Security - Invalid members restriction

Similar Messages

• Java.lang.SecurityException: Security: Invalid Subject: principals

  I am getting the following exception intermittently:
  java.lang.SecurityException: Security: Invalid Subject: principals=[XXX, Administrators]
  What i am doing is, i have two weblogic servers both running Weblogic 10.0 and running on different domains, a war is deployed on one server (server A) which sends a message to queue on another server (Server B), now everything works but if i restart B then A throws the above Security Exception while looking up the queue on Server B?? Any ideas why, i haven't configured any security credentials.
  If i restart A after restarting B then everything works again but restarting all the servers each time one gets restarted is cumbersome,so does someone knows answer to the question above?
  Edited by: user4828945 on Feb 11, 2009 5:41 PM

  If you dont require authentication, then enable the global trust between the domains.
  When this feature is enabled, identity is passed between WebLogic Server domains over an RMI connection without requiring authentication in the second domain. When inter-domain trust is enabled, transactions can commit across domains. A trust relationship is established when the Domain Credential for one domain matches the Domain Credential for another domain.
  By default, the Domain Credential is randomly generated and therefore, no two domains will have the same Domain Credential. If you want two WebLogic Server domains to interoperate, you need to replace the generated credential with a credential you select, and set the same credential in each of the domains.
  Link :[http://e-docs.bea.com/wls/docs100/ConsoleHelp/taskhelp/security/EnableGlobalTrustBetweenDomains.html]

• "Document Security" and "Document Restrictions Summary" different

  Why is there a mismatch of permissions between 'Document Security' and Document Restrictions Summary'?
  I have a pdf file generated with the following security options enabled -- Printing, Commenting (Annotations), fill-in, Content Modification, Assembly. Even though these options show up as enabled in 'Document Security' section of Security tab in Properties (File->Properties->Security->Document Security), they are different to the ones in 'Document Restriction Summary'.
  This results in the inability to use highlighting/commenting tools of Adobe Acrobat Reader (ver. 7 and 8).
  The pdf file is generated using Open Office 3.0 Writer from a file in a .doc (word) format. I have also tried using tools like 'pdftk' with same results.
  According to my interpretation, the 'Document Restrictions Summary' should be in tandem with the 'Document Security'. Am I missing something obvious here? Could anyone kindly clarify how to enable the commenting feature and use it within Acrobat Reader (the free tool)?
  Needless to say this will be environment friendly option, which Adobe has been a strong advocate of.
  Rahul Iyer

  Yes, thats right. I used Open Office 3 to generate the pdf. I have also tried using pdftk and Adobe Distiller 5 with the same result.
  Your statement implies, the 'Adobe Reader' features cannot be fully utilized without a valid Adobe Acrobat Pro.
  This is a document to which I have the source. I have been able to create the pdf with the required set of permissions based on standards. But I am being hassled because I didn't generate it with Adobe Pro! Well, I suppose this must have been a business decision, but its one thats standards contrary and morally low!
  Adobe just lost an avid Reader user. I shall circulate my findings within my work and social circles. Thanks to competition and open source, I am sure to find a standards compliant reader without much delay.
  Thanks for your help - graffiti
  Rahul Iyer

• Security deposit - Setting restriction automatically after payment

  Hello,
  After Iu2019ve created a security deposit (FPSEC1) and paid it for example with the cash desk. What I understand is that before you can release the security deposit you first have to u201Clocku201D the deposit using FPSEC2. This sets the restriction (DFKKOP-AUGST) to 2.
  Is there a way to set this restriction automatically so you donu2019t first have to go back to the FPSEC2 to set the lock. Or with a batch program oru2026u2026
  Could you please help me out here??
  Thanks a lot,
  Lukas Molenaar

  Lukas:
  It is not clear what you are looking for.  Standard functionality exists as follows:  A deposit is created - the payment of the deposit automatically restricts the payment with value '2'.  THis prevents the payment from being used to clear other receivables. This restriction is in place until the deposit is released.  There is standard release functionality with ISU when the customer moves out, or when the customer has met certain good payment requirements.  Those do not require any user interaction.  Additionally, user can access the security deposit in change mode (FPSEC2) and release it manually.
  After release by any technique, the restriction is removed from the payment document which enables it to clear open recievables OR to be paid back to the customer.
  regards,
  bill.

