Authorization at row level

Similar Messages

• Row Level Security not working for SAP R/3

  Hi Guys
  We have an environment where the details are as mentioned below:
  1. Crystal Reports are created using Open SQL driver to extract data from SAP R/3 using the SAP Integration Kit.
  2. The SAP roles are imported in Business Objects CMC.
  3. Crystal Reports are published on the Enterprise as well.
  3. Authorization objects are created in SAP R/3 and added as required for the row level security as mentioned in the SAP Installation guide as well. The aim is when the user logs into the Infoview and refreshes the report he should only see data that he is meant to so through the authorization objects.The data security works very much fine when the reports are designed directly on the table but when the reports are built on the Business View it doesnt work hence the user is able to see all data.
  Any help in this issue is greatly appreciated.
  Thanks and Regards
  Kamal

  Hi,
  In order for row level security to work for you using the OpenSql driver, you need to configure the Security Definition Editor on your SAP server.  This is a server side tool which the Integration solution for SAP offers as a transport.
  This tool defined which tables are to be restricted based on authorizations.
  However since you are seeing the issue on reports based on Business Views, you need to identify whether the Business View is configured in such a way where the user refreshing the report is based on the user logging into Infoview.  If the connection to your SAP server is always established with the same user when BV is used then you security definition is pointless.
  You can confirm this by tracing your SAP server to identify what user is being used to logon to SAP to refresh the reports.
  thanks
  Mike

• Row level security in Hyperion System 9 - 9.3.1

  Hi Gurus,
  I have a requirement where the users get to see records in a table based on their localization code. This is currently implemented using views.
  The view has a set of conditions which checks the localization table with te employee table. For example, if any of the first manager, second manager etc.. localization code
  matches then they get to see records for that location.
  The RLS in Hyperion uses Groups to assign security rules. But in my case, the determination is dynamic based on the localization code. And these things change depending on employee movement, transfer, promotion etc..
  In such a scenario, can I use RLS only if I know a set Groups of users and where they belong to? Can RLS accomodate my above said requirement?
  z

  Follow the steps in the following link to set up OID and Row level security:
  http://www.rittmanmead.com/2007/05/21/using-initialization-blocks-with-ldap-and-database-queries-to-control-authentication-and-authorization/
  Instructions for the link above:
  1.In place of Edit Data Source as database you have to select LDAP,define the groups and default initializer as filter expression.
  2.A more simpler approach ,is to create the groups explicitely using the Security Manager in BI Administrator, add filters to those groups, and assign users to those groups.
  Otherwise follow Matt's view
  Thanks,
  Amrita

• Row Level security in OLAP universe

  Hi,
  We have a OLAP universe based on a BeX query and we are planning to implement the row level security on it.
  As it is not possible to use the normal @BOUSER in the OLAP universe, what is the way to implement the same?
  Is it possible to have it in the BeX query itself? Any thoughts on this please.
  indus

  Hi,
  right now you can not implement row level security in an OLAP Universe, you need to setup BI Authorizations and use Authorization variables in the query.
  Ingo

• Row level security in Xcelsius through scheduled reports?

  Hi Experts,
  Our requirement is to implement row level security in Xcelsius dashboards from SAP BW source through Bex queries which would have authorization variables. We have seen that these Bex authorization variables work in Webi reports and security is applied appropriately. But do they work in upto Xcelsius as well, if we use Live Office Parameter binding option? If it does, then do we need to create prompts agian in Webi?
  We have also seen that security is applied if we use the BICS (SAP Netweaver native connectivity) option. However our objective is to schedule as many reports as possible in the dashboard to save on report refresh time at run-time, which is not possible is BICS or QAAWS. Therefore the best option for us would have been if we could apply row level security on scheduled reports.
  Can you please advise on the best approach? Your help is greatly appreciated.
  Thanks,
  Sougata

