Delivery set of users in a particular group in AD - custom or STANDARD?

Similar Questions

• LDAP attribute on user card match no group

  We currently have Anyconnect (client based) up and running on our ASA 5515 X 9.5 (1) running. I use AD LDAP for authentication and configuration of LDAP attribute maps and assigned to our LDAP on the ASA server config. Like many, we use these cards to allow ASA assign a group policy to a user based on the AD group membership. Basically I have one AD Group for regular of VPN users and a group for users Admin VPN advertising. It works pretty well, but there are cases where the user profile specific related to group policy 'Regular users of VPN' does not work for all users of this ad group. I was trying to find a way to adjust the settings for certain users based on the user name. Say the user needs setting up VPN from an RDP session, but I'm not all users have that so I would attribute a group different local\Configuration user profile based on the AD username that would allow the VPN from a RDP session. Still, the rest of the users would be blocked to the RDP VPN. Here is my map to attribute LDAP database:

  map-attribute LDAP
  name of the memberOf Group Policy map
  map-value memberOf "LDAP path."
  msRADIUSFramedIPAddress IETF-RADIUS-Framed-IP-Address card name

  Now I could do here with the above configuration, I think it's to create a new group policy on the SAA for a certain group of users and then create a new value of the card with a new LDAP path that would point to a new group in AD, say "RDP VPN users". I then add the users I want Anyconnect group policies\user specific profiles for this particular ad group. But the question is that I would prefer not to have to create as many groups in AD.

  I want to know is if there is a way to have a path of card value of LDAP attribute to a certain username AD somehow. As if the LDAP path was something like "CN =, OU = users, DC =, DC ='.»» This way I could affect a group policy to the majority of users in the group "Regular users of VPN" AD, but then assign a different policy to some users who require slightly different settings. That would allow me to match on a certain user, not one ad group? The Group cisco-attribute-name strategy addresses a user as if it were an ad group? I guess not, but not sure. I looked through the list of names of attributes-cisco - but didn't see anything that looked like it worked for AD user names.

  Also, if anyone knows a better way please let me know I am open to suggestions. I hope that makes sense. Thanks in advance to the community for help.

  I think that you need a completely different approach - DAP (dynamic access policies).

  DAP allows a lot of motion of things, and you can create additive strategies.  So if you are a member of the group 'A' you add to this URL.  If you are also a member of the group 'B' you add this ACL.  If it can also do other things, like checking the registry keys, etc.

  The Guide deployment of DAP.

  https://supportforums.Cisco.com/document/7691/ASA-8X-dynamic-access-policies-DAP-deployment-guide

  I pretty much don't use DAP now (and no attribute is mapped) due to the significant increase in flexibility.

• How to set a user account to have the same settings as the administrator account

  How to configure a user account to have the same settings as the administrator account. using windows xp pro with service pack 3

  Set the "parameters of same.

  If you want that the user has administrator privileges, then all you need to do is to add the user to the group "Administrators".  To do this, right-click on 'My computer', select 'Manage' and open the "local users and groups" section.  Click on 'Groups', double click on "Administrators" and add the user to the administrator group.

  If you set 'settings' and things like wallpaper and other preferences, there isn't a way to do that easily other than to simply set these parameters.

  Hope this helps,
  JW

• ISE ERS user access to some groups?

  Hello

  I am trying to create a simple operational interface for ISE 1.4 for the helpdesk people add mac addresses from endpoint to endpoint internal DB via REST.

  I would like to have the filtered helpdesk access (so that they can only create endpoints in a group given, not all groups), but it seems that the RBAC in ISE control for users of the RHS is all or nothing.

  I created a Custom Data Access Menu permissions then defined that a user in a group ERS Helpdesk would have access to it. On RBAC policy, I can not only specify a data access authorization, the system always makes me choose a permission to access the Menu as first option.

  If so I said that to the endpoint Group X, to access the data for a group of ERS Custom Data Access, the ERS user gets access denied to the DB.

