Same user different roles within different organizations

Hello All,
We have requirement where Same user has to have different roles within different organizations.
What will be the solution to handle this situation using SUN IDM ?
Any inputs are greatly appreciated.
Thanks,
Akeel

Let me simplify this,
We have requirement where a user can work for different organizations , which can be achieved in SIM using membership rules.
Say a user works for two organizations Say Org1 and Org2.
The user can have different roles in these 2 different organizations. For example user can have Role1 in Org1 and Role2 in Org2.
Role1 and Role2 both are available for assignment for respective admins of both Org1 and Org2.
Suppose Admin of Org1 assigns the user Role1; and admin of Org2 assigns the user Role2.
Now waveset.roles will have Role1 and Role2, but it can not tell the user has which role in which organization.
How do i specify the relationship between the role and organization ? The number of organizations are very large 70000+ and Number of identified roles around 51.
I dont think this can be implemented in Sun Identity Manger. Anybody has done this? Or any inputs are highly appreciated.
Regards,
Akeel

Similar Messages

Reading a user's role in Dynpro

I am currently writing an application in Dynpro / java that will eventually run on EP6.
This application will allow external product distributors to enter sales information and view their history / performance. A distributors access will be quite limited in that they will only be able to see their own sales data.
In addition, the site will be accessed by internal employees who will have a much wider range of functions available to them. They will be able to view performance statistics for all distributors by region and see internal costing sales figures.
Rather than maintain roles within the program, or worse yet, maintain two separate applications, I would like to read a user's role within the portal environment and enable / disable functions in the application based on their role.
From what I have been reading it seems possible to obtain this information through the "getRoleFactory()" method in the UMFactory class but so far I haven't got it to work.
Has anyone had an practical experience obtaining role information from EP6 (in Dynpro preferably). Any information would be helpful at this point (a small code sample would be ideal).
thx
-Sheldon

And use IUser`s method getRoles (https://media.sdn.sap.com/javadocs/NW04/SPS15/um/com/sap/security/api/IUser.html#getRoles(boolean)):
<i>
public Iterator getRoles(boolean recursive)Gets the list of (all) assigned roles of this user including parent groups, grandparent groups,... if recursive is set to true NOTE: This method may also return roles which are already deleted.
Parameters:
recursive - if true returns all parent roles
Returns:
iterator of roles for this principal. The iterator contains uniqueIdOfRole strings
</i>

System needs to approve automatically when the same user has different role

Hi Gurus,
My issue relates to approval in Shopping cart.
Say this is my Issue.
This is the Approval detemined by the system.
1 - X
2 - Y
3- Z
4- X
5- Y
X & Y are the Same user but with different role in the Approvals.
First time 'X' would get the cart to approve it manually but second time system should automatically approve it. Same should happen for 'Y' as well. So now both X & Y needs to approve the cart only once.
Please advice me how to approach this issue or If anyone experience the same kind of issue please let me know how to resolve.
Thanks for your time to spend on it.
Thanks,
SNMPkumar

Hi,
You can handle it with N-Step BADI Workflow.
Regards,
Masa

Configuring IDM menus for different roles for same user?

Looking forward to Sun IDM 8.x and Sun Role Manager 4.1 installation. Couple of points before the decision are -
1. If a user A has two roles R1 and R2 (for Sun IDM) then how does Sun IDM decide how the IDM console should appear (menus etc.) to the user based on whether he's logging in with Role R1 or R2? The login screen doesn't contain any input entry for choosing the role with which to log-in. With that in mind, is it even possible to have multiple roles for same login id? Or does the user have to maintain two seperate login identities?
2. Same question for Role Manager
3. Does Sun Role Manager 4.1 provide Roles merging feature?
Thanks,
AG

IDM combines the two roles. So if a user has the two roles and role R1 grants access to menu items 1,2,3 and role R2 grants access to menu items 3,4,5, the user will have access to menu items 1,2,3,4,5. If you want to separate these two roles, you will need two different login users - but what exactly are you trying to achieve there?
Can't help you with Role Manager, sorry.

Different Risk Analysis Results with the same user from 2 different RAR

Hi..
I've loaded the same Risks, Rules, etc, into 2 GRC RAR environments (Sandbox and Quality systems); both of them are connected with the same SAP ECC system. But when I do a User Risk analysis (authorization level), the result from Sandbox is different from Quality system. I donu2019t have users or roles mitigated yet, users are synchronized, rules are exactly the same and I donu2019t know what happen??... Please, help me.
Thanks...

