Row-level Security Filters applied to Columns and Tables only? no Areas?
Good day all,
Just quick question (obiee 10.3.3.2) - Is there a way to edit row-level security using Whole subject areas (instead of bringing in the individual Fact tables and applying filters by copying/pasting them).
Follow up question - if I have nested facts in presentation layer (ones preceding with "-" - do I specifically add them to conditions, or would they be inherited by only including parent fact)?
Thanks!
Message was edited by:
wildmight
I'm not sure how that would help; by using the Faculty_ID Session Variable I can identify the CRN and Term of all courses a faculty member is teaching. But I don't think that has to do with the problem I am having?
Similar Messages
-
How To Setup User Row Level Security In Answers From Values In Table
I am trying to setup row level security when a user logs into BI Answers. Basically I want the user to create any report that they would like but only see the data that they are associated to being retrieved in the Answer Report results. I have users stored in an Oracle authentication table where they have multiple values for schools that they can view. I have data in my RPD file that contain tables with multiple rows for schools. What I would like is to capture the associated school values for the user logged into BI Answers and place a filter on the data being retrieved in the RPD file to only show rows for the user's associated schools. Can I add a WHERE clause on the Business Model and Mapping layer of the RPD that would retrieve the multiple associated schools in my authentication table and filter/match them (IN clause maybe) to the school values in the RPD data being retrieved?
Thank you in advance for any information you my have to help me along,
KyleTurribeach,
I appologize, I did not use those exact words to search on in the forum. I should have and what I did use didn't turn anything up for my situation.
Thank you for the link. It helped me find the below link which describes the setup in detail and resolved my issue:
http://oraclebizint.wordpress.com/2008/06/30/oracle-bi-ee-1013332-row-level-security-and-row-wise-intialized-session-variables/
What I needed was a row-wise variable/initialization block that stored the multiple school values for my logged in user. I then edited the "Content" tab of the Logical Table Source with a WHERE/IN clause that filtered down the result set based on my variable/initialization block SQL query.
This solution works great!
Thanks again! -
Row Level Security Not working for the ECC table.
Hi All,
We have created a crystal report using SQL Driver.
We have set the row level security on PA0001 table so that we can restrict the query based on Company Code.
But when I run the report, it bypasses the row level security and gives access.
Am I missing some configuration?Hi Ingo,
Security is set up using /crystal/rls transaction. A custom auth object is used for checking the company code with a single field "BUKRS".
This custom auth object is maintained for the PA0001 table.
This object is added at the role level with the restricted access to the Company Code.. -
Row level Security for BI Author Role
Hi All,
We are using OBIEE 11.1.1.5 in our project. We have a requirement where we need to configure row level security on certain column.
We are currently using external table and session variable approach to configure this. This security works fine for the users with BI Consumer
roles. But we are facing issue with configuring row level security for BI Author role.
BI Author can create any analysis in BI Answers and suppose he/she creates a report which does not contain the column on which row level
security is applied than he can see all the data. For eg.
We have one dimension Products having two levels Product Division and Brand. I want to configure security based on Product Division column.
But if BI Author create a report with only Brand and Measures than row level security is not working.
Does anyone has face this issue before.
Please let me know if you want any other information from my side.
Regards,
VikasIf you are using a multidimensional cube you can use the "permit" command to control access to dimension members or provide cell level security within the cube. The OLAP database documentation provides on how to use the PERMIT command.
If you are using relational tables and/or views with additional CWM metadata mapped using OEM then you need to refer to the database documentation relating to Virtual Private Databases and Label Security
Business Intelligence Beans Product Management Team
Oracle Corporation -
How to implement row level security?
Hi all,
There is a database which is for 3 companies to use it and how to use row level security to make sure that they can only manipluate their own data? For example, "employee" table, for each company they just can see their own employees information. How to use dynamic view to do it?
Many Thanks
AmyHere are two options to achieve what you want.
A. You can do this by coding, that's if you are ready to. Are you? If yes then try the steps below:
1. create a security codes table. Say for example
001 - company a
002 - company b
2. create a security table that will list all users and which company they should have access to. You can also implement this by roles.
3. alter all tables in the application schema to add a security code column. This will be a foreign key reference to table created in 1 above.
4. update all data in the tables according to which company they belong to.
5. write a procedure or package that does a validity check whenever a user requests for data. This procedure/package determines which company data the user has access/rights to.
With this, you should be able to achieve what you want if you do not want to spend on VPD and FGAC. The problem comes where there are users who would have cross access to data from both companies. In this regard, then you have to modify your security table a little bit to handle this.
B. This option i will admit is not so clean. You can also achieve this by two different views for every table in the application schema. And on each of these views, create a private synonym for every user. For illustration purposes:
Table name = Employee.
