Secondary group authentication

Similar Messages

• Groups Authenticated users & Everyone difference

  Hi Everyone,
  There are builtin groups Authenticated users & Everyone.  when i check for some iviews, folders, their permissions are set to Everyone with enduser as checked and for some objects, the permissions are given as Authenticated users group with enduser as checked. 
  What is the difference between these two.  All the ESS/MSS objects has given the permission as Authenticated users group with Enduser checked. 
  anyone clarify this doubt.
  Regards,
  EP.

  Hi,
  There are two kinds of Properties for an Portal Content Object,
  1. Administrator Permission- create/modify/read/ permissions etc privilatges on the object. These are Design Time Permissions
  2. EndUser- When a user is assigned a end User Permission, he can view the content at runtime i.e. If the iView is assigned to the User (via iView assigned to a role, and role has an entry point and assigned to the user) and he has only the end user Permission, then he can login and view the runtime content only. A kind of end user privilage.
  Now,
  1. Authenticated Users: the Users who have entered their logon info/ used a certificate to Login to the Portal/ to say users who have authenticated themselves to Portal  are the Authenticated Users. The User Group is named so.
  2. Everyone- All the Users- Authenticated or not fall in this group. Sometimes Content can be accessed directly with a URL without any Logon.
  Based on who can access the End user Content, the End User permission is provided in Permission settings, i.e.in the ACL of that Object.
  Hope this answers your question. Reward points for Helpful answers.
  Thanks,
  Vamshi

• What to enter in Group Authentication ?

  Hi People,
  I am connecting to the server however, i am entering the host as what i know. What do i need to enter in group authentication?? 

  What vpn client are you  using? Is this the Cisco ipsec vpn client
  Thanks
  John

• Support for Cisco VPN "mutual group authentication"

  Hi,
  Does anyone know of support plans for Cisco VPN mutual group authentication in the built-in VPN client on MacOSX?
  Thanks,
  John

  I would like to know the answer to this as well.
  Thanks,
  Josh

• Can we reconcile secondary group name from unix server

  Hi,
  Can we reconcile secondary group name from unix server using some own Customise code?

  Using JNDI this should not be very hard.
  Are you planning to store the secondary groups as a child table to a unix RO?
  Int hat case It might actually be easier and quicker to sidestep the recon system entirely and interact directly with the child form.
  Best regards
  /Martin

• AAA:How to separate the group authentication on Switches through Radius/Tac

  Hi,
  Currently my ACS is being integrated with AD and all the users can access my IOS devices (configured AAA). I only need one group in my AD to access my IOS devices and another group to use VPN access or any other authentications.
  Can anyone tell me how to restrick all other groups in AD to access my network devices except one group in AD which I only want to allow access to my network devices.

  I wanted to do the same thing with the Active Directory where I only wanted on group called "network admin" to have access to my switches. I have 3 ACSs appliances and 100 switches. This is my setup.
  On the ACS Create a "Network Device Group" under NETWORK CONFIGURATION. I called this group "TACACS+ Switches".Once the group is created add all your AAA clients which are your switches.
  (you can accomplish that by first going under INTERFACE CONFIGURATION-click on "Network Device Groups" this will enable the ACS to allow you to create "Network Device Groups" also check the "Group-Level Access Restrictions")
  Then click on GROUP SETUP. edit the 0:default group and disabled that group.Then select a agroup available from the group list and rename the group "Network Admin" and map that group against the AD group named "Network Admin".
  Once that group is correctly mapped.Go back to GROUP SETUP and edit the "Network Admin" group.Within the group you will see an option called "Netwrok Access Restriction (NAR)"
  Click the option DEFINE IP-BASED ACCESS RESTRICTIONS. From The AAA Client drop down menu select the "NDG:TACS+ SWITCHES" for the port enter "*" (asterick) for the address you can specified the the network in whic the switches are residing in my case I used "10.*.*.*" the wild cards will allow any network on the 10. network. then click "enter"
  This is a high level overview on how I did my setup. Remember to properly define your AAA statement under your Cisco IOS switches.
  I hope this help!!

