Crystal Reports - ECC Tables - Row level security on Multiple tables

Hi Experts,
We are implementing Crystal Reports directly reporting on ECC Tables.  Lot of information on row-level security has been provided by experts Ingo Hilgefort, Don Williamsand Mike Seblani, but not related to multiple tables or Wild cards
Requirement:
Crystal Users should have access to ALL the tables in ECC, but restricted by Company code, plant, Sales Organization, Purchasing Organization fields to what ever table it applies to. Example: MARC table should be restricted by Plant, BSEG table should be restricted by Plant and company code, GLT0 table should be restricted by Company code..etc
Users should ONLY see their Organization related data.
Solution Developed:
1. We created custom authorization object with BUKRS and WERKS
2. In  /CRYSTAL/RLS  we used Wild Cards *, +  rather than specific table  and referenced the custom authorization object with =BUKRS and =WERKS  in the Field Value
3. Enabled global lock
4. Custom Authorization object was added to user-profiles with corresponding restrictions
*Observation:*
1. This security works when a crystal report was developed on a ECC table which has both BUKRS and WERKS
2. This setup DOES NOT work when a crystal report developed on a table with either one of BUKRS or WERKS
    Example: Does not work on MARC table - error message "Database connection error: /CRYSTAL/OSQL_EXECUTE_QUERY Message: field T0~BUKRS" unknown"
   Does not work on GLT0 table - error message "Database connection error: /CRYSTAL/OSQL_EXECUTE_QUERY Message: field T0~WERKS unknown"
Trouble Shooting:
In the "where clause" of the internal ABAP code generated for MARC, system is checking for BUKRS - which  should not be the expected result
ANYTHING WRONG IN THE SECURITY SETUP ? PLEASE ADVICE
Note: Document "BusinessObjects XI Release 2, Integration Kit for SAP, Installation Guide" does not talk much about this multiple table restriction. Any other document to be referred to ?

I'm not sure how that would help; by using the Faculty_ID Session Variable I can identify the CRN and Term of all courses a faculty member is teaching. But I don't think that has to do with the problem I am having?

