Role Mining on hierarchical entitlements (OIA 5.0.3)

Hi All,
I am able to do the role mining on single-level entitlements.
Does anyone have any kind of experience on how to do the role mining on hierarchical entitlements (parent-child relationship)?
Example:
Entitlement
-------Update
--------Delete
--------Read
Please also let me know how to load the data for the same.
Regards,
Amit

If using Oracle 10g as your SQL repository then please make sure you are using the correct JDBC driver for the local JDK of the app server which OIA/SRM is running on.
If using JDK 1.5 then use ojdbc5.jar in the WEB-INF/lib directory of OIA/SRM.
Good Luck.

Similar Messages

  • RuntimeException while Role Mining (OIA integration with Waveset)

    Hi All...
    I would appreciate some help with the following, if anybody has any ideas... please.
    My apologies if it is in the wrong category, but there is no Identity Analytics category.
    My PoC Environment consists of
    Vm #1
    Centos 5.5 (64bit)
    JDK 1.6.0_25 (64bit)
    Oracle Waveset 8.1.1 patch 4 (145769-05)
    MySql (5.0.77)
    Oracle Glassfish 3.1.1 (Zip Distro)
    VM #2
    Centos 5.5 (64Bit)
    JDK 1.6.0_25 (64bit)
    Oracle Identity Analytics 11.1.1.3.6 (p12831135)
    MySql (5.0.77)
    Apache Tomcat 6.0.32
    VM #3
    Centos 5.5 (64Bit)
    JDK 1.6.0_25 (64bit)
    MySql (5.0.77)
    All components are installed and configured as described in their respective documentation. Waveset and Analytics each have their own repository locally and the 3rd VM contains a database with 2x Tables (each configured as a resource in Waveset). Table 1x - 32 000 entries, Table 2x 45 000 entries.
    Integration was configured and tested successfully.
    From a Waveset side the Accounts contained in the 2x Tables have been reconciled with Waveset and show up as expected. Columns mapped, and users on direct resource assignments (No Roles yet...)
    From an Analytics side I have done the following:
    1. Import the same Business Structure that was used in Waveset into Analytics using csv import.
    2. Import the Global Users from Waveset using the configured provisioning server instance.
    3. Import the Resource Metadata from Waveset.
    4. Import the Resources from Waveset.
    5. Import the Accounts from Waveset.
    Up to this point this all completed successfully.
    I ran some custom SQL updates to link the Global Users to the relevant Business Structure (bu_globalusers table) as this was not done during the import (even though waveset.organization maps to RMBUname and customproperty1), but no matter.
    If I log into Analytics I can go to the Identity Warehouse and see the Business Structure, see the Users assigned to a Business Structure and the Accounts linked to that user.
    I can go to Resources and see the Attributes defined under each, as well as sample search results when I select an attribute.
    I modified the WEB-INF/rolemining-context.xml: <property name="roleminingAccountThreshold" value="50000"/> to allow for the number of records in the database tables during role mining.
    I configured the Resource type for one of the resources to have one of the attributes minable. I then went and scheduled a Role Mining Task to mine that resource.
    The task ran with the following result:
    13:39:10,119 DEBUG [RMEServiceUtil] About to call scheduler service to schedule roleMiningRun : com.vaau.rbacx.scheduling.domain.SchedulerRoleMiningJob@106e94
    13:39:10,127 DEBUG [SqlMapRoleMiningOptionsDaoImpl] LoadingRoleMiningOptionsWrapper
    13:39:10,209 DEBUG [FindRolesHelper] Loading Role Mining Run from backend: 31
    13:39:10,209 DEBUG [SqlMapRoleMiningRunDaoImpl] Loading RoleMiningRunWrapper
    13:39:10,216 DEBUG [FindRolesHelper] Loading Role Mining Options from backend: 31
    13:39:10,216 DEBUG [RMEServiceUtil] About to call scheduler service to schedule roleMiningRun : com.vaau.rbacx.scheduling.domain.SchedulerRoleMiningJob@106e94
    13:39:10,224 DEBUG [SqlMapRoleMiningOptionsDaoImpl] LoadingRoleMiningOptionsWrapper
    13:39:10,232 DEBUG [SqlMapRoleMiningRunDaoImpl] Loading RoleMiningRunWrapper
    13:39:10,261 DEBUG [MLRbacxRoleMiningServiceImpl] Creating DataRecords...
    13:39:10,306 DEBUG [RoleMiningConfigurationManagerImpl] Retrieving Role Mining configuration
    13:39:10,306 DEBUG [RoleMiningConfigurationManagerImpl] Returning in memory role mining configuration
    13:39:10,308 DEBUG [NamespaceEndpointInstanceCreator] Calling account manager to count accounts
    13:39:10,838 DEBUG [NamespaceEndpointInstanceCreator] Accounts counted by account manager
    13:39:10,838 DEBUG [NamespaceEndpointInstanceCreator] 1 endpoints had 32675 accounts
    13:39:10,838 DEBUG [RoleMiningConfigurationManagerImpl] Retrieving Role Mining configuration
    13:39:10,838 DEBUG [RoleMiningConfigurationManagerImpl] Returning in memory role mining configuration
    13:39:10,839 DEBUG [NamespaceEndpointInstanceCreator] Normalizer flag is true
    13:39:10,839 DEBUG [NamespaceEndpointInstanceCreator] Loading accounts in endpoints
    13:39:10,839 DEBUG [NamespaceEndpointInstanceCreator] Calling account manager to load accounts
    13:39:31,222 ERROR [SqlMapTemplateConcurrentReader] End:getAccountAttributeWrappersRootOnly, com.vaau.commons.dao.concurrent.ibatis.SqlMapTemplateConcurrentReader@4dbff46fResult: Error, Parameters:{rootIdList=[24633, 24658, 24683, 24708, 24733, ...
    49158, 49183, 49208], endPointId=1}
    13:39:31,232 ERROR [SqlMapTemplateConcurrentReader] End:getAccountAttributeWrappersRootOnly, com.vaau.commons.dao.concurrent.ibatis.SqlMapTemplateConcurrentReader@fa85648Result: Error, Parameters:{rootIdList=[6, 31, 55, 80, 105, 129, 154, 178, 202, ...
    (Repeats a bunch of times)
    2755, 762771, 762787, 762803], endPointId=1}
    14:09:35,912 ERROR [MLRbacxRoleMiningServiceImpl] Problem starting role mining processjava.lang.RuntimeException: Error while executing query:getAccountAttributeWrappersRootOnly
    14:09:35,913 ERROR [RoleMiningExecutor] Role Mining run exit with errors. com.vaau.rbacx.rolemining.service.RoleMiningException: java.lang.RuntimeException: Error while executing query:getAccountAttributeWrappersRootOnly
    Traced it to a file called WEB-INF/classes/com/vaau/rbacx/dao/ibatis/maps/AccountAttributeWrapper.xml which had some "^M" character in it but nothing serious.
    The Entry in question looks like follows:
    <select id="getAccountAttributeWrappersRootOnly" resultMap="hierarchyWrappers-with-metadata">
        select aah.id as aah_id, aah.root_id as aah_root_id, aah.parent_id as aah_parent_id,
               av.id as attribute_value_id, av.attribute_id, a.name as attribute_name, av.attribute_value,
               avm.high_privileged, avm.data_owner_id, avm.data_owner_name, avm.classification, avm.definition
        from acct_attr_hier_nodes aah
        join attribute_values av on aah.attribute_value_id = av.id
        left join attribute_value_metadata avm on (av.id=avm.attribute_value_id and #endPointId:BIGINT#=avm.endpoint_id)
        join attributes a on av.attribute_id = a.attributekey
        where 1=1
        <dynamic prepend="and">
            <iterate property="rootIdList" open="aah.id in (" close=")" conjunction=",">
                #rootIdList[]:BIGINT#
            </iterate>
        </dynamic>
    </select>
    The SQL executes against the DB without error; I had to remove the "#endPointId:BIGINT#=avm.endpoint_id" part, as "avm.endpoint_id=1" does not exist in the DB by the time I execute the query.
    Could not find the same XML entry in Oracle Analytics 11.1.1.3.0, so I'm assuming it's fairly new or linked to a previous bug....
    So finally getting to the Question: What is this and how can I get it fixed...? If anyone has any Ideas it would be much appreciated.
    Thank You,
    Pieter
    Edited by: user9372024 on Aug 26, 2011 7:22 AM

    I am facing the same issue - has anyone had any luck with integrating the two?
    Thanks in advance.

  • Dimension with 2 roles and 2 hierarchies used in 2 cubes

    Hi,
    I have a dimension in which there are two dimension roles (roleA, roleB) defined as well as two hierarchies (hierarchyA, hierarchyB). Currently hierarchyA is set as default. (Not because that is in fact the default one, only because OWB forces one to choose a default)
    I need to define two cubes (cubeA, cubeB). CubeA will use the dimension with roleA and cubeB will use the dimension with roleB.
    Is it possible to tell cubeA to use/see/make available only hierarchyA and cubeB only hierarchyB? HierarchyA makes no sense in cubeB so I want to "specify" hierarchyB for cubeB.
    Thanks,
    Juanita

    A different issue but possibly related:
    I have a ROLAP cube with one of the dimensions containing multiple hierarchies. If I deploy this with deployment option set to "Deploy data only", it works 100%. As soon as I change the deployment option to "Deploy All", I get a VLD-0398 error.
    I need to choose "Deploy all" since the cube metadata must be deployed to the OLAP catalog in order for Disco OLAP and BI Spreadsheet Add-In to see the cube.
    First question:
    Is it possible to deploy to the OLAP catalog if the cube has a dimension with multiple hierarchies?
    Second question:
    If it is not possible, what is the workaround?
    Thanks,
    Juanita

  • Exporting Roles from OIA

    Hi,
    I am exporting roles from OIA, it creates roles in OIM with access policies without any RO and child data.
    Is there any way to export everything from OIA role along with policies, entitlement data in Child Form, and RO.
    Also, it updates the priority to -1. Can we disable priority modifications?
    Thanks
    sjit

    Have you followed this? http://docs.oracle.com/cd/E24179_01/doc.1111/e23377/integratingwithoimpreferred.htm#BABGFGCD
    Un-comment the following part in the workflow with the appropriate connection name and try:
    <!--<function name="exportIAMRoleBatchFunction" type="spring">
        <arg name="bean.name">exportIAMRoleBatchFunction</arg>
        <arg name="iamConnectionName"/>
    </function>-->
    -Bikash

  • How to pull Roles and Policies from backend using SQL query in OIA

    Hello,
    I have Roles and Policies defined in OIA with mapping each other and there is no direct extract report from OIA Web console.
    Is there any oracle SQL query by which we can get the data and filter the Policies based on the role ?
    Note: We have one Role having more than one Policy defined in OIA.
    Appreciate your help.
    Thanks

    I am quoting this from MOS Doc Id "Why would multiple session records be present in the User Sessions screen in P6 Web, and why might some of them have different IP addresses? (Doc ID 1600172.1)"
    Multiple sessions show up for users since different sections of P6 Web have their own sessions associated with them. If a user is authorized to use multiple areas of the software they will have multiple sessions each time they log in. Additionally, if users are closing their browsers before logging out of P6 Web Access you might see some past sessions still appearing in the list. These will eventually be cleared out by background jobs, however you can also reset the sessions in the software by clicking the "Reset User" link (Administer > User Sessions > Manage User Sessions), or by choosing the "Reset All Users" link (Administer > User Sessions > Manage User Sessions) to do this for all past sessions.
    Multiple IP addresses for sessions can happen when a user logs in from different machines. For example, a person may log in at their desk, but then go to a colleague's workstation to discuss a project, and log in from there. Doing so will leave them with multiple IP addresses in the session records.
    Hope this helps
    Regards,
    Sachin Gupta

  • Is OIA supports adding Multiple data owners for single role?

    Hi
    Can you please let me know if we can assign multiple data owners under the Resources tab, Data Management tab,
    or with a file-based glossary upload?
    The intention is to keep a backup data owner for each role for certifications.
    Thanks

    No, OIA does not support multiple data owners. You also cannot target the backup data owner in certification.

  • Sun Role manager question.

    Hi,
    1. Does Sun IDM 7.1 support SRM 5.0.3?
    2. Does Sun IDM 8.1 support SRM 4.1?
    I am not able to find this information anywhere. Please assist.
    Thanks,
    Santoshanand

    IDM is used for managing the identities (User). It manages the full cycle of user CREATE -> MODIFY - > DELETE
    Role Manager manages the entitlements of the target applications.
    Integration of both tools is required because if someone has 3K-5K-10K roles/entitlements then it is very difficult to manage them through IDM. So we manage these through Role Manager (OIA). We can also generate reports and do certification on roles through Role Manager.
    For detailed description, go through OIA docs.

  • Example for SOD conflicts defined in OIA

    Hey;
    We are using an application called OIA (previously named Sun Role Manager) to do the role mining. I am looking for someone who may provide a list of
    all the typical SOD (Segregation of Duties) conflicts so that I can take it as a reference. Basically, we want to use rules defined in OIA to implement SOD policy.
    Thanks

    Okay, but if I use the out-of-the-box products Oracle provides (i.e. Discoverer Plus with OLAP, and the OracleBI Spreadsheet Add-in) I still don't understand what my solution is?
    The only other solution we tried was to create formulas using AWM template files. The issue here is trying to find out what property syntax needs to be added to the XML code, so that my formula, by default, is associated with a certain formatting style (i.e. 00.00). And then when you reference that formula in those out-of-the-box Oracle products, it displays as expected.

  • Set up Roles in ebs for Users?

    Hi
    I am creating a conversion for employee security. I was wondering if anyone has set up roles in ebs. I am attempting to get minimal employee data...just names and emp numbers. With that I will set up users. Now that's fine, but what I want is to set up roles for those users. Say a Buyer or Vendor. I want to classify them as such. And then have different responsibilities show up in the app.
    Can this be accomplished? Any insight would help.

    If I have understood this correctly, you could use RBAC (Role Based Access). This is more commonly known as User Management (product code UMX).
    The only user with this role is initially SYSADMIN. However, you can use SYSADMIN to grant this role to other users.
    Once you have access to User Management, you can define a ROLE. ROLES can be hierarchical, so one ROLE can incorporate other roles.
    To achieve what I think you're trying to do, create a ROLE called ABC. Then make RESPONSIBILITIES X, Y and Z subordinate to that role. Responsibilities are a specific type of role anyway.
    Then ROLE ABC will contain responsibilities X, Y and Z.
    Still using the User Management responsibility, ASSIGN ROLE ABC to a user. Then go into 'standard' System Administrator. Navigate to SECURITY > USER > DEFINE and query this user. You will NOT see the responsibilities X, Y, Z because the form defaults to the DIRECT RESPONSIBILITIES tab. These are the responsibilities assigned via System Administrator. BUT - use the tab called INDIRECT RESPONSIBILITIES and you will see X, Y and Z.
    Apply this process to multiple users and you have a solution!
    Regards
    Tim

  • Does idm support maintenance of access manager's group/role/filtered role

    The XML of the Access Manager Realm Resource Adapter has object types group, role and filtered role with object feature list, create, update and delete. Does that mean that with the adapter installed, we can make use of IDM to maintain Access Manager's group/role/filtered role? Is there any customization/configuration needed in order to provision these features in IDM?
    Thanks,

    1. The AM agent can return LDAP attributes after authentication. What you can do is use Sun Directory Server Proxy to provide a virtual view of both LDAP and your DB to AM.
    2. Sun Role Manager is a tool for role mining and attestation, i.e. it helps with compliance verifications which are required by many businesses these days. Sun Identity Manager does not need Sun Role Manager if you just want to provision roles for your users; however, as appears to be the case in your environment, the roles created by IDM are exported to SRM for compliance verifications.

  • Role Reaffirm in GRC10

    Hi all,
    did anyone use the Role Reaffirm functionality within GRC10?
    The functionality seems to be available, but we cannot get any roles listed to be reaffirmed.
    We have defined approvers for roles in GRC, have users assigned, ran the RR Reminder background job.
    Is there anything missing?
    The config parameters seem to have magically disappeared from the list of available parameters.
    Also could not find any documentation on Role Reaffirm in AC 10
    Thanks for some input,
    Daniela

    Hello experts,
    I get the same issue:
    I have 1 role with reaffirm expiration on 05/16/2013 and 1 role which had already expired on 05/08/2013.
    Given the fact that today is 05/15/2013, I expect in 'Access Management > Role Mining > Role Reaffirm' a result of 2 roles which have to be reaffirmed.
    But it already gives the warning "No records found"!
    On Leon's advice I tried to type the value '1' in "Number of days before Duedate", so I would expect 1 role as result... but: "No records found"!
    I attached some screenshots of my configuration.
    Any ideas?
    EDIT: can somebody tell me the reminder email notification Job for role reaffirm? I only know the Job "GRAC_ERM_ROLE_CERTIFY_NOTIF" for role certification
    Thanks in advance :-)
    Edgar

  • Deployment and Deployer Role; a question

    Hi All,
    I have a question about the Deployer Role in WLS8.1/WLI8.1. I was playing around with this Deployer Role and created a user with it. This is in WLS8.1. What I was thinking was that this user (a deployer user) would be able to deploy/undeploy/redeploy applications... which worked fine... BUT this is what I have found to be incorrect, since I want this Deployer user to have the privilege for deployments ONLY.
    The user that I created can also change JMS, JDBC connection pool settings... which in my case is incorrect.
    Can somebody please suggest some workaround for this? I want my Deployer user to do ONLY deployment stuff and not ANYTHING ELSE (like JMS, JDBC stuff, etc).
    -steve


  • OIA-OIM Integration.

    Hello everyone,
    I have worked with OIM for quite a while now. Recently I have started working on OIA and my end goal is to integrate OIM with OIA. Having said that, I would like to know what the typical activities are that are performed when such an integration takes place. I think the activities can be divided into the following categories:
    1. Initial Activities
    2. On-going activities
    I understand that the activities will change depending on whether OIM already exists or not.
    Scenario 1: Existing OIM deployment which needs to be integrated with OIA
    Scenario 2: New deployment with OIM and OIA
    I also see that OIA offers features like Attestation and SoD. Attestation I guess can be done since OIA is always in sync with OIM, but can we enforce a preventive mechanism using OIA for SoD?
    Can everyone please contribute based on their experience with OIM-OIA integration.
    Thanks in advance.

    Hi user90210,
    The key thing to point out about OIM and OIA is that they have different repositories
    * OIM - Being online with the target systems and the information gets updated constantly
    * OIA - Is an offline database repository for the role management and attestation aspects (OIA does not touch the target systems)
    Yes attestation can be done by both products though OIA has the capabilities of attribute attestation with the option of drilling further into detail (RACF would be a good example here). The product also has additional audit benefits included OOTB
    Regarding the scenarios, the only initial factor to take into account would be the role management aspect
    Initial activities would include populating the identity warehouse in OIA, building up the globalusers, accounts, businessunits etc. You can either get this information from OIM or from a flat file repository feed (so OIM would need to be populated first). If the information is already in OIM then GREAT, let's pull all the information out of OIM into OIA.
    When you go through an approval process within OIM for a role for a user, for example, it will push the request to OIA to determine whether this approval process should take place. This is where the SoD preventative violation gets involved. If there is a policy in place that states expressions that the action should not take place, then the user-role would not be finalised. If there are no SoD violations then it goes into the approval process with the role and policy owners associated to that role. If all is good then it pushes the request back to OIM and assigns that person to that role.
    You have 2 options regarding roles: either bring them in from OIM and manage the existing developed roles within the environment, or start from scratch and build the roles based on the information you have within OIA.
    OIA doesn't necessarily need to be in sync with OIM. When you have roles implemented it's always best to keep the information up to date, though you may decide to bring in the information on accounts, globalusers etc. and start the role engineering - which may take weeks. While this is taking place the old roles may still be implemented within OIM. If you decide to bring in accounts and globalusers constantly you may never be able to complete your initial task of creating roles.
    OIA only needs to be in sync with OIM when
    1) You have roles active and SoD violations in place
    2) You want to start a new attestation
    If you haven't figured it out already, roles within OIA are authoritative over OIM
    Let me know if this helps
    Regards,
    Daniel

  • Disable login prompt for SAP NW based Xcelsius Dashboard

    Hi all,
    Need assistance to understand what needs to be done in the below case:
    Current scenario:
    1. Developed Xcelsius Dashboard based on SAP NW Connectivity on BO XI 3.1 SP2+.
    2. Configured trust between SAP BW server and BO Server using steps outlined in integration kit(login/accept_sso2_ticket, etc).
    Imported user roles in BOE and enabled SAP authentication.
    After this, WEBI Reports based on Bex queries refresh in Infoview without prompting for Login id/Password.
    3. Configured SAP Server to enable portal/interop switch to display the Xcelsius Dashboard within Infoview which is the existing BI portal. Used Hyperlink object for enabling the link.
    In the hyperlink, I am using the same link which gets generated when I use the option Xcelsius 2008>>file menu>>SAP>>Launch
    Issue: On click of Hyperlink, I get SAP EP Login window. Once I fill up the SAP user id and password, the dashboard comes up
    Server Configuration:All on same domain
    SAP system ID=X(SAP BW server)
    SAP system id=Y(SAP EP Portal)
    BOBJ system Z(BOBJ Server)
    User roles stored in X. Entitlement system defined in Z for SAP BW Server X.
    Dashboard is not available in SAP EP Portal in any folder as of now. Have not created any roles yet.
    As per the various posts and KB articles,
    Do I need to enable SNC for both X and Y? or trust between Infoview and SAP EP portal can be enabled without enabling SNC?
    Just like the SAP BW server, does the SAP EP portal also have *.cert files that can be exchanged with the BO Server to enable trust?
    Thanks,
    V Fernandes

    Hi Ingo,
    Thanks for your explanation. I was referring to the configuration mentioned in the wiki article for displaying an Xcelsius Dashboard in Infoview, where this was explained as a possibility. Even though it's not Lean.
    Link: [http://wiki.sdn.sap.com/wiki/display/BOBJ/IntegrationofanXcelsiusdashboardinBOE+Infoview]
    The only difference in my case is the use of SAP Authentication instead of Enterprise.
    Thus as per your last update only the following workflow is valid:
    1. User logs in to Infoview using SAP Authentication.
    2. User clicks on the Xcelsius Dashboard Hyperlink object.
    3. SAP Enterprise Portal login pops up within the Infoview Workspace.
    4. User has to fill in the login credentials again.
    5. Dashboard loads up successfully.
    Please correct me in case I am wrong.
    Thanks for the response. In case there is any other way this can be achieved, then please do let me know. Appreciate all the help.
    Regards,
    V Fernandes

  • Permissions

    Here is a summary of the permissions system the way I understand it. I hope it helps save anyone out there some of the time and trouble I've had to endure to understand Permissions.
    I) POSIX:
    Get info
    The 'Get Info' window is a user-friendly way to view and manage permissions on files and directories. But it is a little confusing to understand.
    You can tell if you've really messed around too much with the permissions of a file or directory if the Get Info window lists your Sharing and Permissions as 'custom'. You shouldn't have any 'custom' permissions settings if you are new to managing permissions.
    For all beginners, there should only be three listings in the 'Get Info' window. The reason this confuses people is because everyone wants to see themselves as the owners of their computer's files and directories, and nobody wants to see 'everyone' with access to important files and folders.
    First listed is the file's (or directory's, if you selected a directory) owner. There is only one owner for each file or directory, but the owner can be changed in terminal with chown (provided you have the needed privileges).
    Next listed is the primary group to which the owner of the file or directory belongs. A user can only belong to one primary group, but the primary group of a user can be changed with usermod in terminal.
    Next listed is all other users. This is the account that mostly ruins people as everyone wants 'everyone' to have no access to their computer. The main problem is that the need for 'everyone' to have permissions on some important files is not correctly understood by most people.
    Using File Hierarchies to Manage Permissions
    It is easier to accept the need for 'everyone' to have access to important directories once you realize that the file and directory permissions are also managed via the file and directory hierarchies. So, regardless of who has permissions on a file or directory, if it is copied or moved to a directory to which 'everyone' has no access, and you are the only one with permissions, then the moved or copied file cannot be accessed by anyone until you move it back out of your directory. The role of file hierarchies in managing permissions is a very important part of the system, but most people are not aware of how it works.
    It is similarly easier to understand the need for 'everyone' to have access to important directories with two different examples. Say, for example, you add a new user to your system. The system will automatically copy directories into that user's home folder for that user to use. But if the directories are not accessible by 'everyone', then that user will not have access to any of the copied resources.
    For another example of the need for 'everyone' to have access to important directories, consider what happens when you attempt to assign 'no access' to 'everyone' on your System folder. Now, you yourself cannot access the folder and you have to reboot your system with disks. You cannot simply add yourself as the owner of the System file, because the system needs to access that file at start-up. The System is one important user on your system which you cannot do without! So the System must be the owner of the System directory. The System automatically belongs to a group called 'wheel' which allows for the connection of other 'Systems' to your 'System' through a common group. If the 'System' did not belong to any group, you could never share resources, files, directories, or executables (like a printer, for example) with other 'System' users. So your computer automatically includes a 'wheel' group and a 'System' (YOUR 'System') that belongs to that group. Now then, you are not your system. Your system is your system. In order to use your system, you have to have a user account. Also, you have to have access to your System folder. Since the System folder necessarily belongs to your system, and the system is necessarily installed as a member of the 'wheel' group (otherwise you would not be able to network), then there is only one more permission through which you can gain access to your system, and that is the 'everyone' group. This is because there are only three reserved places on the permissions bits. There is one place for the file (or directory) owner, one place for the primary group of that owner, and one place for 'everyone' else.
    The three-entry 'limits' to the permissions system (owner, group, everyone) make much more sense when you realize that the directory and file hierarchy permissions are meant to be used as the other half of the permissions assignments. Where the most important owner ('System') of a directory (system) must be the most accessible (to 'everyone'), all other groups and users can impose more restrictions on files and folders (directories) that they create, as well as those which they have imported into their own files and folders, using the file hierarchies to manage permissions.
    Terminal ls -l command
    When in terminal, you use the ls command to see a list of the files in the current directory. However, when you add the -l option to the ls command, you also get to see the file and directory permissions for each file or directory in the current directory.
    The permissions for a file start with a -, and the permissions for a directory start with a 'd'. That is followed by 9 dashes or letters. The letters are for 'read' 'write' and 'execute' (rwx). The first three are for the file or directory owner. The second three are applied to the file or directory owner's primary group. The last three are applied to everyone. However, if a file which 'everyone' can read is in a folder to which 'everyone' has no access, then there will be no access to that particular file, even though the permissions for 'everyone' assign access. That's because the permissions assignments to a file or folder are only half of the permissions management. The other half is the arrangement of the files and folders, through the hierarchical assignment of permissions restrictions. That is the fact about permissions systems that confuses everyone.
    Terminal chmod command
    In terminal, you can change the permissions 'mode' assigned to a particular file or folder (or even an entire hierarchical structure) using the chmod command. There is a numbering system to correspond to the 10-letter (drwxrwxrwx) system. You can learn more about that online or by typing 'man chmod' into the terminal.
    Terminal chgrp command
    In terminal, if the owner of a file or directory belongs to more than one group, you can change the group that has permissions to the file or directory to one of the owner's non-primary groups. You can learn more about that by typing 'man chgrp' into the terminal.
    Terminal, editing the /launchd-user.conf file
    You can set the 'umask' by editing the configuration file for the user. Editing configuration files is an important part of the system and a valuable skill to learn. Once you learn how to edit the user configuration file, you can easily change the default permissions mode that is assigned by that user to his or her new files and folders by changing the 'umask' variable. The umask variable uses a 4 digit number for permissions, just like the chmod command.
    Who are Users?
    There are several very important users on your system. Your computer itself is a user on your computer, called 'System'. There is a user called 'root' that gives you control over the 'System' (and consequently can destroy your entire system). 'Root' user is also a default member of the 'admin' group. When your system is first installed, it prompts you to add yourself as the first human 'user' and makes you the first human member of the 'admin' group, as well as a member of the 'staff' group. Your primary membership is to the 'staff' group, but you can also function as a member of the 'admin' group by entering your password when prompted or when required in a command. You can add any other users from that point and grant them admin privileges, or not, or membership in some other group with other privileges to access certain directories or files.
    What are the Groups?
    Groups like 'wheel' and 'daemon' are used to connect your system to network users without granting system privileges. Your computer 'System' is a user that belongs to the 'wheel' group. 'Root' user also belongs by default to the 'wheel' group and 'admin' group and 'staff' group (so that if you, the hardware owner, log in as 'root' user, you can access everything on the hardware). The 'wheel' group is like an empty socket waiting for you to allow other network resources to connect with your system by adding them to the 'wheel' group. A user could be a member of the 'wheel' group without having privileges or permissions to anything on your system. Maybe such a user would only be given permissions to access a printer or a single folder on your system.
    'Everyone' is the group that most people want to eliminate. However, 'everyone' is necessary for the most important system resources, which can subsequently be assigned restricted access (when they are moved or copied to other, more restricted, files and directories) using the hierarchical assignment principle. 'Everyone' is the most misunderstood group identity.
    Apart from such default required groups, you can create any group you like, and many applications will add a group to your system for use with that application and its resources. You can see what groups are on your system (and what users belong to them) by reading the etc/group file.
    If a user is not assigned to any group, the computer assigns them to the default group called 'staff'.
    What is the best way to set up file and directory permissions?
    There is a utility called 'disk utility' which you can use to 'fix' your permissions if you messed around with them too much without knowing what you were doing (learning, obviously!). If you still have access to your system, and it is acting funky, and you have been messing around with permissions, 'disk utility' is likely to solve all of your trouble. If the permissions are too badly ruined (for example, if you assign 'everyone' 'no access' to your system folder, etc), and you have no way to log in to the root user (root user can be both enabled and logged in through any terminal window using 'dsrootenable', if you have both an administrator password and a root user password) then you may have to reboot from disk or perform a new installation, since you likely have removed yourself from your own computer.
    Apart from the 'disk utility' defaults for important directories, there is no best way to set up permissions. When you combine the permissions mode of a file or directory with the hierarchical permission structure, there are many ways that intellectual property can be both protected and shared, according to the project and purposes.
    There are many possible arrangements for permissions, and each proposed scheme requires a bit of study to understand how security, privacy, collaboration, and sharing will be affected.
    II) ACL:
    Microsoft Windows OS manages permissions differently (they use ACLs instead of POSIX). There, you assign each file or directory different permissions for each user or group. In Apple OS it is called 'ACLs' when you create custom permissions by removing or adding permissions for users or groups that are in conflict with the standard three-value permission system. Altering the permissions to create these 'custom' settings shows up with the 'ls -l' command as a '+' appended to the permissions bits (drwxrwx---+). The reason for the '+' (or the exceptions added to the standard security permissions) can be listed using the ls command with the -le switch.
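As an added example that is not part of any post in this thread, the bash functions below translate the 10-character mode string shown by 'ls -l' (including the trailing '+' ACL marker) into the octal number chmod accepts, derive the default mode that a umask produces, and check the hierarchy point made above: 'everyone' can only reach a file if every directory on the path grants them the search (x) bit. The function names are invented for this example.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. Helpers for reading the
# permission bits that `ls -l` prints and for reasoning about umask and
# the directory hierarchy; the function names are invented here.

# mode_to_octal 'drwxrwx---+' -> 770
# The leading type character (-, d, l, ...) is dropped, as is a trailing
# '+' (ACL present) or '@' (extended attributes, macOS) marker.
mode_to_octal() {
  local s=${1#?} out="" triple v i
  s=${s%[+@]}
  for i in 1 2 3; do
    triple=${s%"${s#???}"}            # first three characters of s
    s=${s#???}
    v=0
    case $triple in r??) v=$((v + 4)) ;; esac
    case $triple in ?w?) v=$((v + 2)) ;; esac
    case $triple in ??[xst]) v=$((v + 1)) ;; esac   # s/t imply execute
    out="$out$v"
  done
  printf '%s\n' "$out"
}

# default_mode UMASK BASE -> mode of a newly created object.
# New files start from 666 and new directories from 777; every bit set
# in the umask is cleared: default_mode 022 666 -> 644, 022 777 -> 755
default_mode() {
  local mask=$((0$1)) base=$((0$2))   # leading 0 makes the shell parse octal
  printf '%03o\n' $((base & ~mask))
}

# other_can_reach DIRMODE ... -> success only if 'everyone' has the search
# bit (x) on every directory on the path; a world-readable file below a
# directory that lacks it is unreachable for 'everyone', the "other half"
# of permissions the post describes.
other_can_reach() {
  local m
  for m in "$@"; do
    case $m in
      d????????[xst]*) ;;             # 10th character: others' execute bit
      *) return 1 ;;
    esac
  done
  return 0
}

mode_to_octal '-rw-r--r--'            # 644
default_mode 077 777                  # 700
other_can_reach 'drwxr-xr-x' 'drwx------' && echo reachable || echo blocked
```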

    Mac OS X ACLs are based on a FreeBSD ACL implementation that extends the standard Unix/POSIX file system DAC security model. The ACLs used in Windows' security model work differently, because the Windows security model is based on security tokens that interact...well, to be honest, I've always felt that the Windows security model reminds me of the OS X preference domain model more than anything else.
    Otherwise, not bad at all.
