BI Data Access Set-based security

Hi,
My client is using EBS security feature “Data Access Set” for segment security. I'm looking for a tech note to implement this type of security from the OBIEE/OBIA side.
Any pointers on this topic would be very much appreciated,
Tarik Bouaziz.
Environment: OBIEE 11.1.1.5.0 on Solaris Sparc64, OBIA 7.9.6.3, EBS 12.1.3

Tarik,
If I'm not mistaken, the "Data Access Set" security on EBS 12 is based on the Ledger-Based Security in OBIA (2.6.4 Ledger-Based Security for Oracle EBS).
Gurus, please confirm.
Hope it helps,
Benoît

Similar Messages

  • RBAC / Role Based Security Set Up in R12

    We are working with a 3rd party consulting organization to implement Role Based Access Control in E-Business Suite R12. We have approximately 50 users and 35 responsibilities today and are currently in the process of designing our role based security set up. In advance of this the consulting company has provided us with effort estimates to cutover from the current responsibility structure to RBAC. We are told this must be done while all users are off the system. The downtime impact to the business is very high, especially considering our small user base.
    With RBAC cutover downtime estimates such as these I can't understand how any company larger than ours could go live with it?
    Does anyone have previous Role Based Access Control implementation experience in EBS R11i or R12 and could provide some insight on their experience and recommendations, best practice for cutover to mitigate impacts to the business as we cannot accept the 90 hours of downtime outlined by the consulting company below?
    Disable users old assignments:
    *12.00 hours*
    Disable Responsibilities targeted for the elimination:
    *12.00 hours*
    Disable Responsibilities targeted for the elimination:
    *16.00 hours*
    Setup OUM options and profiles:
    *6.00 hours*
    Setup Roles and Hierarchies:
    *14.00 hours*
    Grant Permissions:
    *12.00 hours*
    Setup Functional Security and disable the obsolete responsibilities:
    *12.00 hours*
    Setup Data Security and disable the obsolete data accesses:
    *6.00 hours*
    Total *90 hours*
    Note - all activities must be performed sequentially
    Any advice or experiences you could share would be extremely valuable for us. Thank you for taking the time in advance to review & respond.

    On Srini's comments "Creating Roles.. will have to be done manually "... I would like to know whether the same approach will be followed for the PRODUCTION instance also. Say we need to create 35 responsibilities and 50 roles, should this be done manually in PRODUCTION?
    I have not worked on this but I know that in my previous company this was done using scripts. Need to find more on this.

  • Securing Data Access In Same Schema

    Dear All Experts,
    Please guide us to Securing the Data Access In Same Schema in Oracle Forms & Reports.
    Currently our application (Based on Oracle Forms , DB & AS 10g) is running for 6 COMPANIES in same schema. All the 6 COMPANY's employee can access the other COMPANY's Data.
    Please give us any idea to Secure the Data Access as we want that if any Employee has the Rights of one or two COMPANIES then he can only access the data of those companies instead of all the companies.
    How can we get it using same Oracle Form & Reports...?
    Please guide....
    Thanks
    Eidy

    Hello,
    Did you check out the Virtual Private Database feature?
    Francois

  • Setting a secure zone expiry date beyond the invoice date.

    Is it possible to set the secure zone expiry date later than the invoice date? We're just looking at a way to let our members continue to have access for say 1 week after an invoice has failed so that they can log in and update their credit card details, possibly without seeing the 'access expired' message.
    I've seen this behaviour on a site before, but I think that may have had something to do with the fact that it was a weekly membership site and that the invoices were already generated.
    Cheers
    Pat

    Hey Gaurav,
    This is for a monthly recurring subscription. What I was thinking was that if for example a user signed up on the 1st of the month that their SZ access expires on the 8th of the next month, but the invoice is still issued and paid on the 1st of the following month, and when the invoice is successfully paid the SZ access gets extended till the 8th of the next month - now that I've written it out like that I'm pretty sure this isn't possible, unless there is some setting that dev can see in the backend?
    Pat

  • How do you set a security password to control access to an external hard drive?

    how do you set a security password to control access to an external hard drive?