Similar Messages

  • Row-level Security over Multiple Tables

    Working on Oracle Database 10g Enterprise Edition 10.2.0.4.0 - 64bit
    Say you have the following tables:
    CREATE TABLE    faculty_course_term
        crn             CHAR(8),
        term            DATE,
        course_college  VARCHAR2(20 Char),
        course_depart   VARCHAR2(20 Char),
        faculty_id      NUMBER,
        fac_college     VARCHAR2(20 Char),
        fac_department  VARCHAR2(20 Char),
        fac_fname       VARCHAR2(20 Char),
        fac_lname       VARCHAR2(20 Char),
        CONSTRAINT      faculty_course_term_uk
            UNIQUE      (crn, term, faculty_id)
    CREATE TABLE    course_term
        crn             CHAR(8),
        term            DATE,
        course_subject  VARCHAR2(20 Char),
        course_number   CHAR(4),
        course_section  VARCHAR2(5 Char),
        college         VARCHAR2(20 Char),
        department      VARCHAR2(20 Char),
        course_credits  NUMBER,
        CONSTRAINT      course_term_uk
            UNIQUE      (crn, term)
    CREATE TABLE    student_course_term
        crn             CHAR(8),
        term            DATE,
        course_college  VARCHAR2(20 Char),
        course_depart   VARCHAR2(20 Char),
        student_id      NUMBER,
        stu_college     VARCHAR2(20 Char),
        stu_department  VARCHAR2(20 Char),
        earned_credit   NUMBER,
        CONSTRAINT      student_course_term_uk
            UNIQUE      (crn, term, student_id)
    );These tables are summary tables that represent multiple other tables. These tables can be joined by the CRN and Term columns. There is not, however, any foreign keys between them.
    You have made these tables available within a Subject Area on a repository. You now want to increase your user base for faculty, department heads, and college heads to access this data, but only the data that they have access to via their position.
    So you have the following Requirements for your security:
    Requirement 1:     Users with a Group_ID of 1 can see all data.
    Requirement 2:     Users with a Group_ID of 2 can see all Faculty, Course
              and Student records within their College.
    Requirement 3:  Users with a Group_ID of 2 can see Students records
              that are not in their College but are taking Courses in their
              College.
    Requirement 4:     Users with a Group_ID of 3 can see all Faculty, Course
              and Student records within their Department.
    Requirement 5:  Users with a Group_ID of 3 can see Students records
              that are not in their Department but are taking Courses in their
              Department.
    Requirement 6:     All Users can see Course records that they teach (even if it is
              outside their Department or College), as well as all Students
              within those Courses.To meet this criteria, you setup a new table on the database:
    CREATE TABLE    faculty_groups
        faculty_id      NUMBER,
        group_id        NUMBER,
        username        VARCHAR2(20 Char),
        fac_college     VARCHAR2(20 Char),
        fac_department  VARCHAR2(20 Char)
    );And you setup your Session Initialization Blocks and Variables like this:
    SELECT 'GROUP_ID', group_id
    FROM faculty_groups
    WHERE UPPER (username) = UPPER( 'VALUEOF(NQ_SESSION.USER)')
    SELECT 'COLLEGE', fac__college
    FROM faculty_groups
    WHERE UPPER (username) = UPPER( 'VALUEOF(NQ_SESSION.USER)')
    AND group_id = 2And so on for Department and Faculty_ID.
    Now, meeting Requirement 1 is easy enough starting all your data filters with:
    VALUEOF(NQ_SESSION."GROUP_ID") = 1
    ORRequirements 2 and 4 are also easily met in the manner of:
    VALUEOF(NQ_SESSION."GROUP_ID") = 2
    AND
         "Courses Term"."FACULTY_COURSE_TERM"."COURSE_COLLEGE" =  VALUEOF(NQ_SESSION."COLLEGE")
         OR
         "Courses Term"."FACULTY_COURSE_TERM"."FAC_COLLEGE" =  VALUEOF(NQ_SESSION."COLLEGE")
    )However, the hard part comes up with Requirements 3, 5 and 6. Using Requirement 6 on Student_Course_Term as an example, you need to identify the Faculty member that is teaching the Course using the Faculty_Course_Term table, then connect all related records to the Student_Course_Term table using the CRN and Term fields. But attempting the following data filter on the Student_Course_Term table results in a "No fact table exists at the requested level of detail" error:
    OR
    "Courses Term"."FACULTY_COURSE_TERM"."FACULTY_ID" = VALUEOF(NQ_SESSION."Faculty_ID")As well as trying:
    OR
         "Courses Term"."FACULTY_COURSE_TERM"."FACULTY_ID" = VALUEOF(NQ_SESSION."Faculty_ID")
         AND
         "Courses Term"."FACULTY_COURSE_TERM"."CRN" = "Course Term"."STUDENT_COURSE_TERM"."CRN"
         AND
         "Courses Term"."FACULTY_COURSE_TERM"."TERM" = "Course Term"."STUDENT_COURSE_TERM"."TERM"
    )Any suggestions? Does what I am attempting require physical foreign keys between the tables?
    Edited by: Nick Clinite on May 21, 2013 1:34 PM

    I'm not sure how that would help; by using the Faculty_ID Session Variable I can identify the CRN and Term of all courses a faculty member is teaching. But I don't think that has to do with the problem I am having?

  • How to implement row level security using external tables

    Hi All Gurus/ Masters,
    I want to implement row level security using external tables, as I'm not sure how to implement that. and I'm aware of using it by RPD level authentication.
    I can use a filter condition in my user level so that he can access his data only.
    But when i have 4 tables in external tables
    users
    groups
    usergroups
    webgrups
    Then in which table I need to give the filter conditions..
    Pl let me know this ...