Hi...
If I do a Full Sync of users to the same ECC system from both RAR boxes, I got different number of users loaded (i.e. 18757 vs. 18141), similar case with the full sync of roles. (13100 vs. 13150).
If I load exactly the same set of functions to both RAR systems and I generate the rules, I got the same problem, different number of rules is generated.
I've verified both RAR configuration and they are the same (excluded users, roles mitigated, etc.)
Is it a normal behavior? What could be wrong?
Thanks in advance!!

PPOME - Can't insert the SAME task for different organization unit

Hi all,
I have a doubt; in SAP 46C, it seems that is impossible to insert in PPOME, Detailed window, Tasks tab the same task for different organization unit. The only way to do this is in PP01 - General management, where you can explicitely create a [B-007] relations with the same "T" Object. Now, it is a little bit difficult for a user to switch from PPOME ad PP01 when defining new organizational structure.
The question: is there any way to insert the <b>SAME</b> task directly in PPOME, overwriting the standard behaviour of the system that by default create a new task for each new insertion?
Thanks all
Paolo

Hi Naveen
thank you for your prompt reply.
The issue that I want to solve is that some organization unit (not all) must be flagged for an external export to another system, depending on some characteristic of each org unit. I didn't find a similar attribute on standard field, so I thought to insert a common task to all the org units to export, so that this relation can serve as the missing attribute on org unit definition.
PP01 let me insert a task (type T, and not TS) on an org unit directly, so I want to know if I'm going to break some standard behaviour of SAP if I insert a task on OU.
Thank you
Paolo

Assigning different authorization to same user based on Query

Hi experts,
I am redefining my issue,
Is there any way i can assign different authorizations to the same user but based on either Query/Workbook.
lets say i have two Analysis authorizations A & B and two Queries X and Y.
If the Query/Workbook is X then Add Authorization A to user ABC.
else if the Query/Workbook is Y then Add authorization B to user ABC.
this is because i have two set of workbooks the same user can access and authorization for these two set is different based on the workbook.
I tried using the auth objects 0TCTWORKBK,0TCTQUERID OR 0TCTQUERY but no success so far.
thank in advance.
Edited by: youmenbi on Feb 12, 2008 1:20 AM
Edited by: youmenbi on Feb 12, 2008 1:31 AM

Hi
We have set same kind of authorizations based on the users. The Cost Center Manager is assigned a role and the authorizations for each of the Report/Layout/Workbook is based on his/her profile...some are Read only, some or Read & Write...etc.
If you go through that route......and assign each of the Reports/Layouts/Workbooks to Users....you may succeed.
I know it is a bit time consuming but that is one alternative we could think of as it addressed seamlessly any changes in CC Managers.
Regards
Srinivas

Trusted RFC not working for different user , working for same user

Dear All,
I have two SAP system - One Solman (7.0) and another ECC 6.0 (SR3) on HPUX box with Oracle DB (Unicode).
I want to establish Trust relationship between these system.
I have configured the same, as per the following link:
http://help.sap.com/saphelp_nw04/helpdata/en/8b/0010519daef443ab06d38d7ade26f4/content.htm
and note 128447.
My requirement is one user X in solman client 001,
will execute some test plan (Tcode stwb_2) which will take the control to ECC 6.0 client 200, execute the tcode as user Y and come back in Solman again.
The user X (SAP_ALL) exists in Solman - client 001 and user Y (SAP_ALL) exists in ECC 6.0 - client 200.
In ECC 6.0 client 200, I have created a role ZRFCACL with the following and assigned to the user Y (as per the above help / note):
Role : ZRFCACL
Auth. Obj: S_RFCACL
Value assigned to fields are:
     RFC_SYSID : SOL
     RFC_CLIENT: 001
     RFC_USER : X
     RFC_EQUSER: N
     RFC_TCODE : *
     RFC_INFO : *
     ACTVT     : 16
Whenever the user X is trying to execute the test from solman, he is getting the error : "No authorization to log on as trusted system (RC = 0)"
Each time the user is trying the above, in ECC 6.0, the following dump is occuring:
CALL_FUNCTION_SINGLE_LOGIN_REJ under username SAPSYS
I have assigned the role ZRFCACL to user X in Solman also.
Next, I have performed the following check:
created one user M in both system
created the role ZRFCACL2 in ECC 6.0 client 200 as follows and assigned the role to user M:
     Role : ZRFCACL2
     Auth. Obj: S_RFCACL
     Value assigned to fields are:
          RFC_SYSID : SOL
          RFC_CLIENT: 001
          RFC_USER : ''
          RFC_EQUSER: Y
          RFC_TCODE : *
          RFC_INFO : *
          ACTVT     : 16
Assigned SAP_ALL to user M in both system (So the user M in Solman does not have ZRFCACL2).
This time, the trust relationship worked and no dump got generated.
I have also checked the thread Trusted RFC do not work
but unable to resolve the issue.
Any suggestion where the things are going wrong in this / what else I need to check or this is not possible at all?
Thanks in advance for your help.
Sudip

