Authorization at row level
Hi All,
I have a scenario where if a particular user creates a purchase order and he selects an incorrect warehouse, the document should go for approval. I tried the following query but this sends any purchase order created for approval.
SELECT DISTINCT 'TRUE' FROM OPOR T0 INNER JOIN POR1 T1 ON T0.DocEntry = T1.DocEntry WHERE T1.[WhsCode] ='MS0006'
What could be wrong with this query?
Thanks,
Joseph
Hi Istvan,
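Similarly I have created codes for other documents.
-- WOR1 holds production order lines, so limit this check to object type 202
IF @transaction_type IN (N'A', N'U') AND @object_type = N'202'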
begin
if exists(select T.docentry from WOR1 T where T.docentry = @list_of_cols_val_tab_del and
T.[wareHouse] in ( '1','2','MS0007','MS0001','MS0003','MS0004','MS00010','MS0011', 'MS0022', 'MS0023','MS0024',
'MS0027','MS0028','MS0035', 'MS0040', 'MS0041','MS0042','MS0043','MS0044','MS0048', 'MS0062', 'MS0065', 'MS0076', 'MS0077',
'MS0079', 'MS0090', 'MS0123', 'MS0134', 'MS0138', 'MS0198', 'MS0210', 'MS0233', 'MS0234', 'MS0269', 'MS0273', 'MS0274', 'MS0283',
'MS0284', 'MS0287' , 'MS0288', 'MS0333',
'MS0078', 'MS0091', 'MS0137', 'MS0143', 'MS0153', 'MS0154', 'MS0155', 'MS0156', 'MS0158', 'MS0183',
'MS0199', 'MS0202', 'MS0203') )
begin
SET @error = 21
SET @error_message = N'YOU CANNOT USE THIS WAREHOUSE FOR THE TRANSACTION'
end
end
If @object_type='20' AND @transaction_type = 'A'
BEGIN
If Exists
(SELECT T0.Price, T1.Price
FROM PDN1 T0 INNER JOIN POR1 T1
ON T0.BaseEntry=T1.DocEntry and
T0.BaseLine=T1.LineNum and T0.BaseType=22
WHERE T0.DocEntry = @list_of_cols_val_tab_del
and T0.Price!=T1.Price)
Begin
SELECT @error = 1,
@error_message = 'Price is different from order !'
End
END
IF @transaction_type IN (N'A', N'U') AND (@Object_type = N'20')
begin
if exists (SELECT T0.BaseEntry, SUM(T0.Quantity)
FROM [dbo].[PDN1] T0 INNER JOIN [dbo].[POR1] T1 ON T1.DOCENTRY = T0.BASEENTRY
WHERE T0.BaseType = 22 AND T0.ItemCode = T1.ItemCode AND T0.BaseLine = T1.LineNum and T0.DOCENTRY = @list_of_cols_val_tab_del
GROUP BY T0.BaseEntry
HAVING (SUM(T0.Quantity) > SUM(T1.Quantity)) or sum(t0.quantity) > sum(t0.BaseOpnQty))
begin
select @Error = 10, @error_message = 'GRPO quantity is greater PO quantity'
end
end
IF @transaction_type IN (N'A', N'U') and @object_type = '22'
begin
if exists(select T.docentry from POR1 T where T.docentry = @list_of_cols_val_tab_del and
T.[WhsCode] in ( '1','2','MS0006','MS0007','MS0011', 'MS0012','MS0014', 'MS0015','MS0022', 'MS0023','MS0024',
'MS0027','MS0028','MS0035', 'MS0040', 'MS0041','MS0042','MS0043','MS0044','MS0048', 'MS0062', 'MS0065', 'MS0076',
'MS0078', 'MS0079', 'MS0091', 'MS0137', 'MS0143', 'MS0153', 'MS0153', 'MS0154', 'MS0155', 'MS0156', 'MS0158', 'MS0183',
'MS0199', 'MS0201', 'MS0202', 'MS0203', 'MS0217','P00001','P00002','P00003','P00007','P00008','P00009','P00010','P00011',
'P00012','P00013','P00014','P00015','P00016','P00017','P00018','P00026','P00028','P00030','P00033') )
begin
SET @error = 20
SET @error_message = N'YOU CANNOT USE THIS WAREHOUSE FOR THE TRANSACTION'
end
end
IF @transaction_type IN (N'A', N'U') and @object_type = '20'
begin
if exists(select T.docentry from PDN1 T where T.docentry = @list_of_cols_val_tab_del and
T.[WhsCode] in ( '1','2','MS0006','MS0007','MS0011', 'MS0012','MS0014', 'MS0015','MS0022', 'MS0023','MS0024',
'MS0027','MS0028','MS0035', 'MS0040', 'MS0041','MS0042','MS0043','MS0044','MS0048', 'MS0062', 'MS0065', 'MS0076',
'MS0078', 'MS0079', 'MS0091', 'MS0137', 'MS0143', 'MS0153', 'MS0153', 'MS0154', 'MS0155', 'MS0156', 'MS0158', 'MS0183',
'MS0199', 'MS0201', 'MS0202', 'MS0203', 'MS0217','P00001','P00002','P00003','P00007','P00008','P00009','P00010','P00011',
'P00012','P00013','P00014','P00015','P00016','P00017','P00018','P00026','P00028','P00030','P00033') )
begin
SET @error = 20
SET @error_message = N'YOU CANNOT USE THIS WAREHOUSE FOR THE TRANSACTION'
end
end
IF @transaction_type IN (N'A', N'U') and @object_type = '21'
begin
if exists(select T.docentry from RPD1 T where T.docentry = @list_of_cols_val_tab_del and
T.[WhsCode] in ( '1','2','MS0006','MS0007','MS0011', 'MS0012','MS0014', 'MS0015','MS0022', 'MS0023','MS0024',
'MS0027','MS0028','MS0035', 'MS0040', 'MS0041','MS0042','MS0043','MS0044','MS0048', 'MS0062', 'MS0065', 'MS0076',
'MS0078', 'MS0079', 'MS0091', 'MS0137', 'MS0143', 'MS0153', 'MS0153', 'MS0154', 'MS0155', 'MS0156', 'MS0158', 'MS0183',
'MS0199', 'MS0201', 'MS0202', 'MS0203', 'MS0217','P00001','P00002','P00003','P00007','P00008','P00009','P00010','P00011',
'P00012','P00013','P00014','P00015','P00016','P00017','P00018','P00026','P00028','P00030','P00033') )
begin
SET @error = 20
SET @error_message = N'YOU CANNOT USE THIS WAREHOUSE FOR THE TRANSACTION'
end
end
IF @transaction_type IN (N'A', N'U') and @object_type = '18'
begin
if exists(select T.docentry from PCH1 T where T.docentry = @list_of_cols_val_tab_del and
T.[WhsCode] in ( '1','2','MS0006','MS0007','MS0011', 'MS0012','MS0014', 'MS0015', 'MS0016','MS0022', 'MS0023','MS0024',
'MS0027','MS0028','MS0035', 'MS0040', 'MS0041','MS0042','MS0043','MS0044','MS0048', 'MS0062', 'MS0065', 'MS0076',
'MS0078', 'MS0079', 'MS0091', 'MS0137', 'MS0143', 'MS0153', 'MS0153', 'MS0154', 'MS0155', 'MS0156', 'MS0158', 'MS0183',
'MS0199', 'MS0201', 'MS0202', 'MS0203', 'MS0217','P00001','P00002','P00003','P00007','P00008','P00009','P00010','P00011',
'P00012','P00013','P00014','P00015','P00016','P00017','P00018','P00026','P00028','P00030','P00033') )
begin
SET @error = 20
SET @error_message = N'YOU CANNOT USE THIS WAREHOUSE FOR THE TRANSACTION'
end
end
IF @transaction_type IN (N'A', N'U') and @object_type = '19'
begin
if exists(select T.docentry from RPC1 T where T.docentry = @list_of_cols_val_tab_del and
T.[WhsCode] in ( '1','2','MS0006','MS0007','MS0011', 'MS0012','MS0014', 'MS0015','MS0022', 'MS0023','MS0024',
'MS0027','MS0028','MS0035', 'MS0040', 'MS0041','MS0042','MS0043','MS0044','MS0048', 'MS0062', 'MS0065', 'MS0076',
'MS0078', 'MS0079', 'MS0091', 'MS0137', 'MS0143', 'MS0153', 'MS0153', 'MS0154', 'MS0155', 'MS0156', 'MS0158', 'MS0183',
'MS0199', 'MS0201', 'MS0202', 'MS0203', 'MS0217','P00001','P00002','P00003','P00007','P00008','P00009','P00010','P00011',
'P00012','P00013','P00014','P00015','P00016','P00017','P00018','P00026','P00028','P00030','P00033') )
begin
SET @error = 20
SET @error_message = N'YOU CANNOT USE THIS WAREHOUSE FOR THE TRANSACTION'
end
end
IF @transaction_type IN (N'A', N'U') and @object_type = '17'
begin
if exists(select T.docentry from RDR1 T where T.docentry = @list_of_cols_val_tab_del and
T.[WhsCode] in ( '1','2','MS0007','MS0001','MS0003','MS0004','MS00010','MS0011', 'MS0022', 'MS0023','MS0024',
'MS0027','MS0028','MS0035', 'MS0040', 'MS0041','MS0042','MS0043','MS0044','MS0048', 'MS0062', 'MS0065', 'MS0076', 'MS0077',
'MS0079', 'MS0090', 'MS0123', 'MS0134', 'MS0138', 'MS0198', 'MS0210', 'MS0233', 'MS0234', 'MS0269', 'MS0273', 'MS0274', 'MS0283',
'MS0284', 'MS0287' , 'MS0288', 'MS0333',
'MS0078', 'MS0091', 'MS0137', 'MS0143', 'MS0153', 'MS0154', 'MS0155', 'MS0156', 'MS0158', 'MS0183',
'MS0199', 'MS0202', 'MS0203','P00001','P00002','P00003','P00007','P00008','P00009','P00010','P00011',
'P00012','P00013','P00014','P00015','P00016','P00017','P00018','P00026','P00028','P00030','P00033') )
begin
SET @error = 20
SET @error_message = N'YOU CANNOT USE THIS WAREHOUSE FOR THE TRANSACTION'
end
end
IF @transaction_type IN (N'A', N'U') and @object_type = '15'
begin
if exists(select T.docentry from DLN1 T where T.docentry = @list_of_cols_val_tab_del and
T.[WhsCode] in ( '1','2','MS0007','MS0001','MS0003','MS0004','MS00010','MS0011', 'MS0022', 'MS0023','MS0024',
'MS0027','MS0028','MS0035', 'MS0040', 'MS0041','MS0042','MS0043','MS0044','MS0048', 'MS0062', 'MS0065', 'MS0076', 'MS0077',
'MS0079', 'MS0090', 'MS0123', 'MS0134', 'MS0138', 'MS0198', 'MS0210', 'MS0233', 'MS0234', 'MS0269', 'MS0273', 'MS0274', 'MS0283',
'MS0284', 'MS0287' , 'MS0288', 'MS0333',
'MS0078', 'MS0091', 'MS0137', 'MS0143', 'MS0153', 'MS0154', 'MS0155', 'MS0156', 'MS0158', 'MS0183',
'MS0199', 'MS0202', 'MS0203','P00001','P00002','P00003','P00007','P00008','P00009','P00010','P00011',
'P00012','P00013','P00014','P00015','P00016','P00017','P00018','P00026','P00028','P00030','P00033') )
begin
SET @error = 20
SET @error_message = N'YOU CANNOT USE THIS WAREHOUSE FOR THE TRANSACTION'
end
end
IF @transaction_type IN (N'A', N'U') and @object_type = '16'
begin
if exists(select T.docentry from RDN1 T where T.docentry = @list_of_cols_val_tab_del and
T.[WhsCode] in ( '1','2','MS0007','MS0001','MS0003','MS0004','MS00010','MS0011', 'MS0022', 'MS0023','MS0024',
'MS0027','MS0028','MS0035', 'MS0040', 'MS0041','MS0042','MS0043','MS0044','MS0048', 'MS0062', 'MS0065', 'MS0076', 'MS0077',
'MS0079', 'MS0090', 'MS0123', 'MS0134', 'MS0138', 'MS0198', 'MS0210', 'MS0233', 'MS0234', 'MS0269', 'MS0273', 'MS0274', 'MS0283',
'MS0284', 'MS0287' , 'MS0288', 'MS0333',
'MS0078', 'MS0091', 'MS0137', 'MS0143', 'MS0153', 'MS0154', 'MS0155', 'MS0156', 'MS0158', 'MS0183',
'MS0199', 'MS0202', 'MS0203','P00001','P00002','P00003','P00007','P00008','P00009','P00010','P00011',
'P00012','P00013','P00014','P00015','P00016','P00017','P00018','P00026','P00028','P00030','P00033') )
begin
SET @error = 20
SET @error_message = N'YOU CANNOT USE THIS WAREHOUSE FOR THE TRANSACTION'
end
end
IF @transaction_type IN (N'A', N'U') and @object_type = '13'
begin
if exists(select T.docentry from INV1 T where T.docentry = @list_of_cols_val_tab_del and
T.[WhsCode] in ( '1','2','MS0007','MS0001','MS0003','MS0004','MS00010','MS0011', 'MS0022', 'MS0023','MS0024',
'MS0027','MS0028','MS0035', 'MS0040', 'MS0041','MS0042','MS0043','MS0044','MS0048', 'MS0062', 'MS0065', 'MS0076', 'MS0077',
'MS0079', 'MS0090', 'MS0123', 'MS0134', 'MS0138', 'MS0198', 'MS0210', 'MS0233', 'MS0234', 'MS0269', 'MS0273', 'MS0274', 'MS0283',
'MS0284', 'MS0287' , 'MS0288', 'MS0333',
'MS0078', 'MS0091', 'MS0137', 'MS0143', 'MS0153', 'MS0154', 'MS0155', 'MS0156', 'MS0158', 'MS0183',
'MS0199', 'MS0202', 'MS0203','P00001','P00002','P00003','P00007','P00008','P00009','P00010','P00011',
'P00012','P00013','P00014','P00015','P00016','P00017','P00018','P00026','P00028','P00030','P00033') )
begin
SET @error = 20
SET @error_message = N'YOU CANNOT USE THIS WAREHOUSE FOR THE TRANSACTION'
end
end
IF @transaction_type IN (N'A', N'U') and @object_type = '14'
begin
if exists(select T.docentry from RIN1 T where T.docentry = @list_of_cols_val_tab_del and
T.[WhsCode] in ( '1','2','MS0007','MS0001','MS0003','MS0004','MS00010','MS0011', 'MS0022', 'MS0023','MS0024',
'MS0027','MS0028','MS0035', 'MS0040', 'MS0041','MS0042','MS0043','MS0044','MS0048', 'MS0062', 'MS0065', 'MS0076', 'MS0077',
'MS0079', 'MS0090', 'MS0123', 'MS0134', 'MS0138', 'MS0198', 'MS0210', 'MS0233', 'MS0234', 'MS0269', 'MS0273', 'MS0274', 'MS0283',
'MS0284', 'MS0287' , 'MS0288', 'MS0333',
'MS0078', 'MS0091', 'MS0137', 'MS0143', 'MS0153', 'MS0154', 'MS0155', 'MS0156', 'MS0158', 'MS0183',
'MS0199', 'MS0202', 'MS0203','P00001','P00002','P00003','P00007','P00008','P00009','P00010','P00011',
'P00012','P00013','P00014','P00015','P00016','P00017','P00018','P00026','P00028','P00030','P00033') )
begin
SET @error = 20
SET @error_message = N'YOU CANNOT USE THIS WAREHOUSE FOR THE TRANSACTION'
end
end
Now at times, we get the error message that header data is missing.
Thanks,
Joseph
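The warehouse checks in the post above, rewritten as an added example (not code from the post or from SAP): the repeated IN lists become rows in one rule table keyed by object type, so each document type is checked only against its own line table and its own list. `#BlockedWhs`, the `#POR1`/`#PDN1` stand-in tables and all sample rows are constructed for illustration; `TRY_CONVERT` assumes SQL Server 2012 or later.

```sql
-- Stand-ins for two SAP Business One line tables, reduced to the columns the
-- check reads. In the company database these would be the real POR1 and PDN1.
CREATE TABLE #POR1 (DocEntry int, LineNum int, WhsCode nvarchar(8));
CREATE TABLE #PDN1 (DocEntry int, LineNum int, WhsCode nvarchar(8));

-- Constructed sample lines: purchase order 101 has one blocked line (MS0006),
-- purchase order 102 is clean, and goods receipt PO 101 shares the DocEntry
-- number of purchase order 101 but is a different document.
INSERT INTO #POR1 VALUES (101, 0, N'MS0001'), (101, 1, N'MS0006'), (102, 0, N'MS0001');
INSERT INTO #PDN1 VALUES (101, 0, N'MS0001');

-- Hypothetical rule table: one row per (object type, warehouse) pair that must
-- be rejected. The primary key rejects duplicate entries, and a single place
-- to edit keeps the lists for the different document types from drifting.
CREATE TABLE #BlockedWhs (
    ObjType nvarchar(20) NOT NULL,
    WhsCode nvarchar(8)  NOT NULL,
    PRIMARY KEY (ObjType, WhsCode)
);

-- Constructed subset of the lists from the post (22 = purchase order,
-- 20 = goods receipt PO).
INSERT INTO #BlockedWhs VALUES
    (N'22', N'MS0006'), (N'22', N'MS0007'),
    (N'20', N'MS0006'), (N'20', N'MS0007');

-- Simulated procedure parameters and result variables (sample values).
DECLARE @object_type              nvarchar(20)  = N'22',
        @transaction_type         nchar(1)      = N'A',
        @list_of_cols_val_tab_del nvarchar(255) = N'101',
        @error                    int           = 0,
        @error_message            nvarchar(200) = N'Ok';

-- The key arrives as text and is not numeric for every object type, so
-- convert it once and skip the check when it is not a document number.
DECLARE @doc_entry int = TRY_CONVERT(int, @list_of_cols_val_tab_del);

IF @transaction_type IN (N'A', N'U') AND @doc_entry IS NOT NULL
BEGIN
    DECLARE @bad_whs nvarchar(8);

    -- Every line carries the object type of the table it came from, so a
    -- DocEntry is only ever compared with lines of the matching document type.
    SELECT TOP (1) @bad_whs = L.WhsCode
    FROM (
        SELECT N'22' AS ObjType, DocEntry, LineNum, WhsCode FROM #POR1
        UNION ALL
        SELECT N'20', DocEntry, LineNum, WhsCode FROM #PDN1
    ) AS L
    INNER JOIN #BlockedWhs AS B
            ON B.ObjType = L.ObjType
           AND B.WhsCode = L.WhsCode
    WHERE L.ObjType  = @object_type
      AND L.DocEntry = @doc_entry
    ORDER BY L.LineNum;

    IF @bad_whs IS NOT NULL
    BEGIN
        SET @error = 20;
        SET @error_message = N'YOU CANNOT USE THIS WAREHOUSE FOR THE TRANSACTION: ' + @bad_whs;
    END
END

-- Result the procedure would hand back to the application.
SELECT @error AS error, @error_message AS error_message;

DROP TABLE #POR1, #PDN1, #BlockedWhs;
```

Changing `@object_type` to `N'20'` in the sample parameters exercises the goods receipt PO with the same DocEntry, which contains no blocked warehouse.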
Similar Messages
-
Row Level Security not working for SAP R/3
Hi Guys
We have an environment where the details are as mentioned below:
1. Crystal Reports are created using Open SQL driver to extract data from SAP R/3 using the SAP Integration Kit.
2. The SAP roles are imported in Business Objects CMC.
3. Crystal Reports are published on the Enterprise as well.
4. Authorization objects are created in SAP R/3 and added as required for the row level security as mentioned in the SAP Installation guide as well. The aim is when the user logs into the Infoview and refreshes the report he should only see data that he is meant to so through the authorization objects. The data security works very much fine when the reports are designed directly on the table but when the reports are built on the Business View it doesn't work hence the user is able to see all data.
Any help in this issue is greatly appreciated.
Thanks and Regards
Kamal
Hi,
In order for row level security to work for you using the OpenSql driver, you need to configure the Security Definition Editor on your SAP server. This is a server side tool which the Integration solution for SAP offers as a transport.
This tool defines which tables are to be restricted based on authorizations.
However since you are seeing the issue on reports based on Business Views, you need to identify whether the Business View is configured in such a way where the user refreshing the report is based on the user logging into Infoview. If the connection to your SAP server is always established with the same user when BV is used then your security definition is pointless.
You can confirm this by tracing your SAP server to identify what user is being used to logon to SAP to refresh the reports.
thanks
Mike -
Row level security in Hyperion System 9 - 9.3.1
Hi Gurus,
I have a requirement where the users get to see records in a table based on their localization code. This is currently implemented using views.
The view has a set of conditions which checks the localization table with the employee table. For example, if any of the first manager, second manager etc.. localization code
matches then they get to see records for that location.
The RLS in Hyperion uses Groups to assign security rules. But in my case, the determination is dynamic based on the localization code. And these things change depending on employee movement, transfer, promotion etc..
In such a scenario, can I use RLS only if I know a set Groups of users and where they belong to? Can RLS accommodate my above said requirement?
z
Follow the steps in the following link to set up OID and Row level security:
http://www.rittmanmead.com/2007/05/21/using-initialization-blocks-with-ldap-and-database-queries-to-control-authentication-and-authorization/
Instructions for the link above:
1. In place of Edit Data Source as database you have to select LDAP, define the groups and default initializer as filter expression.
2. A simpler approach is to create the groups explicitly using the Security Manager in BI Administrator, add filters to those groups, and assign users to those groups.
Otherwise follow Matt's view
Thanks,
Amrita -
Row Level security in OLAP universe
Hi,
We have a OLAP universe based on a BeX query and we are planning to implement the row level security on it.
As it is not possible to use the normal @BOUSER in the OLAP universe, what is the way to implement the same?
Is it possible to have it in the BeX query itself? Any thoughts on this please.
indus
Hi,
Right now you can not implement row level security in an OLAP Universe, you need to setup BI Authorizations and use Authorization variables in the query.
Ingo -
Row level security in Xcelsius through scheduled reports?
Hi Experts,
Our requirement is to implement row level security in Xcelsius dashboards from SAP BW source through Bex queries which would have authorization variables. We have seen that these Bex authorization variables work in Webi reports and security is applied appropriately. But do they work up to Xcelsius as well, if we use Live Office Parameter binding option? If it does, then do we need to create prompts again in Webi?
We have also seen that security is applied if we use the BICS (SAP Netweaver native connectivity) option. However our objective is to schedule as many reports as possible in the dashboard to save on report refresh time at run-time, which is not possible in BICS or QAAWS. Therefore the best option for us would have been if we could apply row level security on scheduled reports.
Can you please advise on the best approach? Your help is greatly appreciated.
Thanks,
Sougata
Since you are using BEx queries as data sources authorization variables is the only way to apply row level security. This will work fine also for XCelsius dashboards that run in the InfoView (in an SAP logon context eg. when the user uses their SAP credentials to log in to the InfoView) and fetch data on-demand over LO from your WebI reports. Just make sure that the underlying webi reports are set to use SSO.
If you are using scheduled report instances no row level security is applied depending on the context of the user that started the dashboard. XCelsius will get the data that have been saved in the instances. In this case the row level security has been already applied at the moment the report instance was created BUT for the user who scheduled the reports to run.
Regards,
Stratos -
Row Level Security in OBIEE using OID as authentication Mechanism
Hi OBIEE Gurus,
I am trying to implement Row Level Security in OBIEE . Currently I have setup OBIEE to have OID do the user authentication.
I want to implement RLS by doing the following :
1. Have Security Groups defined in OID and assign users with group membership.
2. Import these Security Groups into OBIEE metadata
3. Apply filters to these Security Groups
4. Run Answers requests to see if RLS works or not
Please let me know if this approach works. If this is not the right way or most efficient way to do this, please let me know if there is any document I can follow to accomplish this.
Appreciate your help.
Edited by: drakesh on Sep 26, 2008 7:09 AM
Follow the steps in the following link to set up OID and Row level security:
http://www.rittmanmead.com/2007/05/21/using-initialization-blocks-with-ldap-and-database-queries-to-control-authentication-and-authorization/
Instructions for the link above:
1. In place of Edit Data Source as database you have to select LDAP, define the groups and default initializer as filter expression.
2. A simpler approach is to create the groups explicitly using the Security Manager in BI Administrator, add filters to those groups, and assign users to those groups.
Otherwise follow Matt's view
Thanks,
Amrita -
How to Apply Row level restrictions On objects
Hi All,
I am working on universe designer (BO 3.1) .....
I would like to apply row level restrictions on a column of table based on the user who is running the report.
Can anyone please help me on this..
Thanks in Advance.............
Hi
Universe access and row-level security can also be managed at the group or individual user level from within the design environment.
Find the below video row level restrictions
http://www.youtube.com/watch?v=6yM0OLK6QlI
Create a data security profile that restricts access to specific rows: Information design tool 4.x - YouTube
Implementing row level security in IDT using Data Security Profile
And you cannot set row-level security authorizations in an OLAP universe.
User security can be defined at the most granular level for the following content objects.
Folders and sub-folders
Reports
Categories
Events
Program Files
Publications -
Crystal Reports - ECC Tables - Row level security on Multiple tables
Hi Experts,
We are implementing Crystal Reports directly reporting on ECC Tables. Lot of information on row-level security has been provided by experts Ingo Hilgefort, Don Williams and Mike Seblani, but not related to multiple tables or Wild cards
Requirement:
Crystal Users should have access to ALL the tables in ECC, but restricted by Company code, plant, Sales Organization, Purchasing Organization fields to what ever table it applies to. Example: MARC table should be restricted by Plant, BSEG table should be restricted by Plant and company code, GLT0 table should be restricted by Company code..etc
Users should ONLY see their Organization related data.
Solution Developed:
1. We created custom authorization object with BUKRS and WERKS
2. In /CRYSTAL/RLS we used Wild Cards *, + rather than specific table and referenced the custom authorization object with =BUKRS and =WERKS in the Field Value
3. Enabled global lock
4. Custom Authorization object was added to user-profiles with corresponding restrictions
*Observation:*
1. This security works when a crystal report was developed on a ECC table which has both BUKRS and WERKS
2. This setup DOES NOT work when a crystal report developed on a table with either one of BUKRS or WERKS
Example: Does not work on MARC table - error message "Database connection error: /CRYSTAL/OSQL_EXECUTE_QUERY Message: field T0~BUKRS" unknown"
Does not work on GLT0 table - error message "Database connection error: /CRYSTAL/OSQL_EXECUTE_QUERY Message: field T0~WERKS unknown"
Trouble Shooting:
In the "where clause" of the internal ABAP code generated for MARC, system is checking for BUKRS - which should not be the expected result
ANYTHING WRONG IN THE SECURITY SETUP ? PLEASE ADVISE
Note: Document "BusinessObjects XI Release 2, Integration Kit for SAP, Installation Guide" does not talk much about this multiple table restriction. Any other document to be referred to ?
I'm not sure how that would help; by using the Faculty_ID Session Variable I can identify the CRN and Term of all courses a faculty member is teaching. But I don't think that has to do with the problem I am having?
-
Row level security in dashboard
Hello Experts,
We have a scenario where in my dev team is designing dashboard based on SAP BW (bex query) via OLAP universe -> Webi reports -> Xcelsius. We need to implement data security(row level) in the dashboard i.e : The user when he sees the dashboard, should see data w.r.t only to his context.
What are the different possible ways to handle such a situation?
Can we use Xcelsius publishing plug in?
Cheers,
AK
Hi Ingo,
Thanks for your reply.
So Xcelusis publishing plug in will not solve my problem right? & I need to have BI authorizations defined in SAP system?
I am having tough time convincing my customer about this.
Thanks
Cheers,
AK -
Applying row-level security to crystal report instance
Hi
we have created crystal reports based on sap r/3 data using open sql driver and imposed row level security and published to BOE.The user when opens report with view on demand can see the data which he is supposed to see.
Is it possible to schedule a single instance of the crystal report and then all the users access the instance and see the data that they are supposed to see.If not what is the other way out.
Thanks in advance.
Kamal
Hi,
I didn't try it so far
but I found this Link:
http://neverknewthat.wordpress.com/2007/11/06/row-level-security-trick-with-crystal-reports/
-> create Instance with full authorization
-> Join CR-Result with Customer-Table: User Authorization
Max -
SAP-BO SSO and Row Level Security
Hi,
We can configure the SAP authentication and able to login InfoView via SAP user name and password. And also, we can import the roles from the SAP system.
When we create a connection to BW cubes from designer, we want to use "Use Single Sign On when refreshing reports at view time" to apply row-level security which is defined at the BW cubes.
In our tests, we use "Use BusinessObjects credential mapping" while creating connection from designer to test the row level security. As you can guess, after importing the SAP user, in CMC screen > Users and Groups > Users, we manually enter the password of the user to the Database credentials part. However, as you can guess, the password of the user's is not static and that is not a good solution.
My question is that, do I need to configure SSO between SAP and BO system or how can I enable row level security?
System Information
Business Objects XI 3.1
SAP Intg. Kit 3.1
Thanks a lot,
Omer
Hi Omer,
please note that only row-level security implemented through authorization variables in BW queries can be used in BusinessObjects. Row-level security defined at cube level will not be applied.
As long as you have used the SAP authentication to log on your BOBJ server, the SAP credentials will be used automatically to get the data from your SAP BW source as long as the "Use Single Sign On when refreshing reports at view time" option is selected in the Database configuration panel (Found in the CMC when viewing the properties of your report) and the option "Use BusinessObjects credential mapping" is selected in your universe connection.
Please note that this will only work for reports that are invoked directly in the infoview. If a user schedules such a report, she/he has to enter her/his SAP credentials explicitly in the Database Configuration Panel appearing in the scheduling assistant window. In this case you can activate SNC trust between your two servers in order to avoid entering a password when the report is scheduled.
Regards,
Stratos
Edited by: Efstratios Karaivazoglou on May 5, 2009 10:16 AM
Edited by: Efstratios Karaivazoglou on May 5, 2009 10:23 AM -
BW Username Variable in query available for Row Level basedAuthorization ?
Hi Authorization- and Bexs-Profs,
I have an Row Level Authorization Model:
The access to the InfoCube data is based on Row Level and on access control definition
data held in an ODS (Table/Data).
The access control definition data held in the ODS describes per BW User which
selection criteria can be read.
I want to build up a MultiProvider with the access control definition ODS and the InfoCube and
restrict in the Query the access control definition with the BW Username.
How can I have access to the BW Username in a BEX Query ?
Thank You a lot !
Martin Sautter
Thanks user10615659 ,
- Yes the variable ROLES available in OBIEE 11.1.1.7.1
- Tested the init block and variables in offline rpd its working as expected.
- In online rpd, except ROLES and GROUP variable remaining variables working fine.
- Verified log file in both online and offline init block testing - the init block execution is successful.
Thanks -
Column level versus row level security in SAP BI
This is a question. Sorry about the terminology clarification but it really does get to a question. Thanks for your patience and help.
There is some confusing terminology among BI users so let me explain terms. The terms appear to have some currency in the BOBJ world.
Row level security = the ability to control access to some data based on the values of a characteristic. Only the data authorized will be selected.
Column level security = the ability to exclude certain characteristics from display by any user.
In SAP BI row level security is managed by analysis authorizations (RSECADMIN).
To the extent of my experience (and I am unable to test it for about a month) column level security can only be managed by authorization object S_RS_IOBJ excluding the infoobject to be controlled with the sub-object DATA).
However my experience is that any query that reads an infoprovider that contains that infoobject will fail. It won't exclude and present to the user all the other infoobjects (i.e. columns).
Is this really so and if so is there any mechanism that can exclude columns without forcing the developer to either design an infoprovider or multicube that excludes the infoobject?
Edited by: Corwin Slack on Dec 14, 2009 2:07 PM
Two things
1. I would prefer not to have to rely on developers to implement a restriction in a query. Then I have to police every query.
2. I am not certain that the authorization isn't checked anyway because the query accesses the cube. (Sorry no test environment available until mid January)
My preference is that any queries that contain this authorization object just bypass displaying the characteristic. My recollection to date is that this isn't what happens. The query fails entirely.
Pl sql row level locking with wait ?
Hi,
I am using oracle 10g.
I am new to Oracle locks. I have two tables Table1(id_no, employee, salary) and Table2(id_no, employee, salary).
I need to pull any requested row from Table1 into Table2 only once on demand. I have a procedure to pull data and there could be more than one requests try to call same procedure to pull a row from Table1 into Table2 at any given time.
I coded below to achieve row level lock. if one transaction gets row level lock on Table1 at 2, so other Transactions should wait till the lock is released at line 2 or 5 to avoid duplicates.
But below code is not working, I am getting duplicates when I call this using two concurrent java threads.
How do I control this concurrency issue so that I can avoid duplicate entries in Table2. Could any one please help?
1.begin
2.select 0 into emp_cnt
3.from Table1 where id=id_no
4.for update;
5.update Table1 set employee='xyz'
6.where id=id_no;
7.select count(*) into table2_cnt from Table2 where id=id_no;
8.if(table2_cnt =0) then
9.code to insert above row from Table1 to Table2;
10.end if;
11.commit;
12.End;
Edited by: 980916 on Jan 9, 2013 5:48 PM
Welcome to the forums and welcome to Oracle.
Let's establish one thing right from the beginning ... the Oracle Database is not a Microsoft product.
There is no general reason to use row level locks, you should not want to use row level locks, you don't need row level locks, and you will almost never have any valid reason to consider row level locks.
That said there are two situations where it may be necessary to lock a row prior to an update or delete (possibly in a merge) and in those cases you want to use the built-in SELECT FOR UPDATE syntax. (Demo here: http://www.morganslibrary.org/reference/deadlocks.html#dlfu). But we should be clear here ... one rarely needs to use this locking mechanism as the chances of a collision in a well designed application are essentially zero.
Also as you are new to Oracle please explore the dynamic performance view V$RESERVED_WORDS and do not name objects, columns, etc. with reserved word names not that there is an excuse in any product to name a column "ID." Something Joe Celko has railed about for decades and a tradition I think we should all follow.
In the case of your posted code example (btw please read the FAQ and learn how to use tags) the solution is SELECT FOR UPDATE if locking can be justified which is unlikely.
Edited by: damorgan on Jan 9, 2013 6:11 PM -
How to get a row level share lock
Is it possible to acquire a row-level share lock, which would do all of the following?
1. Prevent others from updating that row.
2. Allow others to read that row.
3. Allow others to update other rows in the same table.
I have the following scenario where two transactions need to lock each other out:
Set-up:
Insert into TABLE_A(value_a) values ('ok');
Insert into TABLE_B(value_b) values ('ok');
Transaction A:
Select value_b from TABLE_B
If value_b = 'ok', update TABLE_A set value_a = 'not ok'
Transaction B:
Select value_a from TABLE_A
If value_a = 'ok', update TABLE_B set value_b = 'not ok'
If transaction A runs first then the end result is "not ok" only in TABLE_A.
If transaction B runs first then the end result is "not ok" only in TABLE_B.
If the two transactions run concurrently, it is possible to get "not ok" in both tables. This is what I would like to prevent.
One way to get what I want is to use "select for update":
Transaction A:
Select value_a from TABLE_A for update
Select value_b from TABLE_B for update
If value_b = 'ok', update TABLE_A set value_a = 'not ok'
Transaction B:
Select value_a from TABLE_A for update
Select value_b from TABLE_B for update
If value_a = 'ok', update TABLE_B set value_b = 'not ok'
This way both transactions won't perform their update unless they know that the result of their select will still be the same after they commit. However, by using "select for update" Transaction A has gained an exclusive lock on the TABLE_B row. If a Transaction C with the same contents as Transaction A happens concurrently, then the two will block each other even though all they both want is to read data from the same table.
Another way is to use "lock table", however using that would block out not only writes to a specific row, but writes to all rows in the table. (In my example there is only one row, but obviously that's just a simplified example.)
I have looked at the "serializable" isolation level, but that doesn't seem to help because the queries and updates involve more than one table.
I know that "reads don't block writes" is a fundamental part of the Oracle design that makes Oracle what it is, but is there any way I can explicitly make it happen anyway? Or can anyone see some other solution to what I'm trying to achieve?
Let me give a more real-world example to show what I'm talking about.
Imagine a simple bug-reporting OLTP application. Each bug has 3 fields:
1. Description
2. Resolution
3. Status (open/closed)
The application also has some rules:
A. If the Status is "closed", Description and Resolution cannot be changed.
B. In order to change the Status to "closed", both a Description and Resolution must be specified.
Now as long as only one person at a time updates a bug, everything is fine. However, if one person switches the Status to "closed" while another concurrently blanks out the Resolution you end up with a closed bug that has no Resolution. This is why some locking is necessary.
If Description, Resolution, and Status are all stored in the same table row, then it makes sense for each transaction to simply select the whole row FOR UPDATE, and then UPDATE it after it ensures all the rules are passed. However, in my fictional bug-reporting application they are all stored in separate tables. Now, the transaction that is making the change to Resolution could lock the row in the Status table FOR UPDATE (as everyone so far has suggested). Transactions making a similar change to the Description should then also lock the row in the Status table FOR UPDATE for the same reason. The end result of this is that Description changes and Resolution changes lock each other out (can't happen concurrently, are serialized) when they don't need to be. Description changes and Resolution changes don't affect each other, but because they both need to (exclusively) lock the same row, they are serialized.
If there was a way to acquire a share lock on the row in the Status table, then Description and Resolution changes would use that and not affect each other. Status changes would still acquire an exclusive lock on the row, and would be blocked by (and block any further) concurrent Description and Resolution changes. This would be ideal.