Role-Based CLI Views with AAA method

Similar Messages

• [Solved] How to update records in entity based on view with distinct

  Hi
  - I have a relational view of the form:
  SELECT DISTINCT
  FROM TAB1, TAB2, ...- I created instead of triggers for delete, update and insert.
  - I created an entity object on this and an updatable view object
  - I added this to my module.
  - Then I test the view object in the module (module > test), and if I try to update an existing record, I receive the error:
  (java.sql.SQLException) ORA-02014: cannot select FOR UPDATE from view with DISTINCT, GROUP BY, etc.
  So, ADF internally create as select FOR UPDATE cursor to update the modified record and as the error shows, this is not possible on a view with distinct, ...
  Is there a way to work around this error without to rewrite the view?
  I was thinking that there is maybe a way to force ADF not to use the select FOR UPDATE and use UPDATE .. SET <value> WHERE <pk>, or maybe to create a new instead of trigger to catch the select FOR UPDATE?

  Arti,
  Here's another solution (that will still use locking, and can help avoid the "lost update" problem):
  http://stegemanoracle.blogspot.com/2006/03/using-updatable-views-with-adf.html
  John

• Create edit form based on view with multiple column key

  Hi
  I have a requirement to create a form to update some tables columns based on a view.
  The problem is that the view has a primary key of 4 columns.
  I have tried to create a rowid key based on one underlying table but this does not work.
  I am calling the form from an interactive report but can only pass 3 keys to the form, so only get 3 fields populated.
  Is there some way i can create the form manually as the wizards cannot cope with this requirement?
  My view is here:
  CREATE OR REPLACE FORCE VIEW "DMOADMIN"."MO_STATUS_LOG_VIEW" ("MONEY_ORD_NO", "STATUS_CODE", "DESCRIP", "STATUS_DATE_TIME", "TXN_DATE_TIME", "LLOG_ID", "LINE_SEQ_NO", "CANCEL_IND", "PROCESS_ID", "PBU_ID", "TXN_SEQ_NO", "CANCEL_REASON", "CONDITION_ID", "ADMIN_DATE_TIME", "ADMIN_LLOG_ID") AS
  SELECT a.money_ord_no,
  b.status_code,
  b.descrip,
  a.status_date_time,
  c.txn_date_time,
  c.llog_id,
  c.line_seq_no,
  c.cancel_ind,
  c.process_id,
  c.pbu_id,
  c.txn_seq_no,
  c.cancel_reason,
  c.condition_id,
  d.txn_date_time admin_date_time,
  d.llog_id admin_llog_id
  FROM mo_status a,
  mo_status_desc b,
  host_txn_log c,
  host_admin_log d
  WHERE a.status_desc_id = b.id
  AND a.money_ord_no = c.money_ord_no(+)
  AND a.status_date_time = c.txn_date_time(+)
  AND a.money_ord_no = d.money_ord_no(+)
  AND a.status_date_time = d.txn_date_time(+)
  WITH CHECK OPTION;
  I have tried to populate the data using with an on load process using a plsql query but it is not working. I get no data found error message. Help!

  Hi Erwin,
  I have a similar situation.
  Tabular form based on a view. The view contains a table in a another instance via dblink and everything works fine.
  The only one difference between my and your view is that my "instead of" view is only for UPDATE. You must to have "intead of" trigger only for UPDATE. Insert and delete works fine withoust "instead of" trigger.
  So, try to delete INSERT and DELETE words from your "INSTEADOFBUBA" trigger.
  hope it helps,
  Mzz

• Create LOV based on view with problem - repost

  Hi,
  I have the following scenario:
  1. Create a view based on several tables from a remote database using db link.
  2. Create a LOV based on the created view. In the LOV, I have the where clause
  " where user_name = portal30.wwctx_api.get_user" because I only want individual
  portal user to see his/her own choices.
  However, when I try to test the LOV, it just hangs.
  3. If I create a table based on the created view, and create a LOV based on the newly
  created table, also use the same where clause -
  "where user_name = portal30.wwctx_api.get_user". The LOV returns correctly.
  Why is this happens? And what can I do to make the Lov works from a view instead of table?
  Thanks;
  Kelly.