• Using the Security Manager to restrict access to a single package

  After reading up on the Security Manager, the package.access property and the use of the [accessClassInPackage RuntimePermission|http://java.sun.com/javase/6/docs/technotes/guides/security/permissions.html#RuntimePermission] , it seemed to me that it would possible to set up the following: I have a security-sensitive code base packaged in a jar, and I want to make sure that only one client code base that I specify is permitted to access it. The idea here is to prevent malicious code from executing anything in the sensitive code base; the sensitive code is only accessible to one client that I name in a security policy file. Perhaps rather foolishly, I advised a client to consider this before testing out a sample myself, because much to my surprise, it appears to me that it isn't possible to get the Security Manager to do this at all. Am I missing something? I'm a bit startled by this conclusion -- it seems like such an obvious use for the Security Manager, I'm hard-pressed to be believe that it can't be done, and more inclined to suspect that I'm going about it wrong.
  Here's what I thought I could do: set up the package.access property so that it denies access to any package; then in the policy file, grant the RuntimePermission/accessClassInPackage to the client code base that is permitted to access the sensitive code.
  Of course, you wouldn't want the package.access property to exclude all packages in the global java.security file, because then no code could be accessed at all. It would be necessary to use the trick of resetting the package.access property within the code, as [illustrated in the secure coding guidelines|http://java.sun.com/security/seccodeguide.html#1-1a] .
  But the problem lies in the idea of "use the package.access property to deny access to +any+ package". There doesn't seem to be any way to use wildcards or the like with the property -- it has to specifically name packages (or package prefixes) to which access is forbidden. It wouldn't do to try to name the packages to which I'm trying to prevent access, since we're trying to prevent access from malicious code -- the attacker could just choose package names that aren't on the list. I'd really need to say that access is denied to all packages, except for those in the permitted code base, but the security mechanisms for package access don't seem to allow that.
  Moreover, the trick of changing the value of package.access can't be done within the client code -- otherwise, the attacker client would just set the property to his own purposes. But it can't really be done within the sensitive package either, because the whole idea is to prevent access to that package, and by the time it's busy setting the property, it's already too late, because the package has to have been accessed by a client to get there at all.
  It seems to me that this a symptom of something I've never really understood about the design of the Security Manager -- you can grant permissions to specific code bases, but you can't revoke permissions from specific code bases, let alone all code bases. What I want to do here is grant access permission to one specific code base and revoke it from all others. There doesn't seem to be any way to express that with the mechanisms of the Security Manager.
  The more I look at it, the more it seems that there's just no way to use the Security Manager this way -- set up package access so that a specific code base can only be accessed by one specific client code base. There are surely other ways to get the effect that I'm looking for, but as far as I can tell, none of them involve restricting package access (for example: define a custom permission, grant it only to the permitted client. and check against that permission within the sensitive code base; meaning that the sensitive code has to be accessible to anyone in the first place). This conclusion really surprises me (not to mention my bit of embarrassment with the client); wouldn't this be precisely the sort of thing the Security Manager ought to be good for?

  You're looking at this back to front. The security policy file is there for the client to decide how much access he is going to give this application, not for to application to restrict who can use it. If you want to control what used to be called 'state orientation' you can do that directly by looking down the stack trace inside your code.

• Multiple Fix with invalid members.

  Hello!I trying run calculations like this:Fix("01/10/2002") CLEARBLOCK ALL;EndFix;Fix("02/10/2002") CLEARBLOCK ALL;EndFix;Fix("03/10/2002") CLEARBLOCK ALL;EndFix;Some members maybe invalid, and the calculation ends without finish the outers. There's some workaround?Thanks in advance, and sorry about the terrible english! :)

  True, CLEARDATA is very slow. Try this:"01/10/2002" = #Missing;"02/10/2002" = #Missing;"03/10/2002" = #Missing;All three should clear in a single pass. If it does not work, let me know.Good Luck,Tim