Create a view employee_a on employee
create a view employee_b on employee
Let's say you have users x and y. X has access to employees of company a and y has access to employees of company b. You can now create private synonyms for each of these users as follows:
create synonym employee on employee_a in x schema.
create synonym employee on employee_b on y schema.
This i have not tried but believe should work.
Hope one of these options serve your purpose. -
Row-level security(VPD) problem
Hi,
ADF BC, Jdeveloper 11.1.1.3.0
We want to implement Row-level security in ADF by VPD, and do following:
1, create VPD policy according to the following sample
http://www.oracle.com/webfolder/technetwork/tutorials/obe/db/10g/r2/prod/security/vpd/vpd_otn.htm
2, Override prepareSession(), and set user info by dbms_application_info.set_client_info; in policy function get the user info, and implement filter logic.
The confusing problem is: When first user login, data has been filtered right. But, when the second user or third user login, it gets the first user's data.
We also use SQL Trace, and find the second user's operation(SQL) are not recorded in SQL trace file, the view object may not query database. We test clearCache(), viewCriteria with 'Query Execution Mode: Database', and etc, but can not solve the problem.
I appreciate your suggestion.
thanksSo how did you tell Weblogic not to cache the SQL statement? I will be using VPD in a new application, and I definitely want to avoid the problem you had.
-
Row level security in Xcelsius through scheduled reports?
Hi Experts,
Our requirement is to implement row level security in Xcelsius dashboards from SAP BW source through Bex queries which would have authorization variables. We have seen that these Bex authorization variables work in Webi reports and security is applied appropriately. But do they work in upto Xcelsius as well, if we use Live Office Parameter binding option? If it does, then do we need to create prompts agian in Webi?
We have also seen that security is applied if we use the BICS (SAP Netweaver native connectivity) option. However our objective is to schedule as many reports as possible in the dashboard to save on report refresh time at run-time, which is not possible is BICS or QAAWS. Therefore the best option for us would have been if we could apply row level security on scheduled reports.
Can you please advise on the best approach? Your help is greatly appreciated.
Thanks,
SougataSince you are using BEx queries as data sources authorization variables is the only way to apply row level security. This will work fine also for XCelsius dashboards that run in the InfoView (in an SAP logon context eg. when the user uses it's SAP credentials to login into the InfoView) and fetch data on-demand over LO from your WebI reports. Just make sure that the underlying webi reports are set to use SSO.
If you are using scheduled report instances no row level security is applied depending on the context of the user that started the dashboard. XCelsius will get the data that have been saved in the instances. In this case the row level security has been already applied at the moment the report instance was created BUT for the user who scheduled the reports to run.
Regards,
Stratos -
Suggestion required for using row level security
We have a scenario to provide row level security to some of the transaction tables like HR_EMPLOYEE which has a foreign key column DEPT_ID to HR_DEPARTMENTS table. This table may grow up to about 5 million records. There could be regular SELECT operations on this table and not so frequent UPDATES compared to the SELECT operation.
We were looking at the following approaches...
Table :
HR_EMPLOYEE
EMPNO
DEPT_ID
LAST_NAME
FIRST_NAME
1. Enable Oracle Label Security policy on this table and use static predicates.
In this approach we add the OLS policy column (POLICY_COLUMN) and add predicate to access data.
e.g. we will be giving access to global data by predicate like
OR POLICY_COLUMN =CHAR_TO_LABEL('POLICY_NAME','C::DEPT1')
where C::DEPT is the OLS Label
2. Using VPD policy. We donot add any column, instead use the existing column DEPT_ID to provide row label security. In this approach the DEPT_ID is to be compared against an additional table and DOMINATES function will be used to verify the permission for the user to access the data.
e.g. In this approach, the policy function is like
'DOMINATES(char_to_label(''POLICY_NAME'', SA_SESSION.LABEL(''POLICY_NAME''))
,char_to_label(''POLICY_NAME'', POLICY_PKG.GET_LABEL_FROM_DEPTID(DEPT_ID))) = 1'
The GET_LABEL_FROM_DEPTID function returns the OLS label for the corresponding department. This is compared with the user's session label and appropriate rows are given access.
Can someone suggest on which of the above approaches is more performance effective considering the number of records and the additional OLS column added to the table.Hi there,
would you be able to describe as detailed as possible what you want to achieve? From my first glimpse at your code, it seems as if you are using both OLS and VPD in a rather extraordinary way.
Best, Peter -
Universe row level security workiing in main report but not subreports
I have a report with a couple of sub reports that are running against a universe with row level security. The security works in the main report but when the sub reports run, the security is missing. The report is running through BOE, CR XI R2. Is there something Im missing...? Being new to BOE...
Hi Michael,
I am sure the Sub-report is also based on Universe.