• Please help: WebLogic + BI + SQL Group Authenticator

  Hi all, i have big problem with solution on my company project. I please somebody help me.
  This is my problem:
  I have bifoundation_domain :
  WebLogic Server Version: 10.3.5.0
  EM 11g
  Oracle Business Intelligence 11.1.1.7.0
  with this structure:
  bifoundation_domain
  |- AdminServer
  |- bi_cluster
    |- bi_server1
  So and i need use Weblogic embedded LDAP (DefaultAuthenticator in realms security providers) and i need loading GROUPS from DATABASE. I read and tried a lot of articles, blogs, manuals but
  within positive result.
  My procedure is:
  In WLS console :
  - create jdbc datasource with name "bip_apps_DS"
  - create BI SQL Group provider (with name BIGroupLoader) with this settings
  <sec:authentication-provider xmlns:ext="http://xmlns.oracle.com/weblogic/security/extension" xsi:type="ext:bisql-group-providerType">
    <sec:name>BIGroupLoader</sec:name>
    <sec:control-flag>OPTIONAL</sec:control-flag>
    <ext:data-source-jndi-name>bip_apps_DS</ext:data-source-jndi-name>
    <ext:sql-list-member-groups>SELECT ROLE_NAME FROM V_SYS_AUTH_ROLES WHERE LOGIN_NAME = ?</ext:sql-list-member-groups>
    <ext:sql-list-groups>SELECT NAME FROM UA_ROLES WHERE NAME LIKE ?</ext:sql-list-groups>
    <ext:sql-group-exists>SELECT NAME FROM UA_ROLES WHERE NAME = ?</ext:sql-group-exists>
    <ext:sql-is-member>SELECT LOGIN_NAME FROM V_SYS_AUTH_ROLES WHERE ROLE_NAME = ? AND LOGIN_NAME = ?</ext:sql-is-member>
    <ext:sql-get-group-description>SELECT DESCRIPTION FROM UA_ROLES WHERE NAME = ?</ext:sql-get-group-description>
  </sec:authentication-provider>
  (my DB schema is correct)
  and i move him on first place in providers list.
  So after these steps in WLS console i see in security realm->groups my groups from DB. Everything is OK.
  Now i need use GROUPS from my database in EM in the context of create BI users roles (maping BI application roles on GROUPS (enterprise roles)).
  So i created a database adapter for the Virtualized Identity Store
  this is it:
  <?xml version = '1.0' encoding = 'UTF-8'?>
  <adapters schvers="303" version="1" xmlns="http://www.octetstring.com/schemas/Adapters" xmlns:adapters="http://www.w3.org/2001/XMLSchema-instance">
    <dataBase id="directoryType" version="0">
    <root>%ROOT%</root>
    <active>true</active>
    <serverType>directoryType</serverType>
    <routing>
    <critical>true</critical>
    <priority>50</priority>
    <inclusionFilter/>
    <exclusionFilter/>
    <plugin/>
    <retrieve/>
    <store/>
    <visible>Yes</visible>
    <levels>-1</levels>
    <bind>true</bind>
    <bind-adapters/>
    <views/>
    <dnpattern/>
    </routing>
    <pluginChains xmlns="http://xmlns.oracle.com/iam/management/ovd/config/plugins">
    <plugins>
    <plugin>
    <name>VirtualAttribute</name>
    <class>oracle.ods.virtualization.engine.chain.plugins.virtualattr.VirtualAttributePlugin</class>
    <initParams>
    <param name="ReplaceAttribute" value="uniqueMember={cn=%uniquemember%,ou=people,ou=myrealm,dc=bifoundation_domain}"/>
    </initParams>
    </plugin>
    </plugins>
    <default>
    <plugin name="VirtualAttribute"/>
    </default>
    <add/>
    <bind/>
    <delete/>
    <get/>
    <modify/>
    <rename/>
    </pluginChains>
    <driver>oracle.jdbc.driver.OracleDriver</driver>
    <url>%URL%</url>
    <user>%USER%</user>
    <password>%PASSWORD%</password>
    <ignoreObjectClassOnModify>false</ignoreObjectClassOnModify>
    <includeInheritedObjectClasses>true</includeInheritedObjectClasses>
    <maxConnections>10</maxConnections>
    <mapping>
    <joins/>
    <objectClass name="groupofuniquenames" rdn="cn">
    <attribute ldap="cn" table="V_SYS_AUTH_ROLES" field="ROLE_NAME" type=""/>
    <attribute ldap="description" table="V_SYS_AUTH_ROLES" field="ROLE_NAME" type=""/>
    <attribute ldap="uniquemember" table="V_SYS_AUTH_ROLES" field="LOGIN_NAME" type=""/>
    </objectClass>
    </mapping>
    <useCaseInsensitiveSearch>true</useCaseInsensitiveSearch>
    <connectionWaitTimeout>10</connectionWaitTimeout>
    <oracleNetConnectTimeout>0</oracleNetConnectTimeout>
    <validateConnection>false</validateConnection>
    </dataBase>
  </adapters>
  and run command to register:
  ./libovdadapterconfig.sh -adapterName BIGroupLoader -adapterTemplate bi_sql_groups_adapter_template.xml
  -host localhost -port 7001 -userName weblogic -domainPath /OFM/BI/user_projects/domains/bifoundation_domain
  -dataStore DB -root ou=people,ou=myrealm,dc=bifoundation_domain -contextName default -dataSourceJNDIName bip_apps_DS
  Adapter is creatted successfully within errors!
  I restarted managed server(bi_server1) and AdminServer, all bi commponets etc. BUT WITHOUT RESULT. I still dont see GROUPS in Enterprise manager in
  BI->coreapplication->security->application roles
  I tried set in security setting of webLogic domain in EM virtualize=true.
  This procedure is described on all sites but not funkcionaly for me. Do you know somebody where is mistake? Etc. need i installing OVD server? I dont know. Please helm me. after 10 days i really hopeless :( ..so sorry for my english

