SNMP Support over VPNs—Context Based Access Control

Similar Messages

• ADF UIX Role Based Access Control Implementation

  Hi,
  Can anybody suggest a detailed example or tutorials of how to implement a role based access control for my ADF UIX application.
  The application users can be dymanically added to specific roles (admin, Secretary, Guest). Based on the roles, they should be allowed to access only certain links or ADF entity/view operations. Can this be implemented in a centralized way.
  Can this be done using JAZN or JAAS. If so, Please provide me references to simple tutorial on how to do this.
  Thanks a lot.
  Sathya

  Brenden,
  I think you are following a valid approach. The default security in J2EE and JAAS (JAZN) is to configure roles and users in either static files (jazn-data.xml) or the Oracle Internet Directory and then use either jazn admin APIs or the OID APIs to programmatically access users, groups and Permissions (your role_functions are Permissions in a JAAS context).
  If you modelled your security infrastructure in OID than the database, an administrator would be able to use the Delegated Administration Service (DAS), as web based console in Oracle Application Server. To configure security this way, you would have two options:
  1. Use J2EE declarative security and configure all you .do access points in web.xml and constrain it by a role name (which is a user group name in OID). The benefit of this approach is that you can get Struts actions working dirctly with it because Struts actions have a roles attribute.
  The disadvantage is that you can't dynamically create new roles because they have to be mapped in web.xml
  2. Use JAAS and check Permissions on individual URLs. This allows you to perform finer grained and flexible access control, but also requires changes to Struts. Unlike the approach of subclassing the DataActionForward class, I would subclass the Struts RequestProcessor and change the processRoles method to evaluate JAAS permissions.
  The disadvantage of this approach is that it requires coding that should be done carefully not to lock you in to your own implementation of Struts so that you couldn't easily upgrade to newer versions.
  1 - 2 have the benefit of that the policies can be used by all applications in an enterprise that use Oracle Application Server and e.g. SSO.
  Your approach - as said - is valid and I think many customers will look for the database first when looking at implementing security (so would I).
  Two links that you might be interested in to read are:
  http://sourceforge.net/projects/jguard/ --> an open source JAAS based security framework that stores the user, roles and permissions in database tables similar to your approach
  http://www.oracle.com/technology/products/jdev/collateral/papers/10g/adfstrutsj2eesec.pdf --> a whitepaper I've written about J2EE security for Web applications written with Struts and JavaServer pages. You may not be able to use all of it, but its a good source of information.
  Frank

• To run OHS at port 80 using solaris role based access control

  Hi.
  I already know & have done setuid root to ohs/bin/.apachectl to allow ohs to listen to port 80. Now on a new OFM 11.1.1.4 install, I want to use Solaris Role Based Access Control (RBAC) instead. Is it possible? RBAC does work as I can run a home built apache2 httpd at port 80 withOUT suid root.
  On Solaris 10, I enabled oracle uid to run process below port 1024 using RBAC
  /etc/user_attr:
  oracle::::type=normal;defaultpriv=basic,net_privaddr
  Change OHS httpd.conf Listen from port 8888 to port 80.
  However, opmnctl startproc process-type=OHS
  failed as below with nothing showing in the diag logs:
  opmnctl startproc: starting opmn managed processes...
  ================================================================================
  opmn id=truffle:6701
  0 of 1 processes started.
  ias-instance id=asinst_1
  ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
  ias-component/process-type/process-set:
  ohs1/OHS/OHS/
  Error
  --> Process (index=1,uid=187636255,pid=25563)
  failed to start a managed process after the maximum retry limit
  Thx,
  Ken

  Just to add my two cents here.
  The commando used on Solaris to assign the right privilege to bind TCP ports < 1024 is:
  # usermod -K defaultpriv=basic,*net_privaddr* <your_user_name>
  Restart the opmnctl daemond.
  After that OHS/Apache user can bind to lower TCP ports.
  Regards.
  Edited by: Tuelho on Oct 9, 2012 6:05 AM

• Role Based Access Control in Java

  Hi,
  we are designing a software solution that makes use of the Role Based Access Control pattern to control access of functions, EJBs, Servlets to certain users based on their "role".
  I have not been able to understand clearly how that pattern can be implemented in Java. In addition, I stumbled on the java.security.acl and I wondering how will the package work together with RBAC pattern (Or is the pattern already implemented in some package)?
  Does any1 have any comments on this? Thnx
  Dave

