Re: Email engine is a server group
In a server group the email engine runs on all of the servers but is put in a suspended state on all but the highest ranked. Should the highest ranked AR server fail then the next highest ranked email engine is signalled (by its AR server) to resume processing. When the higher ranked server comes back online it resumes processing and the lower ranked one is suspended.

The messages you see during startup (java.net.ConnectException: Connection refused Email Engine currently is not up) happen because the server tries to signal the email engine before it has been started by armonitor - you can ignore them or put the email engine before the server in armonitor.cfg.

The suspend/resume signal is sent by the server running a Java process - if you're on Unix you can enable arfork logging and see this - the commands are

$ java -jar EmailAdminAgent.jar suspend/resume

If you're trying to diagnose a problem with failover operations enable server group logging and you should see the secondary server detecting the primary fail and resuming the email engine.

Mark

-----Original Message-----
From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORG] On Behalf Of Grooms, Frederick W
Sent: 30 January 2014 22:31
To: arslist@ARSLIST.ORG
Subject: Re: Email engine is a server group

The emaild.sh script in the directory has the following options

usage: emaild.sh { start | stop | status }

The status option gives something like

./emaild.sh status
checking BMC Remedy Email Engine ...
BMC Remedy Email Engine is running on port xx

-----Original Message-----
From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORG] On Behalf Of Brittain, Mark
Sent: Thursday, January 30, 2014 3:49 PM
To: arslist@ARSLIST.ORG
Subject: Re: Email engine is a server group

Hi Fred,

I can see the emaildaemon.jar but would that confirm the email engine is running? When I started the AR Server it displayed the following

BMC Remedy Email Engine has started
AR System Plugin Version 7.6.04 SP3
Remote Exception java.rmi.ConnectException: Connection refused to host: local host; nested exception is:
java.net.ConnectException: Connection refused
Email Engine currently is not up

Is there another way to verify the email engine is running or not?

Thanks
Mark

-----Original Message-----
From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORG] On Behalf Of Grooms, Frederick W
Sent: Thursday, January 30, 2014 4:32 PM
To: arslist@ARSLIST.ORG
Subject: Re: Email engine is a server group

That means the server's sendmail daemon is running
The ARS Email Engine would show up as a java process running emaildaemon.jar

Fred

-----Original Message-----
From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORG] On Behalf Of Brittain, Mark
Sent: Thursday, January 30, 2014 3:27 PM
To: arslist@ARSLIST.ORG
Subject: Re: Email engine is a server group

Hi Doug LJ,

On Linux 5. Did a ps -ef|grep 'mail' and got this. Any idea what it means?

root 27974 5433 0 14:15 ? 00:00:00 sendmail: server server name [server ip] cmd read

thanks
Mark

-----Original Message-----
From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORG] On Behalf Of Tanner, Doug
Sent: Thursday, January 30, 2014 3:08 PM
To: arslist@ARSLIST.ORG
Subject: Re: Email engine is a server group

Yes, and the service does NOT auto-start if the other one stops,

Doug

-----Original Message-----
From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORG] On Behalf Of Brittain, Mark
Sent: Thursday, January 30, 2014 3:02 PM
To: arslist@ARSLIST.ORG
Subject: Email engine is a server group

Hi All,

I have two servers in a server group. I stopped one of the servers and then restarted. Came up fine except for the email engine. Connection refused, to host. Currently the second server is handling the email and connects to the mailbox on a Linux server.

Could this be normal? Only one server can connect to the mailbox at a time?

ARS 7.6.04 SP3

Thanks
Mark

Mark Brittain
Remedy Developer
ITILv3 Foundation, Continual Service Improvement
NaviSite, Inc. - A Time Warner Cable Company
mbritt...@navisite.com
Office: 315.634.9337
Mobile: 315.882.5360

___ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org Where the Answers Are, and have been for 20 years
8.1-Blank column space is displayed in preferences-Remove on Approval Central
Hi Team,

I am facing an issue with the table list in Quick links - Approval Central -. Preferences in the table showing blank in the Remove columns option.

Expectation - The blank columns should not be present in preferences of the table.

Environment - ITSM 8.1.

Any loop will be highly appreciated.

Abhishek A
Remedy Dev.
User belonging to Task assigned group is not able to modify the Task Request
Hi all

I am facing a big issue regarding tasks. I've tried to explain the situation below:

User belonging to Task assigned group is not able to modify the Task Request

Change created by member of support group A
Change Coordinator Group = support group A
Change Manager Group = support group B
Task assigned to = support group C
A user with change user permission and belonging to support group C.
Task Phase Management is enabled.

After moving the change request further to Scheduled status, the user opens the task. At this stage the task opens in Modify mode; however, when the user tries to update something, workflow executes the error message below:

You do not have access to modify this request. (ARERR 48731)

ACTUAL RESULTS: User belonging to Task assigned group is not able to modify the task
EXPECTED RESULTS: User belonging to Task assigned group should be able to modify the task
ENVIRONMENT: ITSM 8.1 Patch 2

I have patched the environment with patch 2 and also tried manually to implement the hotfix below. Still the same issue.

See knowledge article: KA304431
Ref.: https://kb.bmc.com/infocenter/index?page=contentid=S:KA304431

Best regards
Rasmus
Ad: User belonging to Task assigned group is not able to modify the Task Request
Hi

I've had the same issue. I got this one from BMC Support

KA395105
https://kb.bmc.com/infocenter/index?page=contentid=KA395105actp=searchviewlocale=en_USsearchid=1391171543262

This is for ITSM 8.1 with no patch, but we had the issue even when running ITSM 8.1 patch 002. After applying this hotfix the issue was resolved

Best Regards
Rudi Martinsen
Mob: +47 92 03 34 06
NorgesGruppen Data AS
Postboks 130 Sentrum | Bedriftsveien 9
N - 0102 OSLO
Tel: +47 24 17 60 00, fax: +47 24 17 60 10

From: Rasmus JORGENSEN rasmus.jorgen...@steria.dk
To: arslist@ARSLIST.ORG
Date: 31.01.2014 13:26
Subject: User belonging to Task assigned group is not able to modify the Task Request
Sent by: Action Request System discussion list(ARSList) arslist@ARSLIST.ORG

Hi all

I am facing a big issue regarding tasks. I've tried to explain the situation below:

User belonging to Task assigned group is not able to modify the Task Request

Change created by member of support group A
Change Coordinator Group = support group A
Change Manager Group = support group B
Task assigned to = support group C
A user with change user permission and belonging to support group C.
Task Phase Management is enabled.

After moving the change request further to Scheduled status, the user opens the task. At this stage the task opens in Modify mode; however, when the user tries to update something, workflow executes the error message below:

You do not have access to modify this request. (ARERR 48731)

ACTUAL RESULTS: User belonging to Task assigned group is not able to modify the task
EXPECTED RESULTS: User belonging to Task assigned group should be able to modify the task
ENVIRONMENT: ITSM 8.1 Patch 2

I have patched the environment with patch 2 and also tried manually to implement the hotfix below. Still the same issue.

See knowledge article: KA304431
Ref.: https://kb.bmc.com/infocenter/index?page=contentid=S:KA304431

Best regards
Rasmus
Re: User belonging to Task assigned group is not able to modify the Task Request
Hi Rudy

Thanks for the quick response. BUT I already tried the hotfix which didn't solve the issue. I have also cleaned all temp files, restarted tomcat etc. etc.

Best Regards

From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORG] On Behalf Of Rudi Martinsen
Sent: 31 January 2014 13:37
To: arslist@ARSLIST.ORG
Subject: Ad: User belonging to Task assigned group is not able to modify the Task Request

Hi

I've had the same issue. I got this one from BMC Support

KA395105
https://kb.bmc.com/infocenter/index?page=contentid=KA395105actp=searchviewlocale=en_USsearchid=1391171543262

This is for ITSM 8.1 with no patch, but we had the issue even when running ITSM 8.1 patch 002. After applying this hotfix the issue was resolved

Best Regards
Rudi Martinsen
Mob: +47 92 03 34 06
NorgesGruppen Data AS
Postboks 130 Sentrum | Bedriftsveien 9
N - 0102 OSLO
Tel: +47 24 17 60 00, fax: +47 24 17 60 10

From: Rasmus JORGENSEN rasmus.jorgen...@steria.dk
To: arslist@ARSLIST.ORG
Date: 31.01.2014 13:26
Subject: User belonging to Task assigned group is not able to modify the Task Request
Sent by: Action Request System discussion list(ARSList) arslist@ARSLIST.ORG

Hi all

I am facing a big issue regarding tasks. I've tried to explain the situation below:

User belonging to Task assigned group is not able to modify the Task Request

Change created by member of support group A
Change Coordinator Group = support group A
Change Manager Group = support group B
Task assigned to = support group C
A user with change user permission and belonging to support group C.
Task Phase Management is enabled.

After moving the change request further to Scheduled status, the user opens the task. At this stage the task opens in Modify mode; however, when the user tries to update something, workflow executes the error message below:

You do not have access to modify this request. (ARERR 48731)

ACTUAL RESULTS: User belonging to Task assigned group is not able to modify the task
EXPECTED RESULTS: User belonging to Task assigned group should be able to modify the task
ENVIRONMENT: ITSM 8.1 Patch 2

I have patched the environment with patch 2 and also tried manually to implement the hotfix below. Still the same issue.

See knowledge article: KA304431
Ref.: https://kb.bmc.com/infocenter/index?page=contentid=S:KA304431

Best regards
Rasmus
Re: Target Attack and BMC Software ITSM?
Thanks Michelle,

I didn't see it on the support page just now, but in their press release section:
http://www.bmc.com/news/press-releases/2014/BMC-Software-Comments-on-Speculation-Concerning-the-Target-Breach.html?c=n

David D.

David Durling
University of Georgia

-----Original Message-----
From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORG] On Behalf Of Lucero, Michelle
Sent: Thursday, January 30, 2014 8:04 PM
To: arslist@ARSLIST.ORG
Subject: Re: Target Attack and BMC Software ITSM?

Hi, Nate:

Thank you for pointing that out for everyone. The original Star Tribune article never specifically mentions ITSM. It says, ..an IT management software product.

Also, BMC has placed a statement on the home page of the bmc.com/support. I read it, yesterday. It should still be there today.

Thank you,
Michelle

-----Original Message-----
From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORG] On Behalf Of Nathan Aker
Sent: Thursday, January 30, 2014 5:22 PM
To: arslist@ARSLIST.ORG
Subject: Re: Target Attack and BMC Software ITSM?

This article states it was a user from the Performance Assurance suite, not ITSM.
http://krebsonsecurity.com/2014/01/new-clues-in-the-target-breach/

Nathan Aker
IT Service Management

-----Original Message-----
From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORG] On Behalf Of Ortega, Jesus A
Sent: Thursday, January 30, 2014 4:47 PM
To: arslist@ARSLIST.ORG
Subject: Re: Target Attack and BMC Software ITSM?

I guess it's good that BMC is private now or else their stock price would have started tanking after this news. Good move, BMC.

-----Original Message-----
From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORG] On Behalf Of Jeff Lockemy
Sent: Thursday, January 30, 2014 7:23 AM
To: arslist@ARSLIST.ORG
Subject: OT: Target Attack and BMC Software ITSM?

This news article hit today...
http://www.startribune.com/business/242688511.html

It says that a default password in a BMC ITSM product may have contributed to the target attack.

Jeff

Jeff Lockemy
Lead Engineer, NAVY 311
Enterprise Service Management PMW-240
ITIL V3 Foundation Certified
QMX Support Services Inc.
Re: Target Attack and BMC Software ITSM?
I thought Demo was an admin. Still think you can't do something?

-John

On Thu, Jan 30, 2014 at 10:21 PM, David Charters da...@charterstechnologies.com wrote:

That bs. I know every inch of itsm and no back door exists. Even if some knuckle head left demo open you couldn't use it to do this type of attack. It's just political finger pointing!

Sincerely,
David Charters
Charters Technologies
317-331-8985

Original message
From: Nathan Aker
Date: 01/30/2014 6:21 PM (GMT-05:00)
To: arslist@ARSLIST.ORG
Subject: Re: Target Attack and BMC Software ITSM?

This article states it was a user from the Performance Assurance suite, not ITSM.
http://krebsonsecurity.com/2014/01/new-clues-in-the-target-breach/

Nathan Aker
IT Service Management

-----Original Message-----
From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORG] On Behalf Of Ortega, Jesus A
Sent: Thursday, January 30, 2014 4:47 PM
To: arslist@ARSLIST.ORG
Subject: Re: Target Attack and BMC Software ITSM?

I guess it's good that BMC is private now or else their stock price would have started tanking after this news. Good move, BMC.

-----Original Message-----
From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORG] On Behalf Of Jeff Lockemy
Sent: Thursday, January 30, 2014 7:23 AM
To: arslist@ARSLIST.ORG
Subject: OT: Target Attack and BMC Software ITSM?

This news article hit today...
http://www.startribune.com/business/242688511.html

It says that a default password in a BMC ITSM product may have contributed to the target attack.

Jeff

Jeff Lockemy
Lead Engineer, NAVY 311
Enterprise Service Management PMW-240
ITIL V3 Foundation Certified
QMX Support Services Inc.

--
John Sundberg
Kinetic Data, Inc.
651-556-0930 | john.sundb...@kineticdata.com
www.kineticdata.com | community.kineticdata.com
Re: Target Attack and BMC Software ITSM?
Just so we are all using the same terminology, a backdoor is intentionally hidden (although it may be discovered), so anything documented, like Demo, is not a backdoor. http://en.wikipedia.org/wiki/Backdoor_(computing)

Doug Mueller wrote:

Now, there are a bunch of other security settings that I encourage you to use --
-- restrict where run processes can run processes
-- control the shell under which processes can run
-- use the password management feature to enforce password rules
-- use the feature that disables an account after x bad password attempts (and make x a relatively small number like 5 or at most 10)
-- disallow blank passwords (except for AREA cross-reference situations)
-- and a number of other things

I am sure all of you have used arcache to insert a new admin account into the system because [cough] someone ELSE changed the password of the admin account and forgot it. That is not a backdoor either, but a well-documented front door in breaking into the ARS server. I haven't had to use this in a while, so I don't know if the security parameters have changed, but you used to be able to install arcache on your laptop and run it against a remote server.

One of the security measures NOT mentioned above is to secure arcache by using Disable-User-Cache-Utilities: T in the ar.cfg. This then requires that anyone wishing to use the utility must have access to the file ON the server, thus providing another layer of security.

Doug also wrote:

Remedy should not be vulnerable to attack of the kind described unless you have opened your systems to the outside

Unfortunately, firewalls don't always help in this regard. Still waiting for details (that may never come), but malware inserted inside the firewall, and unfortunately masquerading as another BMC product (Bladelogic), was used as an intermediary between the POS malware and dumping the data outside. At least if I read the preliminary forensics report correctly.
http://blogs.mcafee.com/mcafee-labs/analyzing-the-target-point-of-sale-malware

From the above link

Note: The reference to “bladelogic” is a method of obfuscation. The malware does not compromise, or integrate with, any BMC products in any way. The executable name “bladelogic.exe” does not exist in any piece of legitimate BMC software.

Regards,
Dale Hurtt
SPEC IT LLC
Contractor for US Army Information Systems Engineering Command (USAISEC)
Re: Target Attack and BMC Software ITSM?
Dale,

arcache was updated a few versions ago to be able to only be run from the server, it no longer offers an option for what host to connect to...so it has to be run locally, which greatly increases its security...and as you mentioned, if you have that config option set...you can't even do it locally without updating parameters :)

On Fri, Jan 31, 2014 at 9:25 AM, Dale Hurtt dale_hu...@yahoo.com wrote:

Just so we are all using the same terminology, a backdoor is intentionally hidden (although it may be discovered), so anything documented, like Demo, is not a backdoor. http://en.wikipedia.org/wiki/Backdoor_(computing)

Doug Mueller wrote:

Now, there are a bunch of other security settings that I encourage you to use --
-- restrict where run processes can run processes
-- control the shell under which processes can run
-- use the password management feature to enforce password rules
-- use the feature that disables an account after x bad password attempts (and make x a relatively small number like 5 or at most 10)
-- disallow blank passwords (except for AREA cross-reference situations)
-- and a number of other things

I am sure all of you have used arcache to insert a new admin account into the system because [cough] someone ELSE changed the password of the admin account and forgot it. That is not a backdoor either, but a well-documented front door in breaking into the ARS server. I haven't had to use this in a while, so I don't know if the security parameters have changed, but you used to be able to install arcache on your laptop and run it against a remote server.

One of the security measures NOT mentioned above is to secure arcache by using Disable-User-Cache-Utilities: T in the ar.cfg. This then requires that anyone wishing to use the utility must have access to the file ON the server, thus providing another layer of security.

Doug also wrote:

Remedy should not be vulnerable to attack of the kind described unless you have opened your systems to the outside

Unfortunately, firewalls don't always help in this regard. Still waiting for details (that may never come), but malware inserted inside the firewall, and unfortunately masquerading as another BMC product (Bladelogic), was used as an intermediary between the POS malware and dumping the data outside. At least if I read the preliminary forensics report correctly.
http://blogs.mcafee.com/mcafee-labs/analyzing-the-target-point-of-sale-malware

From the above link

Note: The reference to bladelogic is a method of obfuscation. The malware does not compromise, or integrate with, any BMC products in any way. The executable name bladelogic.exe does not exist in any piece of legitimate BMC software.

Regards,
Dale Hurtt
SPEC IT LLC
Contractor for US Army Information Systems Engineering Command (USAISEC)
Re: Target Attack and BMC Software ITSM?
Dale,

To address your question about arcache

That utility can only run on and work against an AR System server running on the same machine. That was changed a number of years ago (probably as many as 4 or 5) from being able to be run remotely. It always was protectable from being run, but we decided to go one step further and allow it only to be run on the same machine.

And again, even there, it can be disabled as you mention using a configuration setting -- and it is recommended for security purposes that you do indeed set that setting and only allow the recovery tool (which is what arcache is) to run when you are trying to do a recovery by temporarily resetting the option to allow the utility when needed.

Doug Mueller

-----Original Message-----
From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORG] On Behalf Of Dale Hurtt
Sent: Friday, January 31, 2014 8:25 AM
To: arslist@ARSLIST.ORG
Subject: Re: Target Attack and BMC Software ITSM?

Just so we are all using the same terminology, a backdoor is intentionally hidden (although it may be discovered), so anything documented, like Demo, is not a backdoor. http://en.wikipedia.org/wiki/Backdoor_(computing)

Doug Mueller wrote:

Now, there are a bunch of other security settings that I encourage you to use --
-- restrict where run processes can run processes
-- control the shell under which processes can run
-- use the password management feature to enforce password rules
-- use the feature that disables an account after x bad password attempts (and make x a relatively small number like 5 or at most 10)
-- disallow blank passwords (except for AREA cross-reference situations)
-- and a number of other things

I am sure all of you have used arcache to insert a new admin account into the system because [cough] someone ELSE changed the password of the admin account and forgot it. That is not a backdoor either, but a well-documented front door in breaking into the ARS server. I haven't had to use this in a while, so I don't know if the security parameters have changed, but you used to be able to install arcache on your laptop and run it against a remote server.

One of the security measures NOT mentioned above is to secure arcache by using Disable-User-Cache-Utilities: T in the ar.cfg. This then requires that anyone wishing to use the utility must have access to the file ON the server, thus providing another layer of security.

Doug also wrote:

Remedy should not be vulnerable to attack of the kind described unless you have opened your systems to the outside

Unfortunately, firewalls don't always help in this regard. Still waiting for details (that may never come), but malware inserted inside the firewall, and unfortunately masquerading as another BMC product (Bladelogic), was used as an intermediary between the POS malware and dumping the data outside. At least if I read the preliminary forensics report correctly.
http://blogs.mcafee.com/mcafee-labs/analyzing-the-target-point-of-sale-malware

From the above link

Note: The reference to “bladelogic” is a method of obfuscation. The malware does not compromise, or integrate with, any BMC products in any way. The executable name “bladelogic.exe” does not exist in any piece of legitimate BMC software.

Regards,
Dale Hurtt
SPEC IT LLC
Contractor for US Army Information Systems Engineering Command (USAISEC)
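The ar.cfg setting discussed in this thread (Disable-User-Cache-Utilities: T, raised by Dale Hurtt and recommended by Doug Mueller above) can be checked with a short audit script. This is an added example, not part of any list member's post and not BMC code; it assumes ar.cfg holds `Key: Value` lines with `#` comment lines, and the function name, return codes and sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: report whether the arcache recovery utility is disabled
# in an ar.cfg file, as recommended in the thread above.
# Assumptions (not taken from BMC documentation): entries are "Key: Value"
# lines, lines starting with '#' are comments, and a missing key means the
# utility has not been disabled.

# check_user_cache_utils FILE
# Prints one of: disabled | enabled | missing | conflict | invalid:<value> | unreadable
# Returns 0 only when the setting is present exactly as T.
check_user_cache_utils() {
    cfg=$1
    [ -r "$cfg" ] || { echo unreadable; return 2; }

    state=$(awk -v want="Disable-User-Cache-Utilities" '
        /^[ \t]*#/ { next }                      # skip comment lines
        {
            line = $0
            sub(/\r$/, "", line)                 # tolerate CRLF files
            i = index(line, ":")
            if (i == 0) next
            key = substr(line, 1, i - 1)
            val = substr(line, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == want) {
                n++
                if (n == 1) first = val
                else if (val != first) conflict = 1
            }
        }
        END {
            if (!n) print "missing"
            else if (conflict) print "conflict"  # same key set to different values
            else print "set:" first
        }
    ' "$cfg")

    case $state in
        set:T)    echo disabled; return 0 ;;
        set:F)    echo enabled;  return 1 ;;
        missing)  echo missing;  return 1 ;;
        conflict) echo conflict; return 1 ;;
        *)        echo "invalid:${state#set:}"; return 1 ;;
    esac
}

# Demo on a constructed sample file (not a real server's ar.cfg).
sample=$(mktemp)
printf '%s\n' \
    '# constructed sample for illustration' \
    'Server-Name: arsprod01' \
    'Disable-User-Cache-Utilities: F' > "$sample"
echo "sample ar.cfg: $(check_user_cache_utils "$sample" || true)"
rm -f "$sample"
```

A result other than `disabled` outside a planned recovery window is the condition worth alerting on, since the thread's advice is to re-enable the utility only temporarily.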
view form magic
Greetings all,

I had a couple quick questions on 8.1

1. Did they provide a way to instantly change the displayed view of a form without re-launching the form in the same window? Example: on a custom app, the desire to change from submit-custom1 view to search-custom3 view (arbitrary names) on the fly, which results in relative fields or entire tabs holders being hidden or revealed due to view membership.

2. If not, did they bring back the ability to have a field on a tabbed panel be visible on all tabs, a feature I miss from 6.x and previous. Example: of the 5 tabs in a panel, 3 of the fields are relevant to all tabs 5 and should be drilled-down to be present on all tabs (without having to re-add 5 copies of them).

As you might guess, I want to do some dynamic changes to a custom form based on actions/workflow elsewhere and would prefer this approach over a bunch of hide/reveal active links. Alternately...

3. Did they add a field/box that lets you display a form within that field and let you dynamically change/reload what form/view you display in that field/box? Similar to embedding a youtube video within a frame on your web page and/or dynamically changing the content of that frame based on workflow/triggers.

thanks in advance.
Re: view form magic
Related, was there some form of ARList purge on 12/21? I stopped receiving ARList emails on that date after many years of membership. I'd hate to think there was a bug or, worse, some admin doing it intentionally.

On Friday, January 31, 2014 11:05 AM, Ray Gellenbeck raygellenb...@yahoo.com wrote:
Re: view form magic
For #2 you can do it by not putting the fields on any of the tabs. I have a couple of forms in my 7.6.04 I do this with.

Try the following: Pull the fields completely off the tabs and then use the keyboard to position them where you want them and then bring the fields all the way to the front.

NOTE: You can't use the mouse to move the fields or that will put them in the tab, but using the keyboard will not put them in the tab.

From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORG] On Behalf Of Ray Gellenbeck
Sent: Friday, January 31, 2014 1:08 PM
To: arslist@ARSLIST.ORG
Subject: Re: view form magic
Re: view form magic
1 - No, you need to open the new window, and close the current one still. But, Field permissions are not view specific, so your scenario of switching a view to hide tabs based on user permission wouldn't work, even if they had this ability.

2 - No, they removed this capability when they changed it from 'Page Holders' to 'Panel Holders'. The reason behind this is that with all of the various panel types, it's not possible to have the same field in the same position on all panels. With that said, it's still possible to modify the form in an Admin Tool/Dev Studio that supports that, and the new server still supports that feature in backwards compatibility, as far as I know...but I honestly can't recommend doing that because it could really cause unexpected behaviors.

3 - Yes, it's an advanced setfield on View fields. You can open a form in a view field, and then the form that's opened can interact with the outside form through event workflow.

Regarding Fred's comments of putting it behind the panel...yes it works...in some ways...it works because of the fact that it's not on ANY of the tabs, and because of the way the screen draw works, it ends up 'bleeding through'...but this is certainly not an approved method, nor is it supported by BMC, and that 'feature' could change at any moment when BMC changes code during a release...so I wouldn't personally rely on it.

On Fri, Jan 31, 2014 at 12:05 PM, Ray Gellenbeck raygellenb...@yahoo.com wrote:
Re: Target Attack and BMC Software ITSM? (Disable user sub-discussion)
Everyone,

As an adjunct to this conversation, there has come up again a topic that is asked about periodically - What does the Disable mean on the User form for a user.

Well, out of the box, it doesn't mean anything. We always are considering what it should mean, but a big part of the discussion is what does it mean in conjunction with AREA and external authentication. If a user is disabled, should they fail in an AREA authentication? Or do they succeed? If they succeed, do we still add on permissions from the user record (cross-reference-blank-password) or do we authenticate them but not authorize them (confusing). Or, do we just let them succeed and attach permissions or whatever that is cross-referenced but if you chain AREA and ARS, we would be OK with AREA but not if that didn't pass and we moved to (chained to) ARS for authentication.

Anyway, for those who want to make the disable operation be meaningful, there is a simple workflow technique you can use. To offer a complete solution, we are talking about 3 or 4 filters. This would be for handling ARS validation - essentially using the 3rd option above for AREA, if the user validates with AREA, it is OK and any information on the AR System user record that is cross referenced is used - but we would not pass any authentication that is chained to ARS.

OK, the filters:

Disable an existing user

Filter that fires on Modify with a run if of TR.Status = Disabled. Action is to perform a Direct SQL command to update the password in the user_cache table to INVALID

    Update user_cache SET (password = 'INVALID') WHERE entryId = '$1$'

entry ID is the key we link by although you could also use username = '$101$' as well to set for matching user name. Either would work.

Yes, the word INVALID. This is the same value we put in the password field of the user_cache record when a user is blocked for too many bad password attempts. This user can NEVER login unless his password is reset by someone else as they cannot login to change it.

(depending on your DB as some DBs want parentheses around the set clause and others do not if there is only one item in the clause)

Prevent work on a disabled user

Filter that if Status = Disabled and Password != $NULL$ will return an error that you cannot change the password of a disabled user. Or you could block all change to a disabled user or do whatever you want here to prevent a password change for a disabled user which would then reset the password and reactivate them.

Reactivate a disabled user

Filter that if TR.Status = Enabled and DB.Status = Disabled will run a check that there is a password specified (must change password on enable) and that if you are using the user password feature you set the option to require the user to change password on first login for this user so that they have to change after login as their password is known by someone else.

Create a disabled user

Now if you want to create a disabled user, there is a bit more effort. The problem is that the user_cache entry doesn't exist for you to modify as the User record is being created. You could just disallow Status = Disabled on Create/Merge. Argument is why are you creating disabled users? Or if you want to, you need to do something to disable the user right after create (phase 3 run process that comes back and updates the user_cache entry after it is there or something similar).

Whether we add this or not is under discussion, but it is clearly something you can do on your own system if desired. I just wanted to get a solution out there for folks who wanted to do something in this area.

I hope this is useful,

Doug Mueller
Re: Target Attack and BMC Software ITSM?
Boom, you hit the nail on the head David.

I find it interesting that Target uses ServiceNow for ITSM. It’s probably connected in some way. I can see the SNOW people using this as fodder for the follow up PR newswire that says… Target replaces BMC automation suite with ServiceNow to enhance security, improve automation, etc…

Lee Cullom | Northcraft Analytics
IT Metrics Specialist | Business Intelligence for ITSM
Direct - 678-438-7244 | http://www.northcraftanalytics.com/
Main - (678) 664-ITSM

From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORG] On Behalf Of David Charters
Sent: Thursday, January 30, 2014 11:21 PM
To: arslist@ARSLIST.ORG
Subject: Re: Target Attack and BMC Software ITSM?

That bs. I know every inch of itsm and no back door exists. Even if some knuckle head left demo open you couldn't use it to do this type of attack. It's just political finger pointing!

Sincerely,
David Charters
Charters Technologies
317-331-8985

-------- Original message --------
From: Nathan Aker
Date: 01/30/2014 6:21 PM (GMT-05:00)
To: arslist@ARSLIST.ORG
Subject: Re: Target Attack and BMC Software ITSM?

This article states it was a user from the Performance Assurance suite, not ITSM.

http://krebsonsecurity.com/2014/01/new-clues-in-the-target-breach/

Nathan Aker
IT Service Management

-----Original Message-----
From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORG] On Behalf Of Ortega, Jesus A
Sent: Thursday, January 30, 2014 4:47 PM
To: arslist@ARSLIST.ORG
Subject: Re: Target Attack and BMC Software ITSM?

I guess it's good that BMC is private now or else their stock price would have started tanking after this news. Good move, BMC.

-----Original Message-----
From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORG] On Behalf Of Jeff Lockemy
Sent: Thursday, January 30, 2014 7:23 AM
To: arslist@ARSLIST.ORG
Subject: OT: Target Attack and BMC Software ITSM?

This news article hit today...

http://www.startribune.com/business/242688511.html

It says that a default password in a BMC ITSM product may have contributed to the Target attack.

Jeff

Jeff Lockemy
Lead Engineer, NAVY 311 Enterprise Service Management PMW-240
ITIL V3 Foundation Certified
QMX Support Services Inc.
Re: Target Attack and BMC Software ITSM? (Disable user sub-discussion)
Hi Doug,

I guess a direct sql against the user_cache will work as long as you do not run an arreload -U command, or copy the records from the User-form to another server using ARX-files or the API...

The above steps would reactivate the user, right?

Best Regards - Misi, RRR AB, http://www.rrr.se (ARSList MVP 2011)
Re: Target Attack and BMC Software ITSM? (Disable user sub-discussion)
Doug,

With the below, would we not also have to create a filter (or escalation maybe) that fires on a system restart to set the user_cache password to INVALID? Otherwise, I assume that a system restart will put the user's pwd back in cache.

Would be nice if BMC had some way to simply identify that the user is no longer a valid user of the system and cannot log in? Seems like once a support person, always a support person. Is it possible to change the 'support person' flag to 'No' and remove the user record?

thank you

----- Original Message -----
From: Doug Mueller doug_muel...@bmc.com
To: arslist@ARSLIST.ORG
Sent: Friday, January 31, 2014 3:59:04 PM
Subject: Re: Target Attack and BMC Software ITSM? (Disable user sub-discussion)
Re: view form magic
Cheers, Frederick.

The whole reason for going custom was customer specification of a singular smart form for a variety of related but unique requests. Each class of request shares some common elements but they can't logically be grouped into similar areas and only hide/reveal the unique sections. Similarly, they want to do all their operations from the custom display form and push/pull data to the underlying real ticket tables, so re-loading the form every time I want to change configuration/views is an undesired delay every time the form has to reload in the browser. Not very agile/slick.

Oh well, I get to build a brick-ton of hide/reveal/changefield active links I suppose. Doing it via views would be so much more efficient for the client/browser as well as code overhead. Bah...

Ray

On Friday, January 31, 2014 12:32 PM, Grooms, Frederick W frederick.w.gro...@xo.com wrote:
Re: Target Attack and BMC Software ITSM? (Disable user sub-discussion)
user_cache is a PERMANENT table (don't get hung up on the word cache). No, there would be no action needed at a restart. The user would remain disabled across a restart.

As far as removing the User record... You could always remove a user record and still have the support person record. Or, set the user record to INVALID or

Doug

-----Original Message-----
From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORG] On Behalf Of pritch
Sent: Friday, January 31, 2014 1:24 PM
To: arslist@ARSLIST.ORG
Subject: Re: Target Attack and BMC Software ITSM? (Disable user sub-discussion)
Re: Target Attack and BMC Software ITSM? (Disable user sub-discussion)
The fourth case of create is a create or merge to put whatever protection you wanted about bringing in a user from another environment. You could even check on the merge whether the user exists and do the modify control or the create control. So, that is covered however you want. Yes, an arreload would reload the passwords and cause a reset of the password. Note that it would also reset the password for the case of a user who was invalidated because of too many bad passwords. arreload is a brute force reset of the user list. Of course if there were a productized disable, arreload would protect this (and it is probable that we should have arreload not clear INVALID to not reset accounts where they are disabled by bad passwords either -- but that is a discussion to have and a decision to make. We never run arrload so you are in complete control of whether or not it is run and if you run it, you can always disable users again by setting their status to Disabled (notice the logic will run to remark INVALID if they are an disabled user already and you reset the status to Disabled so you could have an Escalation that never runs and do a one time run that finds all Disabled users and sets them to Disabled that you do a one time run after any run of arreload The key to this message is that if this is something that is of interest, there is a way you can do it yourself and the idea of keying of the feature of too many bad passwords and the INVALID user is an interesting way to do it. Doug Mueller -Original Message- From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORG] On Behalf Of Misi Mladoniczky Sent: Friday, January 31, 2014 1:19 PM To: arslist@ARSLIST.ORG Subject: Re: Target Attack and BMC Software ITSM? (Disable user sub-discussion) Hi Doug, I guess a direct sql against the user_cache will work as long as you do not run an arrelod -U command, or copy the records from the User-form to another server using ARX-files or the API... 
The above steps would reactivate the user, right?

Best Regards - Misi, RRR AB, http://www.rrr.se (ARSList MVP 2011)

Ask the Remedy Licensing Experts (Best R.O.I. Award at WWRUG10/11/12/13):
* RRR|License - Not enough Remedy licenses? Save money by optimizing.
* RRR|Log - Performance issues or elusive bugs? Analyze your Remedy logs.
Find these products, and many free tools and utilities, at http://rrr.se.

Everyone,

As an adjunct to this conversation, there has come up again a topic that is asked about periodically - What does the Disable mean on the User form for a user.

Well, out of the box, it doesn't mean anything. We always are considering what it should mean, but a big part of the discussion is what does it mean in conjunction with AREA and external authentication. If a user is disabled, should they fail in an AREA authentication? Or do they succeed? If they succeed, do we still add on permissions from the user record (cross-reference-blank-password) or do we authenticate them but not authorize them (confusing). Or, do we just let them succeed and attach permissions or whatever that is cross-referenced but if you chain AREA and ARS, we would be OK with AREA but not if that didn't pass and we moved to (chained to) ARS for authentication.

Anyway, for those who want to make the disable operation be meaningful, there is a simple workflow technique you can use. To offer a complete solution, we are talking about 3 or 4 filters. This would be for handling ARS validation - essentially using the 3rd option above for AREA, if the user validates with AREA, it is OK and any information on the AR System user record that is cross referenced is used - but we would not pass any authentication that is chained to ARS.

OK, the filters:

Disable an existing user

Filter that fires on Modify with a run if of TR.Status = Disabled.
Action is to perform a Direct SQL command to update the password in the user_cache table to INVALID

    Update user_cache SET (password = 'INVALID') WHERE entryId = '$1$'

entry ID is the key we link by although you could also use username = '$101$' as well to set for matching user name. Either would work.

Yes, the word INVALID. This is the same value we put in the password field of the user_cache record when a user is blocked for too many bad password attempts. This user can NEVER login unless his password is reset by someone else as they cannot login to change it.

(depending on your DB as some DBs want parentheses around the set clause and others do not if there is only one item in the clause)

Prevent work on a disabled user

Filter that if Status = Disabled and Password != $NULL$ will return an error that you cannot change the password of a disabled user. Or you could block all change to a disabled user or do whatever you want here to prevent a password change for a disabled user which would then reset the