    The only way to reliably protect data, especially on an external hard drive, is to encrypt it.  Permissions don't have to be respected.  One way to encrypt data is to create an encrypted sparse bundle disk image with Disk Utility.  See:
    http://support.apple.com/kb/HT1578
    (Be sure to use the 256-bit encryption.)
    Alternately, you could use some whole-disk encryption, though I have no experience with any of the software for doing that.  You could try the following:
    http://www.truecrypt.org/
    I don't know that I would recommend the product being advertised inappropriately by keynesis.

  • Can Data Links be established between Data sets based on View Objects?

    Hi all,
    In the BI Publisher Documentation it's given that Datasets based on view object queries do not support Data Links / Group Links. We found out that only way to establish relationship between view object Datasets is to create a view link and then upload it to create a Dataset.
    1. Is there any other way to establish relationship between view objects Datasets in DataModel editor itself just as in the case of data sets based on (SQL queries e.t.c.)?
    2. If so can View object Datasets be linked to Datasets based on other Datasources?
    3. Will the Datalinks for View object Datasets be supported in any of the upcoming releases. Is there any ER logged for this case?
    Any insight on the above issues will be really helpful.
    Thanks

    Enhance the data source with date and time and populate these fields in the user exit using the function module IB_CONVERT_FROM_TIMESTAMP .
    OR
    You can create Z function module IB_CONVERT_FROM_TIMESTAMP in BW side and write a routine in update rules/transfer rules to populate date and time.
    hope this helps ...
    Ravi

  • How can I access my son's laptop computer to set up security if I don't know his password?

    How can I access my son's laptop computer to set up security if I don't know his password?

    If you have your own admin account on his computer, then you don't need to access his account.  However, what type of security do you mean?  If you mean network security then that is done in the router, not the computer.  If you are referring to Parental Controls those need to be configured via an admin account - either his or yours.

  • Data Access Service is unable to log audit events to the security event log

    Hi,
    Scenario: SCOM 2012 R2 UR4. (Windows 2012 R2)
    Today SCOM have generated 4 alerts Data Access Service is unable to log audit events to the security event log.
    The service account for "System Center Data Access Service" service is "Local System".
    The users at "Generate security audits" are: LOCAL SERVICE and NETWORK SERVICE.
    The question is:
    how to resolve this alert? (Where look for to obtain more information to resolve this problem)
    Thanks in advance!

    The Local System account is different from the Local Service account. For a detailed description of these accounts, please refer to:
    LocalService Account
    http://msdn.microsoft.com/en-us/library/windows/desktop/ms684188(v=vs.85).aspx
    LocalSystem Account
    http://msdn.microsoft.com/en-us/library/windows/desktop/ms684190(v=vs.85).aspx
    Generate security audits, which is under Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment of Group policy, determines which accounts can be used by a process to add entries to the security log. This user right is defined in the Default Domain Controller Group Policy object (GPO) and in the local security policy of workstations and servers. By default, only the LocalSystem account has the privilege to be used by processes to generate security audits.
    To identify the SDK account:
    1) Open services.msc
    2) From the System Center Data Access Service, you can see the SDK "Log On As" account
    Roger

  • Problem with FC security when data restrictions are based on RU dimension

    Dear Sirs,
    The data access restrictions for users in our system are configured so that a reporting unit's data can be accessed only by users that are responsible for the ancestor's data based on the RU hierarchy (restriction by RU dimension in data analysis).
    When a reporting unit is moved in the hierarchy from one parent to another, the old ancestor can't access its data, as only the new ancestor does. But in that case we have a very big problem, as users can't build the old ancestor's consolidated reports for previous periods - they are incorrect since RU dimension access is restricted for all periods.
    Are there any ideas how the issue can be solved?

