Metadata security

Is there a way to prevent editing of metadata? If not, this would be a great feature to have, similar to security settings on PDF files.

I would want to retain all my metadata and prevent it from being edited or stripped, while still being able to view it.
You can lock a file in Bridge (right mouse click menu in Bridge content panel) to prevent writing to it but like Paul stated, this only helps you to prevent changing accidentally metadata. Whenever a file is out everyone can unlock this file or you only have to open it in PS, use select all, copy, create new file and use paste to end up with an exact copy of the image data yet all metadata has been stripped…
I seem to recall that in the early days was a company in France that offered some digital copyright in the file itself that would secure the rights abuse but that was long ago and proofed not to be safe at all.

Similar Messages

  • Security issue with page drop down on planning form 11.1.1.3

    I'll buy a round of Newcastles for anyone that can fix this issue.
    Planning 11.1.1.3 a given user is given @idescendants write access to a cost center rollup that has shared members underneath. The stored members are in a primary rollup higher up in the hierarchy. The webform has the cost center selection on the page drop down. The first child in the rollup does not display. This occurs for every rollup, the first child member is not visible i nthe drop down. So for example, the outline looks like this:
    primary cost center hierarchy (stored)
    rollup1
    --ccxxx stored
    --ccyyy stored
    alternate hierarchy (shared members)
    rollup2 <--------------user has write access to @Idescendants of this rollup
    --ccxxx shared
    --ccyyy shared
    In the page drop down, only the ccyyy member shows. Not the ccxxx. Dev has the same access applied and both show correctly. I've tried refreshing security, pushing filters from plan to essbase (even though this is metadata security in planning) and nothing fixes. Webforms are identical. My next step is to restart the planning service when i get down time but was wondering if anyone else has seen this issue.Always the first child of the shared rollup that doesnt display.
    Edited by: EssbaseInAz on Nov 4, 2009 3:11 PM

    Exports are identical. In fact, prod security was cleared and reloaded using an export from dev. after the upload i re-exported prod and compared the export to what was loaded (export from dev). Security is identical. This only for users with security set on the alternate hierarchy rollups up. Admin members are fine. One test i did do was to give access to the first child that is not displaying up on the stored member. If i do that, the member will show. But that's not really feasible in this security setup and it does not explain why the exact same security works fine in dev.
    I thought about about the second issue you raise. it does seem to behave like that. but the part is tagged never share, not label. Same as in dev, which works. plus like you said, that situation only seems to arise when the members are on the row and even then, the member displays, it's just set to read only. I'm wondering if there's some flag set in the relational backend that's causing an issue or something like that. I've pushd the filters to essbase and using a test id setup i can replicate this issue, but with an excel retrieve i can obviously see the member (since metadata security isnt applied in excel) and i can also see the data for the missing cost center. So, its somewhere in planning where the metadata security is applied. I might poke around the planning tables and compare to dev to see if i can find any smoking guns. Really bizarre. Plus tomorrow i've got a window to restart the planning service to see if that helps.
    Thx for the response Jake and if you have any other suggestions i'm open. If i find a solution i'll let you know.
    Pete

  • Security Setup not working

    Hi,
    As a part of security setup we have done the following things:
    - Users created and assigned as members of groups. One group is created per entity.
    - Groups have been provisioned for the application and given security class access
    - Security classes have been created and attached to metadata. for e.g, all entities have been attached a Sec class in properties.
    - In application settings, Node Security = Entity, Security for Entities is Checked, Enable Metadata Sec Filtering is also checked.
    Even after this, the security setup doesnt seem to be working. A user with minimal provision (only Data Form Writeback from Excel) and no security class access is also able to see all the entities, also other forms, grids, etc which have been attached diff security classes. He is able to edit the forms and grids.
    Can anyone help out as to what is it that we are missing?

