VDI Access Control with ISE

Hi Guys,
Can ISE do the access control for VDI users with thin clients like PCs? We now want to set up 802.1X authentication for the VDI users, but I'm not sure if this can be done by ISE. Do we just need to configure the access switch ports for 802.1X as usual, so that the switch relays the RADIUS requests to ISE?

Rodrigo,
You are right if it is using the same IP+MAC, then I don't think the identity-based firewall feature of the ASA will work for you unless you can set the Citrix VDI to use DHCP to give a unique IP for each desktop.
This is how it worked with VMware:
1. Single VDI pool with a unique IP for each desktop assigned by DHCP on the same subnet.
2. User logs in to floating desktop and Windows login server is updated with username and IP
3. Cisco Directory Agent (CDA) gets the username/IP mapping from Windows login server.
4. Cisco ASA is configured to allow access based on Windows AD group X.
5. ASA gets username/IP mapping from CDA and checks AD directly for group assignment.
6. ASA enforces access policy on the IP that is currently used by the user of group X. Users of groups Y and Z would have different policies.
NOTE: Anyconnect is not used with identity-based firewall for Windows devices. If used for 802.1x (wired or wireless) or any other supplicant, it does allow Identity-based firewall to work with non-windows devices. If Cisco would only enhance RA VPN to work when using ISE authentication with windows domain detection or assignment, it would be a complete identity-based solution. RA VPN can work if authenticating directly with AD.

Similar Messages

  • Access Control with Custom Groups

    I am rather new to APEX. I am trying to implement access control/authorization using custom groups (not the built-in View, Edit, and Administrator groups). I did search the discussion forums and the web in general but so far I have come up empty. I was hoping someone could point me into the right direction as to how to get started. Are there stored procedures that need to be customized/implemented? Where do I store the user groups? Can I use the built-in tables or should I create custom security group tables? Those are just some of the questions I am trying to figure out and any help would be much appreciated.
    And BTW, due to client requirements, we are currently using version 3.2. Not sure if there are any significant changes between that version and the latest version.
    Thank you all!
    Mischa

    Custom authentication is fairly easy to set up with your own tables, here is an example
    http://djmein.blogspot.com.au/2007/07/custom-authentication-authorisation.html
    This leads on to authorisation, again using your own tables. You need to look into using authorization schemes
    http://docs.oracle.com/cd/E37097_01/doc/doc.42/e35125/sec_authorization.htm#BABEDFGB
    This can simply be queries on your own group tables, which presumably would control membership by username.
    You ask the question about using built-in tables, yet don't want to use the built-in administrator groups?
    Plenty of significant changes, but none that should affect you in regard to authentication/authorisation.
    Scott

  • Configuring Access Control with OIM 11gR2

    Hi,
    I have to configure Access Control resource with OIM 11gR2. Kindly share relevant pointers.
    Best Regards,
    Varun

    I think this link will be helpful:
    22.5.1 Configuring Oracle Application Access Controls Governor
    http://docs.oracle.com/cd/E27559_01/dev.1112/e27150/segduties.htm#OMDEV3394

  • SAP Business Objects Access Control with BI 4.1 and enterprise authentication

    Hi Team,
    We are on BI 4.1 with enterprise authentication. We are using IDM (Oracle Waveset 8) for access management. Currently we receive requests from IDM and we manually configure the user in BI 4.1. We are now planning to automate this process, so that as soon as a user places a request through IDM, his access will get configured in BI 4.1.
    Can we achieve this using SAP Business Objects Access Control or with any other method? Need your guidance.
    Thanks,
    Nivedita

    Hi Andrea,
    1. you configure the BOE Server with the SAP authentication for your SAP server
    1b you configure trust between the portal server and the SAP system
    2. you import the portal iView template as part of the SAP Kit into the portal server
    3. you create a new system (or use an existing one) in the portal system landscape and configure the properties of the Crystal Enterprise properties
    4. you create a new iView based on the portal iView template
    ingo
    I have some difficulties creating a new system; I don't know which option I should choose.
         System (from template)
         BI JDBC System
         BI ODBO-Compliant OLAP System
         BI SAP Query System
         BI XMLA-Compliant OLAP System
         EP 5.0 System
         HTTP System
         JDBC System
         KM Lotus System
         KM WebDAV System
         KM Windows System
         SAP system using connection string
         SAP system using dedicated application server
         SAP system with load balancing
         Web Service System using WSDL URL
         System (from PAR)
         com.sap.km.cm.repository.manager
         com.sap.km.common.domino
         com.sap.netweaver.coll.appl.gw
         com.sap.netweaver.coll.appl.sync
         com.sap.portal.httpconnectivity.urlsystem
         com.sap.portal.ivs.sl.connector.helper
         com.sap.portal.runtime.application.soap
         com.sap.portal.systems.bi
         com.sap.portal.systems.datasource
         com.sap.portal.systems.EP5
         com.sap.portal.systems.jdbc
         com.sap.portal.systems.sap
         com.sap.portal.systems.webservices
         com.sap.portal.unification50.template
    Thanks a lot
    Selvam

  • Access control with JSP

    We have been working with a design company to design our website HTML. However, a portion of these HTML files need to be password protected, all of these files are stored in one particular folder called "/tools". The problem here is that these files should only be accessible if the user has logged into the site, and the design firm has given all of these files an .html extension, which means that they will not be able to run embedded JSP code.
    From what I understand, if I want to create access control in these .html files I will need to rename them all to .jsp and then update all the links to these files to use the .jsp extension. But the design firm is telling me that their other clients never needed to do this and were able to use JSP to control access to the folder itself. They said that it is possible using JSP to prevent access to a particular folder on the webserver, and that anybody without a valid login or session who tries to access the files in the folder can be redirected to the login page. All of this can be achieved without having to insert JSP code into the password-protected HTML files and renaming them with a .jsp extension. Is this true? We want to avoid doing this because there are a lot of HTML files and links that will need to be changed if we rename the files to .jsp.
    I'm still a relative beginner with JSP and have never heard of any functionality which allows JSP to stop a browser from accessing a particular folder on the server. Am I missing something here? Is there really a better way of doing this without using JSP code?
    I have thought about putting the folder in an offline location and then using a controller JSP/servlet to check the user's login status and then read & display the HTML file from the offline folder. But I am not sure if this is really an efficient way of doing this.
    Any suggestions?
    Thanks,
    Phil

    You can set up a servlet filter in the web.xml. That lets you intercept every single request to certain areas of the app, and modify/redirect it if necessary.
    Example: This sets up a filter that runs on all requests to the "/tools" directory:
    In web.xml:
       <filter>
         <filter-name>testFilter</filter-name>
         <filter-class>com.TestFilter</filter-class>
       </filter>
       <filter-mapping>
         <filter-name>testFilter</filter-name>
         <url-pattern>/tools/*</url-pattern>
       </filter-mapping>
    And an example Java class of a filter. This one just logs the request URI.
    package com;
    import java.io.IOException;
    import javax.servlet.Filter;
    import javax.servlet.FilterChain;
    import javax.servlet.FilterConfig;
    import javax.servlet.ServletException;
    import javax.servlet.ServletRequest;
    import javax.servlet.ServletResponse;
    import javax.servlet.http.HttpServletRequest;
    public class TestFilter implements Filter {
         public void init(FilterConfig arg0) throws ServletException {}
         public void destroy() {}
         public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
              if (request instanceof HttpServletRequest) {
                   HttpServletRequest req = (HttpServletRequest) request;
                   System.out.println("Servicing request for " + req.getRequestURI());
              }
              // Always hand the request on to the next filter/servlet, otherwise
              // the files under /tools are never served at all.
              chain.doFilter(request, response);
         }
    }
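The logging filter above shows the mechanism; the following is an added example (not code from the reply or from Phil's site) of a filter that actually enforces the login check for the "/tools/*" mapping. The session attribute name "user", the login page path "/login.jsp" and the class name LoginRequiredFilter are assumptions.

```java
package com;

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical filter: map it to /tools/* in web.xml exactly like testFilter above.
// The static .html files stay untouched; the container only reaches them when
// this filter calls chain.doFilter().
public class LoginRequiredFilter implements Filter {

    // Assumed contract with the login page: on success it stores the username
    // in the session under this attribute. Both values are assumptions.
    static final String USER_ATTR = "user";
    static final String LOGIN_PAGE = "/login.jsp";

    public void init(FilterConfig config) throws ServletException {}
    public void destroy() {}

    // Decision logic kept separate from the servlet plumbing.
    // getSession(false) returns null for a visitor who has no session yet,
    // and a visitor without a session is by definition not logged in.
    static boolean isLoggedIn(HttpSession session) {
        return session != null && session.getAttribute(USER_ATTR) != null;
    }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (!(request instanceof HttpServletRequest)) {
            chain.doFilter(request, response);
            return;
        }
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;

        if (isLoggedIn(req.getSession(false))) {
            // Authenticated: tell browsers and proxies not to keep a copy, so a
            // later logged-out visitor cannot read the page from cache.
            resp.setHeader("Cache-Control", "no-store");
            chain.doFilter(request, response);
            return;
        }

        // Not authenticated: remember the context-relative path that was requested
        // so the login page can send the user back there. Only the server-side path
        // is stored, never a user-supplied URL, so the login page cannot be turned
        // into an open redirect.
        HttpSession session = req.getSession(true);
        session.setAttribute("returnTo", req.getRequestURI());
        resp.sendRedirect(resp.encodeRedirectURL(req.getContextPath() + LOGIN_PAGE));
    }
}
```

The login page itself must live outside the "/tools/*" mapping, otherwise every visitor would be redirected in a loop.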

  • Cross-enterprise integration of SAP GRC Access Control with PeopleSoft

    Friends,
    Does anybody has/have/had the owner to implement Cross-enterprise integration of SAP GRC Access Controls 5.2 with PeopleSoft ?
    If yes, what are the key points and approach one should keep in mind while going for this kind of cross-enterprise implementation.
    Is there any reference material, blog, wiki or such informative resource regarding cross enterprise GRC implementation available on the web?
    I tried to search, but could not get good results.
    Any help would be highly appreciated.
    Best Regards,
    Amol Bharti

    Amol-
    From my experience:
    CC 5.2 with PeopleSoft: as long as you have the RTAs installed in the PeopleSoft system and create the connectors in CC, you are good to go.
    AE 5.2 with Peoplesoft: cannot provision to Peoplesoft, however you can connect with Peoplesoft HR for Password Self-Service.  You have the capability to provision to SAP HR.
    FF 5.2 with Peoplesoft: N/A
    RE 5.2 with Peoplesoft: N/A
    I am not sure if there are any standalone docs out there for AC integration with Peoplesoft.  And the 5.2 manuals have sparse information on integration.  However, the AC 5.3 manuals have more detailed info on the integration piece with various other non-SAP systems.
    Sorry, I couldn't share more info, as that is all I know for now...
    Ankur
    GRC Consultant

  • War file and access control with WebLogic

    I am trying to put some access control on different files in my war file, but just can't get it to work... It seems like all roles defined in weblogic.properties give the user access to all files in the war. I just don't understand the connections between the security realm, the weblogicURL.policy file and the web.xml file... If I do not specify a weblogic.security.URLAclFile, no access control is done at all.
    This is how my weblogic.properties file looks:
    weblogic.security.URLAclFile=e:\\weblogic\\weblogicURL.policy
    weblogic.password.koko=kokokoko
    weblogic.password.arnebelinda=arne1234
    weblogic.security.group.ppuseradmins=arnebelinda
    and my weblogicURL.policy:
    deny Principal weblogic.security.acl.GroupImpl "everyone" {
        Permission weblogic.security.acl.URLAcl "weblogic.url", "/admin/-";
    };
    and finally, my web.xml-file:
    <!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN"
    "http://java.sun.com/j2ee/dtds/web-app_2_2.dtd">
    <web-app>
         <session-config>
              <session-timeout>30</session-timeout>
         </session-config>
         <welcome-file-list>
              <welcome-file>index.jsp</welcome-file>
         </welcome-file-list>
         <security-constraint>
              <web-resource-collection>
                   <web-resource-name>admin</web-resource-name>
                   <url-pattern>index.jsp</url-pattern>
              </web-resource-collection>
              <auth-constraint>
                   <role-name>ppuseradmins</role-name>
              </auth-constraint>
         </security-constraint>
         <login-config>
              <auth-method>BASIC</auth-method>
              <realm-name>WebLogic Server</realm-name>
         </login-config>
         <security-role>
              <role-name>ppuseradmins</role-name>
         </security-role>
    </web-app>
    It does not matter which user is part of the ppuseradmins group. The user koko is not a member, but is given access to my whole .war anyway (after submitting a correct username/password). Omitting the <realm-name> does not seem to work either; the default realm is not used, instead null is used.
    Does anybody have a clue? I would really appreciate it!
    I am using WebLogic 5.1 sp 9
    best regards,
    PJ

    In your policy file entry, you have specified "/admin/-".
    However, in the <security-constraint> element in web.xml, your <url-pattern> is not set to /admin.
    Could that be the problem?

  • Ssid access control with WPA Ent and RADIUS author

    Hi, I'd like to control the SSID requested in WPA Enterprise with RADIUS authorization: how?
    Is there an attribute in RADIUS, IOS or Cisco Aironet?
    thanks

    Depends on what you are using for a radius server.
    Here are some links that might help.
    http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a00807917aa.shtml
    http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a0080921f67.shtml

  • Access Control - MDM Integration

    Hi All,
    We are trying to integrate Access Controls with SAP MDM but it doesn't appear that this is out of the box functionality. Has anyone had experience with this integration? From a ruleset perspective is this possible? It doesn't appear CUP will provision to it.
    I have heard that Greenlight provides RTAs for non-SAP systems, does anyone know if they work with SAP MDM? Any guidance is greatly appreciated.
    Thanks,
    Grace Rae

    Hi Grace,
    Please refer to the links below, which may help you integrate MDM with GRC:
    http://help.sap.com/saphelp_nwmdm71/helpdata/en/48/956cd09521062de10000000a42189d/frameset.htm
    SRM MDM 5.5 AND GRC 5.3 INTEGRATION
    Warm Regards,
    Raghu

  • Is there any way I can control which specific access point I connect (and stay connected) to from amongst a set of access points with the same SSID?

    I'm working from a boat in a harbor in which the ISP has deployed numerous access points around the periphery. All the access points share the same SSID and each is configured to use either channel 1, 6 or 11. From my location, there are over a dozen of these access points "visible" (based on the output of WiFi Scanner) with a range of RSSI and S/N values that vary over time.
    The ISP has told me that the quality of my connection should be "perfectly fine" for any access point with an RSSI value better than -75, but I know from experience that my connection quality is miserable (i.e. < 50Kbps download) for almost all of these, including those with RSSI values better than -75.  There is at least one exception, however, which gives me on the order of 2Mbps download, which is "great" in this context.
    I've tried using a more powerful USB antenna plugged into my MacBook Air (mid 2011), but as far as I can tell, it really doesn't make much difference.  Neither does my location within the boat.   The overriding factor seems to be which access point I happen to connect up to.
    I should point out that the closest access points are about 75 yards away, with many of them being several hundred yards away or more.  I'm guessing that even though the signal strength of some of the distant access points is causing them to get "chosen" some times, the results are unacceptable due to the distance.
    I'm hoping that I can determine, through experimentation, which access point(s) provide(s) acceptable performance and then configure my Mac to limit my connection to those points through whatever mechanism I need to use (e.g. channel, MAC id, etc.).

    Establishing a wireless connection with a client computer is left to the access point for various reasons. One reason that your Mac may not connect to the strongest access point is that it may have reached a limit of the number of clients it can serve, leaving it unable to accept a connection with another. The limit may not be very large.
    Suppose that happens, and your Mac establishes a connection with a more distant access point having a weaker signal. Then, suppose a client drops off the network. Doesn't this mean your Mac will switch to the stronger access point? Not necessarily. The throughput delivered to and from your Mac would have to drop below a threshold specified in the AP for it to drop the client, leaving your Mac free to connect with another one. The reason for this is to prevent rapid switching from one AP to another in an area in which two signals are of approximately equal quality. If that were to occur the frequent and repetitive handshaking between the two devices would slow throughput to zero.
    In an environment in which several access points are broadcasting the same SSID, Apple provides no insight as to how it determines which access point to choose. This is the reason I suspect this "choice" is a function of the router, or access point. The connection originates with it, not the Mac.
    Now, what would solve your dilemma would be to determine a way to control the access point with which your Mac connects, by specifying the access point's unique MAC address for example. In this happy circumstance, you could maintain an editable "whitelist" or "blacklist" of the harbor's access points and be able to choose which among them you prefer.
    I do not believe OS X maintains such a record of MAC addresses though, only those of the routers it uses. If I am correct about that, such a solution is unlikely to exist. Don't let that discourage you from searching for one though... I would concentrate on something like "selecting access point by specific MAC address".
    I did find this patent application though:
    Roaming Network Stations Using A Mac Address Identifier To Select New Access Point
    Perhaps it's a start

  • Creating SOD matrix with the help of Access control default ruleset

    I am creating the SOD matrix for the existing roles of the CRM and HR modules. As I am the security consultant, I do not have the functional knowledge about the conflicts for CRM and HR transactions. My question is: can I use the function/action/risk conflicts provided with the Access Control 5.3 default ruleset? We are not using Access Control for these systems, so I want to know whether I can use the AC 5.3 default risks to create the SOD matrix.
    For example, like the H001 default HR risk, I would make sure not to assign PA30 (maintain HR data) together with PA03/PA04 (maintain personnel control record), as this would result in the conflict "Modify payroll master data and then process payroll".
    Once I have the SOD list based upon AC 5.3, I can consult the business approver/auditor to verify and modify it as per the business requirement.
    Maybe I am thinking the wrong way; please provide your inputs so I can work on it. Any help appreciated.
    Thanks,
    Sanjay Desai

    The most important thing to keep in mind is that you need to build a rule set that reflects the customer's real business risk!
    What you build there will influence the way the customer will be able to continue work, assign access and perform control activities. The input HAS to come from the business!
    You can use the SAP standard risk definitions as a starting point for discussions, and the HR functions are an excellent building block to identify the transactions and necessary authorization objects that allow users to perform the actions.
    But the real challenge is to identify the risks as perceived/accepted by the business!
    Frank.

  • NWBC no option "Access Control" - can't start working with GRC 10.0

    I have installed GRC AC 10.0 and have followed the post-installation documentation. All seems to be fine so far.
    But when I run NWBC, I do not get the Icon/Option "Access Control".
    What can go wrong? My user has sap_all and sap_grac_all, so it shouldn't be the access rights...what else can I check?

    I have installed GRC AC 10.0 and have followed the post-installation documentation. All seems to be fine so far.
    But when I run transaction NWBC, the web-browser (Iexplorer) opens the HTML-NWBC, but I do not get the Icon/Option "Access Management". I see this option however on the screenshots of the documentation. And it seems to be the only way to work with the application - or can I work directly within SAP-GUI ?
    I see however the icons "Office", "Cross-Application Components", "Accounting", "Information Systems", "Tools" and I can drill down into the submenus and use the functionality.
    What can go wrong? My user has sap_all and sap_grac_all assigned, so it shouldn't be the access rights... what else can I check? Any ideas are welcome... thanks in advance...

  • Integrating with external access control system

    Hi,
    I am new to the network but have read a lot recently about the above subject, as much as I could. However, I am a bit mixed up about something. I understand that in order to update the SAP HR module with employee time and attendance logs I need to interface with a certified PDC interface => (SAP ECC - PLANT DATA COLLECTION - TIME & ATTENDANCE AND EMPLOYEE EXPENDITURES (HR-PDC))
    I wish to develop a system that updates SAP HR with employee attendance logs. In addition, I also wish to enroll new employees into my access control system database by polling the SAP HR database.
    Now my question is, if I use the .NET connector:
    1. Does the connector include functions that can help with the above requirements?
    2. Is the use of the PDC interface here still a must?
    Thanks

    For time management, with the help of transaction PT80 you can download the information about employees via IDoc. And there are some programs, a.k.a. connectors, that link access control systems and SAP so that you do not hire the same employee again in the access control program. You hire the employee in SAP and SAP sends the information (HR Minimaster DATA) to the related program.
    It also does the same thing for employees who resign. I mean, if an employee is fired or resigns from the company, then it is sent to the related system.
    These can be found under PDC integrated systems. You can find information about the systems from Ecohub. http://ecohub.sap.com/
    I hope this answer will help.

  • LWA Guest Access with ISE and WLC

    Hi guys,
    Our company is trying to implement Guest Access with ISE and WLC with the Local Web Auth method. But there is a problem that comes up with the certificate. This is the scenario:
    1. Guests try to connect to Wi-Fi with SSID Guest
    2. Once connected, guests open the browser and try to open a webpage (example: cisco.com)
    3. Because the guests didn't log in, it redirects to the "ISE Guest Login Page" (the URL becomes:
    https://ise-hostname:8443/guestportal/Login.action?switch_url=https://1.1.1.1/login.html&wlan=Guest&redirect=www.cisco.com/
    4. If there is no ISE Guest Login Page installed, an Untrusted Connection message will appear, but it will be fine if they "Add Exception" and install the certificate
    5. After that the Guest Login Page will appear, and guests input their username and password.
    6. Login succeeds and they are redirected to www.cisco.com, and there is a pop-up from 1.1.1.1 (WLC Virtual Interface IP) with a logout button.
    The problem happens in step 6: after a successful login, a webpage with the ISE IP address and a certificate error message for 1.1.1.1 appears.
    I know it happens when the guests don't have the WLC Login Page certificate...
    My question is, is there a way to tunnel the WLC certificate through ISE? Or what can we do to make ISE validate the WLC certificate, so guests don't need to install the WLC certificate/root certificate before connecting to Wi-Fi?
    Thx 4 your answer and sorry for my bad English....

    Thanks for your reply Peter, your solution is right.
    I didn't choose CWA because their DNS is not stable...
    I've found the problem...
    The third-party CA is revoked, so there is no way it will succeed until it is fixed...
    and there is no guarantee they will fix it soon..
    So the solution we chose is to disable "HTTPS" on the WLC...
    "config network web-auth secureweb disable"
    Thank you all...

  • Business Rules Framework (BRF) with Access Control V10 (ERM and CUP)

    Hi Experts,
    Where can I find some information about the usage of BRF with respect to Access Control (especially ERM and CUP)?
    Thanks in advance and best regards,
    Marlen

    Hi Marlen,
    For ramp-up customers we have ramp-up knowledge transfer to be found here:
    http://service.sap.com/rkt
    If you are not participating in the AC 10.0 ramp-up you would need to wait until the product is generally available.
    For general information on BRF have a look here:
    http://help.sap.com/saphelp_nw70ehp2/helpdata/en/43/8b85c9db2f614fe10000000a1553f7/frameset.htm
    Best,
    Frank
