Revoking permissions

Similar Messages

• Revoking permissions for Few of the worksets in System Administration role.

  Hi Experts,
  I would like to revoke the permissions for some of the worksets in the role of System Administration. How can i remove the permissions like that ? Is it posible like that ?
  Thanks
  Suresh.

  Hi Priyanshu,
  "Object manager is not activated" simply means, that the SLD server is not started. So, please, first of all navigate to the SLD URL http://<host>:<httpport>/sld, login with an administrative SLD user -> Admininstration and push the star button.
  Regards,
  Blanca

• SCOM 2012 R2 Post upgrade issues

  Hey all,
  yesterday we upgraded our SCOM environment from 2012 SP1 to R2.  All of the installers ran fine without any issues.  After a couple reboots it was back up however we have run into some issues.
  Issue 1:  The ACS seems to be broken.  I can usually run a query on the ACS database manually and get back audit entries.  However, now I am getting nothing back at all.  Here are the errors that are repeated every few minutes on both
  management servers.  I did run the ACS upgrade on them both yesterday.
  Error occured on database connection:
   Status: 0x00040000
   ODBC Error: 14
   ODBC State: 01000
   Message: [Microsoft][ODBC SQL Server Driver][DBNETLIB]ConnectionOpen (ParseConnectParams()).
   Database: Register
   Connection: ComplianceTest
   Statement: -
  Error occured on database connection:
   Status: 0x00200001
   ODBC Error: 14
   ODBC State: 08001
   Message: [Microsoft][ODBC SQL Server Driver][DBNETLIB]Invalid connection.
   Database: Register
   Connection: ComplianceTest
   Statement: -
  Issue 2:  Our UNIX agents are all greyed out now and when I try to upgrade them I get the following error.
  EDIT: and here is something else I just found on our other management server
  Any info would be great
  Thanks
  Warm Fuzzies!

  I am going to update this post.  The service is still crashing nightly.  The views dvAll, dvAll5 and dvHeader are not being created.  I tried the fix provided by the Microsoft rep and it did nothing.  I have uninstalled and reinstalled
  the ACS server multiple times and the views are never created.  When I start the ACS services I get the same errors.
  AdtServer encountered the following problem during startup:
   Task: Load Certificate
   Failure: Certificate for SSL based authentication could not be found. SSL authentication will be disabled
   Error: 0x00000002
   Error Message:
  The system cannot find the file specified.
  Error occured on database connection:
   Status: 0x00040000
   ODBC Error: 4624
   ODBC State: 01000
   Message: [Microsoft][ODBC SQL Server Driver][SQL Server]Cannot grant, deny, or revoke permissions to sa, dbo, entity owner, information_schema, sys, or yourself.
   Database: SqlWriter
   Connection: Maintenance
   Statement:
  I see where the forwarders are connecting.  No other errors or messages.  The service is set to start up as the Network Services account.  The DOMAIN\SERVER$ has a logon and is mapped to the SQL user AdtServer on the OperationsManagerAC database.
   We have almost a terabyte of data that we cannot get to after the R2 upgrade.
  Very frustrating!!!!
  Warm Fuzzies!