  If you are still looking for sol? send me email  [email protected]

• OBIEE Group Authentication Maintenance

  Hi All,
  I have set up Authorisation Via ms ADSI Server for OBIEE 10g , I have also setup Group Authorisation via Table .. Works well. But my problem is " Each user and group has to be created in the table" , Is there way around this or any common practise or procedure i can run to Maintain the groups and users within the Authorisation Table...
  The ADSI (LDAP) is fine... Just problem with maintaining the groups. How does everyone else maintain their groups if you have the table authorization method...
  Thanks
  Bibi

  That's up to you to decide how to do it. There are cons and pros on every approach. Personally I wouldn't stahe any LDAP data as this would require frequent updates or a big delay on new users/permissions feeding to OBIEE. People expect new permissions to be applied instantly. If that's not the case you might get pointless support calls etc. I would either use LDAP to store all permissions or OBIEE. There is little point in having security tables if you have to maintain them manually. We use tables because we have a custom permissioning tool which the help desk manage so we don't need to touch any permissions. You be better of maintain them manually using the Web Catalog and the web Administration console if you can't use LDAP.
  Here is a way of getting a list of users from LDAP:
  http://support.microsoft.com/kb/237677

• NFS Resharing, and secondary groups

  Hi there.
  This might get a bit wacky, so bear with me...
  Anyway, I'm trying to reshare an NFS export from an AIX cluster in order to do away with a Helios EtherShare install that is causing much grief with our designers. I have the re-share set up, and you can see the shares there, but I can't see any files or folders inside them unless I change my primary group ID from 20 (Staff) to one of the GIDs in use on the AIX system.
  I have created groups in Open Directory with GIDs that match what is in use on AIX for those share points, and assigned them to my test user, but it doesn't seem to be working as it should.
  Am I going to have to have the AIX admin repermission a couple million files, or is there a way to make his group IDs work through the re-share?

  The oinstall group adds an extra layer of security and allows the separation of the installation groups from the DBA. This is useful if there are separate groups that maintain the software and the database. You could use DBA for both if you do not have such a requirement.

