Security Profile with Assignment-level Security limitations

Hi, We are on an R12 installation, and have a security profile based on Organization Hierarchy (With Assignment-Level Security - i.e. 'Restrict on Individual Assignments' checkbox is ticked); this is based on a specific organisation as the 'Top Org' rather than the User's own Assignment.
The profile option "HR: Access Non-Current Employee Data" is set to 'Yes', but the security profile still restricts access to Future-Dated Assignments and Ended Assignments. Is this expected behaviour, and is the only solution to develop a Custom security profile, and is this even feasible (to replicate organisation hierarchy security using SQL in the custom security tab), or would we have to use a different criteria, such as Payroll?
Regards, Chris

Further investigation reveals this is a limitation of the product - within security, the selection criteria which determines which individuals (or assignments) is handled separately to Assignment-level security (i.e. whether individual assignments are restricted), it is not possible to get around this issue even using custom security, as that does not give one the power to determine how individual assignments are handled. Thus if assignment-level security is implemented, the user cannot see Ended or Future-Dated assignments, even if the profile option "HR: Access Non-Current Employee Data" is set to 'Yes'.
The only workaround we have found for this is to:
a) remove assignment-level security, and
b) ensure that where an employee has multiple assignments that cross security groups, this individual is set up twice, as two separate employees.

Similar Messages

  • Reports XI: Infoview behavior with Row Level Security

    Post Author: pwilliamsbssp
    CA Forum: General
    I have a report that is based off a business view that has project information with an additional table used to assign report users to certain clients (each project has a client). A filter is used to assign the report user to the current ce username. The report is scheduled by the administrator login. Each user goes to view their report on Infoview and is able to view data for only those clients specifically assigned. This functionality seems to work fine - everyone views one instance of the report and InfoView assigns the row level security. However, I'm running into a problem viewing report histories when adding or changing client assignments. The historical reports come up either blank or with erroneous information (such as the current week's information instead of the previous week's data saved with the instance of the report). I have not found a logical link between the behavior of the historical reports and the specific users. Some can see one week and not another while others have the reverse, regardless of their security assignments. Does anyone understand the behavior of view historical reports with row-level security? I have no idea what data/metadata is saved with each report instance and when the row-level security is being read. Is it read when viewing the report? or, is it specific to the structure of the data when the report was run? With other reports using the same row-level security model I'm able to view the historical reports although it has the client assignments at the time the report was created. But, at least I'm able to view the reports. Any insight welcome.
    Patrick Williams

    Post Author: pwilliamsbssp
    CA Forum: General
    Bump.  Anyone is welcome to tackle this question.  Please.

  • Migrate SQL 2008 Analysis database to 2012 AS database along with data level security defined in current production cube

    I want to migrate Analysis Services 2008 database to 2012 AS database along with data level security defined in current production cube
    Note: Only Production environment have security, while no security is defined in development environment
    Potential Approach:
    1 - Using Synchronization Wizard: Gives me error : "The OLAP element at line1 can not appear under envelope......" and this is because Synchronization works only for same version
    and in my case, there are different versions of SQL (SQL 2008 and 2012)
    2 - Using Visual studio conversion wizard - Convert SQL 2008 AS project to 2012 and then process cube, so I can get the cube working but then how can I get data level security since 100's of data level security is defined in production Cube, so how can I
    migrate that across
    3 - Script out XMLA and deploy cube - But then again having issues with how can i script SSAS security
    4 - Would taking backup of SSAS 2008 database and restore to SSAS 2012 will help ?
    Any suggestions would be appreciated
    Thanks,
    Mihir

    Hi Mihir,
    According to your description, you want to migrate the SQL Server Analysis Services (SSAS) 2008 database which have some security setting with it to SSAS 2012, right? We can migrate existing Analysis Services databases either during Setup, by upgrading an
    existing instance of Analysis Services, or after Setup, by running the Migration Wizard. Generally, when migrating a database to another server, all the setting will be migrated. So in your scenario, you can refer to the steps on the links below to migrate
    your SSAS database.
    How to: Migrate Analysis Services Databases
    Migrating Existing Analysis Services Databases
    Regards,
    Charlie Liao
    TechNet Community Support

  • Apple should make a server hardware/OS with iOS level security. This could compete well with the breach infested pre secure OS/hardware server systems like Windows Linux OSX.  It should be structurally immune to phishing etc

    Apple should make a server hardware/OS with iOS level security. This could compete well with the breach infested pre secure OS/hardware server systems like Windows Linux OSX.  It should be structurally immune to phishing etc and could be sold easily as a secure alternative.  It should be based on structural hardware based security as has been demonstrated in the iOS operating system and the hardware should be made in secure facilities in the US.  Those Chinese put weaknesses into the hardware they make as has been documented on 60 minutes.

    Apple's entry in the server market has come and gone - is there a question in there somewhere?

  • /etc/security/limits.conf

    Hello
    OS : Redhat enterprise Linux Ver 5
    When installed as per install guide, I see that /etc/security/limits.conf updated with entry as :
    oracle hard nofile 65536
    1) Why is the default limit of 1024 not sufficient ?
    2) Does oracle opens more than 1024 files at a time ?
    3) How to find the exact list of files open by the oracle user at any given point in time ?
    Thanks in advance for your help.

    Hi,
    that's a good question. I don't have an answer either, but I assume that especially in the past (8i) when datafile size was limited that it was causing problems on huge databases. Making it high enough could also reduce their support effort. This is just my stomach feeling which I am telling you but the truth will tell you someone else. Maybe someone else here in the forum knows more than me.
    I am not 100% sure but:
    $ lsof|grep oracle|wc -l
    1762 shows me over 1024 open files. This with a running ASM instance, a DB and a listener.
    Cheers,
    David
    OCP 9i
    http://www.oratoolkit.ch/otn.php
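
    An added example, not part of the thread: `lsof | grep oracle | wc -l` counts every row that mentions oracle across all processes, including `cwd`, `txt` and `mem` rows that are not descriptors, while `nofile` is enforced per process. The sketch below counts numeric descriptors per PID and reads the soft and hard limits from `/proc/<pid>/limits`; both samples are constructed, the function names are hypothetical, and the lsof parsing assumes the default column layout with FD in the fourth column.

```bash
#!/usr/bin/env bash
# Added example (not from the thread). All sample data below is constructed.

# Constructed `lsof` default output: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
SAMPLE_LSOF='oracle  4101 oracle cwd  DIR  8,1    4096 131 /u01/app/oracle/dbs
oracle  4101 oracle txt  REG  8,1 1048576 977 /u01/app/oracle/bin/oracle
oracle  4101 oracle mem  REG  8,1  262144 978 /u01/app/oracle/lib/libexample.so
oracle  4101 oracle 0r   CHR  1,3     0t0   5 /dev/null
oracle  4101 oracle 256u REG  8,1 5242880 990 /u02/oradata/DB1/system01.dbf
oracle  4102 oracle cwd  DIR  8,1    4096 131 /u01/app/oracle/dbs
oracle  4102 oracle 3u   REG  8,1 5242880 990 /u02/oradata/DB1/system01.dbf
tnslsnr 4200 oracle 7u   IPv4 9001    0t0 TCP *:1521 (LISTEN)'

# Constructed /proc/<pid>/limits excerpt: soft limit at 1024, hard limit at
# 65536 (the value from the limits.conf entry quoted in the question).
SAMPLE_LIMITS='Limit                     Soft Limit           Hard Limit           Units
Max processes             16384                16384                processes
Max open files            1024                 65536                files'

# Per-PID count of real descriptors read from lsof output on stdin.
# A real descriptor has an FD column starting with a digit (0r, 3u, 256u);
# cwd/txt/mem/rtd rows do not count against nofile.
fds_per_pid() {
    awk '$4 ~ /^[0-9]/ { n[$2]++ } END { for (p in n) print p, n[p] }' | sort -n
}

# Soft or hard "Max open files" value from /proc/<pid>/limits text on stdin.
# $1 = soft | hard
nofile_limit() {
    awk -v which="$1" '/^Max open files/ { print (which == "hard") ? $5 : $4 }'
}

# Live check for one process, printed as "<pid> <open fds> <soft limit>".
# Reading another user's /proc/<pid>/fd requires being that user or root.
fd_usage() {
    local pid=$1 n
    [ -r "/proc/$pid/limits" ] || return 1
    n=$(( $(ls -1 "/proc/$pid/fd" 2>/dev/null | wc -l) ))
    echo "$pid $n $(nofile_limit soft < "/proc/$pid/limits")"
}

echo "rows matched by grep (all processes, all row types):"
printf '%s\n' "$SAMPLE_LSOF" | grep -c oracle
echo "real descriptors per PID (what nofile actually limits):"
printf '%s\n' "$SAMPLE_LSOF" | fds_per_pid
echo "sample limits: soft=$(printf '%s\n' "$SAMPLE_LIMITS" | nofile_limit soft)" \
     "hard=$(printf '%s\n' "$SAMPLE_LIMITS" | nofile_limit hard)"
echo "this shell (pid, open fds, soft limit):"
fd_usage "$$" || echo "/proc not available on this system"
```

    On a live host, run `fd_usage` for each PID returned by `pgrep -u oracle` to see how close any single process is to its own limit.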

  • Problems with assign profile

    Hi,
    I want to make default an option "don't color manage this document".
    How can I do that?

    Unfortunately, it appears that you can't - at least not with the default interface.
    There is an option "Don't Color Manage this Document" in the Advanced section of the New... dialog window but unlike the other options there, this doesn't remain for the next time and reverts (defaults) to the profile selected for the Working Spaces in the Color Settings. The problem is that this option is not available in the profile menus of the Color Settings. I think you have a good case for a feature request - to include this option in the Working Spaces section of the Color Settings.
    Meanwhile, you can create an action by recording Edit > Assign Profile with the option Don't Color Manage This Document and use it with a hot key which you have to press each time after creating a new document and when you want to remove a profile.
    You can check what color profile an image has in the Info palette (F8). To display this information make sure it is checked in the Info palette's options accessible from its menu located at the top right on the palette.

  • I want to build a form with radio buttons to limited clients ticking every option.

    I want to build a form with radio buttons to limited clients ticking every option. I have a range of products and in order to quote accurately I want to get specific information.

    If I get this , you want to show form options to specific clients not to all site viewers ?
    You would need to create a secure zone for this where permitted viewers can login and view the form with all options , in form itself we cannot setup this as few customers will view other options and others will view a different one.
    This can be done from your hosting end. Or if you are using Adobe server for hosting then you can create some profiles for customers and then setup a separate form altogether to achieve this.
    Thanks,
    Sanjit

  • LoadUserProfile() creates a profile with Chinese characters on a remote system

    Hi,
    I'm working on an application where LoadUserProfile() is being used to remotely load a user profile on a machine. The token being passed to LoadUserProfile() is obtained from LogonUser(). 
    When doing this only with a Domain Admin user which is added in Active Directory, it creates a profile with Chinese characters in the C:\Users\ folder of the remote machine. Note that this happens only when logging in for the first time with
    this Domain Admin account remotely on that machine.
         // code:
          PROFILEINFO pi;
          memset((void *) &pi, 0, sizeof(PROFILEINFO));
          pi.dwSize = sizeof(PROFILEINFO);
          pi.dwFlags = PI_NOUI;
          pi.lpUserName = (TCHAR *)strUser;   //strUser is the User name, and it shows correctly here when debugging
          if (LoadUserProfile(hToken, &pi))
    //It is actually successful, and comes here when debugging.
    Although the name shows up correctly when debugging (remotely), why is it creating a profile with Chinese characters on the remote machine? 
    TIA,
    Jy

    CreateProfile won't load the profile.  You need to use LoadUserProfile to load the profile, and you need to query for a roaming profile path to put in the lpProfileInfo parameter if you want to include that as well.  You need a token for a
    user to call LoadUserProfile, but not a profile handle.  LoadUserProfile will populate that for you before it returns if it was successful.  See this excerpt from
    https://msdn.microsoft.com/en-us/library/windows/desktop/bb762281%28v=vs.85%29.aspx:
    Upon successful return, the hProfile member of PROFILEINFO is a registry key handle opened to the root of the user's hive. It has been opened with full access (KEY_ALL_ACCESS). If a service that is impersonating a user needs to read or write to the user's registry file, use this handle instead of HKEY_CURRENT_USER. Do not close the hProfile handle. Instead, pass it to the UnloadUserProfile function. This function closes the handle. You should ensure that all handles to keys in the user's registry hive are closed. If you do not close all open registry handles, the user's profile fails to unload. For more information, see Registry Key Security and Access Rights and Registry Hives.
    WinSDK Support Team Blog: http://blogs.msdn.com/b/winsdk/

  • AD "Log on to" restriction causes RDP connections with network level authentication to fail

    I am running a Server 2008 R2 environment and have recently enabled network level authentication for RDP connections. Since the change, users who have their logons restricted to specific servers via AD, now get an error when logging on via RDP:
    An Authentication error has occured
    The Local security authority cannot be contacted
    After investigating this error and reading technet I found that removing the "log on to" restriction within their user object solved the problem even tho they had rights to this server. Adding the users client PC name to the "Log on
    to" list also solves this issue.
    My question is, is there another way around this? We have an environment where some users may require an RDP connection from a client PC not on the same domain (over VPN) as the server. It will not be practical to add many different client PC names
    to the log on to list and I don't understand why client PC's must be specified in the Log on to list and not just the actual server they are logging onto.
    Any pointers appreciated

    I have just come across this problem on one of my client’s domains; they have recently enforced a policy to “Allow connections only from computers running Remote Desktop with Network Level Authentication (more secure)”  and users with “Log on To” restrictions
    on their account are no longer able to RDP using their second account.
    After a lot of fiddling around I finally resolved the problem by adding the connecting computer name into “Log on To” list.  Ultimately it appears that Network Level Authentication (NLA) requires authentication to take place on both the host initiating
    the connection and the remote host.

  • Roaming Profile at User level simply not copying...no error

    Little rusty on setting this up but if I recall if I choose to setup roaming profiles at the user object level then I simply need to create a share with the appropriate share/NTFS permissions then assign the UNC path in the Profile tab in ADUC?  We
    are running Win 2008 R2 with Win 7 SP1 clients.
    If this is correct then I have done this and the profile will simply not roam...no errors in event log, the test user simply logs in and has a normal local profile.  While I am logged in as this user I can access the above UNC and create a folder so
    I think permissions are ok.
    Originally this computer and test user were in an OU where I set a GPO setting up Folder Redirection.  Thinking that I possibly configured something incorrectly there I moved the user and computer object to a basic OU where only the default domain policy
    is applied.  No change.
    I don't remember getting this part working to be such a hassle so I am at a loss now how to troubleshoot further.
    Thanks

    Hi,
    Since Roaming Profile doesn’t work correctly, and you could not find any error in the event logs. At this time, I suggest you’d better first check for the correct permissions on the profile
    share. In addition to logging events in the Application Event log, User Profiles can provide a detailed log to aid troubleshooting. To create a detailed log file for user profiles:
    1. Start regedit and locate the following path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
    2. Create a new value called UserEnvDebugLevel as a REG_DWORD, and set the value to 30002 in hexadecimal format.
    The log file can be found at: %windir%\debug\usermode\userenv.log
    Regarding how to troubleshoot Roaming Profile issue, please try to refer to the following article to see if it helps.
    Troubleshoot User Profiles with Events
    http://technet.microsoft.com/en-us/library/jj649075.aspx
    Here are some guides about how to configure Roaming Profile, they may be useful to us.
    Configuring Roaming User Profiles
    http://technet.microsoft.com/en-us/library/cc738596(WS.10).aspx
    Group Policy Recommendations for Roaming User Profiles
    http://technet.microsoft.com/en-us/library/cc781862(v=ws.10).aspx
    How to configure Roaming Profiles and Folder Redirection
    http://www.grouppolicy.biz/2010/08/best-practice-roaming-profiles-and-folder-redirection-a-k-a-user-virtualization/
    Best Regards,
    Andy Qi
    TechNet Subscriber Support

  • RA Simulation on Profiles with "Include Users" Option

    Hi ,
    We have SAP RAR 5.3 SP8 P1.
    When running the Risk Analysis simulation for profiles/roles, we are presented with an option to set Yes/No for "Include Users" .
    Can somebody explain how this flag setting affects the simulation and what we can expect in the report?
    With "Include Users" set to Yes, are we expected to see the users with the combination / one of the profiles???.
    We are trying to simulate permission level risk analysis for profiles. So the simulation Values are set to check another profile with:
    Exclude Values - No
    Risk From Simulation Only - No
    Include Users - Yes
    Include Composite Roles - No
    Once we set "Include Users"  to Yes, we can only run the simulation as a background job. But unable to see any user info in the results. Hope somebody can explain what the report is expected to display.
    Thanks,
    Anil

    I am not logged on, but from memory this was an option to include "Reference Users" in the analysis. This means, authorizations (not profiles or roles!) are assigned indirectly via another user whose access I can inherit.
    If it makes no difference and is referring to the reference user concept, then obviously you do not have any reference users...
    > We are trying to simulate permission level risk analysis for profiles.
    Are you sure about this? You are building manual profiles?
    Cheers,
    Julius

  • How to Manually Create Wi-Fi Profiles with Open Authentication & WEP Encryption

         I clicked Control Panel > Network and Internet > Network and Sharing Center> Set up a new connection or network > Manually connect to a wireless network, but I wasn't able to select WEP for Encryption type when I selected
    Open System for Security type. Why not? I hear Open authentication & WEP encryption is more secure than WEP authentication & encryption. Doesn't Windows support Open authentication & WEP encryption?
         I tried it on several computers: Win8.1/8/7, hp/DELL/ASUS/acer, but on neither of them was I able to select Open authentication and WEP encryption at the same time. Wi-Fi is enabled, and every user account that I tried it from is an administrator
    one.
         I can manually create Wi-Fi profiles with WEP authentication and WEP encryption. What I wanted to create is, however, those with Open authentication and WEP encryption.
         I'll appreciate your help.
    cf. http://answers.microsoft.com/en-us/windows/forum/windows8_1-networking/how-to-manually-create-wi-fi-profiles-with-open/20306f4a-6909-44a5-a715-745a922b97e0?rtAction=1420438873802

    Hi,
    Actually speaking, both types of WEP encryption are not secure. I agree with SenneVl's opinion, it would be better to use WPA encryption. You can refer to the contents of the link below for more details:
    Set up a security key for a wireless network:http://windows.microsoft.com/en-hk/windows/set-security-key-wireless-network#1TC=windows-7
    Roger Lu
    TechNet Community Support

  • Is it OK to share system profile with support

    I'm having a problem with a game, CoD4, and the support staff at Aspyr has asked me to share my system profile with them. Are there any security or other concerns that I should be aware of before doing so?
    Many thanks,
    Brian

    I agree you should send your profile to a bona fide company. I did this recently to help OnOne Software debug a problem they are having with one aspect of the ATI graphics card in the i7 iMac.

  • Need help with multi-level categorization

    Hi,
    We have the following scenario:
    A complaint has a subject profile with two catalogs:
    1. Problem - 60 problem codes
    2. Solution - 30 solution codes
    Each catalog has code groups and codes assigned as above.
    In GUI we can address this using the catalogs, code groups and codes under "Analysis" tab at complaint header / item level. However, we want to switch over to categorization schema in CRM 7.0 Webclient UI.
    I tried creating a categorization schema in Web UI. However, if I understand correctly, for each of the 90 codes (60 + 30 mentioned above) I need to add a category id under the root schema id and assign a subject code under the general data of the category (while maintaining the category hierarchy). Is this true? I really cannot do it since I have already created the catalogs with the mentioned number of codes under the relevant code groups. Isn't it a duplication of effort? What's the whole point of creating subject profiles / catalogs / code groups / codes if it has to be redone in webclient's categorization schema? Moreover, every time I add a problem code (say number of codes become 61 from 60), do I need to change the schema and release it again?
    I believe there would be a simpler way to do it.
    My exact requirement is:
    1. I want to use only the first two drop downs of the categorization view in complaints component
    2. First drop down to have all the problem codes (60 of them)
    3. The second drop down to have all solution codes (30 of them).
    Request the gurus to provide the exact steps to achieve this (_details in terms of exact steps will be appreciated and suitably rewarded_). Please note that the customizing in terms subjects, catalogs, code groups, codes etc is already in place.
    Regards,
    DP

    Hello DP,
    we have in sum 4 category fields in the service request.
    And we did it like you explained it. First customizing of code / codegroups, etc.
    Afterwards you have to create the categorization schema in WebUI.
    And yes, every time we add a code we need to change the categorization schema as well.
    We maintain categorization schema in WebUI only in TCR and we use the RFC-Import for the QCR and PCR system.
    You are right this is a duplication of effort. In our case it is needed because we use the SLA determination based on categorization and we have multilevel categories, which means that depending on category A we have different entries in category B.
    If you just need two dropdown boxes independently from each other I would suggest creating two customer-own fields with a Z-table behind them. That's much less effort if you often add or delete codes.
    Best regards
    Manfred

  • After refusing an update now all I get is a white screen with the firefox logo. If I have to reinstall firefox 3.66, how can I transfer my firefox profile with bookmarks etc, to the new installation?

    After refusing an update now all I get is a white screen with the firefox logo. If I have to reinstall firefox 3.66, how can I transfer my firefox profile with bookmarks etc, to the new installation?
    == This happened ==
    Every time Firefox opened

    -> press F11 to bring the computer out of FullScreen
    -> Tap ALT key or press F10 to show the Menu Bar
    -> go to View Menu -> Zoom -> click Reset -> Page Style -> select Basic Page Style
    -> go to View Menu -> Toolbars -> select Menu Bar and Navigation ToolBar -> unselect All Unwanted/Incompatible Toolbars
    -> go to Tools Menu -> Options -> General -> When Firefox starts : select "Show My Home Page" -> Type the address of the website which you want to be your HomePage e.g. http://www.google.com
    -> go to Tools Menu -> Options -> Content -> place Checkmarks on:
    1) Block Pop-up windows 2) Load images automatically 3) Enable JavaScript
    -> go to Tools Menu -> Options -> Privacy -> History section -> Firefox will: select "Remember History"
    -> go to Tools Menu -> Options -> Security -> place Checkmarks on:
    1) Warn me when sites try to install add-ons 2) Block reported attack sites 3) Block reported web forgeries 4) Remember Passwords for sites
    -> Click OK on Options window
    -> go to Tools Menu -> Add-ons -> Extensions section -> REMOVE All Unwanted/Suspicious/Incompatible Extensions (Add-ons)
    -> go to Tools Menu -> Add-ons -> Appearance section -> REMOVE All Unwanted/Suspicious/Incompatible Themes (Persona)
    Now Restart Firefox. Check and tell if it's working.