Hi Valdecir,
Thanks for the reply. I am providing the detail of the generated dump below:
Please check in case any clue is there.
Runtime Errors         CALL_FUNCTION_SINGLE_LOGIN_REJ
Date and Time          12.08.2008 18:59:32
Short text
No authorization to logon as trusted system (Trusted RC=0).
What happened?
Error in the ABAP Application Program
The current ABAP program "SAPMSSY1" had to be terminated because it has
come across a statement that unfortunately cannot be executed.
What can you do?
Note down which actions and inputs caused the error.
To process the problem further, contact you SAP system
administrator.
Using Transaction ST22 for ABAP Dump Analysis, you can look
at and manage termination messages, and you can also
keep them for a long time.
Error analysis
An RFC call (Remote Function Call) was sent with the invalid user ID "98819 "
. Or the calling system is not registered as trusted system in the
target system.
How to correct the error
The error code of the trusted system was 0.
Meaning:
0    Correct logon as trusted system mode
1 No trusted system entry for the calling system "SOL " or the
security key entry for the system "SOL " is invalid
2 User "98819 " does not have RFC authorization (authorization object
(S_RFCACL) for user "98819 " witl client 001.
3    The timestamp of the logon data is invalid
The error code of the SAP logon procedure was 1.
Meaning:
0    Login was correct
1    Wrong password or invalid user ID
2    Locked user
3    Too many attempted logons
5    Error in the authorization buffer (internal error)
6    No external user check
7    Invalid user type
System environment
SAP-Release 700
Application server... "gcbeccd"
Network address...... "10.10.4.158"
Operating system..... "HP-UX"
Release.............. "B.11.23"
Hardware type........ "ia64"
Character length.... 16 Bits
Pointer length....... 64 Bits
Work process number.. 1
Shortdump setting.... "full"
Database server... "gcbeccd"
Database type..... "ORACLE"
Database name..... "RD3"
Database user ID.. "SAPSR3"
Char.set.... "C"
SAP kernel....... 700
created (date)... "Apr 5 2008 00:55:24"
create on........ "HP-UX B.11.23 U ia64"
Database version. "OCI_102 (10.2.0.1.0) "
Patch level. 146
Patch text.. " "
Database............. "ORACLE 9.2.0.., ORACLE 10.1.0.., ORACLE 10.2.0.."
SAP database version. 700
Operating system..... "HP-UX B.11"
Memory consumption
Roll.... 16192
EM...... 4189840
Heap.... 0
Page.... 0
MM Used. 1194640
MM Free. 2992576
User and Transaction
Client.............. 000
User................ "SAPSYS"
Language Key........ "E"
Transaction......... " "
Transactions ID..... "489F2BD6C36D0F12E10000000A0A049E"
Program............. "SAPMSSY1"
Screen.............. "SAPMSSY1 3004"
Screen Line......... 2
Information on caller of Remote Function Call (RFC):
System.............. "SOL"
Database Release.... 700
Kernel Release...... 700
Connection Type..... 3 (2=R/2, 3=ABAP System, E=Ext., R=Reg. Ext.)
Call Type........... "synchron and non-transactional (emode 0, imode 0)"
Inbound TID.........." "
Inbound Queue Name..." "
Outbound TID........." "
Outbound Queue Name.." "
Client.............. 001
User................ 98819
Transaction......... "SMSY"
Call Program........."SAPLSRTT"
Function Module..... "SCCR_GET_RELEASE_NR"
Call Destination.... "SM_RD3CLNT200_TRUSTED"
Source Server....... "gcbsolm_SOL_00"
Source IP Address... "10.10.4.206"
Additional information on RFC logon:
Trusted Relationship "X"
Logon Return Code... 1
Trusted Return Code. 0
Note: For releases < 4.0, information on the RFC caller are often
only partially available.
Information on where terminated
Termination occurred in the ABAP program "SAPMSSY1" - in
"REMOTE_FUNCTION_CALL".