• SharePoint 2010 - Claims Based Authentication - Access Denied for AD Group members

  We're in the process of migrating our SharePoint 2003 system to 2010 and have used Metavis to migrate the data. We had to do the data migration in a lab environment and then move/attach the content database to our production server. The database attached successfully
  and I, as a site collection administrator, can see all sites and the data therein. We are using claims-based auth with ADFS 2.0 as the provider.
  My users, however, get access denied trying to go anywhere on the site. I have added the Active Directory groups to the appropriate SharePoint groups and have confirmed the groups are appearing with the c:0-.t|adfs|group_name syntax. If I add them as individual
  users (i:05.t|adfs|[email protected]) they can authenticate fine, but not by AD group membership.
  I enabled ADFS tracing and I see that the claim being provided includes the SIDs for all the groups the user belongs to. Using ULS Viewer I can see that SharePoint sees the correct number of claims (it doesn't show what those claims are, just the number) but
  it doesn't seem to be connecting the SIDs passed to the group name used in the permissions list. I have also updated the portalsuperreader and portalsuperuser accounts after the database was moved, just in case there was something weird there.
  The ADFS and SharePoint servers are all in the same AD domain, so they should be able to resolve SIDs ok. I suspect the issue is somehow related to the migration of the content database from a separate
  environment (different domain), but I can't figure out for the life of me how to get the group authentication to work.
  Thoughts?

  Brilliant idea. Unfortunately that didn't work - I can get to the new site as the site collection owner, but members of groups to which I assigned permissions still get Access Denied. :-(

• Everyone Group vs. Authenticated Users Group

  Two questions.....
  1.) What is the difference between the "Everyone" group and the "Authenticated Users" group.
  2) We are starting to use some new BI content (NW04s) in our federated portal and have found that we have to grant permissions to "Authenticated Users" instead of the "Everyone" group. Any ideas why?
  Regards,
  Diane

  Diane,
  The following asnwer is not a SAP answer but I did a quick check on our system and:
  1. the difference between the group Everyone and Authenticated users is exactly 1 user assignment.. I looked further and see that it has to do with the J2EE_GUEST user. this user is member of the group Everyone but NOT of the group Authenticated users.
  2. Can not give you a sure anser on this question but maybe it has to do with security that this is needed?!?!\
  Hopfully another SDN community member can fill me in here...
  Good luck and Kind Regards,
  Benjamin Houttuin

• Reg Authenticated Users Group

  Hello Everyone.
  We created two Roles Role1 and Role2 for this Roles we have assigned the Group "Authenticated Users"
  Now the client requirement is they wants to remove couple of users who are assigned to Role1(who belong to "Authenticated Users" group.
  Though it is not a good practise One thing I can do is search for the group "Authenticated Users" in portal  then choose modify and choose assigned users and remove the users from this group.So,that they can not see Role1
  If I remove the users from the group "Authenticated Users" then they will not be able to see Role2 as they are removed from the "Authenticated Users" group which is assigned to Role2
  Can anyone help me out regarding this issue.

  Hi Shailesh,
  What you understood is correct ie  "Both the users have been added to Role 1 and Role 2, and both the roles have been assigned to "Authenticated Group".
  I tried the step what you have stated.
  once I login to portal --- User administration -- identity management
  search for the user.
  choose modify
  if I click on assigned roles I do not see either Role1 or Role2 under assigned roles
  but if i click on assigned groups I see " Authenticated  Users"
  thanks in advance

• New files and folders on a Linux client mounting a Windows 2012 Server for NFS share do not inherit Owner and Group when SetGID bit set

