[Search for users] [Overall Top Noters] [List of all Conferences] [Download this site]

Conference microw::acmsxp

Title:	ACMSxp product questions and comments
Notice:	Refer to notes 1 through 11 for conference information
Moderator:	DUCAT::ROSCOE

Created:	Tue Oct 05 1993
Last Modified:	Thu Jun 05 1997
Last Successful Update:	Fri Jun 06 1997
Number of topics:	282
Total number of notes:	1134

261.0. "Q: How allow the another principal access?" by TKOV60::OKAMURA (H.Okamura PS4-2/EJD3/NSIS, Japan) Tue Mar 04 1997 05:35

I have simple question regarding to ACMSxp security issue.

Background:

My customer want to restrict the user access to the task servers using DCE
security feature. So, he provides several DCE principal belonging to the
individual groups.

Question:

I've confirmed to reject the user access to the task server which owned by
another principal. For instance, the 'acmsuser' tpsystem which created by
'acmsuser' principal rejects the access by the 'nttuser' principal.

How do I set the ACL for ACMSxp and CDS to allow the access by 'nttuser'
principal to the 'acmsuser' tpsystem? Although I've added same ACL to the
TPsystem and servers and CDS directory, nothing has happened.

According to the ACMS log file, this rejection occurred ACMSxp authorization
phase.

Thanks,
Hiroaki

********************************************************************************
USER:  acmsuser
TIME:  1997-03-04-09:55:30
POSTED BY:  Server Process
PID:  419
TYPE:  security
EXECUTION CONTEXT INFORMATION:  
    TPSystem:  /.:/acmsxp010/acmsuser
    Server:  banktg_svr
    Interface:  banktg
    Device:  WINDOW
    Request ID:  e5a59494-9464-11d0-9e28-08002b3c1af8
    PRINCIPAL:  /.../jwblue_cell/nttuser
    Procedure:  CUSTOMERVALIDATE_TASK
PERMISSIONS:  x
PRINCIPAL:  /.../jwblue_cell/acmsuser

Authorization attempt failed on PROCEDURE entity
ENTITY CLASS:  Procedure
    TPSystem:  acmsuser
    Server:  banktg_svr
    Interface:  banktg
    Procedure:  customervalidate_task

********************************************************************************
USER:  acmsuser
TIME:  1997-03-04-09:55:30
POSTED BY:  Server Process
PID:  419
TYPE:  fault
EXECUTION CONTEXT INFORMATION:  
    TPSystem:  /.:/acmsxp010/acmsuser
    Server:  banktg_svr
    Interface:  banktg
    Device:  WINDOW
    Request ID:  e5a59494-9464-11d0-9e28-08002b3c1af8
    PRINCIPAL:  /.../jwblue_cell/nttuser
    Procedure:  CUSTOMERVALIDATE_TASK
SEVERITY:  fatal

tps MESSAGE TEXT:  %TPS-F-ACCESSDENIED, Access denied

T.R	Title	User	Personal Name	Date	Lines
261.1		DUCAT::ROSCOE		`Tue Mar 04 1997 09:40`	4
	Please show us the acl that you added. Also to what entity do you add the acl to? Have you read chapter 20 (security) of the developing and managing applications Guide. This chapter explains how to do this. The book can be found in ACMSXP$PUBLIC:[v30_documentation]ACMSXP_V30_APPS_SSB.PS
261.2	Thanks	TKOV60::OKAMURA	H.Okamura PS4-2/EJD3/NSIS, Japan	`Wed Mar 05 1997 09:49`	8
	Thanks Rich, >can be found in ACMSXP$PUBLIC:[v30_documentation]ACMSXP_V30_APPS_SSB.PS This material is excellent! I've added ACE to the interface and could invoke the task with other principal rights. Hiroaki
261.3	another question	TKOV60::OKAMURA	H.Okamura PS4-2/EJD3/NSIS, Japan	`Thu Mar 13 1997 07:19`	14
	I have a another question regarding to access control. I've understood to be able to control the user access for several unit (ex. SERVER, INTERFACE, PROCEDURE, etc.) using acmsadmin utility. I'd like to know the resolution or unit to manipulate using acl_edit utility. I found similler discussion on Conf. DCE-PRODUCTS topic 1436 posted by Kyungae-san. Is it possible to modify the ACE for task server entry in CDS by acl_edit? Does acmsadmin use its own ACL manager to manipulate the ACE for this entry? Thanks, Hiroaki
261.4		CAMINO::ROSCOE		`Thu Mar 13 1997 22:25`	15
	>>>Is it possible to modify the ACE for task server entry in CDS by acl_edit? Yes. If you have a windows NT machine that is part of your DCE cell a nice acl editor exists that can be used to help you do this. In fact if a windows NT machine isn't part of your DCE cell you should consider adding a Windows NT machine running DCE V1.1C to your cell. DCE V1.1C on the NT platform has a lot of nice GUI interfaces for the DCE utilities. >>>Does acmsadmin use its own ACL manager to manipulate the ACE for this entry? No, you would have to use the DCE acl edit utility to do this. The acmsadmin utility manipulates data that is stored in the ACMSxp CDB. CDB stand for configuration database.
261.5	check the acmsxp NT GUI also	SIOG::KEYES	Digital Appliation Gen. DTN 827-2705	`Fri Mar 14 1997 04:17`	13
	>In fact if a windows NT machine isn't part of your DCE cell you should consider adding a Windows NT machine running DCE V1.1C to your cell. I would second that..very nice GUI for control. Also (unrelated to this specific topic) but the ACMSXP V3.0 NT GUI is excellent also. Well worth putting on if you will have an NT machine around set up as Rich suggests. This is very helpful viewing your TP systems..be they on NT,UNIX etc etc..real nice work rgs Mick