  Hi Erwin,
  I have a similar situation.
  Tabular form based on a view. The view contains a table in a another instance via dblink and everything works fine.
  The only one difference between my and your view is that my "instead of" view is only for UPDATE. You must to have "intead of" trigger only for UPDATE. Insert and delete works fine withoust "instead of" trigger.
  So, try to delete INSERT and DELETE words from your "INSTEADOFBUBA" trigger.
  hope it helps,
  Mzz

• OIM 11.1.1.5 provisioning role based objectclasses and attributes

  TL;DR You can't provision some attributes in our LDAP directory without the objectclass and I can't figure out the best way to inject the dynamic objectclasses into the create user process without the user being created already.
  Some background:
  I have configured our oim 11.1.1.5 instance and LDAP connector to provision ODSEE.  At another's recommendation, I put all possible LDAP attributes in a single form regardless of which objectclass was needed for them.  In ODSEE, sets of attributes are allowed through objectclasses for each 'Role'.  ie. Student, Employee, Guest, etc objectclasses.  I have all of the roles identified in OIM and can map them to an objectclass in LDAP
  My question is, how can I provision role based objectclasses along with the common ones that are configured in the lookup so that when the associated attributes are provisioned, I don't get objectclass violations? 
  Can I append objectclasses to the list stored in the Configuration lookup in ldapUserObjectClass?
  Should I create a child form containing the objectclasses and try to provision them?
  Can/should I create a child form for each set of attributes by role?  Common attribs in the LDAP_USR form and role based attribs in UD_LDAP_STU, UD_LDAP_EMP, UD_LDAP_GST, etc.  Would prepop and the rest of the main form functions work the same?
  Anything else I'm not thinking of? I am still a novice with some of these topics and may be way off base.
  Any help will be greatly appreciated and thank you in advance

  It is definitely doable if you use a custom LDAP connection implementation and just add objectclass update calls as needed as precursor tasks for the Update tasks.
  Here is a small LDAP demo tool that you can adapt to do the update: http://iamreflections.blogspot.com/2010/08/manage-ad-with-jndi-demo-tool.html
  There may be a smarter and more out of the box way to do it but this will work.
  Martin

