GANYMEDE for user in several groups

Hello

Quick question on GANYMEDE and a user who must be greater than 1 group

We have a group of networkAdmins that is bound to the Administrators group of the AD domain with an inside network admin

o then have another group to the firewall that is bound to the firewall access to AD user group is in both groups who all have both been created using a manual mapping in GANYMEDE but the user does only in the NetworkAdmin group not in the firewall administrators group

any ideas why the user does not or is it still possible

Thank you

No problem! I had problems in the past when the local and domain user are identical. You can always get around that by defining what identity stores are used (for example, excluding the user database internal) and/or by properly constructing your authorization rules.

Also, do you use ACS 4.x or 5.x?

Thanks for the note!

Tags: Cisco Security

Similar Questions

  • VCenter: User in several groups with different permissions, smaller approvals

    Hello

    We finally hit the use of our VCenter setup where we need to begin to use permissions group instead of the individual user's permissions.  I have set up several groups (QA, automation, App, VCenter users and administrators) for our users.  However - I ran into a problem where a user must be in QA Automation and administrators, and I put the appropriate permissions on a pool of resources (QA - unalterable, automation and administrators full control).

    When you connect as long as user is as VCenter uses by default the * least * permissions for the object being verified and the user has only read-only for the resource pool (and spread points).  Is this expected authorizations and vcenter behavior?  I guess the user must get the permissions for all the groups, they are in.

    Thank you

    Ben

    If you set permissions in vCenter level, then Yes, you need to uncheck spread it to child objects.  What you can do then is add permissions on each individual resource pool.

    Is the ultimate goal only allow these members to have access to resource pools, any VI?

  • This user in several groups in OBIEE 10 g

    In our OBIEE 10 g of the project a user u1 part of 2 groups G1 & G2.*G1 is for the operational hierarchy * and G2 is the geographic hierarchy. In accordance with the operational hierarchy U1 can display two U.K & U.S. dashboards but as U1 is the only UK customer does not want U1 views U.S. dasboard. We want to put the permission to both the geographical and operational point of view, i.e. only one manager can consult dashboard1 and dashboard2 , but if the Manager is of the British group it should be able to show only dashboard2*(Related to UK) * do not dashboard1(Related to US). Could someone please help me solve this problem.

    You are right. In this case, yet once divided groups in.
    (1) MANAGER-STATES-UNITED-OP and
    (2) OP-UK-MANAGER.
    and access accordingly.

  • We cannot draw power ratio cli for single user of VDI which is a member of VDI several groups in Active Directory?

    Hi all

    Is it possible to identify single user VDI which is a member of VDI several groups in Active Directory from power Cli script

    Thank you

    VM2014

    Oops, my mistake. Try this

    Get-ADUser-filter *-MemberOf properties |

    where {$m = $_.} MemberOf | where {$_-match 'app-view'}; $m - not $null - and @($m). {Count - gt 1} |

    Select the Name,@{N='#VDI groups; {E = {$m.Count}}.

    @{N = 'Groups of VDI'; E = {($m | Get-ad group | Select name - ExpandProperty) - join ' | '}}

  • Cisco ACS 4.2 a user in several local groups

    Currently, I like this group map

    ACS groups window

    GRP of GRP-A-B-1 and PDM - 2
    GRP - A. GRP - 1

    GRP - Grp-2 B

    For example currently a user test1 is part of two groups 1 and 2 under windows and is mapped to the Grp-A-B of the CSA. Is it possible if I delete the mapping of Grp-A-B in ACS and can see the user test1 speratley in both groups (Grp - A and Grp - B) to GBA?

    Salam Muhammad,

    If you have a local user in ACS, this user cannot be a member of both groups at the same time.

    The same concept applies to external users. They cannot be mapped to two different groups at the same time.

    If you delete the configuration of Grp-A-B, the test1 user will be mapped to the first group in the list because ACS 4.2 process mapping group in the order:

    ' the snip "'

    Order of group mapping

    ACS always maps users to a single group of TISA. However, a user can belong to several groups the group mapping. For example, a user named John could be a member of the ensemble of the engineering group and California, and at the same time be a member of the combination of Group Engineering and management. If the value of group ACS mappings exist for these two combinations, ACS must determine what group John should be affected.

