Data-level security in user level

Similar Messages

• How to do data level security on users based on region

  Hello guys
  I currently have created a report with dashboard prompt on column "state" with a default value "CA"
  Now, the requirement is to perform data level security on this report, so different users based out of different state will log in to the dashboard and this prompt will change its default value accordingly so the user will have the report on only users home state prompted, and users can't see other state data..
  I have thought of creating session variables to achieve the same, but how should i set up the initialization string?
  Do I need to create a new table called "user table" that stores username/password and state columns and make that user table join to the fact table in the db?
  If so, how should I configure the session value so that users get filtered date based on its state location?
  PLease provide guidance
  Thanks

  Here’s an idea off the top of my head (untested):
  First, set up your security constraints normally using Manage…Security in the Administration Tool, so that each user can only see his/her state. Refer to the previous responses to this post for guidelines.
  Then, in your dashboard prompt, for the “Default Value”, write a tiny bit of logical SQL to query the “state” column from the presentation layer. If your security constraints are properly in place, the SQL should only return one value.
  To get an idea of what the logical SQL should look like, select “All Values” as the default value, then switch it to ‘SQL Results’. That will show you the basic format of the logical SQL. It’s really just normal SQL (select <this> from <that> where <the other>), but referring to presentation layer objects rather than to physical tables and columns.
  Untested. Please reply back and let us know how it goes.

• How to set dimension level security with multiple levels

  Hi,
  We have hierarchy with Level 0 codes to Level 4 codes.
  For e.g.
  Region 1 : Level 0 code 10000, Level 1 code 10001, Level 2 code 10011, Level 3 code 10111, Level 4 code 11111
  Region 2: Level 0 code 20000, Level 1 code 20001, Level 2 code 20011, Level 3 code 20111, Level 4 code 21111
  Region 3: Level 0 code 30000, Level 1 code 30001, Level 2 code 30011, Level 3 code 30111, Level 4 code 31111
  From SSAS role administration, I would like to assign a user permission to all Region 1 codes and only Level 3 code (30111) of region 3.
  How and where do I set this kind of permission?
  Thanks in advance.
  Manisha

  see
  http://www.mssqltips.com/sqlservertip/1834/introduction-to-dimension-security-in-sql-server-analysis-services-ssas-2005/
  Please Mark This As Answer if it helps to solve the issue Visakh ---------------------------- http://visakhm.blogspot.com/ https://www.facebook.com/VmBlogs

• 802.11 X port-level authentication or user-level authentication

  I have read many online documents about 802.11x, all that i found they named port-level authentication.
  It makes sense for a wired network, since we have got a physical port, then if the supplicant has been authenticated, his port will be open to transfer data.
  And same thing with a wireless network, but we do not have physical port, we have got logical port.
  I have read one document that mentioned that 802.11 is user-level authentication,,,any comment about this ?
  Regards

  Thanks steprodr
  That means in both cases (wired. wireless) a client has to be authenticated to pass through physical port or logical port to be able to access(use)network resources,,,,,
  What is my interpretation (correct me) to your reply, that with the wire we call it port level while with wireless (my conclusion, because explicitly you have mentioned that)we do not call it port level (i.e. it is called user level) ?

• Implementing Data level Security ?

  I would like to Impelement Data level Security in Universe level itself. I have Set For users belonging to Branch (Mumbai, Delhi Etc) And One set of Users Belonging to Segment (CWG, IFA Etc) and  Set of users that are combination oif Branch and Segment.
  In the Universe I need to set the Security so that only the data related to them can be viewed. When I use a restriction I have to create many restirction and implement the same in Objects as required.
  This consumes a lot of time. Is there a easier way out.
  I have already Tables in the Database where the secuity values for the users are already stored.
  Any help is welcome
  Thanks in advance
  Suresh