    What role(s) do the users have? Any user with the Administrator role bypasses class access checking and is assumed to have full access to everything. No other role provides this bypass.
    Editing forms and grids has nothing to do with Entity security. If the forms and grids have no class assigned to them, they use the [Default] class which I suggest all users have All rights to anyway. If there are grids/forms you do not want users to change, you should assign a specific class to them, other than [Default].
    Enable Metadata security filtering should restrict users from seeing the members for which they have None access to, but as long as they have Read or All access, they will see the members in a pick list.
    --Chris                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       

  • HFM Metadata File deleted automatically in 11.1.2.3

    Hello All
    I have created HFM Metadata Manually in the Manage Metadata (Client), When I am saving the changes for the 2nd time, I got "unexpected error"  and automatically deleted my Metadata file which I have created.
    I faced this kind of error for 2 times, and its deleting my Metadata files which I have created. I could not find my Metadata files even in Recycle Bin.
    I have spend 3 Hrs for Building HFM Metadata. My Efforts are gone to waste.
    Is this is Bug in 11.1.2.3 Version?? Do I need to apply any patch for this??
    kindly suggest.
    Regards
    Dev

    Hi. Have you assigned the classes to the entities within the metadata? If so, how are you checking that there is access or no access - data grid? The user may still see the other entiies in member selection dialog boxes unless you've checked the enable metadata security filtering within application settings.
    Regarding [default], have you assigned classes to EVERY metadata item? If not, and it's common not to, then give All access to [default].
    Eric

  • Journal Security role in  HFM

    <Font color="Blue">
    Hi, All
    There is a scenario, I want to restrict the user to post the journal but he can not unpost the journal in HFM?
    How would I achieve this? Post and unpost roles are not segregated in HFM. (Means Post journal role includes the unpost journal role also) How to achieve this?
    Regards
    Taruni
    <Font/>

    This type of access is not for loading metadata(what you refer to as write access) it is basically a filter used during the display of the Metadata using any of the interfaces.
    In your example US Security Class for the people in US region.
    A user will be able to see all of the Entities tagged with the US Security Class, so if you have a "Global Region" that includes say "Europe" the user won't be able to see this structure when they are navigating in the Entity Dimension. If you also tagged some accounts for the exclusive use of US entities (with US Security Class) then, the Europeans won't have access to those accounts when they navigate the Account Dimension.
    Hope this will help you clarify the use of the Security Classes.
    Also, for this filter to take effect, you must enable METADATA SECURITY FILTERING in the Application Settings.
    Edited by: Raul Rodriguez on Nov 13, 2008 9:58 AM

  • Security refresh in Planning

    I have a Planning application where security gets cleared and re-established every night. Sometimes the refresh takes as little as eight minutes and sometimes over an hour (68 minutes). Does anybody now why that would be? There aren't many users on the system, if any, when this security refresh is being run. thx

    Some things to check on... Does your refresh process include a metadata refresh / Essabse restructure? Are you regenerating Essbase security filters or only import of Planning object and metadata security? I would check for resource conflicts on your database server and possibly your Essbase server. Are there any scheduled batch jobs or backup jobs that might be holding up your refresh?

  • Site Studio 11g: Different security access for each user

    Hi,
    I want to limit access for some contributors and grant full access to others.
    I set up different users on the content server, assign a different contributor data file to each region, and assign unique security metadata to those files.
    As result it still display the graphic icon for those data file with only read access. The contributor is not able to edit the data file but still capable to switch or remove the data file.
    +According to the documentation only the files that a particular contributor has permission to edit will display the contribution graphic icon on the web page when in contribution mode.+
    I need that the contributor should not be able to switch the data file or remove it if he doesn't have edit access to those data files.
    I've applied the metadata security to the placeholder definition unsuccessfully.
    I am using Account Security model.
    Thanks
    al
    Edited by: user8859325 on 20-Jun-2011 08:21