    ACS prevents contradictory group set mappings by assigning an order of mapping for the whole group maps. When a user who is authenticated by an external user database is assigned to a group of ACS, ACS begins at the top of the list of groups for this database mappings. ACS sequentially checks group memberships of user in the database of the external user against each group mapping in the list. Where to find the first set group mapping corresponding memberships to external users in the user database, ACS assigns the user to the group this group map ACS and ends the process of mapping.

    ' the snip "'

    Reference:http://goo.gl/cvc474

    HTH

    Amjad

    Rating of useful answers is more useful to say "thank you".

  • VPN access query remote ASA - several group policies for the unique connection profile

    Hi all

    Two quick questions here that I need to help.

    1. in an ASA 5525, is it possible to have several group policies for a single connection profile?

    Scenario: A customer is running F5 Firepass to their VPN solution and this device is used by them to have multiple strategies group by the connection profile. We plan to migrate them to ASA (5525) and I don't know if the ASA can support that.

    2. in an ASA-5525 for Clientless Remote access VPN, can pass us the page to connect to an external server? For example, if I have a connection with a URL profile setup: "'https://wyz.vpn.com/ ';" for the LDAP/Radius Authentication, but for https://wyz.vpn.com/data and https://wyz.vpn.com/test I want to HTTP based authentication form and this page needs to be sent to an external server that is to say ASA step will manage this page, but rather the first page for this is served by the external server.

    Scenario: One of our clients is running F5 Firepass to their VPN solution. On the F5 they have pages of configuration such as the https://wyz.vpn.com/ that the F5 shows to the user when they connect via VPN without client; However if the user types https://wyz.vpn.com/data in the browser, the traffic comes to the F5, but F5 redirects this traffic to an external server (with an external url as well). Then it's this external server that transfers the first page of the user requesting authentication for HTTP form based authentication information.

    Thanks in advance to all!

    Hello

    You can have fallback to LOCAL only primary method.

    http://www.Cisco.com/c/en/us/TD/docs/security/ASA/asa90/configuration/gu...

    HTH

    Averroès.

  • User in several Windows/ACS group. Deny a permit

    I have several groups on ACS each tied to a group of AD windows.

    I have a VPN concentrator and a wireless Lan controller.

    I use ACS to authenticate access to the time, but I would like some VPN users have wireless users too, not all.

    If I use NAR to limit the "VPN users" to access WLC device all users with access to the VPN is not wireless, even those who are in the wireless group.

    Is - it there anyway to operate?

    This is how it works.

    Lets say you have three different groups on ad for NetworkAdmin, RouterAdmin,.

    Wireless.

    Go to the external user database == database group mappings == Windows NT/2000 == select the field

    to which you log == Add mapping.

    Select the ad NetworkAdmin group and ciscosecure Group 1 card select the ad RouterAdmin group and map it to ciscosecure Group 2

    Select the ad wireless Group and map it to ciscosecure Group 3

    Mappings of working groups in the order in which they are defined, first set up mapping is

    considered first and then second, third and so on. If a user is in AD Group NetworkAdmin and

    which is mapped to the ACS 1 group and it's the first configured mapping is

    First of ALL (if there is a user in the Group NetworkAdmin, it is always mapped to ciscosecure

    1 and NO further mappings for this user group is enabled and the user is authenticated or

    rejected)

    Scenario: If you have a user called cisco, group NetworkAdmin, cisco1 in RouterAdmin

    Group and cisco2 wireless. They will be always dynamically mapped to group 1, 2 ACS

    and 3 respectively as above mappings.

    You can see the mappings on authentication passed to users as to which group are

    they are mapped to.

    SCENARIO:

    Now if you want a NetworkAdmin user to authenticate to the NetworkAdmin devices and not

    devices or wireless RouterAdmin you should apply NARs for Group 1 because

    NetworkAdmin users connect to this group. Which will allow you access on the Group

    basis for a particular NetworkAdmin NDG or NetworkAdmin individual NAS device.