• Privileges and Roles Based Views

  Hello,
  I have been confguring Roles based Views with Windows radius authentication on our 2960's and 3750's and it is working great.  I have 2 users, one with a Roles Base View called "priv3" and the other is for admins of login as the "root" view.  I have one Windows Active Directory group for "priv3" users and the other for admins using "root".
  Now I have to configure this on our 2955 switches and to my horror they don't seem to support Roles Based Views!!  fI you know if they can then all this would be solved, I've using the latest IOS c2955-i6k2l2q4-mz.121-22.EA13.bin.
  How can convert the Roles Base Views to privileges and use radius and not effect the other switches,as I've never used privilges.
  I hope someone can help with the config:
  Below is the config I use on the 2960's and 3750's and also what I use on the radius servers.  I guess I would need ot use a priv 15 setup and a custom view called priv3?
  Priv3 radius user settings
  cisco av-pair cli-view-name=priv3
  Priv 15 or root user settings
  cisco av-pair shell:priv-lvl=15
  cisco av-pair shell:cli-view-name=root
  Config:
  version 12.2
  no service pad
  service timestamps debug datetime msec
  service timestamps log datetime msec
  service password-encryption
  hostname 3750
  boot-start-marker
  boot-end-marker
  logging buffered 64000
  logging console informational
  logging monitor informational
  enable secret 5 $1$1UGK$kHB.S2UwMVXaG3C0
  username admin privilege 15 secret 5 $1$BsaS$cLHllovL2ZFb1
  username priv3users view priv3 secret 5 $1$JfnH$vUu.B.natnyB.
  aaa new-model
  aaa authentication login default group radius local
  aaa authentication enable default line
  aaa authorization console
  aaa authorization exec default group radius local
  aaa session-id common
  clock timezone GMT 0
  clock summer-time BST recurring last Sun Mar 2:00 last Sun Oct 3:00
  switch 1 provision ws-c3750g-12s
  switch 2 provision ws-c3750g-12s
  system mtu routing 1500
  udld aggressive
  no ip domain-lookup
  ip domain-name CB-DI
  login on-failure log
  login on-success log
  crypto pki trustpoint TP-self-signed-3817403392
  enrollment selfsigned
  subject-name cn=IOS-Self-Signed-Certificate-3817403392
  revocation-check none
  rsakeypair TP-self-signed-3817403392
  crypto pki certificate chain TP-self-signed-3817403392
  certificate self-signed 01
    removed
    quit
  archive
  log config
    logging enable
    logging size 200
    notify syslog contenttype plaintext
    hidekeys
  spanning-tree mode rapid-pvst
  spanning-tree extend system-id
  spanning-tree vlan 10 priority 8192
  vlan internal allocation policy ascending
  ip ssh version 2
  interface GigabitEthernet1/0/1
  interface GigabitEthernet1/0/24
  interface Vlan1
  description ***Default VLAN not to be used***
  no ip address
  no ip route-cache
  no ip mroute-cache
  shutdown
  interface Vlan10
  description ****
  ip address 10.10.150.11 255.255.255.0
  no ip route-cache
  no ip mroute-cache
  ip default-gateway 10.10.150.1
  ip classless
  no ip http server
  ip http secure-server
  logging trap notifications
  logging facility local4
  logging source-interface Vlan10
  logging 10.10.21.8
  logging 172.23.1.3
  access-list 23 permit 10.10.1.65
  snmp-server community transm1t! RO
  snmp-server trap-source Vlan10
  radius-server host 10.10.1.33 auth-port 1645 acct-port 1646 key 7 090D7E080D37471E48
  radius-server host 10.10.1.34 auth-port 1645 acct-port 1646 key 7 08607C4F1D2B551B51
  radius-server vsa send accounting
  radius-server vsa send authentication
  line con 0
  exec-timeout 60 0
  logging synchronous
  line vty 0 4
  access-class 23 in
  exec-timeout 60 0
  logging synchronous
  transport input ssh
  line vty 5 14
  access-class 23 in
  no exec
  transport input ssh
  parser view priv3
  secret 5 $1$XSCo$feyS.YaFlakfGYUgKHO/
  ! Last configuration change at 16:34:56 BST Fri Apr 13 2012
  commands interface include shutdown
  commands interface include no shutdown
  commands interface include no
  commands configure include interface
  commands exec include configure terminal
  commands exec include configure
  commands exec include show ip interface brief
  commands exec include show ip interface
  commands exec include show ip
  commands exec include show arp
  commands exec include show privilege
  commands exec include show interfaces status
  commands exec include show interfaces Vlan10 status
  commands exec include show interfaces Vlan1 status
  commands exec include show interfaces GigabitEthernet2/0/12 status
  commands exec include show interfaces GigabitEthernet2/0/11 status
  commands exec include show interfaces GigabitEthernet2/0/10 status
  commands exec include show interfaces GigabitEthernet2/0/9 status
  commands exec include show interfaces GigabitEthernet2/0/8 status
  commands exec include show interfaces GigabitEthernet2/0/7 status
  commands exec include show interfaces GigabitEthernet2/0/6 status
  commands exec include show interfaces GigabitEthernet2/0/5 status
  commands exec include show interfaces GigabitEthernet2/0/4 status
  commands exec include show interfaces GigabitEthernet2/0/3 status
  commands exec include show interfaces GigabitEthernet2/0/2 status
  commands exec include show interfaces GigabitEthernet2/0/1 status
  commands exec include show interfaces GigabitEthernet1/0/12 status
  commands exec include show interfaces GigabitEthernet1/0/11 status
  commands exec include show interfaces GigabitEthernet1/0/10 status
  commands exec include show interfaces GigabitEthernet1/0/9 status
  commands exec include show interfaces GigabitEthernet1/0/8 status
  commands exec include show interfaces GigabitEthernet1/0/7 status
  commands exec include show interfaces GigabitEthernet1/0/6 status
  commands exec include show interfaces GigabitEthernet1/0/5 status
  commands exec include show interfaces GigabitEthernet1/0/4 status
  commands exec include show interfaces GigabitEthernet1/0/3 status
  commands exec include show interfaces GigabitEthernet1/0/2 status
  commands exec include show interfaces GigabitEthernet1/0/1 status
  commands exec include show interfaces Null0 status
  commands exec include show interfaces
  commands exec include show configuration
  commands exec include show
  commands configure include interface GigabitEthernet1/0/1
  commands configure include interface GigabitEthernet1/0/2
  commands configure include interface GigabitEthernet1/0/3
  commands configure include interface GigabitEthernet1/0/4
  commands configure include interface GigabitEthernet1/0/5
  commands configure include interface GigabitEthernet1/0/6
  commands configure include interface GigabitEthernet1/0/7
  commands configure include interface GigabitEthernet1/0/8
  commands configure include interface GigabitEthernet1/0/9
  commands configure include interface GigabitEthernet1/0/10
  commands configure include interface GigabitEthernet1/0/11
  commands configure include interface GigabitEthernet1/0/12
  commands configure include interface GigabitEthernet2/0/1
  commands configure include interface GigabitEthernet2/0/2
  commands configure include interface GigabitEthernet2/0/3
  commands configure include interface GigabitEthernet2/0/4
  commands configure include interface GigabitEthernet2/0/5
  commands configure include interface GigabitEthernet2/0/6
  commands configure include interface GigabitEthernet2/0/7
  commands configure include interface GigabitEthernet2/0/8
  commands configure include interface GigabitEthernet2/0/9
  commands configure include interface GigabitEthernet2/0/10
  commands configure include interface GigabitEthernet2/0/11
  commands configure include interface GigabitEthernet2/0/12
  ntp logging
  ntp clock-period 36028961
  ntp server 10.10.1.33
  ntp server 10.10.1.34
  end
  Thanks!!!!