    Hi,
    I want to limit access for some contributors and grant full access to others.
    I set up different users on the content server, assign a different contributor data file to each region, and assign unique security metadata to those files.
    As result it still display the graphic icon for those data file with only read access. The contributor is not able to edit the data file but still capable to switch or remove the data file.
    +According to the documentation only the files that a particular contributor has permission to edit will display the contribution graphic icon on the web page when in contribution mode.+
    I need that the contributor should not be able to switch the data file or remove it if he doesn't have edit access to those data files.
    I've applied the metadata security to the placeholder definition unsuccessfully.
    I am using Account Security model.
    Thanks
    al
    Edited by: user8859325 on 20-Jun-2011 08:21

  • DSP 2.1 ldconsole access / security setup

    Hi,
    I'm trying to figure out ( and am struggling)... how to configure access to the ldconsole. The scenario we have is some developers who do not have admin rights on the weblogic console, they do have limited rights to review some of the deployment configuration but not change anything. But what they need to be able to do is Purge their data cache etc in the LDConsole. I've added the group they are a member of to both the administrative and metadata security policies in the LDConsole and they can log in... however when they click their application they don't see the view you see if your an administrator. They just see an empty page. Also they don't see in the expandable tree view the Physical sources or anything else, just "Endpoint". Can any one tell me what I’m missing here or point me in the right direction, i'm finding the docs not very helpful so I’m either just not seeing it or looking in the wrong place :-S
    Regards,
    Dave

    In DSP 2.x, you cannot access the console with different privileges as you might expect. This is a known issue. It is fixed in DSP 3.0

  • Upgrade/Migrate 9.3.3 Planning apps to 11.1.2.2

    I am in the next step of our upgrade from 9.3.3 to 11.1.2.2 and ready to migrate our Planning applications. I have read many of the posts related to this and have a general list of steps, but I have slightly different situation than what I have seen posted before.
    To summarize, we have installed 11.1.2.2 on new servers.  Our old 9.3.3 is still up and running on different environment.  I have sucessfully completed the following:
    1.     Foundation Services/Shared Services installed and up and running and users/groups successfully migrated.
    2.     Essbase and EAS installed and up and running.  All Essbase applications (except for the Planning apps), have been successfully migrated from 9.3.3 to 11.1.2.2.
    3.     Planning has been installed and is up and running.  While there are no Planning apps in the new system, I can open the Planning Administrator via WorkSpace.
    So the next step is to get my Planning apps moved/migrated from the 9.3.3 environment to the new 11.1.2.2.
    To complicate matters, we are switching from SQL Server repository in 9.3.3 to Oracle in our new 11.1.2.2.  So the first thing we did was to create a new Oracle schema for our Planning app repository and using SQL Developer migrate wizard, we copied/migrated the tables and data from the old SQL Server to Oracle.  It appears that all the tables and data were successfully copied into Oracle.
    Our old Planning application is called PlanTest. The application owner is a native user called planadm.  My intended migration plan (and my questions) are:
    1.     Do I create a new blank Planning app called PlanTest using native account planamd in 11.1.2.2?
    2.     If I use my new Oracle repository for this blank app, will it wipe out the old converted data or will it try to upgrade/migrate it?
    3.     Or..should I take a backup of my new converted repository first.  Then drop/recreate the Oracle Schema (so no tables) and let Planning build the repository when I create the blank Planning app?  Then capture the owner SID in the new HSP_USER table.  Stop Planning. Then overlay the database backup of 9.3.3 over the newly created repository and replace the owner SID info. Then Restart Planning.
              ** My concern:  Is the Planning app repository table structures the same between 9.3.3 and 11.1.2.2?
    4.     Open Planning and hope that the application PlanTest appears!
    5.     Use Planning upgrade Wizard to finish the migration and upgrade the repository.
    6.     Push/Create app to Essbase.
    7.     Export data from old app to .txt load file and reload into new Planning cube.
    8.     Convert/Migrate Business Rules using info from John's blog.
    I am sure I missed something.  Any suggestions or comments on these steps would be appreciated.  Bottom line is I need to get this app (and several others) migrated successfully with all metadata, security, forms, rules etc. working.  Rebuilding them from scratch is NOT an option.
    Also, to clarify.  This is a Classic Planning app.  We are not using EPMA.
    Thanks,
    Mike