  Since you are using BEx queries as data sources authorization variables is the only way to apply row level security. This will work fine also for XCelsius dashboards that run in the InfoView (in an SAP logon context eg. when the user uses it's SAP credentials to login into the InfoView) and fetch data on-demand over LO from your WebI reports. Just make sure that the underlying webi reports are set to use SSO.
  If you are using scheduled report instances no row level security is applied depending on the context of the user that started the dashboard. XCelsius will get the data that have been saved in the instances. In this case the row level security has been already applied at the moment the report instance was created BUT for the user who scheduled the reports to run.
  Regards,
  Stratos

• Row Level Security in OBIEE using OID as authentication Mechanism

  Hi OBIEE Gurus,
  I am trying to implement Row Level Security in OBIEE . Currently I have setup OBIEE to have OID do the user authentication.
  I want to implement RLS by doing the following :
  1. Have Security Groups defined in OID and assign users with group membership.
  2. Import these Security Groups into OBIEE metadata
  3. Apply filters to these Security Groups
  4. Run Answers requests to see if RLS works or not
  Please let me know if this approach works. If this is not the right way or most efficient way to do this, please let me know if there is any document I can follow to accomplish this.
  Appreciate your help.
  Edited by: drakesh on Sep 26, 2008 7:09 AM

  Follow the steps in the following link to set up OID and Row level security:
  http://www.rittmanmead.com/2007/05/21/using-initialization-blocks-with-ldap-and-database-queries-to-control-authentication-and-authorization/
  Instructions for the link above:
  1.In place of Edit Data Source as database you have to select LDAP,define the groups and default initializer as filter expression.
  2.A more simpler approach ,is to create the groups explicitely using the Security Manager in BI Administrator, add filters to those groups, and assign users to those groups.
  Otherwise follow Matt's view
  Thanks,
  Amrita

• How to Apply Row level restrictions On objects

  Hi All,
  I am working on universe designer(BO 3.1) .....
  I would like to apply row level restrictions on a cloumn of table based on the user who is running the report .
  can any one please help me on this..
  Thanks in Advance.............

  Hi
  Universe access and row-level security can also be managed at the group or individual user level from within the design environment.
  Find the below video row level restrictions
  http://www.youtube.com/watch?v=6yM0OLK6QlI
  Create a data security profile that restricts access to specific rows: Information design tool 4.x - YouTube
  Implementing row level security in IDT using Data Security Profile
  And You cannot set row-level security authorizations in an OLAP universe.
  User security can be defined at the most granular level for the following content objects.
  Folders and sub-folders
  Reports
  Categories
  Events
  Program Files
  Publications

• Crystal Reports - ECC Tables - Row level security on Multiple tables

  Hi Experts,
  We are implementing Crystal Reports directly reporting on ECC Tables.  Lot of information on row-level security has been provided by experts Ingo Hilgefort, Don Williamsand Mike Seblani, but not related to multiple tables or Wild cards
  Requirement:
  Crystal Users should have access to ALL the tables in ECC, but restricted by Company code, plant, Sales Organization, Purchasing Organization fields to what ever table it applies to. Example: MARC table should be restricted by Plant, BSEG table should be restricted by Plant and company code, GLT0 table should be restricted by Company code..etc
  Users should ONLY see their Organization related data.
  Solution Developed:
  1. We created custom authorization object with BUKRS and WERKS
  2. In  /CRYSTAL/RLS  we used Wild Cards *, +  rather than specific table  and referenced the custom authorization object with =BUKRS and =WERKS  in the Field Value
  3. Enabled global lock
  4. Custom Authorization object was added to user-profiles with corresponding restrictions
  *Observation:*
  1. This security works when a crystal report was developed on a ECC table which has both BUKRS and WERKS
  2. This setup DOES NOT work when a crystal report developed on a table with either one of BUKRS or WERKS
      Example: Does not work on MARC table - error message "Database connection error: /CRYSTAL/OSQL_EXECUTE_QUERY Message: field T0~BUKRS" unknown"
     Does not work on GLT0 table - error message "Database connection error: /CRYSTAL/OSQL_EXECUTE_QUERY Message: field T0~WERKS unknown"
  Trouble Shooting:
  In the "where clause" of the internal ABAP code generated for MARC, system is checking for BUKRS - which  should not be the expected result
  ANYTHING WRONG IN THE SECURITY SETUP ? PLEASE ADVICE
  Note: Document "BusinessObjects XI Release 2, Integration Kit for SAP, Installation Guide" does not talk much about this multiple table restriction. Any other document to be referred to ?