The main program was "SAPMSSY1 ".
In the source code you have the termination point in line 67
of the (Include) program "SAPMSSY1".
Source Code Extract
Line
SourceCde
37
endmodule.
38
39
module %_rfcdia_call output.
40
"Do not display screen !
41
call 'DY_INVISIBLE_SCREEN'.
42
perform remote_function_diacall.
43
endmodule.
44
45
module %_cpic_start.
46
if sy-xprog(4) = '%RFC'.
47
perform remote_function_call using rfctype_external_cpic.
48
else.
49
call 'APPC_HD' id 'HEADER' field header id 'CONVID' field convid.
50
perform cpic_call using convid.
51
endif.
52
endmodule.
53
54
55
form cpic_call using convid type c.
56
communication send id convid buffer header.
57
if sy-subrc eq 0.
58
perform (sy-xform) in program (sy-xprog).
59
else.
60
message a800.
61
endif.
62
endform.
63
64
form remote_function_call using value(type).
65
data rc type i value 0.
66
do.
>>>>>
call 'RfcImport' id 'Type' field type.
68
if sy-xprog = 'JAVA'.
69
system-call plugin
70
id 'JAVA' value 'FORW_JAVA'
71
id 'RC'   value rc.
72
if there is no rollout on the JAVA side which
73
rolls both, JAVA and ABAP, we return to the
74
C-Stack and reach this point
75
76
in case there was an rollout, the ABAP-C stack is lost
77
and we jump direkt to this point
78
79
here we trigger the rollout on this Abap side with
80
the following statement
81
system-call plugin
82
id 'JAVA' value 'ROLL_OUT'
83
id 'RC'   value rc.
84
else.
85
perform (sy-xform) in program (sy-xprog).
86
rsyn >scont sysc 00011111 0.
Contents of system fields
Name
Val.
SY-SUBRC
0
SY-INDEX
1
SY-TABIX
0
SY-DBCNT
1
SY-FDPOS
0
SY-LSIND
0
SY-PAGNO
0
SY-LINNO
1
SY-COLNO
1
SY-PFKEY
SY-UCOMM
SY-TITLE
CPIC and RFC Control
SY-MSGTY
SY-MSGID
SY-MSGNO
000
SY-MSGV1
SY-MSGV2
SY-MSGV3
SY-MSGV4
SY-MODNO
0
SY-DATUM
20080812
SY-UZEIT
185932
SY-XPROG
SAPRFCSL
SY-XFORM
READ_SINGLE_LOGIN_DATA
Active Calls/Events
No.   Ty.          Program                             Include                             Line
Name
2 FORM         SAPMSSY1                            SAPMSSY1                               67
REMOTE_FUNCTION_CALL
1 MODULE (PBO) SAPMSSY1                            SAPMSSY1                               30
%_RFC_START
Chosen variables
Name
Val.
No.       2 Ty.          FORM
Name REMOTE_FUNCTION_CALL
%_DUMMY$$
0000
0000
2222
0000
SY-REPID
SAPMSSY1
0000000000000000000000000000000000000000
0000000000000000000000000000000000000000
5454555322222222222222222222222222222222
310D339100000000000000000000000000000000
SYST-REPID
SAPMSSY1
0000000000000000000000000000000000000000
0000000000000000000000000000000000000000
5454555322222222222222222222222222222222
310D339100000000000000000000000000000000
HEADER
000000000000
000000000000
TYPE
3
0000
0003
SY-XPROG
SAPRFCSL
0000000000000000000000000000000000000000
0000000000000000000000000000000000000000
5455445422222222222222222222222222222222
3102633C00000000000000000000000000000000
%_ARCHIVE
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
2222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
RC
0
0000
0000
SY-XFORM
READ_SINGLE_LOGIN_DATA
000000000000000000000000000000
000000000000000000000000000000
544455444445444445445422222222
2514F39E7C5FCF79EF414100000000
%_SPACE
0
0
2
0
No.       1 Ty.          MODULE (PBO)
Name %_RFC_START
%_PRINT
000                                                                                0###
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
2222333222222222222222222222222222222222222222222222222222222222222222222222222222222222223000
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
RFCTYPE_INTERNAL
3
0000
0003
Internal notes
The termination was triggered in function "ab_xsignon"
of the SAP kernel, in line 2491 of the module