  Problem statement
  When I mount a Windows NFS service file share using UUUA and set the Owner and Group, and set the SetGID bit on the parent folder in a hierarchy. New Files and folders inside and underneath the parent folder do not inherit the Owner and Group permissions
  of the parent.
  I am given to understand from this Microsoft KnowledgeBase article (http://support.microsoft.com/kb/951716/en-gb) the problem is due to the Windows implmentation of NFS Services not supporting the Solaris SystemV or BSD grpid "Semantics"
  However the article says the same functionality can acheived by using ACE Inheritance in conjunction with changing the Registry setting for "KeepInheritance" to enable Inheritance propagation of the Permissions by the Windows NFS Services.
  1. The Precise location of the "KeepInheritance" DWORD key appears to have "moved" in  Windows Server 2012 from a Services path to a Software path, is this documented somewhere? And after enabling it, (or creating it in the previous
  location) the feature seems non-functional. Is there a method to file a Bug with Microsoft for this Feature?
  2. All of the references on demonstrating how to set an ACE to achieve the same result "currently" either lead to broken links on Microsoft technical websites, or are not explicit they are vague or circumreferential. There are no plain Examples.
  Can an Example be provided?
  3. Is UUUA compatible with the method of setting ACE to acheive this result, or must the Linux client mount be "Mapped" using an Authentication source. And could that be with the new Flat File passwd and group files in c:\windows\system32\drivers\etc
  and is there an Example available.
  Scenario:
  Windows Server 2012 Standard
  File Server (Role)
  +- Server for NFS (Role) << -- installed
  General --
  Folder path: F:\Shares\raid-6-array
  Remote path: fs4:/raid-6-array
  Protocol: NFS
  Authentication --
  No server authentication
  +- No server authentication (AUTH_SYS)
  ++- Enable unmapped user access
  +++- Allow unmapped user access by UID/GID
  Share Permissions --
  Name: linux_nfs_client.host.edu
  Permissions: Read/Write
  Root Access: Allowed
  Encoding: ANSI
  NTFS Permissions --
  Type: Allow
  Principal: BUILTIN\Administrators
  Access: Full Control
  Applies to: This folder only
  Type: Allow
  Principal: NT AUTHORITY\SYSTEM
  Access: Full Control
  Applies to: This folder only
  -- John Willis, Facebook: John-Willis, Skype: john.willis7416

  I'm making some "major" progress on this problem.
  1. Apparently the "semantics" issue to honor SGID or grpid in NFS on the server side or the client side has been debated for some time. It also existed as of 2009 between Solaris nfs server and Linux nfs clients. The Linux community defaulted to declaring
  it a "Server" side issue to avoid "Race" conditions between simultaneous access users and the local file system daemons. The client would have to "check" for the SGID and reformulate its CREATE request to specify the Secondary group it would have to "notice"
  by which time it could have changed on the server. SUN declined to fix it.. even though there were reports it did not behave the same between nfs3 vs nfs4 daemons.. which might be because nfs4 servers have local ACL or ACE entries to process.. and a new local/nfs
  "inheritance" scheme to worry about honoring.. that could place it in conflict with remote access.. and push the responsibility "outwards" to the nfs client.. introducing a race condition, necessitating "locking" semantics.
  This article covers that discovery and no resolution - http://thr3ads.net/zfs-discuss/2009/10/569334-CR6894234-improved-sgid-directory-compatibility-with-non-Solaris-NFS-clients
  2. A much Older Microsoft Knowledge Based article had explicit examples of using Windows ACEs and Inheritance to "mitigate" the issue.. basically the nfs client "cannot" update an ACE to make it "Inheritable" [-but-] a Windows side Admin or Windows User
  [-can-] update or promote an existing ACE to "Inheritable"
  Here are the pertinent statements -
  "In Windows Services for UNIX 2.3, you can use the KeepInheritance registry value to set inheritable ACEs and to make sure that these ACEs apply to newly created files and folders on NFS shares."
  "Note About the Permissions That Are Set by NFS Clients
  The KeepInheritance option only applies ACEs that have inheritance enabled. Any permissions that are set by an NFS client will
  only apply to that file or folder, so the resulting ACEs created by an NFS client will
  not have inheritance set."
  "So
  If you want a folder's permissions to be inherited to new subfolders and files, you must set its permissions from the Windows NFS server because the permissions that are set by NFS clients only apply to the folder itself."
  http://support.microsoft.com/default.aspx?scid=kb;en-us;321049
  3. I have set up a Windows 2008r2 NFS server and mounted it with a Redhat Enteprise Linux 5 release 10 x86_64 server [Oct 31, 2013] and so far this does appear to be the case.
  4. In order to mount and then switch user to a non-root user to create subdirectories and files, I had to mount the NFS share (after enabling Anonymous AUTH_SYS mapping) this is not a good thing, but it was because I have been using UUUA - Unmapped Unix
  User Access Mapping, which makes no attempt to "map" a Unix UID/GID set by the NFS client to a Windows User account.
  To verify the Inheritance of additional ACEs on new subdirectories and files created by a non-root Unix user, on the Windows NFS server I used the right click properties, security tab context menu, then Advanced to list all the ACEs and looked at the far
  Column reflecting if it applied to [This folder only, or This folder and Subdirectories, or This folder and subdirectories and files]
  5. All new Subdirectories and files createdby the non-root user had a [Non-Inheritance] ACE created for them.
  6. I turned a [Non-Inheritance] ACE into an [Inheritance] ACE by selecting it then clicking [Edit] and using the Drop down to select [This folder, subdirs and files] then I went back to the NFS client and created more subdirs and files. Then back to the
  Windows NFS server and checked the new subdirs and folders and they did Inherit the Windows NFS server ACE! - However the UID/GID of the subdirs and folders remained unchanged, they did not reflect the new "Effective" ownership or group membership.
  7. I "believe" because I was using UUUA and working "behind" the UID/GID presentation layer for the NFS client, it did not update that presentation layer. It might do that "if" I were using a Mapping mechanism and mapped UID/GID to Windows User SIDs and
  Group SIDs. Windows 2008r2 no longer has a "simple" Mapping server, it does not accept flat text files and requires a Schema extension to Active Directory just to MAP a windows account to a UID/GID.. a lot of overhead. Windows Server 2012 accepts flat text
  files like /etc/passwd and /etc/group to perform this function and is next on my list of things to see if that will update the UID/GID based on the Windows ACE entries. Since the Local ACE take precedence "over" Inherited ACEs there could be a problem. The
  Inheritance appears to be intended [only] to retain Administrative rights over user created subdirs and files by adding an additional ACE at the time of creation.
  8. I did verify from the NFS client side in Linux that "Even though" the UID/GID seem to reflect the local non-root user should not have the ability to traverse or create new files, the "phantom" NFS Server ACEs are in place and do permit the function..
  reconciling the "view" with "reality" appears problematic, unless the User Mapping will update "effective" rights and ownership in the "view"
  -- John Willis, Facebook: John-Willis, Skype: john.willis7416