  DBelt --
  Hopefully this example suffices.
  Setup
  SQL> CREATE USER test IDENTIFIED BY test;
  User created.
  SQL> GRANT CREATE SESSION TO test;
  Grant succeeded.
  SQL> GRANT CREATE PROCEDURE TO test;
  Grant succeeded.
  SQL> CREATE ROLE test_role;
  Role created.
  SQL> GRANT CREATE SEQUENCE TO test_role;
  Grant succeeded.
  SQL> GRANT test_role TO test;
  logged on as Test
  SQL> CREATE OR REPLACE PACKAGE definer_rights_test
    2  AS
    3          PROCEDURE test_sequence;
    4  END definer_rights_test;
    5  /
  Package created.
  SQL> CREATE OR REPLACE PACKAGE BODY definer_rights_test
    2  AS
    3          PROCEDURE test_sequence
    4          AS
    5          BEGIN
    6                  EXECUTE IMMEDIATE 'CREATE SEQUENCE test_seq';
    7          END;
    8  END definer_rights_test;
    9  /
  Package body created.
  SQL> CREATE OR REPLACE PACKAGE invoker_rights_test
    2  AUTHID CURRENT_USER
    3  AS
    4          PROCEDURE test_sequence;
    5  END invoker_rights_test;
    6  /
  Package created.
  SQL> CREATE OR REPLACE PACKAGE BODY invoker_rights_test
    2  AS
    3          PROCEDURE test_sequence
    4          AS
    5          BEGIN
    6                  EXECUTE IMMEDIATE 'CREATE SEQUENCE test_seq';
    7          END;
    8  END invoker_rights_test;
    9  /
  Package body created.
  SQL> EXEC definer_rights_test.test_sequence;
  BEGIN definer_rights_test.test_sequence; END;
  ERROR at line 1:
  ORA-01031: insufficient privileges
  ORA-06512: at "TEST.DEFINER_RIGHTS_TEST", line 7
  ORA-06512: at line 1
  SQL> EXEC invoker_rights_test.test_sequence;
  PL/SQL procedure successfully completed.
  SQL> SELECT test_seq.NEXTVAL from dual;
               NEXTVAL
                     1

• AAA and Role based access (NPS)

