One of our user want to save her current filter selections of report using "save current customization" on BI. But its giving error as access denied for user to path /users//<>.
She also complaints that her previously saved customisations are missing after recent deployment.
I understand that, its related to some user permission but not aware how to resolve it via analytics.
Can anybody suggest anything on this?
"after recent deployment" .... So let me guess you overwrote her /users/HerName folder with the one from a different environment. And since 11.1.1.9 still uses GUIDs - guess what you probably just really messed up her folder and those of all users.
Edit: Refreshing user GUIDs : https://docs.oracle.com/middleware/11119/biee/BIESC/privileges.htm#BIESC721
Related
I'm setting up a new share that I've enabled enumerated access on. I'm looking to limit people access to files on a certain folder. I've setup other folders that restrict access unless your in a security group. This folder thats giving me trouble was copied over from another network share. When I create a folder from scratch everything works fine so I'm curious if thats whats giving me issues.
The folder I'm trying to access is
x:/Limerock/Projects/"Project Name"
If I go into the security tab and check my effective access it says that I have full control:
The user I'm signed into is joe.jankowiak which is part of the Domain Admins security group. Domain Admins owns all the folders in above this and has full control.
When trying to enter the folder it tells me I need to request permission. I'm an admin so it goes through and adds "joe.jankowiak" to the full control list in the security permissions.
Why is it not taking my domain admin credentials to enter this folder? I'm seeing other weird behavior such as it saying "Unable to display current owner." and "You must have read permissions to view the properties of this object". Clicking continue lets me see it.
Everything looks right, I've setup 6 other new folders in the exact same manner and they work fine. I've signed in and out many times but it hasn't fixed it. Weird enough, another computer I signed into lets me access the folder just fine. Is there a way to reload file permissions since logging in/out doesn't seem to do it. Is there a command like gpupdate that I should run?
I have seen this before andyou might need to do the following operations in order:
-Replace Ownership on the folder and replace all child object ownership too=>apply or OK
-Close the security properties and re-open it again
-Add Domain Admins as full control and Replace all child object permissions... =>apply/OK
That should do it
I've upgraded a 1.5 Joomla to actual verison 3.9.x and I have now a special permission problem.
Users are categorized by standard groups, coming with Joomla, so there are 2 super users and some "Managers". Super users usually create articles, managers are finalizing und publishing them.
So, in System -> Global Configuration -> Articles -> Permissions is set to "Edit - Allow" and "Edit state - allow", which means that on every new created article managers can edit the articles.
Now, the super user clicks on Content -> Articles -> New and check that (not-yet-saved) permission tab. The "Calculated permission" shows a green "Allowed" state in "Manager" tab - as set in the global configuration.
Now, the article will be saved, and re-opened, now the permission tab in manager shows RED "Forbidden" although its saved with explicit "Allowed".
When changing and saving the corrected state again (on the existing article), the permissions are set correctly and the managers can edit the article.
In the actual state, the super user must create an article, close and re-open it and set the right permissions to make it available to other backend users.
How can I fix that?
My guess:
On the first save, the permissions are not set correctly, so Joomla is using "fallback permissions" which means that just super users can edit that article.
Edit:
Here's an interesting comment in joomla core source code, where permissions are saved:
#to do: incorrect info When creating a new item (not saving) it uses the calculated permissions from the component (item <-> component <-> global config).
But if we have a section too (item <-> section(s) <-> component <-> global config) this is not correct.
Also, currently it uses the component permission, but should use the calculated permissions for achild of the component/section.
Try to open and save your superusers. This might at least correct any issue with the actual user, that arised after your wishful upgrade attempt :)
If there are many issues after your upgrade, and your web site is not huge, i would consider doing a fresh install of the latest Joomla, and importing data in a more manual /semi manual way. Else I guess you'll be having issues for a while...
I have a question similar to this one, but I am using VS 2008 and an Oracle database (with Oracle SQL Developer). How do I get rid of the report credentials in VS? Thank you.
One of the easiest ways to get rid of this is to supply a username and password for the database in question on the reporting server. The URL is usually something like http://localhost/reports. Usually, users created for this type of connection have minimal read-only rights needed for the specific report. The disadvantages to this type of connection is that it's a one-user-fits-all situation. But because of the error message you are getting, it appears that your wish is to supply a specific user name and password rather than use Windows security--which is just fine.
To get here, click Security from the report drop-down list on the main page. Then, click the Credentials stored securely on the report server. Then, here's an issue that get's lots of folks--click the Apply button at the bottom to save the changes. Sometimes the Apply button is not visible and you need to scroll down to click it.
Now, if you're accessing your report through ReportViewer in VS then the following link may provide some help:
http://www.sql-server-performance.com/2012/accessing-ssrs-reports-report-viewer-web-page/
Alternately, you can create or add to a web.config file:
https://msdn.microsoft.com/en-us/library/microsoft.reporting.webforms.ireportservercredentials.aspx
p.s. based on our chat, try adding the following to your web.config connection string--if you have one(with the respective user name and password)--if, indeed you're using Oracle's ODP.net:
providerName="Oracle.ManagedDataAccess.Client" connectionString="User Id=oracle_user;Password=oracle_user_password
http://www.oracle.com/technetwork/topics/dotnet/downloads/odpnet-managed-nuget-121021-2405792.txt
I have not figure out how to solve this from the database. What I did was, comment out this line of code from the XML of the report:
<Prompt>Specify a user name and password for data source XXX</Prompt>
If you have the correct credential info in the <value> tag, your report should be loaded with username and password parameters without problems.
