Row level security in Hyperion System 9 - 9.3.1

Hi Gurus,
I have a requirement where the users get to see records in a table based on their localization code. This is currently implemented using views.
The view has a set of conditions which checks the localization table with te employee table. For example, if any of the first manager, second manager etc.. localization code
matches then they get to see records for that location.
The RLS in Hyperion uses Groups to assign security rules. But in my case, the determination is dynamic based on the localization code. And these things change depending on employee movement, transfer, promotion etc..
In such a scenario, can I use RLS only if I know a set Groups of users and where they belong to? Can RLS accomodate my above said requirement?
z

Follow the steps in the following link to set up OID and Row level security:
http://www.rittmanmead.com/2007/05/21/using-initialization-blocks-with-ldap-and-database-queries-to-control-authentication-and-authorization/
Instructions for the link above:
1.In place of Edit Data Source as database you have to select LDAP,define the groups and default initializer as filter expression.
2.A more simpler approach ,is to create the groups explicitely using the Security Manager in BI Administrator, add filters to those groups, and assign users to those groups.
Otherwise follow Matt's view
Thanks,
Amrita

Similar Messages

  • Tips on Implementing Row Level Security

    Dear All,I am currently trying to implement row level security in Hyperion Intelligent version 8.2. The user guide is straight forward on explaining the steps. However, when I tried it, the row level security does not filter the information at all eventhough I have set the row level security setting in System Administration. Is there Anyone who can share their problems and experience when implementing row level security in Hyperion Intelligent version 8?Regards,Ricky

    I don't believe you need the bqy file anymore, as you set up the ODBC to connect to the database of the EPM Workspace since it contains the 3 tables (BRIOSECG, BRIOSECP, BRIOSECR).
    (I don't have an EPM instance with IR installed to check currently).
    Note: from the docs quoted earlier:
    If you want to implement row-level security in Reporting and Analysis, keep these points in mind:
    At least one Hyperion Interactive Reporting Data Access Service instance must be configured to access the data source storing your row-level security information.
    The database client library should be installed on the computer where the Hyperion Interactive Reporting Data Access Service is running.
    The data source for the Reporting and Analysis repository that has the row-level security table information should be configured.
    For security reasons, the user name and password to access the data source should differ from that used for the Reporting and Analysis user account.
    Regards, Iain

  • Row level security in BI Publisher

    Hi All ,
    I am using BI publisher for reporting on Siebel system.The issue I am facing is regarding row level security.Even if I am logging with Employee Id, when I generate report ,I have acess to all the information of the other employees.
    e.g. If as a cashier I made some entry , when I generate report on collection made by me, its bringing me all the collections made by other cashiers also.
    I am generating these report from siebel side.I am not sure if we can apply the rowlevel security to BI Publisher.
    Does anyone has used Siebel or EBS with BI Publisher and have row level security ? I am also not sure How to see the reports by loging into BI Publisher .If I am using Siebel or EBS, what is going to be my Data Model or Data Set.
    Can anyone help me on this?
    Thanks!!

    Oracle HRMS has its own security built-in to the schemas. Other modules you will need to customize for your own use.

  • Setting up Row Level Security in EPM 11.1.1.3

    I have been following the Administration guide but failed to setup row level security in EPM 11.1. Please advise which part of my steps are wrong. (note I am using MS SQL Server for the EPM Shared Services and Workspace database, everything under Windows env)
    i) Enable row level security in Workspace.
    Step 1) Define a ODBC Data Source named "EPM_WS" in Windows. The ODBC Data Source points to the MS SQL Server database of EPM Workspace since it contains the 3 tables (BRIOSECG, BRIOSECP, BRIOSECR) related to row-level-security.
    Step 2) Login to workspace, select "Administer"->"Configuration Console". Edit "Interactive Reporting Data Access Services" and add a data source with ODBC->MS SQL Server -> "EPM_WS" as the name of datasource. Restart "Interactive Reporting Data Access Services".
    Step 3) Login to workspace, select "Administer"->"Row Level Security". Check "Enable Row Level Security", Choose ODBC->MS SQL Server-> fill in "EPM_WS" as Data Source Name"-> Provide correct user name and password. Click "Save Properties"
    Step 4) It always prompt "Server error setting the Connectivity. Recommended Action: Logoff and logon again. If problem persists contact your local security administrator."
    Any log I can inspect for the connectivity error?
    ii) Configure Row Level Security setting
    I know that for Hyperion IR, there is a file row_level_security.bqy comes with the installation. User can use this bqy file to configure the actual row level security setting. However, I cannot locate this bqy file in the EPM 11.1 installation. What is the proper step for setting up the row level security configuration?
    thank you very much.