"//bas/700_REL/src/krn/rfc/absignon.c#9".
The internal operation just processed is "CALY".
Internal mode was started at 20080812185932.
Calling system.....: "SOL "
Caller.............: "98819 "
Calling client.....: 001
RFC user ID........: "98819 "
RFC client.........: 200
Trusted return code: 0
Logon return code..: 1
Transaction code...: "SMSY "
Active state.......: "-782823270"
Note: At releases < 4.0, the information for the caller is not
available.
Active Calls in SAP Kernel
Lines of C Stack in Kernel (Structure Differs on Each Platform)
(0) 0x4000000003b2b450 CTrcStack + 0x1b0 at dptstack.c:227 [dw.sapRD3_DVEBMGS00]
(1) 0x4000000004d2c470 Z16rabaxCStackSavev + 0x1d0 [dw.sapRD3_DVEBMGS00]
(2) 0x4000000004d32160 ab_rabax + 0x3570 [dw.sapRD3_DVEBMGS00]
(3) 0x4000000002b43cb0 SignOnDumpInfo + 0x280 at absignon.c:2491 [dw.sapRD3_DVEBMGS00]
(4) 0x4000000002b3f2f0 ab_xsignon + 0xb30 at absignon.c:876 [dw.sapRD3_DVEBMGS00]
(5) 0x4000000002aa4cb0 ab_rfcimport + 0x1ad0 at abrfcfun.c:3599 [dw.sapRD3_DVEBMGS00]
(6) 0x40000000040f4a80 Z8abjcalyv + 0x500 [dw.sapRD3_DVEBMGS00]
(7) 0x400000000402f190 Z8abextriv + 0x440 [dw.sapRD3_DVEBMGS00]
(8) 0x4000000003f538b0 Z9abxeventPKt + 0xb0 at abrunt1.c:281 [dw.sapRD3_DVEBMGS00]
(9) 0x4000000003f360a0 ab_dstep + 0x280 [dw.sapRD3_DVEBMGS00]
(10) 0x4000000001cb4600 dynpmcal + 0x900 at dymainstp.c:2399 [dw.sapRD3_DVEBMGS00]
(11) 0x4000000001cab0e0 dynppbo0 + 0x280 at dymainstp.c:540 [dw.sapRD3_DVEBMGS00]
(12) 0x4000000001cb1ec0 dynprctl + 0x340 at dymainstp.c:358 [dw.sapRD3_DVEBMGS00]
(13) 0x4000000001c9dff0 dynpen00 + 0xac0 at dymain.c:1628 [dw.sapRD3_DVEBMGS00]
(14) 0x4000000001fea460 Thdynpen00 + 0x510 at thxxhead.c:4830 [dw.sapRD3_DVEBMGS00]
(15) 0x4000000001fb4de0 TskhLoop + 0x4e20 at thxxhead.c:4518 [dw.sapRD3_DVEBMGS00]
(16) 0x4000000001faae40 ThStart + 0x460 at thxxhead.c:1164 [dw.sapRD3_DVEBMGS00]
(17) 0x4000000001569ec0 DpMain + 0x5f0 at dpxxdisp.c:1088 [dw.sapRD3_DVEBMGS00]
(18) 0x4000000002c10630 nlsui_main + 0x30 [dw.sapRD3_DVEBMGS00]
(19) 0x4000000002c105c0 main + 0x60 [dw.sapRD3_DVEBMGS00]
(20) 0xc00000000002be30 main_opd_entry + 0x50 [/usr/lib/hpux64/dld.so]
List of ABAP programs affected
Index
Typ
Program
Group
Date
Time
Size
Lang.
0
Prg
SAPMSSY1
0
11.04.2005
09:27:15
22528
E
1
Prg
SAPLSCCA
1
05.07.2005
13:10:18
52224
E
2
Prg
SAPRFCSL
0
13.02.2005
17:31:45
17408
E
3
Typ
RFCSYSACL
0
13.02.2005
17:31:45
7168
4
Typ
SYST
0
09.09.2004
14:18:12
31744
Directory of Application Tables
Name                                     Date       Time       Lngth
Val.
Program SAPMSSY1
SYST                                       . .       : :     00004612
\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\x0001\0\0\0
Program SAPRFCSL
RFCSYSACL                                  . .       : :     00001760
SOL                             RD3
ABAP Control Blocks (CONT)
Index
Name
Fl
PAR0
PAR1
PAR2
PAR3
PAR4
PAR5
PAR6
Source Code
Line
116
CLEA
00
0035
SAPMSSY1
60
117
CLEA
00
0036
SAPMSSY1
60
118
CLEA
00
0037
SAPMSSY1
60
119
MESS
00
001C
SAPMSSY1
60
120
ENDF
00
0000
SAPMSSY1
62
121
00
0000
SAPMSSY1
62
122
PERP
00
0001
SAPMSSY1
64
123
PERP
02
0000
SAPMSSY1
64
124
WHIL
00
0002
0000
0000
0000
0000
0000
0000
SAPMSSY1
66
128
WHIL
00
0003
0000
0000
0000
0000
0000
0000
SAPMSSY1
66
132
BRAN
05
001E
SAPMSSY1
66
133
CALY
00
0003
0038
002A
0005
002B
0000
0000
SAPMSSY1
67
>>>>>
CALY
02
0000
0039
8000
0000
0000
0000
0000
SAPMSSY1
67
141
COMP
00
0002
0010
003A
SAPMSSY1
68
143
BRAF
02
000E
SAPMSSY1
68
144
SRFC
01
0000
003A
003B
SAPMSSY1
69
146
SRFC
01
0000
003C
C000
SAPMSSY1
69
148
SRFC
02
0000
0000
0000
SAPMSSY1
69
150
SRFC
01
0000
003A
003D
SAPMSSY1
81
152
SRFC
01
0000
003C
C000
SAPMSSY1
81
Thanks & Regards
Sudip