    NOTE:

    If you are applying NARs for VPN or wireless devices, you must configure two IP

    Base AND CLI/DNIS founded together as NARs were originally designed for cisco IOS for

    routers and switches.

    IMPORTANT: If a user authenticates successfully to the database AD once, his user name is cached on the database of ACS (NOT password) the only way to remove the previously cached user name is to go to usersetup find this user and manually remove it.

    ACS will not support the following configuration:

    * A user active directory which is a member of the 3 AD groups (groups A, B and C) * 3 people

    groups are mapped within FAC as follows-> A Group1, Group2-> B and group 3-> C.

    * The user is in the 3 groups, however it will be always authenticated by Group 1 because

    This is the first group, it appears in, even if there is a configured NAR summons

    the group-specific AAA clients.

    However there are if your maps are below order...

    Groups NT groups ACS

    A, B, C ===> Group 1

    A ===> group 2

    B ===> group 3

    C ===> Group 4.

    You can create a rule DIFFERENT for users a, B, C by configuring the NARS in Group1.

    This rule applies for use ONLY if it is present in ALL three groups (A, B and C).

    You can create a rule for users in Group A (Group 2)

    You can create a rule for users in Group B (Group 3)

    You can create a rule for users in Group C (Group 4)

    Here I am also attaching links related to the group mapping in the user guide:

    Order of group mapping:

    http://www.Cisco.com/univercd/CC/TD/doc/product/access/acs_soft/csacs4nt/acs33/user/QG.htm

    #wp940485

    Kind regards

    ~ JG

    Note the useful messages

  • The opportunity to identify a specific storage for each user or security group.

    Hi all

    I asked how to specify storage for each user or security group on the server of the University Complutense of Madrid. ex. I want user 'weblogic' unable to download a document on the server of the University Complutense of Madrid, more than a gigabyte. the user can check in several files, but thetotal space for all files are not a gigabyte.

    Thank you

    I asked how to specify storage for each user or security group on the server of the University Complutense of Madrid. ex. I want user 'weblogic' unable to download a document on the server of the University Complutense of Madrid, more than a gigabyte. the user can check in several files and the total space for all files not exceeding a gigabyte.

    You can write a rule to achieve this where in the xStorageRule is evaluated based on any set of metadata such as dDocAuthor or dDocSecurityGroup etc., or a combination of metadata.

  • Python script to search for users who belong to a group of weblogic

    Hello

    We know

    Python script to search for users who belong to a particular group in weblogic

    That's what I showed you already. You just need to add the function connect() and disconnect() around it and evaluate the slider that went back.

    If you don't want to learn how to write your own script and that you just want to use an existing one, try this one Weblogic Scripting Tool 101: WLST list users, groups, and users in groups

  • Card AD single user to multiple groups identity ACS 5.8

    It is possible to map a single to several groups of identitiy ACS AD user account?

    I tried to create two different security groups AD with the same user in the two groups.  I then created two different maps each SEO group.  It's only the first mapping is hit.

    Thank you.

    John

    John,

    Unlike ACS 4 (and earlier versions), the need to map users to groups is much diminished, because you can create policies for leave with a lot of flexibility and to make reference to ad groups and many other criteria.

    You can consider creating strategies authorization that don't depend on identity groups and group membership just reference AD and/or any other criteria.

    Javier Henderson

    Cisco Systems

  • Several groups of ACS/announcements in NDG

    Hello

    I've been racking my brain on this for a few days, and it's just not coming to me.  I'll try and also be suscinct as possible. I am in the process of transition of my users of IPSEC to SSL VPN client/web.  During this process, I want to limit users to what they need to get to only.

    ASA firewall configured for SSL VPN and IPSEC VPN (8.2.1)

    Cisco ACS for Windows (4.2)

    Active Directory Windows domain

    We have several departments who will each of the different levels of access.  We currently have a group of users who belong to an ad group that is mapped to an ACS group.  Everthing is going fine for the IPSEC VPN and SSL VPN as it is.  The problem that I am running is adding a new group (s) adding to the mix and get the right checks up to join this group.