    Following the steps, the upgrade/migration of the Planning application worked successfully.  The app and forms were all migrated and was able to push to Essbase application successfully.  The only issue was security.  While the users/groups seem to appear in the migrated Planning app, none of their security access/filter info migrated.  We have Planning security defined down to the member level in the application and it appears none of that successfully migrated, so we would need to manually re-assign all of that security.  Any thoughts of what may have happend or step I may have missed?
    Also have moved on to attempt migration of the Business Rules to Calc Manager.  Using John's 2nd alternative method from his blog, I export the rule from 9.3.3 EAS to HBRRules.xml file, copy it to the appropriate 11.1.2.2 folder, select "Migrate" on the PlanTest planning app in Calc Manager, select the app and Plan type and all seems well with the Import screen even indicating that the Rule and variables were Inserted.  But I never see the rule appear.  Could this be an "owner" issue or is there something I need to do to the .xml file before the migration step?
    Mike

  • Can't see package body in SQL Developer version 3.1

    Hello,
    Have been scouring the boards and google for this issue for quite some time now. I think I have discovered the issue, but would like to see if a work around exists.
    Problem:
    I am unable to view packages, procs, VIEW DDl, etc. of other users. When a colleague of mine uses Toad, with the EXACT same connection ID and setting, they are in fact able to see all the source code...
    What I've found:
    Looking around, apparently Toad and SQL Dev work in different ways. Toad apparently uses DBA_SOURCE and DBA_OBJECTS to generate everything.
    SQL Dev uses the META_DATA package to retrieve everything. Further, in order to use the meta_data package, I need the grant catalog role, or something like that.
    Is there a way to set up SQL Developer to use the same method as Toad to retrieve the code? It's a fact that I WILL NOT receive the catalog permission per the DBAs... I can write out the
    select text from DBA_SOURCE where OWNER = 'OWNER' and NAME = 'OBJECT NAME';
    But, I would prefer to just be able to use the tree nodes and click on objects to generate all this. Anyone know of any setting for this?

    Hi,
    No doubt SQL Developer wants to be competitive with Toad but, in terms of raising red flags over inconsistencies in basic functionality, any difference versus SQL*Plus would be more surprising than versus Toad.
    DBA_SOURCE and DBA_OBJECTS are public synonyms available in any standard Oracle installation, but you also need the SELECT ANY DICTIONARY privilege to get maximum benefit from them. That lets you view code in another user's schema without having an explicit privilege (like EXECUTE) on a package/procedure/function.
    If you already do have such privileges (either SELECT ANY DICTIONARY, or EXECUTE or DEBUG on specific executable objects), and the Code tab is empty, then you will need to provide a test case, as Vadim indicates.
    In terms of any case where SQL Developer utilizes DBMS_METADATA, my understanding is the API relies on the SELECT_CATALOG_ROLE privilege if a user does not own or otherwise have an explicitly granted privilege on an object. Developers like to use this API wherever possible in place of writing a script that might break or need maintenance to deal with future versions of the Oracle database.
    I have no idea how Toad works, and I probably shouldn't speculate, but here is one scenario that could explain the case you mention without the connection user having any of the privileges noted above. Let's say the Toad client software calls a PL/SQL package that selects from DBA_SOURCE and is installed in a schema that has the SELECT ANY DICTIONARY privilege. All Toad users are granted EXECUTE on this package and therefore inherit SELECT ANY DICTIONARY in the context of running the package. This will work, but at the price of complicating installation of Toad. Also, it doesn't afford an administrator fine-grained control over metadata security.
    Regards,
    Gary
    SQL Developer Team

  • Changed content type (DDOCTYPE) is not visible in GUI

    Hi,
    I have strange problem. I made configuration import from other UCM machine (content types, metadata, security groups and so..). After import I checked it - I have my security groups there, I have my metadata there, but I DO NOT HAVE there my content type (in drop down box there are only couple of preinstalled content types - Acme xxx Department...). I have checked in the admin applets -> configuration manager and my added content type was there (among the 'Acme ....' preinstalled content types). I even deleted those 'Acme....' content types to be sure that only my one is there. But in the search gui there is still drop down box with 'Acme...' types and my own is missing there.
    Strange because I do not know why it shows content types which have been deleted and are not in database anymore. I checked the database and in the table DOCTYPES there is only my own content type.
    Can anybody give me som hint? I tried restarting servers, clearing browser's cache, but still without success.

