How to know which user has write access to Clearcase database? It mainly means authorization to perform check-in but not only, for example modify a Clearcase value of a defined attribute...
How to have a list of all the user identifiers who modify something in a given VOB? In any of the VOBs?
Does exist specific roles and profile in Clearcase? Or just the Unix root?
For information:
- ClearCase 8.0.1.4 (AIX 1 7)
- BASE CLEARCASE only is used, not UCM.
Start with "VOB and view access control"; the main access criteria is user and groups:
A user's name and group memberships are the principal credentials evaluated by Rational® ClearCase® when access is requested.
So any user which is has, as a primary group (first group when typing id -a) the same group as the one of a Vob can access that Vob. See for example "ClearCase won't allow Check-In" (note: the view itself must be correctly protected as well)
On AIX, you can use lsuser to list users of a given group.
See more with "Access control for elements".
But since ClearCase 9, you also have ACL authorization:
You can use ACLs to protect the VOB object, policies, rolemaps, and elements (other object types, such as branch types and label types, must be secured by the protection mechanisms of the operating system
You can setup policies (see cleartool lspolicy), and rolemaps
You use a rolemap to specify the principals that take on roles listed in a policy, and to apply the access controls to one or more VOB objects.
The intention is that you can define a small number of policies that determine ‘how' you apply permissions to objects. You then define a number of rolemaps for each policy describing ‘who' takes on the roles in the policy.
By listing rolemaps (cleartool lsrolemap), you can back a list of groups, from which you can deduce the list of users:
Role:Reader --> Group:DOMAIN/developers
Role:Manager --> Group:DOMAIN/mgrs
Role:Developer --> User:DOMAIN/danny
Role:Integrator --> Group:DOMAIN/integs
Role:Developer --> Group:DOMAIN/devs
Role:Administrator --> User:DOMAIN/vobadmin
Related
I've created a new page of type List from wizard to show all the fields License Permission (2000000043) system table in NAV 2015.
This field is populated only in the records where Object Type is LimitedUsageTableData and it's an option with the following
Option Strings = , Included, Excluded, Optional
I haven't found an official documentation that explain the meaning of the different values and how to change them (The License Permission table is read-only).
I think this might be related to the limits a user with Limited User license can have.
Just for an example, the table Service Order Allocation 5950 has Limited Usage Permission = Optional. What does it mean?
Limited users licensing is explained in detail in the document named "Microsoft Dynamics NAV Licensing Guide". You can download the latest version from here:
https://www.microsoft.com/en-us/download/details.aspx?id=54248
In short, limited users are allowed to read any table and write to any 3 tables only. You do not need to specify which 3 tables would that be, NAV just counts database writes until there will be an attempt to write to 4th table.
In addition to this rule, there are granted tables which are not counted when you write to them, and there are restricted tables you can never write to.
Limited Usage Permission = Included - means that table is granted and does not count towards maximum of 3.
Limited Usage Permission = Excluded - means that table is restricted to write (e.g. G/L Entry)
Limited Usage Permission = Optional - means all the rest
You are not able to change these values as they are changed by Microsoft only and are part of a license. But partners are able to elect some of the tables in their ranges to be "Included" (which has to be approved by Microsoft).
I am new to this ADLDS ,Looking into this group ownership concept in ADLDs,
suppose I have a group, and I want set permission OWNER access to groups,
for multiple user, depend upon requirement.
I had checked ADLDS had groups owner, by default is Administrator, but didn't find any how to set Groups Owner in particular group,
using ADSI, or LDP.exe , how can I assign OWNER for group
what I need to configure,
As far as I know there's no GUI for what you're trying to do in ADSI. I'm not sure about LDP.
To accomplish what you're trying to do is you can use a tool called DSACLS
You can find this tool in this location:
%WINDIR%\ADAM
Viewing container permissions
dsacls.exe \testserver:50000\CN=Users,CN=TestApp,O=Test
Granting general permissions on a container
dsacls.exe \testserver:50000\CN=TestApp,O=Test /I:T /G CN=MembershipProvider,CN=Roles,CN=TestApp,O=Test:GR
There are a couple of things to notice here. "/I:T" sets permissions to the container and its sub objects, while we could've used "/I:S" to include only the sub objects. "/G" means grant ("/D" is deny). The "user or group DN" is the distinguished name of the user, group or role that we grant access to the container. The "permission" part can be GR for read and GW for write (other more specific permissions are also available).
