Security issues after catalog migration

Hello,
We have installed a new Sys (11.1.1.7.0) environment and now need to migrate the OBI objects from Dev (11.1.1.7.0). Everything works as expected in Dev with logging in and viewing the appropriate dashboards according to users permissions. Now, after the migrating to Sys when we try to login to hostname:9704/analytics all users cannot see the dashboard and catalog objects. Even Weblogic can't see any. I can view the catalog objects in offline mode via the Catalog Manager or Windows Explorer. If I look at the Catalog through the Catalog Manager my permissions do not allow me to view any objects under Shared Folders; however, in Dev I'm able to do so. It seems something is out of sync btwn the catalog and the Policy store even though users have the appropriate groups assigned in the weblogic LDAP. Any ideas on what might be happening or how to resolve?
Migration process:
1) Migrated Policy Store and Identity store from Dev to Sys. Confirmed objects were migrated.
2) Migrated RPD and Catalog from Dev to Sys. Confirmed objects were migrated.
3) Refreshed GUIDs in Sys
4) services successfully start
Regards,
Mike

Hi Saichand.
I'm working with Mike on this permissions issue, and can provide some feedback.
I'm comparing the "Shared Folders" privileges between two environments, DEV(works) and TEST(not working).
The DEV environment has:
Name - Permission - Details - Type
-- Authenticated User - Full Control - Full Control - Application Role
-- Presentation Server Admins - Full Control - Full Control - Catalog Role
The TEST environment has:
Name - Permission - Details - Type
-- BI Admin Role - Full Control - Full Control - Application Role
-- BI Consumer Role - Custom...- Read, Travers, etc. - Application Role
I'm changing the TEST environment to mirror our functioning DEV permissions:
Name - Permission - Details - Type
-- Authenticated User - Full Control - Full Control - Application Role
-- Presentation Server Admins - Full Control - Full Control - Application Role
I am now able to login as my Administrator user and have access to the appropriate objects.
I still have a couple questions I'm hoping you can clear up though.
1) Something in our migration process to our TEST environ. must have updated the Shared Folders privileges to not include the Authenticated User & Presentation Server Admins roles/groups. This is odd, since we migrated the entire environment from our functioning DEV environ. Any insight into what we did/missed would be helpful.
2) Re. "Shared Folders" permissions on my DEV server vs. TEST server, the role type is "Catalog" on one, and "Application" on the other. How did we accomplish converting the Role from a Catalog to an App role going from DEV to TEST?
DEV:
Name - - Type
-- Presentation Server Admins - - Catalog Role
TEST:
Name - - Type
-- Presentation Server Admins - - Application Role
Much obliged.
Ben

Similar Messages

  • Effictive Permissions not showing up for security groups after interforest migrations using ADMT

    Hi there,
    I"m trying to fix an issue with the effective permission, below is the description
    Two separate forests exist with respective domains DomainA and DomainB.
    A two-way trust has been established between these two domains.
    I migrate a user (using ADMT) from DomainA to DomainB.
    After migration the user account in DomainB has access to the same shares and folders on file servers in DomainA as it did with the user's account in DomainA.
    when i checked the effective permission of the migrated security group it does not show up any tick mark on the permissions. but still end users are able to access the resource on file server
    Thanks in advance for any advice you may have to offer.
    -Vijay

    Hi,
    After the user migration, did you finish the Security Translation?
    http://social.technet.microsoft.com/wiki/contents/articles/16621.interforest-migration-with-admt-3-2-part-3.aspx#Group_Account_Migration
    Regards.
    Vivian Wang

  • Outlook Users connection issues after Mailbox Migration from 2007 to 2013

    Hi,
    We have a coexistance between Exchange 2007 SP3 and Exchange 2013 CU7. There is an issue when after migrating the user from exchange 2007 mailbox to exchange 2013, the outlook keeps on prompting for password when it is being launched. Checking the Connection
    Status we found that there is a connection to the old 2007 Server and the type is Exchange Public Folder. I have migrated the public folder and checked the Mailbox of the user and found that the DefaultPublicFolderMailbox is set to the 2013 Public Folder Mailbox.
    If I check my 2013 MailboxDatabase Properties, It sill shows that PublicFolderDatabase Properties is still pointing to the 2007 Public Folder Database. Any resolution on this?
    Another issue is, We set outlook anywhere on the 2013 to use basic authentication, however, when users are migrated to 2013 the Outlook client changes to NTLM. even if we set the outlook to basic to make it work, it still comes back to NTLM after a while.
    I did most of the resolutions online to use powershell to make changes to outlook anywhere but no luck. any suggestions is highly appreciated.
    Thanks & Regards,
    Arthur

