Alternate method of implementing EBS-OBIEE security

We have tried implementing the EBS-OBIEE security as per Metalink Note ID 555254.1 (without SSO). However, we realised that for cookie-based integration to work, both the EBS and OBIEE URLs need to reside on the same domain. At the client location, the applications are hosted in different domains.
Any tested/proven alternative method, where we can pass the EBS responsibilities (say Operating Unit) to OBIEE?
Regards
KSK

Hi all,
yes, the session variable ':USER' is not picking up the user name, but when I hard-code it to 'BI_ADMIN' this works fine.
I have tried the following formats in place of ':USER':
VALUEOF(NQ_SESSION.USER)
VALUEOF(NQ_SESSION."USER")
VALUEOF("NQ_SESSION.USER")
UPPER(VALUEOF(NQ_SESSION.USER)) - checking if there is any problem with case
None of them worked!
When I remove the whole " USR.USER_NAME=':USER' " the SQL runs fine. Please help.

Similar Messages

  • OBIEE-EBS data security integration

    Hi all,
    I am trying to implement the HR-Org based data security in EBS-OBIEE integration.
    After creating the initialization blocks EBS Single Sign-on Integration, Get Oracle EBS Security Context and Group-EBS Responsibility, I have created a new initialization block HR Organizations to populate the session variable "HR_ORG" and I am using the following query.
    Even though the session variables GROUP and USER are getting their values correctly and integration works fine, the variable HR_ORG says "has no value definition".
    [nQSError: 10058] A general error has occurred. [nQSError: 23006] The session variable, NQ_SESSION.HR_ORG, has no value definition. (HY000)
    SQL Issued: SELECT "Per Business Groups"."Business Group Id", VALUEOF(NQ_SESSION.HR_ORG) FROM HR
    Please help me for implementing the data security after the EBS-OBIEE integration..
    For populating HR_ORG variable by row wise initialization:
    SELECT DISTINCT 'HR_ORG', TO_CHAR(SEC_DET.ORGANIZATION_ID)
    FROM
    (
      -- Organizations visible through the security profile of the user's responsibilities
      SELECT
        'HR_ORG', ASG.ORGANIZATION_ID
      FROM
        FND_USER_RESP_GROUPS URP
        ,FND_USER USR
        ,PER_SECURITY_PROFILES PSEC
        ,PER_PERSON_LIST PER
        ,PER_ALL_ASSIGNMENTS_F ASG
      WHERE
        URP.START_DATE < TRUNC(SYSDATE)
        AND (CASE WHEN URP.END_DATE IS NULL THEN TRUNC(SYSDATE) ELSE TO_DATE(URP.END_DATE) END) >= TRUNC(SYSDATE)
        AND USR.USER_NAME = ':USER'
        AND USR.USER_ID = URP.USER_ID
        AND TRUNC(SYSDATE)
            BETWEEN URP.START_DATE AND NVL(URP.END_DATE, HR_GENERAL.END_OF_TIME)
        AND PSEC.SECURITY_PROFILE_ID = FND_PROFILE.VALUE_SPECIFIC('PER_SECURITY_PROFILE_ID', URP.USER_ID, URP.RESPONSIBILITY_ID, URP.RESPONSIBILITY_APPLICATION_ID)
        AND PER.SECURITY_PROFILE_ID = PSEC.SECURITY_PROFILE_ID
        AND PER.PERSON_ID = ASG.PERSON_ID
        AND TRUNC(SYSDATE) BETWEEN ASG.EFFECTIVE_START_DATE AND ASG.EFFECTIVE_END_DATE
        AND URP.RESPONSIBILITY_ID = DECODE(FND_GLOBAL.RESP_ID,
                                           -1, URP.RESPONSIBILITY_ID,
                                           NULL, URP.RESPONSIBILITY_ID,
                                           FND_GLOBAL.RESP_ID)
      UNION
      -- The user's own primary assignment organization
      SELECT DISTINCT 'HR_ORG',
        ORGANIZATION_ID
      FROM PER_ALL_ASSIGNMENTS_F ASG,
        FND_USER USR
      WHERE ASG.PERSON_ID = USR.EMPLOYEE_ID
        AND USR.USER_NAME = ':USER'
        AND TRUNC(SYSDATE) BETWEEN ASG.EFFECTIVE_START_DATE AND ASG.EFFECTIVE_END_DATE
        AND ASG.PRIMARY_FLAG = 'Y'
    ) SEC_DET
    Thx!

    Duplicate post; see Re: obiee-ebs data security integration

  • OBIEE Security - How to setup SSO-integrated EBS users & mobile access?

    I'm looking for the best approach to solution my company's OBIEE Security requirements, they are:
    1) Create a standard authentication/security process at an enterprise level
    2) Maintain EBS Roles to provide object-level and data-level security in OBIEE
    3) EBS Users must go through the EBS portal to get to OBIEE (ie. single signon integration)
    4) non-EBS users must go through the OBIEE portal
    5) Both EBS and non-EBS users need ability to use the OBIEE iPad mobile application
    So for the EBS users, I've implemented the SSO integration between OBIEE 11.1.1.5.0 and EBS R11 based on the Oracle white paper [ID 1343143.1]. I've also set up an Authorization session init block to read the user's EBS Roles and set up object/data level security.
    For the non-EBS users, I've kept the default identity store (WLS-LDAP) and authentication provider.
    My question is what's the best approach for providing mobile access to the EBS users? Obviously I can't pass an HTML cookie to the iPad for these guys. Assuming these EBS users are in a corporate-LDAP store, I was thinking to set up a dual authentication store that connects to both corporate-ldap (EBS) and the WLS-integrated LDAP (non-EBS).
    Will this work? Does anyone have a better approach they'd like to share?

    Please post the details of the application release, database version and OS.
    We have a customer, who has upgraded to EBS R12 recently. With EBS R12 there comes a responsibility that enables users to directly open embedded BI in EBS. When people do LDAP authentication to EBS, they can directly open the OBIEE inside the EBS. But, when the EBS is SSO (OAM+WNA) integrated, OBIEE SSO in EBS does not work. What is the error?
    It could be related that OAM generated cookies are not recognized by embedded OBIEE.
    Is there a way to do a setup with both OAM SSO enabled to EBS, and EBS-OBIEE SSO is enabled inside EBS ? I do not think there is a single document that covers all the above (I believe you are aware of the individual docs).
    For urgent issue, please always log a SR.
    Thanks,
    Hussein

  • Report on OBIEE Security

    We use Default Authenticator and implemented the security using Weblogic console. Now my client wants to see a report on the OBIEE security implemented; he wants to see all the groups, roles and users listed and is also interested in seeing what users and roles are assigned to various groups for the project.
    Is it possible to read Weblogic security Metadata?
    Appreciate your thoughts on this.
    Thanks
    Bees

    Was my answer correct? If so, please indicate so (top right of my last post). If not, then what was your answer?

  • Implement row-level security using Oracle's Virtual Private Databases (VPD)

    Environment: Business Objects XI R2; Oracle 10g
    Functional Requirement:
    Implement row-level security using Oracle's Virtual Private Databases (VPD) technology. The restriction is that the Business Objects Universe connection should use a generic/"application" database user account. This will allow the organization to avoid the situation where the Business Objects password and the Oracle password need to be kept in synch.
    What do we need from the Business Objects support team?
    1.     Review the 2 attempted solutions that we have tried to implement
    2.     Propose solutions/answers to open questions for each of the attempted solutions
    3.     Propose any alternate solution that will help us implement the Function Requirement stated above
    Attempted Solution 1: Connection String uses Oracle Proxy User
    The connection string that is specified in the Universe is the following:
    app_user[end_user]/app_user_pwdarrobaDatabase.WORLD
    app_user = generic application user
    end_user = the oracle account of the end user which is set using arrobaVariable('BOUSER')
    app_user_pwd = password of the generic application user
    We have tried and implemented this in our test environment. However, we have some questions and concerns around how the connections are reused in a connection pool environment.
    Open Question for Solution 1:
    i. What happens when multiple proxy users try to connect at the same time?  Business Objects shares the generic app_user connect string.  However, every user that logs on will have their own unique proxy user credentials.  Will there be any contention involved?  If so, what kind of errors can we expect?
    ii. If a user logs on using his credentials (proxy user), business objects opens up a connection to the database using that user's credentials (as the proxy user but logging in through the generic app user). Then the user exits out --> based on our test today, it seems like the database connection remains open.  In that case, if another user logs on similarly with their credentials, will business objects simply assign the first user's connection to that second user?  If so, then our security will not work.  Is there a way that Business Objects can somehow ensure that every time we close a report, the connection is also terminated both at the BO and DB levels?
    iii. Our 3rd question is general high level -> How connection pooling works in general and how it is implemented in BO, i.e. how are new connections assigned, how are they recycled, how are they closed, etc.
    Attempted Solution 2: Using the ConnectInit parameter
    Reading through a couple of the Business Objects documents, it states that "Using the ConnectInit parameter it is possible to send commands to the database when opening the session which can be used to set database specific parameters used for optimization."
    Therefore, we tried to set the parameter in the Universe using several different options:
    ConnectInit = BEGIN SYSTEM.prc_logon('arrobaVARIABLE('BOUSER')'); COMMIT; END;
    ConnectInit = BEGIN DBMS_SESSION.SET_IDENTIFIER('arrobaVariable('BOUSER')'); COMMIT; END;
    Neither of the above iterations or any variation of that seemed to work. It seems that the variable is not being set or being "executed" on the database.
    One of the Business Objects documents had stated that Patch ID 38, 977, 350 must be installed in our BO environments. We have verified that this patch has been applied on our system.
    Open Questions for Solution 2:
    How do we get the parameter ConnectInit to work? i.e. what is the proper syntax to enter and what other things do we need to check to get this to work.
    Note: Arroba word is being used instead of the symbol in order to avoid following error message:
    We are sorry but your message can not be posted since you have included an email address. Please remove the email address and re-post.

    the connectinit setting should look something like this:
    declare a date; begin vpd_setup('@VARIABLE('BOUSER')'); Commit; end;
    The vpd_setup procedure (in Oracle) should look like this:
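    -- SESSION_VALUES must exist as an application context bound to this procedure:
    --   CREATE CONTEXT session_values USING vpd_setup;
    CREATE OR REPLACE PROCEDURE vpd_setup (p_user VARCHAR2) IS
    BEGIN
      -- Store the BO user name in the application context read by the VPD functions
      DBMS_SESSION.SET_CONTEXT('SESSION_VALUES', 'USERID', p_user);
    END vpd_setup;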
    Then you can retrieve the value of the context variable in your vpd functions
    and set the vpd.
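    The setup described in the answer above, carried through to the policy itself, as an added example that is not code from the original posts. It also covers the pooled-connection concern from open question ii by clearing the context and failing closed when no identity is set. Table, package and policy names and the sample rows are hypothetical; it assumes a single schema owns everything and holds CREATE ANY CONTEXT and EXECUTE on DBMS_RLS.

```sql
-- Added example (Oracle). orders, region_access, vpd_ctx_pkg, orders_policy and
-- ORDERS_BY_BO_USER are hypothetical names; the rows below are constructed sample data.
CREATE TABLE orders        (order_id NUMBER PRIMARY KEY, region VARCHAR2(30), amount NUMBER);
CREATE TABLE region_access (user_name VARCHAR2(128), region VARCHAR2(30));
INSERT INTO orders VALUES (1, 'EAST', 100);
INSERT INTO orders VALUES (2, 'SOUTH', 250);
INSERT INTO region_access VALUES ('USER_A', 'EAST');
INSERT INTO region_access VALUES ('USER_B', 'SOUTH');
COMMIT;

-- Only code inside vpd_ctx_pkg can write to the SESSION_VALUES namespace, so a
-- report user cannot set the identity with an ad-hoc DBMS_SESSION call.
CREATE OR REPLACE CONTEXT session_values USING vpd_ctx_pkg;

CREATE OR REPLACE PACKAGE vpd_ctx_pkg AS
  PROCEDURE vpd_setup (p_user IN VARCHAR2);  -- called from ConnectInit
  PROCEDURE vpd_clear;                       -- called before a session is reused
END vpd_ctx_pkg;
/
CREATE OR REPLACE PACKAGE BODY vpd_ctx_pkg AS
  PROCEDURE vpd_setup (p_user IN VARCHAR2) IS
  BEGIN
    DBMS_SESSION.SET_CONTEXT('SESSION_VALUES', 'USERID', UPPER(TRIM(p_user)));
  END vpd_setup;

  PROCEDURE vpd_clear IS
  BEGIN
    DBMS_SESSION.CLEAR_ALL_CONTEXT('SESSION_VALUES');
  END vpd_clear;
END vpd_ctx_pkg;
/
-- Policy function: returns the predicate Oracle appends to queries on ORDERS.
CREATE OR REPLACE FUNCTION orders_policy (p_schema IN VARCHAR2, p_object IN VARCHAR2)
  RETURN VARCHAR2
IS
BEGIN
  -- Fail closed: a session whose ConnectInit never ran sees no rows at all.
  IF SYS_CONTEXT('SESSION_VALUES', 'USERID') IS NULL THEN
    RETURN '1 = 0';
  END IF;
  -- The user name is read through SYS_CONTEXT at query time, never concatenated in.
  RETURN 'region IN (SELECT ra.region FROM ' || p_schema || '.region_access ra '
      || 'WHERE ra.user_name = SYS_CONTEXT(''SESSION_VALUES'', ''USERID''))';
END orders_policy;
/
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_name     => 'ORDERS',
    policy_name     => 'ORDERS_BY_BO_USER',
    policy_function => 'ORDERS_POLICY',
    statement_types => 'SELECT');
END;
/
-- What ConnectInit runs at session start, with the BO user name substituted in:
BEGIN vpd_ctx_pkg.vpd_setup('user_a'); END;
/
SELECT order_id, region, amount FROM orders;  -- filtered through region_access

-- Before the same database session serves another user, drop the identity.
BEGIN vpd_ctx_pkg.vpd_clear; END;
/
SELECT COUNT(*) FROM orders;                  -- predicate is now 1 = 0
```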

  • What if I implement data level security using Selection formula?

    Hi All,
    I have a requirement to implement data level security for all the reports, the thing is, we do not have a front end application developed in java/.net or any other language, so we have only two options (as per me, if you think there are other alternatives then please share).
    1) Implement security at the database level (that is use user roles in where clause which will make the where clause really complicated and hence the performance of the query will eventually decrease).
    2) Retrieve the data with the flags of user role/permission on data. Use these flags in selection formula to select the needed records as per the user login.
    I am already in the middle of implementing the second method, thought to take suggestions from you guys, I would appreciate it if you could tell me the drawbacks of the method I am using, and if there is an alternative method you could think of.
    Thanks,
    -Azhar

    Standalone Crystal Reports does not have any security option except to use Trusted Authentication when connecting to the DB. We use Microsoft's NT or MS SQL Server Authentication only.
    Doing this in CR Designer using flags and formula will never be secure, the user could simply change the formula etc...
    Check with your DBA on how to configure AD authentication and then enable or add each user to SQL server. You may need to configure and maintain this manually depending on how you have your network configured.
    Thank you
    Don

  • How to implement data level security

    How to implement data level security in BI Publisher? I am using OBIEE enterprise edition and BI Publisher. My requirement is to show data based on User - Region relationship.
    User A - belongs to Eastern Region
    User B - belongs to Southern Region
    so if user A logged in he should see only Eastern Region report. If user B logged in he should see only Southern region. I am using direct SQL to my Oracle database as data source.
    I appreciate your help

    I am using a common database username and password for the jdbc connection. What I am looking for is based on the BI Publisher login, is there any way?
    say I have a userregion table joined with fact, so that I can write a query to get the data
    select c1,c2,c3
    from userregion, fact
    where fact.region=userregion.region
    and userregion.user = BIPUBLIHSERUSER
    but my question is, is there any variable to tell who is logged in to BI Publisher? Any server variables?
    Other related question is, in every report I want to show the user name of who is running the report. How can I get this?

  • OBIEE Security

    Hi,
    I want to know about various types of security provided in OBIEE.
    I come across terms like row level security and column level security, I want to know about these two terms wrt OBIEE, and how we provide these types of security.
    Thanks
    Shashank Gupta

    Row level security is implemented by Data Security Groups.
    There are three kinds of groups - data values groups (like UK etc.),
    data visibility groups (like Sales) & security groups like Country Based Security.
    Object Level Security:
    Now for Data Visibility under the filter you can explicitly select what subject areas a user can query like sales (Data visibility groups - Sales)
    Row Based Security:
    A Session Initialization block is fired as a user logs in and records the groups he is a member of,
    e.g. UK Group, Sales Group & Country Based Security Group.
    The group Country Based Security Group under the filter tab has the following - value of dimension country = value of NQSESSION.GROUP
    Hope this helps !!

  • Obiee security / Cache management scenarions and solution required

    scenario 1: Cache Mechanism implementation
    We have to develop a report which will populate the data from Cache for previous months and from database for current month simultaneously.
    Scenario 2: Security (users/groups) implementation
    We have to implement the authorisation on 20000+ roles (groups) in OBIEE. They want it to be implemented internally in OBIEE using some script/API so that all the roles will be created and as well as updated automatically in OBIEE whenever there are some updations in their database.
    Question 1: How is it possible to manage more than 20000 roles (groups) , each role is having different different privileges ?
    Scenario 3: How can we switch on or off row-level-security for different reports (As in some reports, data does not need to be restricted)
    Example: A single report has a summary page and a detail level page. Summary page can be seen by everyone whoever logs on to the BI portal and accesses the report but when the user clicks on a figure on summary page to drill to detail he sees only his data that he has access rights to.

    scenario 1: Cache Mechanism implementation Can not be done. Either the query comes from the cache or it doesn't, it can not come from two sources.
    Scenario 2: Security (users/groups) implementation
    Question 1: How is it possible to manage more than 20000 roles (groups) , each role is having different different privileges ? Sure your requirement is to implement a specific security model not to have 20000 roles. You seem to have come with an implementation where you have 20000 roles which to me would seem like you are way off track. Could OBIEE support that? May be. Is it a good idea? Def not.
    They want it to be implemented internally in OBIEE using some script/API so that all the roles will be created and as well as updated automatically in OBIEE whenever there are some updations in their database. Whoever is "they" tell them that they are not OBIEE experts and they should not tell you how to implement things. Ask them to give you the actual business requirement rather than the "solution". You as an "OBIEE expert" should decide the best way to implement it in OBIEE. The typical approach is to have all the roles in a Database and populate the GROUP variable via a row-wise init block. Plenty of info in the forums about this. Script/API? Forget about it, not fast enough.
    Scenario 3: How can we switch on or off row-level-security for different reports (As in some reports, data does not need to be restricted)" If row-level-security is needed at the report level then you shouldn't implement it in the RPD but you should use filters in the different reports. Do not let the users change those reports.

  • OBIEE Security 10g to 11g: Groups

    I had a Security scenario that I wanted to throw out to the forum...
    In 10g, we made use of the GROUP system variable to pull a user's group membership from a database table. This was a Session Variable initialized upon each login.
    Data-level and object-level security was different for each group.
    In our environment users had the ability to switch groups, so they could be active in one of the groups and inactive in the others. We provided a form (WriteBack) that allowed them to set what group they wanted to be active for. They would then log out and log back in and have their new group assignments.
    In the Session Variable this was done by pulling in only groups that were flagged as Active. This worked great as it was done at the Session level. So I could login once and see Dashboard A, switch my role, then log back in and NOT see Dashboard A.
    I know 11g still has the concept of WEBGROUPS, that would mimic the above, but my understanding is that Oracle is pushing the use of Application Roles.
    My question is how would the above behavior be ported over to 11g using Application Roles? I didn't think the population of an Application Role was Session Based, my belief is that it is populated when the Admin Server/Managed Servers are brought up pulling from the applicable Security Provider.
    Edited by: DustinC on Jan 19, 2012 1:29 PM
    Edited by: DustinC on Jan 20, 2012 3:54 PM
    Edited by: DustinC on Jan 22, 2012 12:45 PM
    Edited by: DustinC on Jan 23, 2012 11:40 AM

    Q1. how to deploy external database security (users, groups) to OBIEE 11g.
    we used external database security in 10g. all the users and groups are maintained in the database and the obiee rpd has security groups. repository has group information only so it deployed groups information to obiee 11g by upgrade assistant but how can it deploy users in external database?
    Solution:
    http://www.varanasisaichand.com/2011/09/external-table-authenticationorder-of.html
    http://www.rittmanmead.com/2012/03/obiee-11g-security-week-connecting-to-active-directory-and-obtaining-group-membership-from-database-tables/
    http://obieeblog.wordpress.com/2009/06/18/obiee-security-enforcement-%E2%80%93-external-database-table-authorization/
    Q2. all the users and roles are in an LDAP server. in this case how does obiee 11g read users and group information?
    Obiee11g is integrated with weblogic fusion middleware (Console, EM). that console has a feature to enable multiple LDAP authentication
    while configuring AD via weblogic console we need to give the users and group info
    Solution refer:
    http://obieeelegant.blogspot.com/2012/01/obiee-11g-integration-with-ldap.html
    http://docs.oracle.com/cd/E23943_01/bi.1111/e10543/privileges.htm#BABCDCFE
    Thanks
    Deva

  • I have file with 500 pages created from AutoCad file. In all pages, I have different document numbers.The file is not editable in pdf. How to change all the document numbers using "Comment" feature? Any alternate method?  alternate method? I have Adobe Ac

    I have pdf file with 500 pages created from AutoCad file. In all pages, I have different document numbers. The file is not editable in pdf. How to change all the document numbers using "Comment" feature? Any alternate method? I have Adobe Acrobat X Pro and Windows -7 platform.

    Yes, I just want to cover up all the pages for those particular area of document numbers.
    Nothing sensitive about it. I just want to show the correct document numbers on all pages in print out.
    So, I wanted to cover up by comments, but commenting on each page will be difficult. So, I wanted to comment the same on all pages.

  • How to implement row level security using external tables

    Hi All Gurus/ Masters,
    I want to implement row level security using external tables, as I'm not sure how to implement that. and I'm aware of using it by RPD level authentication.
    I can use a filter condition in my user level so that he can access his data only.
    But when i have 4 tables in external tables
    users
    groups
    usergroups
    webgrups
    Then in which table I need to give the filter conditions..
    Pl let me know this ...

    You pull the Group into a repository variable using a session variable init block, then reference that variable in the data filters either in the LTS directly or in the security management as Filters. You reference it with the syntax VALUEOF("NQ_SESSION.Variable Name")
    Hope this helps

  • Cure for "501 Method Not Implemented" error at site in Firefox but not Chrome or IE?

    I am receiving a "501 Method Not Implemented" error message at a site in Firefox but not in Chrome or IE. How can this be cured?

    Do you get that error if you access the site or if you click a link to go to another page?
    You can reload the page and bypass the cache with:
    * Press and hold Shift and left-click the Reload button.
    * Press "Ctrl + F5" or press "Ctrl + Shift + R" (Windows,Linux)
    * Press "Cmd + Shift + R" (MAC)
    See [[Keyboard shortcuts]] and [[Mouse shortcuts]]
    * "Clear the Cache": Tools > Options > Advanced > Network > Offline Storage (Cache): "Clear Now"
    * "Remove the Cookies" from sites that cause problems: Tools > Options > Privacy > Cookies: "Show Cookies"
    Start Firefox in [[Safe Mode]] to check if one of your add-ons is causing your problem (switch to the DEFAULT theme: Tools > Add-ons > Themes).
    * Don't make any changes on the Safe mode start window.
    See [[Troubleshooting extensions and themes]] and [[Troubleshooting plugins]]

  • SAP Lumira - Implementing row level security

    Hi All,
    I am aware that SAP Lumira 1.17 onward allows sharing the datasets and stories to SAP Lumira Server as well as SAP BI Platform (4.1 SP3 onward).
    But I would like to know if there is any way of implementing Row level security for this published contents i.e. datasets or stories. e.g. If user A (may be an administrator with access to all the regions) creates dataset and story and shares it with other users over SAP Lumira Server or SAP BI Platform. But when user B accesses these contents on any platform, SAP Lumira server or SAP BI Platform, he should be able to see data only as per his access (his own region). Can something of this sort be implemented?
    Thanks,
    Abhijit

    Hi,
    Sorry for the delay in getting back to you.
    As per my understanding - as of today, we respect Row-level security when acquiring (fetching) the data from universe into Lumira desktop (also, contexts and business-security profiles i.e. columns)
    now, when that desktop user has 'designed' the Lumira document, all of the above: row-level, contexts and security profiles  are 'locked-down' into that artefact when shared onwards. (i.e. to Lum Server and hence, BI Platform)
    once this content is being accessed from the BI Launchpad, refresh-on-demand is possible from the story, as well as scheduling of dataset on which it is based.
    According to this blog by Greg Wcislo (the product owner for the Add-on)  Lumira integration for BI4 functionality detailed. note that features such as 'refresh on open' and 'changing design-time parameters' (i.e. prompts) are not yet supported,  but very much in future scope / plans.
    I believe that one of the other mid-term goals is to architect a 'Lumira server-side universe refresh' (i.e. so that the processing is handled 100% by Lumira server) rather than querying across BIPlatform services then replicating a dataset to HANA (which is currently the process flow)
    I hope this helps.
    Regards,
    H

  • Error when sending message: Method not implemented

    Hi, All:
    We have newly setup system and when we test sending test message from RWB, (RWB-Component Monitoring-Integration Engine-Test Tab), we got following error:
    "Error when sending message: Method not implemented", I know this is related to post configuration issue, I just know someone has come across the situation and how it was resolved.
    Thanks
    Liang

    HI Liang
    Yes it looks like post installation problem. I have not come across this but i think you should check with the RFC created for IE while installation. To connect IE & AE and even the exchange profile if something is missing
    Thanks
    Gaurav
