Web Access Policy for AD Users

Hi Experts,
I have a domain abc.com. This domain has some users.
I have installed Forefront TMG on a separate server that is part of the abc.com domain.
I need to apply deny/allow rules to the AD users and groups in my domain.
Can anybody help in doing that?
Thank You....

Hi,
Based on my experience,
Domain Name Sets are very useful when you need to block or allow a single domain. You can create a domain name set
by using an asterisk (*) to specify all the domain computers in the Add Network Entities dialog box.
Then you can create an allow/deny rule and apply it to the domain name set.
Best regards,
Susie

Similar Messages

  • PF attribute modification in Access Policy for existing users.

    Hi Guys,
    I have an access policy for provisioning a resource. Suppose I make some changes to the process form attribute value inside the access policy. How can I have the same attribute value reflected in the process form of users who are already provisioned by the access policy?
    A direct database update won't be a good idea here, as I have multiple access policies for the same resource. Is there any table which holds the relation between a provisioned resource and the corresponding access policy, if at all I have to go for a custom scheduled task?
    Thanks,

    Is this solution also supposed to work in OIM 11g? I tried it, but data on the main form does not get reflected on the process form of existing users. For child data it does work.
    Edited by: bsteen on Aug 5, 2011 5:21 AM

  • Access Policy for Existing Users

    Hi,
    Here is the Scenario:
    1. We have AD resource object having "Allow Multiple" Unchecked
    2. We have Users who are already provisioned to AD
    We are trying to introduce auto provisioning into our system for AD. I know new users will be evaluated against access policies and will be provisioned to the resource, and hence group management will be taken care of automatically. Questions:
    1. If I disable resources (and not revoke) for these new users what will be the group membership status -will they be removed from group?
    2. How to pull existing users under this auto prov umbrella? My thoughts: by writing a custom scheduler that will check resource provisioned and make it as part of the group, but will resource be revoked automatically if group is removed for these users? If not what should be the approach for existing users?
    Thanks in advance

    I've completed a similar task using SQL. Take a look at the following tables and you can do these tasks:
    UPP, UPD, USG, POG and AD group table 'UD_ADUSRC'

  • How to Apply a Newly Created Access Policy on Existing Users in OIM?

    How to Apply a Newly Created Access Policy on Existing Users in OIM?
    When the rule fails, the user is removed from the group but the resource is not revoked. This is happening only for the old users; for the users which I created now it is working fine, I mean the resource is getting revoked.
    ("Retrofit access policy" is checked on the Access Policy and "Revoke if no longer applied" is checked.)
    For the old users I see the POl_Key is null; for new users I see a value '10'. So I updated the pol_key for old users to the same value that was generated for new users, '10'.
    I even updated the form version too, but revoke still doesn't work.
    I can't go for the below approach:
    In order to apply a newly created Access Policy on existing users, one has to make sure that:
    1) "Retrofit access policy" is checked on the Access Policy.
    2) Then run the "Set User Provisioned Date" Schedule task to apply the Access Policy on the existing users in OIM.
    Note: After 9.1.0.1 BP03 the access policy execution has been moved to a new scheduled task "Evaluate User Policies" as mentioned in Document 839368.1: How to Use Access Policies to Provision with Groups.
    Is there any other approach I can try? If you have any idea, please reply to me ASAP.
    Thanks..

    Thanks for the reply, Kevin.
    We decided to try the scheduled task (Set User Provisioned Date).
    But I see one problem here after seeing this post in Metalink --> Can Access Policies Manage The Life-cycle Of Users Created via Reconciliation? [ID 1136540.1]
    According to this post, the Access Policies framework does not manage users who are obtained either through trusted reconciliation or target reconciliation.
    Is there any custom way to achieve this?
    How does the access policy framework's resource revoke work (revoke if no longer applies)?
    Edited by: IDMuser19 on Jun 21, 2011 11:43 PM

  • URGENT : How to retrieve Last Accessed Timestamp for all Users in GRC

    Dear Experts,
    Please help me with this urgent request. Appreciate your help in advance.
    My client is trying to understand the usage of the GRC application and would like to know information regarding the Last Accessed Time for all users who have logged into Oracle's Governance, Risk and Compliance application.
    Thank You,
    Rakesh

    If you still need the solution,
    Have a callback on OnSubtaskUpdated in your BPEL. This call back will be called for any updates in parallel approval pattern.
    Thanks
    --Sreeny

  • Access control for different user groups in APEX 4.0

    Hi guys,
    in Apex 4.0, is there any way to use the access control page to configure access control for different user groups?
    The access control page currently only has an access control list by users with 3 privileges namely, Administrator, Edit & View where Administrator has the highest access level & View the lowest. Therefore 1 user cannot have more than 1 different privilege, however if the user belongs to 2 or more different groups then we can control what access he can have in a more fine grained manner. We also want to have more than the 3 privileges given.
    Can we assign different groups to different users and let them have different privileges to be configured by page, region, process or item level?
    Now Apex will create 2 tables, Apex_Access_Control & Apex_Access_Setup to store the application access control mode & access control list. It will also create 3 authorization schemes "access control - administrator", "access control - edit" & "access control - view" based on the 2 tables.
    Does this mean we have to change the table structures & edit the authorization schemes to suit our usage? We are reluctant to do this because if we upgrade to a newer version of Apex then we would have to merge our pl/sql coding with Apex's updated code.
    How can we auto-configure more than the 3 authorization schemes in the access control page? Is there any way to achieve a finer grain of access control based on the current access control administration page given by Apex without writing it ourselves?
    We are afraid that we may have missed something on Apex access control & do not want to reinvent the wheel.

    Hi Errol,
    to build your own application authorization scheme around the security model supplied by Apex for administration of the Apex environment would be a bad idea.
    This was never intended for authorization scheme management in custom built Apex applications, it was solely intended to control access in the Apex environment overall. The API for it is not published, and making changes to it, such as adding more roles, would run the risk of breaking the overall Apex security model. It would not be supported by Oracle and Oracle would not guarantee the upwards compatibility of any changes you make in future versions of Apex.
    In short, you should follow Tyson's advice and build your own structure. As he indicated, there are plenty of examples around and provided your requirements are not too complicated, it will be relatively simple.
    Regards
    Andre

  • Activate Accessibility Features for all users?

    Is there a way to activate Accessibility Features for all users by editing a table on the Portal side?
    EP6 SP2 and NW04S.
    Thanks
    Jean Seguin

    Hi Jean,
    not that I would know of. But you can easily write a small portal component which sets the accessibility level of all users to your preferred level.
    The code snippet below should give you an idea of what I mean
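    // UME API classes used below (UMFactory, IUserFactory, IUser, ...)
    import com.sap.security.api.*;

    IUserFactory userFactory = UMFactory.getUserFactory();
    // Search for users with the filter obtained from the user factory
    IUserSearchFilter filter = userFactory.getUserSearchFilter();
    ISearchResult result = userFactory.searchUsers(filter);
    while (result.hasNext()) {
      // Each search result entry is the ID of one user
      String userId = (String) result.next();
      // Get a modifiable copy of the user, set the level and write it back
      IUserMaint user = userFactory.getMutableUser(userId);
      user.setAccessibilityLevel(IUser.SCREENREADER_ACCESSIBILITY_LEVEL);
      user.commit();
    }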
    Best regards,
    Martin

  • Install Lync Web App Plugin For Another User

    I'm wondering if there is a way to install the plugin for the Lync Web App for another user. The reason why is that administrative permissions are required and our users are not allowed to have those permissions. I have the MSI but when I look at it, it says
    "Cannot install [ProductName].Setting the AllUsers property is not allowed because [ProductName] is a per-user application."
    Is there a way that I can install the MSI, maybe through the command line or another method, and specify another user so it installs to their profile?
    Thanks!

    Hi,
    This is typically achieved by allowing exceptions in your software control strategy for the required executables:
    LWAPlugin.exe
    LWAVersionPlugin.exe
    AppSharingHookController.exe
    AppSharingHookController64.exe
    This typically occurs in VDI deployments where users are not able to install software on the remote server, so the above rule is added to the Software Restriction Policy (providing that's what you're using to control application installation).
    I'm not familiar with any associated cmd line switches I'm afraid.
    Kind regards
    Ben
    Blog:www.gecko-studio.co.uk/ 

  • How to retrieve access rights for an user/usergroup ?

    Hello everybody.
    I'm working on BO XI 3.1. And I have to develop with the .NET SDK package an application that retrieves the following data :
    - the access rights to WEBI application and properties for each user/user group.
    - the access rights to each folder and properties for each user/user group.
    etc
    The idea is to retrieve, for a user/usergroup, the access right on each property of the WEBI application and software, and the same thing for folders.
    I'm looking at the .NET SDK package contents but it takes me a lot of time, too much compared to my deadlines. So I'm looking for help.
    Does anyone have an idea about class of objects, properties and methods to use ?
    Thank you in advance for your help.

    Thanks for these samples.
    The list of users and usergroups is very interesting for auditing the CMC, but my need is different: for example, I'm looking for a method to retrieve the access level (full control, no access, ...) of a usergroup on each WEBI property. The reason? To know, for example, which usergroups have full control access on the right named "edit SQL".
    I think it's hard to retrieve but very interesting to audit CMC...

  • Different Password Policy for Different User Groups in ACS 4.2

    Hi All,
    Can someone provide a solution for the below requirement?
    We have an ACS 4.2 appliance managing firewalls of different clients. The users are common, i.e., helpdesk administrators. One of the clients came up with setting a different password policy for managing their devices, i.e., the client wants to have min 15 characters as password length. We currently have 8 characters as min password length. Can we change the password policy to min 15 characters only for managing the firewalls of this client, whereas for all other client firewalls we feel better having 8 characters as min password length?
    It seems that these password policies are global and affect all the users.
    This is something like having two sets of password policy (for each user) depending on the client which he is going to manage.
    To my knowledge, I think that this is not possible. But I thought to cross-check with the experts!
    -Jags.

    Hi jags,
    You're correct. Password policy on ACS will affect all internal users. We can't create different password policies for different clients/connections/set_of_users.
    Password validation options apply only to user passwords that are stored in the ACS internal database. They do not apply to passwords in user records in external user databases; nor do they apply to enable or admin passwords for Cisco IOS network devices.
    HTH
    Regards,
    JK

  • How to apply Software Restriction policy for specific user in local group policy object ?

    I am working on implementing a user-based software restriction policy programmatically for the local group policy object.
    If I create a policy through the Domain Controller, I do have an option for software restriction policy in user configuration, but in the local group policy editor I don't have an option for that.
    When I look in the registry for the changes made by a policy applied from the Domain Controller, they modify registry values for specific users on the path HKEY_USERS\(SID of User)\Softwares\Policies\Microsoft\Windows\Safer\Codeidentifiers
    They also have registry.pol stored in the SYSVOL folder on the Domain Controller. When I make the same changes in the registry to block any other application, the application is getting blocked.
    I achieved what I wanted, but is it right to modify registry values?
    PS: I am using the IGroupPolicyObject API

    I achieved what I wanted but is it right to modify registry values ?
    You can also modify a registry-based policy programmatically. Check this:
    http://blogs.msdn.com/b/dsadsi/archive/2009/07/23/working-with-group-policy-objects-programmatically-simple-c-example-illustrating-how-to-modify-a-registry-based-policy.aspx

  • Need help in setting up Group Policy for same user in local system and Terminal server

    Hi All,
    Currently our remote users are accessing our network using a VPN client over the internet.
    They are generally at their home computer and connecting over VPN, as they only have to work on one RDP server for the application.
    We actually have an OU created for these RDP users and assign them some strict policies, like they cannot use any other .exe, they cannot use any explorer, they cannot even use Windows Explorer when they are on RDP; they just use one exe of their application.
    Now what my management wants is to have their home computers in the domain and have them log in with the same credentials they are using for RDP, but they don't want them to be restricted on their home computers by any strict policy.
    Now my confusion is how I can configure different policies for the same users or the same OU.
    Can anyone guide me, please?

    You can achieve this fairly easily with group policy.
    Create an OU and put your remote desktop servers in that OU.
    Configure both user and computer policies in a group policy and link it to that OU.
    You need to enable loopback mode - you may want it in merge or replace depending on the other policies you have. Probably replace though, I would guess. This is set in the computer configuration > admin templates > system / group policy section.
    Now remove the policy you have currently set up for your users on the users OU containing the RDP users. If you want, you can move these users back to your main users OU.
    When your users log in to the RDP server, the settings in the user section of the GPO linked to the RDP Servers OU will apply.
    When the user logs in to their own computer, the policies from the user OU and computer OU will apply - but not the more restrictive RDP OU.
    Hope that makes sense.
    Regards,
    Denis Cooper
    MCITP EA - MCT
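
    The loopback setup described in the answer above, as an added PowerShell example that is not part of the original thread. The domain DN, OU name, GPO name and application name are hypothetical placeholders, and the "only one exe" restriction is shown with the Explorer RestrictRun policy as one possible user setting.

    ```powershell
    #Requires -Modules ActiveDirectory, GroupPolicy
    # Added example; every name below is a hypothetical placeholder.
    $DomainDn   = 'DC=example,DC=com'        # assumed domain
    $OuName     = 'RDP Servers'              # assumed OU holding only the RDP servers
    $GpoName    = 'RDP Server Lockdown'      # assumed GPO name
    $AllowedExe = 'lobapp.exe'               # assumed single permitted application
    $OuDn       = "OU=$OuName,$DomainDn"

    # 1. OU for the remote desktop servers (computer accounts are moved here).
    if (-not (Get-ADOrganizationalUnit -Filter "DistinguishedName -eq '$OuDn'")) {
        New-ADOrganizationalUnit -Name $OuName -Path $DomainDn
    }

    # 2. One GPO that carries both the computer and the user settings.
    $gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
    if (-not $gpo) { $gpo = New-GPO -Name $GpoName }

    # 3. Computer side: loopback processing mode. 1 = Merge, 2 = Replace.
    #    Replace ignores GPOs linked to the user's own OU on these servers.
    $systemKey = 'HKLM\Software\Policies\Microsoft\Windows\System'
    Set-GPRegistryValue -Name $GpoName -Key $systemKey `
        -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null

    # 4. User side: "Run only specified Windows applications".
    #    This only limits programs started from Windows Explorer; AppLocker or
    #    Software Restriction Policies are the stronger control if available.
    $explorerKey = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    Set-GPRegistryValue -Name $GpoName -Key $explorerKey `
        -ValueName 'RestrictRun' -Type DWord -Value 1 | Out-Null
    Set-GPRegistryValue -Name $GpoName -Key "$explorerKey\RestrictRun" `
        -ValueName '1' -Type String -Value $AllowedExe | Out-Null

    # 5. Link the GPO to the server OU only, never to the users' OU.
    $links = (Get-GPInheritance -Target $OuDn).GpoLinks
    if ($links.DisplayName -notcontains $GpoName) {
        New-GPLink -Name $GpoName -Target $OuDn -LinkEnabled Yes | Out-Null
    }

    # 6. Check: the GPO must report loopback in Replace mode.
    $mode = (Get-GPRegistryValue -Name $GpoName -Key $systemKey `
                -ValueName 'UserPolicyMode').Value
    if ($mode -ne 2) { throw "Loopback mode is $mode, expected 2 (Replace)" }
    "Loopback Replace is set on '$GpoName' and linked to $OuDn"
    ```

    With loopback enabled, the user settings apply to every account that logs on to those servers, administrators included, unless security filtering on the GPO excludes them. Run `gpresult /r` in a user session on an RDP server and on a home computer to confirm which GPOs each logon receives.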

  • How to set password policy for apps users

    Hi All,
    Can anyone please help me.
    I am working on apps 11i.
    How to set password policy for users
    Thanks

    Check Note: 189367.1 - Best Practices for Securing the E-Business Suite
    https://metalink.oracle.com/metalink/plsql/ml2_documents.showDocument?p_database_id=NOT&p_id=189367.1

  • OBIEE access denied for some users only

    Hi All,
    We are using OBIEE version 10.1.3.4 in a Windows environment. The users can access the OBIEE reports using the 'PORTALPATH' session variable in the RPD. Some of the users get "access denied" while they are accessing their particular dashboard. Earlier these users could access this dashboard without any errors. We haven't changed anything in our system in the last three months.
    We have no idea why we are getting this error for particular users only. It's a Prod issue and we need to resolve this error ASAP.
    we are getting these error"acess denied for user to path/shared/shared/_test/testdashboard
    Error Codes:09XNZMXB"
    But for the last one year it has been working without any issues. From our side we didn't make any changes in production, like RPD level, catalog level or config file changes, and we have no idea why we are suddenly getting this kind of error for some users only, not for all users.
    Could you please advise me how to resolve this PROD issue ASAP?
    Thanks,

    Well, it's Prod (you have a dashboard called testdashboard in Prod?) anyway - someone might have changed the presentation catalogue permissions on the dashboard. All it takes is for someone to remove 'Everyone' or change a Group permission and it could have an effect.
    If they changed the parent folder and cascaded the changes down, this might cause this issue.
    You have a folder called 'Shared' - check that the groups the people are in have 'Traverse', 'Read' or higher. Also check the dashboard permissions themselves from Settings - Manage Interactive Dashboards - check the padlock icon.
    Are your users getting allocated into the correct WEBGROUPS? Is this assignment done explicitly in the webcat or via an RPD variable? Have you checked NQQuery.log to make sure any init blocks are completing successfully?
    Either permissions have changed or group membership is not completing.
    Good luck
    Alastair

  • What is default web access password for hp laserjet 2200 ?

    I tried to logon to the printer's web access interface, but do not know the username and password.
    I need to know either the default username and password, or how to reset it to the default.
    Thanks,

    Hi thuynh7,
    There was no username and password setup for the EWS - Embedded Web Server by default. This would have been setup from within the EWS by you or your IT department.
    I am an HP employee.