• Using the Security Manager to restrict access to a single package

  After reading up on the Security Manager, the package.access property and the use of the [accessClassInPackage RuntimePermission|http://java.sun.com/javase/6/docs/technotes/guides/security/permissions.html#RuntimePermission] , it seemed to me that it would possible to set up the following: I have a security-sensitive code base packaged in a jar, and I want to make sure that only one client code base that I specify is permitted to access it. The idea here is to prevent malicious code from executing anything in the sensitive code base; the sensitive code is only accessible to one client that I name in a security policy file. Perhaps rather foolishly, I advised a client to consider this before testing out a sample myself, because much to my surprise, it appears to me that it isn't possible to get the Security Manager to do this at all. Am I missing something? I'm a bit startled by this conclusion -- it seems like such an obvious use for the Security Manager, I'm hard-pressed to be believe that it can't be done, and more inclined to suspect that I'm going about it wrong.
  Here's what I thought I could do: set up the package.access property so that it denies access to any package; then in the policy file, grant the RuntimePermission/accessClassInPackage to the client code base that is permitted to access the sensitive code.
  Of course, you wouldn't want the package.access property to exclude all packages in the global java.security file, because then no code could be accessed at all. It would be necessary to use the trick of resetting the package.access property within the code, as [illustrated in the secure coding guidelines|http://java.sun.com/security/seccodeguide.html#1-1a] .
  But the problem lies in the idea of "use the package.access property to deny access to +any+ package". There doesn't seem to be any way to use wildcards or the like with the property -- it has to specifically name packages (or package prefixes) to which access is forbidden. It wouldn't do to try to name the packages to which I'm trying to prevent access, since we're trying to prevent access from malicious code -- the attacker could just choose package names that aren't on the list. I'd really need to say that access is denied to all packages, except for those in the permitted code base, but the security mechanisms for package access don't seem to allow that.
  Moreover, the trick of changing the value of package.access can't be done within the client code -- otherwise, the attacker client would just set the property to his own purposes. But it can't really be done within the sensitive package either, because the whole idea is to prevent access to that package, and by the time it's busy setting the property, it's already too late, because the package has to have been accessed by a client to get there at all.
  It seems to me that this a symptom of something I've never really understood about the design of the Security Manager -- you can grant permissions to specific code bases, but you can't revoke permissions from specific code bases, let alone all code bases. What I want to do here is grant access permission to one specific code base and revoke it from all others. There doesn't seem to be any way to express that with the mechanisms of the Security Manager.
  The more I look at it, the more it seems that there's just no way to use the Security Manager this way -- set up package access so that a specific code base can only be accessed by one specific client code base. There are surely other ways to get the effect that I'm looking for, but as far as I can tell, none of them involve restricting package access (for example: define a custom permission, grant it only to the permitted client. and check against that permission within the sensitive code base; meaning that the sensitive code has to be accessible to anyone in the first place). This conclusion really surprises me (not to mention my bit of embarrassment with the client); wouldn't this be precisely the sort of thing the Security Manager ought to be good for?

  You're looking at this back to front. The security policy file is there for the client to decide how much access he is going to give this application, not for to application to restrict who can use it. If you want to control what used to be called 'state orientation' you can do that directly by looking down the stack trace inside your code.

• How can I download Firefox for my Android but decline Google's policy block?

  Google demands that I accept all the policies they list before I can download Mozilla Firefox. The reason I want Firefox is because Firefox respects my privacy. Google does not respect my privacy and wants to sell my stats. THAT is the reason I want Firefox! How can I download Firefox & decline Google's unacceptable demands?

  By default you cannot. Android's permission model is based on you trusting the app you are installing to use the permissions it asks for with care.
  If you are willing to root your phone and install a custom version of the Android operating system CyanogenMod allows you to granularly approve and revoke permissions from the app you are running.
  This is a somewhat dangerous process and if the wrong things happen you could wreck your phone.
  http://wiki.cyanogenmod.com/wiki/CyanogenMod_Settings#CyanogenMod_settings
  * Permission management [checkbox]: Do you want to be able to allow/revoke permissions to your apps? is what you want
  http://www.cyanogenmod.com/devices/motorola-droid-2

• Problem connecting (read only) to Sybase Server using Crystal XI

  Hi,
  I'm having a very similar problem to Renuha in the thread 'Problem connecting to Sybase Server using Crystal XI-Version-11.0.0.1994'
  The thread is marked as assumed answered but I suspect not!
  I am experiencing this issue in Crystal XI R1 11.0.0.2495, post SP4 install.
  Though the issue was exactly the same pre SP4 install, when it was a vanilla install @ version 11.0.0.1282.
  I am trying to connect to a Sybase database via Crystal > Start Page > Standard Report Wizard > Standard Report Creation Wizard > Sybase Server > Make New Connection
  I enter the details, of my read only user account, and select my desired database, from the (successfully) populated 'Database' drop down.
  After some time, in the 'Standard Report Creation Wizard' window I get the server listed under the Sybase Server branch, but, on expanding the server I only get '...no items found...'. However ,if I use the sa account, after selecting a particular database, I can see all the available database objects under the Sybase Server > [server] node.
  I am on Windows XP Pro SP3, with Sybase Open Client v12.5.2
  I assume my Sybase Open client is correctly installed as I am able to successfully connect using the sa account.
  I am trying to connect to a Solaris 10 (5.10) system running Sybase @@version= Adaptive Server Enterprise/15.0.3/EBF 16548 ESD#1/P/Sun_svr4/OS 5.8/ase1503/268
  Our database vendor/supplier has said:
  "...Crystal reports is not handling the granularity of the Sybase revoke permissions and assuming we've revoked all access to any table where we have revoked only write access.
  Is anyone able to assist?
  Thanks,
  Matt