    Hi. I tried it, but it did not help. :(
    It is strange. Before I had the error in log:
    Unable to rename '/appl/ucm_cluster/server/weblayout/resources/schema.work' to '/appl/ucm_cluster/server/weblayout/resources/schema' while publishing schema.
    When I looked into the 'schema' dir there was old doctypes in js file
    In 'shcema.work' which was supposed to be renamed to 'schema' there was my correct document type in js file.
    Now in /server/weblayout/resources/schema/views/doctypes/all.js file there is only my correct document type but i still have in gui the old wrong doctypes! :(

  • Essbase Gurus this is the time to help for this scenario in securityfilters

    Hi Gurus,
    I have one scenario in ASO(11v) ,I have to create security filters for two users
    for eg:
    GEO Account  30000
    wen we drill down
    india turnover 10000
    paris turnover 100000
    UK turnover noacess
    I created "GEO","india","paris"
    this security filter is working fine for one user
    but i need second filter like below
    in total sumof aggregation it doesnt show that is diffrent for both users (UK turnoover dont show in upper level)
    Actually UK have the measure but we have to restrict that measure for some users
    like below
    for another user
    GEO Account 20000
    wen we drill down
    india turnover 10000
    paris turnover 100000
    UK turnover noacess
    i m struggling here I tried with different options but no use ,my client wnt this requirement ,plz ur help gr8forly Appriciated
    Thanks
    Edited by: user98631 on Dec 18, 2009 4:31 AM

    Its amazing how the same off the wall question pops up around the same time. There is another thread about this. A security filter alone will not get you want you want.
    The best solution I can offer is to create multiple rollups that give you what you want, and use metadata security to restrict the users from seeing the geo member. Have the filter only allow them to see their rollup.
    I guess in an out of the box solutions would be to have one cube with all the data then multiple cubes partitioned to the soruce cube with the data for specific rollups. Allow the users to only see the cube that has the rollup they need.

  • Lcm batch utility issue in 11.1.1.3

    "Utility.bat" is currently unable to execute multiple Definationmigration.xml files from the batch mode
    In the batch file i have called multiple Definationmigration.xml file
    The batch file is in this format
    echo D:
    D:\cd d:\Hyperion\common\utilities\LCM\9.5.0.0\bin
    Utility.bat D:\hssuser\ACMigrationDefinition.xml
    Utility.bat D:\hssuser\AYMigrationDefinition.xml
    Utility.bat D:\hssuser\AzMigrationDefinition.xml
    Utility.bat reads the first "D:\hssuser\ACMigrationDefinition.xml" and getting executed successfully .I can the see the backup created under filesystem application group
    while the other two files are not .
    Is there any format to run multiple MigrationDefinition.xml from the batch file or does not support multiple MigrationDefinition.xml to be called in the batch file
    Please help

    Hi. Have you assigned the classes to the entities within the metadata? If so, how are you checking that there is access or no access - data grid? The user may still see the other entiies in member selection dialog boxes unless you've checked the enable metadata security filtering within application settings.
    Regarding [default], have you assigned classes to EVERY metadata item? If not, and it's common not to, then give All access to [default].
    Eric

  • How do I get a profile / .per file from a EPMA application this is for HFM

    I want to copy an EPMA application into another environment but outside of EPMA. I can get the metadata, Security and Rules Extracts. How do i get the .per periods file to set up the classic application.

