Users assigning in EPM System Security mode

Similar Messages

• EPM system security is not initialized properly

  Hi,
  We are in the process of installing 11.1.2.2 on Windows 2008 server.
  Step 1. we installed Foundation Service, Reporting and FM
  Step2. 1st did configuration of foundation service and Performance Management Architect
  Result - Successful. Was able to login to workspace ans shared service
  Step 3. 2nd we Configured Financial Management.
  Configuration was successful.
  All services are running but we are not able to login into workspace.
  We are geting following error in log file of HyS9EPMServer
  "EPM system security is not initialized properly"
  Any help will be appreciated.
  Edited by: user8638468 on Aug 15, 2012 9:42 AM

  Yes Vivek.
  We did run Foundation Service --> Configure Web Server after configuring HFM module. It was susccessful.
  After that we run "Start EPM System". Then everything stopped.
  While installing HFM in 2nd leg on "Configure Database" screen we selected "Perform first-time configuration of database".
  Entered username HFM.
  We noticed that after installation EPMSystemRegistry-jdbc got changed.
  Path is C:\Oracle\Middleware\user_projects\domains\EPMSystem\config\jdbc\EPMSystemRegistry-jdbc.xml
  <value>HSS</value> got changed to <value>HFM</value>
  I are not sure but I think we should have selected "Connect to a previously configured database".
  I am going to install it again and will update the forum.
  -Devidas

• EPM system security externalize

  Hi Masters,
  Recently I have setup EPM system 11.1.2.4 for Essbase on my servers. As you all know this version doesn't support for standalone Essbase security and by default all the users/ groups would be maintained through shared services, I have a stupid doubt here,.... what is the purpose of having the option 'Externalize users' still in EAS? is it like we need to do 'externalize users' as soon as we installed and configured the Essbase and EAS?.
  Please, help me in understanding this point.
  Thanks,
  Siva

  Yes you are correct they are automatically externalized so there is not really point in having the option in EAS anymore, I am sure it will be removed in the future.
  Cheers
  John

• Essbase native security mode and MSAD users

  Hi guys,
  I'm trying to solve following question:
  I need to keep Essbase in native security mode, ie. to assign security for users directly in EAS, not in HSS console. And I need to grant access to MSAD users, ie. to allow users to connect to Essbase using their MSAD usernames and passwords.
  How to do that?
  Thanks!
  Vladino

  You don't state what release you're on -- I think it varies slightly from release to release although the concept is mostly the same.
  Have you read this in the EAS help?
  http://download.oracle.com/docs/cd/E17236_01/epm.1112/eas_help/extauthen.html
  I think this help is missing the step where you tell Essbase what the external authenticators are. From reading about the AUTHENTICATIONMODULE Essbase.cfg setting:
  http://download.oracle.com/docs/cd/E17236_01/epm.1112/esb_tech_ref/authenticationmodule.html
  It seems that:
  When you run Oracle's Hyperion Enterprise Performance Management System Configurator, Essbase is automatically registered with Shared Services (unless you select the option to deploy Essbase in standalone mode) and this setting is automatically added to essbase.cfg.So I'm not quite sure where that leaves you -- where do you config the external authentication? Hopefully someone more installation-centric than I (which would be just about everyone in the known universe) can jump in here. I have to say that I haven't used non-Shared Services authentication since System 9 came out -- it just makes life too easy for my clients to manage security in one place.
  Regards,
  Cameron Lackpour

• Unable to assign all security roles to a user with a new custom security role

  Dear All,
  Happy New Year.!
  I have a query regarding the assignment of Security Roles to new users in CRM. Normally we assign the security roles to new users via an Admin user who has 'System Administrator' security role assigned to him/her. This works perfectly fine, and we can assign
  any desired security role to the new user.
  However, in our case, we need to delegate the user creation rights to some of the client partners. We do not want to give them access to all the Administration functions; hence we created a new Security Role, lets say 'Support User Role'. We have provided
  'Create', 'Append', 'Append To', and 'Assign' rights on 'User' entity for this new security role. With this security role, we are able to create new users now, but we are only able to assign 'Agent' security role, not any other security roles.
  For example, if user 'x' has Security Role defined as 'Support User Role'. If 'x' tries to add a new user 'y', then 'x' is only able to assign 'Agent' security role to 'y', but not any other security role. As per business requirement, 'x' should be able
  to assign some other security roles, including 'Support User Role', to new user 'y'.
  I believe that there is something missing in Security Role configuration, which is causing the above problem. We compared both 'Support User Role' and 'System Administrator' security roles, but not able to figure out which minimum rights we can provide to
  'Support User Role' so that users with this security role can only add new users (with any security role), and that they are not having access on any other Administration features as well.
  Appreciate any help that you can provide on the above issue.
  Thanks in anticipation.