    Hi,
    For the first problem, please check the msExchHomePublicMDB attribute for mailbox database in Exchange 2013, you can check this attribute in ADSIEdit.
    If this attribute is pointing to Exchange 2007 public folder database, please set to blank. After that, please restart the information service.
    And for the second question, I suggest we open a new case for this issue. In order to avoid confusion and keep track of troubleshooting steps, we usually troubleshoot one
    issue per thread in order to find a resolution efficiently.
    Thanks for your understanding.
    Best regards,
    If you have feedback for TechNet Subscriber Support, contact
    [email protected]
    Belinda Ma
    TechNet Community Support

  • TS1963 Issues after file migration from PC

    Hi, I'm new to Mac and I've just done a file migration of my photo's from my old PC (using migration assistant after I've been using the mac i.e. not at initial start-up) and I now can't find the files. Looking at previous similar issues on forums people seem to suggest that a new account will be set up and the photo's will be in there, however there is no new account when I look for it.
    Can anyone help to steer me in the right direction?

    Welcome to the Apple Support Communities
    Migration Assistant creates a new user. Open Apple menu > Log Out to go to the login screen, and you must see the user

  • Security issues after upgrade

    Can any body please tell me what could be the security related issues may come after an upgrade to ECC 6.0.
    Thanks in advance.

    Hi, it's not an exhaustive list but some common things are:
    New authorisation objects
    New transactions
    Different authorisation checks in existing transactions
    Changes to the check indicators
    You may also find slight changes to behaviour of existing authorisation objects, you can also have problems when connecting to non-SAP systems if passwords are mixed case
    If you test your main processes and perform the upgrade steps then you usually will catch the problems.

  • ZFS dataset issue after zone migration

    Hi,
    I thought I'd document this as I could not find any references to people having run into this problem during zone migration.
    Last night I moved a full-root zone from a Solaris 10u4 host to a Solaris 10u7 host. It has a delegated zfs pool.
    The migration was smooth, with a zoneadm halt, followed by a zoneadm detach on the other node.
    An unmount of the ufs SAN LUN (which contained the zone root) on host A and a mount on host B (which is sharing the storage between the two nodes).
    The zoneadm attach worked after complaining about missing patches and packages (since the zone was Solaris 10 u4 as well).
    A zoneadm attach -F started the zone on host B, but did not detect the ZFS pool.
    After searching for possible fixes, trying to identify the issue, I halted the zone again on host B and did a zoneadm attach -u (which upgraded the zone to u7).
    At which point, a zoneadm attach and zoneadm boot resulted in the ZFS dataset being visible again...
    In all a smooth process, but I got a couple of gray hairs on my head trying to figure out what the problem with seeing the dataset after force-attaching the zone was...
    Any insights from Sun Gurus are welcome.

    I am looking at a similar migration scenario, so my question is did you get the webserver back up as well?
    Cheers,
    Davy

  • Report Authorization issues after Authorization Migration in BI 7.0

    Hi SAPians,
    we are facing report access for the customers after migration of authorizations (3.x to 7.0). All these are Customer reports and need to restrict their customer codes only. In two ways, i have tried to resolved this.
    1. Roles - Maintained Customer Number in the authorized object CUSTOMER - Not working.
    2. Created new authorization object through RSECADMIN and maintained the Customer Number with proper activity, validity etc.. - Not Working
    (For Ex. Customer Number is "11500" and length of Char is 10)
    While executing the report, i am getting below error:
    Value "0000011500" for variable "Customer Authorization(Multiple Optional)" is invalid
    Message no. BRAIN643
    Diagnosis
    Characteristic value "0000011500" is not valid for variable Customer Authorization(Multiple Optional).
    Thanks and Regards,
    Venkat

    Hi,
    It depends of the way your authorizations has been setup. If you did it role based or profiles direct to the customer. You should also look into the fact that the migration tool can create direct a profile (not a role with a profile). My way of working in a role based application was that I looked for the roles with objects s_rs_mpro, s_rs_icub, s_rs_odso, s_rs_iset(these are the objects that needs to be replaced with RSECADMIN) and the own build objects with rssm. I added the authorization object s_rs_auth to the role and the new objects made with RSECADMIN. If you transport then the roles and objects made in RSECADMIN it works good. Bottom line beaware of profiles that are not created by the profile generator.
    Have fun
    Jan van Roest

  • Security issue after  publishing planning book on internet.