    Dear Egle,
    Indeed, the historical data within the reports will not be accessible after the data analysis modifications and this is the normal behavior of BO Financial Consolidation.
    Please note that an enhancement request was escalated to allow users to belong to more than one Data Access Group. This enhancement is referenced under the reference ADAPT01028492 (for more information, you can refer to the SAP Note 1405946 - BOFC - Allowing multiple Data Access Groups).
    This new feature is not implemented yet in Financial Consolidation and the current workaround is to create 2, 3 or 4 users for the same person.
    However, this workaround will oblige users to disconnect/reconnect many times or open more than one session to apply necessary changes on BO Financial Consolidation.
    If this request is quite important for you, we recommend you to enter this enhancement in our new site (Idea Place): https://ideas.sap.com. Indeed, SAP has defined a new process and a new tool that is now available to customers which allow them to log Enhancement Requests themselves and have the ability to work more directly with our technology and Development group.
    If the request sent by the customer is pertinent and voted by 10 other customers at minimum, the Enhancement Request will be probably accepted by the Product Group (to have more information about this new process, you can refer to the SAP note 1515837 - NEW Enhancement Request Process - "Idea Place").
    Let me know if you will need further details.
    Best regards,
    Emna.

  • E63 Packet data Access point set to None? What hap...

    What happens when Packet Data>Access point is set to None (blank)? I tried to tether with my phone and I was connected to the internet for a moment. Checked my IP and it turns out it's through my mobile phone company's subnet.
    However via the Bluetooth DUN setup on my computer I specified a computer and login information which it seemed to ignore? Can anyone explain this strange situation?
    The phone I'm using is an E63 GSM phone.

    That will work. You only need to change it if you need to have always on (highly unlikely) or if you are using modem dial up and need to specify an access point for that.
    If you are using Nokia One Touch access then you don't even need to define an access point in this menu as that application will take care of it for you.
    All other network aware applications will use access point settings as defined in settings menu.

  • PPC Mini running 10.4.11 unable to access urls based on Javascript.  Software up to date.  Cannot find where to verify if JavaScript turned off.

    PPC Mini running 10.4.11 unable to access urls based on Javascript, get "Javascript void" at bottom of window..  Software up to date.  Cannot find where to verify if JavaScript turned off.

    I guess I verified this in following earlier IIIasss recommendations (whom I will respond to in detail after this).
    I have used Firefox (cookies deleted after each session) successfully with this site (Zinni Optical), but something has changed over the last year and a half and, to my knowledge it isn't on my end.  When I get response at all, and try to navigate to "My Favorites, etc., and nothing happens for a while, I try to refresh, only to get a "stopped" message with a blank screen.
    Tried Safari and Internet Explorer browsers (all I presently have installed) without success.  May go back to TenFourFox (which had its own weirdness over time, which is why I uninstalled it).  Don't know latest versions compatible with 10.4.11 of Safari (but Software update is satisfied I'm up to date) or Internet Explorer.
    I'm out in the sticks using a Verizon (Novatel) MiFi in a metal building, and so require a Wilson external antenna, lightning arrestor, signal amplifier and inside rebroadcast antenna to boost cell phone signal from one to four bars.  Hope I get similar boost for wireless-Airport connection, understand that is different frequency, but also boosted.
    The site for the bank I do WebBillpay with has had a minor change...no longer do I get the option to sign off (six months to a year ago), otherwise, fine.