Same user in tacacs and local database with different privilege

Hi there,
i am just not sure if this is correct behavior.
i am running NX-OS image n5000-uk9.5.1.3.N1.1.bin on the nexus 5020 platform.
i have configured authorization with tacacs+ on ACS server version 5.2 with fall back to switch local database.
aaa authentication login default group ACS
aaa authorization commands default group ACS local
aaa accounting default group ACS
a user test with priv 15 is craeted on ACS server, password test2
everything works fine, until i create the same username on the local database with privilege 0. ( it doesnt matter if the user in local database was created before user in ACS or after )
e.g.:
username test password test1 role priv-0 (note passwords are different for users in both databases)
after i create the same user in local database with privilege 0,
if i try to connect to the switch with this username test and password defined on ACS, i get only privilege 0 authorization, regardless, that ACS server is up and it should be primary way to authenticate and authorizate the user.
is this normal?
thank you for help...

Hello.
Privileges are used with traditional IOS. Privileges are part of "command authorization". Other operating systems (like IOS-XR, Nexus OS , Juniper JunOS) use "role-based authorization" instead of "command authorization".
So traditional IOS can use the "privilege" attribute but other operating systems can not.
Although IOS-XR, Nexus, ACE, Juniper have "roled-based authorization" feature, every single one of them use their particular attributes.
When I was configuring TACACS with ACE, Juniper and other devices I had to capture the packets to find out what were the particular attributes of ACE, what were the particular attributes of JunOS, etc, etc and to search deeply some hints the documentation , because sadly documentation is not very good when talking about TACACS details.
If you find which attributes to use, and what values to assign to the attributes then you can go to ACS and configure a "Shell Profile".
Now back to Nexus 5000. It seems this particular device has the option to mix "role-based" with "command authorization" by overriding the default roles with other roles which names are called "priv". It seems this was an effort to try to map the old concept of "privileges" to the new concept of "roles". Although you see the word "priv", it's just the name of the role. My particular point of view is that this complicates the whole thing. I would recommend to use just the default roles, or customize some of them (only if needed), but not to use "command authorization".
http://www.cisco.com/en/US/docs/switches/datacenter/nexus5000/sw/security/502_n1_1/Cisco_n5k_security_config_gd_rel_502_n1_1_chapter5.html
I will search the particular attributes Nexus use to talk to TACACS server. If I got them I will post them here.
Please rate if it helps