Try to create query with atleast one object/column coming from table on which row level security is applied in universe.
Hope this will solve the problem.
Thanks,
Sushil -
ADFBC 10.1.3.3 Row Level Security
Hello.
Till now, we have implemented Row Level Security through a database function, and using this function in all our view objects where clause.
We would like to remove this database function, and implement this kind of security with ADFBC. Is this possible ? VPD is not an option. We are trying to make our product database independent.
In general terms, we would need to check some conditions before creating the viewObjects rowset. I believe ADFBC does provide us with a mechanism to achieve this, but I'm not aware of how to do it.
Any help would be great.
Thanks a lot.
JohnThanks for the response Frank.
Our row level security is if a certain user, has the rights to view a specific database row. We have all this security mapped to the database. Today we have a database function that receives some parameters (to identify which entity usecase is beeing queried) and returns yes or no, depending on the user rights.
I'm not sure how to achieve this using the RowImpl class. It's my understanding that this a rowImpl class is always created when checking the row from the view object (hasNext() for example). But how do I fetch the current row, check if the user has the rights to view this row and return the fully filled row, or if he doesn't have access to this row, I would need to remove this row from the rowset. Is it possible to do this, just by implementing the rowimpl class of my View Object ? If so, which methods should I override to achieve this ?
Thanks again -
How to enforce row level security on MSAS Cube
We have to enforce row level security on MSAS Cube based on BOUSER.
We are using a security table which contains BOUSER ID and Location ID
We need help in joining the security table with MSAS Cube.
ThanksHI,
I haven't worked with cubes. But the will the knowledge I have in Universe, could probably help you.
As you already have a table which maintains BOUSERID and location id, you could probably join location id with MSAS cube id.
If you don't want to use this userdefined security table, you can use the inbuilt Row level security option.
Go to Tools -> Manage access REstrcitions --> Create a new restriction --> Rows tabe ---> give a expression with BOUSER
Hope this helps. -
Hy all, I'm new to Oracle and though i've google it a lot I didn't manage to find a solution to this problem:
I'm using sql developer and Oracle 10g.
I have this two tables :
CREATE TABLE HR_employees
(codHR NUMBER(3) CONSTRAINT pk_hr PRIMARY KEY,
coddep NUMBER(4) not null,
DB_user VARCHAR2(10),
and
CREATE TABLE Candid
(codcan NUMBER(2) CONSTRAINT PK_candidat PRIMARY KEY,
codHr NUMBER(3) NOT NULL,
CONSTRAINT FK_CODHR FOREIGN KEY (codHR) REFERENCES HR_employees (codHR) );
I tried to implement row level security on them by using two views:
CREATE OR REPLACE VIEW employees_v AS
SELECT * FROM hr_employees
WHERE DB_user = user
UNION
SELECT * FROM hr_employees
WHERE codhr=(SELECT codhr FROM hr_employees WHERE db_user=user );
AND coddep IN (4000,5000);
CREATE OR REPLACE VIEW candid_v AS
SELECT cand.*
FROM candid cand , hr_employees hr
WHERE cand.codhr= hr.codhr
AND hr.db_user=user
UNION
SELECT cand.* FROM candid cand, hr_employees hr
WHERE hr.coddep=(SELECT H.coddep FROM hr_employees H
WHERE H.db_user=user
AND H.coddep IN (4000,5000) );
What I want to do is to disconnect and connect with another user from SQL Developer and see different fields based on the user and the department, Sql developer doesn't seem to recognize the user connected to the database..everytime I receive a no row selected statement, only when I connect with SYS and put the actual username WHERE H.db_user='SYS' they seem to work. I have created the tables with SYS and granted Select on the views to the users, the users don't have privilegies on the actual tables.
Sorry for the bad english,it's a foreign language to me ,
I hope you can help meHi,
Damorgan is right: "Row level security has nothing to do with views" in the sense that the two are independent. You can have row-level security with or without views, and you can have views with or without row-level security. dbms_rls is a very useful and powerful way to implement row-level security, and you should check it out, but it's not necessarily the answer to all row-level security problems.
I'm not sure I understand your problem beyond the need to restrict user A's access to two tables.
If which rows user A is allowed to see depends on the results of queries from those same tables, including rows that user A is not allowed to see (that is, you need to do sub-queries with some other user's (let's call this user B's) privileges), then you can do those sub-queries in stored procedures.
Stored procuderes can run with the privileges of the procedure owner, regardless of who is calling them. Using a function called user_codhr owned by user B, you could define a view like this:
CREATE OR REPLACE VIEW employees_v AS
SELECT * FROM hr_employees
WHERE DB_user = user
OR ( codhr = user_codhr
AND coddep IN (4000,5000)
);If the results of the function will be the same throughout the session, you can call it once, at the beginning of your session, and save the results in a SYS_CONTEXT varaible or a global temporary table.