  Hi Alan,
  Ok....But How Can I use the Restriction I have created in All the objects of the universe.
  For e.g.. I have Two Classes Named Channel and Relation Manager respectively.
  The Channel Class has the following Objects Namely : Channel Type, Channel Country, Channel Zone, Channel State, Channel City and Channel Name. and is Derived from BIDIMCHANNEL Table
  The Relation Manager Class has following Objects Namely: RM Segment, RM City, RM Branch RM Name. and is Derived from BIDIMRM Table.
  I have Created the a Restriction on Channel name By Using the Clause  "BIDIMChannel.ChannelName = 'AHMEDABAD' and have assigned it to an BO User.
  While using WEBI whenever I Select Anything regarding the Channel Class the restriction works fine. When We I Exclusively Select "Relation Manager" Class, the restriction is Not Applied and the entire data is visible.
  Can you Suggest a manner in which the restriction given above can be applied for all the objects belonging to the universe and not just to the class objects where the restrictions are being applied.
  Regards
  Suresh

• Information Regarding Essbase Security Except Filter Level and User Level

  I have an requirement to implement data level security in Essbase. For ex: A user can only see those data which are from Asia region or an user will be able to see those data which are from America.
  Asia and America are defined in my location dimension.
  can any one explain about it without using user Level Security and Filter level security.
  Please tell me how to do it?
  Thanks in advance.

  Sandeep's reference the DBAG and the section on filters is the right direction. The filter is created in EAS.
  Let's use an example.
  You create a METAREAD filter (that is, it filters both data and dimensionality) that gives a user limited access to the Location dimension (I think I have that right), e.g., the British Isles, the UK and Ireland. You can also create a READ filter but it only limits data and, in my opinion at least, causes confusion because users can see metadata (the whole world) but only see data for the British Isles.
  NB -- filters can be assigned to individual usernames or to groups that users are members of. For a POC, I'd keep it simple and just assign it to a username, but it's your choice.
  Assign the filter to the user in Shared Services.
  Try connecting to the database in Excel through the Classic Add-In or SmartView to test what the user sees -- it should be: Total Location, British Isles, the UK, and Ireland. You will see Total Location (top of the dimension) because that's how Essbase navigates down -- it has to have the dimension name to find the limited children. You won't see any data there. But you will see data at the Location members that the METAREAD filter allows.
  That's it -- it's been around since the year dot, and is the way access is restricted. You shouldn't need to reinvent the wheel to get this to work in OBIEE. Essbase should do the work.
  Regards,
  Cameron Lackpour

• How to provide page-level security..

  HI,
  I have a requirnment that a single report having multiple pages is generated such that each or some of the pages have security tags that are compared to a security identifier list of a particular user that acts as a security clearance for that user. How to do this programatically.
  Through this comparison, a subset of pages from the report is formed which makes up a "report" from the user's point of view that contains only data the user is allowed to see. This allows multiple users to view only authorized portions of a single report having page-level security determined by level breaks in the data.How to do this also programatically.
  including both the task is one requirnment. if any one know how to do this using java program or xml, please reply as soon as possible.
  thanks in advance.

  How does you post have anything to do with SQLJ/JDBC? If this is an Oracle Report then post it to the Oracle Reports forum. Otherwise, look at the JDeveloper forum.

• Security and access levels

  I have created 4 users access levels, however, when I try to implement, when I keep inheritence, default security keeps coming up,   e.g. try changing everyone to my new access level and I get the new access level, but I also get view (inherited) - how can I "clean out" the old security settings??

  Sorry for the delay!
  OK, here's our situation - it's pretty straight forward;
  1500 users
  1500 (all) users in Everyone
  Of the 1500 users in Everyone;
  1200 in subgroup A
  200 in subgroup B
  90 in subgroup C
  10 users in Administrators
  4 universes
  1 connection
  Goal:
  Everyone and subgroups, same as admin, exception: can't delete or save to "corp" doc's.  My thought is to use same access level, then use the advanced configuration on the folders to prevent everyone from deleting any "corp docs"
  I have applied this access level to everyone and admin at;
  application > infoview, webi. cmc, deski, discussions, search
  universes > all 4
  connections > the 1
  folders > root folder,  level 1, denied access to everyone accordingly on level 2
  I have also added this access level to the top level security for users and groups
  Issues; 
  1. When I check the access level for everyone on folders, level 1 and below, I get the custom access level as inherited, but also view aslo as inherited.
  2. The users added to the admin group do not have same rights as the "administrator - for example, administrator can delete objects in the folders, but other users (within admin group) can not?  if I manually add the users to the folders, I can get this to work,  but doesn;t make sense, why would a user within a group have different rights, than any other user within the same group, with the same rights???
  Hope this helps!
  Edited by: Michael Bujarski on Jun 5, 2009 3:56 PM

• Item Level Security - 9.0.2.2.22.