  Hi,
  Can you check if you have organization level Read access for Securitity Role and Organization level Assign access for Security role.
  Refer:-
  http://www.magnetismsolutions.com/blog/paulnieuwelaar/2013/04/22/permissions-required-to-manage-roles-in-dynamics-crm-2011
  Hope this helps!!!
  Thanks,
  Prasad
  Make sure to "Vote as Helpful" and "Mark As Answer",if you get answer of your question

• Missing user rights assignment entries for many security policies in list exported via secedit

  Hello,
  First of all, I posted this same question on The Official Scripting Guys Forum! but didn't get the answer to this exact question (even though I received a lot of useful relevant info). That is why I am posting here. This is a more appropriate
  forum for the question. (Also posted on Windows Server 2012 General two days ago and didn't get a response at all).
  OK, question time:
  I want to modify the user rights assignment for a local security policy. In the GUI, find User Rights Assignment as follows: Win+R -> Enter "secpol.msc" -> Go to Local Policies -> Go to User Rights Assignment.
  So, to modify a particular use rights assignment via a script, I need to export the INF file using secedit, modify it and then configure using the modified file using secedit. To export the INF file, I am using:
  secedit /export /db C:\Windows\security\database\secedit.sdb /mergedpolicy /cfg SecPolicy
  Now, the problem is that the INF file exported doesn't have all the user rights assignments that I see in the GUI. For example, the policy "Restore files and directories" has users/groups in its settings but it doesn't show up in the INF file.
  In fact, most don't. Only five do and all these five have a different symbol next to them in the GUI. How are these policies different? What do I need to do to export all the policies?
  EDIT: Adding screenshot of what I see:
  Thanks!
  -Rohan.

  On Fri, 11 Apr 2014 18:26:50 +0000, Rohan PN wrote:
  Now, the problem is that the INF file exported doesn't have all the user rights assignments that I see in the GUI. For example, the policy "Restore files and directories" has users/groups in its settings but it doesn't show up in the INF
  file. In fact, most don't. Only five do and all these five have a different symbol next to them in the GUI. How are these policies different? What do I need to do to export all the policies?
  Can you post a screen shot? My guess is that what you're seeing is that
  secpol is only exporting the local settings and not ones that are set by a
  GPO in AD and that will also be the difference between the icons.
  Paul Adare - FIM CM MVP
  Although the Buddhists will tell you that desire is the root of suffering,
  my personal experience leads me to point the finger at system
  administration.
  -- Philip Greenspun

• Can't access safe mode to delete System Security fake anti virus virus. HELP.

  Hi, our SL500 has become infected with "System Security" fake anti virus software. We have tracked down how to remove it.
  http://www.geekstogo.com/forum/system-security-malware-t222291.html
  However when we get to the "reboot your computer in safe mode" (see instructions below) we can't as this is not possible.
  We have tried F8...........Repeatedly . And also  Run->msconfig->BOOT.INI->/SAFEBOOT . But to no avail . Actually we get a pop up stating that Windows  can not find said command and have we typed it in correctly . Please could some one help us as this is driving us insane . One last thing . A computer WITHOUT a "safe mode " option, isn't that kinda of unsafe and a tad.....
  Thanks in advance.  
  Instructions for malware removal. 
  You will need to print out a copy of these instructions, or save them to NotePad and put a shortcut to the file on the desktop so that you can refer to while you complete this procedure as you will be required to boot into Safe Mode where you wont have internet access.
  Please download ATF Cleaner by Atribune.
  Caution: This program is for Windows 2000, XP and Vista only
  Double-click ATF-Cleaner.exe to run the program.
  Under Main choose: Select All
  Click the Empty Selected button.
  If you use Firefox browser
  Click Firefox at the top and choose: Select All
  Click the Empty Selected button.
  NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  If you use Opera browser
  Click Opera at the top and choose: Select All
  Click the Empty Selected button.
  NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  Click Exit on the Main menu to close the program.
  Run MBAM again, only this time perform a full scan and post the log.
  Please click here to download AVP Tool by Kaspersky.
  Save it to your desktop.
  Reboot your computer into SafeMode.
  You can do this by restarting your computer and continually tapping the F8 key until a menu appears.
  Use your up arrow key to highlight SafeMode then hit enter.
  Double click the setup file to run it.
  Click Next to continue.
  It will by default install it to your desktop folder.Click Next.
  Hit ok at the prompt for scanning in Safe Mode.
  It will then open a box There will be a tab that says Automatic scan.
  Under Automatic scan make sure these are checked.
  System Memory
  Startup Objects
  Disk Boot Sectors.
  My Computer.
  Also any other drives (Removable that you may have)
  After that click on Security level then choose Customize then click on the tab that says Heuristic Analyzer then choose Enable Deep rootkit search then choose ok.
  Then choose OK again then you are back to the main screen.
  Then click on Scan at the to right hand Corner.
  It will automatically Neutralize any objects found.
  If some objects are left un-neutralized then click the button that says Neutralize all
  If it says it cannot be Neutralized then chooose The delete option when prompted.
  After that is done click on the reports button at the bottom and save it to file name it Kas.
  Save it somewhere convenient like your desktop and just post only the detected Virus\malware in the report it will be at the very top under Detected post those results in your next reply.
  Note: This tool will self uninstall when you close it so please save the log before closing it.
  In your next reply I would like to see:
  C:\RSIT\info.txt
  MBAM log
  Kaspersky AVP scan results
  Also let me know how the computer is behaving. 
  This post has been edited by Octagonal: Dec 27 2008, 08:08 AM 