• BI Security Implementation and restrictions at Infocube levels

  Dear all,
  I am trying to update myself on BI security and practical implementations. I read expert guide and other relevant documentation. We have BW security integrated with CRM and Portal.
  Please explain or provide me some direction in understanding how BI security works at key figure level.
  <b>Is it necessary to set the following InfoObjects as “authorization-relevant” . Is it MANDATORY to make the following settings as "Authorization-Relevant" before we start the BI Security
       0TCAACTVT
       0TCAIPROV
       0TCAVALID
       0TCAKYFNM</b>
  and
       Add 0TCAIFAREA as an external hierarchy characteristic to 0INFOPROV
  When I changed above infoobjects to Authorization relevant, BI Portal Users are complaining that they have Access issues. I have to change this setting back.
  Can someone explain me the implication of making the above objects as Authorization Relevant. What making these objects, Do I need to complete some steps to make it work.
  All users have 0BI_ALL object defined in S_RS_AUTH. I don't know how 0BI_ALL works for users.
  I greatly appreciate if anyone can explain how I can achieve the following scenarios:-
  1. How Can I restrict user access to all the Characteristics and Key Figures of Infocube ZEN_XXX1 except for Characteristic 0CRM_SALORG.
  2. How can I restrict User access to all the Characteristics and Key Figures of Infocube ZEN_XXX1 except for Characteristic 0CRM_SALORG (Sales Organization CRM) and Key Figure ZVOLSU.
  3. How can I restrict User Access to all Infocubes EXCEPT ZEN_T001 infocube.
  I tried using PFCG but it does not work. 3rd scenario worked fine. I really need help in resolving scenario 1 and 2.
  please eMail me if I need to go thru any other step-by-step procedure.
  I am trying my best to resolve and at the same time reading other documentation and experimentation.
  Waiting for a Positive Reply
  Kumar

  Hello Kumar,
  <b>here are my statements:</b>> Is it necessary to set the following InfoObjects
  > as “authorization-relevant” . Is it MANDATORY to make
  > the following settings as "Authorization-Relevant"
  > before we start the BI Security
  >      0TCAACTVT
  >      0TCAIPROV
  >      0TCAVALID
  >      0TCAKYFNM
  <b>Be careful when checking 0TCAKYFNM. If you do so EVERY user will be influenced because reporting is based on key figures. But as you need to restrict to certain key figures you will have to check 0TCAKYFNM  authorization relevant. As a consequence every user will need key figure authorizations.</b>> 
  > and
  > Add 0TCAIFAREA as an external hierarchy
  > characteristic to 0INFOPROV
  <b>This is not mandatory but may be helpful if you want to restrict authorizations on InfoArea Level.</b>
  > When I changed above infoobjects to Authorization
  > relevant, BI Portal Users are complaining that they
  > have Access issues. I have to change this setting
  > back.
  <b>They might complain because they do not have authorizations for any key figure.As I explained above checking this object has impact on every query because every query contains key figures and when you check 0TCAKYFNM users will need the authorizations for this object.</b> >
  > Can someone explain me the implication of making the
  > above objects as Authorization Relevant. What making
  > these objects, Do I need to complete some steps to
  > make it work.
  >
  > All users have 0BI_ALL object defined in S_RS_AUTH. I
  > don't know how 0BI_ALL works for users.
  <b>0BI_ALL is SAP_ALL on analysis level - you must not assign this to your reporting users!</b>>
  > I greatly appreciate if anyone can explain how I can
  > achieve the following scenarios:-
  >
  > 1. How Can I restrict user access to all the
  > Characteristics and Key Figures of Infocube ZEN_XXX1
  > except for Characteristic 0CRM_SALORG.
  <b>Figure out if characteristic 0CRM_SALORG has to be marked as authorization relevant or not. If not - there's nothing to do. If yes - you will have to setup analysis authorizations.
  Create an analysis authorization in RSECADMIN like:
  ZEN_XXX1_ALL
  0CRM_SALORG  = *
  specify your other auth. relevant characteristics and enter ":" as values
  0TCAIPROV = ZEN_XXX1
  0TCAACTVT = 03
  0TCAVALID = *
  Do not forget to allow authorizations for these auth. relevant characteristics in your other infoproviders (where applicable).
  Assign the authorization to the users in RSU01 or create a role containing S_RS_AUTH with the analysis auth. as value.
  </b>
  >
  > 2. How can I restrict User access to all the
  > Characteristics and Key Figures of Infocube ZEN_XXX1
  > except for Characteristic 0CRM_SALORG (Sales
  > Organization CRM) and Key Figure ZVOLSU.
  <b>Create an analysis authorization in RSECADMIN like:
  ZEN_XXX1_KEY
  0CRM_SALORG  = CRM
  specify your other auth. relevant characteristics and enter ":" as values
  0TCAIPROV = ZEN_XXX1
  0TCAACTVT = 03
  0TCAVALID = *
  0TCAKYFNM = ZVOLSU
  And also do not forget to allow authorizations for these auth. relevant characteristics and all key figures in your other infoproviders.
  Assign the authorization to the users in RSU01 or create a role containing S_RS_AUTH with the analysis auth. as value.</b>
  > 3. How can I restrict User Access to all Infocubes
  > EXCEPT ZEN_T001 infocube.
  <b>Enter in auth object (PFCG) S_RS_COMP and S_RS_COMP1 your cube ZEN_T001 in field RSINFOCUBE,  RSZCOMPTP =  REP, ACTVT =  16
  </b>
  >
  > I tried using PFCG but it does not work.
  <b>Why? What was the problem? Keep in mind that you always will need the three special dimensions since BI 7.0</b>
  3rd scenario
  > worked fine. I really need help in resolving scenario
  > 1 and 2.
  >
  > please eMail me if I need to go thru any other
  > step-by-step procedure.
  >
  > I am trying my best to resolve and at the same time
  > reading other documentation and experimentation.
  >
  > Waiting for a Positive Reply
  >
  > Kumar