    You pull the Group into a repository variable using a session variable init block, then reference that variable in the data filters either in the LTS directly or in the security management as Filters. You reference it with the syntax VALUEOF("NQ_SESSION.Variable Name")
    Hope this helps

  • Row Level Security Not working for the ECC table.

    Hi All,
    We have created a crystal report using SQL Driver.
    We have set the row level security on PA0001 table so that we can restrict the query based on Company Code.
    But when I run the report, it bypasses the row level security and gives access.
    Am I missing some configuration?

    Hi Ingo,
    Security is set up using /crystal/rls transaction. A custom auth object is used for checking the company code with a single field "BUKRS".
    This custom auth object is maintained for the PA0001 table.
    This object is added at the role level with the restricted access to the Company Code..

  • Row level security in Xcelsius through scheduled reports?

    Hi Experts,
    Our requirement is to implement row level security in Xcelsius dashboards from SAP BW source through Bex queries which would have authorization variables. We have seen that these Bex authorization variables work in Webi reports and security is applied appropriately. But do they work in upto Xcelsius as well, if we use Live Office Parameter binding option? If it does, then do we need to create prompts agian in Webi?
    We have also seen that security is applied if we use the BICS (SAP Netweaver native connectivity) option. However our objective is to schedule as many reports as possible in the dashboard to save on report refresh time at run-time, which is not possible is BICS or QAAWS. Therefore the best option for us would have been if we could apply row level security on scheduled reports.
    Can you please advise on the best approach? Your help is greatly appreciated.
    Thanks,
    Sougata

    Since you are using BEx queries as data sources authorization variables is the only way to apply row level security. This will work fine also for XCelsius dashboards that run in the InfoView (in an SAP logon context eg. when the user uses it's SAP credentials to login into the InfoView) and fetch data on-demand over LO from your WebI reports. Just make sure that the underlying webi reports are set to use SSO.
    If you are using scheduled report instances no row level security is applied depending on the context of the user that started the dashboard. XCelsius will get the data that have been saved in the instances. In this case the row level security has been already applied at the moment the report instance was created BUT for the user who scheduled the reports to run.
    Regards,
    Stratos

  • Applying row-level security to crystal report instance

    Hi
    we have created crystal reports based on sap r/3 data using open sql driver and imposed row level security and published to BOE.The user when opens report with view on demand can see the data which he is supposed to see.
    Is it possible to schedule a single instance of the crystal report and then all the users access the instance and see the data that they are supposed to see.If not what is the other way out.
    Thanks in advance.
    Kamal

    Hi,
    I didn't try it so far
    but I found this Link:
    http://neverknewthat.wordpress.com/2007/11/06/row-level-security-trick-with-crystal-reports/
    -> create Instance with full authorization
    -> Join CR-Result with Customer-Table: User Authorization
    Max

  • Crystal reports LOV cascading prompts row level security not working

    Crystal report LOV cascading prompts with row level security is not woking when the crytal report cache server/page server cache (Oldest On-Demand Data Given To a Client (in minutes)) is turned on. But its working fine when the cache is turned off.
    Using XIR2 environment.
    Appreciate the response.
    Thanks
    Chenthil

    Hi Chen,
    In terms of what could be done on the Crystal Reports end, there is no such controls available.  However, your question may be better answered if it was posted to our Business Objects Enterprise forum. 
    It is at "BusinessObjects Enterprise Administration" section of the forums.
    FYI.

  • Help with implementing Row Level Security in Interactive Reporting

    We're deploying Hyperion BI+ 9.3.1, using Workspace and Interactive Reporting. I'm researching how we can use the Workspace row level security option. I've read what's available for documentation in the Workspace Administrator Guide and the Interactive Reporting Users Guide. I understand the concept of setting up rules with row_level_security.bqy, but I'm confused about where these tables should go and what actually happens when I go to Workspace > Administrator > Row Level Security and turn it on.
    The Administrator's Guide tells me the "properties" are stored in the repository, but the "rules" are in the "data source". Does that mean my BRIOSEC* tables go in the database I'm running my reports from? If so, then what's the data source I'm filling in on Workspace > Administrator > Row Level Security?
    I have many different database connections going to different Oracle and SQL*Plus instances, and I don't want to apply row level security to all of them. How does Workspace tell the difference between them? If I enable rules but create a report from a database that doesn't have rules defined for it, what happens?