  Only when I put the user on the RHS Admin by default, the default Super Admin Data Access group, it is able to have access to the DB.

  I would like to ask if anyone of you has managed to control the data set that is at HIA outside access or read access and if so, how.

  Thank you

  Gustavo Novais

  PS: ERS debug logs:

  2015-09-19 09:38:47, 172 DEBUG [ers-http-pool732] [cpm.ers.app.web.PAPFilter] -:-#--> getPathInfo = PAPFilter.doFilter / endpointgroup
  2015-09-19 09:38:47, 172 DEBUG [ers-http-pool732] [cpm.ers.app.web.PAPFilter] -:-# PAPFilter.doFilter--> getMethod = GET
  2015-09-19 09:38:47, 172 DEBUG [ers-http-pool732] [cpm.ers.app.web.PAPFilter] -:-# PAPFilter.doFilter--> getRequestURL =https://10.1.156.136:9060 / ers/config/endpointgroup
  2015-09-19 09:38:47, 172 DEBUG [ers-http-pool732] [cpm.ers.app.web.PAPFilter] -:-# PAPFilter.doFilter--> getRemoteHost = 10.2.10.63
  2015-09-19 09:38:47, 174 DEBUG [ers-http-pool732] [cpm.ers.app.web.PAPFilter] -:-# PAPFilter.doFilter--> passing the filter!
  2015-09-19 09:38:47, 174 DEBUG [ers-http-pool732] [cpm.ers.app.web.AtnAtzFilter] -:-#--> getPathInfo = AtnAtzFilter.doFilter / endpointgroup
  2015-09-19 09:38:47, 174 DEBUG [ers-http-pool732] [cpm.ers.app.web.AtnAtzFilter] -:-# AtnAtzFilter.doFilter--> getMethod = GET
  2015-09-19 09:38:47, 174 DEBUG [ers-http-pool732] [cpm.ers.app.web.AtnAtzFilter] -:-# AtnAtzFilter.doFilter--> getRequestURL =https://10.1.156.136:9060 / ers/config/endpointgroup
  2015-09-19 09:38:47, 174 DEBUG [ers-http-pool732] [cpm.ers.app.web.AtnAtzFilter] -:-# AtnAtzFilter.doFilter--> getRemoteHost = 10.2.10.63
  2015-09-19 09:38:47, 174 DEBUG [ers-http-pool732] [cpm.ers.app.web.AtnAtzFilter] -:-# AtnAtzFilter: adminName = RHS
  2015-09-19 09:38:47, 174 INFO [ers-http-pool732] [cpm.ers.app.web.AtnAtzFilter] -:-AtnAtzFilter 401Blocked: user is not authorized to access the requested resource.
  2015-09-19 09:38:47, 175 DEBUG [ers-http-pool732] [cpm.ers.app.web.MaxThreadsLimiterFilter] -:-# RateLimitFilter Servlet => continue with the response of the RHS, the current number of bucket: 49
  2015-09-19 09:39:15, 992 INFO [admin-http-pool279] [api.services.server.role.RoleImpl] -: admin:455184AE2B954C78C9EAD7AAECD913F8:-extract the list of roles for entityFQN Information: NAC group: NAC
  2015-09-19 09:39:20, 328 INFO [admin-http-pool295] [api.services.persistance.dao.UserDAO] -: admin:455184AE2B954C78C9EAD7AAECD913F8:-update of user as user name information: NAC Group: NAC:ers
  2015-09-19 09:39:20, 330 INFO [admin-http-pool295] [api.services.persistance.dao.MappingDAO] -: admin:455184AE2B954C78C9EAD7AAECD913F8:-creating new mapping with rolebundle ' Global: Default "context" Global Context context: Global ' user ' NAC Group: NAC:ers' role ' NAC Group: NAC:RBACGroups:ERS Admin»