• LRT224 OpenVPN Server Security Subnet Mask restriction

  I would like to use a Security Subnet Mask of 255.255.252.0 with OpenVPN Server, but the LRT224 limits my choices to the masks shown in the snippet below. I don't understand this restriction. If Class B, 255.255.0.0, is allowed, why not allow sub Class B like 255.255.252.0, 255.255.248.0, etc? I know I could switch to 10.x.0.0/255.255.0.0, but I don't want to re-address my existing network. 

  This is a good thought. Now, this got me wondering as well. I would like to believe this is as designed. Maybe some sort of  product limitation.

• Port-security MAC address restrictions and flexconnect

  Hi - has anyone else seen this issue?
  We use port-security on flexconnect ports limiting the maximum mac addresses to 100. The ports are configured so that the native vlan is the AP management vlan and we tag the wireless client vlan.
  Recently we had an issue where we were seeing MAC address restriction violations on the ports connected to AP's. Although we could not see the violations happen in realtime they were in the switch logs. In Cisco Prime we checked the client counts on the AP's and they were less than 10 at that time the error occurred.
  We then increased the max mac addresses to 200 and still saw the same issue. Removing port-security seemed to fix the problem.
  This was the model and version of the switches.
  WS-C2960X-24PS-L   15.0(2)EX4            C2960X-UNIVERSALK9-M
  Has anyone else had this? 
  Any help much appreciated.

  Hi - has anyone else seen this issue?
  We use port-security on flexconnect ports limiting the maximum mac addresses to 100. The ports are configured so that the native vlan is the AP management vlan and we tag the wireless client vlan.
  Recently we had an issue where we were seeing MAC address restriction violations on the ports connected to AP's. Although we could not see the violations happen in realtime they were in the switch logs. In Cisco Prime we checked the client counts on the AP's and they were less than 10 at that time the error occurred.
  We then increased the max mac addresses to 200 and still saw the same issue. Removing port-security seemed to fix the problem.
  This was the model and version of the switches.
  WS-C2960X-24PS-L   15.0(2)EX4            C2960X-UNIVERSALK9-M
  Has anyone else had this? 
  Any help much appreciated.

• R12 SLA drilldown security:How to restrict drilldown based on source/AppI

  Hi All,
  We are on R12 and SLA is configured and working fine.
  However we have a special requirement while performing drilldown from GL- SLA
  Navigation GL Super user -->Inquiry--> Journal -->Review Journal--> Line Drilldown
  Currently we can drilldown fo all sources AR/AP/PAYROLL etc
  We want to restrict drilldown functionality for certain responsibility/s only to AR/AP sources
  We want to restrict drilldown functionality for certain responsibility/s to only Payroll Sources
  Please let me know the approach to meet the requirement.
  Cheers
  Sam

  Hi Anil,
  Thanks for the Reply.
  Following actions happens on Review Journal form
  Currently in our r12 instance the following actiosn and details are shown, Click Line drilldown button
  1) Opens SLA html page,
  showing GL journal like infirmation
  Showing Journal Line information
  2) On this page we have two buttons
  2.1 View Transactions
  Will take to subledger Transaction, You are right it would take to AR/AP etc but not payroll
  2.2 View Journal Entry
  will take to subledger journal entry details, it would show details for all source ap/ar etc inclusing payroll.
  This is fine for one set of responsibility
  We require for another reposnsibility when we click line drilldown when source is AR/AP it should show sla page
  but when the source is PAYROLL, when we click lines drilldown
  1)it should either not launch sla page or
  2)launch sla page but no details are shown or
  Can we acheive this identifying right functions in xla_sl_drilldown, create a new abc_xla_sl_drilldown menu with only functions for AR AP.
  Any ideas about the approach.
  Appreciate your feedback.
  Cheers
  sam

