Using SSDs to limit user access to hosts

I have a question about limiting user access to a host using SSDs. Is there any reason I should not do the following?:
In the profile for the ldap client, myhost:
serviceSearchDescriptor: passwd: ou=People,dc=example,dc=com?sub(|(host=myhost)(host=production)(host=ALL))
Then in the user's account:
dn: uid=juser, ou=People,dc=example,dc=com
host: myhost <---------------------------------------------------------------
loginShell: /bin/ksh
gecos: Joe User
cn: juser
uidNumber: 5555
gidNumber: 5555
homeDirectory: /export/home/juser
objectClass: posixAccount
objectClass: shadowAccount
objectClass: account
objectClass: top
uid: juser
etc
I can add a single host, an environment (production), or all hosts for admins by editing the user account. It seems to work fine in testing. I just don't want to get blind-sided by some glitch later. I am using Solaris 8, 9, and 10 native clients and SunONE 5.2 DS with TLS.

Thanks Gary. I sent you an email before I posted here. I wasn't sure if this is where you "hang out". :)
I was thinking after posting here that I might want to do it with shadow instead of passwd so that permissions of files still showed the owner instead of the id even if the owner were not allowed to log in. A somewhat rare situation, but it happens.
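
Added example (not from the original post or from Solaris): a small Python model of the `host` filter in the SSD above, evaluated against constructed entries, to show which accounts each client would see and which accounts match no client at all. The `devbox` profile, the sample users and all function names are assumptions; only the filter logic is modelled, not the Solaris name service or PAM.

```python
import re

_EQ = re.compile(r"([A-Za-z][\w-]*)=([^()*]+)\)")

def parse_filter(text):
    """Parse the filter subset used in the SSD: (attr=value), (|..), (&..), (!..)."""
    pos = 0
    def node():
        nonlocal pos
        if text[pos:pos + 1] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        op = text[pos:pos + 1]
        if op in ("|", "&", "!"):
            pos += 1
            kids = []
            while text[pos:pos + 1] == "(":
                kids.append(node())
            if text[pos:pos + 1] != ")" or not kids or (op == "!" and len(kids) != 1):
                raise ValueError(f"malformed '{op}' group at offset {pos}")
            pos += 1
            return (op, kids)
        m = _EQ.match(text, pos)
        if not m:
            raise ValueError(f"unsupported filter item at offset {pos}")
        pos = m.end()
        return ("=", m.group(1).lower(), m.group(2).lower())
    tree = node()
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return tree

def matches(tree, entry):
    """True if the entry satisfies the filter; values compare case-insensitively."""
    if tree[0] == "=":
        return tree[2] in [v.lower() for v in entry.get(tree[1], [])]
    results = [matches(kid, entry) for kid in tree[1]]
    if tree[0] == "|":
        return any(results)
    return all(results) if tree[0] == "&" else not results[0]

def access_matrix(profiles, entries):
    """Map each uid to the sorted list of clients whose filter returns it."""
    trees = {host: parse_filter(f) for host, f in profiles.items()}
    return {e["uid"][0]: sorted(h for h, t in trees.items() if matches(t, e))
            for e in entries}

# Constructed sample data: "myhost" uses the filter from the post, "devbox" is hypothetical.
PROFILES = {"myhost": "(|(host=myhost)(host=production)(host=ALL))",
            "devbox": "(|(host=devbox)(host=development)(host=ALL))"}
ENTRIES = [{"uid": ["juser"], "host": ["myhost"]},
           {"uid": ["dbuser"], "host": ["PRODUCTION"]},
           {"uid": ["padmin"], "host": ["ALL"]},
           {"uid": ["devuser"], "host": ["devbox", "development"]},
           {"uid": ["svcacct"]}]  # no host value: returned to no filtered client
```

An account such as `svcacct` with no `host` value is returned to none of the filtered clients, which is worth checking for before the filter is rolled out.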

Similar Messages

  • Oracle App Server limit user access

    Hi guys!
    Is there such a function in OAS where I can limit a user's access to a certain page?
    I have registered my users in OID and I want to set limits to specific pages (limiting which user can access which page or not)...
    Appreciate any help..

    They are different. Oracle Application Server is Oracle's application server prior to the BEA acquisition. WebLogic Server is a completely separate product and will be the strategic application server going forward at Oracle, although Oracle Application Server will still be maintained and supported.

  • Using Profile to limit resource access

    Hello,
    I'm trying to use the profile feature to limit access for specific users. The feature I want to limit is:
    CPU_PER_CALL defined as follow: Limits the amount of CPU time that can be consumed by any single database call in any session established by a user with this profile. The specified value is in hundredths of a second and applies to a parse, an execute, or a fetch call. These calls are implicitly performed by the database for any SQL statement executed in SQL*Plus and can be explicitly called from OCI, Java, or PL/SQL programs. When this limit is breached, the statement fails and is automatically rolled back, and an exception is raised.
    My question is:
    How can I, from a SQL stmt, measure the number of CPU per call? I cannot guess this value, otherwise if wrong the SQL stmt will fail every time!
    I'm on 10g, windows server 2003
    Thanks for your help

    You can see that information at sql_trace files.
    Turn on traces in session using
    SQL> alter session set sql_trace=true; --to current session
    SQL> exec dbms_system.set_sql_trace_in_session(SID, SERIAL#, TRUE) -- to another session
    After stmt executes make a plain text by tkprof tool
    # tkprof xxx.trc xxx.txt explain=user/pass aggregate=no
    The file xxx.txt measures the CPU per call for stmts ... the option aggregate=no is mandatory if you execute more than 1 bound SQL statement
    Regards.
    Marcio Paiva

  • Limit users access to Spotlight

    We have an IBook lab at our school with users accounts for all grades, K-8. I just noticed that using Find in any of our otherwise managed user accounts allows that account to access files in all shared folders. Is there any way of turning this off?

    At my school they've just disabled the find feature altogether, which can be done through Spotlight prefs. If you just want to stop Spotlight from searching certain places you can do that too.
    really though I didn't know that this was a problem. oh and a warning, it's extremely easy to disable this if you don't have Open Firmware enabled.

  • Limit user Access to Return Data in Report

    I have reports for which I need to limit what is returned. The person running the report should only see the data that they own. Is this possible? Can I set an attribute based on the person who has signed on to Discoverer and use that in the select to limit the data returned?
    Thanks,
    Dan

    Yes, it's possible!
    You can use the VPD (Virtual Private Database) feature of the database.
    Check out the following stuff:
    http://www.oracle.com/oramag/oracle/99-Jul/index.html?49sec.html
    http://download-west.oracle.com/docs/cd/B10501_01/appdev.920/a96590/adgsec02.htm
    http://www.oracle-base.com/Articles/8i/VirtualPrivateDatabases(VPD).asp

  • Limit user access to settings and problematic options..

    I don't want the user to have access to settings, and other options they should not be playing with.
    Is there any way to do that with ZfH5 ?

    fabian,
    It appears that in the past few days you have not received a response
    to your posting. That concerns us, and has triggered this automated
    reply.
    Has your problem been resolved? If not, you might try one of the
    following options:
    - Do a search of our knowledgebase at
    http://support.novell.com/search/kb_index.jsp
    - Check all of the other support tools and options available at
    http://support.novell.com in both the "free product support" and "paid
    product support" drop down boxes.
    - You could also try posting your message again. Make sure it is
    posted in the correct news group. (http://support.novell.com/forums)
    If this is a reply to a duplicate posting, please ignore and accept
    our apologies and rest assured we will issue a stern reprimand to our
    posting bot.
    Good luck!
    Your Novell Product Support Forums Team
    http://support.novell.com/forums/

  • Best Practice - Securing Schema from User Access

    Scenario:
    User A requires access to schema called BLAH.
    User A is a developer that built an application using this schema in a separate development environment, although has the same privileges mirrored to production (same roles etc - required for operation of the application built).
    This means that the User has roles that grant Select, Update etc rights for the schema / table in order to use (and maintain) the applications.
    How can we restrict access to the BLAH schema in PRODUCTION, enforcing it to only be accessible via middle tier / application (proxy authentication?)?
    We've looked at using proxy authentication, however, it's not possible to grant roles and rights to the proxy account and NOT have them granted to the user (so they can dive straight in using development tooling and hit prod etc).
    We've tried granting it on a session basis using proxy authentication (i.e. user A connects via proxy, and we ENABLE a disabled role on the user based on this connection), however, it causes performance issues.
    Are we tackling this the wrong way? What's the best practice for securing oracle schemas (and objects in general) for user access where the users actually get oracle user account (or even use SSO) for day to day business as usual.
    To me this feels like a common scenario, especially where SSO comes into play ...

    What about situations where we have Legacy Oracle Forms stuff? In these cases the user must be granted select etc rights to particular objects, as this can't connect via a middle tier.
    The problem we have is that our existing middle tier implementation is built expecting the user credentials to be passed to it during initial authentication and does not use a proxy, or super user style account.  We have, historically, been 100% reliant on Oracle rights and controls to validate and restrict access to our underlying data.  From what you are saying, we should start to look at using proxy or super user access and move this control process further up - i.e. into Code or Packages ?  If so, does this mean that there is no specific way to restrict schema access to given proxy accounts and then grant normal user accounts to connect through these to get access (kind of a delegated access scenario), without using disabled roles?

  • Removing user access after hours

    All,
    We are running Oracle 10g. What is the best way to remove user access after hours say from 5:00 pm to 6:00 am? I have searched this site and the only thread that I found was Can I limit user access to Oracle DB based on time?? which is not helpful to me. My manager wants users to access the Database only during the user's work hours which is M-F 8:00 am - 5:00 pm. Any suggestions would be greatly appreciated.
    Seyed

    >
    Creating a logon trigger will need a restart of the database, but I think it is the best approach.
    Am not sure why restart would be required?
    Possibly creating a separate listener entry on a different port especially for the users could also be a solution.
    Then after 05:00 pm, stop that particular listener only
    HTH
    What if I know the port number of another listener?
    FJFranken
    My Blog: http://managingoracle.blogspot.com
    If this answer satisfies your question, mark the question as answered and award the points. It is appreciated!
    Regards
    Anurag

  • Can my wife use her iPad to get access to my music via iTunes Match and still retain her iTunes store user id?

    My wife has a new iPad and iPad Store user ID.  I have a separate iTunes store user id and subscribe to iTunes Match.  All my music is now in the "cloud".  Can my wife get access to my music via Match and still retain her iTunes store user id?
    The only way I seem to be able to get Match to work on her iPad is if she uses both my iCloud user ID and my iStore user ID.

    Essentially I have the same problem.  My spouse and I have a shared music collection on 1 computer.  We've used different ids for our various devices for years.  Currently we both use iPad minis, iPhones and AppleTV.  I have iTunes Match on my account.  Recently we haven't been able to access songs bought or downloaded by the other id.  iTunes says that the computer is associated with another id.  In fact we have 1 song that didn't finish downloading when an album was bought on my spouse's account while the rest of the album is there.  My suspicion is that I will need to go down to a shared id when we buy our new MacBook Pro for Boxing Day.  But, if we do that are we able to have separate calendars and passbooks and other features?  Is there another option?  I'm willing to stop using iTunes Match if necessary.

  • Access KM using API as predefined user

    Hello, dear experts!
    Currently I am going to use KM as file storage for my application. I want to prevent direct access to KM content for all users and allow them to upload and download files only using my application.
    The problem is:
    I use not context of current user but some user found in UME.
    IUser user = UMFactory.getUserFactory().getUserByLogonID("Administrator");
    com.sapportals.portal.security.usermanagement.IUser ep5User = portalUserFactory.getEP5User(user);
    context = new ResourceContext(ep5User);
    When I try to operate KM (for instance create new folder) I get error: "User <Administrator> is not authenticated"
    But user "Administrator" has all rights to access KM.
    Is it possible to access KM using API as different user? Or is there another way to solve the problem?
    Best regards,
    Anton.

    Hi, Praveen!
    Thank you for your answer. Your code works fine!
    But when I created my own service user "service_user" under Content Management  -> Utilities -> System Principals I cannot get resource context even after restarting servlet engine.
    I get an exception java.security.PrivilegedActionException: com.sapportals.wcm.repository.ResourceException: User management exception: Could not get service user "service_user".
    This user has the same permissions as "cmadmin_service".
    Also user with the same name was created in UME.
    Maybe I should execute some additional administration task?
    Best regards,
    Anton.

  • After recording text using the Dragon dictation app, it is converted, it can be copied to the iOS system clipboard for use in any app, how does the user access the clipboard to retrieve this information if it is no longer on the screen?

    After recording text using the Dragon dictation app, it can be copied to the iOS system clipboard for use in any app. How does the user access the clipboard to retrieve this information if it is no longer on the screen?

    You need to do a long-press in any data entry field, then select Paste.

  • Allow a user access to start and stop a particular service in Solaris 11 using RBAC controls

    So, using svcbundle I created a service called "oracle" that starts and shutdown a db. I'm aware of how to grant RBAC access to be a "service operator" to be able to control start/stop ALL services. But I'd like to grant a user access to start and stop JUST this service.
    in this document on page 15, it states that it's possible to do this kind of granularity but doesn't explain how to do it step by step.
    how does one achieve this?
    thanks.

    You need to add a property group such as
    <property_group name='general' type='framework'>
      <!-- to start stop oracle -->
      <propval name='action_authorization' type='astring'
      value='solaris.smf.manage.oracle' />
    </property_group>
    Then add the solaris.smf.manage.oracle authorization to the user profile.
    As an example, see Less known Solaris features: RBAC and Privileges - Part 2: Role based access control - c0t0d0s0.org

  • How to select which RFC USERS have been accessed my host ?

    Hi, guru
    how to select which RFC USERS have been accessed my host ?
    or how to record the RFC users's trace ?
    because the auditor wants to know it.
    Best regards,
    Michael

    how to select which RFC USERS have been accessed my host ?
    did you check ST03N->User profile ?
    or how to record the RFC users's trace ?
    Check ST01 for system trace.

  • Power Shell Web Access - How to limit the cmdlets and give regular users, access to perform tasks

    Is it possible to give regular/standard users PowerShell Web Access to only, for example, "get-" cmdlets?
    The idea is to provide help desk tech users a minimum level of access on some servers, and it would be useful to give them basic and restricted access to a few cmdlets, to perform harmless activities and maybe some level of access, not allowing them to use RDP, but PS instead.

    While PowerShell Web Access (PSWA) does require authorization rules to function, these rules do not specify what cmdlets can be used in a PSRemoting session. The PSWA authorization rules define what user, or group of users, can remotely connect to what computer, or group of computers, through the PSWA gateway (the PSWA server).
    What you need to research are session configurations and/or endpoints. These are separate from PSWA, but can be used in conjunction with PSWA (PSWA website > Optional connection settings > Configuration > NameOfConfiguration), just as they can in a standard console-based PSRemoting session (Enter-PSSession -ComputerName server01 -Configuration NameOfConfiguration -or- Invoke-Command -ComputerName server01 -Configuration NameOfConfiguration).
    Start your research with New-PSSessionConfigurationFile and then Register- and Unregister-PSSessionConfiguration. These have been great for our environment, allowing non-admin users access to run very specific cmdlets as an admin, without being an admin on the computer.

  • Would like to limit application use to one active user...

    I would like to limit the application use to one active user. Is there an easy way to do this without building a custom solution. Also when a different user tries to logon, they will get a message saying that the application is currently in use by the currently active user's name....
    Thanks,
    ML

    Hm,
    I think this could be problematic. You need to think of many things that could happen and take care of those. These postings may help you further:
    Session timeout ?
    Re: Session Timeout Function
    Re: view current active sessions & currently the active user who are logged in
    Denes Kubicek
    http://deneskubicek.blogspot.com/
    http://www.opal-consulting.de/training
    http://apex.oracle.com/pls/otn/f?p=31517:1