  Don,
  Thanks again for the response and my apologies for the delay in reply - they keep giving me other work to do!!
  Anyway.
  CR XI R2 SP6 successfully installed.
  Same outcome on Sybase connect, with a full read/write sa account
  i.e. successfull connect and sight of all database objects within my chosen database.
  Same outcome on my restricted read only account
  i.e. I am able to successfully authenticate and choose which database I wish to select but subsequently, still, 'no items found' is displayed when I expand my database node.
  I believe it is a problem with the read only account as both accounts are able to connect, as shown by the availablilty of the dropdown, listing the available databases within the specified Sybase instance.
  The reasons for going down this path are as you suspect - I've been asked to provide access which is not full!
  As far as the testing via test tbl creation.
  I know very little of Sybase (?!) and all our Sybase DBA activities are carried out by our system/dB vendor/supplier.
  To do further testing I would have to go back to our dB vendor/supplier but, as mentioned, (I get the impression) they already beleive they have carried out all required of them by providing locked down read only access.
  I ought to mention that the database trying to be accessed is a restored copy of "the previous days" live data, on an MIS server. The read-only account comes over as with full privileges, and it is a script, subsequent to database restore, which knocks down the accounts privs, to read-only. Given this scenario what would I have to ask of them re further testing/troubleshooting?
  Thanks,
  Matt

• Exchange Server 2013 and ms-Exch-SMTP-Accept-Authoritative-Domain-Sender

  Hello, Team!
  I think I’ve found a serious issue in last CU releases. This is the case:
  1 Multirole server Exchange 2013 SP1 (and older) , one creceive connector from internet to this server, no edge, nothing.
  I care about preventing spoofing my company’s email addresses, and remove remove the ms-Exch-SMTP-Accept-Authoritative-Domain-Sender transport permission from anonymous senders.
  To do this, we usually simple run powershell command
  Remove-ADPermission <ReceiveConnector Name> –user “NT AUTHORITY\Anonymous Logon” –ExtendedRights ms-Exch-SMTP-Accept-Authoritative-Domain-Sender
  This command works on Exchange SP1, the client (telnet session, f.e.) which try spoof address of company will be refused. (see screenshot below)
  But in Exchange 2013 CU5, CU6 and even CU7 release this revoke permissions DOESN’T WORKS without any errors, softly. I've try Powershell and ADSI but
  unsuccessfully.
  Then we take off permission on connector above,
  we keep 3 default permissions:
  Accept-any-sender
  Accept-Routing-Headers
  Submit-Message to Server
  It is wonderful works only on server SP1, but not on servers with older versions, which have right settings.
  The saddest thing is I have information about Office 365 this behavior reproduced too. And I also think what in your lab you could take 15 minutes and play this simply thing....
  I found only that information on connector side is diffenent on SP1 and CU5,6,7.
  This is normal connection on SP1, when somebody try spoofed address. We can see a 250 AUTH Response on server side, and server refuse fake connection, all right.
  And on CU5 and newest versions we doesnt see this code. Maybe auth mechanism miss something?
  Any suggestions? On MS connect site a didn't found exchange bugs topic :)

  Hi Dmitriy,
  Thanks for your update.
  Then how about the receive connector configuration? Are they using the same authentication settings?
  Thanks.
  I would like to clarify the situation a little
  for you.
  I carried out a large migration project environment from EX2010 to 2013.
  When I support this environment for 2013 more than two years.
  And setting worked well in 2010,CU1,CU2,CU3,and finally in
  SP1 over from my upgrades.
  Understand that it does not work in versions of
  the above, and I'd really like
  to know why.
  I repeat that I would like to know
  in the first place, why it
  does not work anymore?
  Why it is not documented?
  As You can see, if you approach with the existing
  and available information on the problem, not
  you will immediately understand that there are serious problems
  caused serious changes.
  I want to attract the attention of the  Exchange team  and other peoples
  to the problem and find out why
  this is happening.
   

