BIP Security - Datamodel level

Similar Messages

• BIP Security - Data Level Security / Init Blocks

  Hello, I am using BIP 11.1.1.5. I am aware that in OBIEE data-level security can be implemented by placing permissions on a application role. However, I am wondering if this can be accomplished in BIP if I use a BI Analysis or SQL as the datasource for my data model. I have a catalog of 100 BIP reports and was wondering if I can implemented data-level security via the RPD. I am exploring the various options of executing this type of security. I already performed some research and found Oracle's whitepaper on Row Level Security with BI Publisher.
  Another Question: Does session init blocks work with BIP? I flipped the switch for BIP security model to 'Oracle BI Server' on the Admin security page. Next, I went to the RPD in online mode and created a simple query inside a init block. However, when I logged into BIP I didn't see the variable from the session init block in the Manage Sessions window.
  Thanks

  Look at the below link..It has three options. this one is from veeravalli I believe..I personally like the second option if there are not many reports to work with.
  cool-bi.com

• Object Level Security,Data Level Security&Row level Security

  can anyone explain main difference between "Object Level Security,Data Level Security & Row Level Security " and how to implement.
  Thanks in advance,
  Kumar

  Hi Kumar
  Dashboards, Reports, Guided Navigation Links, Texts, briefing books are all Dashboard OBJECTS which are available at UI level of OBIEE..if you restrict them Say User 'A' wants to see 2 Dashboards and USer 'B' Wants to see 1 Dashboard....these settings & permission u r restricting in Object level called Object Level Security
  lly datalevel security is restriction of Data.. consider the same above example and User 'B" wants to see 2-3 regions data where as User A will see only Single Region Data..which you will do/restrict at logical tables, using variables..
  Row level security: http://groups.google.com/group/obiee-enterprise-methodology/browse_thread/thread/131ee938a5aefde0 refer this link, clearly explains you
  Please mark Correct or helpful if this clears

• BIP security

  Hi,
  I'm using BIEE11.1.1.6.
  then I faced a problem about BIP security.
  I using init session block to control user login to BIEE.
  there users stored in db can login BIEE,but can't login BIP.
  one user has BIAdministrator role also can't login BIP.
  then I do a test ,use 'weblogic' that was created in weblogic console,
  it can login the BIP.
  I found that user in db can't login BIP,users in  weblogic console can login BIP.
  anyone know why??
  thank you in advance.

  Hi,
  Can you tell me how to create the XMLP_ responsibilities in the e-Business Suite and assigned them to some users?
  I am not sure how to create them.
  Thanks,
  Preeja

• Unable To Change Security/Privacy Level Settings

  I have a MacBook Pro running 10.5.1 (ran the latest updates). When I launch iChat 4.0, I can't add buddies, I can't show status in the menu bar nor (and the most important), I can't set my Security Privacy level. My entire Security window has every selection grayed out. None of the Privacy Level radio buttons are selected which means I can't see any of my buddies online. My buddies are listed and it shows my account available but that's it. I've already deleted all the apple.ichat prefs, rebooted (and relaunched) and tried changing the settings both logged in and off. Help! I need a fix please. Thanks.
  Mike

  Hi,
  I have a theory.
  I have no hard evidence.
  But....
  The firewall in 10.5 was reported as not working properly and if Set to Specific apps was in fact Allowing All
  Now you are updated to 10.5.1
  I have a suspicion that if left at the 10.5 setting the firewall is not properly updated.
  Your symptoms suggest you are not logged into AIM fully/properly as the Security tab is only active when you are logged in.
  I would do the following.
  Use the Logout of AIM item in the iChat Menu list.
  Quit iChat as this tends to rebuild the iChat .plists on closing.
  I would go to the Mac Firewall and set it to Allow All (if different)
  I would then Set it to All Specific and restart iChat.
  If this fails remove iChatAgent from the allow list and Quit iChat and restart it which should put iChatAgent back in the firewall list.
  If this does not work I would delete all apps from the Mac Firewall - set it to Allow All and then back again and add iChat and allow it to add iChatAgent.
  If this still fails I would then delete the com.apple.ichat.AIM.plist that hold the AIM login as there is still the possibility it is corrupt but may need the firewall sorted first.
  Summary.
  I am suggesting it is a set of circumstances that may need a specific approach to sort and are asking you to test this out.
  In essence this is to reset the firewall and possibly delete the .plist involved.
  8:51 PM Friday; December 7, 2007

• Current security patch level

  I need to check at least 15 databases for current security path level and I suspect no patches were applied at all. But not sure how to check
  Is way to check what current security patch level which was applied to particular Database?
  Thanks in advance