  Is there a problem with setting item level security? My scenario is one multitabbed page within a page group. My settings are shown below. I want some items on the page to be seen by the public and some to only be seen by certain groups - basically welcome messages, one for employees, one for customers.
  Page Group properties - nothing to set for item level security.
  Page Level properties - On Access tab set both 'Display Page to Public Users' and 'Enable Item Level Security'
  On 'Welcome' Tab properties for above page (not page group) - On Advanced Options tab set 'Inherit Access Settings from the Page' and 'Display tab to public users'.
  On subtab 'About Us' on 'Welcome' tab properties - same as above, i.e. On Advanced Options tab set 'Inherit Access Settings from the Page' and 'Display tab to public users'.
  On 'About Us' subtab region 1 - an item region - there is no access settings to make.
  On text item added to region 1 - On Access tab set 'Define Item Level Access Privileges' then added my EMP group; view item privilege. Only other grantee is PORTAL.
  The text item still shows up for public (without login) and everyone else that logs in; that is when no one signs in! Item Level Security settings seem to have no affect whatsoever. What did I set incorrectly?

  isn't there just a bugfix available?
  9025 isn't out yet - when will it be available ?
  markus

• Data Level security for specific Users

  Hi,
  Can you please suggest some ideas on by-passing the Data Level security for specific users or specific group?
  Currently, we have data level security defined on a group permissions for one group and for people belonging to another group, the security should not apply and they should see entire data.
  But, key thing here is that, the user belongs to both the groups.
  Any ideas helps.
  Thanks,
  Chandu.

  So you are saying you want a user to belong to a group with data-level security filters, but you don't want the filters to apply to that user?
  Why are they in the group then?
  Are the data filter defined with variables or are the hard-coded?
  If variables, you may be able to put logic in initialization block to set the variable appropriately for specific users.
  I'd rethink the security model - when I define data level security filters, I tend to force users to only belong to a single group/role.

• Data level Security issue in obiee 11g

  Hi,
  We are trying to implement data level security, let me explain the issue
  The requirement is, we have 7 schools and each school has one principle , there will be a Superdintent who has 3 schools under him. so now when each principle logs in to dashboard we have a prompt for school i.e Name of school in that prompt he should see only his school and even the data of that school only which are assigned to him, now when Superdintent logs in he should see all 3 schools in the prompt and data. I have gone through this link (http://www.rittmanmead.com/2012/03/obiee-11g-security-week-row-level-security/) but could not achieve.
  We are able to achieve by writing SQL in BMM layer ( LTS Table) so where ever the table is used in dashboards the security is being applied and we are able to see what we want. We want to achieve this by application role, But when we are creating session variables and applying on Application Role its not working. We want to achieve this by using Application role because suppose in other dashboards when the table is not used or pulled in, it will not work.But if we do it using application role its applies to all dashboards and data is resticted. so that when principle or Superdintent logs in automatically its restricts the data.
  Below is the SQL which we used in BMM LTS, its working fine. But when the same SQL is applied in Application Role it's not working.
  SQL used in session variable -
  select  'SCHOOL_CD1', school_cd1 from w_staff_d where empl_id ='VALUEOF(NQ_SESSION.USER)'
  and job_desc1 = 'Principal High School - KPI'
  Any suggestions please ??
  Thanks,
  VRP