  Hi
  I authenticate all my cisco switches and routers with AAA + NPS + AD
  A server runs NPS service with cisco attribute shell:priv-lvl=15 or 5, depending of AD group.
  But I'd like configure role based with IOS view.
  When I issue the enable view command,  I get
  Password:
  I tried with my AD password, enable configurated password, and always gets
  % Authentication failed
  Mi line vty config
  line vty 0 4
  authorization exec VTY-AAA
  login authentication VTY-AAA
  transport input ssh

  Have you gone through the below listed parser view configuration example. Please check here
  View authentication is performed by an external authentication server via the new attribute "cli-view-name" so you need to use cisco-av-pair as cli-view-name=xxxx
  AAA authentication associates only one view name to a particular user; that is, only one view name can be configured for a user in an authentication server.
  In case you still have any issues, run debug parser view and share the output, I'll try to help.
  ~BR
  Jatin Katyal
  **Do rate helpful posts**

• Renumbering with ACL-Friendly Role-Based Addressing or...?

  We are a mid-sized manufacturing firm operating out of three locations and we are in the process of making plans to restructure and renumber our networks so as to better facilitate automated configuration management and security, in addition to easing our deployment of IPv6.  Currently, at each site the L3/L2 boundary resides at the network core, but increasing traffic/chatter has us considering moving the L3/L2 boundary to the access layer(s), which consist of 3560-X units in the wiring closets that are supporting edge devices either directly or via 8-port 3560-C compact switches in the further reaches of our manufacturing and warehouse spaces.
  As we contemplate moving to a completely routed network, the big unknown we're struggling with is whether or not it is safe or even desirable to abandon ACL-friendly addressing, and whether, in doing so, we can expect to run into hardware limitations resulting from longer ACLs.
  Currently, each of our site-wide VLANs gets a subnet of the form 10.x.y.0/24, where x identifies the site and y identifies the class of equipment connected to said VLAN.  This allows us to match internal traffic of a given type with just a single ACE, irrespective of where the end-point device resides geographically.  Moving L3 routing decisions out to the access switches will require that we adopt smaller prefix assignments, with as many as 8 distinct subnets on each of our standard-issue 3560CG-8PC compact switches.  Why so many, you ask?  We currently have more than 30 ACL-relevant classifications of devices/hosts - a number that will only grow with time, and to maximize the availability of all services, it is our policy to physically distribute edge devices of a given class (eg. printers, access points, etc) over as many access switches as possible.
  From what I can see, we have three options, each of which present trade-offs in terms of management complexity and address utilization efficiency: 
  Option 1: Stick with ACL-friendly addressing, both for IPv4 and IPv6, and allocate uniform prefixes to each access switch.  For IPv4, within the 10.0.0.0/8 block we would probably allocate 8 bits to the site ID (/16), followed by 6 bits as the switch ID (/22), and 7 bits to identify the equipment/host classification (/29), for a maximum of 5 available addresses for a given class of devices on a given access switch.  For IPv6, assuming we have a /48 block for each site, we would use the first two bits to identify the type of allocation, the following 6 as the switch ID (/56), and the following 8 as the equipment/host classification (/64).
  Option 2: Abandon ACL-friendly addressing and dynamically allocate standard-sized prefixes from a common pool to each VLAN on a given switch.  The advantages of this approach are increased utilization efficiency and more addresses available within each VLAN, but it comes at the cost of non-summarizable routing tables and ACLs, and even if the hardware can handle this, it means we're talking about a more complex configuration management system and less ease in troubleshooting problems.
  Option 3: Do something similar to option 1, but with the L2/L3 boundary positioned at the distribution layer rather than the access layer.  I'm disinclined to go this route, as it seems to require the same, if not more, management complexity than we'll encounter with option 1, with only marginal benefits over keeping things the way they are currently (L2/L3 boundary at the network core).
  Thoughts?  What issues have we neglected to consider?  No matter which approach we select, it shall be assumed that we will be building a system to track all of these prefix assignments, provision switches, and manage their configurations.  From a standpoint of routing protocols, we would probably be looking at OSPFv2/v3.  It can also be assumed that if we encounter legacy devices requiring direct L2 connectivity to one another that we already have ways of bridging their traffic using external devices, so as far as this discussion is concerned, they aren't an issue.
  Thanks in advance for your ideas!
  -Aaron