  Just to be clear with my situation also. I just patched a 10gR2 with CPUJAN2008 on PROD1 (dev) and completed all post-install tasks. Now i want to import everything from PROD2 (unpatched production 10gR2) via data pump to PROD01 (patched). This is to mirror everything from PROD2 to PROD1 and eventually turn PROD1 to a production DB. Questions are:
  1) Can i just import only the data tables? or do i have to import all schemas? (i.e. SYS, SYSDBA, SYSMAN, etc)
  2) If I import anything, do i have to reinstall the complete CPU patch? or re-do all the post installation tasks? ie. reccompile objects/views/objects via post scripts?
  Thank you guys!!!

• BIP Security (and OBIEE) doesn't seem to work with Subgroups

  Bottom Line Question:
  Can security groups be used as subgroups under XMLP_ADMIN, XMLP_DEVELOPER, XMLP_SCHEDULER, XMLP_ANALYZER_EXCEL, XMLP_ANALYZER_ONLINE and XMLP_TEMPLATE_DESIGNER and OBIEE Administrators? Or do the tools expect that only users can be added here?
  Enterprise BIP (10.1.3.3.3) has been configured with BI Server Security. In the BI Repository, 3 groups were created: Repository Administrators, Repository Developers and Report Developers.
  Repository Administrators group was added to XMLP_ADMIN and Administrators. The users in the group do not see the Admin Tab.
  The Report Developers group was added as a subgroup to XMLP_DEVELOPER, XMLP_SCHEDULER, XMLP_ANALYZER_EXCEL, XMLP_ANALYZER_ONLINE, XMLP_TEMPLATE_DESIGNER. BIP Developers were then added to the Report Developers group in the BI Repository. In BIP, Report Developers was given permissions to the top level report folders under Shared Folders.
  When a BIP developer logs in, they are able to see View the reports and look at History but not Edit or Configure.
  I have tried other combinations of this set up with various results but none of them the desired result.
  Has anyone tried this?

  Bottom Line Question:
  Can security groups be used as subgroups under XMLP_ADMIN, XMLP_DEVELOPER, XMLP_SCHEDULER, XMLP_ANALYZER_EXCEL, XMLP_ANALYZER_ONLINE and XMLP_TEMPLATE_DESIGNER and OBIEE Administrators? Or do the tools expect that only users can be added here?
  Enterprise BIP (10.1.3.3.3) has been configured with BI Server Security. In the BI Repository, 3 groups were created: Repository Administrators, Repository Developers and Report Developers.
  Repository Administrators group was added to XMLP_ADMIN and Administrators. The users in the group do not see the Admin Tab.
  The Report Developers group was added as a subgroup to XMLP_DEVELOPER, XMLP_SCHEDULER, XMLP_ANALYZER_EXCEL, XMLP_ANALYZER_ONLINE, XMLP_TEMPLATE_DESIGNER. BIP Developers were then added to the Report Developers group in the BI Repository. In BIP, Report Developers was given permissions to the top level report folders under Shared Folders.
  When a BIP developer logs in, they are able to see View the reports and look at History but not Edit or Configure.
  I have tried other combinations of this set up with various results but none of them the desired result.
  Has anyone tried this?

• [Security]   Row-level security in ADF

  Hi all,
  I want to implement row-level security in my application, the scenario is like this:
  There are several users that connect to the application
  These users are authenticated in some way (XML file, OID, DB)
  When each user wants to access (Select, Update, Delete) an ADF Table, either updatable or read-only, a predefined 'where condition' based on that table and the operation the user wants to do, must be concatenated to his DML, transparent from the user.
  So if for example a user queries the Emp Salary table only records with salary < 10K/Month will be fetched from the underlying table. This should be done automatically and not hard-coded in the application.
  I have tried VPD and it has some useful features but my problems are:
  1) Where and how to define the 'where conditions'?
  2) How to attach the 'where conditions' to the executing DML?
  3) What is the best way to make DB know which user is really executing DMLs? (Not a single Application Server admin user)
  4) What is the best authentication approach?
  Any helps will be really appreciated.
  S/\EE|)