  I'm not sure how that would help; by using the Faculty_ID Session Variable I can identify the CRN and Term of all courses a faculty member is teaching. But I don't think that has to do with the problem I am having?

• Row  level security in dashboard

  Hello Experts,
  We have a scenario where in my dev team is designing dashboard based on SAP BW (bex query) via OLAP universe -> Webi reports ->  Xcelsius. We need to implement data security(row level) in the dashboard i.e : The user when he sees the dashboard, should see data w.r.t only to his context.
  What are the different possible ways to handle such a situation?
  Can we use Xcelsius publishing plug in?
  Cheers,
  AK

  Hi Ingo,
  Thanks for your reply.
  So Xcelusis publishing plug in will not solve my problem right?  & I need to have BI authorizations defined in SAP system?
  I am having tough time convincing my customer about this.
  Thanks
  Cheers,
  AK

• Applying row-level security to crystal report instance

  Hi
  we have created crystal reports based on sap r/3 data using open sql driver and imposed row level security and published to BOE.The user when opens report with view on demand can see the data which he is supposed to see.
  Is it possible to schedule a single instance of the crystal report and then all the users access the instance and see the data that they are supposed to see.If not what is the other way out.
  Thanks in advance.
  Kamal

  Hi,
  I didn't try it so far
  but I found this Link:
  http://neverknewthat.wordpress.com/2007/11/06/row-level-security-trick-with-crystal-reports/
  -> create Instance with full authorization
  -> Join CR-Result with Customer-Table: User Authorization
  Max

• SAP-BO SSO and Row Level Security

  Hi,
  We can configure the SAP authentication and able to login InfoView via SAP user name and password. And also, we can import the roles from the SAP system.
  When we create a connection to BW cubes from designer, we want to use "Use Single Sign On when refreshing reports at view time" to apply row-level security which is defined at the BW cubes.
  In our tests, we use "Use BusinessObjects credential mapping" while creating connection from designer to test the row level security. As you can guess, after importing the SAP user, in CMC screen > Users and Groups > Users, we manually enter the password of the user to the Database credentials part. However, as you can guess, the password of the user's is not static and that is not a good solution.
  My question is that, do I need to configure SSO between SAP and BO system or how can I enable row level security?
  System Information
  Business Objects XI 3.1
  SAP Intg. Kit 3.1
  Thanks a lot,
  Omer

  Hi Omer,
  please note that only row-level security implemented through authorization variables in BW queries can be used in BusinessObjects. Row-level security defined at cube level will not be applied.
  As long as you have used the SAP authentication to log on your BOBJ server, the SAP credentials will be used automatically to get the data from your SAP BW source as long as the "Use Single Sign On when refreshing reports at view time" option  is selected in the Database configuration panel (Found in the CMC when viewing the properties of your report) and the option "Use BusinessObjects credential mapping" is selected in your universe connection.
  Please note that this will only work for reports that are invoked directly in the infoview. If a user schedules such a report, she/he has to enter her/his SAP credentials explicitely in the Database Configuration Panel appearing in the scheduling assistant window. In this case you can activate SNC trust between your two servers in order to avoid entering a password when the report is scheduled.
  Regards,
  Stratos
  Edited by: Efstratios Karaivazoglou on May 5, 2009 10:16 AM
  Edited by: Efstratios Karaivazoglou on May 5, 2009 10:23 AM

• BW Username Variable in query available for  Row Level basedAuthorization ?