I am trying to integrate the SSRS report to my web page.
The code is as follows:
ReportViewer1.ProcessingMode = rocessingMode.Remote;
ReportViewer1.ServerReport.ReportServerUrl = new Uri("http://localhost/reportserver");
ReportViewer1.ServerReport.ReportPath = "/Report Project1/Reconciliation";
List<ReportParameter> paramList = new List<ReportParameter>();
paramList.Add(new ReportParameter("StartDate", startdate.ToString(), false));
paramList.Add(new ReportParameter("EndDate", enddate.ToString(), false));
this.ReportViewer1.ServerReport.SetParameters(paramList);
ReportViewer1.Visible = true;
I get this error when I try to run this report:
The permissions granted to user 'COMPUTERNAME\\ASPNET' are insufficient for performing this operation. (rsAccessDenied)"}
System.Exception {Microsoft.Reporting.WebForms.ReportServerException}
Can anyone tell me what I am doing wrong?
To clarify Erikk's answer a little bit.
The particular set of security permissions you want to set to fix this error (there are at least another two types of security settings in Reports Manager) are available in the "security" menu option of the "Properties" tab of the reports folder you are looking at.
Obiously it goes without saying you should not give full permission to the "Everyone" group for the Home folder as this is inherited to all other items and subfolders and open a huge security hole.
You need to give your web app access to your reports. Go to your report manager (http://servername/reports/). I usually just give the whole web server "Browser" rights to the reports.
The account name of your server is usually Domain\servername$. So if you server name is "webserver01" and your domain is Acme, you would give the account Acme\servername$ Browser rights.
I think you could also fix it by disabling anonymous access (in IIS) on the web application you are running the report from, that way reporting services would authenticate using the users credentials instead of the ASPNET account. But that may not be a viable solution for you.
The problem is that your ASP.NET worker process does not have the permissions to do what you want.
Edit this user on the server (MACHINENAME\ASPNET), and give it more permissions (It may need write permissions etc).
You also will need to add MACHINENAME\ASPNET as a user to the SQL database SSRS is working with.
I'm looking for a way to find a the windows login associated with a specific group. I'm trying to add permissions to a tool that only allows names formatted like:
DOMAIN\USER
DOMAIN\GROUP
I have a list of users in active directory format that I need to add:
ou=group1;ou=group2;ou=group3
I have tried adding DOMAIN\Group1, but I get a 'user not found' error.
P.S. should also be noted that I'm not a Lan admin
Programatically or Manually?
Manually, i prefer AdExplorer, which is a nice Active directory Browser. You just connect to your domain controller and then you can look for the user and see all the details. Of course, you need permissions on the Domain Controller, not sure which though.
Programatically, it depends on your language of couse. On .net, the System.DirectoryServices Namespace is your friend. (I don't have any code examples here unfortunately)
For Active Directory, I'm not really an expert apart from how to query it, but here are two links I found useful:
http://www.computerperformance.co.uk/Logon/LDAP_attributes_active_directory.htm
http://en.wikipedia.org/wiki/Active_Directory (General stuff about the Structure of AD)
You need to go to the Active Directory Users Snap In after logging in as a domain admin on the machine:
Go to start --> run and type in mmc.
In the MMC console go to File -->
Add/Remove Snap-In Click Add Select
Active Directory Users and Computers and select Add.
Hit Close and then hit OK.
From here you can expand the domain tree and search (by right-clicking on the domain name).
You may not need special privileges to view the contents of the Active Directory domain, especially if you are logged in on that domain. It is worth a shot to see how far you can get.
When you search for someone, you can select the columns from View --> Choose Columns. This should help you search for the person or group you are looking for.
You do not need domain admin rights to look at the active directory. By default, any (authenticated?) user can read the information that you need from the directory.
If that wasn't the case, for example, a computer (which has an associated account as well) could not verify the account and password of its user.
You only need admin rights to change the contents of the directory.
I think it is possible to set more restricted permissions, but that's not likely the case.
OU is an Organizational Unit (sort of like a Subfolder in Explorer), not a Group, Hence group1, 2 and 3 are not actually groups.
You are looking for the DN Attribute, also called "distinguishedName". You can simply use DOMAIN\DN once you have that.
Edit: For groups, the CN (Common Name) could also work.
The full string from Active Directory normally looks like this:
cn=Username,cn=Users,dc=DomainName,dc=com
(Can be longer or shorter, but the important bit is that the "ou" part is worthless for what you're trying to achieve.
Well, AdExplorer runs on your Local Workstation (which is why I prefer it) and I believe that most users have read access to AD anyway because that's actually required for stuff to work, but I'm not sure about that.
Install the "Windows Support Tools" that is on the Windows Server CD (CD 1 if it's Windows 2003 R2). If your CD/DVD drive is D: then it will be in D:\Support\Tools\SuppTools.msi
This gives you a couple of additional tools to "get at" AD:
LDP.EXE - good for reading information in AD, but the UI kinda stinks.
ADSI Edit - another snap-in for MMC.EXE that you can both browse AD with and get to all those pesky AD attributes you're looking for.
You can install these tools on your local workstation and access AD from there without domain admin privileges. If you can log on to the domain, you can at least query/read AD for this information.
Thanks adeel825 & Michael Stum.
My problem is, though, i'm in a big corporation and do not have access to log in as the domain admin nor to view the active directory, so i guess my solution is to try and get that level of access.