  Thanks for trying to help. Sadly, I followed the instructions and it rebooted to the blue screen again.
  It's going to have to go to Apple for repairs now. I'm out of options.
  I am wondering how much easier it would have been if I'd created a time machine restore point. I got what I deserved for failing to do that, but I'm doubtful even that would have worked in this case. It does seem to be because of that piece of widely reported malware that didn't want to leave without causing damage.
  The most frustrating aspect is the safe boot. I get to the desktop but without any menu, finder or dock. It seems to be similar to the problem below...
  http://www.macsmarts.com/?p=109
  But that's for Tiger. I tried that to no effect.
  Like I said, it's going to have to go to Apple now because I've done so many things I don't know if I'm just digging myself a deeper hole.
  Thanks again for offering help.

• Is this legit?             Confirm your email address  Dear Email Users,  As part of our security measures, we regularly screen activity in the E-mail system and after noticing an issue on your account password, we are requesting confirmation from you for

    Is this legit?
     Apple Support Team <applsupporteam @icloud.com>
         Confirm your email address
  Dear Email Users,
  As part of our security measures, we regularly screen activity in the E-mail system
  and after noticing an issue on your account password, we are requesting confirmation
  from you for the following reason:
  Our system requires further password verification.
  In accordance with E-mailUser Agreement, your account access will remain limited
  until the issue has been resolved. Unfortunately, if access to your account remains
  limited for an extended period of time, it may result in further limitations or
  eventual account closure.
  To verify your E-mail account, you must reply to this email
  immediately and enter your following
  information.
  First Name:
  Last Name:
  Email Username :
  Email Password :
  Thank you for using webmail
  Icloud. com support team
  <Edited By Host>

  Apple requests that you forward these types of emails to them as follows (from http://support.apple.com/kb/HT4933):
  If you receive a suspicious email, select the message text so that it is highlighted. Choose Forward as Attachmentfrom the Message menu (OS X Mail) or the Actions menu (Outlook). Send the email to [email protected] This provides Apple's legal department and law enforcement with useful information to help prevent future phishing emails.

• Users assigned directly to a SharePoint group can access a site if a user is in a security group that is a member of the SharePoint group, it doesn't work

  I recently installed SharePoint 2013 SP1 and thus far all seems to be going well. I do have one issue concerning permissions to a team site I have created:
  1. If  add a user User1 only to a SharePoint group that has edit permissions to the site, that user can log in successfully.
  2. If  add a user User1 only to a security group that is a member of the aforementioned SharePoint group, the  user gets "the site has not been shared with you. The security group is a global SG, though I tried changing it to universal 
  but that did not help
   I have tried updating the SPSecurityTokenServiceConfig  as briefly described at this link:
  http://macaalay.com/2014/05/27/active-directory-groups-and-access-denied-in-sharepoint-2013/.  I performed the steps and it did not work. I also
  tried rebooting the server after that, and that did not work either.  any thoughts?
  Thanks in advance for your help

