Setting global Negative permissions (restrictions)

The question: can a column's global permission be NO, instead of YES, and then overridden with explicit grants of permission?
Situation: If no security permissions are applied on a column, then every user can see that column. This means that for a column like 'Salary', access permissions must be explicitly denied for all users who aren't allowed to see that column.
Is there any way that you can think of to flip that behavior, to restrict access to a column globally, then explicitly PERMIT certain users to see it? That would make security maintenance much easier when users are members of multiple groups. For example, User A is a member of Groups G, H, and I. If there was a Group P that could see Payroll data, then we would only have to assign User A into Group P in order for him to see the Payroll information. All other users who are NOT members of Group P would not be able to see Payroll data.
My current method is to create a group containing everyone EXCEPT the Payroll department, and deny that group the permission to access Payroll columns. The big downside there is that if a new hire doesn't get assigned into that Group, then he/she can see the Payroll columns.
So can a column's default "permission to view" be set to NO, then overridden with explicit group or individual YES permissions?

I figured it out. I had forgotten that you can apply Permissions to specific columns or tables in the Presentation Layer. I simply marked the Payroll table as NO access for the "Everyone" group, then assigned "Yes" access for the Payroll group.
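The failure mode raised in the question and the fix described in the answer, modelled as an added Python sketch (not part of the original thread and not any product's code). The evaluation order, the `NonPayroll` group name and the sample directory are assumptions made for illustration.

```python
"""Added illustration: deny-list vs. default-deny column permissions.

Assumed evaluation order (products differ): a Yes/No set on one of the user's
specific groups overrides the "Everyone" setting; if specific groups disagree,
No wins; with no applicable setting the column is visible, as in the thread.
"""

EVERYONE = "Everyone"


def can_view(user_groups, rules):
    """rules maps a group name to True (Yes) or False (No) for one column."""
    specific = [rules[g] for g in user_groups if g in rules and g != EVERYONE]
    if specific:
        return all(specific)
    if EVERYONE in rules:
        return rules[EVERYONE]
    return True  # nothing set on the column: every user can see it


def unintended_viewers(directory, rules, intended_group):
    """Users who can see the column without belonging to intended_group."""
    return sorted(
        user for user, groups in directory.items()
        if can_view(groups, rules) and intended_group not in groups
    )


# Constructed sample directory. "P" is the Payroll group from the question;
# "NonPayroll" is a hypothetical name for the everyone-except-Payroll group.
DIRECTORY = {
    "user_a": {"G", "H", "I", "P"},
    "user_b": {"H", "NonPayroll"},
    "new_hire": set(),  # onboarding missed the group assignment
}

DENY_LIST = {"NonPayroll": False}            # the original workaround
DEFAULT_DENY = {EVERYONE: False, "P": True}  # the approach from the answer

if __name__ == "__main__":
    for name, rules in (("deny-list", DENY_LIST), ("default-deny", DEFAULT_DENY)):
        print(name, "->", unintended_viewers(DIRECTORY, rules, "P"))
```

Running `unintended_viewers` against an export of real group memberships is a quick audit for accounts that slipped through a deny-list configuration.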

Similar Messages

  • Advice about setting up permissions on Lion server for a small office.

    What is the common wisdom and advice about setting up permissions optimally for a small office using OS X Lion Server as a file server? I thought I had this solved by setting the ACL permissions so that all users and appropriate groups can read and write all files on the server. This works great until a new file is created. Then it appears that the POSIX umask kicks in and takes priority over the ACL permissions. I need to allow group write permissions on all new files. My options seem to be:
    Make everyone an admin - not great for obvious security reasons
    Change the umask for the whole machine - also security problems, though perhaps fewer than the everyone-an-admin route above
    Write a folder action applescript to add group write permission on all new files. This works fine if you have a static number of folders. With new folders it has the problem: How do new folders created by non-admin users get this folder action automatically applied to them - some cronjob to hunt down the new folders; an applescript folder action that adds a folder action to all new folders (sounds recursively complicated)?
    Have a cron job regularly do something like  `chmod -R 664` on all files.  This will break during those between the cracks times between when someone creates a new file and when the cronjob runs - not ideal.
    Seems like this should be easier which makes me think I'm missing something obvious.
    Any help greatly appreciated. Thank you in advance!

    Good-heart's advice is certainly your first step, but if you've already done that and still have the problem you've described, you might have the 10.7.3 ACL bug, particularly if your users and groups are in an OD or AD rather than being local accounts on the server. The problem is that ACL's for directory accounts are incorrectly ignored, resulting in POSIX permissions coming into play.
    I've described my workaround for this here;
    https://discussions.apple.com/message/18037703
    I haven't yet tried the other trick I've read about, which is to ensure your Share's data directories are at least one level down on the volume - there is a post here on the Communities that mentions this;
    https://discussions.apple.com/message/18028746
    I seem to remember that this helped with an earlier version of AFP, if using external firewire or usb storage.
    Let us know if you find a fix, it seems a number of people have problems with this.
    Regards,
    Ian

  • How to set default file permissions for applicatio...

    I have the Nokia N86 and was wondering if there was any way of setting the file permissions of a program via the phone. To put it in context, I downloaded a program that edits photos but every time I try to load a picture from my phone it asks me (for every single folder in my phone, not just the photo ones) if the program can open it. I can be there clicking yes all day as there are a lot of folders and subfolders on the phone. I know Sony Ericssons had an option where you could select the program's permissions to always ask or never ask but I can't seem to find a similar option on the Nokia.
    Does anyone have any ideas?

    Same issue here. Everything I put on the drive is set to Read-only for the group.

  • Setting SharePoint folder permissions

    Our school has just got SharePoint 2013, and I have been tasked with setting up a folder structure for the Teachers.
    What they want is a Department Folder in the Root, and inside the Department Folder the Facility  Folder, and inside that the Subject Folder, and lastly a private Teacher Folder for storing and preparing work.
    EG:
    Department/Science/Biology/MGreen
    Department/Languages/French/RSmith
    Department/Languages/Latin/TJones
    I have set up the directory structure already, my question is how do I make the Teacher Folder Private, so only they can view files inside?
    Many thanks

    Hi,
    According to your description, my understanding is that you want to make the Teacher Folder with unique permissions so that only the specific teacher has permissions to it.
    The following are the steps to set up unique permissions: 
    Navigate to the subfolder you want to configure with unique permissions.
    On that subfolder, select Manage Permissions from the drop-list under that subfolder.
    Under Permissions Tools, click: Stop Inheriting Permissions.
    A dialog box that says, "You are about to create unique permissions for this folder. Changes made to the parent folder will no longer affect this folder."  Click OK.
    Then delete all SharePoint security groups. After that, assign permissions to the specific teacher.
     Best Regards,
    Wendy
    Wendy Li
    TechNet Community Support

  • How to set global transactions for XA.

    Hello,
    I have configured 9i RAC active/active database into an active/passive.
    The users were not able to connect using XA drivers.
    I have run the xaview.sql script as sys in @O_H/rdbms/admin and granted select privs as below.
    grant select on v$xatrans$ to public;
    grant select on pending_trans$ to public;
    grant select on dba_2pc_pending to public;
    grant select on dba_pending_transactions to public;
    Still users are not able to connect to the databases using XA drivers.
    What is needed more to be set up on the database side?
    Can anyone let me know the detailed method to set global transactions (that is what I was told needs to be set up) on the oracle database.
    Thanks
    SKH

    Further to give more info the error users are facing is
    Could not connect to 'oracle.jdbc.xa.client.OracleXADataSource'.

  • Setting MS Access Permissions

    I have a MS Access 2013 web app hosted on the Microsoft Office Sharepoint 2013 site. I want the team members to be able to add/modify/delete only within the web forms. How do I set permissions so that other team members cannot delete or update the actual application and the application data outside of the web form? What permissions should I use? I tried to create a new group with custom permissions, for example group "XYZ". When I tried to add permissions to group "XYZ", I was not given a choice of using the custom permissions that I set up.
    Thank you in advance.

    Hi,
    According to your post, my understanding is that you wanted to set Microsoft Access Permissions.
    If you already created an app and now you've decided you want your app to have unique permissions from the site where you created it, see Set permissions for an Access app on Office.com.
    More information:
    Set permissions on an Access Web App
    Set permissions for an Access App - SharePoint 2013
    Best Regards,
    Linda Li
    TechNet Community Support

  • SQ01 (How to set Global Area as default)

    Hi All
    In SQ01, I find 2 environments in Query Areas - Global Area & Standard Area. Every time I execute SQ01 transaction, it takes me to Standard Area, then I have to change it to Global Area & then select the user group. I would like to know how I can set Global Area as default & also a particular user group, so that every time I run SQ01, it directly takes me to Global Area & the particular user group, so I can execute my query directly instead of having to change it each time.
    Hope my problem is clear, await inputs.
    Vivek

    Hello Vivek,
    You need to maintain some default parameters in your User master record.
    Parameter ID :
    AQB for User Group
    AQW for Query Area.
    Select the AQB from the drop-down and give your default user group in the parameter value.
    Regards,
    Naimesh Patel

  • Best way to set global environment variables?

    What is the best way to set global (i.e. for all users of the computer, ideally all shells as well) environment variables under Leopard?
    I know that they can be set via ~/.bashrc, ~/.profile or in my case ~/.zshrc files in the terminal on a per user basis.
    Also, they can be set for GUI apps as well via ~/.MacOSX/environment.plist on a per user basis.
    http://developer.apple.com/documentation/MacOSX/Conceptual/BPRuntimeConfig/Articles/EnvironmentVars.html
    The path can apparently be set globally by adding files to /etc/paths.d/*
    http://blog.plotdevice.org/2008/04/global-path-in-mac-os-x-leopard/
    Is there a way to set environment variables globally so that they are accessible to all users and all programs including nonstandard shells like zsh?
    My inclination is to set them in /etc/rc.common but that seems like it might be a bad idea. I'd prefer something more like the /etc/paths.d/* solution that only involves adding files, not modifying existing ones. They should be less likely to be overwritten in a system update later.

    They may be less likely to be overwritten than you fear. A lot of things depend on modifications to the system scripts like /etc/profile. Although I'd expect these to be broken by an upgrade to Leopard, for example, they have survived all Tiger upgrades on my machine. You could always have them source scripts in /usr/local, say, so that the work involved in reconfiguring them if they are overwritten is minimal. (Or you could just install your versions in /usr/local and make the system scripts symlinks to those versions - if anything is overwritten, it would be the symlink rather than the file itself. An automated start up script could even check and recreate the symlink if necessary.)
    - cfr

  • Any way to set global variables except EAS console?

    Hi pros,
    I am searching for a way to set global variables (used by business rules) automatically.
    I got several variables which should change each month. I know the rule to set them.
    However, I cannot find any way to set them through scripting or something else.
    I tried to research EAS repository. The one that I found relevant is HBRVariables table.
    I cannot find any tool can help this.
    Any one knows how?
    Appreciated......
    Casp Huang

    Yes you can use substitution variables in business rules and they are widely used, it is relatively easy to automate the changing of values for substitution values.
    You can also put a sub var into the default value for a global variable in business rules.
    Cheers
    John
    http://john-goodwin.blogspot.com/

  • Unable to set send-as permissions because of hundrets of duplicate permissions

    hello,
    we are unable to set send-as permissions to mailboxes where more than 10 users already have send-as permissions.
    when i use get-adpermission -identity "mailbox_abc" i get 4309 lines with permissions. But most are duplicates. every permission is set 31 times.
    when i remove a user there are 4278 lines, when i add a user there are 4309 lines.
    it seems that every account has between 1000 and 4000 permission lines
    when i use the GUI i only see 10 different permissions
    how can i fix it?
    thank you in advance boris

    my problem are the hundreds of duplicates
    this is the output
    Get-ADPermission -Identity "mailbox_abc" | ?{($_.ExtendedRights -like "*send-as*") -and -not ($_.User -like "nt authority\self")} | select identity,user
    Identity                                                          User
    sample.domain/MyBusiness/Users/SBSUsers/sample Mitglied           NT-AUTORITÄT\SELBST
    sample.domain/MyBusiness/Users/SBSUsers/sample Mitglied           SAMPLE\gka
    sample.domain/MyBusiness/Users/SBSUsers/sample Mitglied           SAMPLE\ma
    sample.domain/MyBusiness/Users/SBSUsers/sample Mitglied           SAMPLE\zr
    sample.domain/MyBusiness/Users/SBSUsers/sample Mitglied           SAMPLE\fh
    sample.domain/MyBusiness/Users/SBSUsers/sample Mitglied           SAMPLE\MT
    sample.domain/MyBusiness/Users/SBSUsers/sample Mitglied           NT-AUTORITÄT\SELBST
    sample.domain/MyBusiness/Users/SBSUsers/sample Mitglied           SAMPLE\gka
    sample.domain/MyBusiness/Users/SBSUsers/sample Mitglied           SAMPLE\ma
    sample.domain/MyBusiness/Users/SBSUsers/sample Mitglied           SAMPLE\zr
    sample.domain/MyBusiness/Users/SBSUsers/sample Mitglied           SAMPLE\fh
    sample.domain/MyBusiness/Users/SBSUsers/sample Mitglied           SAMPLE\MT
    sample.domain/MyBusiness/Users/SBSUsers/sample Mitglied           NT-AUTORITÄT\SELBST
    sample.domain/MyBusiness/Users/SBSUsers/sample Mitglied           SAMPLE\gka
    sample.domain/MyBusiness/Users/SBSUsers/sample Mitglied           SAMPLE\ma
    sample.domain/MyBusiness/Users/SBSUsers/sample Mitglied           SAMPLE\zr
    sample.domain/MyBusiness/Users/SBSUsers/sample Mitglied           SAMPLE\fh
    sample.domain/MyBusiness/Users/SBSUsers/sample Mitglied           SAMPLE\MT
    altogether 4300 duplicate lines but only 5 different accounts
    rg. borris

  • My Camera mode set to "Negative Filter" in iPhone 4 and updated to iOS 7.

    My iPhone's camera mode is set to Negative Filter, that is whenever I take a photograph it is displayed in the form of a negative rather than the usual image. I am using iPhone 4 and iOS 7. I am not able to figure out how to fix it.

    Hi, RameshMichaels. 
    Camera effects are only available on the iPhone 4s and later.  It sounds like Invert Colors is enabled in Accessibility.  This will usually cause the whole display to reflect an inverted color scheme.  Go to Settings > General > Accessibility and turn Invert Colors off.  Check to see if the camera functions as expected. 
    iOS: Configuring accessibility features
    http://support.apple.com/kb/HT5018
    Cheers,
    Jason H. 

  • Correct syntax to set "send as" permissions through Powershell

    Hello,
    A colleague of mine gave me a Powershell command to set "send as" permissions on a mailbox. His syntax is the following:
    Add-ADPermission -Identity UserBeingGrantedPermission -User UserWhoseMailboxIsBeingConfigured -ExtendedRights 'Send-As'
    In that example the user mentioned after "-User" is the one whose mailbox is being configured. Easy enough. Earlier Technet articles also use this syntax.
    However, I stumbled across the following article. Which clearly says:
    This example grants Send As permissions for Aaron Painter to Terry Adams's mailbox.
    Add-ADPermission -Identity "Terry Adams" -User AaronPainter -AccessRights ExtendedRight -ExtendedRights "Send As"
    In this example "-User" is not the one mailbox that is being configured but the person that gets the rights.
    So who is right? Technet or Technet?

    Hi Fr0ns,
    Your colleague mistook it a little bit, (and I don't think he can compete with the Technet library :)
    -User <is always someone who is given permissions to>. In the Technet example - AaronPainter gets the permission to Send As Terry Adams.
    You can check it yourself pretty easily - enable command logging and attempt to assign the permissions with GUI where you clearly know who gets what.
    ▲ Vote if Helpful / Mark if Answer
    MCSE: Messaging 2013 Charter / Private Cloud / Server Infrastructure
    MaximumExchange.ru

  • Set global roles

    Hi,
    Is there a way to set global roles through weblogic ant tasks or command line utilities ?
    I am using weblogic 8.1SP5
    Thanks,
    Manish
    Edited by manish25 at 02/02/2007 1:24 PM

    Hi,
    There are certain things you need to check
    1. Did you do user comparison?
    2. Did you check the SCUL log?
    SCUL  ->choose (error,unconfirmed & warning)  user / roles / profiles execute -> you will get list of users
    Priority of resolving would be the same order   1. Error (red) 2. Unconfirmed (Gray) and 3. Warnings.(Yellow).
    based on the error you can redistribute the idoc.
    Procedure :
    Select the user which you would like to re-distribute for a particular system -> it will display user  / roles / profile ->
    Let stay roles are Grayed -> highlight on the role -> click on F7 button or cross mark (Distribution). You will receive new window with selection of IDOC type. Select appropriate IDOC type -> choose roles -> continue.
    3. Text comparison
    To get a newly created role to a system quickly avoiding Text Comparison to all systems i.e from CUA. Instead you can do text comparison from child systems.
    Finally your SCUM settings are correct.
    Thanks,
    Sri

  • Is there any way to set global language as english for users  in portal

    Hi,
    Is there any way to set global language as english for all the users  in portal (for all the screens,applications etc) irrespective of browser settings,language in jco,user settings in backend .
    the reason why I am asking is we are implementing global implementation project and for some users in Switzerland because of their browser is not English they are getting language other than English. We don't want to ask each user to change their browser language. We just want to force the portal to display content only in English
    Thanks
    Bala Duvvuri

    Hi ,
    You can add property  'request.mandatorylanguage=<your_language>'
    and property  'request.mandatorycountry'
    on file 'prtDefault.properties' located in :
    ..server0\apps\sap.com\irj\servlet_jsp\irj\root\WEB-INF\portal\system\properties\prtDefault.properties
    Then restart the server.
    See :
    http://help.sap.com/saphelp_nw70/helpdata/EN/42/938297a5061d69e10000000a1553f6/frameset.htm
    Regards,
    Gilad

  • Setting CUIC user permissions for all reports at once

    Hi all,
    We are using CUIC 8.0(4) Standard Edition and trying to set CUIC user permissions, such as Read, Exec and Write, for reports.
    If we need to give access to all reports then we should set permissions for each report separately.
    Is there any way to set those permissions for all reports at once?
    We attempted to set Read, Exec and Write permissions for the Reports, Stock and UCCE folders but no luck.
    Thanks.
    Nikolay