• Problem with FC security when data restrictions are based on RU dimention

  Dear Sirs,
  The data access restrictions for users in our system is configured, that reporting unitu2019s data can be accessed only by users that are responsible for ancestor's data based on RU hierarchy (restriction by RU dimension in data analysis).
  When reporting unit is moved in hierarchy from one parent to another -  old ancestor canu2019t access itu2019s data as only new ancestor do. But in that case we have a very big problem as users can't build old ancestoru2019s consolidated reports for previous periods - they are incorrect since RU dimension access is restricted for all periods.
  Are any ideas how the issue can be solved ?

  Dear Egle,
  Indeed,  the historical data within the reports will not be accessible after the data analysis modifications and this is the normal behavior of BO Financial Consolidation.
  Please note that an enhancement request was escalated to allow users to belong to more than one Data Access Group. This enhancement is referenced under the reference ADAPT01028492 ( for more information, you can refer to  the SAP Note 1405946 - BOFC - Allowing multiple Data Access Groups).
  This new feature is not implemented yet in  Financial Consolidation  and the current  workaround is to create 2, 3 or 4 users for the same person.
  However, this workaround will oblige users to disconnect/reconnect many times or open more than one session  to apply necessary changes on BO Financial Consolidation.
  If this request is quite important for you, we recommend you to enter this enhancement in our new site ( Idea Place): https://ideas.sap.com. Indeed, SAP has defined a new process and a new tool that is now available to customers  which allow them to log Enhancement Requests themselves and have the ability to work more directly with our technology and Development group.
  If the request sent by the customer is pertinent and voted by 10 other customers at minimum, the Enhancement Request will be probably accepted by the Product Group(to have more information  about this new process, you can refer to the SAP note 1515837 - NEW Enhancement Request Process - "Idea Place" )
  Let me know if you will need further details.
  Best regards,
  Emna.

• Kids security - How to restrict online or usage time per account

  OSX enables you to restrict applications (e.g. safari, restriction of loadable web-sites). But how to give children a fixed amount of time per day to use their account or to access the internet?

  Some of the better routers allow you to set a schedule according to machine hardware number and services.

• Auto-Fill Secure Zone Members' Information to a webform?

  Hi, everyone:
  I'm working with webforms in a secure zone and the system is insisting on having users enter their information - name & e-mail address.  Since they've already provided this information when registering for the secure zone, I'd prefer to use a {module_firstname} etc. insert for their information rather than ask them to type it repeatedly.  I've tried removing the input fields and replacing them with the tags, but this results in an error message.  Is there any way to do this?
  Thanks!
  Linda

  Hi Linda,
  If customer is logged into a secure, the data can be pulled from the customer's info and can be populated in the form fields. Please refer to the following article : http://kb.worldsecuresystems.com/924/cpsid_92481.html
  The above mentioned article has the steps to achieve this. If you still face the problem, please reply with the exact error message you get and your site's URL.
  You can also contact support directly via Chat from http://helpx.adobe.com/contact.html and select Business catalyst from the dropdpwn or log a ticket.
  Cheers,
  Aishvarya Raj Rastogi

• How do I fix this, certin web sites i get this message . this connection is untrusted, cant confrim that connection is secure ,invalid secutity certificate. web sites like google, chase rewards,and unc charlotte

  please help

  I just tried that, and now I get a sad face in a box when I hit the play button for a tutorial:
  THat's how I'm feelling too!

• Any ideas on restricting userID Role Assigment within the SAP Security Team

  Hello,
  I have gotten a request to look into restriction of assignment of roles to oneself within the company SAP Security Team. Thoughts I have come up with so far involve the use of UserID User Groups, Role Assignment Ranges, and forcing all role assignements for all userIDs through GRC-AC CUP for QA and Prod. Has anyone come up with a workable solution that is outside of these suggestions that they have put into practice?
  Thanks in advance for your help!
  John

  Hi John,
  There can be a manual control in place and individual should not assign role/s to himself / herself.
  Otherwise, security team members can be assigned to a specific group (let say Security) and they shouldn't have access to authorization S_USER_GRP with ACTVT 22 & CLASS - Security.There should be a dedicated power user to assign the role/s to the security team members and this can be auditted (SM20 log for manual super user / FireFighter log for FireFighter user).
  Thanks
  Prasanna