    The 3 tables used with the RLS are stored in the same schema as your repository by default.
    The RLS store all the Rules for any database that you are using.
    You define the rules based on the tablename (owner.tablename) and the column name.

  • How To Setup User Row Level Security In Answers From Values In Table

    I am trying to setup row level security when a user logs into BI Answers. Basically I want the user to create any report that they would like but only see the data that they are associated to being retrieved in the Answer Report results. I have users stored in an Oracle authentication table where they have multiple values for schools that they can view. I have data in my RPD file that contain tables with multiple rows for schools. What I would like is to capture the associated school values for the user logged into BI Answers and place a filter on the data being retrieved in the RPD file to only show rows for the user's associated schools. Can I add a WHERE clause on the Business Model and Mapping layer of the RPD that would retrieve the multiple associated schools in my authentication table and filter/match them (IN clause maybe) to the school values in the RPD data being retrieved?
    Thank you in advance for any information you my have to help me along,
    Kyle

    Turribeach,
    I appologize, I did not use those exact words to search on in the forum. I should have and what I did use didn't turn anything up for my situation.
    Thank you for the link. It helped me find the below link which describes the setup in detail and resolved my issue:
    http://oraclebizint.wordpress.com/2008/06/30/oracle-bi-ee-1013332-row-level-security-and-row-wise-intialized-session-variables/
    What I needed was a row-wise variable/initialization block that stored the multiple school values for my logged in user. I then edited the "Content" tab of the Logical Table Source with a WHERE/IN clause that filtered down the result set based on my variable/initialization block SQL query.
    This solution works great!
    Thanks again!

  • Universe row level security workiing in main report but not subreports

    I have a report with a couple of sub reports that are running against a universe with row level security. The security works in the main report but when the sub reports run, the security is missing. The report is running through BOE, CR XI R2. Is there something Im missing...? Being new to BOE...

    Hi Michael,
    I am sure the Sub-report is also based on Universe.
    Try to create query with atleast one object/column coming from table on which row level security is applied in universe.
    Hope this will solve the problem.
    Thanks,
    Sushil

  • Reports XI: Infoview behavior with Row Level Security

    Post Author: pwilliamsbssp
    CA Forum: General
    I have a report that is based off a business view that has project information with an additional table used to assign report users to certain clients (each project has a client).  A filter is used to assign the report user to the current ce username.The report is scheduled by the administrator login.  Each user goes to view their report on Infoview and is able to view data for only those clients specifically assigned.   This functionality seems to work fine - everyone views one instance of the report and InfoView assigns the row level security.However, I'm running into a problem viewing report histories when adding or changing client assignments.   The historical reports come up either blank or with erroneous information (such as the current week's information instead of the previous week's data saved with the instance of the report).   I have not found a logical link between the behavior of the historical reports and the specific users.  Some can see one week and not another while others have the reverse, regardless of their security assignments.Does anyone understand the behavior of view historical reports with row-level security?  I have no idea what data/metadata is saved with each report instance and when the row-level security is being read.  Is it read when viewing the report? or, is it specific to the structure of the data when the report was run?With other reports using the same row-level security model I'm able to view the historical reports although it has the client assignments at the time the report was created.  But, at least I'm able to view the reports.Any insight welcome.Patrick Williams

    Post Author: pwilliamsbssp
    CA Forum: General
    Bump.  Anyone is welcome to tackle this question.  Please.

  • Row-level Security Filters applied to Columns and Tables only? no Areas?