  Hi,
  I pasted the log view below by applying SET VARIABLE LOGLEVEL=2, DISABLE_CACHE_HIT=1;, ran this report by applying SQL in Session variable. Let me know if you want anything -
  Thanks
  [OracleBIServerComponent] [TRACE:2] [USER-0] [] [ecid: c9928ce086f2ff4f:4405c138:13a559973e0:-8000-000000000000f7e9] [tid: 128c] [requestid: 5e40000b] [sessionid: 5e400000] [username: weblogic] ############################################## [[
  -------------------- SQL Request:
  SET VARIABLE QUERY_SRC_CD='Report',SAW_SRC_PATH='/shared/Key Performance Analytics/Analysis/Climate and Culture/Analysis for total school suspensions',LOGLEVEL=2, DISABLE_CACHE_HIT=1; SELECT s_0, s_1, s_2, s_3, s_4, s_5, s_6, s_7, s_8, s_9, s_10, s_11 FROM (
  SELECT
  0 s_0,
  "High School KPI"."- Date"."School Year" s_1,
  "High School KPI"."- Grade"."Grade Level" s_2,
  "High School KPI"."- School"."School Name" s_3,
  "High School KPI"."- School Suspensions"."% of Students Suspended" s_4,
  "High School KPI"."- School Suspensions"."Count of Students Enrolled" s_5,
  "High School KPI"."- School Suspensions"."Count of Students with Incidents" s_6,
  CASE WHEN (CASE WHEN MAX("High School KPI"."- School Suspensions"."% of Students Suspended" BY ) IS NULL THEN 10 ELSE MAX("- School Suspensions"."% of Students Suspended" BY ) END +(CASE WHEN (CASE WHEN MAX("- School Suspensions"."% of Students Suspended" BY ) IS NULL THEN 10 ELSE MAX("- School Suspensions"."% of Students Suspended" BY ) END - CASE WHEN MIN("- School Suspensions"."% of Students Suspended" BY ) IS NULL THEN 0 ELSE MIN("- School Suspensions"."% of Students Suspended" BY )END)=0 THEN CASE WHEN CASE WHEN MAX("- School Suspensions"."% of Students Suspended" BY ) IS NULL THEN 10 ELSE MAX("- School Suspensions"."% of Students Suspended" BY ) END <0 THEN (CASE WHEN MAX("- School Suspensions"."% of Students Suspended" BY ) IS NULL THEN 10 ELSE MAX("- School Suspensions"."% of Students Suspended" BY ) END *-1) ELSE CASE WHEN MAX("- School Suspensions"."% of Students Suspended" BY ) IS NULL THEN 10 ELSE MAX("- School Suspensions"."% of Students Suspended" BY ) END END ELSE (CASE WHEN MAX("- School Suspensions"."% of Students Suspended" BY ) IS NULL THEN 10 ELSE MAX("- School Suspensions"."% of Students Suspended" BY ) END - CASE WHEN MIN("- School Suspensions"."% of Students Suspended" BY ) IS NULL THEN 0 ELSE MIN("- School Suspensions"."% of Students Suspended" BY )END) END /10))<0 THEN 1 ELSE 2 END s_7,
  CASE WHEN (CASE WHEN MAX("High School KPI"."- School Suspensions"."% of Students Suspended" BY ) IS NULL THEN 10 ELSE MAX("- School Suspensions"."% of Students Suspended" BY ) END - CASE WHEN MIN("- School Suspensions"."% of Students Suspended" BY ) IS NULL THEN 0 ELSE MIN("- School Suspensions"."% of Students Suspended" BY )END)=0 THEN CASE WHEN CASE WHEN MAX("- School Suspensions"."% of Students Suspended" BY ) IS NULL THEN 10 ELSE MAX("- School Suspensions"."% of Students Suspended" BY ) END <0 THEN (CASE WHEN MAX("- School Suspensions"."% of Students Suspended" BY ) IS NULL THEN 10 ELSE MAX("- School Suspensions"."