  • Data Access control in J2EE technologies/apps

    Hi Guys,
    I am working on a project that requires that I implement a mechanism for controlling data access to the content that is displayed on the pages of a Struts based web application.
    First off to clarify, I am not referring to the ability for different users to log on to a specific page and or view specific pages. That is a different type of access control. I am more interested in the "Data Access" i.e. where multiple users can view the same page but the data that is displayed depends on the data access control privileges they have.
    I am interested to know of the different approaches/frameworks out there for implementing "data access" control. Is there a framework out there for this kind of thing?
    I'm thinking that to do this the controls/privileges need to be configured (i.e. data access categories, users etc) somewhere, probably in the database. The rules can get quite complicated so I'm wondering whether there is already a framework that I can use to accomplish this rather than implementing it from scratch.
    Thinking about how it will work, the rules that govern the access are very specific to our business domain so I am not really sure whether there is any third party framework that I can use that is very generic and will allow the rules to be configured.
    Thanks

    You are right, access control is very application dependent, and is therefore not a good target to turn into a generic framework.
    In my opinion the king of security frameworks is Spring Security, so you could take a look at that.
    http://static.springsource.org/spring-security/site/
    Other than that, I have used a simple setup using JavaServer Faces. I had a user bean with a set of boolean flags indicating the user's capabilities (directly mapped to a database table) and in the components I would have rendered="#{user.userRole}" attributes where necessary, to conditionally switch off elements when the user wasn't allowed to see it, in some cases rendering a readonly view instead.
    It's a chore to test, but quite easy to maintain and to read IMO.

  • RBAC ISE 1.2 Data Access Permissions

    Hello,
    We are trying to configure ISE 1.2 patch 7 RBAC profiles.
    The idea is that regional admins can only manage their users.
    Under User Identity Groups we have several groups for example:
    UK-Users
    Brazil-Users
    Russia-Users
    Each identity is then added to the correct group based on their location / country.
    We also have a UK-Admin group that contains the UK admins.
    Next I create the permissions and policy...
    We have a Menu access permission (Identity Menu Access) that only allows the access to Administration > Identity Management.
    We then configure a Data access permission (UK Data Access) that only allows access to User Identity Groups > UK-Users.
    Next I set a policy that says UK-Admin group can only access (Identity Menu + UK Data).
    Then test...
    I create a user and add them to the UK-Admins group.
    When I login as a UK admin I can see all the data across all user identity groups.
    I would expect to only see the users in the UK-Users group, but I don't!
    Confused.

    Please refer to "Role-Based Permissions" from
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_man_admin.html#62254

    | Data Access Name | RBAC Group | Permissible Admin Groups | Permissible Network Device Groups |
    | --- | --- | --- | --- |
    | Super Admin Data Access | Super Admin | Admin Groups, User Identity Groups, Endpoint Identity Groups | All Locations, All Device Types |
    | Policy Admin Data Access | Policy Admin | User Identity Groups, Endpoint Identity Groups | None |
    | Identity Admin Data Access | Identity Admin | User Identity Groups, Endpoint Identity Groups | None |
    | Network Admin Data Access | Network Device Admin | None | All Locations, All Device Types |
    | System Admin Data Access | System Admin | Admin Groups | None |
    | RBAC Admin Data Access | RBAC Admin | Admin Groups | None |

  • Website needs Microsoft Data Access - Active X Data Objects

    I have a number of websites for work that seem to be built around Internet Explorer. When I try to open them on my Mac at home with Safari, I get the message that I pasted below.
    I'm thinking this might be related to the fact that when I open them on a PC for the first time it shows a similar message, but Internet Explorer prompts me to download and run "Microsoft Data Access - Active X Data Objects", and then it runs fine.
    Based on this I'm assuming it's a lack of these "objects" that are causing this problem. Is there any equivalent to these components for the Mac? Anything I can try to access these websites from my Mac? I've tried using Firefox as well, which has the exact same issue.
    Right now I've got to fire up my 2006 PC laptop to use Internet Explorer every time I need access to these sites. I realize I could install windows on my Mac with bootcamp and restart in windows every time I need access, but that seems like a waste just to visit 2 websites. Any advice?
    +"Scanning Required components...+
    +The user's Internet browser requires proper configuration to access our site. Read the following instructions on how to set up the browser properly.+
    +Active Scripting Configuration:+
    +Select Tools from the Internet Explorer menu bar.+
    +Select Internet Options ...+
    +Select the Security tab.+
    +In the Web Content Zone list, select «Internet».+
    +Click Custom level....+
    +In the Settings list, scroll down to the Scripting section.+
    +Check the Enable option under the «Active scripting» item and click OK.+
    +Click Yes to confirm the change in the security settings.+
    +In the Internet Options dialog box, select the «Local intranet» and repeat steps 5 to 8.+
    +Click OK to close the dialog box."+