    I have been following the Administration guide but failed to setup row level security in EPM 11.1. Please advise which part of my steps are wrong. (note I am using MS SQL Server for the EPM Shared Services and Workspace database, everything under Windows env)
    i) Enable row level security in Workspace.
    Step 1) Define a ODBC Data Source named "EPM_WS" in Windows. The ODBC Data Source points to the MS SQL Server database of EPM Workspace since it contains the 3 tables (BRIOSECG, BRIOSECP, BRIOSECR) related to row-level-security.
    Step 2) Login to workspace, select "Administer"->"Configuration Console". Edit "Interactive Reporting Data Access Services" and add a data source with ODBC->MS SQL Server -> "EPM_WS" as the name of datasource. Restart "Interactive Reporting Data Access Services".
    Step 3) Login to workspace, select "Administer"->"Row Level Security". Check "Enable Row Level Security", Choose ODBC->MS SQL Server-> fill in "EPM_WS" as Data Source Name"-> Provide correct user name and password. Click "Save Properties"
    Step 4) It always prompt "Server error setting the Connectivity. Recommended Action: Logoff and logon again. If problem persists contact your local security administrator."
    Any log I can inspect for the connectivity error?
    ii) Configure Row Level Security setting
    I know that for Hyperion IR, there is a file row_level_security.bqy comes with the installation. User can use this bqy file to configure the actual row level security setting. However, I cannot locate this bqy file in the EPM 11.1 installation. What is the proper step for setting up the row level security configuration?
    thank you very much.

  • Row level security with session variables, not a best practice?

    Hello,
    We are about to implement row level security in our BI project using OBIEE, and the solution we found most convenient for our requirement was to use session variables with initalization blocks.
    The problem is that this method is listed as a "non best practice" in the Oracle documentation.
    Alternative Security Administration Options - 11g Release 1 (11.1.1)
    (This appendix describes alternative security administration options included for backward compatibility with upgraded systems and are not considered a best practice.)
    Managing Session Variables
    System session variables obtain their values from initialization blocks and are used to authenticate Oracle Business Intelligence users against external sources such as LDAP servers or database tables. Every active BI Server session generates session variables and initializes them. Each session variable instance can be initialized to a different value. For more information about how session variable and initialization blocks are used by Oracle Business Intelligence, see "Using Variables in the Oracle BI Repository" in Oracle Fusion Middleware Metadata Repository Builder's Guide for Oracle Business Intelligence Enterprise Edition.
    How confusing... what is the best practice then?
    Thank you for your help.
    Joao Moreira

    authenticating / authorizing part is take care by weblogic and then USER variable initialized and you may use it for any initblocks for security.
    Init block for authenticating / authorizing and session variables are different, i guess you are mixing both.

  • Implement row-level security using Oracleu2019s Virtual Private Databases (VPD)