  Hi David,
  Permissions based on GUI components is a simple & neat idea. But is it rugged? Really secure? It might fall short of Grady Booch's idea of Responsibilities of objects. Also that your Roles and Access components are coupled well with Views!!!!!!!
  My suggestion regarding the Management Beans is only to do with the dynamic modification which our discussion was giong forward.
  If we go back to our fundamental objective of implementing a Role based access control,let me put some basic questions.
  We have taken the roles data from a static XML file during the start up of the container. The Roles or Access are wanted to be changed dynamically during the running of the container. You would scrutinize the changes of Roles and access before permission during the case of dynamic modification.
  Do you want this change to happen only for that particular session? Don't you want these changes to persist??? When the container is restarted, don't you want the changes to stay back?
  If the answer to the above is YES(yes I want to persist changes), how about doing a write operation(update role/access) of the XML file and continue your operation? After all, you can get the request to a web or session bean and keep going.
  If the answer to the above is NO(no, i don't want to persist), you can still get the change role request to a web or session bean and keep going.
  Either way, there is going to be an intense scrutiny of the operator before giving her permissions!!!
  One hurdle could be that how to get all neighbouring servers know about the changes in roles and access??? An MBean or App Server API could help you in this.
  May I request all who see this direction to pour in more comments/ideas ? I would like to hear from David, duffymo, komone and jschell.
  Rajesh

• Any best practice to apply role based access control?

  Hi,
  I am starting to apply the access permissions for new users as being set by admin. I am choosing Role Based Access Control for this task.
  Can you please share the best practices or any built-in feature in JSF to achieve my goal?
  Regards,
  Faysi

  Hi,
  The macro pattern is my work. I've received a lot of help from forums as this one and from the Java developers community in general and I am very happy to help others and share my work.
  Regarding the architect responsibility of defining the pages according to the roles that have access to them : there is the enterprise.software infrastructure.facade
  java package.
  Here I implemented the Facade GoF software design pattern in the GroupsAndRolesAccessFacade java class. Thus, this is the only class the developer uses in order to define groups and roles of users and to define their access as per page.
  This is according to Java EE 6 tutorial, section VII Security, page 471.
  A group, role or user is created with an Identity Management application or by a custom application.
  Pages of the application and their sections are defined or modified together with the group, role or user who has access to them.
  For this u can use the createActiveGroup and createActiveRole methods of the GroupsAndRolesAccessFacade class.
  I've been in situations where end users very strict about the functionality of the application.
  If you try to abstract web development, u can think of writing to database, reading from database and modifying the database as actions.
  Each of these actions should have suggester, approver and implementor.
  Thus u can't call the createActiveGroup method for example, without calling first the requestActiveGroupCreationHelper and then the approveOrDeclineActiveGroupCreationHelper method.
  After the pages a group has access to have been defined with the createActiveGroup method, a developer can find out the pages and their sections a group has access to by calling the getMinimumInformationAboutGroup method.
  Further more, if the application is very strict, that is if every action which envolves writing to the database must be recorded, this concept of suggester, approver and implementor is available throught the recordActiveGroupAction method.
  For example, there is a web shop, its managers can change the prices of the products, but the boss will want to know who had the dared to lower prices.
  This action of lowering prices, is an action of modifying the information in the database and u can save in the database who suggested it, who approved it and who implemented it.
  Now that I write about the functionality of the macro pattern, I realise that some methods should have more proper names and I haven't had time to write documentation in the API, but this will be a complete when I add the web pages for the architect to use for defining access control and for the end users to view who and what is doing with their application.

• Time-based access controls

  Hello all,
  Is there a time-based access control that can be configured for a 4.2 WCS+WiSM setup either in the WCS or controller? Or am I limited to the ACLs for my Wireless VLAN on the switch. Ultimately, I would like to be able to configure certain APs to accept/deny connections at specific times of the day. Any suggestions would be appreciated. Thank you in advance for your time and help.
  Charles

  Currently, IP and IPX extended access lists are the only functions that can use time ranges. The time range allows the network administrator to define when the permit or deny statements in the access list are in effect. Prior to this feature, access list statements were always in effect once they were applied. Both named or numbered access lists can reference a time range.
  For the further description following URL for the Time-Based Access Lists will help you.
  http://www.cisco.com/en/US/docs/ios/12_0t/12_0t1/feature/guide/timerang.html#wp10236
  I hope it may help you.

• How can I set the time in Time-based Access control ??

  I live in Denmark, where we use the 24 hour system.
  So I want to set the time-based access control to from 7.00 in the morning to 2.00 at night, but every time the Timecapsule says wrong time format, I can use the night time 23.59, but thats not late enough.

  Set two controls.. 7 to 23.59 and 00.01 to 00.20
  This is common as the control cannot handle times longer than 1day.