• UCM security modeling

  Hi,
  The use case is like this
  OID
  1. I have different groups in OID say Group1, Group2,...... 1000+ groups
  2. I have other groups (apart from the 1 mentioned above) as well in OID say OtherGroup1, OtherGroup2,...... 1000+ groups
  Please NOTE: The users presnt in Group1, Group2,.... and OtherGroup1, OtherGroup2,.... are completely different users
  Also all the groups mentioned above are already repsenr and I cannot modify the existing groups as they are used for some other purposes as well.
  I can just use the existing groups.
  In my webcenter application I crate a object say "Sales"
  And I want to create a folder in UCM by same name called as "Sales" and the contents inside this "Sales" folder should have the security as mentioned below
  1. "Content1"
       - "Group1" should have R, "Group2" should have RW, "Group3" should have RWD
       - "OtherGroup1" should have R, "OtherGroup2" should have RW, "OtherGroup3" should have RWD (This group might remain same for all contents)
  2. "Content2"
       - "Group4" should have RWD, "Group5" should have RW, "Group6" should have R
       - "OtherGroup1" should have R, "OtherGroup2" should have RW, "OtherGroup3" should have RWD (This group might remain same for all contents)
  and so on..
  So please suggest how can I achieve this type of security model in UCM.
  Thanks in advance.

  which account am I suppose to add on "Contnent1"The account will be Content1. @Content1_R is the name of a group in LDAP, which grants its members R permission to the Content1 account.
  And also what should be the "SecurityGroup" for "Content1" since "SecurityGroup" is mandatory for a content item check in. You may have to create a generic group where all users have RWD permissions - resulting permission are intersection of those from SG and accounts.
  Also once the account is added I cannot change the permission for a particular user, so the option left with me will be to assign him to different account which has desired permission for given content (that too if I can add multiple accounts).Account is a setting on a content item, and it is expected to be changed only exceptionally. What you can change, though, is membership of users in your created groups - thus, granting/revoking permissions of users to particular accounts. This can be as dynamic as you need.

• AclEntry.setNegativePermissions() implemented by weblogic.security.acl.AclEntryImpl?

  I've implemented a custom realm on wl6.1 sp1 which extends the LDAPv2 realm
  (implementing the ManageableRealm interface) for users and groups and
  delegates to a rdbms delegate for aclentry management. I read an earlier
  post about revoking a permission which requires a custom realm to augment
  the weblogic.security.acl.AclImpl class. My question is similar in nature.
  In a situation where a positive AclEntry needs to be changed to a negative
  entry, what are the requirements imposed on the custom realm implementer?
  Do I need to worry about the checkPermission call on the Acl implementation?
  On the AclEntry implementation? Is there a BEA recommended path similar to
  that for revoking permissions?
  I would also recommend that the BEA responses to the revoking permissions
  post and this be included in the documentation outlining the
  responsibilities for implementing a custom realm.
  Thanks!
  Jon
  Jon Wilmoth
  Software Architect
  eSage Group
  (206) 264-5675 (Voice & Fax)
  [email protected]
  http://www.esagegroup.com

  Hi Jon,
  Your issue should be raised with BEA support. With regard to your second isssue:
  "and this be included in the documentation outlining the
  responsibilities for implementing a custom realm."
  You should raise this as an enhancement either via the support channels or via
  [email protected]
  Kind Regards,
  Richard Wallace.
  Senior Developer Relations Engineer.
  BEA Support.
  "Jon Wilmoth" <[email protected]> wrote:
  I've implemented a custom realm on wl6.1 sp1 which extends the LDAPv2
  realm
  (implementing the ManageableRealm interface) for users and groups and
  delegates to a rdbms delegate for aclentry management. I read an earlier
  post about revoking a permission which requires a custom realm to augment
  the weblogic.security.acl.AclImpl class. My question is similar in nature.
  In a situation where a positive AclEntry needs to be changed to a negative
  entry, what are the requirements imposed on the custom realm implementer?
  Do I need to worry about the checkPermission call on the Acl implementation?
  On the AclEntry implementation? Is there a BEA recommended path similar
  to
  that for revoking permissions?
  I would also recommend that the BEA responses to the revoking permissions
  post and this be included in the documentation outlining the
  responsibilities for implementing a custom realm.
  Thanks!
  Jon
  Jon Wilmoth
  Software Architect
  eSage Group
  (206) 264-5675 (Voice & Fax)
  [email protected]
  http://www.esagegroup.com

• ACL Question in Weblogic

  Hi,
  From the Weblogic document, it mentioned that the ACL only work on file Realms.
  Can it apply to directory like http://www.bea.com/*.
  Here is what I need to do:
  For http://www.bea.com:7001 is free to access,
  for http://www.bea.com:7001/administrator or http://www.bea.com:7001/test can
  only be access from certain IP arrange or VPN.
  Can it be done by Weblogic? or I need to build my own http proxy?
  Furthermore, I saw that Weblogic also support UNIX Security Realm, does I means
  that I can allow only defined UNIX user to access certain directory ot files?
  btw, I am using Weblogic 6.1.
  Thanks a lot!!