    Example: If you are in the OWA ad group, you should only have access to OWA when you access SSL VPN.

    Example: If you are in the ad Marketing Group, you should have access to the actions and resources that are predefined.

    There could be up to 10 groups.

    I have added a new group to the ACS server and it mapped to the corresponding group.  But I guess I don't understand how to get the ASA--> ACS to verify membership in this group.  I tried the DAP of ASA with controls against the Radius attributes - but it fails. I feel just like I'm missing something in the ACS server, I need to do first.

    Thanks in advance for the help.

    Hi Chris,

    By checking groups, ASA, GBA package access attribute class only reads accept, depending on the value of class the asa will map like you on a policy of group as your configuration.

    ACS will read the first memberOf value retrieved from the profile AD and map the user to the group, accordingly, so if you have multiple groups on one user it will always match one on the list (don't ask me what is the order that AD sends the group for GBA)

    The first statement, I think you will need that many strategies of groups like the functions you need and based on the value of the class they will be mapped to this group policy and then these features will be enabled. I believe that with the radius authentication plain and RADIUS atts or DAP (dap gives you more customization options), so you can skip ACS and use ASA - ldap - AD) and use memberOf attributes.

    Let me know if this has any sense at all.

  • Several groups of RADIUS auth on a single Windows Server

    We have several groups RA VPN on a 3845 router.

    Authentication RADIUS which is currently happening between the 3845 and one Windows 2008 Server.  We have a group of specific windows which AD users are members, and they are allowed to connect through the VPN.

    I create a new group of VPN, which should only allow different users of the AD.  Is it possible to create another association of RADIUS on the same server, or do I need to authenticate to a different Windows Server?

    Thank you

    Tyler

    Hey Tyler,

    If I understand the question, here's what you have to say.

    There are several groups on the announcement. currently 1 user group special on AD connect very well to the RAVPN.

    Now you want to connected VPN or authorized for another group on AD. Basically, you want to control access to resources based on the groups that they belong to the advertising. Am I wrong?

    You use the aaa server is the RADIUS. I don't think you can do authentication and control of access based on the ad groups using RADIUS.

    I would say try LDAP.

    http://www.Cisco.com/en/us/docs/iOS/sec_user_services/configuration/guide/sec_cfg_ldap.html

    I hope this helps.

    Kind regards

    Anisha

    P.S.: Please evaluate the useful messages

  • WebLogic with problem supplier Active Directory Authentication: < DN for user...: null >

    I have a java application (SSO via SAML2) using Weblogic as an identity provider. Everything works fine using created users directly in Weblogic. However, I need to add support for Active Directory. Thus, according to the documents:

    -J' set an Active Directory authentication provider

    -changed it's order in the list of authentication providers so that it is first

    -l' control indicator value SUFFICIENT and configured the specific provider; Here's the part concerned in the config.xml file:

    <sec:authentication-provider xsi:type="wls:active-directory-authenticatorType">
        <sec:name>MyOwnADAuthenticator</sec:name>
        <sec:control-flag>SUFFICIENT</sec:control-flag>
        <wls:propagate-cause-for-login-exception>true</wls:propagate-cause-for-login-exception>
        <wls:host>10.20.150.4</wls:host>
        <wls:port>5000</wls:port>
        <wls:ssl-enabled>false</wls:ssl-enabled>
        <wls:principal>CN=tadmin,CN=wl,DC=at,DC=com</wls:principal>
        <wls:user-base-dn>CN=wl,DC=at,DC=com</wls:user-base-dn>
        <wls:credential-encrypted>{AES}deleted</wls:credential-encrypted>
        <wls:cache-enabled>false</wls:cache-enabled>
        <wls:group-base-dn>CN=wl,DC=at,DC=com</wls:group-base-dn>
</sec:authentication-provider>

    I configured an instance of AD LDS (Active Directory Lightweight Directory Services) on a Windows Server 2008 R2. I created the users and a user admin "tadmin" that has been added to the members directors. I've also made sure to set the msDS-UserAccountDisabled property.