  2015-09-19 09:39:20, 333 INFO [admin-http-pool295] [api.services.server.mapping.MappingImpl] -: admin:455184AE2B954C78C9EAD7AAECD913F8:-removing users from role with the name ' NAC Group: NAC:RBACGroups:ERS filters under contextFQN "Global Context context: Global", bundle Global role: by default "with transactional 'false' is
  2015-09-19 09:39:34, 682 INFO [ers-http-pool732] [cisco.cpm.nsf.impl.UserIdentityManagement] -:-the internal authentication method to check if the policies in correspondence of the user groups duration is 7
  2015-09-19 09:39:34, 691 DEBUG [ers-http-pool732] [cpm.ers.app.web.MaxThreadsLimiterFilter] -:-#--> getPathInfo = MaxThreadsFilter.doFilter / endpointgroup
  2015-09-19 09:39:34, 691 DEBUG [ers-http-pool732] [cpm.ers.app.web.MaxThreadsLimiterFilter] -:-# MaxThreadsFilter.doFilter--> getMethod = GET
  2015-09-19 09:39:34, 691 DEBUG [ers-http-pool732] [cpm.ers.app.web.MaxThreadsLimiterFilter] -:-# MaxThreadsFilter.doFilter--> getRequestURL =https://10.1.156.136:9060 / ers/config/endpointgroup
  2015-09-19 09:39:34, 691 DEBUG [ers-http-pool732] [cpm.ers.app.web.MaxThreadsLimiterFilter] -:-# MaxThreadsFilter.doFilter--> getRemoteHost = 10.2.10.63
  2015-09-19 09:39:34, 691 DEBUG [ers-http-pool732] [cpm.ers.app.web.MaxThreadsLimiterFilter] -:-# RateLimitFilter Servlet => continue with the request of the RHS, the current number of bucket: 49
  2015-09-19 09:39:34, 691 DEBUG [ers-http-pool732] [cpm.ers.app.web.PAPFilter] -:-#--> getPathInfo = PAPFilter.doFilter / endpointgroup
  2015-09-19 09:39:34, 691 DEBUG [ers-http-pool732] [cpm.ers.app.web.PAPFilter] -:-# PAPFilter.doFilter--> getMethod = GET
  2015-09-19 09:39:34, 691 DEBUG [ers-http-pool732] [cpm.ers.app.web.PAPFilter] -:-# PAPFilter.doFilter--> getRequestURL =https://10.1.156.136:9060 / ers/config/endpointgroup
  2015-09-19 09:39:34, 691 DEBUG [ers-http-pool732] [cpm.ers.app.web.PAPFilter] -:-# PAPFilter.doFilter--> getRemoteHost = 10.2.10.63
  2015-09-19 09:39:34, 693 DEBUG [ers-http-pool732] [cpm.ers.app.web.PAPFilter] -:-# PAPFilter.doFilter--> passing the filter!
  2015-09-19 09:39:34, 693 DEBUG [ers-http-pool732] [cpm.ers.app.web.AtnAtzFilter] -:-#--> getPathInfo = AtnAtzFilter.doFilter / endpointgroup
  2015-09-19 09:39:34, 693 DEBUG [ers-http-pool732] [cpm.ers.app.web.AtnAtzFilter] -:-# AtnAtzFilter.doFilter--> getMethod = GET
  2015-09-19 09:39:34, 693 DEBUG [ers-http-pool732] [cpm.ers.app.web.AtnAtzFilter] -:-# AtnAtzFilter.doFilter--> getRequestURL =https://10.1.156.136:9060 / ers/config/endpointgroup
  2015-09-19 09:39:34, 693 DEBUG [ers-http-pool732] [cpm.ers.app.web.AtnAtzFilter] -:-# AtnAtzFilter.doFilter--> getRemoteHost = 10.2.10.63
  2015-09-19 09:39:34, 693 DEBUG [ers-http-pool732] [cpm.ers.app.web.AtnAtzFilter] -:-# AtnAtzFilter: adminName = RHS
  2015-09-19 09:39:34, 693 DEBUG [ers-http-pool732] [cpm.ers.app.web.AtnAtzFilter] -:-# AtnAtzFilter: = RHS adminName is Admin ERS

  He does not seem to have many options when it comes to control access to resource api ers, I ended up doing my own local map in my web application to ad vs access groups groups endpoint.