    Hi,
    Try this...
    From your Safari menu bar click Safari / Preferences then select the Advanced tab. Enable the develop menu.
    In the menu bar click Develop / User Agent.
    Try IE 8, 7, or 6.
    No guarantees but can't hurt to try. ActiveX requires Windows.........
    Carolyn

  • N80: WLAN problem: "Define access pts. for secure ...

    Nokia N80 (black)
    Firmware: 3.0617.0.6
    I have problems getting on the WLAN. Here is a step-by-step description of what I do:
    First:
    1) "Connect." -> "Conn. mgr" -> "Availab. WLAN"
    2) Mark "HQ" WLAN
    3) "Options" -> "Define access point"
    4) Answer "Yes" to "Define internet access point for WLAN network "HQ"?
    5) Get the message: "Define access pts. for secure WLAN networks in 'Access points' in conn. settings."
    Then:
    6) "Tools" -> "Settings" -> "Connection" -> "Access points"
    7) "Options" -> "New access point" -> "Use default settings"
    8) Write "HQ" in the "Connection name" field.
    9) "Data bearer": "Wireless LAN"
    10) "WLAN netw. name": "HQ"
    11) "Network status": "Public"
    12) "WLAN netw. mode": "Infrastructure"
    13) "WLAN security mode": "WPA/WPA2" (the WLAN is using "WPA-PSK")
    14) "WLAN security settings" sub-menu:
    - "WPA mode": "Pre-shared key"
    - "Pre-shared key": the correct one (verified with laptop connection)
    - "TKIP encryption": I have tried both "Allowed" and "Not allowed".
    15) Homepage: "None".
    When I go back and go through steps 1-5 again, I get the exact same message.
    What am I doing wrong? Can someone please give me a _really_ detailed step-by-step guide for how to do this?
    I have been able to use gcalsync (www.gcalsync.com) with the same "HQ" WLAN, but then it is gcalsync that asks for SSID and key. So: The WLAN works, I just don't understand how to set it up.
    I will be very, very grateful if someone can help me with this. Thank you.

    Hi Chrlov,
    An example of my set up based on my old Linksys router.
    1. Go to Menu > Tools > Settings > Connection > Access points.
    2. Select Options > New access point > Use default settings.
    3. Give a name to 'Connection name'. In my case, 'Home WLAN'.
    4. Change 'Data bearer' to 'Wireless LAN'.
    5. Change 'WLAN netw. name' to the SSID I had set up on my Linksys router. In my case, some thing like 'gen1xxxxhomewireless' (this is not the real one, censored by me. LOL)
    6. Since my SSID is hidden, I change 'Network status' to 'Hidden'.
    7. My Linksys had WEP set up (and that it is permanent). So I leave 'WLAN netw. mode' and 'WLAN security mode' as 'Infrastructure' and 'WEP' respectively.
    8. I set up WEP security settings in 'WLAN security sett.'
    a. Since I'm using key 3, I change 'WEP key in use' to '#3'.
    b. I leave 'Authentication type' as the default of 'Open'.
    c. I key in all 4 keys in 'WEP key settings'. Since I'm using 64-bit hexadecimal key, I set 'WEP encryption' to '64 bits' and 'WEP key format' to 'Hexadecimal'.
    Hope this is a good reference.
    Good luck and cheers. ^_^;