    Environment: Business Objects XI R2; Oracle 10g
    Functional Requirement:
    Implement row-level security using Oracleu2019s Virtual Private Databases (VPD) technology. The restriction is that the Business Objects Universe connection should use a generic/u201Capplicationu201D database user account. This will allow the organization to avoid the situation where the Business Objects password and the Oracle password need to be kept in synch.
    What do we need from the Business Objects support team?
    1.     Review the 2 attempted solutions that we have tried to implement
    2.     Propose solutions/answers to open questions for each of the attempted solutions
    3.     Propose any alternate solution that will help us implement the Function Requirement stated above
    Attempted Solution 1: Connection String uses Oracle Proxy User
    The connection string that is specified in the Universe is the following:
    app_user[end_user]/app_user_pwdarrobaDatabase.WORLD
    app_user = generic application user
    end_user = the oracle account of the end user which is set using arrobaVariable('BOUSER') app_user_pwd = password of the generic application user
    We have tried and implemented this in our test environment. However, we have some questions and concerns around how the connections are reused in a connection pool environment.
    Open Question for Solution 1:
    i. What happens when multiple proxy users try to connect on at the same time?  Business Objects shares the generic app_user connect string.  However, every user that logs on will have their own unique proxy user credentials.  Will there be any contention involved?  If so, what kind of errors can we expect?
    ii. If a user logs on using his credentials (proxy user), and business objects opens up a connection to the database using that user's credentials (as the proxy user but logging in through the generic app user). Then the user exits out --> based on our test today, it seems like the database connection remains open.  In that case, if another user logs on similarly with their credentials, will business objects simply assign the first users connection to that second user?  If so, then our security will not work.  Is there a way that Business Objects can somehow ensure that everytime we close a report, the connection is also terminated both at the BO and DB levels?
    iii. Our 3rd question is general high level -> How connection pooling works in general and how it is implemented in BO, i.e. how are new connections assigned, how are they recycled, how are they closed, etc.
    Attempted Solution 2: Using the ConnectInit parameter
    Reading through a couple of the Business Objects documents, it states that u201CUsing the ConnectInit parameter it is possible to send commands to the database when opening the session which can be used to set database specific parameters used for optimization.u201D
    Therefore, we tried to set the parameter in the Universe using several different options:
    ConnectInit = BEGIN SYSTEM.prc_logon('arrobaVARIABLE('BOUSER')'); COMMIT; END; ConnectInit = BEGIN DBMS_SESSION.SET_IDENTIFIER('arrobaVariable('BOUSER')'); COMMIT; END;
    Neither of the above iterations or any variation of that seemed to work. It seems that the variable is not being set or being u201Cexecutedu201D on the database.
    One of the Business Objects documents had stated that Patch ID 38, 977, 350 must be installed in our BO environments. We have verified that this patch has been applied on our system.
    Open Questions for Solution 2:
    How do we get the parameter ConnectInit to work? i.e. what is the proper syntax to enter and what other things do we need to check to get this to work.
    Note: Arroba word is being used instead of the symbol in order to avoid following error message:
    We are sorry but your message can not be posted since you have included an email address. Please remove the email address and re-post.

    the connectinit setting should look something like this:
    declare a date; begin vpd_setup('@VARIABLE('BOUSER')'); Commit; end;
    The vpd_setup procedure (in Oracle) should look like this:
    CREATE OR REPLACE procedure vpd_setup (p_user varchar)IS
    BEGIN
      DBMS_SESSION.set_vpd( 'SESSION_VALUES', 'USERID', p_user );
    END vpd_setup;
    Then you can retrieve the value of the context variable in your vpd functions
    and set the vpd.

  • Parent-child hierarcy - row level security

    Hi,
    Im using OBI 11.1.1.5 and have a problem about row-level security in parent-child dimension.
    I have created a parent-child dimension, simlar to:
    a1
    --a1.1
    ----a1.1.1
    ----a1.1.2
    --a1.2
    ----a1.2.1
    By using a session variable 'SESVAR1', I want to restrict the visible hierarcy. For instance user 'a1.1' should only see:
    a1.1
    --a1.1.1
    --a1.1.2
    To do this I created a parent-child closure table with the whole dataset. Then I created a physical table using select statement with my session variable in repository. Whenever I viewed data in repository, it showed the correct set.
    I created a parent-child dimension, using the original parent-child closure table. But since current distance values are different from the original hierarcy, I can not managed to build a security such a security system with this method.
    How can I build a security system, that a member can only see its child hierarchy only?
    Thanks for answers and links...
    Edited by: user4516917 on 16.Nis.2012 06:54
    Edited by: user4516917 on 16.Nis.2012 06:55