• Cisco ACS 4.2 a user in several local groups

  Currently, I like this group map

  ACS groups window

  GRP of GRP-A-B-1 and PDM - 2
  GRP - A. GRP - 1

  GRP - Grp-2 B

  For example currently a user test1 is part of two groups 1 and 2 under windows and is mapped to the Grp-A-B of the CSA. Is it possible if I delete the mapping of Grp-A-B in ACS and can see the user test1 speratley in both groups (Grp - A and Grp - B) to GBA?

  Salam Muhammad,

  If you have a local user in ACS, this user cannot be a member of both groups at the same time.

  The same concept applies to external users. They cannot be mapped to two different groups at the same time.

  If you delete the configuration of Grp-A-B, the test1 user will be mapped to the first group in the list because ACS 4.2 process mapping group in the order:

  ' the snip "'

  Order of group mapping

  ACS always maps users to a single group of TISA. However, a user can belong to several groups the group mapping. For example, a user named John could be a member of the ensemble of the engineering group and California, and at the same time be a member of the combination of Group Engineering and management. If the value of group ACS mappings exist for these two combinations, ACS must determine what group John should be affected.

  ACS prevents contradictory group set mappings by assigning an order of mapping for the whole group maps. When a user who is authenticated by an external user database is assigned to a group of ACS, ACS begins at the top of the list of groups for this database mappings. ACS sequentially checks group memberships of user in the database of the external user against each group mapping in the list. Where to find the first set group mapping corresponding memberships to external users in the user database, ACS assigns the user to the group this group map ACS and ends the process of mapping.

  ' the snip "'

  Reference:http://goo.gl/cvc474

  HTH

  Amjad

  Rating of useful answers is more useful to say "thank you".

• WebVPN mapping of group policy-based user name not LDAP Group?

  Hi guys,.

  As the title says I'm looking for a way to map users who authenticate via LDAP to the webvpn to a particular group policy.

  The reason why I want to do, is to assign particular cifs on a per user basis. I know that you can map a LDAP group to group policy, but all users are in the same group. (I can't change that fact).

  So I was wondering if there is a way to map a "username", which authenticates via LDAP on group policy?

  Cheers.

  That's maybe what you are looking for:

  http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a008089149d.shtml

  It is similar to the use of RADIUS 25 attribute, but for LDAP.  Read it carefully and you should find the solution.

  Please evaluate the useful messages.

• Home page by default for OBIEE 11 g based on the users and the wise group

  Hi all

  I'm using OBIEE 11 g.

  I need set the page default dashboard for the user and the wise group.

  EX:

  User1 is belongs to Group1 and Role1 - they need to see the default homepage as Dashboard1.

  User2 is belongs to the Group 2 and Role2 - they need to see the default homepage as Dashboard2.

  Kindly guide me to achieve.

  Please answer as soon as POSSIBLE.

  Thanks in advance.

  RR

  It is generally considered poor form to scream as soon as POSSIBLE to a question. http://www.CatB.org/ESR/FAQs/smart-questions.html

  As far as your question goes, it is that the CHEMINPORTAIL variable is for:

  http://docs.Oracle.com/CD/E23943_01/bi.1111/e10540/variables.htm#i1013436

  OBIEE - system (reserved variables) session variables | GerardNico.com (BI, OBIEE, data warehouse and OWB)

• Verification of the users belonging to the Group spasfic weblogic server

  I built a simple service application web with jdeveloper 11.1.1.7 strategy (Wssp1.2 - 2007-Https-UsernameToken - Plain.xml) and deploy the weblogic 10.3. Everything works very well in both the client side and server.

  The client side is unable to call any method without specifying the username and password properties. The server automatically checks the user in users values define in weblogic server in the following path (summary of the areas of security > myrealm > users and groups). Hereby, the customer can access the system if he takes one of the users in this group even with the default user weblogic/weblogic.