  Hi David,
  Permissions based on GUI components is a simple & neat idea. But is it rugged? Really secure? It might fall short of Grady Booch's idea of Responsibilities of objects. Also that your Roles and Access components are coupled well with Views!!!!!!!
  My suggestion regarding the Management Beans is only to do with the dynamic modification which our discussion was giong forward.
  If we go back to our fundamental objective of implementing a Role based access control,let me put some basic questions.
  We have taken the roles data from a static XML file during the start up of the container. The Roles or Access are wanted to be changed dynamically during the running of the container. You would scrutinize the changes of Roles and access before permission during the case of dynamic modification.
  Do you want this change to happen only for that particular session? Don't you want these changes to persist??? When the container is restarted, don't you want the changes to stay back?
  If the answer to the above is YES(yes I want to persist changes), how about doing a write operation(update role/access) of the XML file and continue your operation? After all, you can get the request to a web or session bean and keep going.
  If the answer to the above is NO(no, i don't want to persist), you can still get the change role request to a web or session bean and keep going.
  Either way, there is going to be an intense scrutiny of the operator before giving her permissions!!!
  One hurdle could be that how to get all neighbouring servers know about the changes in roles and access??? An MBean or App Server API could help you in this.
  May I request all who see this direction to pour in more comments/ideas ? I would like to hear from David, duffymo, komone and jschell.
  Rajesh

• ADF BC: Creating updatable VO based upon DB View with "instead of" trigger

  Hello all,
  I have got an interesting issue. I have an Oracle DB view that is used to hide some complexity in the underlying DB design (it does some unions). This view is updatable because we have created an "instead of" update trigger to update the correct table when a row is updated. This is working fine in SQL.
  Next, we have created an ADF Entity object based upon the view, specifying an appropriate PK for the DB View. Then, we have created an updatable VO based upon the EO. All well and good so far. The issue we have is in trying to commit changes to the DB - because the ADF BC framework is trying to lock the row to update (using SELECT ... FOR UPDATE), it's not working because of ORA-02014 - cannot select FOR UPDATE from view with DISTINCT, GROUP BY, etc.
  This leads me to thinking about overridding doSelect() on the EO as hinted here http://radio.weblogs.com/0118231/stories/2005/07/28/differenceBetweenViewObjectSelectAndEntityDoselectMethod.html
  As a temporary test, we have over-ridden the EO's doSelect to call super.doSelect(false) and it does work, although we will have lost update issues as detailed in Steve's article.
  My questions:
  1). Is overriding doSelect() the correct thing here? Perhaps there is a better way of handling this problem? I do have a base EO class from which all of the EO's extend, so adding this behavior should be straightforward.
  2). Does anyone have example doSelect implementation? I am thinking of overriding doSelect for my EO and calling super.doSelect (lock=false), but then I need to deal with some possible exceptions, no?
  Kind regards,
  John

  Hi John,
  I have exactly the same issue as you experienced back in January. I have a complex data modelling requirement which requires the need to pivot rows into columns using ROW_NUMBER() and PARTITION clauses. To hide the complexity from the middle tier, I have created a database view and appropriate INSTEAD OF triggers and mapped my EO to the view. I have overriden the lock() method on the EO implementation class (to avoid ORA-02014) and would like to try the same solution you used with the pl/sql call to lock the record.
  My question is, how did you manage the release of the lock if the transaction was not rolled back or committed by your application i.e. if the user closed the browser for instance.
  In my naivity, I would like to think that the BC4J framework would release any locks for the database session when it found the servlet session to be terminated however my concern is that the lock would persist and cause complications.
  Any assistance greatly appreciated (if you would be willing to supply your lock() method and pl/sql procedure logic I would be even more grateful!).
  Many thanks,
  Dave
  London