  Hi Jon,
  Your issue should be raised with BEA support. With regard to your second isssue:
  "and this be included in the documentation outlining the
  responsibilities for implementing a custom realm."
  You should raise this as an enhancement either via the support channels or via
  [email protected]
  Kind Regards,
  Richard Wallace.
  Senior Developer Relations Engineer.
  BEA Support.
  "Jon Wilmoth" <[email protected]> wrote:
  I've implemented a custom realm on wl6.1 sp1 which extends the LDAPv2
  realm
  (implementing the ManageableRealm interface) for users and groups and
  delegates to a rdbms delegate for aclentry management. I read an earlier
  post about revoking a permission which requires a custom realm to augment
  the weblogic.security.acl.AclImpl class. My question is similar in nature.
  In a situation where a positive AclEntry needs to be changed to a negative
  entry, what are the requirements imposed on the custom realm implementer?
  Do I need to worry about the checkPermission call on the Acl implementation?
  On the AclEntry implementation? Is there a BEA recommended path similar
  to
  that for revoking permissions?
  I would also recommend that the BEA responses to the revoking permissions
  post and this be included in the documentation outlining the
  responsibilities for implementing a custom realm.
  Thanks!
  Jon
  Jon Wilmoth
  Software Architect
  eSage Group
  (206) 264-5675 (Voice & Fax)
  [email protected]
  http://www.esagegroup.com

• How to remove corrupted portal forms.

  I am unable to delete Portal Components (forms, reports) that got
  corrupted
  when I try to revoke permissions from it.
  For example, I granted execute permission to 5 users. Later, when
  I try to
  revoke
  execute permission from 3 users, the form was corrupted totally.
  I can't even
  edit it. So now, it still shows up as an entry under the
  application but I
  cannot even edit nor delete it. How do I remove it? Thanks.

  My new 5800 had the same problem.
  I fixed it like this:
  - first used the Content Copier in the OVI suite to backup the memory card.
  - then go into the FileManager application on the phone, select the memory card and then under Options->Memory Card Options select "Format". This will wipe all the data off the memory card.
  - Then I restored the memory card from the backup using the ContentCopier again (otherwise you end up losing all the Nokia Maps)
  - Switched the phone on and off again.
  - Going into the music player, it came up with a message like "Looking for music files" or something.
  - Once this had finished, all the working music tracks were back in the library but the corrupt ones were gone.
  No other problems that I can see after doing this.
  regards
  Message Edited by lameplanet on 06-May-2009 06:11 PM
  Message Edited by lameplanet on 06-May-2009 06:12 PM

• Confused with DPS versions?

  Being a creative cloud subscriber, I have the ability to build sinlge edition apps with DPS, but I am very confused as to what this means.
  I have a publication which we want to get on the iTunes store. It is one publication which will have multiple issues going forward (one a month). With the single edition version of DPS, will I be able to submit additional issues to my app or does every issue have to be it's own app? Furthermore, will I be able to require readers to subscribe to read the publication?
  It would seem completely illogical to me to not let an app update with future issues of a publication and I really hope this isn't the case.
  Any help is appreciated.
  Thank you.

  You can set up an account at digitalpublishing.acrobat.com/welcome/ using whatever email/username/password the client would like.  When firing up DPS, you login to the Folio Builder using those credentials then build your folio accordingly.
  For the next client, repeat the process using a different email/username/password.
  I would also recommend having your own acrobat.com account for testing purposes then, when the folio is complete and good to go, just recreate the entire folio in the proper client account.
  I'd definitely get with the client and see how they'd like to proceed.  Contrary to other advice, with using the Adobe Content Viewer method the size of your viewship is meaningless.  Doesn't matter if there's 10 or 1000 people logging in and using the folio via the Content Viewer - it works the same way. There's no download or signup limit that I'm aware of.. With an Enterprise account, there's a far greater level of control and security that a corporation would appreciate - including distribution.  If there's an enterprise account, the IT group can set up provisional profiles that go out to pre-approved devices (iPad, iPhone, Android), and then the users can download.  Much better control and I believe that IT could also immediately revoke permissions if necessary.  With the Content Viewer method, once it's out there...it's out there.  No way to pull it from individual devices.  You'd have to delete the entire folio in the Builder...but then everyone loses it the next time they login to the Content Viewer app.