  Hi Authorization- and Bexs-Profs,
  I have an Row Level Authorization Model:
  The acces to the InfoCube data is based on Row Level and on access control definition
  data hold in an ODS ( Table/Data).
  The access control definition data hold in the  ODS descibes per BW User which
  selection citeria can be read.
  I want  to build up a MultiProvider with the access control definition ODS and the InfoCube and
  restrict in the Query the access control definition with the BW Username.
  How can I have access to the BW Username in a BEX Query ?
  Thank You a lot !
  Martin Sautter

  Thanks user10615659     ,
  - Yes the variable ROLES available in OBIEE 11.1.1.7.1
  - Tested the init block and variables in offline rpd its working as expected.
  - In online rpd, except ROLES and GROUP variable remaining variables working fine.
  - Verified log file in both online and offline init block testing - the init block execution is successful.
  Thanks

• Column level versus row level security in SAP BI

  This is a question. Sorry about the terminology clarification but it really does get to a question. Thanks for your patience and help.
  There is some confusing terminology among BI users so let me explain terms. The terms appear to have some currency in the BOBJ world.
  Row level security = the ability to control access to some data based on the values of a characteristic. Only the data authorized will be selected.
  Column level security = the ability to exclude certain characteristics from display by any user.
  In SAP BI row level security is managed by analysis authorizations (RSECADMIN).
  To the extent of my experience (and I am unable to test it for about a month) column level security can only be managed by authorization object S_RS_IOBJ excluding the infoobject to be controlled with the sub-object DATA).
  However my experience is that any query that reads an infoprovider that contains that infoobject will fail. It won't exclude and present to the user all the other infoobjects (i.e. columns).
  Is this really so and if so is there any mechanism that can exclude columns without forcing the developer to either design an infoprovider or multicube that excludes the infoobject?
  Edited by: Corwin Slack on Dec 14, 2009 2:07 PM

  Two things
  1. I would prefer not to have to rely on developers to implement a restriction in a query. Then I have to police every query.
  2. I am not certain that the authorization isn't checked anyway because the query accesses the cube. (Sorry no test environment available until mid January)
  My preference is that any queries that contain this authorization object just bypass the displaying the characteristic. My frecollection to date is that this isn't what happens. The query fails entirely.

• Pl sql row level locking with wait ?

  Hi,
  I am using oracle 10g.
  I am new to Oracle locks. I have two tables Table1(id_no, employee, salary) and Table2(id_no, employee, salary).
  I need to pull any requested row from Table1 into Table2 only once on demand. I have a procedure to pull data and there could be more than one requests try to call same procedure to pull a row from Table1 into Table2 at any given time.
  I coded below to achieve row level lock. if one transaction gets row level lock on Table1 at 2, so other Transactions should wait till the lock is released at line 2 or 5 to avoid duplicates.
  But below code is not working, I am getting duplicates when I call this using two concurrent java threads.
  How do I control this concurrency issue so that I can avoid duplicate entries in Table2. Could any one please help?
  1.begin
  2.select 0 into emp_cnt
  3.from Table1 where id=id_no
  4.for update;
  5.update Table1 set employee='xyz'
  6.where id=id_no;
  7.select count(*) into table2_cnt from Table2 where id=id_no;
  8.if(table2_cnt =0) then
  9.code to insert above row from Table1 to Table2;
  10.end if;
  11.commit;
  12.End;
  Edited by: 980916 on Jan 9, 2013 5:48 PM

  Welcome to the forums and welcome to Oracle.
  Lets establish one thing right from the beginning ... the Oracle Database is not a Microsoft product.
  There is no general reason to use row level locks, you should not want to use row level locks, you don't need row level locks, and you will almost never have any valid reason to consider row level locks.
  That said there are two situations were it may be necessary to lock a row prior to an update or delete (possibly in a merge) and in those cases you want to use the built-in SELECT FOR UPDATE syntax. (Demo here: http://www.morganslibrary.org/reference/deadlocks.html#dlfu). But we should be clear here ... one rarely needs to use this locking mechanism as the chances of a collision in a well designed application are essentially zero.
  Also as you are new to Oracle please explore the dynamic performance view V$RESERVED_WORDS and do not name objects, columns, etc. with reserved word names not that there is an excuse in any product to name a column "ID." Something Joe Celko has railed about for decades and a tradition I think we should all follow.
  In the case of your posted code example (btw please read the FAQ and learn how to use tags) the solution is SELECT FOR UPDATE if locking can be justified which is unlikely.
  Edited by: damorgan on Jan 9, 2013 6:11 PM                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       