  Hi,
  I tested the issue on SharePoint server 2013 without sp installed. It worked and I used global security group. I will test the issue on SharePoint 2013 sp1 later, and please provide more information to narrow down the issue.
  Please go to site settings > site permissions > check permission, type in domain\user1, and post the result here.
  If the user has been granted permission, please try logging on another machine to test if Windows credential casues the issue.
  Did the issue occur to one site collection? Please test on other sites or web applications?
  Please create new user to test the issue again.
  Regards,
  Rebecca Tu
  TechNet Community Support

• Performance Issues with Acrobat Reader 11.0.0.2 when secure mode is enabled

  Hello All,
  We are experiencing sporadic issues with Acrobat 11.0.0.2 across our domain, users are reporting performance issues when opening PDF documents whether locally or from a network share.
  We have found that turning off Secure Mode helps towards reducing this delay and in the cases it doesn't we are repairing the installation and/or reinstalling the application.
  Due to the security implications we need to leave this turned on, I am wondering if anyone has encountered this issue and what steps were taken towards resolving it?
  I also wonder whether the white list function in the new release 11.0.0.3 would be a solution to this issue?
  Kind Regards,
  Ryan McCarty

  No probelm, so....
  We had no problems with Adobe Reader 9 and 10, we encountered the issues when upgrading to 11.0.0.2.
  Initially we found that turning off the Protected Mode, helped but did not resolve the issue.
  We tried;
  1. Turn off protected mode - issue still present
  2. Clearing the recent file registry using the below registry path and deleting the keys underneath it.
  HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\11.0\AVGeneral\cRecentFiles (this does not turn recent files off permanently). - works but needs clearing regularly
  3. Turning off welcome screen by creating -  HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Acrobat Reader\11.0\FeatureLockDown\cWelcomeScreen - works to improve app open speed.
  4. uninstall/reinstall of 11.0.0.2 - works most likley due to the recent files being cleared.
  5. upgrade to 11.0.0.3 - issue still present
  Following reboots the issue is still present.
  When Adobe Reader is the only application open this issue is still present.
  As mentioned I have no systems available which I could test this issue using 11.0.0.1 as we have fixed them, albeit temporarily using the reinstall method.
  I am concious that this issue is going to reoccur once that cache (recent files) builds back up because the fix above (#2) is clearing the recent files cache NOT disabling it.

• System.Security.VerificationException: Operation could destabilize the runtime during code coverage run in visual studio

