Tiger vs. data security
I should make a few security settings on a Quad with 10.4.3 and I don't know how to make them...
1) A user is locked out for 30 minutes after 3 failed login attempts.
2) Users MUST change password every 180 days.
3) EVERY FW and USB devices must be mounted as readonly. (External drives, pendrives, iPods, etc.)
With Simple Finder I can disable all mounts, but it's not good, because they must be mounted.
The Quad is alone, there is no other mac, no LDAP server, just windows machines. If I can solve this for them they might replace every pc to a mac...
Thanks for your time and help,
r.
I believe to have this type of control over users on the machine requires installing OS X Server as opposed to Client. The Server version includes management tools that are not available with OS X Client.
Similar Messages
-
Data security for multiple data sources
Dear BO gurus,
I have been struggling with a brainbreaker on authorizations on Universes for quite some time.
I am not a BO guru so hopefully someone can help me with this.
I (more or less) know the concept of data security in BO: users can be restricted on data level in (mainly) two ways:
1) with roles in CMC and with restrictions in Universe Designer.
OR
2) with a DB table that contains all authorized values per user and per field (i.e. John can see data for country UK)
The first is easy to set up, but hard to maintain.
The second is difficult to set up, but very flexible.
Now here is the problem...
Suppose your BO server is connected to different source systems (i.e. an SQL server, an Oracle server...) and you want only one universe to get data from all systems at the same time and display it in one report.
If I am not mistaken, this means we need a data federator.
...My questions:
1) Is there a possibility to do this without a data federator (but still have one universe to build my report or dashboard on)?
2) Where do I keep the table with authorizations for the users? Is that a database of the BO Enterprise server, a separate database, or in a table of one of the source systems (SQL, Oracle...)?
As this question has kept me busy for a long time, I would be very grateful to have your help.
It seems hard to find information on this.
Thanks a lot in advance!
UniverseDummy
1) Is there a possibility to do this without a data federator (but still have one universe to build my report or dashboard on)?
Apart from the Data Federator, you can either use an ETL tool to load your data into a single Datawarehouse or wait until XI 4.0.
2) Where do I keep the table with authorizations for the users? Is that a database of the BO Enterprise server, a separate database, or in a table of one of the source systems (SQL, Oracle...)?
If you are going to use the Data Federator then you can create the table in one of your source systems and add it as a data source in your DF project.
Regards,
Stratos -
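The second approach from the question (a table of authorized values per user and per field), sketched as an added example that is not from the thread: the table and column names are made up, SQLite stands in for the source database, and the user name is passed as a bound parameter where a reporting tool would supply the logged-in user.

```python
import sqlite3


def make_db():
    """Constructed sample data: a fact table plus the per-user authorization table."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE sales (country TEXT, amount INTEGER);
        INSERT INTO sales VALUES ('UK', 100), ('UK', 50), ('FR', 70), ('DE', 30);

        -- One row per (user, field, authorized value); '*' grants every value.
        CREATE TABLE user_auth (user_name TEXT, field TEXT, value TEXT);
        INSERT INTO user_auth VALUES
            ('john',  'country', 'UK'),
            ('mary',  'country', 'FR'),
            ('mary',  'country', 'DE'),
            ('admin', 'country', '*'),
            ('admin', 'country', 'UK');  -- overlapping grant, must not double-count
    """)
    return db


# EXISTS (rather than a join) keeps each fact row at most once, even when a
# user holds both a wildcard grant and an explicit grant for the same value.
RESTRICTED_SALES = """
    SELECT s.country, SUM(s.amount)
    FROM sales s
    WHERE EXISTS (SELECT 1
                  FROM user_auth a
                  WHERE a.user_name = ?
                    AND a.field = 'country'
                    AND a.value IN (s.country, '*'))
    GROUP BY s.country
    ORDER BY s.country
"""


def sales_for(db, user):
    """Rows the given user may see; a user with no user_auth rows sees nothing."""
    return db.execute(RESTRICTED_SALES, (user,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    for user in ("john", "mary", "admin", "guest"):
        print(user, sales_for(db, user))
```

Because the filter is driven by rows in `user_auth`, granting or revoking access is a data change and an unknown user is denied by default.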
OBIEE-EBS data security integration
Hi all,
I am trying to implement the HR-Org based data security in EBS-OBIEE integration.
After creating the initialization blocks EBS Single Sign-on Integration, Get Oracle EBS Security Context and Group-EBS Responsibility, I have created a new initialization block HR Organizations to populate the session variable "HR_ORG" and I am using the following query.
Even though the session variables GROUP and USER are getting their values correctly and integration works fine, the variable HR_ORG says "has no value definition".
[nQSError: 10058] A general error has occurred. [nQSError: 23006] The session variable, NQ_SESSION.HR_ORG, has no value definition. (HY000)
SQL Issued: SELECT "Per Business Groups"."Business Group Id", VALUEOF(NQ_SESSION.HR_ORG) FROM HR
Please help me for implementing the data security after the EBS-OBIEE integration..
For populating HR_ORG variable by row wise initialization:
SELECT DISTINCT 'HR_ORG', TO_CHAR(SEC_DET.ORGANIZATION_ID)
FROM
(
  -- organizations of the people in the security profile attached to the user's responsibilities
  SELECT
    'HR_ORG', ASG.ORGANIZATION_ID
  FROM
    FND_USER_RESP_GROUPS URP
    ,FND_USER USR
    ,PER_SECURITY_PROFILES PSEC
    ,PER_PERSON_LIST PER
    ,PER_ALL_ASSIGNMENTS_F ASG
  WHERE
    URP.START_DATE < TRUNC(SYSDATE)
    AND (CASE WHEN URP.END_DATE IS NULL THEN TRUNC(SYSDATE) ELSE TO_DATE(URP.END_DATE) END) >= TRUNC(SYSDATE)
    AND USR.USER_NAME = ':USER'
    AND USR.USER_ID = URP.USER_ID
    AND TRUNC(SYSDATE) BETWEEN URP.START_DATE AND NVL(URP.END_DATE, HR_GENERAL.END_OF_TIME)
    AND PSEC.SECURITY_PROFILE_ID = FND_PROFILE.VALUE_SPECIFIC('PER_SECURITY_PROFILE_ID', URP.USER_ID, URP.RESPONSIBILITY_ID, URP.RESPONSIBILITY_APPLICATION_ID)
    AND PER.SECURITY_PROFILE_ID = PSEC.SECURITY_PROFILE_ID
    AND PER.PERSON_ID = ASG.PERSON_ID
    AND TRUNC(SYSDATE) BETWEEN ASG.EFFECTIVE_START_DATE AND ASG.EFFECTIVE_END_DATE
    AND URP.RESPONSIBILITY_ID = DECODE(FND_GLOBAL.RESP_ID,
                                       -1, URP.RESPONSIBILITY_ID,
                                       NULL, URP.RESPONSIBILITY_ID,
                                       FND_GLOBAL.RESP_ID)
  UNION
  -- plus the organization of the user's own primary assignment
  SELECT DISTINCT 'HR_ORG',
    ORGANIZATION_ID
  FROM PER_ALL_ASSIGNMENTS_F ASG,
    FND_USER USR
  WHERE ASG.PERSON_ID = USR.EMPLOYEE_ID
    AND USR.USER_NAME = ':USER'
    AND TRUNC(SYSDATE) BETWEEN ASG.EFFECTIVE_START_DATE AND ASG.EFFECTIVE_END_DATE
    AND ASG.PRIMARY_FLAG = 'Y'
) SEC_DET
Thx!
Duplicate post, see Re: obiee-ebs data security integration
-
Data security (Data from SAP BW) for AD users
Hi All,
I have a scenario.
BO env : Business Objects 3.1 Sp3
Sap Integration kit Sp3
My target is to implement AD SSO & also provide data security for data from SAP BW. Currently there are no roles & authorization defined in the sap System. My plan was
Step 1:- Implement AD SSO in Business Objects
Step 2: Map the AD users in SAP system
Step 3:- Create roles in SAP System
Step 4:- Assign the users roles
Step 5:- (Not sure) :- Map the users (Now in SAP) to BO & then alias them with the users from AD.
Please let me know if this would be correct approach... if not please suggest.... I am kind of new to SAP BO integration with experience in BO admin
Step 1: Setup Windows AD SSO on your BOBJ server
Step 2: Import Windows AD groups in BO
Step 2- Setup Server-side SNC between BO and your SAP system
Step 3:- Create roles in SAP System and import them in BO
Step 4:- Assign SAP users the created roles
Step 5: - In the CMC create SAP aliases for your Windows AD accounts
Step 6: - Setup your reports and/or universe connections to use SSO.
For more information on server side SNC check the installation guide of the integration Kit.
Regards,
Stratos -
Using Data Security under Functional Developer / User Manager
Has anyone successfully carried out any Data Security policies in Oracle Apps? I would like to get details on this.
Thanks in advance.
Actually the other scripts on the http://www.petefinnigan.com/tools.htm site seem to do the trick where you can check for who has DBA and who has SELECT ANY TABLE.
The next question is .... what other privs should I be concerned with? Just want to make sure I am checking for all possibilities of access to a particular object.
-
In my MDB file databases (Jet 4.x format) I turn on both compression and encryption. This gives me data security from without, meaning, I can't open a MDB file in a Word Processing software (or otherwise) and read the data in a humanly recognized format. But I am also using MIMEbase64 encoding of my stored data so that the data is humanly unreadable from within - meaning that anyone performing an SQL query will not be able to humanly read the data in my database. I do the decoding (from MIMEbase64) within my end-user software interfaces to the databases.
I found out just recently (last few months) that I can do this from Win32 Perl, so I incorporated this feature into my Perl database applications. Only thing is that MIMEbase64 increases the size of the data stored.
Is there a better encoding strategy available today which might actually compress the data a little?
INSTRUCTIONS FOR SECURE/CUSTOM (non-formula based) TEXTFILE ENCODING (should be undecipherable w/o mappings file):
by Eric C. Hansen. You may freely use these encoding instructions, and the code I have provided, but please
acknowledge me as the author where credit is due - such as in a publication. And do not try to sell it.
However, any code I have provided you may freely use in any programs you write to be sold for your own profit,
except you may not attempt to sell this encoding scheme (or my code provided), as a generic encoding tool, for
general use, to be marketed as a turn-key custom encoding solution.
(1) Create a unique code list
Using the characters: A-Z a-z 0-9 only. That's 62 characters only.
62 (1 char codes) + 3844 (2 char codes) + 238,328 (3 char codes) = 242,234 total codes
62x1 + 62x62 + 62x62x62
REMINDS ME of my college Genetics course i.e. dominant/recessive trait inheritance tables
EXAMPLE CODES: a, k, 3c, A4, xy1, H8j
(2) Create a unique word(+punc) list from your textfile which is to be encoded. You know how to do this.
Example of 9 words(+punc) found between whitespace within a textfile input line:
"Hello", this is Mr. Bell-va-deer. My number is 999-342-8998.
1 2 3 4 5 6 7 8 9
PERL code for STEPS 3-7 is provided below. Code for STEP 1 above was previously provided.
You should have little trouble writing the textfile encode/decode logic yourself.
(3) Read your list of unique codes into an array.
(4) Read your list of unique words(+punc) into another array.
LOOP #-- 0 to number of elements in words array
(5) select a random code and a random word(+punc) from the 2 arrays.
(6) now remove that code and that word(+punc) from each array using "splice".
(7) then save them as key/val pairs to persistent Perl SDBM database files ("mappings").
END LOOP
(8) Once you have your persistent, random code/word mappings, you can convert your textfile
to an encoded textfile. Read in one line at a time from your textfile (chomp), parse the words(+punc.)
between whitespace within that line, then for each word(+punc) parsed, perform
the word-to-code mapping conversions by doing a lookup within the Perl SDBM database
file of key/val pairs, where KEY=word and VAL=code. You will then need to
concatenate these codes (space delimited) to your outputline, in the same order as found in your
inputline, finally writing the outputline (newline "\n" terminated) to your new encoded textfile.
(9) Keep your persistent Perl SDBM database file ("mappings") in SAFE KEEPING, with a naming
convention of your choice that perhaps hides any relationship to the name of
your encoded text document - which it specifically pertains to. But keep a record of that joint
relationship somewhere. Keep a copy of both the original textfile and the encoded textfile,
or perhaps you'd like to keep just the encoded textfile?, and not the original? You can always decode it.
(10) Send your encoded text document via email as an attachment, to the recipient of your choice.
(11) Upload your persistent Perl SDBM database "mappings" file to your secure login FTP download site.
NOTE: If your encoded text document is very large, you may want to reverse 10 & 11, putting the encoded file
on the FTP site, and sending the Perl SDBM database file ("mappings") as the email attachment.
(12) Call your recipient to see if they have received the encoded textfile, email attachment.
Let them know that the "mappings" file is uploaded for them to download from the FTP site.
You can have a LINGO you both use/know on the phone, to secretly convey this message, if you like,
to avoid possible interception of this sensitive information.
Recipient will then take the encoded textfile email attachment, the FTP downloaded "mappings" file,
and place them both in a directory on their PC where the Perl decoding program is located which you
had previously sent them to handle all the decoding anytime you send them an encoded textfile + "mappings".
Recipient will run the Perl decoding utility program to create the original textfile.
use Win32; #-- as you can see, I use a Windows O/S Perl distribution.
use IO::Handle;
use SDBM_File; #-- my understanding is this module comes standard with every Perl distribution
use Fcntl;
$PWD=Win32::GetCwd(); #-- get current working directory on Windows O/S platform.
srand; #-- random seeding initiated, do this just once at top.
@codesARR=(); @wordsARR=(); #-- initialize the arrays
print "working. please wait...\n\n";
#-- remove any mappings files left over from a previous run
unlink( "$PWD\\Project_0836_Mappings_CtoW.pag" )
    if (-e "$PWD\\Project_0836_Mappings_CtoW.pag" );
unlink( "$PWD\\Project_0836_Mappings_CtoW.dir" )
    if (-e "$PWD\\Project_0836_Mappings_CtoW.dir" );
unlink( "$PWD\\Project_0836_Mappings_WtoC.pag" )
    if (-e "$PWD\\Project_0836_Mappings_WtoC.pag" );
unlink( "$PWD\\Project_0836_Mappings_WtoC.dir" )
    if (-e "$PWD\\Project_0836_Mappings_WtoC.dir" );
unlink( "$PWD\\Project_0836_Mappings.txt" )
    if (-e "$PWD\\Project_0836_Mappings.txt" );
#-- STEP 3: read the list of unique codes into an array
$cnt1=0; $ret="Y";
open(CODES,"$PWD\\codes.txt") || do {$ret="N";};
if ($ret eq "N") {
    print "Codes input file not opened \n";
    sleep 5; die;
}
while (<CODES>) {
    chomp $_;
    $codesARR[$cnt1]=$_;
    $cnt1++;
}
print $cnt1 . " codes loaded\n\n";
close(CODES);
#-- STEP 4: read the list of unique words(+punc) into another array
$cnt2=0; $ret="Y";
open(WORDS,"$PWD\\words.txt") || do {$ret="N";};
if ($ret eq "N") {
    print "Words input file not opened \n";
    sleep 5; die;
}
while (<WORDS>) {
    chomp $_;
    $wordsARR[$cnt2]=$_;
    $cnt2++;
}
print $cnt2 . " words loaded\n\n";
close(WORDS);
sleep 3; #-- a little time to check on record counts loaded to both arrays
if (@codesARR < @wordsARR) { #-- every word needs its own code
    print "Not enough codes for the words loaded\n"; sleep 5; die;
}
tie( %Project_0836_Mappings_WtoC, "SDBM_File", '.\Project_0836_Mappings_WtoC', O_RDWR|O_CREAT, 0666 );
if (tied %Project_0836_Mappings_WtoC) {
    print "WtoC Hash/SDBM File are now tied\n\n";
} else {
    print "Could not tie WtoC Hash/SDBM File\n\n"; sleep 5; die;
}
tie( %Project_0836_Mappings_CtoW, "SDBM_File", '.\Project_0836_Mappings_CtoW', O_RDWR|O_CREAT, 0666 );
if (tied %Project_0836_Mappings_CtoW) {
    print "CtoW Hash/SDBM File are now tied\n\n";
} else {
    untie(%Project_0836_Mappings_WtoC); #-- close the successful tie made directly above
    print "Could not tie CtoW Hash/SDBM File\n\n"; sleep 5; die;
}
open (OUT,"> $PWD\\Project_0836_Mappings.txt");
OUT->autoflush(1);
$cnt2=$#wordsARR; #-- we do this because we will be removing elements from wordsARR
#-- STEPS 5-7: pair a random code with a random word until the words run out
for ($i=0; $i<=$cnt2; $i++) {
    $index = rand @codesARR; # get a random index from the codes array
    $code = $codesARR[$index]; # get the value of that array element
    splice(@codesARR,$index,1); # removes only this element from the codes array.
    $index = rand @wordsARR; # get a random index from the words array
    $word = $wordsARR[$index]; # get the value of that array element
    splice(@wordsARR,$index,1); # removes only this element from the words array.
    $Project_0836_Mappings_WtoC{$word}=$code; # key/value pair where: word is key, code is value
    $Project_0836_Mappings_CtoW{$code}=$word; # key/value pair where: code is key, word is value
}
print "Your Mappings have been created and saved to (.dir and .pag extension files)\n\n";
print OUT "Here are your Mappings you just created:\n\n";
foreach $key (keys %Project_0836_Mappings_WtoC) {
    print OUT "word=" . $key . " code=" . $Project_0836_Mappings_WtoC{$key} . "\n";
}
print OUT "##################################################\n";
foreach $key (keys %Project_0836_Mappings_CtoW) {
    print OUT "code=" . $key . " word=" . $Project_0836_Mappings_CtoW{$key} . "\n";
}
untie(%Project_0836_Mappings_WtoC); #-- now you have saved a persistent word/code mappings file
untie(%Project_0836_Mappings_CtoW); #-- now you have saved a persistent code/word mappings file
close(OUT);
print "Done. Goodbye!\n";
sleep 5;
exit;
-
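Step 8 of the post above, which it leaves to the reader, as an added example that is not the post's code: it uses Python with in-memory dictionaries in place of Perl and SDBM files, and all function names are made up. It also checks a property of the scheme worth knowing before relying on it: equal words always get equal codes, so the repetition pattern of the original text is still visible in the encoded file.

```python
import itertools
import random
import string

ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits  # 62 chars


def code_list(max_len=3):
    """Step 1: all codes of 1..max_len characters (62 + 62^2 + 62^3 by default)."""
    return ["".join(p)
            for n in range(1, max_len + 1)
            for p in itertools.product(ALPHABET, repeat=n)]


def build_mappings(text, codes, rng=None):
    """Steps 2-7: give every unique whitespace-delimited token a random unused code."""
    rng = rng or random.SystemRandom()
    words = sorted(set(text.split()))
    if len(words) > len(codes):
        raise ValueError("not enough codes for the unique words in the text")
    word_to_code = dict(zip(words, rng.sample(codes, len(words))))
    code_to_word = {code: word for word, code in word_to_code.items()}
    return word_to_code, code_to_word


def translate(text, mapping):
    """Step 8: map each token of each line; output tokens are space delimited."""
    return "\n".join(" ".join(mapping[tok] for tok in line.split())
                     for line in text.splitlines())


def repeat_pattern(text):
    """Number tokens by first appearance, e.g. 'a b a' -> [0, 1, 0]."""
    seen = {}
    return [seen.setdefault(tok, len(seen)) for tok in text.split()]


# Constructed sample; the first line is the example line from the post.
SAMPLE = ('"Hello", this is Mr. Bell-va-deer. My number is 999-342-8998.\n'
          'this number is not My number.')

if __name__ == "__main__":
    w2c, c2w = build_mappings(SAMPLE, code_list())
    encoded = translate(SAMPLE, w2c)
    print(encoded)
    print("round trip ok:", translate(encoded, c2w) == SAMPLE)
    print("repeat pattern preserved:",
          repeat_pattern(encoded) == repeat_pattern(SAMPLE))
```

Decoding restores the tokens but not the original run lengths of whitespace, since every line is re-joined with single spaces.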
Payment Card Industry Data Security Standards Requirement
We store credit card numbers in our CRM and ERP systems for billing
purposes. We use Delego software for credit card security. We also mask
the credit card numbers during display.
According to our interpretation of section 3 of the Payment Card
Industry (PCI) Data Security Standards, we understand that we can
retain cardholder data only as long as needed for business, legal,
and/or regulatory purposes. According to our compliance policy that
period is 3 years.
Hence we wish to replace all card numbers older than 3 years with dummy
card numbers. Since this requirement is mandated by the PCI-DSS, we
believe SAP should be supplying us means to accomplish this. Are there any programs delivered by SAP to modify card numbers? Has anybody come across such a requirement?
Hi Gina,
Did you find good information about PCI-DSS compliance topics with SAP from this forum? In particular we are looking at options to comply with requirement 11, File Integrity Monitoring.
We would appreciate any guidance.
Thank you, TMM -
Problem due to Ironport Data Security feature
We are using S160 (version 6.0.1-006) in forward mode and as soon as we enable Ironport Data Security feature the WSA stops responding after some time for few minutes and then starts processing http requests. This happens after every 5-10 mins. and ultimately we have to disable the Data security feature. Once the feature is disabled the WSA works smoothly. Please help......
Hi,
If you haven't already, I suggest opening a ticket with customer support.
Jennie -
Oracle BI (Siebel Analytics) / Data Warehouse Data Security
Hello,
We are implementing Oracle Siebel Analytics and Custom datawarehousing using Oracle 9i DB. I am interested to know if we can implement consistent data security model for different data marts. Means with one single data warehouse, I want to implement data security model or policies in one place and they are applied consistently across all of the datamarts.
1. Can we or Oracle support this kind of scenario?
2. If yes, what would be perfect model an example will be helpful, and if not what best approach is available to resolve this security model.
Any suggestion or help would be great.
Regards
Girish
Hi, Do you also get some other packages names that the error msg reports like ...
RPE-01012 Cannot deploy PL/SQL maps to the target schema because it is not owned by the Control Center and "SOME WRT.... package names" I think once did I face this and made sure that the repository user has some packages granted through OWBREPOS_OWNER/OWB_REPOS_OWNER to the user you are using to run the mapping.
Regards,
Mohammad Farhan Alam -
Data Security in OBIEE Repository
I applied Data Security in OBIEE Repository, created testuser and assigned to Test group. Applied security in the Test group for specific column using Logical Fact. When I login using the testuser I am not able to see the applied data filter in the Test Group. Am I missing anything?
Thanks in Advance
I tried but still I don't see the security filter. Do I need to configure my NQSconfigfile.ini? Security filter status in Repository is Enable. We implemented fragmentation in logical fact, anyway that shouldn't matter as per my guess.
-
Error after deploying vShield Data Security
After I installed vShield Data Security it still has the status "Not installed" in vShield Manager. I can see that the VM is up but I don't know why vShield Manager doesn't see it. When I tried to install it again I got the following error:
vShield Data Security installation encountered error while installing service VM:Internal server error: Host is not prepared
Hi,
Always try to start with the Uninstall option (clicking the "Uninstall" button). Irrespective of the results please do follow the steps below.
1) Remove the vmservice-vswitch that was created during the install (assuming there is no other device that uses this vswitch). This is a service vSwitch with no physical adapters that was created during the install. This will have 2 port groups, one called vmservice-vmknic-pg and the other vmservice-vshield-pg.
2) Remove the 169.x.x.x address given to the Net.DVFilterBindIpAddress property for the host. Select the ESX host on the left hand side tree, on the right hand pane select the Configuration tab and click on Advanced Settings under Software. In the Advanced Settings page look for the Net section and select it. Scroll all the way down and then make your way up until you find Net.DVFilterBindIpAddress = 169.254.1.1. Remove the 169.254.1.1 and click OK.
3)Either reboot the VCNS appliance or
Go into the vShield Manager console/SSH and restart the web-manager component:
Manager#no web-manager
Manager#web-manager
-
Data security with iPhone sync to First Class over Rogers network
I manage about 20 iPhones over the Rogers network in Southern Ontario. We use them to sync Contact and Calendar info to our First Class email system and to collect email via an IMAP connection to First Class. I've got some users concerned about data security when they sync their calendars and contacts and about the vulnerability of their email. Most of these concerns come from former BlackBerry users who felt their data was encrypted with a BlackBerry and now isn't with the iPhone. Oh ya, I've set up the calendar and contact sync by using instructions my Apple rep gave me. Basically you set up an Exchange account and leave out the domain name and the iPhone syncs with First Class perfectly.
Any thoughts?
Thanks
The iPhone's Mail client supports SSL for the incoming and outgoing mail server, but supporting a connection using SSL depends on the email account provider. If you control this, enable connecting to the incoming and outgoing mail server via SSL and require doing so when accessing the account with the iPhone's Mail client.
I don't know what security is included when connecting to an Exchange server via ActiveSync for over the air syncing for contact info and calendar events, but since this is used by businesses, the connection should be secure. -
Not being a security expert but more of a data at rest question, are countries where data security is a requirement able to prove that vCloud Air will only leave data in their country of origin and is there a document that states that a workload will reside in 1 datacenter and not move to another one?
Actually - there is a document that says this... it's in our Data Privacy Addendum - a part of the legal Terms of Service.
2.8 Transfer of Data. You will select the location of Your Content. You consent that we will store Your Content in the location that you choose when you purchase a specific Service Offering. By uploading Your Content into the Service Offering, you may transfer and access Your Content from around the world, including to and from the location in which Your Content is maintained. To the extent you provide Your Content in connection with customer support, you acknowledge and agree that we may handle Your Content in any country in which we or our subcontractors maintain facilities. If you are a customer in the European Union or Switzerland, you acknowledge and agree that the Service Offering storage location you choose for Your Content, and the location in which Your Content is Processed for customer support, may be in countries where the laws do not protect your personal information to the same extent as the laws in your country. We will implement measures to ensure that we provide adequate protection for Your Content that we Process on your behalf. To this end, we will maintain an appropriate safe harbor certification with the US Department of Commerce (or an equivalent data export solution) when you transfer Your Content to us from the European Union or Switzerland.
See https://www.vmware.com/support/vcloud-air/data-privacy-addendum.html
-
Hello experts,
Is it possible in an easy way to get all the data security (dimensions member security) for one specific user?
I would like to have a report for a specific user with the list of dimensions member he has read/write access to.
Regards,
Rodrigo
Hi, try Access Control Report. It's in the LCM, right click on your app (under Application Group).
If you find it very large you can write your own SQL directly in planning RDBMS or get some ready to use queries
-
hi all
I need to implement the data security in Dashboard
The scenario as follows
I am having 4 columns in my dashboard as employee name , project number , project manager name , Cost
once a project manager called anil logged he wants to see who are all employees working in his projects and details , along with this he is in a position to see the projects belongs to him but not the other projects
can any one help me regarding this
Thanks in advance
soori
hi vineeth
Thanks for your reply
But my scenario is not like this ,
I need to implement the data security in Dashboard
The scenario as follows
I am having 4 columns in my dashboard as employee name , project number , project manager name , Cost
once a project manager called anil logged he wants to see who are all employees working in his projects and details , along with this he is in a position to see the projects belongs to him but not the other projects
can any one help me regarding this
Thanks in advance
soori