• How to get a row level share lock

  Is it possible to acquire a row-level share lock, which would do all of the following?
  1. Prevent others from updating that row.
  2. Allow others to read that row.
  3. Allow others to update other rows in the same table.
  I have the following scenario where two transactions need to lock eachother out:
  Set-up:
  Insert into TABLE_A(value_a) values ('ok');
  Insert into TABLE_B(value_b) values ('ok');
  Transaction A:
  Select value_b from TABLE_B
  If value_b = 'ok', update TABLE_A set value_a = 'not ok'
  Transaction B:
  Select value_a from TABLE_A
  If value_a = 'ok', update TABLE_B set value_b = 'not ok'
  If transaction A runs first then the end result is "not ok" only in TABLE_A.
  If transaction B runs first then the end result is "not ok" only in TABLE_B.
  If the two transactions run concurrently, it is possible to get "not ok" in both tables. This is what I would like to prevent.
  One way to get what I want is to use "select for update":
  Transaction A:
  Select value_a from TABLE_A for update
  Select value_b from TABLE_B for update
  If value_b = 'ok', update TABLE_A set value_a = 'not ok'
  Transaction B:
  Select value_a from TABLE_A for update
  Select value_b from TABLE_B for update
  If value_b = 'ok', update TABLE_B set value_a = 'not ok'
  This way both transactions won't perform their update unless they know that the result if their select will still be the same after they commit. However, by using "select for update" Transaction A has gained an exclusive lock on the TABLE_B row. If a Transaction C with the same contents as Transaction A happens concurrently, then the two will block eachother even though all they both want is to read data from the same table.
  Another way is to use "lock table", however using that would block out not only writes to a specific row, but writes to all rows in the table. (In my example there is only one row, but obviously that's just a simplified example.)
  I have looked at the "serializable" isolation level, but that doesn't seem to help because the queries and updates involve more than one table.
  I know that "reads don't block writes" is a fundamental part of the Oracle design that makes Oracle what it is, but is there any way I can explicitly make it happen anyway? Or can anyone see some other solution to what I'm trying to achieve?

  Let me give a more real-world example to show what I'm talking about.
  Imagine a simple bug-reporting OLTP application. Each bug has 3 fields:
  1. Description
  2. Resolution
  3. Status (open/closed)
  The application also has some rules:
  A. If the Status is "closed", Description and Resolution cannot be changed.
  B. In order to change the Status to "closed", both a Description and Resolution must be specified.
  Now as long as only one person at a time updates a bug, everything is fine. However, if one person switches the Status to "closed" while another concurrently blanks out the Resolution you end up with a closed bug that has no Resolution. This is why some locking is necessary.
  If Description, Resolution, and Status are all stored in the same table row, then it makes sense for each transaction to simply select the whole row FOR UPDATE, and then UPDATE it after it ensures all the rules are passed. However, in my fictional bug-reporting application they are all stored in separate tables. Now, the transaction that is making the change to Resolution could lock the row in the Status table FOR UPDATE (as everyone so far has suggested). Transactions making a similar change to the Description should then also lock the row in the Status table FOR UPDATE for the same reason. The end result of this is that Description changes and Resolution changes lock eachother out (can't happen concurrently, are serialized) when they don't need to be. Description changes and Resolution changes don't affect eachother, but because they both need to (exclusively) lock the same row, they are serialized.
  If there was a way to acquire a share lock on the row in the Status table, then Description and Resolution changes would use that and not affect eachother. Status changes would still acquire an exclusive lock on the row, and would be blocked by (and block any further) concurrent Description and Resolution changes. This would be ideal.