    Good day all,
    Just quick question (obiee 10.3.3.2) - Is there a way to edit row-level security using Whole subject areas (instead of bringing in the individual Fact tables and applying filters by copying/pasting them).
    Follow up question - if I have nested facts in presentation layer (ones preceding with "-" - do I specifically add them to conditions, or would they be inherited by only including parent fact)?
    Thanks!
    Message was edited by:
    wildmight

    I'm not sure how that would help; by using the Faculty_ID Session Variable I can identify the CRN and Term of all courses a faculty member is teaching. But I don't think that has to do with the problem I am having?

  • Report based row level security

    I have a requirement to have row level security on only one particular report - so a user in the "Accounting" group - when running this report can only see the "Accounting" business unit but not any of the other business units such as "food service" or "training" - however when running any of the other reports - they are able to see all business units. Is there a way to deploy row level security so when a particular report is run that the security filter is applied - and not in all cases?
    thanks very much for your help!

    Kapsnerc,
    One way to solve your problem is to duplicate the column in your rpd and then define security accordingly.
    For this report use the duplicated column and for the rest use the original column to build the report.
    Regards,
    Venkata.
    Edited by: user8000915 on Jun 28, 2010 2:07 PM

  • Row Level Security not working for SAP R/3

    Hi Guys
    We have an environment where the details are as mentioned below:
    1. Crystal Reports are created using Open SQL driver to extract data from SAP R/3 using the SAP Integration Kit.
    2. The SAP roles are imported in Business Objects CMC.
    3. Crystal Reports are published on the Enterprise as well.
    3. Authorization objects are created in SAP R/3 and added as required for the row level security as mentioned in the SAP Installation guide as well. The aim is when the user logs into the Infoview and refreshes the report he should only see data that he is meant to so through the authorization objects.The data security works very much fine when the reports are designed directly on the table but when the reports are built on the Business View it doesnt work hence the user is able to see all data.
    Any help in this issue is greatly appreciated.
    Thanks and Regards
    Kamal

    Hi,
    In order for row level security to work for you using the OpenSql driver, you need to configure the Security Definition Editor on your SAP server.  This is a server side tool which the Integration solution for SAP offers as a transport.
    This tool defined which tables are to be restricted based on authorizations.
    However since you are seeing the issue on reports based on Business Views, you need to identify whether the Business View is configured in such a way where the user refreshing the report is based on the user logging into Infoview.  If the connection to your SAP server is always established with the same user when BV is used then you security definition is pointless.
    You can confirm this by tracing your SAP server to identify what user is being used to logon to SAP to refresh the reports.
    thanks
    Mike

  • Row level security not working if I hit the aggregate

    I have applied row level security on presentation layer , however it does not work if the report hit the aggregate any idea on this...

    Hi Ingo,
    Security is set up using /crystal/rls transaction. A custom auth object is used for checking the company code with a single field "BUKRS".
    This custom auth object is maintained for the PA0001 table.
    This object is added at the role level with the restricted access to the Company Code..

Maybe you are looking for

  • Client Certificate Authentication

    Hi guys I am not sure if this is the right place to ask but here I go. We are trying to find the best option to push client certificates to our user's Mobile Devices so they just log into a website, type their credentials and the user certificated ge

  • HT1766 How can I transfer my old iphone number to my new iphone?

    I bought the new iphone from verizon and i had another iphone with another carrier and i was just wondering what it is i had to do switch my old cell phone number to my new one without having to go to my new carrier.

  • Setting up a second wireless network with TC

    Hi All Am shiny new to these communities and a recent convert from PC/Windows to MAC/OS and have so far been loving a simple, easy to use home computer life! I've scoured through to see if i could find an answer to my question but couldn’t see anythi

  • Opening Adobe illustrator CS5 file in CorelDraw X5

    I was totally new to graphic design and the best I could do was resize images in MS Paint or use Word 2010. Than I discovered Adobe Illustartor as I needed to make a logo and Letter Head. After breaking my head against my monitor (does not hurt any m

  • Add a VI in a VI

    I am trying to add a VI in another VI (main VI).  I am able to do this by drag & drop, but the input-output terminals of the VI that is being added are not visible in main VI.  Any help is much appreciated. Solved! Go to Solution.