  Hi,
  yes you can. Database proxy user is setup in the prepare session method as well and EUS can be configured to take the J2EE username to then re-connect the app to teh database schema
      public void prepareSession(SessionData SessionData)
         super.prepareSession(SessionData);
         oconn = ((PrxyTransactionImpl)this.getDBTransaction()).getPrxyConnection();
         // Specify the user that connects through the proxy user and its roles
         Properties prop = new Properties();
         prop.put(OracleConnection.PROXY_USER_NAME,"hr");
         //prop.put(OracleConnection.PROXY_ROLES, roles);
         String appContext = "Begin ctxhrpckg.set_userinfo('"+getApplicationUserName()+"'); END;";
         java.sql.CallableStatement st= null;
        // Open the proxy session (DB-authenticated users)
        try
          oconn.openProxySession(OracleConnection.PROXYTYPE_USER_NAME, prop);
          st = getDBTransaction().createCallableStatement(appContext,0);
          st.execute();
        catch (SQLException e)
          e.printStackTrace();
  package oracle.sample.dbprxy.adfbc;
  import oracle.jbo.server.DBTransactionImpl2;
  import oracle.jbo.server.DatabaseTransactionFactory;
  * TransactionFactory that returns PrxTransactionImpl, which is a subclass of
  * DBTransactionImpl2
  * @author Frank Nimphius
  public class PrxyDatabaseTransactionFactory extends DatabaseTransactionFactory
    public PrxyDatabaseTransactionFactory()
      super();
     * Override the create method to return an instance of PrxyTransactionImpl instead
     * of DBTransactionImpl2
     * @return PrxyTransactionImpl
    public DBTransactionImpl2 create()
      return new PrxyTransactionImpl();
  package oracle.sample.dbprxy.adfbc;
  import oracle.jbo.server.DBTransactionImpl2;
  import oracle.jdbc.OracleConnection;
  public class PrxyTransactionImpl
    extends DBTransactionImpl2
    public PrxyTransactionImpl()
      super();
     * The DBTransactionImpl2 does not expose the connection in a public
     * method. This class is a wrapper to expose the connection to the
     * BC app, so it can be accessed in the ApplicationModuleImpl class
     * @return OracleConnection - SQL Connection
    public OracleConnection getPrxyConnection()
      return (OracleConnection) this.getJdbcConnection();
  }Note that for EUS ApplicationModule pooling should be disabled
  Frank

• UME security vs ABAP security object level

  We installed Virsa Compliance Calibrator & Access Enforcer and trying to configure security in UME to control user access so that besides action level security, we need further restriction on for example, Functional Area, cost center & department access. Does UME have lower level authorization restriction capabilities similar to that of ABAP authorization object level security? If not, how can we utilize ABAP Virsa security objects to control JAVA front end access?
  Your advice is much appreciated.
  Thanks,

  I'm not aware of a way to limit requestor access (you can request anything visible); however, you can provide direction by populating an attribute field (i.e. company) with valid company values for each role.  When a requestor searches for a role, if they filter by the appropriate company, they will only see valid roles for the request.  I did, however, point the request authentification towards a 'fake LDAP'.  This prevents individuals without specific UME credentials from submitting a request.
  However, you can restrict approvers using a custom approver/determinator.  In my case, I wanted to use a combination of "role" and "usergroup" to determine approver, rather than use one approver set for all requests.  I have implemented and confirmed this works.  The unfortunate side affect, is that you have to maintain a seperate file for this custom A/D (which you have to refer to /append for any request for role approver information).

• Instance Level Security (user level security) ?

  Hi, I would like to have instance level security in my ejbs. That is I want to verify that the person calling my CMP ejbs is the one who logged-in. I don't want the logged-in user accessing someone else's information. I would like to know what is the best way to implement this?
  I was thinking along the line of having code in my cmp's ejbload method. The code would find the user owner of the record it belongs to by navigating to the owner using the cmr relationships. Let us say that there are three cmp beans: user, order and orderlineitem with the following relationships:
  user has 1-to-n relationship with order. Order has 1-to-n relationship with orderlineitem. So, in my orderlineitem->ejbLoadmethod, I would try to find the user to it belongs to by navigating to user bean and finding the userlike this:
  String userName = getOrder.getUser().getUserName();
  if (userName.equals(ec.getCallerPrincipal().getName)) {
  System.out.println("user is right");
  } else {
  System.out.println("user is NOT not the right user");
  Is this a good idea? Is there a better way to do this?