    Hello experts,
    I have published Planning Book of SCM4.1 on internet via integrated ITS.
    Now the users can access /SAPAPO/SDP94 i:e planning book via internet.
    All the services related to it have been activated in SICF and obejects related to it are published via SE80 like CLPSDP, CLPGLOBAL etc.
    Now when a user who does not have authorization for that transaction logins via internet the explorer screen shows the authorization failure below but at the same time also gives SAP EASY ACESS button on the page. On clicking on the icon  the users login into the SAP as per the roles assigned to him.
    And he can access the system in the same way via internet as we do via SAPGUI.
    I dont want to give this access.
    Moreover this happens only when authorization for transaction SDP94 fails. If user has authorization he directly sees the planning book and does not gets this button.
    Is there any extra service started in SICF which is giving the access even after user is not authorized???
    I have checked almost all the services in SICF and tried deactiavting them But no positive results.
    Is there any user parameter for the same.??
    Kinldy help ???
    System information:- SAP release 640 SCM4.1 server.
    Best Regards,
    Yatindra

    This URL should answer your question
    http://www.cisco.com/en/US/tech/tk86/tk89/technologies_tech_note09186a00800b123c.shtml

  • Pages/Keynote issue after Mac migration

    Hello! I just purchased an Intel MacBook Pro 15" and migrated my old 17" PowerBook to it. However, I can't use iWork now. When I try to open Pages (or Keynote) I get the message "You cannot open the application "Pages" because it is not supported on this system." There is also a big "no" symbol over the grayed-out app icons.
    Is there an update I need to do, or do I need to find my CDs (good luck to me on that; still in a moving box somewhere!) and reinstall?
    Thanks so much for any help!

    Your best may be to re-install, unfortunately. I am not sure what might have gone wrong, but it is probably faster to re-install than to try and troubleshoot.

  • Possible Unified mailbox iPad security issue after iOS 4.2 upgrade?

    On an iPad with multiple email accounts (Gmail, Yahoo & Exchange Active Sync) you are able to forward an Enterprise email received in Exchange Active Sync out through a personal email account. This has been reproduced multiple times with the following configuration. The order of operations does not seem to matter.
    a. Setup a personal account with Gmail, Yahoo, etc. & sync email
    b. Setup Exchange Active Sync on the iPad & sync email
    c. Go into your corporate inbox on Exchange to view email
    i. Select a message
    ii. Forward that message
    iii. Double click on the from field – you will be able to select the email address that will be sending the message out
    iv. Select an external mailbox address and send it to you verizonwireless.com address.
    v. The VZW email will be received with the external address as a sender
    With all of the focus on DLP (data Leak prevention) I believe that this is a big issue that enterprises will be concerned about.

    "This is how ANY email client with multiple accounts would work?" Yes, but with the caveat that normally in the enterprise there would be controls in place (or available) to prevent this.
    It doesn't seem to be something that's getting a lot of publicity on the web but would appear to be a significant risk for companies.
    I don't think it's possible to limit iPads to only corporate mail either natively or using any 3rd party management software, so that leaves the only solution to be some sort of encrypted sandbox for corporate mail along the lines of Good Technology or similar. Unless you can force some sort of persistent VPN through some other mgmt software and monitor all traffic ... doesn't seem ideal but maybe it would work.
    Is anyone aware of any other approaches to this or other vendors in this space? Seems like with the well publicised enterprise iPad adoption that this is an issue Apple would want to address.

  • Outlook cant open PST permissions issue after server migration

    Yesterday I spent the day consolidating files on our server.Users my Doc folders are redirected to the server.I moved the central file share \\server\User Home Folders$ from the soon to be decommissioned G: volume to the New central storage D:I used emcopy64 for this to retain all file permissions and owner etc.This is the command I used:G:\emcopy64 "g:\User Home Folders" "d:\User Home Folders" /o /s /secforce /c /r
    :3 /sdd /w:5 /log:"d:\emclog/txt"Then I stopped sharing on g:\User Home Folders and enabled sharing on d:\User Home Folders with the same name and permissions. I checked and all attributes, ownership, time stamps and NTFS permissions followed nicely, it felt great. Then this morning as I was starting things up before anyone got into work, I discovered it. When outlook 2010 was started it reported "Access is denied. You don't...
    This topic first appeared in the Spiceworks Community

    Great little pod cast.
    EXCLUSIVE INTERVIEW WITH THE WALL OF SOUNDINVENTORNever before heard stories of the GratefulDead's Wall of Sound from its inventor, Bob Heil. Heil used all the knowledgehe gained from Paul W. Klipsch to create the modern architecture for live rockaudio as we know it today. LEARN MOREhttp://www.klipsch.com/blog/wpwk-podcast-ep-5-bob-heil-pwk-grateful-dead/?utm_source=Shopatron+Email...

  • IPHONE 4 SECURITY ISSUE

    IPHONE 4 SECURITY ISSUE
    After installing software ver 5.0.1.  I have found that even with a passcode present you can still access your phone contacts and have full calling features.  If you have a missed call on the front screen and NO SERVICE displayed in the top bar, by sliding the missed call bar across you are given the option of DONE at the bottom of the screen. Click on this and your phone brings you to the recent calls list, where you have full access to all calling features including contacts!!
    If anyone has a resolution to this issue PLEASE help me.