• Cisco Role based views

  Hello,
  I want to set up the following - a CLI view that will restrict different users when they login using telent or ssh.
  Now for this i have enable AAA, and also create two views one for Guest and one for ADMIN.
  I then have set up secret passwords for each view. Now i want user name adam to access view GUEST and username DON to access ADMIN view.
  Is this possible?
  Thanks,                  

  hi,
  You have the following configured:
  aaa  authentication login mgmt group my_radius local
  aaa authorization  exec mgmt group my_radius local
  line  con 0
  authorization exec mgmt
  logging synchronous
  login  authentication mgmt
  line vty 0 4
  authorization exec mgmt
  logging synchronous
  login authentication mgmt
  transport  input ssh
  Hence every time you try to login to the console or try the ssh the authentication will head to the radius server because of the following command "login  authentication mgmt".
  You cannot make it locally. Whatever defined on the method list mgmt first will be taking the precedence.
  enable seceret will be locally defined. but you have the following configured:
  aaa  authorization  exec mgmt group my_radius local
  line  con 0
  authorization exec mgmt
  line  vty 0 4
  authorization exec mgmt
  Hence exec mode will also be done via radius server.
  when you configure:
  aaa  authentication login VIEW_CONFG local
  line vty 0 4
  login  authentication VIEW_CONFG
  You are making the authentication local, hence it is working the way you want.
  In short, whatever authentication is defined 1st on the method list will take precendence. the fallback will be checked only if the 1st aaa server is not reachable.
  Hope this helps.
  Regards,
  Anisha
  P.S.: please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.

• Role-based view commands missing from config

  Hi All,
  I set up a 2960G with IOS 12.2(44)SE6 and created a role-based view to be used by our helpdesk.  One of the things they need to do is add rules to a MAC ACL on the switch.  I've successfully created a view for them and can include and exclude most commands, however, when I try to include the "commands mac-enacle include all permit" command, I get no syntax error, and there is no line in my configuration reflecting the change. As it stands, from the helpdesk view (named smco) I can get into mac acl configuration mode, but I can't issue any of the sub commands.
  Any advice would be greatly appreciated.  I tried upgraded to 12.2(55)SE and had the same result.
  The current configuration for the parser view is as follows:
  parser view smco
  secret 5 hashed_pw
  commands configure include mac access-list extended
  commands configure include all mac access-list
  commands configure include mac
  commands exec include configure terminal
  commands exec include configure

  After I issue the command "commands mac-enacl include all permit" there is no line in my startup or running configuration that says: "commands mac-enacl include all permit" or anything that closely resembles that.
  I've tested with multiple local accounts.  After authenticating, I issue the "enable view smco".

• What is the mean of using Portal with Role Based security as entry point

  Hi Experts we have requirement of integration of Portal and MDM
  I am completely new to the MDM. So please give me some idea , what is the meanin for following points.
  1) Using the Portal with Role Based security as entry point for capacity and Routing Maintaince(These two are some modules).
  2) Additionally , Portal should have capability to enter in to the MDM for future master data maintence. Feeds of data will need to be come from  SAP 4.6c
  Please give me the clarity of what is the meanin of second point
  Regards
  Vijay

  Hi
  It requires the entire land scape like EP server and MDM server both should be configured in SLD.
  Your requirement is maintaing and updating the MDM data with Enterprise portal.We have some Business Packages to install in Portal inorder to access the functionality of MDM.
  Portal gives you a secure role based functionality of MDM through Single sign on (login into the portal access any application) to their end users.
  Please go through this link
  http://help.sap.com/saphelp_mdmgds55/helpdata/EN/45/c8cd92dc7f4ebbe10000000a11466f/frameset.htm
  You need to develope some custom applications which should be integrated into the portal to access MDM Server master data
  The estimation involves as per your requirement clearly
  Its depends upon the Landscape settings, Requirement complexity,Identify how many number of custom applications need to be developed
  Regards
  Kalyan

• Role Based FireFighter with GRC 10.0 (CEA)

  Does anyone know how the Role Based functionality of FireFighter exactly works besides putting the application type parameter to Role Based in SPRO?
  The manuals explain that the FF users log in to the remote system with their own users, but how are the FF roles or roles that are enabled for Firefighting assigned to these users and how will the log file know which activity to record?