    According to searches I made in support.oracle and google, it seems that it is not possible to view just a branch of a parent-child tree. Because the closure table is static. Therefore, you can not change the distances of objects dynamically.
    This parent-child ability is very frustrating for me. As I understand, parent-child dimension ability can only be used in read-only sources. Any filtering or dynamic changes does not seem possible in this structure. Any changes on parent-child table requires parent-child relation table to be rebuilt.
    I couldnt find any functionality of indexcol or choose functions in parent-child dimensions. I think they can only be used in level based dimensions.
    Any comments appriciated..

  • Help with implementing Row Level Security in Interactive Reporting

    We're deploying Hyperion BI+ 9.3.1, using Workspace and Interactive Reporting. I'm researching how we can use the Workspace row level security option. I've read what's available for documentation in the Workspace Administrator Guide and the Interactive Reporting Users Guide. I understand the concept of setting up rules with row_level_security.bqy, but I'm confused about where these tables should go and what actually happens when I go to Workspace > Administrator > Row Level Security and turn it on.
    The Administrator's Guide tells me the "properties" are stored in the repository, but the "rules" are in the "data source". Does that mean my BRIOSEC* tables go in the database I'm running my reports from? If so, then what's the data source I'm filling in on Workspace > Administrator > Row Level Security?
    I have many different database connections going to different Oracle and SQL*Plus instances, and I don't want to apply row level security to all of them. How does Workspace tell the difference between them? If I enable rules but create a report from a database that doesn't have rules defined for it, what happens?

    The 3 tables used with the RLS are stored in the same schema as your repository by default.
    The RLS store all the Rules for any database that you are using.
    You define the rules based on the tablename (owner.tablename) and the column name.

  • Crystal Reports - ECC Tables - Row level security on Multiple tables

    Hi Experts,
    We are implementing Crystal Reports directly reporting on ECC Tables.  Lot of information on row-level security has been provided by experts Ingo Hilgefort, Don Williamsand Mike Seblani, but not related to multiple tables or Wild cards
    Requirement:
    Crystal Users should have access to ALL the tables in ECC, but restricted by Company code, plant, Sales Organization, Purchasing Organization fields to what ever table it applies to. Example: MARC table should be restricted by Plant, BSEG table should be restricted by Plant and company code, GLT0 table should be restricted by Company code..etc
    Users should ONLY see their Organization related data.
    Solution Developed:
    1. We created custom authorization object with BUKRS and WERKS
    2. In  /CRYSTAL/RLS  we used Wild Cards *, +  rather than specific table  and referenced the custom authorization object with =BUKRS and =WERKS  in the Field Value
    3. Enabled global lock
    4. Custom Authorization object was added to user-profiles with corresponding restrictions
    *Observation:*
    1. This security works when a crystal report was developed on a ECC table which has both BUKRS and WERKS
    2. This setup DOES NOT work when a crystal report developed on a table with either one of BUKRS or WERKS
        Example: Does not work on MARC table - error message "Database connection error: /CRYSTAL/OSQL_EXECUTE_QUERY Message: field T0~BUKRS" unknown"
       Does not work on GLT0 table - error message "Database connection error: /CRYSTAL/OSQL_EXECUTE_QUERY Message: field T0~WERKS unknown"
    Trouble Shooting:
    In the "where clause" of the internal ABAP code generated for MARC, system is checking for BUKRS - which  should not be the expected result
    ANYTHING WRONG IN THE SECURITY SETUP ? PLEASE ADVICE
    Note: Document "BusinessObjects XI Release 2, Integration Kit for SAP, Installation Guide" does not talk much about this multiple table restriction. Any other document to be referred to ?

    I'm not sure how that would help; by using the Faculty_ID Session Variable I can identify the CRN and Term of all courses a faculty member is teaching. But I don't think that has to do with the problem I am having?