• Can you authenticate users from 2 different AAA-servers for one specific tunnel-group?

  I need to authenticate users from two separate AD LDAP databases on the same tunnel-group. I would like them to use the same tunnel-group and thereby using the  same group-alias. I tried creating a new aaa-server group and putting both LDAP servers into group but apparently the ASA does not roll through the separate servers in the aaa-server group and will stop if the first server states that the authentication failed.
  I also tried assigning multiple aaa-server groups into the tunnel-group authentication-server-group but that also did not work. I finally tried to create a separate tunnel-group and assigning it the same group-alias but the ASA will not allow me to assign the same group-alias to different tunnel-group. What is the best way to accomplish this without having to create a new group-alias that will show up and possible confuse the dumb users requiring this access? Please help.

  If you don't want ANY drop down I believe you can do it in a kludgy sort of way.
  Eliminate all the group aliases (which are used to populate the dropdown) and make a local database of the users for the sole purpose of assigning / restricting them to a non-default tunnel-group which authenticates to the secondary LDAP server. 
  You can also send out a non-published URL that points to a second tunnel-group not in the dropdown.
  Of course, we can accomplish this if the AAA server is ISE. ISE 1.3 can authenticate users to multiple AD domains (with or without trust relationships) or a single domain with multiple join points in the Forest.
  The ISE answer makes me wonder - could you establish trust between the domains and authenticate users that way?

• Use require group in virtual host

  Hi,
  I have set up several virtual hosts in my middle tier, and configured them as partner applications so that OID/SSO can be used for authentication. It works fine, but the only supported method I can see is 'require valid-user' which allows any user in OID access to all virtual hosts. Does anyone know of a way around this using OID (not mod_auth). We want to allow users within a group access to individual virtual hosts.
  Thanks,
  Karen

  Hi there,
  I just wanted to clarify my question, has anyone been able to use group authentication using OID to restrict access to websites hosted using AS10g? My website is just plain html, but maybe someone has done something similar by adding a java wrapper to perform the authentication (that seems like overkill to me but maybe there is a more elegant workaround)?
  Thanks,
  Karen