User management and Access Control in HCM Cloud

Hello,
Information is scarce about user management and access control in Oracle Cloud generally. Today, I have two questions:
- How can I bridge the HCM Cloud user store with my on-premise IDM or security repository in order to allow identity governance to flow to the HCM Cloud service?
The only information I got was that you can declare users manually or by bulk import through files. This is not really interesting, as I have an automatic IDM with workflows and identity control on provisioning and de-provisioning.
Is there an SPML or proprietary endpoint to do it automatically? What are the prerequisites? Do I have to implement OIM on my side?
- Once my users are created, how can I do web SSO from my internal security repositories to the HCM Cloud service?
I do not want to distribute a new set of logins/passwords to my users. Is it possible to do identity federation (SAML 2.0 or WS-Fed) with the HCM Cloud service? What are the prerequisites? Do I have to implement OAM on my side?
I would welcome any information you can give me on this topic to help me understand the functionalities, limits and options offered by Oracle Cloud and more precisely by the HCM Cloud service.
Best regards,

OIDDAS has limited capability of access control and information hiding. Presently, the permissions and privileges can be set at a realm level, and fine grained access control / information hiding cannot be done.
At present, the only way to restrict view and access control is by applying ACLs (which is not the safest bet).

Similar Messages

  • Difference between Identity Manager and Access Manager

    hi,
    Can anybody tell me the difference between Identity Manager and Access Manager?
    thanks in advance
    regards
    dhawanmayur

    Access Manager is for access control (web authentication, authorization), Identity Manager is for identity (userid,profile,role, password etc) provision/management across multi resources (such as unix, active directory, peoplesoft, SAP) etc.

  • ATI Catalyst Install Manager and catalyst Control Center Help

    I just ran the Windows 7 Upgrade Advisor report and it said that I should uninstall the ATI Catalyst Install Manager and Catalyst Control Center, then reinstall them after the upgrade.
    Could someone direct me to where I might find these programs for Windows 7?

    You must not do this. Just continue upgrade installation.
    On my Satellite I got the same message but I have simply continued with upgrade.
    At the end everything went fine.

  • Issue in User Management and Permissions

    Hi,
    There is an issue found while working on user management and security. When an asset is uploaded to the DAM, even with create and modify permission it is not possible to edit it.
    While analyzing, it was found to be due to the following reasons.
    When “MODIFY” permission is given to the root folder, it is not applied to all the assets in that folder and sub-folders.
    We have to provide “MODIFY” permission for each asset; in this case it won’t apply to newly added assets.
    When “DELETE” permission is given to the root folder, “MODIFY” permission is applied automatically to all the assets in that folder and sub-folders.
    But “myRole” should only modify the asset, not delete it.
    Is it CQ functionality or an issue?
    Note: Using CQ 5.5 version
    Regards,
    Fazz

    In CQ5.4 "MODIFY" permission at folder level is enough for modifying the assets under that folder. But in CQ5.5 "MODIFY" permission is necessary for every asset for editing.
    Regards,
    Fazz

  • Inside Identity and Access Control products

    Hello,
    For the past few months I have been working on a blog which can help in understanding what goes on under the hood of identity and access control products. Please have a look at it and let me know how to improve the contents.
    http://identitycontrol.blogspot.com

    Latest Topics
    1) Video of Federated Access Control
    2) RSA Conference 2007

  • Inside identity and access control products : blog

    Friends,
    Visit my blog http://identitycontrol.blogspot.com to get the inside working of the identity and access control products. My effort here is to explain the insides in simple language.
    The latest topic I added is "SAML in action".
    Please post your comments also so I can improve the contents.
    Thanks

    Thanks a lot idmguru!!
    your efforts are simply awesome..
    -Yash Bansal

  • Query user roles and access

    hi,
    How can I query user roles and access in the whole database? I want to list username, status, rights, and role.
    thanks
    P

    Hi,
    The data dictionary view dba_users has one row per user.
    The data dictionary view dba_role_privs has one row for every distinct combination of user and role that actually occurs in your database.
    Are you interested in system privileges? See dba_sys_privs.
    Are you interested in individual grants, like the privilege to UPDATE a given table, or the privilege to execute a given stored procedure? See dba_tab_privs. (Don't be fooled by the name; it's not just for tables.)
    I hope this answers your question.
    If not, post some CREATE statements that create tables, roles, and whatever else you want, and some GRANT statements that grant privileges on those objects. Post the results that you would want to get from those objects and grants.

  • Inside of idm and access control products

    Hello Friends,
    For the past few months I have been working on a blog where I shared my past experiences with the IAM products, new technologies and problems faced in the products at a conceptual level. I thought of sharing that with an experienced team of technocrats like you. Please have a look at this and let me know how I can improve it.
    blog URL --> http://identitycontrol.blogspot.com/
    Thanks
    idmguru

  • Error while Authenticating sharepoint site with Azure AD users using Azure Access Control Namespace

    I have a SharePoint site running on an Azure virtual machine. Now I want to authenticate my SharePoint site with Azure AD users.
    For this I have followed the link below, but I am getting an error after login.
    Using Microsoft Azure Active Directory for SharePoint 2013 authentication
    I have implemented it as given on the reference link, but am still facing the error. When I access my URL from the browser, it asks me which provider I want to log on with.
    Then on selection of the ACS provider, it redirects me to the Office 365 login. After I submit my credentials, it redirects me to
    https://testvm.cloudapp.net/_trust/
    and I get an error. So I checked the SharePoint log and found the error below.
    Cannot find site lookup info for request Uri urn:sharepoint:spvms.
    SPAudienceValidator: Audience uri 'urn:sharepoint:spvms is not valid for the context.
    Getting Error Message for Exception Microsoft.IdentityModel.Tokens.FailedAuthenticationException: The Audience URI could not be validated.
    SPSaml11SecurityTokenHandler: Audience validation failed for request 'https://testvm.cloudapp.net/_trust/' with
    the following audience URIs: 'urn:sharepoint:spvms', .
    Application error when access /_trust/, Error=The Audience URI could not be validated.
    at Microsoft.SharePoint.IdentityModel.SPSaml11SecurityTokenHandler.ValidateConditions(SamlConditions conditions, Boolean enforceAudienceRestriction)
    at Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.ValidateToken(SecurityToken token)
    at Microsoft.IdentityModel.Tokens.SecurityTokenHandlerCollection.ValidateToken(SecurityToken token)
    at Microsoft.IdentityModel.Web.TokenReceiver.AuthenticateToken(SecurityToken token, Boolean ensureBearerToken, String endpointUri)
    at Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.SignInWithResponseMessage(HttpRequest request)
    at Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args)
    at Microsoft.SharePoint.IdentityModel.SPFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs eventArgs)
    at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
    at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
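The audience check that fails in the log above, as an added Python example (not SharePoint's, WIF's or ACS's code): it reads the AudienceRestrictionCondition of a constructed SAML 1.1 assertion and accepts it only when one audience exactly matches a configured relying-party realm, which is why the realm of the trusted identity token issuer must match what the issuer puts in the token. The assertion text, issuer URL and realm values are constructed for the example.

```python
# Added example, not product code: the audience check a SAML 1.1 relying
# party performs, applied to constructed assertions. An assertion passes only
# when one of its <saml:Audience> values matches a configured realm exactly;
# there is no case folding or trailing-slash trimming.
import xml.etree.ElementTree as ET

SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"

# Constructed sample: what an issuer such as ACS produces for the relying-party
# realm urn:sharepoint:spvms. Signature and subject are omitted; they play no
# part in the audience check.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML1_NS}"
    AssertionID="_constructed-0001" MajorVersion="1" MinorVersion="1"
    Issuer="https://idp.example.invalid/">
  <saml:Conditions NotBefore="2024-01-01T00:00:00Z"
                   NotOnOrAfter="2024-01-01T01:00:00Z">
    <saml:AudienceRestrictionCondition>
      <saml:Audience>urn:sharepoint:spvms</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
</saml:Assertion>"""

# Constructed sample carrying no audience restriction at all.
NO_AUDIENCE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML1_NS}"
    AssertionID="_constructed-0002" MajorVersion="1" MinorVersion="1"
    Issuer="https://idp.example.invalid/">
  <saml:Conditions/>
</saml:Assertion>"""


def extract_audiences(assertion_xml):
    """Return the Audience URIs listed under Conditions, in document order."""
    # For assertions received from the network, parse with defusedxml instead.
    root = ET.fromstring(assertion_xml)
    path = "{%s}Conditions/{%s}AudienceRestrictionCondition/{%s}Audience" % (
        SAML1_NS, SAML1_NS, SAML1_NS)
    return [a.text.strip() for a in root.findall(path) if a.text]


def validate_audience(assertion_xml, allowed_realms, enforce=True):
    """Return (accepted, reason).

    allowed_realms: realms the relying party was configured with (for
    SharePoint, the realm of the trusted identity token issuer).
    enforce: whether an assertion with no audience restriction is rejected;
    relying parties enforce this by default.
    """
    audiences = extract_audiences(assertion_xml)
    if not audiences:
        if enforce:
            return False, "assertion has no AudienceRestrictionCondition"
        return True, "no audience restriction; accepted with enforcement off"
    allowed = set(allowed_realms)
    matches = [a for a in audiences if a in allowed]
    if matches:
        return True, "audience %r matches a configured realm" % matches[0]
    return False, ("audience URIs %r not valid for the context; configured "
                   "realms: %r" % (audiences, sorted(allowed)))


if __name__ == "__main__":
    # Issuer and relying party agree on the realm: accepted.
    print(validate_audience(SAMPLE_ASSERTION, ["urn:sharepoint:spvms"]))
    # Relying party configured with a realm that differs by one character:
    # rejected with the same kind of message the SharePoint log shows.
    print(validate_audience(SAMPLE_ASSERTION, ["urn:sharepoint:spvms/"]))
```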

    I want 100,000 external users to have access to my SharePoint online Site collection.
    I was thinking of going the Azure AD route, where external users will have their IDs created in Azure AD cloud.
    Trying to figure how I can integrate Azure AD cloud with my SharePoint Online Site collection.
    Currently my site collection is tied to On-premise AD.
    Is there a way to integrate the SharePoint online to use both Azure AD and On-premise AD?
    Thanks
    Nate
    Any Answer here?

  • Error in User Management and Assigning Role

    Hi,
    I have configured LDAP authentication on the LiveCycle server. I get the user list from LDAP in my admin console under User Management - Users & Groups. But as soon as I click on any of the LDAP usernames I get an error telling me to contact the administrator. The same also happens when I check the checkbox in front of the username and try to assign a role.
    My LiveCycle server is on WAS 6.1. I also have a server set up locally where I have configured the same LDAP, and there I am able to access users and assign roles. Is there any problem with WAS 6.1?
    I checked the logs and got the following exception in the server logs.
    [10/24/08 10:57:58:467 EDT] 00000039 IDPLoggedExce W com.adobe.idp.common.errors.Logger$LogConsumer run UserM:GENERIC_WARNING: [Thread Hashcode: 1028668752] | [com.adobe.idp.um.businesslogic.directoryservices.DirectoryServicesManagerBean] errorCode:8193 errorCodeHEX:0x2001 message:getPrincipal public chainedException:java.lang.NullPointerExceptionchainedExceptionMessage:null chainedException trace:java.lang.NullPointerException
    at com.adobe.idp.um.businesslogic.directoryservices.DirectoryServicesManagerBean.getCacheKeys(DirectoryServicesManagerBean.java:1583)
    at com.adobe.idp.um.businesslogic.directoryservices.DirectoryServicesManagerBean.findPrincipal(DirectoryServicesManagerBean.java:1608)
    at com.adobe.idp.um.businesslogic.directoryservices.EJSLocalStatelessDirectoryServicesManagerBean_0dbf3d20.findPrincipal(Unknown Source)
    at com.adobe.idp.um.api.impl.DirectoryManagerImpl.findPrincipal(DirectoryManagerImpl.java:138)
    at com.adobe.idp.um.ui.user.CreateNewUserAction.doExecute(CreateNewUserAction.java:139)
    at com.cc.framework.adapter.struts.ActionUtil.execute(Unknown Source)
    at com.cc.framework.adapter.struts.FWAction.execute(Unknown Source)
    at com.cc.framework.adapter.struts.FWAction.execute(Unknown Source)
    at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:431)
    at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:236)
    at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1196)
    at org.apache.struts.action.ActionServlet.doGet(ActionServlet.java:414)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:743)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:856)
    at com.ibm.ws.webcontainer.servlet.ServletWrapper.service(ServletWrapper.java:1075)
    at com.ibm.ws.webcontainer.servlet.ServletWrapper.service(ServletWrapper.java:1016)
    at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:145)
    at com.adobe.framework.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:173)
    at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:190)
    at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:130)
    at com.adobe.idp.um.auth.filter.AuthenticationFilter.doFilter(AuthenticationFilter.java:154)
    at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:190)
    at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:130)
    at com.adobe.idp.um.auth.filter.PortalSSOFilter.doFilter(PortalSSOFilter.java:113)
    at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:190)
    at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:130)
    at com.ibm.ws.webcontainer.filter.WebAppFilterChain._doFilter(WebAppFilterChain.java:87)
    at com.ibm.ws.webcontainer.filter.WebAppFilterManager.doFilter(WebAppFilterManager.java:771)
    at com.ibm.ws.webcontainer.filter.WebAppFilterManager.doFilter(WebAppFilterManager.java:679)
    at com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:546)
    at com.ibm.ws.wswebcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:478)
    at com.ibm.ws.webcontainer.servlet.CacheServletWrapper.handleRequest(CacheServletWrapper.java:90)
    at com.ibm.ws.web

    Hello, did anyone get anything about the above exception, or is there any other information needed? Please let me know.
    I still cannot find the solution for the above problem, and it stops me from configuring users on Adobe LiveCycle ES; we have purchased LiveCycle ES version 8.0.

  • War file and access control with WebLogic

    I am trying to put some access control on different files in my war-file, but just can't get it to work... It seems like all roles defined in weblogic.properties gives the user access to all files in the war. I just don't understand the connections between the security realm, the weblogicURL.policy file and the web.xml file... If I do not specify a weblogic.security.URLAclFile, no access control is done at all.
    This is what my weblogic.properties file looks like:
    weblogic.security.URLAclFile=e:\\weblogic\\weblogicURL.policy
    weblogic.password.koko=kokokoko
    weblogic.password.arnebelinda=arne1234
    weblogic.security.group.ppuseradmins=arnebelinda
    and my weblogicURL.policy:
    deny Principal weblogic.security.acl.GroupImpl "everyone" {
    Permission weblogic.security.acl.URLAcl "weblogic.url", "/admin/-";
    and finally, my web.xml-file:
    <!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN"
    "http://java.sun.com/j2ee/dtds/web-app_2_2.dtd">
    <web-app>
         <session-config>
              <session-timeout>30</session-timeout>
         </session-config>
         <welcome-file-list>
              <welcome-file>index.jsp</welcome-file>
         </welcome-file-list>
         <security-constraint>
              <web-resource-collection>
                   <web-resource-name>admin</web-resource-name>
                    <url-pattern>index.jsp</url-pattern>
               </web-resource-collection>
              <auth-constraint>
                   <role-name>ppuseradmins</role-name>
              </auth-constraint>
         </security-constraint>
         <login-config>
              <auth-method>BASIC</auth-method>
              <realm-name>WebLogic Server</realm-name>
         </login-config>
         <security-role>
              <role-name>ppuseradmins</role-name>
         </security-role>
    </web-app>
    It does not matter which user is part of the ppuseradmins group. The user koko is not a member, but is given access to my whole .war anyway (after submitting a correct username/password). Omitting the <realm-name> does not seem to work either; the default realm is not used, instead null is used.
    Does anybody have a clue? I would really appreciate it!
    I am using WebLogic 5.1 sp 9
    best regards,
    PJ

    In your policy file entry, you have specified "/admin/-".
    However, in the <security-constraint> element in web.xml, your <url-pattern> is not set to /admin.
    Could that be the problem?

  • Computer Lists and Access Control

    Hi
    I've got OS/X Server 10.4.6 setup to a be an OD master and have several linux boxes authenticating to it using kerberos.
    Currently, all OD users can login to all the linux boxes, but I'm trying to restrict access to some boxes to a group of users.
    I've tried creating a computer list and putting a linux server in this list, then adding entries to the 'access tab' but this doesn't seem to work.
    All users can still login to these 'access controlled' servers, in effect the list is ignored.
    Has anyone got this working or can shed some light on what I'm doing wrong ?
    Thanks,
      Mac OS X (10.4.6)  

    Hi, Tropic
    You must load the class into a jar file.
    Then you must sign the jar file by means of the jarsigner utility provided by the Java SDK.
    Here is a sample script to do it.
    javac SomeApplet.java
    jar cvf SomeJarFile.jar SomeApplet.class
    keytool -genkey -keystore SomeStoreFile -keyalg rsa -dname "CN=Maybe Your Name, OU=IT Dept., O=Company Name, L=Your Location, ST=Your State, C=Your Country" -alias YourAlias -validity 365 -keypass YourPassword -storepass storePasswd
    jarsigner -keystore SomeStoreFile -storepass storePasswd -keypass YourPassword -verbose SomeJarFile.jar YourAlias
    Regards,

  • EJB and access controll???

    Hi all,
    I have a question about access control via EJB.
    For example, I have a client application, and on start I will prompt the user for a user name and password. Now what do I do with this information, and how do I pass it to the EJB server? Or maybe some of you have a link to a tutorial as an answer? My EJB will access a database and I want to use the access control from the database.
    Thank you in advance.

    Hi Eshwa,
    thank you for your reply. I found a nice developer guide on the link that you gave me, but I still have a problem understanding the practical way to pass user information from the client application to the EJB server. Maybe you can give me a piece of code or a small example where 2 Strings (user name and password) are taken and sent to the EJB server to be authenticated, and then access is given to the resources that are accessible for this user (described in the deployment descriptor user - role).
    Anyway, thank you again.
    Best regards, Alexander Hincu.

  • 2-way SSL and access control using the client certificate

    Hi,
    I'd like to configure WLS 8.1 so that the server will use the client identity extracted from the client certificate to determine whether permissions should be granted. I am having some problems.
    Details: The client can be either a Web service or a web application. The steps for authentication and authorization should be:
    - The client sends a request to an Apache server (DMZ) which will then be forwarded to WLS.
    - The client's identity, common name from the X.509 certificate, is mapped to the "username" (using WLS default identity assertion provider).
    - Validate whether the client should be trusted (via the list in the trusted credentials)
    - Check whether the resource should be granted based on the "username".
    The on-line manual says
    "If the Web browser or Java client requests a WebLogic Server resource protected by a security policy, WebLogic Server requires that the Web browser or Java client have an identity."
    "The user corresponding to the Subject's Distinguished Name (SubjectDN) attribute in the client's digital certificate must be defined in the server's security realm; otherwise the client will not be allowed to access a protected WebLogic resource. For information on configuring users on the server, see Creating Users in Managing WebLogic Security."
    So the questions I have are:
    - If the client identity is certificate based, why should we configure users with the "user name" and "password"? How can we get around it?
    - Once I defined the security condition for my app to use "user name of the caller," a default username and password prompt automatically popped up.
    Apparently, the SSL mutual authentication configuration and the default authentication provider to use the X.509 type didn't take any effect.
    - Without defining the security policy for the application, the debugging messages show that
    getRoles(): input arguments: subject:0
    Entitlement - <Role:Annonymous with expr:Grp(everyone)>
    Any suggestions? Thanks.

    Hi,
    I am trying to use 2-way SSL from a web services client; here is my code:
    import java.io.FileInputStream;
    import java.net.URL;
    import org.apache.axis.AxisProperties;
    import weblogic.webservice.client.SSLAdapterFactory;
    import weblogic.webservice.client.WLSSLAdapter;
    // UNSLocator and UNSPort are the client stubs generated from the service WSDL.

    // SunFakeTrustSocketFactory accepts any server certificate; it is for testing only.
    AxisProperties.setProperty("org.apache.axis.components.net.SecureSocketFactory", "org.apache.axis.components.net.SunFakeTrustSocketFactory");
    SSLAdapterFactory factory = SSLAdapterFactory.getDefaultFactory();
    WLSSLAdapter adapter = (WLSSLAdapter) factory.getSSLAdapter();
    // clientCredentialFile stores, in PEM format, the client's public certificate,
    // all the CAs in its chain, and then the private key, all concatenated.
    FileInputStream clientCredentialFile = new FileInputStream("C:\\sslcert\\client-pub3.pem");
    // private key password
    String pwd = "password";
    adapter.loadLocalIdentity(clientCredentialFile, pwd.toCharArray());
    adapter.setVerbose(true);
    // keystore holding the certificates the client trusts for the server side
    adapter.setTrustedCertificatesFile("C:\\certificate\\server\\server.jks");
    adapter.setStrictCheckingDefault(false);
    factory.setDefaultAdapter(adapter);
    factory.setUseDefaultAdapter(true);
    boolean idAvailability = false;
    UNSLocator locator = new UNSLocator();
    URL portAddress = new URL("https://localhost:7002/smuSSWeb/UNSResponse.xml");
    UNSPort unsprt = locator.getUNSPort(portAddress);
    idAvailability = unsprt.isIDAvailable("Yulin125", "C");
    System.out.println("Got from method :" + idAvailability);
    After running this code I am getting the following exception:
    AxisFault
    faultCode: {http://schemas.xmlsoap.org/soap/envelope/}Server.userException
    faultSubcode:
    faultString: java.net.SocketException: Software caused connection abort: socket write error
    faultActor:
    faultNode:
    faultDetail:
    I am using .pem files (clientsigned, clientinter, clientroot, root-key) for client authentication, and server.jks as the keystore for my server authentication. Once I run this code, I am able to present the server certificate chain to the client, but I am not able to present the client certificate chain to the server.
    I have been stuck with this for quite some time.
    Some insight needed from the gurus.