• Role Based Access Control and FIM

  Hi,
  Would these statements about RBAC and FIM (not BHOLD) be true:
  RBAC in FIM Sync is essentially governed by the built-in FIM Groups (e.g. FIMSyncAdmins, etc)
  RBAC in FIM Portal is essentially governed by FIM Portal Sets & MPRs
  Thanks,
  SK
  PS. not looking at BHOLD above, just FIM

  This can be true in a narrow sense. If we are just thinking of access to FIM and not on the managed organizational resources.
  FIM Synch:-
  Through FIM Synch groups, we are just controlling the access to FIM Synch service. We are not separating access based on roles(say organizational role).
  For FIM Portal, again it can be true if we are thinking of access to FIM Portal only and not the managed organizational resources.
  Thanks,
  Mann

• RBAC (Roles Based Access Control) "Broken" in WCS

  In my opinion, RBAC in WCS is broken. They have taken a good concept and implemented it wrong. The way it is currently working is as follows. Roles are defined in WCS. In ACS (or whatever Radius server you want to use), you have to first set up a new "Service" in the TACACS "Interface" configuration called "Wireless-WCS". All this is good. In WCS you then have to go to the "role" or Group that you want, click on task list and it will give you both a TACACs and Radius output that you have to take and then paste into the "Wireless-WCS" custom attribute box in ACS. An example for "SuperUser" role would be a list like below, note the real list is 48 different "tasks", I shortened it here.
  role0=SuperUsers
  task0=Users and Groups
  task46=Auto Provisioning
  task47=Voice Audit Report
  Here is the problem. Why, if you have the role defined in WCS, do you have to repeat its definition in ACS? Why can't you simply pass the first line ("role0=SuperUsers") and have it use the defined role in WCS? This just seems silly. They changed the role of the "SuperUser" in the new 5.0 code too, which means if you assigned these at the user level, you would have to potentially go update a ton of User accounts in ACS so people would have access to their appropriate roles.
  The last time I complained I was told that the reason for it was "The reason it had to be done that way is b/c WCS is not IOS based and the code dictates that it must be done that way.". Seems like a silly reason for not doing things in a good way...
  Just letting everyone know so they can complain when they come across it. Maybe with enough complaints they'll fix it.. 8-)

  Hi,
  I believe all your questions are answered in "System Administrator's Guide - Security" manual.
  Applications Releases 11i and 12
  http://www.oracle.com/technology/documentation/applications.html
  You may also review this document.
  Note: 753979.1 - E-Business Suite Diagnostics RBAC Basics
  https://metalink2.oracle.com/metalink/plsql/ml2_documents.showDocument?p_database_id=NOT&p_id=753979.1
  Regards,
  Hussein

• SCCM 2012 R2 Role Based Access Control Weird Issue

  Thank you in advance. I have 3 security groups added for remote control operators role. Users within all three groups are available and imported in to the SCCM users collection and verified. users in 1 group works fine without any issue. But users in the
  other 2 groups having trouble where when they try to connect SCCM console using their computers, it fails. Even i tried adding the user directly assigning full administrator role. But still it fails.
  It is weird because it kind of loads the SCCM console administration tab and suddenly shows the error message. the error is a generic error saying verify below things. Any advice would be appreciated.

  To clarify, you have three Active Directory groups, all of which are assigned the remote control operators role in ConfigMgr?
  If they are only remote control operators, what are they using in the administration workspace?
  What does the SmsAdminUI.log show on one of the PCs? Based on what you describe, it is unclear whether this is an RBAC issue or not.
  Jeff

• Setting a time based access control

  My teenage kids stay up too late, connected to our Tima Machine. I would like to set a timer so that the link is switched off at a certain hour. Can anyone please help me set that?

  Are they logging on using a Mac?
  If so, can't you just set up a new user account for them (not the same one that you, the administrator, uses and NOT an account with administrator rights) and then enable the parental controls and limit the logon time to the Mac?
  system preferences > users and groups
  click the padlock to make changes (assuming you have an administrator password for the main account - if not, set one)
  enter your administrator password
  create your user - make sure the account you create is NOT an administrator account (make sure the "allow user to administer this computer" option is not checked)
  make sure the "enable parental controls" option is ticked
  click "open parental controls"
  click "time limits" on the top
  do what you want to do (it is extremely flexible!)
  click the lock to prevent further changes
  That's it.
  You can also use the tabs on the top to limit access to apps, websites, messaging, DVD burning etc etc. for whatever person is logged on as that user.
  If they want to see how much time they have remaining, they can just click the menu bar clock (where the time is displayed) and a menu and readout will appear which says e.g. "Parental Controls: Time Remaining 1:05" or whatever is left.
  If you set logon limits between, say 6:00 PM and 9:00 PM on weeknights, and they try and logon outside those parameters, a little message box will pop up which can be used to grant extra time - but it will require the administrator's password to authorise the extension.
  As it gets to 9:00 PM they'll get a message telling them their time is almost up - with an option to grant more time.  Again, the administrator's password is required to authorise the extension.
  Dealing with the tantrum is your problem ;-)
  Works with Mountain Lion OS X 10.8.2
  Note - that will limit the computer use altogether for that user account so if that user is connected via a Mac to Time Machine it'll work.
  If they are not logging on through a Mac (e.g. they are using an iPad to connect to Time Machine) then I'm not sure - sorry.
  I'm also not sure if you can limit Time Machine to times of the day - I think you can only do it by limiting the individual users - but would love to be proved wrong!
  Good luck!
  Hope that helps.

