Re: Username Token authentication method
Hi, thanks for your answers. The web service isn't exposed from Remedy. I tried with a client for web services (with WebService Studio) but I was not able to consume it either. I will try with SoapUi and update you.

Best regards, David.

___ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org attend wwrug12 www.wwrug12.com ARSList: Where the Answers Are
Re: Username Token authentication method
Remedy web services use the anonymous authentication method instead of the Windows or NTLM method.

-----Original Message-----
From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORG] On Behalf Of Team Remedy
Sent: Monday, October 08, 2012 1:09 PM
To: arslist@ARSLIST.ORG
Subject: Re: Username Token authentication method
Re: Results of a application pen-test - need to close holes
Hi John

For the session timeout, I found the setting under web, in user preferences. Looks like some people had no timeout setting at all, some had 5 hours. I have logged an internal RFC to globally reset everyone’s to one hour, and also to set the mid-tier webserver timeout to the same to cover all bases.

For the concurrent users, I confirmed that as long as the user does not have a fixed-license, + admin role, then they cannot log in concurrently from multiple machines, so that one is closed.

As for the auto-complete one, the specific comments from the pen-tester were as follows. He was not actually scanning cookies by the looks of it, more viewing the screen in front of him. He provided a screenshot showing the web browser offering the last 3 usernames used on that browser. It should be possible to stop browsers remembering a field value, like online banking sites where, no matter what the browser is set to, you cannot remember the last value of the field from the last visit:

Web applications allows user to store the password in the browser (remember password function). If auto complete feature is ON and an attacker gains access to the browser cache, can easily obtain the password in clear text and list down the complete user id’s present on particular application.

cheers
dan
Results of a application pen-test - need to close holes
Dan

The Java servlet API docs do allow a max inactive value to be set on a session so I guess that's how it's being done, but the preference is an interesting design choice.

The form auto-complete functionality is easy to achieve: http://stackoverflow.com/questions/2530/how-do-you-disable-browser-autocomplete-on-web-form-field-input-tag

John
Data Management Tool in version 8 replaced by Atrium Integrator
Hi all,

It appears that in version 8 the data management tool has been replaced by the Atrium Integrator. I am trying to find any documentation on how to use it for foundation data load or updates, but so far with not much luck. Hope it is just me.

Can anybody point me in the right direction, i.e. documentation describing how to use the Atrium Integrator to run the pre-defined transformations for loading foundation data.

Thanks
Jiri Pospisil
Re: Results of a application pen-test - need to close holes
Hi John, so if I open up login.jsp on each of my mid-tiers, and I modify the code on lines 4 and 8 to include autocomplete=off, you think I will get what I need? I am not a coder, so the fact this is JSP, does that matter?

 1  <td class="login" nowrap="nowrap" width="20">&nbsp;</td>
 2  <td class="login" nowrap="nowrap" id="LoginLabel-id">
 3  <b><label for="username-id"><%=MessageTranslation.getLocalizedText(locale,"User Name")%></label></b>
 4  <input name="<%=Params.USERNAME%>" maxlength="<%=Params.USERNAME_LENGTH%>" id="username-id" value="<%=com.remedy.arsys.share.HTMLWriter.escape(name)%>" class="loginfield" size="30" type="text">
 5  <td class="login" nowrap="nowrap" width="20">&nbsp;</td>
 6  <td class="login" id="PasswordLabel-id" nowrap="nowrap">
 7  <label for="pwd-id"><%=MessageTranslation.getLocalizedText(locale,"Password")%></label>
 8  <input name="<%=Params.PASSWORD%>" maxlength="<%=Params.PASSWORD_LENGTH%>" id="pwd-id" class="loginfield" size="30" type="password">
 9  <td class="Login" nowrap="nowrap" width="20">&nbsp;</td>
10  <td class="Login" name="auth_label" nowrap="nowrap">
11  <label for="auth-id"><%=MessageTranslation.getLocalizedText(locale,"Authentication")%></label>
12  <td><input type="text" NAME="<%=Params.AUTHENTICATION_STRING%>" id="auth-id" maxlength="<%=Params.AUTHENTICATION_STRING_LENGTH%>" class="loginfield" size="30"></td>
13  <td class="Login" nowrap="nowrap" width="20">&nbsp;</td>
14  <td class="loginfield" nowrap="nowrap">&nbsp;</td>
15  <input type="button" name="login" value="<%=MessageTranslation.getLocalizedText(locale, "Log In")%>" onClick="doLogin();"><!--;-->&nbsp;
16  <input type="button" name="clear" value="<%=MessageTranslation.getLocalizedText(locale, "Clear")%>" onClick="clearLogin();"><!--;-->
17  <td class="Login" nowrap="nowrap">&nbsp;</td>
18  <td class="Login" nowrap="nowrap">&nbsp;</td>
19  <input type="hidden" name="<%=Params.TIMEZONE%>" value="">
20  <input type="hidden" name="<%=Params.PASSWORD_ENCRYPTED%>" value="1">
21  <input type="hidden" name="<%=Params.GOTO_URL%>" value="<%=com.remedy.arsys.share.HTMLWriter.escape(nextPage)%>">
22  <input type="hidden" name="<%=Params.SERVER%>" value="<%=com.remedy.arsys.share.HTMLWriter.escape(server)%>">
23  <input type="hidden" name="<%=Params.IP_OVERRIDE%>" value="0">
24  <input type="hidden" name="initialState" value="-1">
25  <input type="hidden" name="<%=HttpSessionKeys.TARGET_URL%>" value="">
Re: Data Management Tool in version 8 replaced by Atrium Integrator
Hi

I believe there is no major change on most of the background forms and architecture in version 8 from version 7.6.04. In this case you can use DMT 7.6.04 to upload foundation data.

Thanks,
Anand

-----Original Message-----
From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORG] On Behalf Of Jiri Pospisil
Sent: Monday, October 08, 2012 4:50 PM
To: arslist@ARSLIST.ORG
Subject: Data Management Tool in version 8 replaced by Atrium Integrator
Re: Data Management Tool in version 8 replaced by Atrium Integrator
Sorry to hijack, but does anyone know if the integrator module is now supported in a server group environment? I am pretty sure it was on the proposed list for v8.

Great that DMT from 7604 will still work though.
Re: Data Management Tool in version 8 replaced by Atrium Integrator
Dan,

This is considered as an enhancement of AI in version 8.0. See here for more details: https://docs.bmc.com/docs/display/public/ac80/Atrium+Integrator+enhancements

**
Atrium Integrator in server group environment and multiple Carte server support
* BMC AR System server group is supported thus, allowing high availability installation of Atrium Integrator.
* The Atrium Integrator server can be used in a server group environment to distribute the jobs across multiple Carte servers. In a BMC Remedy AR System server group environment, you can schedule your jobs to run from different Carte servers. This enables you to run multiple jobs at one time and also achieve load balancing. For more information, see Atrium Integrator in a server group environment and Managing Atrium Integrator job schedule.
**

On Mon, Oct 8, 2012 at 1:54 PM, Dan Miller dan.mil...@bt.com wrote:
> Sorry to hijack, but does anyone know if the integrator module is now supported in a server group environment? I am pretty sure it was on the proposed list for v8.
> Great that DMT from 7604 will still work though.
Results of a application pen-test - need to close holes
Hello

Yes, you can add autocomplete=off to input elements, ie:

<input name="<%=Params.USERNAME%>" maxlength="<%=Params.USERNAME_LENGTH%>" id="username-id" value="<%=com.remedy.arsys.share.HTMLWriter.escape(name)%>" class="loginfield" size="30" type="text" autocomplete="off">

John
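A check for the change discussed above, as an added example that is not part of the original posts or of BMC's code: it parses the HTML a login page renders and lists the typed-in fields a browser may still remember. The form markup, the field names username, pwd and auth, and the /login action are constructed for illustration; only the ids come from the posted login.jsp.

```python
from html.parser import HTMLParser

# Input types a browser offers to remember; hidden, button and submit are ignored.
REMEMBERED_TYPES = {"text", "password", "email", "tel", "search", "url", "number"}


class AutocompleteAudit(HTMLParser):
    """Collect typed-in <input> fields whose effective autocomplete is not "off"."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self._form_setting = None  # autocomplete value of the enclosing <form>, if any
        self.findings = []         # (field name, input type, effective setting)

    def handle_starttag(self, tag, attrs):
        raw = dict(attrs)  # HTMLParser already lower-cases attribute names (NAME -> name)
        setting = (raw.get("autocomplete") or "").strip().lower() or None
        if tag == "form":
            self._form_setting = setting
        elif tag == "input":
            kind = (raw.get("type") or "text").strip().lower()
            if kind not in REMEMBERED_TYPES:
                return
            # An input without its own attribute inherits the form's setting;
            # with neither present the browser default is "on".
            effective = setting or self._form_setting or "on"
            if effective != "off":
                name = raw.get("name") or raw.get("id") or "?"
                self.findings.append((name, kind, effective))

    def handle_endtag(self, tag):
        if tag == "form":
            self._form_setting = None


def audit_login_page(html):
    """Return the fields of a rendered page that the browser may remember."""
    parser = AutocompleteAudit()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample of what a rendered login form could look like (not real
# Mid Tier output). The three text/password fields mirror lines 4, 8 and 12
# of the login.jsp posted in the thread.
TEMPLATE = """<form name="loginForm" method="post" action="/login"{form_attr}>
<input name="username" id="username-id" class="loginfield" size="30" type="text"{field_attr}>
<input name="pwd" id="pwd-id" class="loginfield" size="30" type="password"{field_attr}>
<input type="text" NAME="auth" id="auth-id" class="loginfield" size="30">
<input type="button" name="login" value="Log In" onClick="doLogin();">
<input type="hidden" name="initialState" value="-1">
</form>"""

BEFORE = TEMPLATE.format(form_attr="", field_attr="")
# Lines 4 and 8 changed, as proposed in the thread.
AFTER = TEMPLATE.format(form_attr="", field_attr=' autocomplete="off"')
# Alternative: one attribute on the <form> covers every field inside it.
FORM_LEVEL = TEMPLATE.format(form_attr=' autocomplete="off"', field_attr="")

if __name__ == "__main__":
    for label, page in (("before", BEFORE), ("after", AFTER), ("form-level", FORM_LEVEL)):
        print(label, audit_login_page(page))
```

The Authentication field on line 12 of the posted login.jsp is also a text input, so changing only lines 4 and 8 leaves one finding. Browser password managers may still offer to save credentials when autocomplete is off, so this verifies the markup rather than browser behaviour.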
Re: Results of a application pen-test - need to close holes
Dan,

1 - Privilege Escalation - I can't speak to the service catalog (I think that's by design)...but if you need the preference record to be only viewable by themselves, you could change the permission on field 1 to only allow the 'Submitter' group access. This isn't a case of privilege escalation, simply a case of being able to do something the evaluator felt they shouldn't be able to do
2 - Improper Error Handling - Yes and No...I vaguely understand the concern, but I'm not entirely seeing the 'attack vector' based on the content of the messages
3 - No Session Timeout - Already addressed
4 - Concurrent User Sessions - Already addressed
5 - Forced Browsing - I'm not familiar with the ability to get into forms without authentication, but you could look into applying a 'filter' to your tomcat 'arsys' context, thus enabling forced authentication at the web server...ideally you would want this authentication to be automatic (SSO) so that you don't first need to authenticate to the context, then ALSO need to log onto the remedy app...that would simply be annoying to the users
6 - Autocomplete - Already addressed
7 - Banner Grabbing - I have no information about this one...sorry, hopefully someone else can assist.

-----Original Message-----
From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORG] On Behalf Of Dan Miller
Sent: Sunday, October 07, 2012 4:15 AM
To: arslist@ARSLIST.ORG
Subject: Results of a application pen-test - need to close holes

Hi forum,

I hope you can help, and I am sorry in advance for the long post, but I am trying to get all this into one post, hoping that someone has gone through this exercise before.

So basically, we had an application pen-test before releasing our remedy platform to the public internet. We got 7 things that we need to fix, some of them before we can go live, others that can wait a while.

Summary:
1. Privilege Escalation
2. Improper Error Handling
3. No session time out
4. Concurrent User Sessions
5. Forced Browsing
6. Autocomplete feature
7. Banner Grabbing

Below I have described them a little more with description, recommendation, but also the problem I have in getting them implemented. We are 18 months into our first ever Remedy journey, so security is something we have not really considered. Can you please help?

1. Privilege Escalation

Description: Privilege escalation in Remedy application allows a user to gain elevated access to resources that are meant for a privileged user. It was observed that in Remedy a user can view / read other user’s Service catalogue and preference details. The privilege values should be checked from the database and not be stored in a client side cookie.

Vulnerable Urls:
https://hostname/arsys/forms/server-mame/SRS%3ACFGApplicationPreferences/Dialog+Console/?cacheid=aeabdc61&format=html
https://hostname/arsys/forms/server-mame/SRS%3AServiceRequestConsole/enduser/?cacheid=1bc6c61&format=html
https://hostname/arsys/atrium/ServiceCatalog.swf

This means the user can get more rights than they are entitled to. In this case a test user was able to see other users' preferences. This may need to go back to BMC if TT are unable to resolve as it may be an application fault. Recommended fix is to enable server side authentication and not client side which is currently in place.

Recommendation: It is strongly recommended to check the privilege values from the database before granting access to secured resources applications.

Problem: How do I even start with this one…. Is there something I am not doing in terms of application lock down? Is it something to do with object-list within mid-tier so URLs can be directly browsed to?

2. Improper Error Handling

Description: If a web application encounters an error condition it may need to display an appropriate error message. Sometimes these messages can be detailed enough to give away crucial information about the application. This information may include database schema/table names, user names, platform specific information etc. Applications giving out detailed error messages run the risk of exposing crucial information which can be used later to launch further attacks. Our Remedy installation seems to have been configured in an insecure way. Whenever the application encounters any kind of error condition (such as failed execution of an SQL query), an error message of failure SQL operation is sent back to the user’s browser.

Example typical error: “The SQL database operation failed. : The data types text and varchar are incompatible in the equal to operator. (SQL Server 402) (ARERR 552)”

Recommendation: In a live environment, application error messages should be kept as short as
Re: SRM - Work Order (automatic activation?)
We have a simple request in SRM that we would like to create a Work Order that is active from the beginning. Is this possible without customization? I can assign it automatically of course, but is there something I can configure to have the WO start with a status of In Progress so the Tasks are assigned and notifications go out automatically?

Kelly Logan, Sr. Systems Administrator (Remedy, Planview), GMS
ProQuest | 789 E. Eisenhower Parkway, P.O. Box 1346 | Ann Arbor MI 48106-1346 USA | 734.997.4777
kelly.lo...@proquest.com
www.proquest.com
Remedy AIE Question
Good Day, All:

I'm having trouble with an AIE job and am hoping someone else may have run into this issue. I'm trying to use the process| feature to set a field with the return value of an external process. Really I'm not interested in the return value, I just want the process to run. The process is c:\windows\system32\cmd.exe /c c:\temp\filename.bat and the contents of the .bat file are:

set Path=C:\Windows\System32;%Path%
dir c:\temp | find filename.ext c:\temp\filename.log
exit

That's it - pretty darn simple. So the data field mapping in AIE is process|c:\windows\system32\cmd.exe /c c:\temp\filename.bat . The AIE exchange runs successfully, but nothing is logged to the file. There's no indication of any failure in the AIE debug logs.

Any thoughts on what I could try?

Thanks,
--Phil

Phil Murnane, Principal Consultant
Windward IT Solutions, Service Management Practice
Email: pmurn...@windwardits.com
Mobile: +1-703-896-6435
Web: www.WindwardITS.com
Re: Remedy AIE Question
Phil,

I assume you have executed the batch file with the same command line without issue?

-----Original Message-----
From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORG] On Behalf Of Murnane, Phil
Sent: Monday, October 08, 2012 7:24 AM
To: arslist@ARSLIST.ORG
Subject: Remedy AIE Question
Re: Results of a application pen-test - need to close holes
Dan,

> For the session timeout, i found the setting under web, in user preferences:

As Mr. Baker pointed out, there is also a global timeout setting in the Mid-Tier Configuration that's not changeable by the end user.

Tim

-----Original Message-----
From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORG] On Behalf Of Dan Miller
Sent: Monday, October 08, 2012 6:21 AM
To: arslist@ARSLIST.ORG
Subject: Re: Results of a application pen-test - need to close holes
Results of a application pen-test - need to close holes
LJ,

2. Improper error handling

The concern would be that the SQL message may reveal information that allows a third party to establish the type of database, IP address, etc. They would then be in a position to mount an attack with information known about that database, ie current security concerns etc.

5. Forced browsing

You correctly identify a good SSO deployment (ie the JSS SSO Plugin :-) as a solution to forced browsing, ie ensuring the user has authenticated before being able to access a resource.

John
Re: Results of a application pen-test - need to close holes
John,

I would personally be more concerned about someone having a 'clone' of my system and gaining more information than them being able to glean much from error messages. Yes, I understand that an error message from the underlying vendor db (SQL Server) for example tells them what DB you are running on...but I've never been exceedingly concerned about that...I guess I've never been in a position where the system I support is so critical that someone is going to attack it and any little piece of information provides another nugget of capability to exploit. Being in DOD contracting I understand the concerns for security and such, I'm just not sure what they would do with something like the error they described.

-----Original Message-----
From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORG] On Behalf Of John Baker
Sent: Monday, October 08, 2012 7:36 AM
To: arslist@ARSLIST.ORG
Subject: Results of a application pen-test - need to close holes
Results of a application pen-test - need to close holes
LJ

Yes, the SQL error documented contains little value, but other messages could contain value. However, this all has to be balanced with, as you suggest, the type of data held in AR System. Service desk information is probably less sensitive than HR data, although infrastructure-related tickets may be of interest to a third party.

John
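The error-handling finding debated in this thread, as an added example that is not part of the original posts or of any Remedy component: the verbose behaviour the pen-test reported beside a hardened form that keeps the backend text in a server-side log and sends the browser only a reference. The logger name, the patterns, the wording of the generic message and the Java stack frame sample are assumptions made for illustration.

```python
import logging
import re
import uuid


class MemoryLog(logging.Handler):
    """Stands in for the server-side log file so the example runs offline."""

    def __init__(self):
        super().__init__()
        self.lines = []

    def emit(self, record):
        self.lines.append(record.getMessage())


SERVER_LOG = MemoryLog()
log = logging.getLogger("midtier.errors")  # hypothetical logger name
log.addHandler(SERVER_LOG)
log.setLevel(logging.ERROR)
log.propagate = False

# Fragments that identify the backend (assumed patterns, extend for your stack):
# vendor plus native error number, SQL data type detail, Java stack frames.
BACKEND_DETAIL = [
    re.compile(r"\((?:SQL Server|Oracle|Sybase|DB2)\s+\d+\)", re.I),
    re.compile(r"\bdata types? \w+ and \w+\b", re.I),
    re.compile(r"\bat [\w.$]+\([\w$]+\.java:\d+\)"),
]

# The error text quoted in the pen-test report in this thread.
REPORTED_ERROR = (
    "The SQL database operation failed. : The data types text and varchar are "
    "incompatible in the equal to operator. (SQL Server 402) (ARERR 552)"
)


def backend_detail(text):
    """Return every fragment of text that reveals backend internals."""
    return [m.group(0) for pattern in BACKEND_DETAIL for m in pattern.finditer(text)]


def verbose_response(raw_error):
    """Behaviour reported by the pen-test: backend text goes to the browser."""
    return raw_error


def hardened_response(raw_error):
    """Log the full text under a reference id; send the browser a fixed message."""
    ref = uuid.uuid4().hex[:8]
    log.error("ref=%s %s", ref, raw_error)
    return f"The request could not be completed. Reference: {ref}"


if __name__ == "__main__":
    print("verbose leaks :", backend_detail(verbose_response(REPORTED_ERROR)))
    shown = hardened_response(REPORTED_ERROR)
    print("hardened shows:", shown, "| leaks:", backend_detail(shown))
    print("server log    :", SERVER_LOG.lines[-1])
```

`backend_detail` can also be run over captured response bodies as a regression check that no page served to the browser carries database or stack detail.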
Re: Results of a application pen-test - need to close holes
Could the FORCED BROWSING be a case of the tester having an open browser on a form and then opening another browser? Because they are logged in under one browser session a second will see the login and not ask for credentials.

Fred

-----Original Message-----
From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORG] On Behalf Of Longwing, LJ CTR MDA/IC
Sent: Monday, October 08, 2012 7:57 AM
To: arslist@ARSLIST.ORG
Subject: Re: Results of a application pen-test - need to close holes
Getting deadlock issue when querying data directly, from a MSSQL 2008 DB and on 7.6.4 ARserver
Good morning, afternoon and evening all,

Before we upgraded to 7.6.4 (ITSM and Arserver) we were on 7.5.6 and ITSM 7.6.1, and were able to query the MSSQL 2005 database directly, to pull some reporting data back. Since upgrading to 7.6.4 (ITSM and ARserver) and going to MSSQL 2008, when our user load is high we are getting deadlock issues when querying data directly. When the user load is low (like 3am) we have no issues.

Any ideas?

Take care,
Howard

Howard Richter, Remedy Administrator
6205 Peachtree Dunwoody Road, Atlanta, GA 30328-4524
Email = howard.rich...@coxinc.com
Office = 678.645.4633, Cell = 404.226.2745
ITSM 7.6.4 - sharing searches
Is there an easy way to share a search, which I've created, with others now that we're on the browser client? (One department wants to search on Work Orders, and since all of the detail fields are unlabeled, they have no realistic way to make the search themselves.)

Kelly Logan, Sr. Systems Administrator (Remedy, Planview), GMS
ProQuest | 789 E. Eisenhower Parkway, P.O. Box 1346 | Ann Arbor MI 48106-1346 USA | 734.997.4777
kelly.lo...@proquest.com
www.proquest.com
Re: Results of a application pen-test - need to close holes
The CWE database does a good job of enumerating and outlining various weaknesses in applications. For this specific case, see CWE-209. http://cwe.mitre.org/data/definitions/209.html The pen-testing tools that are out there wrap around these commonly agreed upon weaknesses to generate a report of issues or potential issues. Manual pen-testing takes the same approach. Axton Grams On Mon, Oct 8, 2012 at 8:46 AM, Longwing, LJ CTR MDA/IC lj.longwing@mda.mil wrote: John, I would personally be more concerned about someone having a 'clone' of my system and gaining more information than them being able to glean much from error messages. Yes, I understand that an error message from the underlying vendor db (SQL Server) for example tells them what DB you are running on...but I've never been exceedingly concerned about that...I guess I've never been in a position where the system I support is so critical that someone is going to attack it and any little piece of information provides another nugget of capability to exploit. Being in DOD contracting I understand the concerns for security and such, I'm just not sure what they would do with something like the error they described. -Original Message- From: Action Request System discussion list(ARSList) [mailto: arslist@ARSLIST.ORG] On Behalf Of John Baker Sent: Monday, October 08, 2012 7:36 AM To: arslist@ARSLIST.ORG Subject: Results of a application pen-test - need to close holes LJ, 2. Improper error handling The concern would be that the SQL message may reveal information that allows a third party to establish the type of database, IP address, etc. They would then be in a position to mount an attack with information known about that database, ie current security concerns etc. 5. Forced browsing You correctly identify a good SSO deployment (ie the JSS SSO Plugin :-) as a solution to forced browsing, ie ensuring the user has authenticated before being able to access a resource.
John
ITSM 7.6.4 - sharing searches
Did you look at ar central preferences form? I believe there is a form to store searches which you can use for your purpose.
Re: Results of a application pen-test - need to close holes
Listers, Sounds to me like you guys need to set a Birds of a Feather session about hardening the MidTier for use on the public Internet at WWRUG12 next week, huh? WWRUG12 has more than a hundred sessions this year, and some of them will touch on security issues, but what better way to bring together all of this expertise and interest? Of course, this would be the very first time that a bunch of experts, interested parties, customers, software designers and engineers changed the world with a couple of beers! We'll buy the first round :-). Second one too if it helps. Seriously, the number of presentation topics and the breadth of the curriculum has been impressive this year, but even with all this expertise we cannot think of or organize every single thing you might want to talk about. We can, however, bring all of this talent to the same place and time. The number of ad hoc conversations at WWRUG's, BMC User World's and RUG's in their day just doesn't happen in other forums. So, in addition to all the formal instruction and shared knowledge, the opportunity to organize your own discussion among like interests is one of the best reasons to come to WWRUG. See you in San Jose! Next week! Doug -- Doug Blair +1 224-558-5462 Sent from my new iPad Auto-corrected typos, misspellings and non-sequiturs are gratefully attributed to Steve Jobs :-) On Oct 8, 2012, at 8:46 AM, Longwing, LJ CTR MDA/IC lj.longwing@mda.mil wrote: John, I would personally be more concerned about someone having a 'clone' of my system and gaining more information than them being able to glean much from error messages. Yes, I understand that an error message from the underlying vendor db (SQL Server) for example tells them what DB you are running on...but I've never been exceedingly concerned about that...I guess I've never been in a position where the system I support is so critical that someone is going to attack it and any little piece of information provides another nugget of capability to exploit.
Being in DOD contracting I understand the concerns for security and such, I'm just not sure what they would do with something like the error they described. -Original Message- From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORG] On Behalf Of John Baker Sent: Monday, October 08, 2012 7:36 AM To: arslist@ARSLIST.ORG Subject: Results of a application pen-test - need to close holes LJ, 2. Improper error handling The concern would be that the SQL message may reveal information that allows a third party to establish the type of database, IP address, etc. They would then be in a position to mount an attack with information known about that database, ie current security concerns etc. 5. Forced browsing You correctly identify a good SSO deployment (ie the JSS SSO Plugin :-) as a solution to forced browsing, ie ensuring the user has authenticated before being able to access a resource. John
Re: ITSM 7.6.4 - sharing searches
If you know how to create a web report from the report console, there is an option to specify the type of report, public or private. If you select public, anyone should be able to access and run the report -Karthik On 8 October 2012 20:28, patchsk vamsi...@gmail.com wrote: Did you look at ar central preferences form. I believe there is a form to store searches which you can use for your purpose.
Re: Getting deadlock issue when querying data directly, from a MSSQL 2008 DB and on 7.6.4 ARserver
Hi, I'm no SQL Server expert ;) But you do have a snapshot functionality that may be the source of your problems. Disabling or at least having it tuned could also benefit the whole application. You can use WITH NOLOCK with your select statement to force it at run time. You have the equivalent in AR System configuration with Select-Query-Hint: NOLOCK in ar.cfg, see configuration guide. HTH On Mon, Oct 8, 2012 at 4:51 PM, Richter, Howard (CEI - Atlanta) howard.rich...@coxinc.com wrote: Good morning, afternoon and evening all, Before we upgraded to 7.6.4 (ITSM and Arserver) we were on 7.5.6 and ITSM 7.6.1, and was able to query the MSSQL 2005 database directly, to pull some reporting data back. Since upgrading to 7.6.4 (ITSM and ARserver) and going to MSSQL 2008, when our user load is high we are getting deadlock issue when querying data directly. When the user load is low (like 3am) we have no issues. Any ideas? Take care, Howard
Re: Getting deadlock issue when querying data directly, from a MSSQL 2008 DB and on 7.6.4 ARserver
Howard, When we performed the same upgrade, ironically from same app/db versions to same app/db versions, part of the upgrade recommended running some commands to prevent deadlocks...did you by chance run those commands? You should be able to check the db guide for 7.6.04, or even the what's new. -Original Message- From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORG] On Behalf Of Richter, Howard (CEI - Atlanta) Sent: Monday, October 08, 2012 8:52 AM To: arslist@ARSLIST.ORG Subject: Getting deadlock issue when querying data directly, from a MSSQL 2008 DB and on 7.6.4 ARserver Good morning, afternoon and evening all, Before we upgraded to 7.6.4 (ITSM and Arserver) we were on 7.5.6 and ITSM 7.6.1, and was able to query the MSSQL 2005 database directly, to pull some reporting data back. Since upgrading to 7.6.4 (ITSM and ARserver) and going to MSSQL 2008, when our user load is high we are getting deadlock issue when querying data directly. When the user load is low (like 3am) we have no issues. Any ideas? Take care, Howard
Re: Getting deadlock issue when querying data directly, from a MSSQL 2008 DB and on 7.6.4 ARserver
Howard, Which SP you are on 7604? Overview console 7604 default installation is single threaded, causing performance issues. BMC has a hot fix for this. Also check SNAPSHOT ISOLATION and READ COMMIT SNAPSHOT value on DB side. Regards, Ravi Rai Date: Mon, 8 Oct 2012 10:51:59 -0400 From: howard.rich...@coxinc.com Subject: Getting deadlock issue when querying data directly, from a MSSQL 2008 DB and on 7.6.4 ARserver To: arslist@ARSLIST.ORG Good morning, afternoon and evening all, Before we upgraded to 7.6.4 (ITSM and Arserver) we were on 7.5.6 and ITSM 7.6.1, and was able to query the MSSQL 2005 database directly, to pull some reporting data back. Since upgrading to 7.6.4 (ITSM and ARserver) and going to MSSQL 2008, when our user load is high we are getting deadlock issue when querying data directly. When the user load is low (like 3am) we have no issues. Any ideas? Take care, Howard
Re: Remedy AIE Question
Thanks LJ & Karthik: The batch file runs fine on its own directly from the command prompt. I've run various tests and some can produce .log files, so I know AIE has permissions to execute cmd.exe. I can summarize the tests if it'd be helpful, but I didn't want to bias opinions right off the bat. :) Thanks, --Phil From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORG] On Behalf Of Karthik Sent: Monday, October 08, 2012 09:59 To: arslist@ARSLIST.ORG Subject: Re: Remedy AIE Question What is the user account AIE is running on? Does it have necessary privileges to run the batch file? - Karthik On 8 October 2012 18:53, Murnane, Phil pmurn...@windwardits.com wrote: Good Day, All: I'm having trouble with an AIE job and am hoping someone else may have run into this issue. I'm trying to use the process| feature to set a field with the return value of an external process. Really I'm not interested in the return value, I just want the process to run. The process is c:\windows\system32\cmd.exe /c c:\temp\filename.bat and the contents of the .bat file are:
set Path=C:\Windows\System32;%Path%
dir c:\temp | find filename.ext >> c:\temp\filename.log
exit
That's it - pretty darn simple. So the data field mapping in AIE is process|c:\windows\system32\cmd.exe /c c:\temp\filename.bat . The AIE exchange runs successfully, but nothing is logged to the file. There's no indication of any failure in the AIE debug logs. Any thoughts on what I could try?
Thanks, --Phil Phil Murnane, Principal Consultant Windward IT Solutions, Service Management Practice Email: pmurn...@windwardits.com Mobile: +1-703-896-6435 Web: www.WindwardITS.com
Re: Remedy AIE Question
Hi, try
dir c:\temp | find filename.ext > c:\temp\filename.log
>> is append; sometimes if the file does not exist the append fails, I have no idea why. Also for some weird reason the space matters. The command will run fine from a DOS prompt but will fail if run from within Remedy. Also since you are using the /c option, you don't need the exit at the end. windows\system32 is always in the global path so you do not need to set that; also since you are running the bat file from within Remedy, it does not set the path anyway. Shafqat Ayaz From: Longwing, LJ CTR MDA/IC lj.longwing@mda.mil To: arslist@ARSLIST.ORG Sent: Monday, October 8, 2012 2:28 PM Subject: Re: Remedy AIE Question Phil, I assume you have executed the batch file with the same command line without issue? -Original Message- From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORG] On Behalf Of Murnane, Phil Sent: Monday, October 08, 2012 7:24 AM To: arslist@ARSLIST.ORG Subject: Remedy AIE Question Good Day, All: I'm having trouble with an AIE job and am hoping someone else may have run into this issue. I'm trying to use the process| feature to set a field with the return value of an external process. Really I'm not interested in the return value, I just want the process to run. The process is c:\windows\system32\cmd.exe /c c:\temp\filename.bat and the contents of the .bat file are:
set Path=C:\Windows\System32;%Path%
dir c:\temp | find filename.ext >> c:\temp\filename.log
exit
That's it - pretty darn simple. So the data field mapping in AIE is process|c:\windows\system32\cmd.exe /c c:\temp\filename.bat . The AIE exchange runs successfully, but nothing is logged to the file. There's no indication of any failure in the AIE debug logs. Any thoughts on what I could try?
Thanks, --Phil Phil Murnane, Principal Consultant Windward IT Solutions, Service Management Practice Email: pmurn...@windwardits.com Mobile: +1-703-896-6435 Web: www.WindwardITS.com
Thoughts on Remedy administration
Hello, I wonder if anyone can share any experience or recommendations on how you organize your Remedy administration team, especially in large companies, since I believe there has to be at least two teams, one team focused on the technical side of Remedy and its related infrastructure, mostly having to do with troubleshooting, tuning, interaction with OS, DB, network teams, etc., and then there is the other team focused on the tool administration tasks such as monitoring users, controlling licenses, adding, deleting or modifying users, roles, permissions, ITSM foundation data, etc. If you customize or develop apps in Remedy there would be maybe a third team. Thank you and Best Regards, -Mauricio
Re: Getting deadlock issue when querying data directly, from a MSSQL 2008 DB and on 7.6.4 ARserver
Ravi, We are on SP3 of the ARserver and SP2 of ITSM. I have asked my DB to look at the two snapshot values you talked about. By the way, what should they be to prevent this type of issue? Thanks again and take care, Howard Sent from one of Howard's iPads On Oct 8, 2012, at 11:29 AM, ravi rai ravira...@hotmail.com wrote: Howard, Which SP you are on 7604? Overview console 7604 default installation is single threaded, causing performance issues. BMC has a hot fix for this. Also check SNAPSHOT ISOLATION and READ COMMIT SNAPSHOT value on DB side. Regards, Ravi Rai
Re: Getting deadlock issue when querying data directly, from a MSSQL 2008 DB and on 7.6.4 ARserver
Howard, ALLOW_SNAPSHOT_ISOLATION and READ_COMMITTED_SNAPSHOT. Turning on these helps:
- Read operations retrieve a consistent snapshot of the database.
- SELECT statements do not lock data during a read operation (readers do not block writers, and vice versa).
- SELECT statements can access the last committed value of the row, while other transactions update the row without being blocked.
- Fewer deadlocks and lock escalations occur.
- Fewer locks required by a transaction occur, which reduces the system overhead required to manage locks.
Please refer to the below white paper for other performance tuning options: BMC Remedy AR System Server 7.6 - Performance Tuning for Business Service Management. Regards, Ravi Rai, Remedy Consultant, HCL-America Date: Mon, 8 Oct 2012 12:44:19 -0400 From: hbr4...@gmail.com Subject: Re: Getting deadlock issue when querying data directly, from a MSSQL 2008 DB and on 7.6.4 ARserver To: arslist@ARSLIST.ORG Ravi, We are on SP3 of the ARserver and SP2 of ITSM. I have asked my DB to look at the two snapshot values you talked about. By the way what should they be to prevent this type of issue. Thanks again and take care, Howard Sent from one of Howard's iPads
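The database options and the NOLOCK hint discussed in this thread, as an added T-SQL example for SQL Server 2008 that is not from any poster or from BMC. The database name ARSystem and the view dbo.HPD_Help_Desk with its Status column are assumptions; substitute your own.

```sql
-- Added example, not from the thread.
-- Assumed names: database ARSystem, reporting view dbo.HPD_Help_Desk (column Status).

-- 1. Current state of the two options named above.
SELECT name,
       snapshot_isolation_state_desc,   -- ALLOW_SNAPSHOT_ISOLATION: ON / OFF
       is_read_committed_snapshot_on    -- READ_COMMITTED_SNAPSHOT: 1 / 0
FROM   sys.databases
WHERE  name = N'ARSystem';

-- 2. Turn both on. READ_COMMITTED_SNAPSHOT cannot be changed while other
--    connections are open in the database, so run this in a maintenance
--    window with the AR System server stopped. Row versions are kept in
--    tempdb, so watch tempdb space and I/O afterwards.
ALTER DATABASE ARSystem SET ALLOW_SNAPSHOT_ISOLATION ON;
ALTER DATABASE ARSystem SET READ_COMMITTED_SNAPSHOT ON;

-- 3. Reporting query under snapshot isolation: reads committed row versions
--    and takes no shared locks, so it neither blocks nor is blocked by the
--    application's writers.
SET TRANSACTION ISOLATION LEVEL SNAPSHOT;
BEGIN TRANSACTION;
SELECT Status, COUNT(*) AS tickets
FROM   dbo.HPD_Help_Desk
GROUP  BY Status;
COMMIT TRANSACTION;

-- 4. The NOLOCK alternative mentioned earlier in the thread. It also avoids
--    shared locks, but reads uncommitted data: rows can be missed, counted
--    twice, or reflect changes that are later rolled back.
SET TRANSACTION ISOLATION LEVEL READ COMMITTED;
SELECT Status, COUNT(*) AS tickets
FROM   dbo.HPD_Help_Desk WITH (NOLOCK)
GROUP  BY Status;

-- 5. Find out which statements actually deadlock: trace flag 1222 writes
--    the deadlock participants and their statements to the SQL Server
--    error log for every deadlock, server-wide.
DBCC TRACEON (1222, -1);

-- 6. While load is high, list sessions that are currently blocked and
--    the statement each one is running.
SELECT r.session_id,
       r.blocking_session_id,
       r.wait_type,
       r.wait_time,
       t.text AS running_statement
FROM   sys.dm_exec_requests AS r
CROSS  APPLY sys.dm_exec_sql_text(r.sql_handle) AS t
WHERE  r.blocking_session_id <> 0;
```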
Re: Getting deadlock issue when querying data directly, from a MSSQL 2008 DB and on 7.6.4 ARserver
Ravi, Thanks I will. Howard Sent from one of Howard's iPads On Oct 8, 2012, at 12:55 PM, ravi rai ravira...@hotmail.com wrote: Howard, ALLOW_SNAPSHOT_ISOLATION and READ_COMMITTED_SNAPSHOT. Turning on these helps: Read operations retrieve a consistent snapshot of the database. SELECT statements do not lock data during a read operation (readers do not block writers, and vice versa). SELECT statements can access the last committed value of the row, while other transactions update the row without being blocked. Fewer deadlocks and lock escalations occur. Fewer locks required by a transaction occur, which reduces the system overhead required to manage locks. Please refer to the below white paper for other performance tuning options: BMC Remedy AR System Server 7.6 - Performance Tuning for Business Service Management. Regards, Ravi Rai, Remedy Consultant, HCL-America
Re: [EXTERNAL] Thoughts on Remedy administration
Mauricio: I'm not sure how you're defining large, but in our enterprise we have around 10,000 employees across two main sites and several smaller satellite locations. In terms of our Remedy support, we have a single team with people who do everything you mention, including custom Remedy apps. Our team members are considered to be Tier 1 - 3, similar to how Support Groups define themselves, more or less as follows:
Tier 3 - advanced troubleshooting, tuning, mid-tier management, interaction with DB, network server teams, monitoring users, controlling licenses, data migrations
Tier 2 - custom Remedy apps, Kinetic Surveys and Service Requests, foundation data requests, *testing
Tier 1 - reporting, adding, deleting or modifying users, roles, permissions, basic application troubleshooting, monitoring incoming requests and assigning them appropriately.
We additionally have a person who serves as our team leader and whose work is a combination of project management and Tier 3 support (he's basically our Tier 3 backup.) Most of our developers are considered Tier 2 and can back each other or our Tier 1 person up as needed. We have a couple of Tier 2s who were hired specifically to work on a subset of our custom apps, though both of them helped with our ITSM implementation, and if we have a customer who is willing to fund a Tier 2 full-time, that person can be sucked into that project for however long the customer is willing to pay. *An exception at Tier 2 is testing, which is my only responsibility and which the other Tier 2s don't do aside from what a developer would do normally. I like to say that I'm the harmony to the rest of my team's melody. I'm not sure there's a best way or a right way to run your Remedy team, just a way that makes sense for how your organization works and how much support you have from management, and that's most likely going to be different in different places.
I would just say there are advantages to being one big team because often what one person does, particularly at Tier 3, impacts the rest of us. Plus we've been able to streamline how some of our requests get worked owing to knowing what requests the others are actively working on. Hope that helps! Natalie Stroud SAIC @ Sandia National Laboratories ARS-ITSM Tester Albuquerque, NM USA nkst...@sandia.gov ITSM 7.6.04 SP2 - Windows 2003 - SQL Server 2008 From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORG] On Behalf Of Mauricio M. Sent: Monday, October 08, 2012 10:38 AM To: arslist@ARSLIST.ORG Subject: [EXTERNAL] Thoughts on Remedy administration Hello, I wonder if anyone can share any experience or recommendations on how you organize your Remedy administration team, especially in large companies, since I believe there has to be at least two teams, one team focused on the technical side of Remedy and its related infrastructure, mostly having to do with troubleshooting, tuning, interaction with OS, DB, network teams, etc., and then there is the other team focused on the tool administration tasks such as monitoring users, controlling licenses, adding, deleting or modifying users, roles, permissions, ITSM foundation data, etc. If you customize or develop apps in Remedy there would be maybe a third team. Thank you and Best Regards, -Mauricio
Re: ITSM 7.6.4 - sharing searches
The closest I've found so far is going into 'AR System Searches Preference' and making a copy of the search I saved for each of the users involved. Functional, but annoying to maintain. Vamsi - I'm not sure what form you mean for ar central preferences. Karthik - Web report would be a good option, but the search involves the Request Detail fields, which do not appear to be exposed to the Report console (probably because they don't have field labels). Unless there is a way to 'hard-code' field ids into the report... Note: The search itself is simple and static:
'Summary*' LIKE Employee Termination% AND '300070005' LIKE Yes AND '303408700' LIKE
Kelly Logan, Sr. Systems Administrator (Remedy, Planview), GMS ProQuest | 789 E. Eisenhower Parkway, P.O. Box 1346 | Ann Arbor MI 48106-1346 USA | 734.997.4777 kelly.lo...@proquest.com www.proquest.com From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORG] On Behalf Of Karthik Sent: Monday, October 08, 2012 11:10 AM To: arslist@ARSLIST.ORG Subject: Re: ITSM 7.6.4 - sharing searches If you know how to create a web report from the report console, there is an option to specify the type of report, public or private. If you select public, anyone should be able to access and run the report -Karthik On 8 October 2012 20:28, patchsk vamsi...@gmail.com wrote: Did you look at ar central preferences form. I believe there is a form to store searches which you can use for your purpose.
___ UNSUBSCRIBE or access ARSlist Archives at www.arslist.orghttp://www.arslist.org attend wwrug12 www.wwrug12.comhttp://www.wwrug12.com ARSList: Where the Answers Are _attend WWRUG12 www.wwrug.comhttp://www.wwrug.com ARSlist: Where the Answers Are_ ___ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org attend wwrug12 www.wwrug12.com ARSList: Where the Answers Are
SRD Functional Role Bulk Import (Work Order Assignee, Work Order Manager)
The knowledge article below references that this is not supported out-of-the-box but that there has been success manually adding these values to the Data Import Tool load forms for Support Functional Roles. Has anyone had success with this? Data Load Tool is not recognizing these new values on 7.6.004 https://kb.bmc.com/infocenter/index?page=contentid=KA308976actp=searchviewlocale=en_USsearchid=1349714094716
Re: ITSM 7.6.4 - sharing searches
Kelly, I think the Defined Search in the form properties will allow you to create a search that anyone with field/form permissions can use. The properties are view based so I would also assume that you can have a different defined search. There are multiple slots for defined searches. Thank you, --- John J. Reiser Remedy Developer/Administrator Senior Software Development Analyst Lockheed Martin - MS2 The star that burns twice as bright burns half as long. Pay close attention and be illuminated by its brilliance. - paraphrased by me
Random MidTier Error
Hi all, I'm getting an error in our Remedy 7.6.4 midtier. It appears randomly and then goes away after restarting the midtier server. It happens in the ClientCore.js file. Uncaught TypeError: Cannot call method 'WorkflowComplete' of undefined There is also an error that appears along with this one: Failed to load resource. The missing resource is a file called a99a2af9.js What is that file? Thanks in advance for your help. Scott
Re: ITSM 7.6.4 - sharing searches
That's a good idea too, John, though that requires modifying the Work Order form (view) itself. I would prefer a solution on the configuration level, as parameters in the search could change over time. Kelly Logan, Sr. Systems Administrator (Remedy, Planview), GMS ProQuest
Re: ITSM 7.6.4 - sharing searches
Sorry, I was referring to the Search Preferences form only. I was not able to remember the actual form name. If that is too much work then how about creating this search and making it available to all users through Defined Searches in the Form View properties?
Re-use Login ID in Remedy
Hello All, I have been approached and asked about how we can re-use Login Id and I've never been asked to do this anywhere else. Of course my initial reply was We shouldn't Do That, but I need more of a justification as the company reuses login ids via AD as a standard. I've told them Login Id is associated with all things ITSM/CI's. I see this being a recipe for disaster. Can anyone help me out with your thoughts on this one please? Has anyone else done anything like this before? Thanks in Advance, Jase Brandon
Re: Re-use Login ID in Remedy
Jason, There was a rather lengthy discussion of that topic a few months ago that may be able to answer some of your questions.
Re: Re-use Login ID in Remedy
Jase, What do you mean by re-use login id? Re-use login-Id for what purpose you mean? -Karthik On Oct 9, 2012 12:57 AM, Longwing, LJ CTR MDA/IC lj.longwing@mda.mil wrote: Jason, There was a rather lengthy discussion of that topic a few months ago that may be able to answer some of your questions.
Re: Re-use Login ID in Remedy
It is an incredibly bad security practice because it destroys any accountability for identity management. It is akin to reusing the social security numbers of deceased persons for newborns (try that analogy on them). We do battle with our PeopleSoft drones over this regularly, but it's really a problem with them not having a unique index on the table for workforce ids; the LDAP login names almost never get duplicated, and our AD syncs to LDAP for that data. If you ever get a security audit, and they are reusing login ids in AD as a standard practice, your organization will fail the audit (unless the audit is by Arthur Andersen LLP). Christopher Strauss, Ph.D. Call Tracking Administration Manager University of North Texas Computing IT Center http://itsm.unt.edu/
Re: Remedy AIE Question
Thanks, Shafqat - I'll try with adding the space after the sign. I do need to use though; to keep a running log of files that were processed (filename.ext is replaced frequently, and the log file keeps track of the date/time size of each file). If necessary I'll 'touch filename.log' to create the file for appending. You're right that the exit command shouldn't be needed, but some of my testing resulted in AIE creating the file, but never exiting cmd.exe. The result was that the first run of the AIE exchange would work, but second and subsequent runs failed because the file was still locked open by the orphaned cmd.exe. Also a new orphan cmd.exe was created each time the exchange ran, which is very bad. It should work without forcing c:\windows\system32 into the path, and when I get this running I'll try removing the line from the .bat file. Until that time I'll leave it in and hope it doesn't hurt anything. Thanks Again, --Phil From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORG] On Behalf Of Shafqat Ayaz Sent: Monday, October 08, 2012 12:34 To: arslist@ARSLIST.ORG Subject: Re: Remedy AIE Question ** Hi try dir c:\temp | find filename.ext c:\temp\filename.log is append, sometimes if the file does not exist the append fails, I have no idea why. Also for some weird reason the space matters. The command will run fine from a DOS prompt but will fail if run from within Remedy. Also since you are using the /c option, you don't need the exit at the end. windows\system32 is always in the global path so you do not need to set that, also since you are running the bat file from within Remedy, it does not set the path anyway. Shafqat Ayaz From: Longwing, LJ CTR MDA/IC lj.longwing@mda.mil To: arslist@ARSLIST.ORG Sent: Monday, October 8, 2012 2:28 PM Subject: Re: Remedy AIE Question Phil, I assume you have executed the batch file with the same command line without issue? -Original Message- From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORG] On Behalf Of Murnane, Phil Sent: Monday, October 08, 2012 7:24 AM To: arslist@ARSLIST.ORG Subject: Remedy AIE Question ** Good Day, All: I'm having trouble with an AIE job and am hoping someone else may have run into this issue. I'm trying to use the process| feature to set a field with the return value of an external process. Really I'm not interested in the return value, I just want the process to run. The process is c:\windows\system32\cmd.exe /c c:\temp\filename.bat and the contents of the .bat file are: set Path=C:\Windows\System32;%Path% dir c:\temp | find filename.ext c:\temp\filename.log exit That's it - pretty darn simple. So the data field mapping in AIE is process|c:\windows\system32\cmd.exe /c c:\temp\filename.bat . The AIE exchange runs successfully, but nothing is logged to the file. There's no indication of any failure in the AIE debug logs. Any thoughts on what I could try? Thanks, --Phil Phil Murnane, Principal Consultant Windward IT Solutions, Service Management Practice
Re: Re-use Login ID in Remedy
To echo Chris, I hope you don't work for a public company because that has to be against some sort of Sarbanes-Oxley regulation.
Re: Re-use Login ID in Remedy
I said the same thing guys. Let me elaborate a tad. They use a unique id for their company (custom attribute on the People form) that allows internal identification based on their unique identifier attribute, so they claim this will be acceptable when it comes to audits. I also brought up the SarBox issues. What concerns me is that Incidents/Changes/CI's, etc. will have last modified by old guy instead of new guy. And... I haven't tried it yet, but I suspect the Data tool isn't going to do the trick as it relates to CI's. By reuse login Id I was referring to: Ex. Joe Jones leaves the company and has a Remedy login ID of jjones. A new employee is hired, Judy Jones, and she is issued the old login id used for Joe Jones of jjones. So if the new employee Judy Jones logs on as jjones, does she suddenly inherit all the records previously owned/last updated by jjones as the original user of this id? Would she possibly see his Incidents/CI's, etc? I'm still trying to wrap my head around all this so pardon my rambling. :-) I've never had to deal with this issue in the past and wondered how the community handled this request or if anyone had ever had to deal with this issue before. 7.6.04 SP2 Windows Thanks, Jase On Mon, Oct 8, 2012 at 6:08 PM, Tauf Chowdhury taufc...@gmail.com wrote: ** To echo Chris, I hope you don't work for a public company because that has to be against some sort of Sarbanes-Oxley regulation.
Re: Re-use Login ID in Remedy
Maybe using their unique corporate id in the login name field, and using their Login in the special 'authentication alias' (I think that's what it's called) field on the user form (see docs) will be the best approach. Then all your last modified by, used by relationships, assignee login id's etc, are all tied to the unique corporate id while they can login using their 'jjones' login name as specified in the authentication alias. That's the most workable approach I see, and would require a one time mass conversion.
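The Joe/Judy Jones scenario from this thread and the alias layout suggested in the reply above, modelled as an added example that is not from any list member or from BMC. The record layout, corporate ids, dates and function names are constructed for illustration and are not Remedy's schema or API.

```python
from dataclasses import dataclass, replace
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Person:
    corp_id: str           # assumed immutable corporate identifier, never reissued
    name: str
    login: str             # directory login, reissued by policy in this scenario
    start: date
    end: Optional[date]    # None means still employed


@dataclass(frozen=True)
class Record:
    record_id: str
    modified_by: str       # value stored in the "last modified by" field
    modified_on: date


# Constructed sample data.
PEOPLE = [
    Person("E1001", "Joe Jones", "jjones", date(2008, 3, 1), date(2012, 6, 30)),
    Person("E2042", "Judy Jones", "jjones", date(2012, 9, 1), None),
    Person("E1500", "Ann Lee", "alee", date(2010, 1, 4), None),
]
RECORDS = [
    Record("INC-1", "jjones", date(2011, 5, 2)),    # written while Joe held jjones
    Record("CHG-2", "jjones", date(2012, 7, 15)),   # nobody held jjones that day
    Record("INC-3", "jjones", date(2012, 10, 8)),   # written while Judy held jjones
    Record("INC-4", "alee", date(2012, 10, 8)),
]


def reused_logins(people):
    """Return {login: [corp_id, ...]} for logins issued to more than one person."""
    holders = {}
    for p in sorted(people, key=lambda p: p.start):
        holders.setdefault(p.login, []).append(p.corp_id)
    return {login: ids for login, ids in holders.items() if len(ids) > 1}


def records_matching(key, records):
    """Record ids whose 'last modified by' equals the given key."""
    return [r.record_id for r in records if r.modified_by == key]


def holder_on(login, day, people):
    """The one person who held `login` on `day`, or None if none or ambiguous."""
    hits = [p for p in people
            if p.login == login and p.start <= day
            and (p.end is None or day <= p.end)]
    return hits[0] if len(hits) == 1 else None


def migrate(records, people):
    """One-time conversion: rewrite modified_by from login to corp_id.

    Records that cannot be tied to exactly one holder are left untouched and
    reported, so they can be reviewed by hand instead of being guessed.
    """
    converted, unresolved = [], []
    for r in records:
        person = holder_on(r.modified_by, r.modified_on, people)
        if person is None:
            unresolved.append(r.record_id)
            converted.append(r)
        else:
            converted.append(replace(r, modified_by=person.corp_id))
    return converted, unresolved


def auth_aliases(people, today):
    """Map the name typed at login to the corp_id, for current staff only."""
    aliases = {}
    for p in people:
        if p.start <= today and (p.end is None or today <= p.end):
            if p.login in aliases:
                raise ValueError(f"login {p.login!r} held by two active people")
            aliases[p.login] = p.corp_id
    return aliases


if __name__ == "__main__":
    print("reused logins:", reused_logins(PEOPLE))
    print("keyed by login, jjones matches:", records_matching("jjones", RECORDS))
    converted, unresolved = migrate(RECORDS, PEOPLE)
    print("keyed by corp id, Judy matches:", records_matching("E2042", converted))
    print("needs manual review:", unresolved)
    print("aliases today:", auth_aliases(PEOPLE, date(2012, 10, 8)))
```

With records keyed by login, a lookup for jjones returns Joe's and Judy's records together; after the conversion each person's key matches only their own, and the record written while nobody held the login is flagged for review.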
Re: [EXTERNAL] Re: Re-use Login ID in Remedy
Jase: There's something I'm not following here...if this unique ID/custom attribute is for the company, why isn't it still possible that our hypothetical Joe and Judy Jones might both work for that company? Can you say a little more about what makes this identifier unique? Thanks, Natalie Stroud SAIC @ Sandia National Laboratories ARS-ITSM Tester Albuquerque, NM USA nkst...@sandia.gov ITSM 7.6.04 SP2 - Windows 2008 - SQL Server 2008