Project Web App (PWA)/Sharepoint 2013: is there any way to display two different views of the Project Center PWA web part to the same user in a site collection?

i want some of my users to see all the projects in the Project Center at my top-level site, and those same users to see only the projects they own at a subsite level in Project Center. that way they could see an 'all project' view on the homepage and only
their projects on their dashboard pages (which also have an instance of Project Center web part on them). i have searched and searched but cannot find a solution to this. is there any way to acheive this functionality? thanks in advance for your assistance!

I have tried this in the past, but was not successful, as far as I can recall. Once you access the project center webpart in one page, the view will be retained regardless where you see it again. (until you apply a different view or clear your browser cache).
May be an easier solution is to display a 'report' on the home page with ALL projects (much easier to do), and use the Project Center webpart for the My projects view as it is easier to achieve via Project Server Security, than a report.
Cheers,
Prasanna Adavi, Project MVP
Blog:
Podcast:
Twitter:
LinkedIn:

"Accounting-Start" and "Accounting-Stop" with same "user name" and "session Id" recorded in different RADIUS servers.

Hi,
I have questions about "Accounting-Start" and "Accounting-Stop".
1.If a NAS configured to have a primary and a backup RADIUS server. To start with all the “Accounting-Start” records will be in the primary RADIUS server. Later on the primary server goes down (Primary server won’t tell the NAS?). When sessions stop, the NAS sends the “Accounting-Stop” to the secondary. I understand the “Start-Stop” record with the same “user name” and “session-id” ideally should be recorded in the same server. If this situation happens what should both the NAS and RADIUS server do?
2.A NAS configured to have a primary and backup RADIUS server. To start with all the “Accounting-Start” records will be in the primary RADIUS server. Later on the administrator decided to change the primary server (as there are problems with the previous primary). sessions stop, the NAS sends the “Accounting-Stop” to the new primary. This ends up the “Accounting-Start” and “Accounting-Stop” with the same “user name” and “session Id” in two RADIUS servers.
To summarize, how to avoid the ”start-stop” pair ends up in different servers ? If it does, is it an issue for RADIUS application ?
Cheers,
1.If a NAS configured to have a primary and a backup RADIUS server. To start with all the “Accounting-Start” records will be in the primary RADIUS server. Later on the primary server goes down (Primary server won’t tell the NAS?). When sessions stop, the NAS sends the “Accounting-Stop” to the secondary. I understand the “Start-Stop” record with the same “user name” and “session-id” ideally should be recorded in the same server. If this situation happens what should both the NAS and RADIUS server do?
2.A NAS configured to have a primary and backup RADIUS server. To start with all the “Accounting-Start” records will be in the primary RADIUS server. Later on the administrator decided to change the primary server (as there are problems with the previous primary). sessions stop, the NAS sends the “Accounting-Stop” to the new primary. This ends up the “Accounting-Start” and “Accounting-Stop” with the same “user name” and “session Id” in two RADIUS servers.
To summarize, how to avoid the ”start-stop” pair ends up in different servers ? If it does, is it an issue for RADIUS application ?
Cheers,

vignesh and BalusC,
following is the code in front controller's doFilter method. is this not thread safe?
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse res = (HttpServletResponse) response;
        HttpSession session = req.getSession();
        somepackage.User user;
        if(session.getAttribute("user") == null){
            user = new somepackage.User();
            session.setAttribute("user", user);
        }else{
            user = (somepackage.User) session.getAttribute("user");
        }user object maintains all information about a user. if it is in session scope, everything should work fine.
another observation is after some time of usage, both people in different systems are getting same session.getId()
in my logout page i am using
session.invalidate();
thanks,
moses

Exchange 2010 disconnect AD user from mailbox and reconnect the mailbox to a new copy of the same user with a different username

How can i get the following done:
Exchange 2010 disconnect AD user from mailbox and reconnect the mailbox to a new copy of the same user with a different username?
i nmust do this for 16 users TODAY, SO PLEASE HELP ME OUT HERE.
Thanks in advance!!
kind regards,
Rene Veldman
System Administrator Teidem bv, The Netherlands.