  • Row-level security at the Database level

    We need Row-level security at the Database level, where the user who logs in to Crystal reports, should be able to fetch only those rows from the database that he is entitled to see. For this, the login name of the user is passed to a stored procedure which sets the context of the DB session and restricts the data retrieved.
    We are not looking for row-level security where the data is first retrieved and then filtered based on the user login name. However, we are definitely looking for a way to set a context for a database session based on the user login name, even before we start fetching data. So effectively, the user who logs in will fetch only those rows which he is supposed to see.
    Issue:
    We face a problem of not being able to pass a variable (something like 'BOUSER' for BO which works, whereas, 'CurrentCEUserName' for Crystal Reports, which doesn't work), to the database stored procedure to set the context.
    Please let us know if we can use 'CurrentCEUserName' variable in Crystal in the same way as 'BOUSER' is used in ConnectInit for BO? We would like to know how we could pass any variable in Crystal Reports which holds the user login information to a stored procedure.
    Also, please suggest alternate ways to achieve this security restriction, if any.

    Hi
    A previous database had a personnel table with their station name, district and region, with a field holding their logon name.  We also had an activity table with the fields referring to the activity, and a field of Station, district and region it occured in.
    By linking the individual rows in an activity table to the personnel table on the station name field, we then used the CurrentCEUserName to filter on the personnel.  This returned only the records in the activity table where the station the activity took place at was the same as the station associated with the selected personnel who has logged on.
    The additional bonus was if we linked it on District or region we had the same result but at a greater level. ie all activity in the logged on personell's District or if linked on region, then their region.
    The personnel table was maintained by the system administrators, so maintenance was low.
    I hope this helps.
    Kevin

  • SAP-BO SSO and Row Level Security

    Hi,
    We can configure the SAP authentication and able to login InfoView via SAP user name and password. And also, we can import the roles from the SAP system.
    When we create a connection to BW cubes from designer, we want to use "Use Single Sign On when refreshing reports at view time" to apply row-level security which is defined at the BW cubes.
    In our tests, we use "Use BusinessObjects credential mapping" while creating connection from designer to test the row level security. As you can guess, after importing the SAP user, in CMC screen > Users and Groups > Users, we manually enter the password of the user to the Database credentials part. However, as you can guess, the password of the user's is not static and that is not a good solution.
    My question is that, do I need to configure SSO between SAP and BO system or how can I enable row level security?
    System Information
    Business Objects XI 3.1
    SAP Intg. Kit 3.1
    Thanks a lot,
    Omer

    Hi Omer,
    please note that only row-level security implemented through authorization variables in BW queries can be used in BusinessObjects. Row-level security defined at cube level will not be applied.
    As long as you have used the SAP authentication to log on your BOBJ server, the SAP credentials will be used automatically to get the data from your SAP BW source as long as the "Use Single Sign On when refreshing reports at view time" option  is selected in the Database configuration panel (Found in the CMC when viewing the properties of your report) and the option "Use BusinessObjects credential mapping" is selected in your universe connection.
    Please note that this will only work for reports that are invoked directly in the infoview. If a user schedules such a report, she/he has to enter her/his SAP credentials explicitely in the Database Configuration Panel appearing in the scheduling assistant window. In this case you can activate SNC trust between your two servers in order to avoid entering a password when the report is scheduled.
    Regards,
    Stratos
    Edited by: Efstratios Karaivazoglou on May 5, 2009 10:16 AM
    Edited by: Efstratios Karaivazoglou on May 5, 2009 10:23 AM

  • Brio Version 6.5.2 row level security

    Does anyone have any suggestions on implementing row level security through the ODS portion of Brio 6.5.2, I know it is built in to the new hyperion intelligence server but can it be implemented with the older brio product?

    Another popular option is to build a table that has all the ODS users in it and another column that has the value you wish to limit i.e. customer number. You can then as part of document scripts capture the ODSUserName and populate it into the all queries. The downside to this is that you must include this new table and the limit in all of your queries.On a side note I would look at upgrading to the HPS 8 platform. The newest version that will be out in February 8.2 has some incredible stuff in it and has fixed the major issues in the previous releases of 8.