• Prime Collaboration Role-based Access Control Issue

  Hello Support Community,
  we are using the Cisco Prime Collaboration Provisioning and would like to configure a user that would act as an admin for one of our domains.
  This user would be able to add, remove, change, etc. all the objects that are located in one remote office. So he should not be able to see the users, phones and so on, from all other offices.
  The issue is that we can not select the domain that should be assigned to him. When we select a user that should be configured as an administrator for the office, go to Manage Authorization Roles, under Roles for Domain there is only "Apply to all domains". We cant select one of the two domains that are currently configured.
  I've tried with different browsers, tried checking the boxes to see if one of those would trigger the change and let us select the domain but so far I had no luck.
  The cluster consists of 7 CUCMs on version 9.1.2.12900-11 (and 2x CUC, 2x IM&P, etc.) and the Prime Collaboration Provisioning is on version 10.5.1.320 (License Type Advanced).
  Thanks in advance!
  Ivan

  Hello Anthony,
  first of all, thank you for taking the time to answer and analyze!
  Your questions:
  "One sure way to check this is to look on the banner and there should be a check mark next to the word Advanced" -  in the top right Corner of the banner I can see a green check mark next to Advanced 
  "The Delegation feature should be set to 2, and not 0 or 1." - the Delegation Feature has the following Status - "Available : 1 | Used : 0 | Expiry : permanent". Does the value has to be "2" under Available ? Because in the Moment we are not using any (Used : 0).
  "I will assume the two Domain groups are already configured and have some users in them." - that is correct. Both Domains are already configured and we have multiple users in both of them. Domains are configured with appropriate Call Processors, Message Processors, LDAP Sync, Service Areas, User Roles and Service Templates.
  I have tested what you proposed in the last part. Selected one of the Users through Deploy > User Provisioning. Opened his User Records page (where we can see all the Services, etc.) > Manage Authorization Rules. In the Roles for Domain field it just says "Apply to all domains", I does not Display any other value when I click on the Dropdown button.
  Kind regards,
  Ivan

• Configuring ACS 5.4 to authenticate Role Based Access Control (RBAC) users on a Nexus 5000 via TACACS+

  There is a great document on the site for configuring ACS 5.X to authenticate voa TACACS+ but with 5.4 - there is possibly an extra step required.
  https://supportforums.cisco.com/docs/DOC-14273
  In 5.4 where you map the Shell Profile to the Authorization Policy – you are now required to specify a Command Set undert eh Shell Profile, whihch 5.2 didnt have. Trying to accomplish using the default san-admin role in NX-OS.

  I think the command set does not matter.
  Because the Nexus takes only the role and does not use per-command authorization (AFAIK), then it will take the role from the shell profile but selecting the command set does not matter because it does not use per command authorization.
  I used command sets with CRS-1 and they had no effect. Only the shell profile configuration matters.
  What is the situation at your end? do things work fine with/without selecting the command set? or putting empty command set in place?
  Rating useful replies is more useful than saying "Thank you"

• Role based access control

  Hello ,
   Is there a RBAC in Windows 2012 R2?

  My client has a specific requirement like 
  Schema Management
  Management of the Schema
  Forest Configuration Operator
  Management of Functional Levels, domains, trusts, Operations Master roles
  Domain Operator
  DC Installation, Management of FSMO, OU
  Domain Controller Administrator
  Installing Software, Service Packs and hotfixes, Managing Sysvol, Starting up and stopping DCs.
  Security Policy Management
  Management of GPOs
  Service Admin Management
  Management of Service Management Role Membership
  DNS Management
  Installing DNS on DCs, configuring root hints, configuring and maintaining zones
  Replication Management
  Configuration of Replication Topology
  Replication Monitoring
  Monitoring of Replication Status and Performance
  Backup Operator
  Backup and Restore AD
  I wonder if there is such a customization possible in win 2012 !

• Role based access controle

  We tried to apply new roles definition to AP module.
  For example, we defined a role which allowed to see the suppliers created by the owner.
  It seems that the role definition have any effects on AP module.
  We successfuly created roles undo FND and CES.
  1- Is it true to say that the role feature does not cover all EBS module?
  2- On which modules the role have an effect?
  Regards
  JC

  I do not believe Oracle publishes which modules are (or are not) RBAC aware - for the modules that your are using or are interested in, you will have to read thru the Implementation and User Guides to see if the modules use RBAC.
  HTH
  Srini