? In design console you have the options of, "Allow Insert", "Allow Update", "Allow Delete" on the form associated with different roles. Is there any way you can restrict this access specifically to fields in the way you can restrict access to user attributes based on authorization policies?

  You are failing to utilize the product then.  You don't have to utilize a soa-composite for this.  They can be set to auto-approve anyway.  But you should not just grant admin access to the user and all their resources so easily.
  Not sure what kind of event handler you can even use.  You could try and explicitly deny access to those roles by adding them to the form permissions and unchecking all the values.
  -Kevin