    Hi Raul,
    Thanks for the help. What I was trying to do is extract one from an existing application. But I guess it is easy enopugh to set one up from scratch. I wasnt sure of the start period of the app that i wanted duplicated, but opening it in the classic app client, and dropping down on the year dimension gives us the info.
    Thanks for your help.
    Vivek

  • OBIEE 10q problem with user authentication - only administrator is working

    Dear colleagues, i am facing to problem in our OBI solution,
    From some time I am able to connect only wih Administrator account. User accounts defined in rpd are not working. I am not using LDAP.
    The error logs are enclosed:
    Any idea what to check please?
    Thanks for support,
    Michal.
    Stav: 08004. Kód: 2718234696. [NQODBC] [SQL_STATE: 08004] [nQSError: 10018] Access for the requested connection is refused. [nQSError: 46036] Internal Assertion: Condition dbIDs.size() == 1, file server/Metadata/Security/Src/SSDBAuthenticator.cpp, line 31. (08004)
    Log1
    [43030] : Oracle BI Server (64-bit) started. Version: 10.1.3.4.0.080726.1900.
    2012-03-29 14:31:40
    [16020] Metadata Database Type: Oracle 10g R2
    Data Source Name: PRODLI1
    Data Source Type: Oracle Database 11g Enterprise Edition Release 11.1.0.7.0 - 64b
    2012-03-29 14:31:40
    [46036] Internal Assertion: Condition dbIDs.size() == 1, file server/Metadata/Security/Src/SSDBAuthenticator.cpp, line 31.
    Saw Log
    Type: Error
    Severity: 40
    Time: Thu Mar 29 15:00:29 2012
    File: project/webodbcaccess/odbcconnectionimpl.cpp Line: 371
    Properties: ConnId-1,1;ThreadID-3856
    Location:
    saw.odbc.connection.open
    saw.connectionPool.getConnection
    saw.threadPool
    saw.threads
    Odbc driver returned an error (SQLDriverConnectW).
    State: 08004. Code: 2718234696. [NQODBC] [SQL_STATE: 08004] [nQSError: 10018] Access for the requested connection is refused.
    [nQSError: 46036] Internal Assertion: Condition dbIDs.size() == 1, file server/Metadata/Security/Src/SSDBAuthenticator.cpp, line 31. (08004)

    Hi satya,
    thank for your cooperation and help.
    I checked:
    1. Go --> settings--> Administrator--> Manage privilege--> access dashboard--> give permission everyone Fullcontrol.
    It's O.K., same for access answers and deliveries
    1. Are you created users in your rpd?
    YES in rpd file in security manager "users", "groups"
    2. which security are you implemented?
    catalog object security
    Object Level security by creating catalog groups
    3. Are you changed any thing object level.
    No.
    I tried to create one new user "test" but I am not able to connect to application
    I also tried to set one user to Administrators group in repository, reload BI, but without any success :-(

Maybe you are looking for

  • Material master data and Asset

    Hello Guys Considering the every material master data that I am buying will end up been an Asset in my company. I would like to know how can I alredy related the material master data that I am creating with a possible hierarchy to make it esier at th

  • Can't create 11x17 pdf.

    Hello......I'm trying to convert a Microsoft Publisher 11x17 document into a pdf and when I receive my document after conversion it is divided into three pages. Before conversion I edit preferences and select Tabloid but I still am not getting my doc

  • Delete button not working on the desktop

    Hello There, I am a new mac user. I don't know but for some reason, delete button on the desktop is not working, i.e. if I want to delete something I have to right click and then select "move to trash", is there are workaround for that, or it is like

  • How to divide SAPS when having two instances on same host

    Hello I wander how to divide SAPS when having two instances on same host. By looking at st06? Thank you in advance

  • Error when I try to access to "Payables Business Intelligent" Tab

    Hi everyone, sorry but I´m new in Fusion Aplications, When i try to access  to "Payables Business Intelligent" Tab I get this error: Details when Click in "Analyze" Thanks for any comments.