Security setup design question

One of my databases has 1700 objects owned by a user (APPOWNER). Everyone -the web servers, the developers, the sys admins- all connect to the database as this same user. Effectively, there is no security on this database at all.
I want to get people logging on with their own names, but this obviously causes "issues".
Principally, I think code should continue to live in one all-encompassing schema. But this means DeveloperA needs to be able to create a package in the APPOWNER schema. I think that means granting ALL privileges to DeveloperA, and that's not really recommended, is it? How else could I organise things?
Also, people have got used to just typing 'begin someprocedure; end;', and they're going to forget to change that to 'begin appowner.someprocedure; end;'. How best to hide the fact that they're calling code from another schema? I could create public synonyms for the APPOWNER objects, but there are 1700 of them in all. Would doing so cause a maintenance or performance problem?
Any answers on these specifics, as well as more general thoughts on how best to organise a light-touch security environment on a 10gR2, Windows, Standard Edition database, please?

I wouldn't disagree with your argument, but it's not going to happen here, so it's a bit of a sterile debate to be having for our specific situation.
I don't mind granting them CREATE ANY PROCEDURE, as that seems to me a lot better than giving them APPOWNER's password: being able to create a procedure is nowhere near as nasty as letting the developers be allowed to DROP APPOWNER's stuff, which having the password would do. I can live with a pile of rubbish being created all over the place. I have a problem with important bits of code being accidentally dropped!
Besides, APPOWNER's password is also SYS and SYSTEM's!! So anything at all would be a lot better than what we've got! :-)
Thanks very much, though, for the CURRENT_SCHEMA idea. That will help immensely: and I see at http://asktom.oracle.com/pls/asktom/f?p=100:11:0::::P11_QUESTION_ID:6265422366927 that Tom Kyte thinks this a better approach for schema name resolution than 1600 public synonyms, too, which clinches it for me.
I still haven't quite digested your last paragraph, so let me see if I can ask one last question to clarify things for myself (sorry to be slow about this).
Suppose UserA can now log on as UserA and gets CURRENT_SCHEMA set to APPOWNER. UserA has been granted 'create any procedure' privilege.
UserA creates a procedure as though he were APPOWNER, so it does insert into table X, which is APPOWNER's table. That will create fine, I think, and I think the procedure will be owned by APPOWNER, because that was the current schema when it was created.
But if UserA tries to execute the procedure, it will fail with insufficient privileges.
So if I then 'grant execute on appowner.proc1 to userA', I think UserA will now be able to run the procedure, and because it's an APPOWNER-owned procedure, the insert that it contains (to a table to which UserA does NOT have rights) will work fine?
So if I then revoke that grant, and instead do 'grant execute on appowner.proc1 to Role1' and 'grant role1 to userA', will userA still be able to execute the procedure successfully?
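The setup the post walks through (personal login, CURRENT_SCHEMA pointed at APPOWNER, EXECUTE granted through a role), written out as a script for a test instance. This is an added example, not part of the original thread; DEVELOPER_A, APP_EXEC_ROLE, SET_APP_SCHEMA, PROC1 and the ID column of table X are assumed names, and it relies on Oracle's default definer's-rights behaviour for stored procedures.

```sql
-- Added example; all names other than APPOWNER are hypothetical.
-- Steps marked [DBA] run as a privileged account, [DEV] as DEVELOPER_A.

-- [DBA] 1. Personal account: may log on and create code, nothing else.
CREATE USER developer_a IDENTIFIED BY "Placeholder_ChangeMe1";
GRANT CREATE SESSION TO developer_a;
-- CREATE ANY PROCEDURE is system-wide: it covers every schema,
-- not only APPOWNER, so keep the list of grantees short.
GRANT CREATE ANY PROCEDURE TO developer_a;

-- [DBA] 2. Resolve unqualified names against APPOWNER at logon,
--          instead of maintaining ~1700 public synonyms.
CREATE OR REPLACE TRIGGER set_app_schema
AFTER LOGON ON DATABASE
BEGIN
  IF SYS_CONTEXT('USERENV', 'SESSION_USER') IN ('DEVELOPER_A') THEN
    EXECUTE IMMEDIATE 'ALTER SESSION SET CURRENT_SCHEMA = APPOWNER';
  END IF;
END;
/

-- [DEV] 3. Unqualified CREATE lands in the current schema, so this
--          becomes APPOWNER.PROC1. It compiles against APPOWNER's
--          privileges, so the reference to table X resolves even though
--          DEVELOPER_A holds no privilege on X.
CREATE OR REPLACE PROCEDURE proc1 AS
BEGIN
  INSERT INTO x (id) VALUES (1);   -- column ID is an assumption
END;
/

-- [DEV] 4. Creating is not executing: without EXECUTE on
--          APPOWNER.PROC1 this call is rejected.
BEGIN proc1; END;
/

-- [DBA] 5. Grant EXECUTE through a role rather than user by user.
CREATE ROLE app_exec_role;
GRANT EXECUTE ON appowner.proc1 TO app_exec_role;
GRANT app_exec_role TO developer_a;

-- [DEV] 6. In a NEW session (so the role is enabled as a default role)
--          the same call succeeds. PROC1 is a definer's-rights procedure
--          (the default, AUTHID DEFINER), so the INSERT runs with
--          APPOWNER's privileges; DEVELOPER_A still cannot touch X directly.
BEGIN proc1; END;
/
INSERT INTO x (id) VALUES (2);     -- expected to fail: no privilege on X

-- Caveat: roles are disabled inside definer's-rights stored PL/SQL.
-- A stored procedure owned by DEVELOPER_A that calls APPOWNER.PROC1 would
-- need EXECUTE granted directly to DEVELOPER_A, not via APP_EXEC_ROLE.

-- [DBA] 7. Review who ended up with what.
SELECT grantee, privilege
FROM   dba_sys_privs
WHERE  privilege LIKE '%ANY%'
AND    grantee NOT IN ('SYS', 'SYSTEM', 'DBA')
ORDER  BY grantee, privilege;

SELECT grantee, privilege
FROM   dba_tab_privs
WHERE  owner = 'APPOWNER'
AND    table_name = 'PROC1';
```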

Similar Messages

  • Wireless Authentication/Security Design questions

    Wireless newbie here...I was required to quickly stand up a wireless deployment at a new warehouse/office building. I have the basic network up and working. My remote AP's have associated with the 2106 in the main office and users can associate and authenticate with the 1130G AP's and can access the office network. I did the basic configs and am now looking to tighten up security. My questions are as follows:
    1) The user clients are Dell Laptops with integrated wireless. They authenticate using LEAP..how do I migrate to EAP or do I need to. I have a Cisco ACS doing RADIUS authentication now.
    2) Should I be using some kind of supplicant client on the laptops?
    3) How do I filter mac's so rogue AP's and rogue clients can't try and associate.
    4) Am I correct in assuming the connections between the 1130 AP's and 2106 are secured and if so do I need to tweak anything to tighten them up?
    5) I have an AP in the main office building that I want to setup to detect rogue AP's. Do I have it associate as a regular AP and push some kind of policy to turn it into a detector?
    I have attached a diagram to help explain. Any help would be appreciated.
    v/r
    Chad

    1. LEAP is a form of EAP, so you must already have something terminating your EAP sessions. The WLC can do this to some extent, or ACS. Which one you chose will be based upon your requirements for manageability, scalability and feature-richness. I would suggest that PEAP-MSCHAPv2 provides a good balance of usability and security, and is significantly better than LEAP.
    2. No, stick with Windows XP SP2 supplicant. This can be configured using domain policy (2k3 SP1 or better) and is pretty good. Just make sure your laptops have new Intel drivers on them. Dell in particular have been quite bad with sending out old drivers in the builds.
    3. MAC authentication is now largely regarded as a waste of time. It is so easy to spoof a MAC address it's ridiculous, and it's a fair amount of work for the admin(s).
    4. The LWAPP tunnel encrypts all management / config / security related traffic between the AP and WLC, while user data is simply encapsulated in LWAPP, so it can potentially be read if packets are captured.
    5. All APs will do rogue detection, don't really need to have dedicated APs unless you're REALLY paranoid. Main benefit is quicker detection, but drawback is that the 'detector' AP won't serve clients.
    Regards,
    Richard

  • Security Setup

    Hi,
    We are having HFM used for reporting and consolidation.
    Two Specific issues/questions
    1) We are having separate Development, UAT and production environments. However the security setup/AD groups for all three environments are same. We cannot create different security groups in three different environments as it will affect meta data level changes. So the issue is that a person having the UAT environment is also able to access the production system, as AD groups for security class are same. Is there a way we can differentiate the security of three different environments?
    2) HFM offers application administrator roles. However, we are having 3 different teams:
    A) One performing change management such as meta data level changes
    B) Second one performing security
    C) Third one performing maintenance activities such as dispensation, bypass, validation tolerance limit load exchange rate.
    Is there a way we can segregate these responsibilities by setting up different access/roles for the users.
    Your help would be much appreciated.

    Hi,
    In regards to question #1 :
    Option a - Use Native Groups. If you were using Native Groups as opposed to the AD groups, you could keep everyone assigned to the same groups and simply have different levels of access between the apps. A lot of systems will use Native Groups with external directories (i.e. Active Directory) for users. This probably isn't something of interest since you already have everything in AD and would be a lot of hassle to rework....
    The other options I propose really depend on what exactly are you trying to accomplish in DEV vs PROD in regards to security. They are somewhat hackish but would solve your issue....
    Option b - If you want everyone to have full access to everything in DEV as opposed to more limited access in prod, give the WORLD built in group access to all of your security classes in DEV only.
    Option c - If you want everyone to have the same entity / account access just a different level (i.e. Read to Write), then you can just extract the production security file and replace all the security class access items from Read to All, etc.
    Option d / e - If you want to give people different account / entity access as opposed to level of access, this is a bit trickier because any moves you make in AD would apply for all of the apps.... I would think this wouldn't be that common and maybe you only need this for a couple people? For the few instances of this, I think the best bet options are : d.) create a Native Group and put them in that with the proper security class access. e.) Assign the user directly to the security class with the proper access in the environment. Security class access is not contained in AD and the changes would not automatically propagate..... If you have to do this for a "ton" of users, it wouldn't be much fun though.
    In regards to question #2 -
    A) - First of all, if someone has the HFM client or a text editor and access to the metadata file, anyone can make the changes. Your best bet is to control the extracting and loading aspect of this. The 'Load System' role will control who can load metadata to HFM.
    B) - Provisioning Manager will allow changes to user access to the App
    C) Not sure what you're looking for here. Exchange rates would be a data load so they would need to be able to load data to the system. This sounds like more of an Account / Entity access item so you would need to make sure the user has proper security class access in HFM.

  • SOA real-time design question

    Hi All,
    We are currently working with SOA Suite 11.1.1.4. I have a SOA application requirement to receive real-time feed for six data tables from an external third party. The implementation consists of five one-way operations in the WSDL to populate the six database tables.
    I have a design question. The organization plans to use this data across various departments which requires to replicate or supply the data to other internal databases.
    In my understanding there are two options
    1) Within the SOA application fork the data hitting the web-service to different databases.
    My concern with this approach is what if organizations keep coming with such requests and I keep forking and supplying multiple internal databases with the same data. This feed has to be real-time, too much forking will impact the performance and create unwanted dependencies for this critical link for data supply.
    2) I could tell other internal projects to get the data from the populated main database.
    My concern here is that firstly the data is pushed into this database flat without any constraints and it is difficult to query to get specific data. This design has been purposely put in place to facilitate real-time performance. Also asking every internal projects to get data from main database will affect its performance.
    Please suggest which approach should I take (advantage/disadvantage). Apart from the above two solutions, is there any other recommended solution to mitigate the risks. This link between our organization and external party is somewhat like a lifeline for BAU, so certainly don't want to create more dependencies and overhead.
    Thanks

    I had tried implementing the JMS publisher/subscriber pattern before, unfortunately I experienced performance was not so good compared to the directly writing to the db adapter. I feel the organization SOA infrastructure is not setup correctly to cope with the number of messages coming through from external third party. Our current setup consists of three WebLogic Servers (Admin, SOA, BAM) all running on only 8GB physical RAM on one machine. Is there Oracle guideline for setting up infrastructure for a SOA application receiving roughly 600000 messages a day. I am using SOA 11.1.1.4. JMS publisher/subscriber pattern just does not cope and I see significant performance lag after few hours of running. The JMS server used was WebLogic JMS
    Thanks
    Edited by: user5108636 on Jun 13, 2011 4:19 PM
    Edited by: user5108636 on Jun 13, 2011 7:03 PM

  • Security setup operations failed: creating system keys

    I have just downgraded my T60 laptop from Vista to windows xp using the lenovo CD's.
    Everything seems to be working well, except that each time I boot up the computer, the lenovo security setup software runs.  If I follow the menus all the way through, I get to the following error on the last screen:
    "your security settings have been configured however, one or more setup operations failed: creating system keys"
    There was also a message that previously briefly flashed during the bootup (on the "bios" screen?) which stated that the system was designed to use fingerprints to protect something or other, but this was not enabled.  However:  I then ran all updates for windows xp and for lenovo drivers etc.  This message has now gone away (and unfortunately I didn't write it down).
    I'm guessing the failure to "create system keys" results in the software running each time I boot up.
    Another possibility:  I have not yet enabled the symantec security, as I intend to uninstall it and use other virus protection software.  Could this be causing the"failure to create system keys"?
    (The fingerprint reader works fine, and reads my fingerprint at the windows logon screen.)
    **UPDATE**:  uninstalled symantec security software, and this had no effect.
    Message Edited by orson_m on 12-29-2008 02:47 PM

  • ISE Design Question

    I have few design questions regarding ISE v.1.0.4.573
    Do ISE 3395 gigabit ports support Link aggregation?  how can i utilize all 4 ports for uplink ?
    When doing a standalone HA setup of 2x3395, Is there a heartbeat link between the two ISE or they will use the same uplink to the network for heartbeat and synchronizing?
    I am designing ISE with WLC. My WLC (5508) setup is like 5 floors having different Vlans but same SSID. How can i make ISE authenticate in this scenario since WGB AP is not supported in ISE v.1.0. Is there a work around for this type of WiFi setup in ISE?
    Continuing from the above setup, while roaming from one floor to another floor after changing Vlan, the user will re-authenticate or use the same session?
    Thanks for the help.
    Regards,
    Zohaib

    1. The current version does not support Link aggregation.
    2. They will use the same uplink to the network for heartbeat and synchronizing.
    3. My suggestion is to assign your SSID an interface group, containing all interfaces belonging to your VLANs, on your WLC and set AAA override. Then, in ISE, create authorization profiles which include the appropriate VLAN. Use RADIUS attribute Called-Station-ID with your AP MAC address as condition.
    4. They will use the same session.

  • SCA design question - PIX and SCA with dual logical SSL server.

    I have a SCA design question. please correct or verify my solution.
    1. connectivity.
    <Client with port 443>--<ISP>--<PIX>--<SCA>--<SERVER(two IP on single NIC and each IP associates to WEB server) with port 81>
    * client will access WEB server with x.x.1.100 or x.x.1.101
    2. physical IP address
    - PIX outside=x.x.1.1
    - PIX inside=x.y.1.1
    - SCA device=x.y.1.2
    - SERVER NIC1=x.y.1.10
    - SERVER NIC2=x.y.1.11
    3. PIX NAT
    - static#1=x.x.1.100 map to x.y.1.10
    - static#2=x.x.1.101 map to x.y.1.11
    4. SCA configuration.
    mode one-port
    no mode one-port
    ip address x.y.1.2 netmask 255.255.255.0
    ip route 0.0.0.0 0.0.0.0 x.y.1.1
    ssl
    server SERVER1
    ip address x.y.1.10
    localport 443
    remoteport 81
    server SERVER2
    ip address x.y.1.11
    localport 443
    remoteport 81
    Thanks,

    The document http://www.cisco.com/univercd/cc/td/doc/product/webscale/css/scacfggd/ has a link to a page which describes how to use the configuration manager command line interface to configure the Secure Content Accelerator. Several configuration examples are also included in this page.

  • Security Setup Wizard keeps appearing on startup

    For some reason, the Security Setup Wizard keeps appearing every time I logon.  There seems to be an error when it is completing the last steps of the process.  I enter all the information requested and get to the last page and I get an error message that it cannot create the "system keys."  What are the system keys and how do I fix this error?
    If I cannot fix the error so that the wizard can complete its tasks, how do I prevent it from running on startup in the first place?  I checked the run list in the registry but it doesn't seem to be listed there.

    Hi sclexman,
    Thank you for your good instructions and prompt reply.  I don't often see such patient or helpful people outside of the ThinkPad community!
    My system has been running beautifully for well over a year.
    I am running Windows XP Professional on my IBM ThinkPad T60p.
    Typing something like ThinkPad "Security Setup Wizard" into Google with quotation marks, you will get better results.
    I literally get exactly what is described above by the other people.
    My problem is the Wizard which keeps popping up every time the computer restarts, but the "system keys" step is where the wizard gets stuck, so I thought that might be the cause of the problem.
    I put off setting up my security software with fingerprint reader for years, and I just got around to it yesterday.  The wizard popped up every time I started up since I got it, but when I went through the wizard and set everything up, it finally stopped popping up.
    Shortly after, I  went poking through the advanced settings of the ThinkVantage Client Security Solution program and accidentally clicked "Reconfigure security settings".  This brought up the same wizard again, and made me re-enter all of my passwords and security questions, which was quite a hassle.  This is the time it failed at the "system keys" part of setup; the first time took longer, but it was successful.
    My big reward at the end of this was supposed to be the wizard leaving me alone at startup, but he will not stop his familiar haunt!
    Any help is appreciated.
    Thanks,
          Thomas
    Security Setup Wizard that won't stop popping up:
    Wizard after initial successful completion.  If done over, it won't get past the second step.
    I don't want to try creating my own system key as your WikiHow link describes, as I'm not entirely sure what I'm doing, and I don't want to actually break my system's security!  Everything is working perfectly now security-wise, except for this pop-up window!!!
    P.S.
    I took so long to reply because when I tried to change my e-mail address to the one I check most often, I was completely locked out of my account.  I did not receive any confirmation e-mail no matter how many times I clicked re-send.  Today I changed it back to my Hotmail account, and it came within five minutes, so I'm back in. Since Hotmail works, I am guessing that the spam filter on my school's e-mail servers is cranked up too high, rather than any problem on Lenovo's part.

  • What does 'security setup forms that accept sql statement' mean?

    I was referring one white paper 'Best Practices for Securing Oracle E-Business Suite'.
    I would like to know what does 'security setup forms that accept sql statement' mean in that?
    My question is
    Where can the SQL statements be entered?
    It would be better if I can have some examples of the same. I am trying to understand this statement.
    Edited by: Kavipriya on 30 Mar, 2011 3:37 PM

    It is explained in the same docs.
    Best Practices for Securing the E-Business Suite [ID 189367.1] -- Page 26, under "LIMIT ACCESS TO FORMS ALLOWING SQL ENTRY" section.
    Best Practices For Securing Oracle E-Business Suite Release 12 [ID 403537.1] -- Page 22, under "LIMIT ACCESS TO FORMS ALLOWING SQL ENTRY" section.
    Thanks,
    Hussein

  • Architecture/Design Question with best practices ?

    Architecture/Design Question with best practices ?
    Should I have separate webserver, weblogic for application and for IAM ?
    If yes than how this both will communicate, for example should I have webgate at both the server which will communicate each other?
    Any reference which help in deciding how to design and if I have separate weblogic one for application and one for IAM than how session management will occur etc
    How is general design happens in IAM Project ?
    Help Appreciated.

    The standard answer: it depends!
    From a technical point of view, it sounds better to use the same "middleware infrastructure", BUT then the challenge is to find the latest weblogic version that is certified by both the IAM applications and the enterprise applications. This will pull down the version of weblogic, since the IAM application stack is certified with older version of weblogic.
    From a security point of view (access, availability): do you have the same security policy for the enterprise applications and the IAM applications (component of your security architecture)?
    From an organisation point of view: who is the owner of weblogic, enterprise applications and IAM applications. In one of my customer, application and infrastructure/security are in two different departments. Having a common weblogic domain didn't fit in the organization.
    My short answer would be: keep it separated, this will save you a lot of technical and political challenges.
    Didier.

  • Catalyst 3850 Stack VLANs, layer 2 vs. layer 3 design question

    Hello there:
    Just a generic, design question, after doing much reading, I am just not clear as when to use one or the other, and what the benefits/tradeoffs are:
    Should we configure the switch stack w/ layer 3, or layer 2 VLANs?
    We have a Catalyst 3850 Stack, connected to an ASA-X 5545 firewall via 8GB etherchannel.
    We have about 100 servers (some connected w/ bonding or mini-etherchannels), and 30 VLANs.
    We have several 10GB connections to servers.
    We push large, (up to) TB sized files from VLAN to VLAN, mostly using scp.
    No ip phones, no POE.
    Inter-VLAN connectivity/throughput and security are priorities.
    Originally, we planned to use the ASA to filter connections between VLANs, and VACLs or PACLs on the switch stack to filter connections between hosts w/in the same VLAN.
    Thank you.

    If all of your servers are going to the 3850 then I'd say you've got the wrong switch model to do DC job.  If you don't configure QoS properly, then your servers will start dropping packets because Catalyst switches have very, very shallow memory buffers.  These memory buffers get swamped when servers do non-stop traffic. 
    Ideally, Cisco recommends the Nexus solution to connect servers to.  One of the guys here, Joseph, regularly recommends the Catalyst 4500-X as a suitable (and financial) alternative to the more expensive Nexus range.
    In a DC environment, if you have a lot of VM stuff, then stick with Layer 2.  V-Motion and Layer 3 don't go hand-in-hand.

  • Design question: Scheduling a Variable-timeslot Resource

    I originally posted this in general java programming, because this seemed like a more high-level design discussion. But now I see some class design questions. Please excuse me if this thread does not belong here (this is my first time using the forum, save answering a couple questions).
    Forum,
    I am having trouble determining a data structure and applicable algorithm (actually, even more general than the data structure -- the general design to use) for holding a modifiable (but more heavily read/queried than updated), variable-timeslot schedule for a given resource. Here's the situation:
    Let's, for explanation purposes, say we're scheduling a school. The school has many resources. A resource is anything that can be reserved for a given event: classroom, gym, basketball, teacher, janitor, etc.
    Ok, so maybe the school deal isn't the best example. Let's assume, for the sake of explanation, that classes can be any amount of time in length: 50 minutes, 127 minutes, 4 hours, 3 seconds, etc.
    Now, the school has a base operation schedule, e.g. they're open from 8am to 5pm MTWRF and 10am to 2pm on saturday and sunday. Events in the school can only occur during these times, obviously.
    Then, each resource has its own base operation schedule, e.g. the gym is open from noon to 5pm MTWRF and noon to 2pm on sat. and sun. The default base operation schedule for any resource is the school which "owns" the resource.
    But then there are exceptions to the base operation schedule. The school (and therefore all its resources) are closed on holidays. The gym is closed on the third friday of every month for maintenance, or something like that. There are also exceptions to the available schedule due to reservations. I've implemented reservations as exceptions with a different status code to simplify things a little bit: because the basic idea is that an exception is either an addition to or removal from the scheduleable times of that resource. Each exception (reservation, closed for maintenance, etc) can be an (effectively) unrestricted amount of time.
    Ok, enough set up. Somehow I need to be able to "flatten" all this information into a schedule that I can display to the user, query against, and update.
    The issue is complicated more by recurring events, but I think I have that handled already and can make a recurring event be transparent from the application point of view. I just need to figure out how to represent this.
    This is my current idea, and I don't like it at all:
    A TimeSlot object, holding a beginning date and ending date. A data structure that holds list of TimeSlot objects in order by date. I'd probably also hold an index of some sort that maps some constant span of time to a general area in the data structure where times around there can be found, so I avoid O(n) time searching for a given time to find whether or not it is open.
    I don't like this idea, because it requires me to call getBeginningDate() and getEndDate() for every single time slot I search.
    Anyone have any ideas?

    If I am correct, your requirement is to display a schedule, showing the occupancy of a resource (open/closed/used/free and other kind of information) on a time line.
    I do not say that your design is incorrect. What I state below is strictly my views and should be treated that way.
    I would not go by time-slot, instead, I would go by resource, for instance the gym, the class rooms (identified accordingly), the swimming pool etc. are all resources. Therefore (for the requirements you have specified), I would create a class, lets say "Resource" to represent all the resources. I would recommend two attributes at this stage ("name" & "identifier").
    The primary attribute of interest in this case would be a date (starting at 00:00hrs and ending at 24:00hrs.), a span of 24hrs broken to the smallest unit of a minute (seconds really are not very practical here).
    I would next encapsulate the availability factor, which represents the concept of availability in a class, for instance "AvailabilityStatus". The recommended attributes would be "date" and "status".
    You have mentioned different status, for instance, available, booked, closed, under-maintenance etc. Each of these is a category. Let us say, numbered from 0 to n (where n<128).
    The "date" attribute could be a java.util.Date object, representing a date. The "status", is byte array of 1440 elements (one element for each minute of the day). Each element of the byte array is populated by the number designation of the status (i.e, 0,1,2...n etc.), where the numbers represent the status of the minute.
    The "Resource" class would carry an attribute of "resourceStatus", an ordered vector of "ResourceStatus" objects.
    The object (all the objects) could be populated manually at any time, or the entire process could be automated (that is a separate area).
    The problem of representation is over. You could add any number of resources as well as any number of status categories.
    This is a simple solution, I do not address the issues of querying this information and rendering the actual schedule, which I believe is straight forward enough.
    It is recognized that there are scope for optimizations/design rationalization here, however, this is a simple and effective enough solution.
    regards

  • LDAP design question for multiple sites

    LDAP design question for multiple sites
    I'm planning to implement the Sun Java System Directory Server 5.2 2005Q1 for replacing the NIS.
    Currently we have 3 sites with different NIS domains.
    Since the NFS over the WAN connection is very unreliable, I would like to implement as follows:
    1. 3 LDAP servers + replica for each sites.
    2. Single username and password for every end user cross those 3 sites.
    3. Different auto_master, auto_home and auto_local maps for three sites. So when user login to different site, the password is the same but the home directory is different (local).
    So the questions are
    1. Should I need to have 3 domains for LDAP?
    2. If yes for question 1, then how can I keep the username password sync for three domains? If no for question 1, then what is the DIT (Directory Infrastructure Tree) or directory structure I should use?
    3. How to make auto map work on LDAP as well as mount local home directory?
    I really appreciate that some LDAP experts can light me up on this project.

    Thanks for your information.
    My current environment has 3 sites with 3 different NIS domainname: SiteA: A.com, SiteB:B.A.com, SiteC:C.A.com (A.com is our company domainname).
    So every time I add a new user account I need to create it on three NIS domains separately. Also, the password is out of sync if user change the password on one site.
    I would like to migrate NIS to LDAP.
    I want to have single username and password for each user on 3 sites. However, the home directory is on local NFS filer.
    Say for userA, his home directory is /user/userA in passwd file/map. On location X, his home directory will mount FilerX:/vol/user/userA,
    On location Y, userA's home directory will mount FilerY:/vol/user/userA.
    So the mount drive is determined by auto_user map in NIS.
    In other words, there will be 3 different auto_user maps in 3 different LDAP servers.
    So userA login hostX in location X will mount home directory on local FilerX, and login hostY in location Y will mount home directory on local FilerY.
    But the username and password will be the same on three sites.
    That'd my goal.
    Some LDAP expert suggest me the MMR (Multiple-Master-Replication). But I still no quite sure how to do MMR.
    It would be appreciated if some LDAP guru can give me some guideline at start point.
    Best wishes

  • Security Setup not working

    Hi,
    As a part of security setup we have done the following things:
    - Users created and assigned as members of groups. One group is created per entity.
    - Groups have been provisioned for the application and given security class access
    - Security classes have been created and attached to metadata, e.g., all entities have had a Sec class attached in properties.
    - In application settings, Node Security = Entity, Security for Entities is Checked, Enable Metadata Sec Filtering is also checked.
    Even after this, the security setup doesn't seem to be working. A user with minimal provision (only Data Form Writeback from Excel) and no security class access is also able to see all the entities, and also other forms, grids, etc. which have had different security classes attached. He is able to edit the forms and grids.
    Can anyone help out as to what is it that we are missing?

    What role(s) do the users have? Any user with the Administrator role bypasses class access checking and is assumed to have full access to everything. No other role provides this bypass.
    Editing forms and grids has nothing to do with Entity security. If the forms and grids have no class assigned to them, they use the [Default] class which I suggest all users have All rights to anyway. If there are grids/forms you do not want users to change, you should assign a specific class to them, other than [Default].
    Enable Metadata security filtering should restrict users from seeing the members to which they have None access, but as long as they have Read or All access, they will see the members in a pick list.
    --Chris

  • Design question for database connection in multithreaded socket-server

    Dear community,
    I am programming a multithreaded socket server. The server creates a new thread for each connection.
    The threads and several objects which are instantiated by each thread have to access database connectivity. Therefore I implemented a factory class which administers database connections in a pool. At this point I have a design question.
    How should I access the connections from the threads? There are two options:
    a) Should I implement in my server class a new method like "getDatabaseConnection" which calls the factory class and returns a pooled connection to the database? In this case each object has to know the server object and has to call this method in order to get a database connection. That could become very complex as I have to save an instance of the server object in each object ...
    b) Should I develop a static method in my factory class so that each thread could get a database connection by calling the static method of the factory?
    Thank you very much for your answer!
    Kind regards,
    Dak

    > So your suggestion is to use a static method from a central class. But those static methods are not really object oriented, are they?
    There's only one static method, and that's getInstance.
    > If I use singleton pattern, I only create one instance of the database pooling class in order to configure it (driver, access data to database and so on). The threads then use a static method of this class to get database connection?
    They use a static method to get the pool instance, getConnection is not static.
    Kaj
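The arrangement described in the reply above (a single static getInstance, with getConnection as an instance method), sketched as an added example that is not code from the thread or its participants. The class name ConnectionPool, the release method, the pool size and the FakeConnection stand-in for java.sql.Connection are all assumptions made so the block runs without a JDBC driver.

```java
import java.util.concurrent.ArrayBlockingQueue;
import java.util.concurrent.BlockingQueue;
import java.util.concurrent.TimeUnit;
// Hypothetical class; FakeConnection stands in for java.sql.Connection (no driver needed).
public final class ConnectionPool {
    static final class FakeConnection {
        final int id;
        FakeConnection(int id) { this.id = id; }
    }
    private static final int SIZE = 2;
    private final BlockingQueue<FakeConnection> idle = new ArrayBlockingQueue<>(SIZE);
    // Private constructor: driver and access data would be configured here, once.
    private ConnectionPool() {
        for (int i = 0; i < SIZE; i++) idle.add(new FakeConnection(i));
    }
    // Holder idiom: the JVM creates INSTANCE lazily and thread-safely on first use.
    private static final class Holder {
        static final ConnectionPool INSTANCE = new ConnectionPool();
    }

    public static ConnectionPool getInstance() { return Holder.INSTANCE; } // only static method

    // Instance method: waits up to timeoutMs when every connection is in use.
    public FakeConnection getConnection(long timeoutMs) throws InterruptedException {
        FakeConnection c = idle.poll(timeoutMs, TimeUnit.MILLISECONDS);
        if (c == null) throw new IllegalStateException("pool exhausted");
        return c;
    }
    public void release(FakeConnection c) { idle.offer(c); }

    public static void main(String[] args) throws InterruptedException {
        Runnable worker = () -> {
            try {
                ConnectionPool pool = ConnectionPool.getInstance(); // no server reference needed
                FakeConnection c = pool.getConnection(1000);
                try {
                    System.out.println(Thread.currentThread().getName() + " got connection " + c.id);
                } finally {
                    pool.release(c); // always hand the connection back
                }
            } catch (InterruptedException e) {
                Thread.currentThread().interrupt();
            }
        };
        Thread[] threads = new Thread[5];
        for (int i = 0; i < 5; i++) (threads[i] = new Thread(worker, "client-" + i)).start();
        for (Thread t : threads) t.join();
    }
}
```

Five client threads share two pooled objects here, so the bounded queue and the finally-block release are what keep a slow or failing handler from starving the other connections.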