• DPS versions

  Not sure if im still on the loop but as far as i know there's a single, pro, and enterprise subscriptions of DPS.   However, I was advised by a vendor that single and pro will no longer be offered soon specifically by next month.
  I also noticed on the adobe pages that Enterprise is being promoted and infos and comparison about single and pro is nowhere to be found.
  Can someone enlighten us please?  Thanks

  You can set up an account at digitalpublishing.acrobat.com/welcome/ using whatever email/username/password the client would like.  When firing up DPS, you login to the Folio Builder using those credentials then build your folio accordingly.
  For the next client, repeat the process using a different email/username/password.
  I would also recommend having your own acrobat.com account for testing purposes then, when the folio is complete and good to go, just recreate the entire folio in the proper client account.
  I'd definitely get with the client and see how they'd like to proceed.  Contrary to other advice, with using the Adobe Content Viewer method the size of your viewship is meaningless.  Doesn't matter if there's 10 or 1000 people logging in and using the folio via the Content Viewer - it works the same way. There's no download or signup limit that I'm aware of.. With an Enterprise account, there's a far greater level of control and security that a corporation would appreciate - including distribution.  If there's an enterprise account, the IT group can set up provisional profiles that go out to pre-approved devices (iPad, iPhone, Android), and then the users can download.  Much better control and I believe that IT could also immediately revoke permissions if necessary.  With the Content Viewer method, once it's out there...it's out there.  No way to pull it from individual devices.  You'd have to delete the entire folio in the Builder...but then everyone loses it the next time they login to the Content Viewer app.

• CS6 Stopped Working on OS X Mavericks (Serial Number Revoked)

  I have used Adobe Creative Suite 6 but it stopped working after I upgraded my Mac OS to Mavericks.
  I contacted Adobe support and was advised to uninstall/reinstall, but it still shows the same error message “The serial number you entered has been revoked. This product cannot be licensed.”
  Support staff said there is no issues with my serial number and it must be some technical issue (so they did not agree to reissue the serial number).
  Please kindly advise how to solve.
  I refer to this support page and tried below solutions but did not work for me.
  Delete the FlexNet Publisher preferences folder: I did not have the folder.
  Run the License Repair Tool: Did not work for me
  Repair disk permissions: Did not work for me
  Reset permissions on the FlexNet Publisher licensing service folder: I did not have the folder.
  Solution 5: Reset permissions on the Adobe PCD folder: I did not have the folder.
  Also, I updated Java OS X as shown here, but did not work either.
  I am using Mac Book Air with Mac OS X 10.9.4. I appreciate any advise. Thanks!

  uninstall (using the adobe uninstaller, clean (using Use the CC Cleaner Tool to solve installation problems | CC, CS3-CS6) and reinstall using the installation files.
  Downloads available:
  Suites and Programs:  CC 2014 | CC | CS6 | CS5.5 | CS5 | CS4 | CS3
  Acrobat:  XI, X | 9,8 | 9 standard
  Premiere Elements:  12 | 11, 10 | 9, 8, 7
  Photoshop Elements:  12 | 11, 10 | 9,8,7
  Lightroom:  5.5 (win), 5.5 (mac) | 5 | 4 | 3
  Captivate:  8 | 7 | 6 | 5
  Contribute:  CS5 | CS4, CS3
  Download and installation help for Adobe links
  Download and installation help for Prodesigntools links are listed on most linked pages.  They are critical; especially steps 1, 2 and 3.  If you click a link that does not have those steps listed, open a second window using the Lightroom 3 link to see those 'Important Instructions'.

• Grant permissions on sys.sql_logins doesn't work: why?

  Using admin user I try to run:
  3> GRANT SELECT ON sys.sql_logins TO someuser
  4> go
  Msg 15151, Level 16, State 1, Server ..., Line 2
  Cannot find the object 'sql_logins', because it does not exist or you do not have permission.
  1>
  Why is that?

  Hi Martin
  No, it won't work.
  Features that are Not Supported in SQL Database
  GRANT/REVOKE/DENY endpoint, server-level, server principal, and system object permissions
  and related system tables such as sys.server_principals and sys.server_permissions.
  If you have any feedback on our support, you can click
  here.
  Eric Zhang
  TechNet Community Support