  Good question, and the answer is not pretty.
  In Role-Based Firefighter Application, the firefighter ID on the target system contains the user's regular access plus his/her firefighter access.
  Reporting turns on when the user runs a transaction in the firefighter role.
  If the transaction is in both the user's regular access and the firefighter role, reporting will turn on because the firefighter role access is in use.
  The reports only track firefighter role usage.  So if a user runs a firefighter transaction but also uses access defined in the user's regular access, the only thing recorded is the transaction.
  If your company is not completely married to the idea of using Role-Based Firefighter Application, I suggest you consider the ID-Based Firefighter Application.  In this, there are separate firefighter IDs on the target system and a firefighter gains access to them by going into GRC and completing a form showing how the firefighter ID will be used, and then the GRC system will let the firefighter into the target system using that firefighter ID.

• Call a Graphical Calc view with input Parameters from a Script Based Calc View

  Hi All.
  I am trying to call a graphical calculation view with input parameters from a script based calculation view as below but getting syntax error:
  SESSION_SAMPLE = SELECT SESSION_CREATE_DATE,SHA256,CA_MEASURE
                               FROM "_SYS_BIC"."WILDFIRE/CV_SESSION_SAMPLE"
                               WITH PARAMETERS  ('PLACEHOLDER' = ('$$IP_START_DATE$$',:START_DATE),
                                   'PLACEHOLDER' = ('$$IP_END_DATE$$',:END_DATE));
  START_DATE  and END_DATE are input parameters of the script based calculation view.
  Can anyone please help me with the correct syntax for accomplishing this?
  Thanks,
  Goutham

  Hi Gautham,
  One more option  what i would like you to try is the below option , here i have just changed the order of passing nothing else.
  SESSION_SAMPLE = SELECT SESSION_CREATE_DATE,SHA256,CA_MEASURE
                               FROM "_SYS_BIC"."WILDFIRE/CV_SESSION_SAMPLE"
                                 ('PLACEHOLDER' = ('$$IP_END_DATE$$','$$END_DATE$$'),
                                'PLACEHOLDER' = ('$$IP_START_DATE$$','$$START_DATE$$'))
  Regards,
  Vinoth

• OLAP on 11g and Materialised Views with Multiple Value-Based Hierarchies

  Hello OLAPians
  I am trying to setup Orable BIEE to report on an OLAP cube with pre-aggregated data. As OBIEE is not able to hook into the OLAP directly i have to create an SQL cubeview.
  Currently i am on a 10g OLAP environment and am using the oracle sample SQL cubeview generator to create an SQLview of my cube.
  The cube itself has multiple dimensions and these dimensions have multiple VALUE-based (ragged) hierarchies and dimension members can be shared across hierarchies also.
  Initially i had a problem running the view generator plugin because there is a bug within it that does not finish if there are multiple value-based hierarchies present. I was able to get around this by manually editing the limitmap for the cubeview and manually creating the SQL view.
  The question that i want to ask is how robust is the 11g materialised views with multiple value-based hierarchies and the sharing of dimension members across different hierarchies?
  Has anyone successfully been able to create a cubeview and import it into OBIEE without the hassle of manually editing the limitmap?
  A problem arises with the value-based setup whereby if the client creates a newer depth in the ragged hierarchy, i need to manually create the limitmap and the cube-view over again, and then re-map the BI Administration mappings.

  The simple answer to your question,
  how robust is the 11g materialised views with multiple value-based hierarchies...?is that materialized views are not supported on top of value-based hierarchies in 11g. The reason is that it is not possible to write a reasonable SQL statement that aggregates a fact over a value-based hierarchy. Such a SQL statement is necessary if we want to create a rewritable MV on top of the cube.
  But I suspect this is not what you are really asking. If you are trying to set up OBIEE on top of the cube in 10g using the view generator, then you will probably want to use the "ET VIEWS" that are generated automatically in 11g. These are generated whether or not you enable materialized views on top of your cube. I am not aware of any issues with the generated value-based hierarchy view support in 11g. Members may be shared between value hierarchies and you will not need to generate or modify limit maps.