  Question: How to limit the name to username/password check with specific usergroup?. That is, if the client mentions the name of user and password outside of the Group (even if the values are correct) the server rejects the request

  Problem, solved by (user name: Roque)

  in this link: java - verification of users within the spasfic group of weblogic server for the web service application - Stack Overflow

  Here is his answer for your reference:

  If you use the 'default' weblogic for users authentication method, you can follow these steps to set up an access group policy:

  • Connect to the weblogic administration console
  • Click on the links of deployments
  • Select your webservice
  • Click the Security tab
  • Click the sub-tab political
  • Choose your authorization provider in the menu drop-down (looks like by default)
  • Choose Add Conditions-> Group-> Type in the name of the Group
  • Finishing

  Now that the group you added should be able to invoke the web service. All other users should see something like:

  javax.xml.ws.soap.SOAPFaultException: Access denied to operation myWebService

• Can I limit some users to a particular question pool?

  I have 2 sets of learners who will be tested on a content different slighty in the same course of Captivate. How can I restrict the set of users to a set of questions?
  Thanks in advance.

  Hello

  What Captivate version are you on?

  Are your users aware to what group they belong?

  If it is 6 +, then rather than using two Question pool. You can create a Question of pre-test, ask questions about their GroupName (say A or B)

  And A choice you can create a branch to a set question and B, you can lead to another. (Select make-'branch to the current' Quiz - preferences settings-)

  You may need to refine it. But it would then depend on doing what the user chooses and the dynamically the course will line up for their group of Question.

  Thank you

  Anjaneai

• users authenticated in IBOTS group

  Hello
  
  I use permission process.i created 9 obiee repository groups and I can see these 9 groups in presentation services (responses) .but when in the book, when I tried to add recipients to the ibot, I could see a new group of authenticated users, but I'm not the see presentation catalog groups and users.is that a default group established in book?
  
  
  Thank you

  Here you go...

  "Authenticated users" group is a group of Web system defined and set by the system of Web groups are preconfigured and required for successful operations of Siebel Web Analytics...

  Authenticated users group--> when a user is authenticated by the Analytics Server, the user automatically becomes member of the authenticated users group. The authenticated users group is a member of the Everyone group.

  For more information, see link below

  http://download.Oracle.com/docs/CD/E12103_01/books/AnyWebAdm/AnyWebAdm_SecPermPriv3.html

  Thank you
  Ashish

• I use iMessage to the text of my Macbook. For some reason, it will not let me send a text message to a particular group (everyone has iMessage/iPhones) to my computer, but works well on my iPhone. All messages always appear on my Macbook iMessa

  I use iMessage to the text of my Macbook. For some reason, it will not let me send a text message to a particular group (everyone has iMessage/iPhones) to my computer, but works well on my iPhone. All messages always appear on my Macbook iMessage, but when I click in the conversation, no text box for me to write as he does with everyone. It's driving me crazy. How should I do? The two contacts are in my address book and identified on my computer but I can't their message from my computer and have to keep spending on my phone to text their return. Their new messages are always also highlighted on my computer. In the photo I've included, you can see there is no text box for the text of the group with "Franny, dad."

  

  Thanks for any help!

  What happens if you start a new conversation with Franny & Dad from the IOW computer do not try to "catch" the conversation

  Click on new message and put their names in there

  If this does not work - remove the wire from the Mac and try again

• user belongs to a domain and user does not belong to the local administrator or power users groups, or any custom group and the user is not part of the domain administrators group, but user show that it is admin

  WinXP
  user belongs to a domain and user does not belong to the local administrator or power users groups, or any custom group and the user is not part of the domain administrators group, but user show that it is admin

  I did a gpupdate/force and restart twice PC
  Yet, user indicate it is always admin when we right click on Start menu and see the possibility to open all users