% of Students Suspended" BY ) END *-1) ELSE CASE WHEN MAX("- School Suspensions"."% of Students Suspended" BY ) IS NULL THEN 10 ELSE MAX("- School Suspensions"."% of Students Suspended" BY ) END END ELSE (CASE WHEN MAX("- School Suspensions"."% of Students Suspended" BY ) IS NULL THEN 10 ELSE MAX("- School Suspensions"."% of Students Suspended" BY ) END - CASE WHEN MIN("- School Suspensions"."% of Students Suspended" BY ) IS NULL THEN 0 ELSE MIN("- School Suspensions"."% of Students Suspended" BY )END) END s_8,
  CASE WHEN MAX("High School KPI"."- School Suspensions"."% of Students Suspended" BY ) IS NULL THEN 10 ELSE MAX("- School Suspensions"."% of Students Suspended" BY ) END s_9,
  CASE WHEN MIN("High School KPI"."- School Suspensions"."% of Students Suspended" BY ) IS NULL THEN 0 ELSE MIN("- School Suspensions"."% of Students Suspended" BY ) END s_10,
  REPORT_AGGREGATE("High School KPI"."- School Suspensions"."% of Students Suspended" BY "High School KPI"."- Date"."School Year") s_11
  FROM "High School KPI"
  WHERE
  (("- Discipline Action"."Discipline Action Code" = 'Suspension') AND ("- Date"."School Year Desc" = VALUEOF("school_year_desc")))
  ) djm ORDER BY 1, 2 ASC NULLS LAST
  [2012-10-17T18:36:55.000+00:00] [OracleBIServerComponent] [TRACE:2] [USER-23] [] [ecid: c9928ce086f2ff4f:4405c138:13a559973e0:-8000-000000000000f7e9] [tid: 128c] [requestid: 5e40000b] [sessionid: 5e400000] [username: weblogic] -------------------- General Query Info: [[
  Repository: Star, Subject Area: High School KPI, Presentation: High School KPI
  [2012-10-17T18:36:55.000+00:00] [OracleBIServerComponent] [TRACE:2] [USER-18] [] [ecid: c9928ce086f2ff4f:4405c138:13a559973e0:-8000-000000000000f7e9] [tid: 128c] [requestid: 5e40000b] [sessionid: 5e400000] [username: weblogic] -------------------- Sending query to database named SPA (id: <<62064>>), connection pool named Initialization Block Connection Pool: [[
  WITH
  SAWITH0 AS (select T30351.SCHOOL_YEAR_DESC as c2,
  T26564.GRADE_LONG_DESC as c4,
  T26686.SCHOOL_NM as c5,
  T29835.STDNT_WID as c6,
  ROW_NUMBER() OVER (PARTITION BY T30351.SCHOOL_YEAR_DESC, T29835.STDNT_WID ORDER BY T30351.SCHOOL_YEAR_DESC DESC, T29835.STDNT_WID DESC) as c7
  from
  W_GRADE_LEVEL_D T26564 /* KPI_W_GRADE_LEVEL_D */ ,
  W_SCHOOL_YEAR_D T30351 /* KPI_W_SCHOOL_YEAR_D */ ,
  W_ORGANIZATION_D T26686 /* KPI_W_ORGANIZATION_D */ ,
  W_STDNT_ENROLL_SCHOOL_F T29835 /* KPI_W_STDNT_ENROLL_SCHOOL_F */
  where ( T26564.GRADE_LEVEL_WID = T29835.GRADE_LEVEL_WID and T26686.ORGANIZATION_WID = T29835.ORGANIZATION_WID and T29835.SCHOOL_YEAR_WID = T30351.SCHOOL_YEAR_WID and T30351.SCHOOL_YEAR_DESC = '2011-2012' and (T26564.GRADE_LONG_DESC in ('Grade 10', 'Grade 11', 'Grade 12', 'Grade 9')) and (T26686.SCHOOL_NM in ('Central Sr', 'Como Park Sr', 'Harding Sr', 'Highland Park Sr', 'Humboldt Secondary School', 'Johnson Sr', 'Washington Technology Secondary')) ) ),
  SAWITH1 AS (select count(distinct case D1.c7 when 1 then D1.c6 else NULL end ) as c1,
  D1.c2 as c2,
  count(distinct D1.c6) as c3,