    After the restart Weblogic, I see that users and groups in AD LDS are properly recovered in Weblogic. But, when I try to connect to my application using Username:tadmin and the password: <>... it doesn't.

    Here's what I see in the log file:

    <BEA-000000> <LDAP Atn Login username: tadmin>
<BEA-000000> <authenticate user:tadmin>
<BEA-000000> <getConnection return conn:LDAPConnection {ldaps://10.20.150.4:5000 ldapVersion:3 bindDN:"CN=tadmin,CN=wl,DC=at,DC=com"}>
<BEA-000000> <getDNForUser search("CN=wl,DC=at,DC=com", "(&(&(cn=tadmin)(objectclass=user))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))", base DN & below)>
<BEA-000000> <DN for user tadmin: null>
<BEA-000000> <returnConnection conn:LDAPConnection {ldaps://10.20.150.4:5000 ldapVersion:3 bindDN:"CN=tadmin,CN=wl,DC=at,DC=com"}>
<BEA-000000> <getConnection return conn:LDAPConnection {ldaps://10.20.150.4:5000 ldapVersion:3 bindDN:"CN=tadmin,CN=wl,DC=at,DC=com"}>
<BEA-000000> <getDNForUser search("CN=wl,DC=at,DC=com", "(&(&(cn=tadmin)(objectclass=user))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))", base DN & below)>
<BEA-000000> <DN for user tadmin: null>
<BEA-000000> <returnConnection conn:LDAPConnection {ldaps://10.20.150.4:5000 ldapVersion:3 bindDN:"CN=tadmin,CN=wl,DC=at,DC=com"}>
<BEA-000000> <javax.security.auth.login.FailedLoginException: [Security:090302]Authentication Failed: User tadmin denied
  at weblogic.security.providers.authentication.LDAPAtnLoginModuleImpl.login(LDAPAtnLoginModuleImpl.java:229)
  at com.bea.common.security.internal.service.LoginModuleWrapper$1.run(LoginModuleWrapper.java:110)

    So, I tried to watch why did I: < DN for user tadmin: null >. The Apache Directory Studio I have reproduced the ldap search request used in Weblogic, and of course, I get no results. But, change filter only "(& (cn = tadmin)(objectclass=user))" (NOTICE, no userAccountControl), it works; Here is the result of Apache Directory Studio:

    #!SEARCH REQUEST (145) OK
#!CONNECTION ldap://10.20.150.4:5000
#!DATE 2014-01-23T14:52:09.324
# LDAP URL     : ldap://10.20.150.4:5000/CN=wl,DC=at,DC=com?objectClass?sub?(&(cn=tadmin)(objectclass=user))
# command line : ldapsearch -H ldap://10.20.150.4:5000 -x -D "[email protected]" -W -b "CN=wl,DC=at,DC=com" -s sub -a always -z 1000 "(&(cn=tadmin)(objectclass=user))" "objectClass"
# baseObject   : CN=wl,DC=at,DC=com
# scope        : wholeSubtree (2)
# derefAliases : derefAlways (3)
# sizeLimit    : 1000
# timeLimit    : 0
# typesOnly    : False
# filter       : (&(cn=tadmin)(objectclass=user))
# attributes   : objectClass


#!SEARCH RESULT DONE (145) OK
#!CONNECTION ldap://10.20.150.4:5000
#!DATE 2014-01-23T14:52:09.356
# numEntries : 1

    (the "[email protected]" is defined as userPrincipalName in the tadmin on AD LDS user)

    As you can see, ' numEntries #: 1 "(and I can see as a result the entry ' CN = tadmin, CN = wl, DC = in, DC = com ' in Apache Directory Studio interface); If I add the userAccountControl filter I get 0.

    I read the AD LDS does not use userAccountControl but "uses several individual attributes to store the information contained in the userAccountControl attribute flags"; Among these attributes is msDS-UserAccountDisabled, which, as I said, I already have the value FALSE.

