Controlling data access at universe level

Hi,
I had a doubt in universe regarding the implementation of security.
Existing process: We had a portal called flex (intranet site) into which the BO report has been integrated, and to open the report the name of the report was clicked (hyperlink).
This report should show the data specific to the user profile logged into the portal.
Now if we want to restrict the data at universe level for each individual user accessing the report in the portal, our idea is to create a derived table (which contains a list of user IDs and project IDs) in the universe, so that whoever logs into the portal and clicks on the report will see only the data related to his profile.
For example: The scenario would be a manager residing in a region who needs to see the list of projects which he is assigned to, but not all of them.
Could you please let me know how I can implement this at universe level. Kindly let me know if you need any further information.
Thanks,
Eswar

Another way to do this is: (a) in your universe create a table that has a list of user names along with their BOUSER id; (b) associate that list with fact tables or dimensions in the database, either using joins or by using a where clause as a filter or in an object definition using the syntax @variable(bouser); below is an excerpt from BO Designer guide.
Example:
@Variable
In the universe for a human resources database, you have an object called
Employee name. You want to restrict the returned data for Employee name
to the values authorized in the database for each user. This would allow
you to control what employee information each user is allowed to see. This
information is defined by their database profile.
You insert the @Variable function in the WHERE clause as follows:
Employees.Employee_Name = @Variable('BOUSER')
When the object Employee name is used in a query, the data is returned
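
The mapping-table restriction described in this reply, as an added example that is not part of the original thread or the BO Designer guide. It assumes hypothetical `projects` and `user_project` tables and constructed login names, uses SQLite in place of the reporting database, and passes the resolved login as a bound parameter where the universe would use @Variable('BOUSER').

```python
import sqlite3

# Constructed schema and rows; all table, column and user names are assumptions.
SETUP = """
CREATE TABLE projects (project_id INTEGER PRIMARY KEY, project_name TEXT, region TEXT);
CREATE TABLE user_project (
    bo_user    TEXT    NOT NULL,   -- BusinessObjects login name
    project_id INTEGER NOT NULL REFERENCES projects(project_id),
    PRIMARY KEY (bo_user, project_id)
);
INSERT INTO projects VALUES (1,'Bridge','North'),(2,'Tunnel','North'),
                            (3,'Harbour','South'),(4,'Depot','South');
INSERT INTO user_project VALUES ('mgr_north',1),('mgr_north',2),('mgr_south',3);
"""

# In the universe the restriction would be written as
#   user_project.bo_user = @Variable('BOUSER')
# on the join or in a WHERE clause. Here the resolved login is a bound parameter.
RESTRICTED = """
SELECT p.project_id, p.project_name
FROM projects p
JOIN user_project up ON up.project_id = p.project_id
WHERE up.bo_user = :bouser
ORDER BY p.project_id
"""

# Projects with no mapping row are invisible to every user: worth auditing.
UNMAPPED = """
SELECT p.project_id FROM projects p
LEFT JOIN user_project up ON up.project_id = p.project_id
WHERE up.project_id IS NULL ORDER BY p.project_id
"""

def build_db():
    """Create the in-memory sample database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SETUP)
    return conn

def projects_for(conn, bouser):
    """Rows the given login may see; an unknown login gets an empty list."""
    return conn.execute(RESTRICTED, {"bouser": bouser}).fetchall()

def unmapped_projects(conn):
    """Project ids that no login is mapped to."""
    return [row[0] for row in conn.execute(UNMAPPED)]

if __name__ == "__main__":
    db = build_db()
    for user in ("mgr_north", "mgr_south", "intern"):
        print(user, projects_for(db, user))
    print("unmapped:", unmapped_projects(db))
```

Because the restriction is an inner join on the mapping table, a login with no rows in `user_project` sees nothing, and a project nobody is mapped to disappears from every report until a mapping is added.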

Similar Messages

  • Multi user application control data access

    Dear all,
    i am using Oracle Developer Suite 10g and database 10g, windows xp platform.
    i want to develop multi user application regarding education.
    i have two questions.
    1. i take a start from creating an HR database which have 30 tables.
    this database has 10 users.
    the users will log on from their own schema.
    how they will access the HR schema?
    should i create a public synonym for each table in the HR Schema?
    or should i create a view for each table in each user schema?
    or should i grant select,insert,update etc to each user on HR schema?
    2. i want to control the data access for each user.
    i.e. every student could access his own academic record. each teacher access his own related record, the manager the owner and so on.
    how to accomplish this task? oracle roles are not sufficient for this purpose.
    Your help is highly appreciated.

    How about you start with the basic stuff, like the 2 days developers guide:
    http://www.oracle.com/pls/db112/to_toc?pathname=appdev.112/e10766/toc.htm
    and make it to the advanced developers guide:
    http://docs.oracle.com/cd/E11882_01/appdev.112/e25518/toc.htm
    and work your way through the concepts manual:
    http://www.oracle.com/pls/db112/to_toc?pathname=server.112/e25789/toc.htm
    and everything else which sounds interesting to you in here:
    http://www.oracle.com/pls/db112/portal.portal_db?selected=5&frame=
    As for your first question this should be covered here:
    http://docs.oracle.com/cd/E11882_01/network.112/e16543/authorization.htm#BABHFJFJ
    i want to control the data access for each user.
    This is also documented:
    http://docs.oracle.com/cd/E11882_01/network.112/e16543/vpd.htm#CIHBAJGI
    cheers

  • How to Convert Date Object at Universe Level with out Timestamp

    Hi,
    I have an object called "PCREGISTERDATE" at universe where the data type is date, but the dates are coming in the following format: 9/26/2007 9:48:40 PM, but I want to show the date without the timestamp.
    How can I create an object at universe level which should show only the date without the timestamp?
    please help me on this ASAP.
    Thanks & Regards,
    Kumar

    Please try below date function:
    select convert(varchar(10),getdate(),101)  - this is for sybase
    syntax will change based on your source database.
    Thanks
    Ponnarasu .K

  • IFS For Controlling Data Access

    We have a requirement where we want to be able to allow access to particular classes of files based upon the NT Application that is actually reading/writing the data.
    For example - we want Word to be able to write our files but Notepad not be able to.
    Does anyone have any experience/suggestions on whether this is do-able with IFS?
    Thanks,
    Mike.

    Probably not. The SMB Server does not know which application is accessing the SMB Server.

  • Create current date variable at universe level

       Hi Everyone
    I have created report regarding to daily car sales. However there is records registered for further months, 2015 December for instance.
    Actually they are error records, but I can't delete them since data transfer is realizing automatically and updates hourly.
    That is why I have decided to use prompt for report: date is less or equal to current date. But couldn't find way how to create current date variable.
    Please help with this.
    Regards...

    Yes.
    Create an object called Today as:
    cast(convert(char(10),getdate(),23) as datetime)
    Note that it will not parse because it does not reference a table. Don't associate it with a table just to get it parsing as you will then have that table in every query that uses the Today object, whether you want it or not!
    It will work fine when you use it in your query. In your example, create a condition of Ship Date Less Than Or Equal To Today where Ship Date and Today are the names of the two objects. This will then translate into SQL as:
    WHERE orders.ship_date <= cast(convert(char(10),getdate(),23) as datetime)
    This will parse because the table orders is in the statement.
    I hope that is clear.
    Regards,
    Mark

  • Data Access control in J2EE technologies/apps

    Hi Guys,
    I am working on a project that requires that I implement a mechanism for controlling data access to the content that is displayed on the pages of a Struts based web application.
    First off to clarify, I am not referring to the ability for different users to log on to a specific page and or view specific pages. That is a different type of access control. I am more interested in the "Data Access" i.e. where multiple users can view the same page but the data that is displayed depends on the data access control privileges they have.
    I am interested to know of the different approaches/frameworks out there to implementing "data access" control. Is there a framework out there for this kind of thing?
    I'm thinking to do this the controls/privileges need to be configured (i.e. data access categories, users etc) somewhere, probably in the database. The rules can get quite complicated so I'm wondering whether there is already a framework that I can use to accomplish this rather than implementing it from scratch.
    Thinking about how it will work, the rules that govern the access are very specific to our business domain so I am not really sure whether it is possible if there is any third party framework that I can use that is very generic and will allow the rules to be configured.
    Thanks

    You are right, access control is very application dependent, and is therefore not a good target to turn into a generic framework.
    In my opinion the king of security frameworks is Spring Security, so you could take a look at that.
    http://static.springsource.org/spring-security/site/
    Other than that, I have used a simple setup using Javaserver Faces. I had a user bean with a set of boolean flags indicating the user's capabilities (directly mapped to a database table) and in the components I would have rendered="#{user.userRole}" attributes where necessary, to conditionally switch off elements when the user wasn't allowed to see it, in some cases rendering a readonly view instead.
    It's a chore to test, but quite easy to maintain and to read IMO.

  • Access on aggregated levels with virtual key figures

    Hi all,
    I need access to the aggregated view of a BEx report within user-exit RSR00002 for processing virtual key figures. Currently I only get access to the lowest non-aggregated level.
    My requirements in detail:
    I get certain key-figures (250 historical values)on the lowest aggregation level - so-called folders. Then I have to aggregate this vector of values at the next hierarchy level up to the top-level, say along-side a company's business department structure. Drill-down, slice&dice should be possible. So far so good - this is done easily with standard BEx features.
    Then, on each aggregation level, i.e. hierarchy node, I need to get the third lowest of the 250 aggregated values to assign this to my vkf. This is not an issue of the algorithm but of the internal data representation or access to the OLAP processor because I don't get this vector on the same aggregated level such as I could see it in my BEx report but on the lowest non-aggregated folder level.
    The question is now:
    a. Is data access on aggregated levels and drill-downs because of the internal representation generally not possible within this user-exit and would I have to supply the aggregation logic myself or
    b. do I have overlooked something critical - did I miss the trick?
    Every idea or hint is deeply welcome!!
    Thanks a lot,
    Michael
    Message was edited by: Michael Kronenberger

    First check in Technical Information in RSRT, whether the Virtual Char/Key Fig is Y or N.

  • How to get current logged-in user name in data access driver or in universe

    In universe, to get the current log in user is via @Variable('BOUSER').
    Right now, I need to be able to get the user name in the data access driver. I am writing a customized data access driver because we need to patch some where clause on the query generated by the universe based on the logged-in user info. I can only think of using the end_sql parameter or adding a universe level filter to patch the @Variable('BOUSER') to the query, which would not work if the user wants to use a customized query.
    Can anyone tell me how to get currentBO user name from connection server ? or how @Variable('BOUSER') is translated into the logged-in user name in the universe?

    I do not know your EJB Service. But you should pass the credentials of the current logged on portal user to your service. That's not by default I think.
    I had a similar problem with CAF developed webservices. I had to turn on permission checks in my web service and passed the credentials via logon ticket.
    Regards, Bernd

  • Is there a way  we can control Display access in SE16 at the row level?

    Table MARC has material master data at plant level, I want a user to be able to view only plant A via SE16. SAP has objects to control access in MM03 but how can we control view access in SE16 without totally eliminating the table access.
    If not, are there any alternatives? Like develop ZSE16 or create a new DB view etc? Appreciate your reply

    This link has some info where OB52 is restricted by company code - the principles may apply to your application though you will need to create a transaction for it
    http://www.sap-img.com/zf011.htm
    it also won't be any use if the user has SE16 or similar - though you don't give these if you want to restrict at any level lower than groups of table
    hope that helps
    cheers
    alex

  • Direct database data access without data level authorization check

    Hello,
    My customer raised issue about direct database data access. Due to the customer's strong security policy, it shouldn't be allowed.
    To prevent this kind of illegal data access, customer ask me to list up all the possibilities to display data without data level authorization check.
    The things in my mind are
    SQL Command Editor (for Oracle based system) : ORASPACE, DB02, ST04
    Query Based : SQVI (Quick Viewer), SQ01/SQ02/SQ03 (SAP Query)
    Data Browser : SE11, SE12, SE16, SE16N, SE17
    Table Maintenance : SM30
    Function Module : RFC_READ_TABLE
    Function Module : DB_EXECUTE_SQL (DML)
    Anyone knows anything which is not listed above?
    Thanks

    HI,
    Generally in production users should not be given all these authorizations.
    Ram.

  • Applying Support Packs at GRC Access Control 5.3 overall solution level

    Hi All
    I recently noticed something at a customer, that GRC Access Controls 5.3 launch pad shows a different SP level e.g. version8, while the components, Compliant User Provisioning shown SP10, RAR shown SP12 etc.
    My questions are;
    1. Should SP updates be applied at a component level i.e. at RAR, CUP, ERM, and SPM level?
    2. Would this customer scenario cause an issue in the future, when for example RAR is sitting on a different SP level than CUP etc.?
    3. If GRC Access Controls launch pad shows SP level/version, does this SP level/version represent the SP level/version that applies to all components?  or does this represent SP level/version of the launchpad only?
    4. Are the Support Packs required to be applied on the ABAP stack as well?
    Thanks
    Odwa

    Hi Odwa,
    Please see my replies below.
    1. Should SP updates be applied at a component level i.e. at RAR, CUP, ERM, and SPM level? NO, Just apply them to the entire GRC-AC from the JSPM
    2. Would this customer scenario cause an issue in the future, when for example RAR is sitting on a different SP level than CUP etc.? Yes, one of these days there is going to be a problem because of this
    3. If GRC Access Controls launch pad shows SP level/version, does this SP level/version represent the SP level/version that applies to all components? or does this represent SP level/version of the launchpad only?
    4. Are the Support Packs required to be applied on the ABAP stack as well? Yes they need to be applied on all the ABAP stacks as well, it is very important that support packs remain in sync everywhere.
    Thanks!
    Chinmaya
    Edited by: chinmaya prakash on Dec 6, 2010 4:10 PM

  • Controll user access with internal attribute date

    I all.
    i've created an internal attribute called Date-of-validity of type Date.
    the objective is to control user access based on the date configured in this attribute and permit access only when the date has not been reached.
    how do i control it, put the acs looking to the date in an automated way.
    thanks in adv
    Antero Vasconcelos

    It is possible to define an internal user whose password is taken from an external store.
    In internal user definition select "Password Type" to be the LDAP database and then define the rest of the user definition, including identity groups, as desired

  • Data access disrupters  (DAD's)are not being displayed on control panel

    Hi,
    Data access disrupters are not being displayed on Application server control panel (sid.host.domine > HTTP Server > mod_plsql Services >DAD's ) But users are able to access their applications.
    Not able to see database access details through Application server control panel. Can you please tell me where could be the problem exists..
    Thanks,
    DJ

    I am assuming you mean Descriptors (instead of Disrupters) and I am not sure which release of Application Server you are running. But assuming it is 9i (say 9.0.3 on Windows), if you select the OC4J instance or container the application was deployed to, you will see a link to Data Sources displayed below Application Defaults.
    The files equivalent will be found in your <ORACLE_APPSHOME>\j2ee\<INSTANCE_NAME>\config\data-sources.xml

  • You do not have rights to access the data in the universe - WIS 00505

    Hello,
    Trying to create my first WebI report above Universe, I entered the InfoView, and selected new Web Intelligence report. After drag and drop of the objects I want to display, when I press the run query button I get the message "you do not have rights to access the data in the universe. Contact BO Administrator Error WIS 00505". I already implemented note number 1299687.
    What can it be?
    Thanks,
    David

    Hi David,
    please make sure that the BOBJ user you are using to create the report has appropriate rights on your universe AND the underlying connection. You can set the authorization for this kind of objects in the CMC under Universes and under Connections .
    Regards,
    Stratos

  • How to get Current Log in BO user name in data access driver

    In universe, to get the current log in user is via @Variable('BOUSER').
    Right now, I need to be able to get the user name in the data access driver. I am writing a customized data access driver because we need to patch some where clause on the query generated by the universe based on the logged-in user info. I can only think of using the end_sql parameter or adding a universe level filter to patch the @Variable('BOUSER') to the query, which would not work if the user wants to use a customized query.
    Can anyone tell me how to get currentBO user name from connection server ? or how @Variable('BOUSER') is translated into the logged-in user name in the universe?

    Shweta,
    The link you provided was the Auditor guide for BO 6.x, I'm not sure if that is going to help Karen or not.
    Karen,
    There is function called connection
    (usage:  =connection([Query Name]), where [Query Name]
    denotes the name of the tab for the query under Edit Query)
    Here is some of the output from connection:
    4;ODBC18;MS SQL Server 2000166; VERSION=7; USER=xxxxx;
    PASSWORD=; DBTYPE=Relational; DATABASE=xxx_xxxx;
    ODBC_USER=xxxxxx; ODBC_PASSWORD=; BO_DSN=xxxx_xxxx;
    BO_DRV_CONNECT_MODE=0; 224; VERSION=6; Name=xxxxx; Shared=4;
    LoginTimeout=600; Timeout=600; Pool Time=60; Array Fetch Size=10;
    Array Bind Size=5; RecommendedLenTransfert=1000; Password_Encryption=x;
    AliasTable=; MeasureDimension=; Hint=; ConnectInit=; ArrayFetch=1;
    I'm not sure if this info helps out either, being that connection provides info on a post-processing basis and it sounds like you need to get out ahead of the SQL generation.  The @variable('bouser') would seem like the place to be, however, in allowing custom SQL to take place you lose the bouser because an individual could customize the SQL to the point that it gets unwantingly yanked out.  The end_sql might be your answer...
    Thanks,
    John