  When I go to application server controlHow you are accessing the ASC? Please also check your IE settings.
  Additionally you can review
  http://download.oracle.com/docs/cd/B25221_04/core.1013/b25209/tools.htm#i1055655
  I do think that the error is related to role. You can also check the above link under heading (Creating Administrative Users and Assigning Administrative Roles).
  Hope it is helpful.
  Adith

• Obiee and BIP security - obiee 11g 11.1.1.7.1

  Hello,
    I have configured an external LDAP setting for authentication. Reordered the new LDAP as first authentication provider. The issue i am facing is , that i am able to login with external ldap users and weblogic as expected in obiee.  But when i login as weblogic user, and try to click on Manage BI Publisher link (to add jndi connections), it throws error Unthorized user! ...
    Any clue, if i need to do separate setting for BI Publisher?
  Regards,
  Shruti

  Hi Shruti,
  Can you please check the security file xmlp-server-config.xml under this path MW_HOME/user_projects/domains/bifoundation_domain/config/bipublisher/repository/Admin/Configuration and see whats the securitymodel in here
  also try to delete the weblogic user  from catalog users folder and then try to login and see if you can access it now

• Security - Report level permissions

  I have two end users and five reports developed under a workspace.
  I want to set the report level permissions to these end users.
  e.g End user A can be able to view reports R1, R2 and R3
  and end usre B can be able to view reports R4 and R5. How it can be done?
  Edited by: user9313405 on Mar 9, 2010 11:43 PM

  Create an Authorization scheme that can distinguish user A and B and use this Authorization Scheme for the Reports (when they are on the same Page) or for the Page (when they are on different Pages). Also check if you should use the same Authorization Scheme for Links or Buttons that link to these Pages/Reports.

• OT: Server Security Settings Levels

  Can this effect the way a website functions?
  Senario:
  I have a site set up which uses Paypal IPN. The IPN file updates a database.
  I have set the site up on 3 testing servers, 2 work, they update the database as expected. The 3rd doesn't. Unfortunately that 3rd server just happens to be the one the website needs to be housed on.
  I mentioned the security settings as I had a lot of trouble getting into its control panel because it blocks my dynamic IP after a couple of attempts, great. Also it seems less responsive than the 2 servers which do function correctly. i.e., sometimes when testing the IPN file the results get pinged back to my email and at other times it does not. For instance I can call the IPN file 5 times and only get 3 responses, whereas I get the reciprical amount of responses from the other 2 servers.
  At the moment all by tests lead me to think it's a server issue and not a coding issue.
  Any thoughts about whether a server which has too higher security setting or is set up incorrectly can have this kind of effect?
  Os

  Hi,
  Thanks for your replies. I'm not talking about a backup. I'm not using the TC for time machine. I'm just using it as a network storage device. I have a G-Raid drive attached to the TC for time machine backups.
  The TC simply has my iPhoto library and iTunes library on it so they can be shared around the house. The advantage of using the TC is that I can access the drive over the internet, so I can connect to my iTunes library on my MBP at work.
  Ideally, I would just like to just stop the kids from copying or listening to specific (explicit) records within my iTunes library. Perhaps I should use the shared libraries feature instead and put a password on it? Then I could remove their read-only access to the server.
  I'm sorry if I should have put this onto the iTunes forum but when I asked the question I was thinking more about restricting their access to the files themselves.

• BIP security model DBSect Adpt and Siebel eChannel LDAPSectAdpt

  Hi,
  Previously in production we implement siebel eChannel that uses DBSectAdpt to single sign on against BIP report which uses DBSectAdpt.This method was successfully implement. In our current project siebel eChannel is force to use LDAPSectAdpt under certain circumstances.
  1.To implement the single sign on is it possible for BIP report to use DBSectAdpt or force to use the LDAPSectAdpt?
  2. How about the XMLP Report Server(DBSectAdpt ) and EAI Object Manager(DBSectAdpt ). Do they require to change to LDAPSectAdpt too?
  Thanks for those who read as this is very urgent and its near to deadline.
  Thank You
  Joey Tan , MY

  Case solve. It is possible to use mix authentication.

• Change Security Logging Level Weblogic 10.3.5.0

  I hace in a ADF Aplication this code
  public static ADFLogger log= ADFLogger.createADFLogger(Main.class);
  log.fine("LOG FINE-TEST");
  log.warning("LOG WARNING-TEST");
  log.finest("LOG FINEST-TEST");
  log.config("LOG CONFIG-TEST");
  log.info("ASD","FGH","LOG INFO-TEST");
  log.severe("LOG SEVERE-TEST");
  But when i deploy the app in my weblogic y get only the messages for log.
  I need to show the log for info but i can't show it. I read about change a file called logging.xml on the server but i don't know what put in it or what i need to change.

  Hi,
  This should help you -
  https://blogs.oracle.com/groundside/entry/adventures_in_adf_logging_part2
  Link below gives the in-depth of what you need/should do for ADF Logger -
  http://docs.oracle.com/cd/E15586_01/web.1111/b31974/web_testdebug.htm#BABDBCGF
  Thanks
  Sachin