    So, my question is, how do I run? Why do I get "< DN for user tadmin: null >"? What is the userAccountControl? If this is the case, should I do a different configuration on my AD LDS? Or, how can I get rid of the userAccountControl filter into Weblogic?

    I don't seem to find the configuration files or in the interface: I don't have that "user of the name filter: (& (cn = %u)(objectclass=user))", there is no userAccountControl.»

    Another difference is that, even if in Weblogic, I put compatible ssl false flag, the newspaper I see ldaps and ldap, I noticed (I don't mean to install something ready for production and I don't want SSL for the moment).

    Here are some other things I tried, but doesn't change anything:

    -other attributes '-FS' were not resolved, so I tried their initialization to a value

    -J' tried other users defined in AD LDS, not tadmin

    -in Weblogic, I added users who were imported from AD LDS into the policies and roles > Kingdom roles > Global roles > roles > Admin

    -J' removed all occurrences of userAccountControl I found xml files in Weblogic (schema.ms.xml, schema.msad2003.xml)

    Any thoughts?

    Thank you.

    In the case of some other poor soul will fall on this issue: I did this job by configuring a generic ldap authenticator.

    See also:

    Re: could not connect to the WLS console with the user of the directory

  • 10g: unable to set the default dashpoard (CheminPortail) to several groups

    Hi all

    I am facing a problem while defining the portal path for several groups.
    I have two RPD groups and each group need to have its own default table in the form of ready page.

    We use authentication RPD and cannot use the database table to record the CheminPortail for each user or group.


    What I've tried so far is the following:

    We have two groups, Group1 , Group2 , who need to have the default dashboard * \shared\_portal\dashboard1* and * \shared\_portal\dashboard2* respectively.


    Approach 1: Create a block INIT of Session with the following query:
    Select case when ""="Group1: GROUP ' then '\shared\_portal\dashboard1' another '\shared\_portal\dashboard2' end of the double"

    Result: Failure - because all users are directed to "\shared\_portal\dashboard2". Somehow *': group ' * Gets not the affected GROUP.

    Even tried to replace ": GROUP ' with"VALUEOF (GROUP)"in the SQL query, however, it did not help."


    Help to get the same functionality will be appreciated.


    Kind regards
    Khalid

    Khalid,

    Here you go... use example below and change as you need.

    Create a SESSION - INIT BLOCK with this query... Say CRTAP

    SELECT CASE WHEN ' VALUEOF (NQ_SESSION. GROUP)' = "DASH_usr" THEN "/ shared/test ' WHEN ' VALUEOF (NQ_SESSION. GROUP)' = "DASH_ctr" THEN "test1/shared / ' END OF DOUBLE

    Set it to a variable with the name CHEMINPORTAIL and default to say anything ' / abc / ".

    This will work for sure... You can test this by RPD as well.

    Hope this helps

  • Several group

    Hello

    Could someone tell me how I might have several group from the different count function?
    Here's what I'm trying to do.

    select x.prev_categ, x.next_categ,
       count(distinct user_id) as countprev2next,
       count(distinct user_id) as countprev2any,
       count(distinct user_id) as countany2next,
       count(distinct user_id) as countany2any
(
     select user_id, prev_categ,  next_categ,
               dense_rank() over (order by prev_categ, next_categ) as rankprev2next,
               dense_rank() over (order by prev_categ) as rankprev2any,
               dense_rank() over (order by next_categ) as rankany2next,
               dense_rank() over() as rankany2any
        from next_categ_data
        where x.prev_categ IS NOT NULL and x.next_categ IS NOT NULL
)x
group by x.prev_categ, x.next_categ
;
    In the group by clause, I would like to have group by in the following terms:
    (1) prev_categ and next_categ as shown in the query
    (2) only prev_categ
    (3) only next_categ
    (4) user_id

    By this motion, I am trying to accomplish the following:
    For example, I have a transaction in which category A is passed to category B.
    I want to count distinct users who moved from category:
    (1) A to B (A2B)
    (2) A to any category (A2X)
    (3) any to B (X2B)
    (4) all for the whole (X2X)