  D1.c4 as c4,
  D1.c5 as c5
  from
  SAWITH0 D1
  group by D1.c2, D1.c4, D1.c5),
  SAWITH2 AS (select sum(D1.c1) over (partition by D1.c2) as c1,
  D1.c2 as c2,
  D1.c3 as c3,
  D1.c4 as c4,
  D1.c5 as c5
  from
  SAWITH1 D1),
  SAWITH3 AS (select T30647.SCHOOL_YEAR as c3,
  T26564.GRADE_LONG_DESC as c4,
  T26686.SCHOOL_NM as c5,
  T26023.STDNT_WID as c6,
  ROW_NUMBER() OVER (PARTITION BY T30647.SCHOOL_YEAR, T26023.STDNT_WID ORDER BY T30647.SCHOOL_YEAR DESC, T26023.STDNT_WID DESC) as c7
  from
  W_DISCIPLINE_ACTION_D T29975 /* KPI_W_DISCIPLINE_ACTION_D */ ,
  W_GRADE_LEVEL_D T26564 /* KPI_W_GRADE_LEVEL_D */ ,
  W_KPI_QTR_DAY_D T30647,
  W_ORGANIZATION_D T26686 /* KPI_W_ORGANIZATION_D */ ,
  W_STDNT_DISCIPLINE_F T26023 /* KPI_W_STDNT_DISCIPLINE_F */
  where ( T26023.DISCIPLINE_ACTION_WID = T29975.DISCIPLINE_ACTION_WID and T26023.ORGANIZATION_WID = T26686.ORGANIZATION_WID and T26023.DATE_WID = T30647.DATE_WID and T26023.GRADE_LEVEL_WID = T26564.GRADE_LEVEL_WID and T29975.DISCIPLINE_ACTION_CD = 'Suspension' and (T26564.GRADE_LONG_DESC in ('Grade 10', 'Grade 11', 'Grade 12', 'Grade 9')) and (T26686.SCHOOL_NM in ('Central Sr', 'Como Park Sr', 'Harding Sr', 'Highland Park Sr', 'Humboldt Secondary School', 'Johnson Sr', 'Washington Technology Secondary')) ) ),
  SAWITH4 AS (select count(distinct case D1.c7 when 1 then D1.c6 else NULL end ) as c1,
  count(distinct D1.c6) as c2,
  D1.c3 as c3,
  D1.c4 as c4,
  D1.c5 as c5
  from
  SAWITH3 D1
  group by D1.c3, D1.c4, D1.c5),
  SAWITH5 AS (select sum(D1.c1) over (partition by D1.c3) as c1,
  D1.c2 as c2,
  D1.c3 as c3,
  D1.c4 as c4,
  D1.c5 as c5
  from
  SAWITH4 D1)
  select distinct case when D1.c2 is not null then D1.c2 when D2.c3 is not null then D2.c3 end as c1,
  case when D1.c4 is not null then D1.c4 when D2.c4 is not null then D2.c4 end as c2,
  case when D1.c5 is not null then D1.c5 when D2.c5 is not null then D2.c5 end as c3,
  case when D1.c3 = 0 then NULL else D2.c2 * 100.0 / nullif( D1.c3, 0) end as c4,
  D1.c3 as c5,
  D2.c2 as c6
  from
  SAWITH2 D1,
  SAWITH5 D2
  where ( nvl(D1.c2 , '1') = nvl(D2.c3 , '1') and nvl(D1.c2 , '2') = nvl(D2.c3 , '2') and nvl(D1.c4 , '1') = nvl(D2.c4 , '1') and nvl(D1.c4 , '2') = nvl(D2.c4 , '2') and nvl(D1.c5 , '1') = nvl(D2.c5 , '1') and nvl(D1.c5 , '2') = nvl(D2.c5 , '2') )
  order by c1, c2, c3
  [2012-10-17T18:36:55.000+00:00] [OracleBIServerComponent] [TRACE:2] [USER-18] [] [ecid: c9928ce086f2ff4f:4405c138:13a559973e0:-8000-000000000000f7e9] [tid: 128c] [requestid: 5e40000b] [sessionid: 5e400000] [username: weblogic] -------------------- Sending query to database named SPA (id: <<62434>>), connection pool named Initialization Block Connection Pool: [[
  WITH
  SAWITH0 AS (select T30351.SCHOOL_YEAR_DESC as c2,
  T26564.GRADE_LONG_DESC as c4,
  T26686.SCHOOL_NM as c5,
  T29835.STDNT_WID as c6,
  ROW_NUMBER() OVER (PARTITION BY T30351.SCHOOL_YEAR_DESC, T29835.STDNT_WID ORDER BY T30351.SCHOOL_YEAR_DESC DESC, T29835.STDNT_WID DESC) as c7
  from
  W_GRADE_LEVEL_D T26564 /* KPI_W_GRADE_LEVEL_D */ ,
  W_SCHOOL_YEAR_D T30351 /* KPI_W_SCHOOL_YEAR_D */ ,