If you need more help, post a more detailed example of the problem, such as "With this data in the table, B should see all rows but A should see only ...". -
How to apply row level security against the database administrator
I would like an advice in applying row level security against the database administrator. We need to prevent DBA from editing data in some table rows or have any indication that data was corrupted.
There is no problem in viewing the data so we considered one way hash function or digital signature which will be stored in the same table, but we see following disadvantages:
HASH - DBA may use the same hash function to update the stored data after he changes the sensitive row.
Digital signature - the is a need to manage and keep the private key in a safe place outside of DB
Is there additional ways to achieve the aim?Does VPD helps to prevent from DBA to edit/view a data in specific rows?Yes.
If I correctly understand, DBA has full access to security policy used by VPD to control the access and can grant himself privileges that I don't want.You can to define which users can be exempt of the politics, for the context or by Grant EXEMPT.
This includes DBAs.
The simple fact of being DBA doesn't guarantee the exemption.
Everything goes to depend of the VPD config. -
Row Level Security using BO SDK - Dynamic Group and Criteria (where clauses)
To the Universe Gurus out there:
I have a rather daunting task of implementing a Row Level Security on a number of tables within our project using BO XI R2 SP2 with SQLServer 2005. Given the nature of the requirements around this (listed below), I am going to go with BO SDK to accomplish the creation of Restrictions. That said, I need some insight into some of the problem areas I have listed below. Any help is much appreciated.
Background:
We have 11 tables that are to be restricted.
Each table is accessible to potentially 1..* group of users only.
For eg SALES is accessible to ALL_SALES members only.
Each row within each table is accessible to 1..* groups of users only. The restriction will occur on 2 columns Jurisdiction and LineID on SALES table.
For eg
1)Rows with NY Jurisdiction and LineID=123 are accessible to NY_SALES_ADMIN group only initially.
2)NY_ADMIN will then approve that the above rows be open to NY_SALES_INTERNAL group only. This approval in turn will call upon the BO SDK to add a new restriction for the group with appropriate where clause.
3)At a later point, the above rows will be opened to NY_SALES_EXTERNAL group also.
This same concept holds good a number of jurisdiction (more or less static) and a dynamic number of LineIDs. So, if 10000 rows of data corresponding to new LineID 999 and Jurisdiction AK are in the table now, they are initially accessible only to AK_SALES_ADMIN group only. No one else should be able to access it.
Results:
1) With the way I laid out the business rules above, I am ending up with 528 groups.
2) There is a restriction created for a unique combination of Jurisdiction and LineID for each table.
Problems/Questions:
How can I restrict access to the new rows to one group only. I know that I can let a certain group only look at certain data but how can I restrict that all others cannot look at the same.
AK_SALES_ADMIN can look at LineID=999 and Jurisdiction='AK'.
Do I use an Everyone group based restriction? If so, my Everyone group will end up with tons of restrictions. How will they be resolved in terms of priority.
Am I even thinking of this the right way or is there a more noble way to do this?
Regardsthe connectinit setting should look something like this:
declare a date; begin vpd_setup('@VARIABLE('BOUSER')'); Commit; end;
The vpd_setup procedure (in Oracle) should look like this:
CREATE OR REPLACE procedure vpd_setup (p_user varchar)IS
BEGIN
DBMS_SESSION.set_vpd( 'SESSION_VALUES', 'USERID', p_user );
END vpd_setup;
Then you can retrieve the value of the context variable in your vpd functions
and set the vpd. -
How To Apply Row level security ??
Hi all,
I want to apply row level security on one of my custom objects created in PO schema in R12. How to do that??
Thanks and Regards
RajThank You Gaurav
--Raj
Maybe you are looking for
-
DVD Burn fails (Error code 0x80020022), newish drive, just applied updates
Hello, when i try to burn a data dvd with a variety of files from finder on my power mac g5 it thinks a while and then fails with the message: Burning the disc failed because communication to the disc drive failed (Error code 0x80020022) I just downl
-
How do I make a submit button that sends the form to an email address?
I can see how to link to an email which then opens up an email someone could attach the form to. But I do not see how to make a button that automatically sends the form to an email address. Can someone provide assistance? Thanks!
-
HT1364 My library just disappeared... Help!
I had about 17,000 songs in my iTunes library. A while back I added an external drive, then later another. I had some music on my C drive, some on one external drive, and more on a second external drive. Recently I had to empty my library and reload
-
I Have received an email like this twice now and have tried to update my details but still been unsuccessful. Am just wondering if this is actually apple or a scam? Please help!
-
How, and which abode flash player do you install in macbook pro : mac os x version 10.7.2
How, and which abobe flashplayer do you use with Macbook pro : Mac os x version 10.7.2