    This must be done for all possible transactions.
    Sample Data
create table final as

(
select 1 user_id,2 product_id,A categ_id, to_Date('1/1/2009','MM/DD/YYYY') dt from dual union all
select 1 user_id,3 product_id,B categ_id, to_Date('1/1/2009','MM/DD/YYYY') dt from dual union all
select 1 user_id,4 product_id,C categ_id, to_Date('1/3/2009','MM/DD/YYYY') dt from dual union all
select 1 user_id,5 product_id,D categ_id, to_Date('1/3/2009','MM/DD/YYYY') dt from dual union all
select 1 user_id,6 product_id,E categ_id, to_Date('1/3/2009','MM/DD/YYYY') dt from dual union all
select 1 user_id,7 product_id,F categ_id, to_Date('1/10/2009','MM/DD/YYYY') dt from dual union all
select 1 user_id,8 product_id,G categ_id, to_Date('1/11/2009','MM/DD/YYYY') dt from dual union all

select 2 user_id,2 product_id,A categ_id, to_Date('1/1/2009','MM/DD/YYYY') dt from dual union all
select 2 user_id,3 product_id,B categ_id, to_Date('1/2/2009','MM/DD/YYYY') dt from dual union all
select 2 user_id,4 product_id,C categ_id, to_Date('1/4/2009','MM/DD/YYYY') dt from dual union all
select 2 user_id,5 product_id,F categ_id, to_Date('1/5/2009','MM/DD/YYYY') dt from dual union all
select 2 user_id,6 product_id,H categ_id, to_Date('1/6/2009','MM/DD/YYYY') dt from dual union all
select 2 user_id,7 product_id,F categ_id, to_Date('1/12/2009','MM/DD/YYYY') dt from dual union all
select 2 user_id,8 product_id,G categ_id, to_Date('1/15/2009','MM/DD/YYYY') dt from dual union all

select 3 user_id,2 product_id,A categ_id, to_Date('1/11/2009','MM/DD/YYYY') dt from dual union all
select 3 user_id,3 product_id,C categ_id, to_Date('1/12/2009','MM/DD/YYYY') dt from dual union all
select 3 user_id,4 product_id,B categ_id, to_Date('1/13/2009','MM/DD/YYYY') dt from dual union all

) ;
    Sample output
Prev_categ | Next_categ | countprev2next | countprev2any | countany2next | countany2any
---------------------------------------------------------------------------------------
  A            B              2                 3              3               3
  A            C              1                 -              3               3
  B            C              2                 2              -               3
  C            B              1                 3              -               3
  C            D              1                 -              1               3
  C            F              1                 -              2               3
  D            E              1                 1              1               3
  E            F              1                 1              -               3
  F            G              2                 2              2               3
  F            H              1                 -              1               3
  H            F              1                 1              -               3
    Could you also tell me how I could make the County be repeated? For example, I want to count 3 to print for the two A to B and a-C
    under column of prev2any.

    I appreciate all help.

    Thanks again,

    Hello

    You can do it with the analytical COUNT function:

    SELECT DISTINCT
,       prev_categ
,       next_categ
,       COUNT (DISTINCT user_id) OVER (PARTITION BY prev_id
                          ,           next_id
                         )               AS countprev2next
,       COUNT (DISTINCT user_id) OVER (PARTITION BY prev_id)     AS countprev2any
,       COUNT (DISTINCT user_id) OVER (PARTITION BY next_id)     AS countany2next
,       COUNT (DISTINCT user_id) OVER ()               AS countany2any
FROM       next_categ_data
WHERE       next_categ     IS NOT NULL
ORDER BY  prev_categ
,       next_categ
;

    Sorry, I'm not a database now, so I can't test it for 12 hours.

    Looking at the code you posted, it seems as if you were on the right track with the partitions, only you were trying the wrong analytical function.

    You really have a table like next_categ_data? Most people would use a view, if this isn't a subquery for this, unless the query speed was very important.

Maybe you are looking for