  Hi elena_ad,

  Your question of Windows is more complex than what is generally answered in the Microsoft Answers forums. It is better suited for the public on the TechNet site. Please post your question in the below link:

  http://social.technet.Microsoft.com/forums/en/winserverManagement/threads

• ACS 3.2 - users 'ghosts' of a group

  It is a bit of a strange. We run ACS 3.2 (1) on a Windows 2000-based computer. We have about 30 groups for different users. The only group (Group 1) always tells us that we have 30 users that are actually part of the group. The group says 90 users but when you list users there is only 60. I moved all users to a new group and now it says there are 30 users in the group, but when you a list of people, it gives you nothing. I have backed up the database, did a new install of 3.2 (2) on another machine and perform a restore to this area and I always get the same result. I'm trying to find out if the Group has not correctly or if there are 30 users 'ghosts' somewhere! I recently inherited the ACS boxes so I don't know when this problem started.

  There seems to be all known bugs related to this. Has anyone else seen this before?

  Thank you!

  We have definitely corrected the issue and the matter is now closed. What we did that I sent him a copy of backup of ACS server so he could watch. He then sent back me a backup file saying they found the problem and restore the backup file to the ACS. The TAC Guy sent email me looked like this:

  "We cannot create a Dump.txt we can do on ACS installed on Windows Server by the csutil-d option basically on the device.

  This dump.txt is a readable format of the database unlike the .dmp

  I downloaded the .dmp sent by you on the ACS (Windows Server) service at my end created a dump.txt, corrected by running the perl script and downloaded and then turn it back on to the ACS server by the-l option of csutil. They I took a backup of the ACS and sent it. I have check the .dmp even on the device at my end to confirm the correction.

  It basically an indexing problem, caused when the admin deletes users and link pointer not are deleted in the registry of the origin of the problem.

  As discussed, regular backup, and performance of the dbcompact should help prevent this problem.

  I have attached the perl script, you can use it if necessary in the future.

  Hope this helps, feel free to contact me if you have further questions. At this point I go ahead and close the request service, as discussed. »

  If you want I can send you the email of the script that the guy sent me. But obviously as it said and what I thought, it's a matter of pointer in the database.

• ASA VPN - allow user based on LDAP Group

  Hello friends

  I have create a configuration to allow connection based on LDAP Group.

  I m not specialize in the firewall and I tried to follow the links above, but both seem old, commanded several is not available.

  http://www.tunnelsup.com/Cisco-ASA-VPN-authorize-user-based-on-LDAP-group

  http://www.Cisco.com/c/en/us/support/docs/security/ASA-5500-x-series-NEX...

  Anyone know how I can do?

  Thank you

  Marcio

  I like to use the Protocol DAP (dynamic access policies) to control this.  Follow this guide:

  https://supportforums.Cisco.com/document/7691/ASA-8X-dynamic-access-policies-DAP-deployment-guide

• Apex 5, user "Is in the group" works for authorization seems to not work

  Hello team Apex,

  Apex 5

  I would use the construction Type of plan (user) "Is in the group" authorization feature, but it seems to not work.

  The user is in the group but nevertheless is not allowed.

  I checked this with "& APP_ALIAS. ' in the group element - that's how I would use it - and the Group static 'true' name too.

  (We have a group for all applications, where the group name is the same name of the App - just to understand the call below.)

  When I use it to place a further authorization scheme with "PL/SQL function body:

  Return apex_util.current_user_in_group (v ('APP_ALIAS'));

  -It works as expected.

  Can you please verify this?

  Thank you in advance!

  Concerning

  André

  Hi Andre,

  What type of authentication scheme you use? Because, according to the text of the authorization scheme aid groups will be just picked up for the authentication of the account of the APEX.

  • Group: enter a group name. Authorization succeeds if the group is activated as a dynamic group for the session (see APEX_AUTHORIZATION. ENABLE_DYNAMIC_GROUPS). If the application uses authentication to accounts Express request, this check also includes workspace groups that are granted to the user. If database authentication is used, this check also includes database roles that are granted to the user.

  I just tried "Is in the group" and had no problem to check my groups.

  BTW, in your PL/SQL code, there is no need to use the function of V, just use bind variables as syntax: APP_ALIAS

  Concerning

  Patrick