  I have a unit test that basically does the following:
  Creates an app domain using minimum priviledges.  The MarshalByRefObject that is living in the app domain, loads another assembly to execute.  This new assembly basically takes in a data object defined in a separate assembly, and returns a
  new data object of that type.
  All this works fine in debug mode, or when running w/out code coverage.  The Sandbox assembly is signed.
  The exception that gets thrown is this:
  Test method TestProject1.UnitTest1.TestMethod1 threw exception:
  System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.Security.VerificationException: Operation could destabilize the runtime.
  ClassLibrary3.Bar..ctor()
  ClassLibrary2.Foo.TestMethod(Bar testBar)
  System.RuntimeMethodHandle._InvokeMethodFast(IRuntimeMethodInfo method, Object target, Object[] arguments, SignatureStruct& sig, MethodAttributes methodAttributes, RuntimeType typeOwner)
  System.RuntimeMethodHandle.InvokeMethodFast(IRuntimeMethodInfo method, Object target, Object[] arguments, Signature sig, MethodAttributes methodAttributes, RuntimeType typeOwner)
  System.Reflection.RuntimeMethodInfo.Invoke(Object obj, BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture, Boolean skipVisibilityChecks)
  System.Reflection.RuntimeMethodInfo.Invoke(Object obj, BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture)
  System.Reflection.MethodBase.Invoke(Object obj, Object[] parameters)
  ClassLibrary1.RemoteSandBox.Execute(String assemblyPath, String scriptType, String method, Object[] parameters)
  ClassLibrary1.RemoteSandBox.Execute(String assemblyPath, String scriptType, String method, Object[] parameters)
  ClassLibrary1.SandBox.Execute(String assemblyPath, String scriptType, String method, Object[] parameters) in c:\users\la22426\documents\visual studio 2010\Projects\TestProject1\ClassLibrary1\Sandbox.cs: line 43
  TestProject1.UnitTest1.TestMethod1() in c:\users\la22426\documents\visual studio 2010\Projects\TestProject1\TestProject1\UnitTest1.cs: line 21
  Unit Test code:
  [TestClass]
  public class UnitTest1
  [TestMethod]
  public void TestMethod1()
  using (SandBox sandbox = new SandBox())
  string assemblyLocation = Path.Combine(Environment.CurrentDirectory, @"..\..\..\ClassLibrary2\bin\Debug\ClassLibrary2.dll");
  object result = sandbox.Execute(assemblyLocation, "ClassLibrary2.Foo", "TestMethod", new Bar() { X = "test" });
  Assert.IsNotNull(result);
  Data Object code:
  namespace ClassLibrary3
  [Serializable]
  public class Bar
  public Bar() { }
  public string X { get; set; }
  Assembly to execute code:
  namespace ClassLibrary2
  public class Foo
  public Bar TestMethod(Bar testBar)
  return new Bar() { X = testBar.X };
  Sandbox code:
  namespace ClassLibrary1
  public class SandBox : IDisposable
  AppDomain Domain { get; set; }
  RemoteSandBox RemoteSandBox { get; set; }
  public SandBox()
  var setup = new AppDomainSetup()
  ApplicationBase = AppDomain.CurrentDomain.BaseDirectory,
  ApplicationName = Guid.NewGuid().ToString(),
  DisallowBindingRedirects = true,
  DisallowCodeDownload = true,
  DisallowPublisherPolicy = true,
  //DisallowApplicationBaseProbing = true,
  var permissions = new PermissionSet(PermissionState.None);
  permissions.AddPermission(new SecurityPermission(SecurityPermissionFlag.Execution));
  permissions.AddPermission(new ReflectionPermission(PermissionState.Unrestricted));
  this.Domain = AppDomain.CreateDomain(setup.ApplicationName, null, setup, permissions,
  typeof(RemoteSandBox).Assembly.Evidence.GetHostEvidence<StrongName>());
  this.RemoteSandBox = (RemoteSandBox)Activator.CreateInstanceFrom(this.Domain, typeof(RemoteSandBox).Assembly.ManifestModule.FullyQualifiedName, typeof(RemoteSandBox).FullName).Unwrap();
  public object Execute(string assemblyPath, string scriptType, string method, params object[] parameters)
  return this.RemoteSandBox.Execute(assemblyPath, scriptType, method, parameters);
  public void Dispose()
  if (this.Domain != null)
  AppDomain.Unload(this.Domain);
  class RemoteSandBox : MarshalByRefObject
  public RemoteSandBox()
  public object Execute(string assemblyPath, string scriptType, string method, params object[] parameters)
  //we need some file io permissions to load the assembly
  new FileIOPermission(FileIOPermissionAccess.Read | FileIOPermissionAccess.PathDiscovery, assemblyPath).Assert();
  Assembly assembly;
  try
  assembly = Assembly.LoadFile(assemblyPath);
  finally
  CodeAccessPermission.RevertAssert();
  Type type = assembly.GetType(scriptType, true);
  MethodInfo methodInfo = type.GetMethod(method);
  object instance = (methodInfo.IsStatic) ? null : Activator.CreateInstance(type);
  object returnVal = null;
  returnVal = methodInfo.Invoke(instance, parameters);
  return returnVal;

  I marked the shared data library with the attributes:
  [assembly: AllowPartiallyTrustedCallers]
  [assembly: SecurityRules(SecurityRuleSet.Level2, SkipVerificationInFullTrust = true)]
  And then marked  the data class Bar with the attribute:
  [SecuritySafeCritical]
  And got a little more insight into what's going on:
  Test method TestProject1.UnitTest1.TestMethod1 threw exception:
  System.MethodAccessException: Attempt by security transparent method 'Microsoft.VisualStudio.Coverage.Init_d2f466df4c65e2a7bb5d7592c49efef0.Register()' to call native code through method 'Microsoft.VisualStudio.Coverage.Init_d2f466df4c65e2a7bb5d7592c49efef0.VSCoverRegisterAssembly(UInt32[],
  System.String)' failed.  Methods must be security critical or security safe-critical to call native code.
  Microsoft.VisualStudio.Coverage.Init_d2f466df4c65e2a7bb5d7592c49efef0.Register()
  ClassLibrary3.Bar..ctor() in c:\users\xxx\documents\visual studio 2010\Projects\TestProject1\ClassLibrary3\Bar.cs: line 13
  TestProject1.UnitTest1.TestMethod1() in c:\users\xxx\documents\visual studio 2010\Projects\TestProject1\TestProject1\UnitTest1.cs: line 21
  Since the injected code coverage il is doing some native stuff, it's throwing.  Any ideas on how to allow this?

