Security Admin role not visible in ServiceNow - servicenow

You can't assign yourself the security_admin role (or assign it to anyone else unless you already have the role). If you look at the sys_user_role table and search for security_admin without having the role, you'll get a security error.

Somehow the security_admin role is not visible to admins in Helsinki and Istanbul (strange). You can try the script below to assign yourself security_admin privileges:
// Look up the security_admin role record. Per the comment above, this
// query only succeeds for a session that can already read that row.
var sr = new GlideRecord("sys_user_role");
sr.addQuery("name", "security_admin");
sr.query();
if (sr.next()) {
    // Grant the role to the current user by inserting the
    // sys_user_has_role record that links user and role.
    var hh = new GlideRecord("sys_user_has_role");
    hh.initialize();
    hh.user = gs.getUserID();
    hh.role = sr.sys_id;
    hh.insert();
}

This is intentional as of the Helsinki release. In the past, a normal Admin could elevate their own privileges to the Security Admin, which is not always desirable. Just as no user should be able to elevate their own access, nor should an Admin be able to elevate their own access. This is why only someone with Security Admin access can grant the same access to another person.

Related

User Account with Administrative Access Mode cannot access Position

We have created a new user account with CAL Access Mode: Administrative and Security Role: System Administrator just for managing the user accounts in CRM 2015 on premise. But this user account doesn't have access to read or select the Position while creating user accounts. Since we have some business logic based on the selected position, we do not want to create user accounts without position. I am curious to know why Administrative account cannot access Position which is system entity.
I'd appreciate it if you have any solution for this issue.
Thanks

Creating a security role to be able to only create roles and users without having system admin role

CRM 2015: I want to be able to create a role for local IT to be able to add user accounts and assign roles.
Regarding the 'adding roles' portion, is it simple enough just to create a role for local IT to 'write' to 'security roles' in the 'business management' tab of 'security roles' at the user level?
No, this is not that simple. A user cannot give another user a privilege higher than the one he has (it would be a serious security hole). So, for example, you have a role to edit Security Roles and you have Read access for Accounts in your Business Unit. If somebody in your Business Unit has no Read access or only User access, you can give him Read access for the Business Unit (the same as you have), but you will not be able to give him Organizational access (higher than yours). You can imagine that if this were possible, you would basically be able to give yourself Admin privileges and do whatever you want in CRM.
Knowing that, it should be possible for you to create a role that, for example, has full access to Accounts, Contacts, custom entities etc. and Security Roles. This role would be able to modify other users' access levels to Accounts, Contacts etc., but not to other entities that they don't have privileges for.
Exactly the same logic applies to assigning Security Roles. So user A cannot assign a Security Role to user B if it gives user B privileges higher than user A has.
In the end, it is very hard to properly implement the scenario that you described, because there are so many privileges, and a user needs to have a lot of them to even use CRM. I've tried this once but could not satisfy the business requirement; it always ended up with using the System Admin role, because there was always some scenario that could not have been handled by a user with only this "specific" security-modification role.
Assigning the 'System Administrator' security role and changing the Access Mode in the user record to 'Administrative' helped me to achieve this. The user still cannot access any transaction data. So, I think you can go for this approach.

Magento 1.9.2.4 Admin Permission Role and Users Issue

In Magento, I can create a sub-admin with access to limited resources. But if I allow a sub-admin to create a new sub-admin role and user, then he is allowed to give the new sub-admin all access, even to resources that are not available to him.
(I mean all the modules are available to him in the Role Resources tree under Add New Role, even those not assigned to him.)
For example: if a sub-admin does not have access to Reports or Orders, he should not be able to grant Reports or Orders access to the other user he is creating.
Any suggestions?
If you are giving User & Role access to a sub-admin, then he/she can create new users as well as roles. Magento doesn't check its own access level. According to your requirement, you have to override the admin Permission module.
Create a custom extension to overcome this issue, or try a ready-made extension for it.
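The three answers above describe one and the same check from three products: ServiceNow refuses to let an admin grant security_admin without holding it, CRM refuses to let a user hand out an access level higher than their own, and Magento is criticised for not performing the check at all. The block below is an added example, not code from any of those posts or products, that models that check in plain JavaScript. The role names, privilege names, access levels and user assignments are all constructed for illustration.

```javascript
// Added example, not code from any of the posts above. It models the rule all
// three threads state: a grantor may give a target only privileges the grantor
// already holds, at a level no higher than the grantor's own. Role names,
// privilege names and access levels are constructed for illustration and are
// not any product's real identifiers.

// Access levels ordered low to high (modelled on Dynamics CRM access depth:
// None < User < Business Unit < Parent: Child Business Units < Organization).
const LEVELS = ["none", "user", "business_unit", "parent_child", "organization"];

function rank(level) {
  const i = LEVELS.indexOf(level);
  if (i < 0) throw new Error(`unknown access level: ${level}`);
  return i;
}

// A role maps privilege -> access level; a privilege not listed is "none".
// Constructed sample roles covering the three scenarios on this page.
const ROLES = {
  // ServiceNow-style: plain admin does not hold the acl.manage privilege
  // that only the (assumed) security_admin role carries.
  admin:          { "user.manage": "organization", "role.manage": "organization" },
  security_admin: { "acl.manage": "organization" },
  // CRM-style: delegated IT edits security roles but reads accounts only in
  // its own business unit, so it may not hand out organization-wide reads.
  local_it:       { "security_role.write": "business_unit", "account.read": "business_unit" },
  sales_org:      { "account.read": "organization" },
  // Magento-style: a resource is simply held or not held.
  catalog_only:   { "catalog.manage": "organization" },
  reports_orders: { "reports.view": "organization", "orders.view": "organization" },
};

// Effective privileges of a user: the per-privilege maximum over held roles.
function effectivePrivileges(heldRoles, roles = ROLES) {
  const eff = {};
  for (const roleName of heldRoles) {
    const role = roles[roleName];
    if (!role) throw new Error(`unknown role: ${roleName}`);
    for (const [priv, level] of Object.entries(role)) {
      if (eff[priv] === undefined || rank(level) > rank(eff[priv])) eff[priv] = level;
    }
  }
  return eff;
}

// Privileges in `roleName` that exceed the grantor's effective level.
// An empty list means granting the role escalates nothing.
function escalations(grantorRoles, roleName, roles = ROLES) {
  const mine = effectivePrivileges(grantorRoles, roles);
  const wanted = roles[roleName];
  if (!wanted) throw new Error(`unknown role: ${roleName}`);
  return Object.entries(wanted)
    .filter(([priv, level]) => rank(level) > rank(mine[priv] || "none"))
    .map(([priv, level]) => `${priv}=${level}`);
}

// The guard. `assignments` maps user -> array of held roles and is updated in
// place on success. Self-grants go through the same check, so an admin who
// lacks security_admin cannot give it to anyone, themselves included.
function grantRole(assignments, grantor, target, roleName, roles = ROLES) {
  const over = escalations(assignments[grantor] || [], roleName, roles);
  if (over.length > 0) {
    return { ok: false, reason: `${grantor} cannot grant ${roleName}: exceeds grantor on ${over.join(", ")}` };
  }
  const held = new Set(assignments[target] || []);
  held.add(roleName);
  assignments[target] = [...held];
  return { ok: true, reason: "" };
}

// Constructed starting state.
function sampleAssignments() {
  return {
    alice: ["admin"],                     // admin without security_admin
    bob:   ["security_admin", "admin"],
    carol: ["local_it"],
    dave:  ["catalog_only"],
    erin:  [],
  };
}

// Demo run: one line per attempted grant.
const demo = sampleAssignments();
for (const [grantor, target, role] of [
  ["alice", "alice", "security_admin"], // ServiceNow: self-elevation refused
  ["bob",   "alice", "security_admin"], // a holder of the role may grant it
  ["carol", "erin",  "sales_org"],      // CRM: organization > business_unit
  ["carol", "erin",  "local_it"],       // same level as grantor: allowed
  ["dave",  "erin",  "reports_orders"], // Magento: resources dave lacks
]) {
  const r = grantRole(demo, grantor, target, role);
  console.log(`${grantor} -> ${target} ${role}: ${r.ok ? "granted" : r.reason}`);
}
```

The Magento fix suggested in the answer (overriding the permission module) amounts to running `escalations` against the grantor's own resources before rendering the Role Resources tree, so that only resources the grantor holds are offered; in CRM and ServiceNow the platform performs the equivalent comparison itself. Note that the guard compares effective privileges, not role names, so a user who accumulates a privilege from several roles is judged on the maximum they actually hold.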

WAS 7.0 Adding User to Administrative Role using WSADMIN

I am unable to grant a user the ISC Admin or Administrator role in the ISC portal. How do I grant an LDAP user the administrator role in ISC without using the ISC portal?
The reason is that in the ISC portal, after I click "OK" to process, nothing happens.
This is how you add users to an administrative role, such as Administrator role or iscadmin role (taken from http://pic.dhe.ibm.com/infocenter/wasinfo/v7r0/topic/com.ibm.websphere.express.doc/info/exp/ae/rxml_7libsecurity.html):
Syntax
AdminAuthorizations.mapUsersToAdminRole(authGroupName, adminRole, userIDs)
Example usage
AdminAuthorizations.mapUsersToAdminRole("myAuthGroup", "administrator", "user01 user02 user03")
Also have a look at the links in the InfoCenter, as they will help you with all the related tasks and wsadmin commands.
AuthorizationGroupCommands command group for the AdminTask object
Authorization group configuration scripts
In case someone is looking for this (like me) in WAS 9 ND: the method has changed slightly.
It is now documented in https://www.ibm.com/support/knowledgecenter/en/SSAW57_8.5.5/com.ibm.websphere.nd.multiplatform.doc/ae/rxml_atauthorizationgroup.html, and it is not in the AdminAuthorizations object anymore but in the AdminTask object, like this:
AdminTask.mapUsersToAdminRole('[-authorizationGroupName groupName -roleName administrator -userids user1]')

Listing Windows user accounts that are visible to user at login screen

I would like to list Windows user accounts, but ONLY those that are visible at the login screen, the one that is displayed after Windows boots.
I googled and all I found boils down to this method:
http://www.mydigitallife.info/how-to-create-hidden-user-account-hide-user-account-from-welcome-screen-in-windows/
However, on my computer there are no registry keys that are mentioned in the above article - I don't want to create them, I want to check something that already exists.
I use the following query:
using System.Collections.Generic;
using System.Management;

// Enumerate local accounts via WMI and keep the ones the isInteresting()
// filter accepts (isInteresting is the poster's own filter on
// Win32_UserAccount properties and is not shown in the post).
List<string> list = new List<string>();
SelectQuery query = new SelectQuery("Win32_UserAccount");
using (ManagementObjectSearcher searcher = new ManagementObjectSearcher(query))
{
    foreach (ManagementObject obj in searcher.Get())
    {
        if (isInteresting(obj))
        {
            list.Add(obj.GetPropertyValue("Name").ToString());
        }
    }
}
With the properties of the objects returned by the above query I managed to filter out some accounts (full list of those properties: http://msdn.microsoft.com/en-us/library/windows/desktop/aa394507(v=vs.85).aspx#properties), but there is still some junk from the point of view of an everyday user (like accounts used for updates by driver vendors).
That registry key isn't the only reason why an account might not be displayed on the logon screen. Here are a few others:
The account is disabled
The account does not have interactive logon privilege (SeInteractiveLogonRight)
The account is explicitly denied interactive logon privilege (SeDenyInteractiveLogonRight)
Usually SeInteractiveLogonRight is granted to the Guest user, plus members of the Administrators, Users, and Backup Operators groups. Any account (other than Guest) that isn't a member of one of these groups will probably not be shown on the logon screen. (I'm not sure what happens if SeInteractiveLogonRight has been removed from one of these groups, I wouldn't be surprised if the logon screen showed the accounts anyway.)
You can use LsaEnumerateAccountRights to check whether an account has SeDenyInteractiveLogonRight applied, or LsaEnumerateAccountsWithUserRight to get a list of affected accounts. Usually individual accounts, rather than groups, are granted this right, so it is likely that the logon screen checks accounts in this way.
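The answer above lists four independent reasons an account stays off the logon screen: it is disabled, it lacks SeInteractiveLogonRight (directly or through group membership), it carries SeDenyInteractiveLogonRight, or it is hidden through the SpecialAccounts\UserList registry value the question mentions. The block below is an added example, not code from the question or the answer, that applies those rules to constructed account data so the filter logic can be checked end to end; the account names, group memberships and rights assignments are all made up, and names stand in for the SIDs a real check would compare.

```javascript
// Added example, not code from the question or answer above. It applies the
// answer's rules to constructed account data and returns the accounts that
// should appear on the logon screen. On a real host the inputs come from
// Win32_UserAccount (Name, Disabled), group membership, the LSA user-rights
// assignments (LsaEnumerateAccountsWithUserRight, or the [Privilege Rights]
// section of a `secedit /export /cfg` dump) and the optional
// HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
// values. Here all of it is embedded as sample data.

// Principals normally holding SeInteractiveLogonRight on a workstation, as the
// answer states: the Guest account plus three built-in groups.
const ALLOW_INTERACTIVE = new Set(["Guest", "Administrators", "Users", "Backup Operators"]);
// Principals carrying SeDenyInteractiveLogonRight. Deny wins over allow.
const DENY_INTERACTIVE = new Set(["svc_updater"]);
// SpecialAccounts\UserList: name -> 0 hides the account, nonzero shows it.
const USERLIST = { hidden_helper: 0 };

// Constructed accounts (names stand in for the SIDs a real check would use).
const ACCOUNTS = [
  { name: "alice",         disabled: false, groups: ["Administrators"] },
  { name: "bob",           disabled: false, groups: ["Users"] },
  { name: "Guest",         disabled: true,  groups: ["Guests"] },
  { name: "svc_updater",   disabled: false, groups: ["Users"] },                // explicitly denied
  { name: "hidden_helper", disabled: false, groups: ["Users"] },                // hidden via UserList
  { name: "svc_backup",    disabled: false, groups: ["Backup Operators"] },
  { name: "kiosk_task",    disabled: false, groups: ["Remote Desktop Users"] }, // no interactive right
];

const DEFAULT_POLICY = { allow: ALLOW_INTERACTIVE, deny: DENY_INTERACTIVE, userList: USERLIST };

// Reason the account is hidden from the logon screen, or null if it is shown.
// Checks run in the order Windows effectively applies them: a disabled account
// never logs on, an explicit deny overrides any allow, and the registry hint
// only matters for an account that could otherwise log on interactively.
// Assumption (the answer is unsure on this point): an account none of whose
// principals hold SeInteractiveLogonRight is treated as hidden.
function hiddenReason(account, policy = DEFAULT_POLICY) {
  if (account.disabled) return "account disabled";
  const principals = [account.name, ...account.groups];
  if (principals.some((p) => policy.deny.has(p))) return "SeDenyInteractiveLogonRight";
  if (!principals.some((p) => policy.allow.has(p))) return "no SeInteractiveLogonRight";
  if (policy.userList[account.name] === 0) return "SpecialAccounts\\UserList = 0";
  return null;
}

// Names of the accounts the logon screen should list.
function visibleAccounts(accounts = ACCOUNTS, policy = DEFAULT_POLICY) {
  return accounts.filter((a) => hiddenReason(a, policy) === null).map((a) => a.name);
}

// "name: reason" for every account that is filtered out, for auditing.
function hiddenAccounts(accounts = ACCOUNTS, policy = DEFAULT_POLICY) {
  return accounts
    .map((a) => [a.name, hiddenReason(a, policy)])
    .filter(([, reason]) => reason !== null)
    .map(([name, reason]) => `${name}: ${reason}`);
}

console.log("visible:", visibleAccounts());
console.log("hidden:", hiddenAccounts());
```

On a real machine the two rights sets are read rather than hard-coded: `secedit /export /cfg policy.inf` writes a [Privilege Rights] section with lines such as `SeInteractiveLogonRight = ...` and `SeDenyInteractiveLogonRight = ...` listing SIDs, which is the same data LsaEnumerateAccountsWithUserRight returns programmatically. Resolving each account's group SIDs and matching on SIDs instead of names avoids the ambiguity of localized group names.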