Rene,
Why are you not changing the username of the existing account, instead of deleting the existing one and creating a new one?
If you truly need to delete and create new, you can save the GUID for the mailbox (Get-MailboxStatistics <mailbox alias> | Fl MailboxGuid), mail disable the existing account (Disable-Mailbox <mailbox alias>
will work), clean the mailbox database it was hosted on (Clean-MailboxDatabase
<database name>), then create your new account and recover the existing mailbox to that new account (Connect-Mailbox -Identity <Guid from before> -Database <Database name> -User <SAM account name of new account> -Alias
<what you wish to set the alias to>). In PowerShell, for all steps, you would do the following:
$MbxAlias = <mailbox alias>
$NewMbxAcct = <SAM Account Name for new account>
$NewMbxAlias = <new alias for mailbox>
$DomCtrl = (dir env:\LOGONSERVER).Value.Substring(2)
$MbxGuid = (Get-MailboxStatistics $MbxAlias -DomainController $DomCtrl).MailboxGuid
$MbxDb = (Get-Mailbox $MbxAlias -DomainController $DomCtrl).Database
Disable-Mailbox $MbxAlias
Clean-MailboxDatabase $MbxDb
Connect-Mailbox -Identity $MbxGuid -Database $MbxDb -User $NewMbxAcct -Alias $NewMbxAlias -DomainController $DomCtrl
You will need to supply the information in bold in the above commands, and you will need to create the new account before you run the above commands. I include direct use of a specific domain controller so you won't need to worry about replication.
If you are changing the account from one domain to another, this will not help, and you will need to wait for replication throughout the process, running the commands individually.

User license problem of same user but different client for ERP

Hi ,
Our customer have many region, some region config is totally different from other region
so we want to separate it by two client
But in head office, the user will need to do operation for different region,
so they need to login to different client,
same people use the same user name but login to different client
So how to count the license?
as our customer bought named user license.
Thanks

hi
licenses are per client

Same user, 2 different macs

So this is a very elementary question but is it possible to have the same user account (admin in my case) on different macs...without using OS X 10.x Server? I have zero need for anything that server edition has to offer and this would be a convenience thing. Essentially, I am always using 2-3 different macs in my home network, sometimes at the same time, and I wonder if I just need to keep using the different accounts on those machines. Make sense?

You need an account on each Mac you want to access.
If you have File Sharing turned on in System Preferences>Sharing you can access files on your various Macs on the network from any Mac you happen to be on.
Matt

Different output format on pdf, same report same data same user Report 10g

Hi
I’ve recently came up with a very strange problem
I have the same report ( DevSuite 10g ) running on a win2003 server and without any obvious reason the output format changes from the original –correct one - ( the underlined text is not correct , font size is decreased , line spacing differs)
The report is executed with the same user, the same parameters and the same data...
Problem is solved only after a full server restart ( restarting only the report server, web cacle will not make any difference )
Once the report is formatted strangely we cannot run it correctly (reboot is needed)
Trace and log files shows nothing strange about the execution.
Can you please tell me how to start investigate or suggest a solution?
Thank you,
M

This is a wild guess, but it could be the result of there being no default printer. If you're using an in-process Reports Server, this runs by default under the LocalSystem operating system account. By default, this account does not have a default printer. Without a default printer, Reports may not format fonts correctly when producing PDF output.
For more information, see "Printing and Font Errors When Using In-process Server" in Appendix D (Troubleshooting OracleAS Reports Services) of Oracle Application Server Reports Services Publishing Reports to the Web 10g Release 2 (10.1.2). It (like Metalink note 272017.1) suggests changing the registry to set a default printer that the LocalSystem account can "see"). Metalink note 370150.1 offers a more drastic solution -- configuring the Reports Server to run under a different operating system account that does have a default printer.
Still, the theory that this "default printer" issue is the problem is not exactly consistent with the fact that your reports do work as expected at first, although there could be explanations for why the default printer is periodically changing (startup scripts, user intervention, etc.).
Hope this helps.

Same user different roles within different organizations

Similar Messages

Maybe you are looking for