  W_ORGANIZATION_D T26686 /* KPI_W_ORGANIZATION_D */ ,
  W_STDNT_ENROLL_SCHOOL_F T29835 /* KPI_W_STDNT_ENROLL_SCHOOL_F */
  where ( T26564.GRADE_LEVEL_WID = T29835.GRADE_LEVEL_WID and T26686.ORGANIZATION_WID = T29835.ORGANIZATION_WID and T29835.SCHOOL_YEAR_WID = T30351.SCHOOL_YEAR_WID and T30351.SCHOOL_YEAR_DESC = '2011-2012' and (T26564.GRADE_LONG_DESC in ('Grade 10', 'Grade 11', 'Grade 12', 'Grade 9')) and (T26686.SCHOOL_NM in ('Central Sr', 'Como Park Sr', 'Harding Sr', 'Highland Park Sr', 'Humboldt Secondary School', 'Johnson Sr', 'Washington Technology Secondary')) ) ),
  SAWITH1 AS (select count(distinct case D1.c7 when 1 then D1.c6 else NULL end ) as c1,
  D1.c2 as c2,
  count(distinct D1.c6) as c3,
  D1.c4 as c4,
  D1.c5 as c5
  from
  SAWITH0 D1
  group by D1.c2, D1.c4, D1.c5),
  SAWITH2 AS (select sum(D1.c1) over (partition by D1.c2) as c1,
  D1.c2 as c2,
  D1.c3 as c3,
  D1.c4 as c4,
  D1.c5 as c5
  from
  SAWITH1 D1),
  SAWITH3 AS (select T30647.SCHOOL_YEAR as c3,
  T26564.GRADE_LONG_DESC as c4,
  T26686.SCHOOL_NM as c5,
  T26023.STDNT_WID as c6,
  ROW_NUMBER() OVER (PARTITION BY T30647.SCHOOL_YEAR, T26023.STDNT_WID ORDER BY T30647.SCHOOL_YEAR DESC, T26023.STDNT_WID DESC) as c7
  from
  W_DISCIPLINE_ACTION_D T29975 /* KPI_W_DISCIPLINE_ACTION_D */ ,
  W_GRADE_LEVEL_D T26564 /* KPI_W_GRADE_LEVEL_D */ ,
  W_KPI_QTR_DAY_D T30647,
  W_ORGANIZATION_D T26686 /* KPI_W_ORGANIZATION_D */ ,
  W_STDNT_DISCIPLINE_F T26023 /* KPI_W_STDNT_DISCIPLINE_F */
  where ( T26023.DISCIPLINE_ACTION_WID = T29975.DISCIPLINE_ACTION_WID and T26023.ORGANIZATION_WID = T26686.ORGANIZATION_WID and T26023.DATE_WID = T30647.DATE_WID and T26023.GRADE_LEVEL_WID = T26564.GRADE_LEVEL_WID and T29975.DISCIPLINE_ACTION_CD = 'Suspension' and (T26564.GRADE_LONG_DESC in ('Grade 10', 'Grade 11', 'Grade 12', 'Grade 9')) and (T26686.SCHOOL_NM in ('Central Sr', 'Como Park Sr', 'Harding Sr', 'Highland Park Sr', 'Humboldt Secondary School', 'Johnson Sr', 'Washington Technology Secondary')) ) ),
  SAWITH4 AS (select count(distinct case D1.c7 when 1 then D1.c6 else NULL end ) as c1,
  count(distinct D1.c6) as c2,
  D1.c3 as c3,
  D1.c4 as c4,
  D1.c5 as c5
  from
  SAWITH3 D1
  group by D1.c3, D1.c4, D1.c5),
  SAWITH5 AS (select sum(D1.c1) over (partition by D1.c3) as c1,
  D1.c2 as c2,
  D1.c3 as c3,
  D1.c4 as c4,
  D1.c5 as c5
  from
  SAWITH4 D1),
  SAWITH6 AS (select case when max(D1.c1) = 0 then NULL else max(D2.c1) * 100.0 / nullif( max(D1.c1), 0) end as c11,
  case when D1.c2 is not null then D1.c2 when D2.c3 is not null then D2.c3 end as c12
  from
  SAWITH2 D1,
  SAWITH5 D2
  where ( nvl(D1.c2 , '1') = nvl(D2.c3 , '1') and nvl(D1.c2 , '2') = nvl(D2.c3 , '2') and nvl(D1.c4 , '1') = nvl(D2.c4 , '1') and nvl(D1.c4 , '2') = nvl(D2.c4 , '2') and nvl(D1.c5 , '1') = nvl(D2.c5 , '1') and nvl(D1.c5 , '2') = nvl(D2.c5 , '2') )
  group by case when D1.c2 is not null then D1.c2 when D2.c3 is not null then D2.c3 end )
  select D2.c11 as c1,
  D2.c12 as c2
  from
  SAWITH6 D2
  order by c2
  Edited by: 965968 on Oct 17, 2012 11:49 AM