This article explains more in depth...
I am in an organization with an Active Directory with a very deep nested group structure. I would like to query the directory to recursively find user members of a group from a Linux machine. On a Windows machine,
dsget group "dn_of_group" -members -expand
does exactly what I want and does it very quickly. When I tried to get the same results via LDAP with
(memberOf:1.2.840.113556.1.4.1941:=dn_of_group)
the query takes almost a minute to run. Does dsget use LDAP under the hood or does it use some other means to query the directory? And if so, is there any way for me to also use that?
Edit:
Clarified that I need the members which are users.
The framework 3.5 with System.DirectoryServices.AccountManagement Namespace provides a method that searches all groups recursively and returns the groups in which the user is a member. The returned set may also include additional groups that system would consider the user a member of for authorization purposes.
UserPrincipal.GetAuthorizationGroups()
The groups that are returned by this method may include groups from a different scope and store than the principal. For example, if the principal is an AD DS object that has a DN of "CN=SpecialGroups,DC=Fabrikam,DC=com, the returned set can contain groups that belong to the "CN=NormalGroups,DC=Fabrikam,DC=com
In the other direction you've got :
GroupPrincipal.GetMembers(bool recursive)
See Remarks
i'm writing an AD sync tool, which takes an LDIF file exported from an AD A, applies some replaceing and skip rules and creates another LDIF file that can then be applied to an AD B.
During the creation, i have read access on the AD B, so i can get the Schema to know what attribute-value pairs i can or can not set, and to see if there are allready objects that already exist in B that i only have to modify , but not to create. So far so good.
Right now, my rules do not copy the objectSid (and others), since they won't be right. As far as i checked, a SID is always composed of the domainSid and and an ID, like SOME-DOMAIN-SID-513 which is the SID of the Domain Users of that domain.
So IDs < then 1024 seem to be reserved for internal use while IDs > 1024 will be part of objects that where created on the way.
My question is now, can i create own objectSIDs for new entries that i want to create and set them in the LDIF file?
Any hints on that?
I don't think you can. I'm intrigued as to why you'd want to.
I have a problem with manager attribute in Sun Directory Server.
I set this attribute for a user in the directory, e.g. cn=testmanager,dc=test,dc=com and when I change manager's dn this change is not propagated in manager attributes.
For example:
I have two users:
dn: cn=testmanager,dc=test,dc=com
and
dn: cn=testperson,dc=test,com
manager: cn=testmanager,dc=test,dc=com
Then I modify manager's dn to:
dn: cn=testmanagerchange,dc=test,dc=com
But manager attribute in cn=testperson,dc=test,com doesn't change is still equal to cn=testmanager,dc=test,dc=com. In Active Directory it works fine.
Exact definition of attribute:
Name: manager
OID: 0.9.2342.19200300.100.1.10
Aliases: -
Origin: RFC 1274
Description: Standard LDAP attribute type
Syntax: 1.3.6.1.4.1.1466.115.121.1.12 (DN)
Multivalued: Yes
This may not directly help, but it may depend on how Sun Directory Server handles DN syntax attributes. I can speak with experience for eDirectory, where DN syntax attributes do what you want automagically.
I.e. You can rename, move, or delete an object, and all DN syntax references to it will automatically update themselves. (Actually for renames and moves they do not actually update, rather when they convert the internal database ID value for the object to display the pretty human readable name, it always shows the current value. Clean up after deletes are handled differently).
The question becomes, how does Sun Directory Server handle these cases.
Though it is interesting that manager can be multivalued. That would suck, having several managers!
I found the answer.
In Sun Directory Server you have to set the list of attributes that should keep reference integrity. Some attributes are set by default, however you have to manually add manager attribute.
This is an article that explains this issue: http://docs.sun.com/app/docs/doc/820-2763/fsush?a=view.
Thanks for your help.