    Re-boot the phone. It shouldn't do this.

  • SAP PI7.11 adapter RFC sender issue after migrating to SAP ECC6

    Hi,
    After the migration of our backend from SAP 4.700 x 200 to SAP ECC6 unicode (kernel 7.20)), we have a issue of connexion to our SAP PI 7.11.
    A part of the field in ECC6 are not well mapped by the abapter sender RFC to the xml in PI.
    I join a screen shot what I have in SAP ECC6 (inquiryECC6.jpg) and the result in SAP PI 7.11in xml format ofcourse (Inquiryxml.jpg).
    Is there someone who can help me?
    Regards.
    Eric Koralewski

    In SM59, there is a new tab <unicode>.
    In that tab, I checked the unicode checkbox  and that's ok.
    Regards

  • Issue after Migration: ID and Content-ID are different in SOAP Payload

    Hi Experts,
    I am facing a strange issue in the PI landscape after the migration from XI 3.0 to PI 7.1.
    The scenario is from R/3 system to TIBCO System (Proxy-to-SOAP). The TIBCO system receives the file in SOAP Format. The message is sent from PI via SOAP adapter to TIBCO System.
    There is a attachment coming from the R/3 System along with the main message and the main payload/message has a "attachment-ID" as a field. Earlier what used to happen in XI 3.0 that the "Attachment-ID" used to equal to the "Content-ID" when the SOAP payload was generated at the TIBCO end. Now after migration, in PI 7.1 the "Attachment-ID" and "Content-ID" are different. We have control over the "Attachment-ID" as it is coming from the source payload but we do not have any control over the "Content-ID" as we are not creating it.
    Can anyone of you please let me know how the SOAP Payload is created and how the content-ID gets populated in the Header of the SOAP Envelope? Also, can anyone help me to fix this issue? Is it something which needs to be handled by us or the BASIS Team?
    Thanks,
    Arkesh
    Edited by: Arkesh Sharma on Dec 16, 2011 12:53 PM

    Hi Ramesh,
    Thank You for the very Helpful Answer. Before I proceed and close this thread, I have one more question which comes to my mind:
    I create my own SOAP Header if I apply the solution provided by you then will the rest of the details in the SOAP Header payload will change or do I need to customize it for myself? For e.g., there is a field named MessageId in the SOAP Header. If I write a Java Mapping, do I need to manually populate the MessageId field in the SOAP Header of my java code or will it be automatically populated?
    My requirement is to change only the content ID of the SOAP Header Payload and the rest of the fields should remain the same as it is. Is it possible with the approach that you mentioned above?
    Thanks,
    Arkesh

  • Issue after migration of test environment to production

    Hi guys,
    After I migrate the test environment to production enviroment I am getting the following errors:
    java.sql.SQLException: ORA-00001: unique constraint (SNPPW.PK_PACKAGE) violated
    java.sql.SQLException: ORA-00001: unique constraint (SNPPW.PK_SNP_GRP_STATE) violated
    java.sql.SQLException: ORA-00001: unique constraint (SNPPW.PK_FOLDER) violated
    java.sql.SQLException: ORA-00001: unique constraint (SNPPW.PK_TRT) violated
    The version of ODI used is ODI 10.1.3.5
    Any help will be appreciated.
    Thanks in advance.

    Hi,
    How exactly are you doing the migration?
    Regards,
    K

Maybe you are looking for

  • Sort Key Figure in a Query

    I have a situation where I have to use a query (not possible to use a view - long story, but limitations on views make it so) I have a simple query that has products on rows, and Month and Sales Value on the columns. I want to sort the Sales value de

  • I somehow lost my iMovie app when I upgraded to Snow Leopard

    I bought my MBP in late 2008. Leopard was installed on it, and it came with iMovie. When I upgraded to Snow Leopard, I can't seem to find iMovie. So after spending $26 to upgrade to Snow Leopard, do I have to spend $75 to buy iLife to get iMovie?

  • Is mountain lion can out put 10 bit colour? I nee to buy EIzo Monitor

    Is mountain lion can out put 10 bit colour? I nee to buy EIzo Monitor.

  • XI pre-prd (distributed system) is very slow

    Hi, Our XI pre-prd which is on distributed configuration is very very slow. CI host is having 8 GB RAM, db host is having 6 GB RAM. When we look at SM50, all the dialog proceses gets occupied by PIAPPLUSER user even though we run a single interface.

  • IPhone 4,include pictures to spotlight

    Hi there and good day,I have an iPhone 4 with iOS 4.2.1 ,I need to know if there is a way to include pictures to spotlight! It would be very useful for my work to be able to search through my pictures(not the pictures that I took with the phone,but t