• Data level Security in Essbase

  I have an requirement to implement data level security in Essbase. For ex: A user can only see those data which are from Asia region or an user will be able to see those data which are from America.
  Asia and America are defined in my location dimension.
  Please tell me how to do it?
  Regards,
  Suman

  to make your security maintenance easier, I would suggest putting the users into groups and assigning the filters to the group. If you do it at the indivual level, the user can only have one filter assigned to them, but each group could have a different filter. So for someone who should see Americas and Asia have a group calle America and one called asia. put the user into both groups and assign the america filter to the first group and asia filter to the second group

• Group Level Data Level Security not working

  I'm trying to test the data level security at the group level.
  Here's what I did
  1. Went to the security -> Groups -> Permissions -> Filters
  2. In Name added the Fact table on which I want to filter.
  3. Selected "Enable"
  4. In Filter Column I added a filter on a column in the dimension. (I didn't use any session variables in the filter)
  When I create an answers query with the column from the dimension (Which I used in filter) and fact from the fact table where I defined the filter, the filter is not applied..
  Am I missing something in the creation of filters?
  Thanks in Advance.
  Rama.

  Hi,
  If the user is member of both user defined and Administrator group no filter will be applied to them because Administrator group will take precedence and no filter can be applied to Administrator.Even if you ooen Administrator group, you will see that permission tab is disabled for Administrator group.
  Hope this helps.
  Regards,
  Sandeep

• Dashboard prompts are getting cached and not working as per data level security

  Hi,
  Version: OBIEE 11.1.1.5 BP2
     We have dashboard prompts that have data level security defined in RPD - Content tab of an LTS.
  After clearing cache, the dashboard prompt applies the security properly. When another user who has a different security defined, is seeing the same prompt values on clicking the drop down of a prompt and also when they click search prompt popup.
  Issue is, for second user, I do not even see cached query in the session logs. Tried applying the DISABLE_CACHE_HIT=1 in the prompt sql results, no luck.
  But reports are applying the security correctly, issue is with prompts alone.
  Any thoughts on this?
  Thanks,
  Rajesh

  Just for others reference: We disabled caching on the table to avoid this issue.

• Data Level Security implementation question

  I had a quick data-level security scenario and wanted to solicit any input from the experts.
  In our current Subject Area we have one Presentation Layer using one Business Model. In this Subject Area have a Task and Employee Dimension. There is row-level Security on the Task Dimension that is done in the Business Model on the LTS Content tab. There are a batch of reports built off this Subject Area.
  There is now a request to build a new batch of reports, however, they want to now filter on the Employee Table and NOT filter on the Tasks. So the opposite of what has been applied above.
  From my perspective there are only a few ways this Security can be applied
  Business Layer: Basically either create an Alias of Employee and Task or build a second LTS for both. Then create new columns and map to these accordingly. Basically have 2 of each column in the Business Layer. One with Security applied and one without.
  Presentation Layer: Created a second Presentation Subject Area and apply the security at the Presentation Layer and remove it from the Business Layer.
  I know a third option could be put security on the Role/Group but for this case these reports are open to everyone.
  I'd just like to verify from the experts that I may have covered all solutions for this scenario or if there are any other suggestions?
  Thanks!

  Alright...
  If you have two LTS say A & B (basically duplicate) then add a column say LTS Indicator and assign 'A' for LTS A and 'B' for LTS B. Add the fragmentation content and apply the security filter and you can also create two different Presentation folders under same Subject Area if users have Answers Access so that the users know if they are querying for LTS A or LTS B.
  Similarly, build your reports making use of LTS indicators which will BI server to pick correct LTS. Say, where you want LTS A to be picked...use filter of LTS Indicator = 'A' and thats it.