  • Row Level Security not working for SAP R/3

    Hi Guys
    We have an environment where the details are as mentioned below:
    1. Crystal Reports are created using Open SQL driver to extract data from SAP R/3 using the SAP Integration Kit.
    2. The SAP roles are imported in Business Objects CMC.
    3. Crystal Reports are published on the Enterprise as well.
    3. Authorization objects are created in SAP R/3 and added as required for the row level security as mentioned in the SAP Installation guide as well. The aim is when the user logs into the Infoview and refreshes the report he should only see data that he is meant to so through the authorization objects.The data security works very much fine when the reports are designed directly on the table but when the reports are built on the Business View it doesnt work hence the user is able to see all data.
    Any help in this issue is greatly appreciated.
    Thanks and Regards
    Kamal

    Hi,
    In order for row level security to work for you using the OpenSql driver, you need to configure the Security Definition Editor on your SAP server.  This is a server side tool which the Integration solution for SAP offers as a transport.
    This tool defined which tables are to be restricted based on authorizations.
    However since you are seeing the issue on reports based on Business Views, you need to identify whether the Business View is configured in such a way where the user refreshing the report is based on the user logging into Infoview.  If the connection to your SAP server is always established with the same user when BV is used then you security definition is pointless.
    You can confirm this by tracing your SAP server to identify what user is being used to logon to SAP to refresh the reports.
    thanks
    Mike

  • Row level security at universe design level

    Hi,
    I am creating a Universe layer on top of non SAP OLAP cube ( from MS Analysis Services 2005 ) .
    My concern is that can we maintain the row level or data level security at universe design level or if i am using that universe in creation of WEBI report so is there any possiblity to maintain this security at WEBI level.
    Regards,
    Mishra Vibhav.

    Thanks for the reply.
    Much Appriciated.
    My only concern is that i read in the Universe Designer developer guide that it does the row level security so can eloborate a bit about how we maintain at Universe level.
    Warm Regrads,
    Mishra Vibhav

  • How to check the row level security in TOAD for oracle

    Hi ,
    for ex, i have 2 types of users
    normal user and super user
    super user can see the group set (some column name) created by normal user
    but normal user can not see the set created by super user
    this set crestion aslso has 3 types "U','P',S'
    P & S can be viewed by even normal user
    but U should not
    so here we are having some row level security for the normal user .....
    So, in TOAD for oracle how to check that......
    Let me know if i'm not clear

    Like
    I'm the super user....
    And some records are inserted to a table by different users ('a' , 'b', etc....)
    So,if user 'a' logins then he can be able to see only the records inserted by 'a' only...
    how to see in TOAD where such type of scripts (filter conditions) are written.....

Maybe you are looking for

  • Error during copying of conditions in creating quantity contract

    Hi experts,             When am trying to create a condition based on the plant it is displaying an error message "Error during copying of conditions". Please let me know the solutions or any configuration is required. Regards, Sunil Kumar.

  • R3AD_SALESDO0004700962 in syafal status

    Hi all, While checking SMQ2 in CRM , we found R3AD_SALESDO0004700962 is sysfail status . We checked SMW01 transaction,found few bdocs are in E08(mapping error) state with error "A business transaction already exists with the number xxxxxxxxxx". Bdoc

  • Pivote table report dynamic month year

    Hi Gurus, I got a requirement to create an report such that it has to show the last 6 months of this year and pervious year month column with values. It is a trending report to see current 6 months and last year this month to show in one report only.

  • Shell command execution from HTMLDB

    I created a Java procedure for host calls on Unix environment, it seems to be working under sqlplus, the commands like "rc('/bin/mkdir /tmp/linkin);" works fine if used from within sqlplus but when executed from within html_db no directory is created

  • Safe way to cancel queries in dbxml shell utility?

    Is there a (safe) way of cancelling a query you're running in the dbxml shell? Because I'm using a throwaway test container I've gone and used Ctrl-C a couple of times but it exits the shell completely so may be leaving the open container in a mess.