• Issue in Step 12-Maintain User Assignment in Portal (RSPOR_SETUP)

  Hi,
  I had issue with step 12--Maintain User Assignment in Portal when running prog RSPOR_SETUP [to setup BEx Web configuration] with error " System failure during call of function module RSWR_RFC_SERVICE_TEST".
  Note: BI certificate was already exported & imported to Portal.
  Evaluate Ticket Login Module is done with trustedsys, trustediss & trusteddn.
  Evaluate Assertion Ticket Login Module is done with trustedsys, trustediss & trusteddn.
  User-id: bex_admin with SAP_ALL in ABAP and mapping is done in Portal as per step 12 intruction.
  <b>Error in dev_jrfc.trc:</b>
  Exception thrown [Tue Jan 16 09:24:46,102]:Exception thrown by application running in JCo Server
  com.sap.engine.services.rfcengine.RFCException: Incoming call is not authorized
          at com.sap.engine.services.rfcengine.RFCDefaultRequestHandler.handleRequest(RFCDefaultRequestHandler.java:74)
  Caused by: com.sap.engine.services.security.exceptions.BaseLoginException: Authentication failed.
  Caused by: com.sap.security.core.server.jaas.DetailedLoginException: Authentication failed: Issuer of SAP Logon Ticket is not trusted. Authentication stack: evaluate_assertion_ticket
          at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:167)
  It looks like the issue with <b>evaluate_assertion_ticket</b> & somehow Portal is not trusted the BI certificate.  I tried SAP note 917950, 888687, 878455, 721815, etc. & many more but cannot resolved the issue.
  SAP system: NW04s with Java add-in in the same server.
  SP stack 9
  I appreciate if someone already resolved the same issue and share the solution. I already opened a ticket with SAP but they have no solution yet.
  Thanks.
  Mimosa

  Hi
  Try maintaining the following property values for the SAP BW System:
  Authentication Ticket Type = SAP Assertion Ticket
                    Logon Method = SAPLOGONTICKET
            User Mapping Type = admin,user
  Regards,
  Trikanth Basetty

• How can Manage Permissions for DB in Shared Services Security Mode

  In shared services security mode, after provisioning users for Essbase applications, only can assign database calculation and filter access. How can I grant permissions "Access Databases" like in native mode?

  Essbase will be default be in shared services security mode in 11.1.2, the wizard will not migrate security when in this mode.
  It is possible to revert it back but if you don't know the process then it is worth looking at alternatives first.
  You could use LCM to export the provisioning and then import into your target environment.
  Cheers
  John
  http://john-goodwin.blogspot.com/

• Scale 802.1X ACS in High Security Mode any Idea's?

  Scenario
  Platform ACS V 5.1.0.44
  Switch 4510R with 8 48 port modules (384 ports)
  802.1x authentication of the ports in High Security Mode (VLAN assignments required)
  Authentication Method Cert based eap-tls to machine
  we currently have 4 Data Vlans that users and assets drop into on this switch
  How do I scale this as I cant differentiate the cert to distribute the users across the 4 vlans in ACS?
  I think I can use unique Identity groups for the MAB of assets but the users has me really scratching my head.

  Looks like a Switching group has been looking at this as a possible answer for the stack switches but I cant configure vlan groups on 4510's
  and would theres no config guide on how to apply it in ACS 5.1 (use attrib 81 like we do for vlan assignment?)
  12.2(52)SE
  IEEE 802.1x User Distribution to allow deployments with multiple VLANs (for a group of users) to improve scalability of the network by load balancing users across different VLANs. Authorized users are assigned to the least populated VLAN in the group, assigned by RADIUS server.
  12.2(52)SE
  3750-E, 3560-E
  But then you get bit with even using VLAN assignments on large stacks
  •When IEEE 802.1x authentication with VLAN assignment is enabled, a CPUHOG message might appear if the switch is authenticating supplicants in a switch stack.
  The workaround is not use the VLAN assignment option. (CSCse22791)

• Restrict Moving roles with user assignment

  Hi There,
  Need your help...
  How to restrict to move roles from dev->QA with user assignment. (want to disable the user assignment restirction)
  Thanks and Regards,
  Gnanaprakasam

  Unfortunately this is not the default installation setting, so you need to go into the security settings customizing and change the USER_REL_IMPORT switch to 'NO'.
  This does however NOT make the checkbox disappear in the transport source system. It prevents the import in the target... so you must set it and transport it there first, then it works.
  Cheers,
  Julius