Datalevel security In Obiee11g

Hi,
How will we do data level security if we have 4 groups (A, B, C, D), with 10 users in each group? If a group A user logs in and runs a report, he can see 5000 records in the report; if a group B user logs in, he can see 8000; a group C user can see 10000 records; and a group D member can see 12000 records. How will we do this?
If possible, give me a bit of a detailed answer.

Please follow the below steps to configure Data Level Security in OBIEE11g.
1. Log in to Console and try to use the existing groups BIConsumers, BIAuthors and BIAdministrators if suited to your requirements. If not, create new groups based on your requirement.
2. Add the users to the group.
3. Log in to EM. Use the existing roles if applicable; if not, create new roles and assign proper roles like BIAuthor, BIConsumer, and add the corresponding groups created at step 1.
4. Now open the RPD in online mode and go to Manage -> Identity and then Action -> Synchronize Application Roles. Now in the Application Roles tab in the Identity Manager window you will see that the new Application Roles created in EM are present.
5. Now open the properties of the Application Roles and click Permissions and then Data Filters, and specify the Data Filters for the corresponding columns in the corresponding Subject Areas.
6. In the Data Filters you can have a hard-coded value on the right side; if not, you can have a Session initialization block with a SQL query which gets the corresponding site/region information from a database table and stores the value into a non-system session variable as a single value of row-wise initialization variable.
Once you are done with this, save your changes in the RPD and then reload metadata services in the Administration tab in Analytics and re-login. Now you'll see Role Based Dashboards. You can verify the roles and groups that you are part of in My Account -> Catalog Groups and Catalog Roles...
Thanks
Sampat
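
A simulation of step 6 applied to the four groups from the question, added here as an illustration (it is not code from the thread or from Oracle). The tables `user_group`, `group_region` and `sales`, the variable name `REGION` and the user names are hypothetical; SQLite stands in for the source database, and a user with no mapping gets no rows.

```python
import sqlite3

# Constructed sample data: region sizes are chosen so the four groups from the
# question see 5000, 8000, 10000 and 12000 rows respectively.
REGION_ROWS = {"R1": 5000, "R2": 3000, "R3": 2000, "R4": 2000}
GROUP_REGIONS = {"A": ["R1"], "B": ["R1", "R2"],
                 "C": ["R1", "R2", "R3"], "D": ["R1", "R2", "R3", "R4"]}
USERS = {"alice": "A", "bob": "B", "carol": "C", "dave": "D"}

# Shape of a row-wise initialization block query: column 1 names the session
# variable, column 2 supplies one value per row. OBIEE substitutes ':USER'
# into the SQL text; this simulation binds the user as a parameter instead.
INIT_BLOCK_SQL = """
    SELECT 'REGION', gr.region
    FROM user_group ug
    JOIN group_region gr ON gr.group_name = ug.group_name
    WHERE ug.user_id = ?
"""

def build_db():
    """Create the hypothetical mapping tables and a fact table in memory."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE user_group (user_id TEXT PRIMARY KEY, group_name TEXT);
        CREATE TABLE group_region (group_name TEXT, region TEXT);
        CREATE TABLE sales (id INTEGER PRIMARY KEY, region TEXT);
    """)
    db.executemany("INSERT INTO user_group VALUES (?, ?)", list(USERS.items()))
    db.executemany("INSERT INTO group_region VALUES (?, ?)",
                   [(g, r) for g, regions in GROUP_REGIONS.items() for r in regions])
    db.executemany("INSERT INTO sales (region) VALUES (?)",
                   [(r,) for r, n in REGION_ROWS.items() for _ in range(n)])
    return db

def init_session(db, user):
    """Run the init block at login and collect a multi-valued variable."""
    session = {}
    for name, value in db.execute(INIT_BLOCK_SQL, (user,)):
        session.setdefault(name, []).append(value)
    return session

def run_report(db, session):
    """Apply the data filter (region must be in the session's REGION values)."""
    regions = session.get("REGION", [])
    if not regions:
        return 0  # fail closed: an unmapped user sees nothing, not everything
    marks = ", ".join("?" for _ in regions)
    sql = f"SELECT COUNT(*) FROM sales WHERE region IN ({marks})"
    return db.execute(sql, regions).fetchone()[0]

def rows_visible(user):
    db = build_db()
    try:
        return run_report(db, init_session(db, user))
    finally:
        db.close()

if __name__ == "__main__":
    for u in list(USERS) + ["mallory"]:
        print(u, rows_visible(u))
```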

Similar Messages

  • Row level Security in obiee11g

    Hello
    I am trying to implement Row Level security for some 10,000 users based on the Cost Centers, which are about 30,000. I know how to implement the data level security using groups and application roles and creating security filters on those groups.
    But there are two issues I am facing:
    1. The number of cost centers is huge, i.e. 30,000. So creating this many groups doesn't seem feasible. Is there any other approach?
    2. Cost center has got level based hierarchies having 20 levels and is a ragged hierarchy. There are some users who have access to a Parent level node and there are some having access to child level cost centers. What I believed is that for users having access to Parent level, I can assign all the child level cost centers and the security will roll up to provide access to the Parent node (like you have access to California and Florida so automatically you get access to US (Cal + Flo)).
    But the issue is there could be one user who will have access to the Top level, so I will have to assign all the cost centers (30,000) so that he can get access to the Total Cost Centers. There could be other Managers who will have respective Parent Cost center access, leading to assigning them to say 5000 - 10000 cost centers. My fact contains the leaf level cost centers.
    Is there a better approach to handle this.

    Hi,
    You can try to model your security requirement similar to Position-Based Security in OBIA.
    Check *7.5.1 Primary Position based Security*
    http://docs.oracle.com/cd/E10783_01/doc/bi.79/e10742/security.htm
    Thanks

  • DataLevel Security

    Hi,
    Can anyone tell me how to provide data level security in OBIEE?
    Suppose I want a user (example: Venkat) to see only the east region data, without access to the whole data. Then how can we provide security?

    Hi,
    Also, you can implement this in the RPD by creating groups and applying filters over the groups, as shown in the blog below,
    http://www.rittmanmead.com/2007/05/13/obiee-and-row-level-security/
    Thanks,
    Vino

  • Datalevel security in Ldap

    Hi Experts,
    I have one doubt.
    When we are using LDAP Security, how should we give Data level security for a single user?
    Can you please explain this in detail with an example.
    thanks in advance
    Regards,
    Jel

    Hi,
    Once LDAP is working, you will be able to see AD users in the RPD (identity user list); here you can just apply data level security.
    Let's say userA is the AD user, once it shows in the RPD.
    Steps to set up data filters to apply row-level authorization rules for queries:
    1)
    Go to your repository in the Administration Tool--->
    Select Manage, then select Identity.--->
    In the Identity Manager dialog, in the tree pane, select BI Repository.-->
    In the right pane, select the Users tab, then double-click any one AD user for which you want to set data filters.
    (If you are not able to find the AD user, just set the online filter and put * in it, then it will show up.)
    2) In the Application Role dialog, click Permissions.
    In the User Role Permissions dialog, click the Data Filters tab.
    To create filters, you first add objects on which you want to apply the filters. Then, you provide the filter expression information for the individual objects.
    For example,
    a filter like "Sample Sales"."D2 Market"."M00 Mkt Key" > 5 to restrict results based on a range of values for another column in the table.
    You can also use repository and session variables in filter definitions. Use Expression Builder to include these variables to ensure the correct syntax.
    Note: my suggestion is that it is better to set application-role-wise security (if you go with user-level data security, maintenance becomes strange in future).
    Kindly refer the below (similar way for AD users)
    http://gerardnico.com/wiki/dat/obiee/security_level#data
    http://obieeblog.wordpress.com/category/obiee/obiee-security/
    http://www.rittmanmead.com/2012/03/obiee-11g-security-week-row-level-security
    http://oraclebizint.wordpress.com/2008/06/30/oracle-bi-ee-1013332-row-level-security-and-row-wise-intialized-session-variables/
    Thanks
    Deva

  • How can you provide datalevel security on perticular user when using

    hi all
    How can we provide data level security for a single user when using external table authentication?
    Again, we have created one more group in the RPD and we have assigned the user to that group.
    So, is there any other way to do it?
    Thanks
    sreedhar

    Hi,
    If it is to restrict that user from viewing some data, then there is no need to place him in a separate group. You can achieve this...
    High priority is for restriction.
    Let's take group Test with two users, test1 and test2. These two users are under the Test group.
    I applied data level security for only one user, test1 (restricted him to view market not equal to Central Region), but didn't apply data level security for test2.
    Now I added the group to the presentation catalog and gave permission to the dashboard showing the Market report.
    When test1 logs in he can see all markets except Central Region, whereas when test2 logs in he can view all regions including Central Region.
    Here the Test group has full access, so test2 can view all regions, but user test1 is restricted for some value, and it's working fine.
    If you want to apply data level security to a user so that he does not view some data, then you can maintain that user in a group with many other users and achieve it. The above example shows it.
    If it is to restrict the whole group from viewing the dashboard and make a single user in the group view some data in the dashboard, then it's not possible (priority is for restriction) in this way; in this case it's better to create a new group for that user and assign him.
    Regards,
    Srikanth

  • Data level and object level security how can we implement in the obiee11g

    How can we implement the data level security in obiee11g,

    Concept is more or less same as in 10g
    Data level
    http://www.rittmanmead.com/2012/03/obiee-11g-security-week-row-level-security/
    Object level
    http://docs.oracle.com/cd/E28271_01/bi.1111/e10543/intro.htm#BABHDGGB
    Mark if helps
    Edited by: Srini VEERAVALLI on Mar 5, 2013 6:48 AM

  • Access Control Mechanism (data level security) not working properly

    Hi Experts,
    I have done datalevel security for groups by help of a database table. This table contains UserId, Dept. code, GroupName column. UserID are verified by LDAP server during logging into Dashboard. I have made two init blocks for GroupName and Dept.Code .
    Query is :
    SELECT 'Group', GroupName from TABLE
    Where
    UserId = ':USER'
    A similar query is for Dept Code.
    There are two groups: 1. CC_User 2. Full_User. I have applied a filter in PERMISSIONS for CC_User on the Fact table on Dept Code. So, a user in this group may see data for the Dept Code aligned to him in the table. All_User may see whole data for all Dept Codes as NO filter is applied on this group.
    Dept Code, UserId and GroupName are Varchar.
    Now the problem is this: when a user has membership of one group, it works fine. For CC_user it shows data for its Dept Code and All_user may see whole data.
    But when a user has permission of both the groups, only data related to the CC_User group is visible. But, in my view, the maximum permission out of both groups must be applied to the user if he belongs to more than one group.
    So, here, he must see whole data, as the All_user group can see full data.
    Does least restrictive permission happen in case of membership of more than one group in OBIEE?

    848839 wrote:
    Does least restrictive permission happen in case of membership of more than one group in OBIEE.
    Indeed it does. The most restrictive filters get applied if a user belongs to multiple groups that have filters at various levels of data because it's always an AND clause in the where condition. This is the sort of behavior in various tools I have seen apart from OBIEE.
    Hope this helps.
    Regards,
    -Amith.

  • Data level security for Dashboard pages.

    Hi all,
    I have a question.I want to apply data level security to the data in Dashboard pages .
    Any Answers.
    Thanks Sunny.

    Thanks Srikanth and Aravind .
    I have studied about the data level security for dashboards.
    My question is: is there any way to apply data level security to dashboard pages? Like if dashboard D1 has pages p1, p2, p3
    and we want to implement data level security on a page, is that possible?
    Thanks
    Sunny.

  • Object Level Security,Data Level Security&Row level Security

    can anyone explain main difference between "Object Level Security,Data Level Security & Row Level Security " and how to implement.
    Thanks in advance,
    Kumar

    Hi Kumar
    Dashboards, Reports, Guided Navigation Links, Texts and briefing books are all Dashboard OBJECTS which are available at the UI level of OBIEE. If you restrict them, say User 'A' wants to see 2 Dashboards and User 'B' wants to see 1 Dashboard, these settings and permissions you are restricting at Object level are called Object Level Security.
    Similarly, data level security is restriction of Data. Consider the same example above, where User 'B' wants to see 2-3 regions' data whereas User A will see only Single Region Data, which you will do/restrict at logical tables, using variables.
    Row level security: http://groups.google.com/group/obiee-enterprise-methodology/browse_thread/thread/131ee938a5aefde0 refer this link, clearly explains you
    Please mark Correct or helpful if this clears

  • OBIEE11g Implement Security on Value Based Hierarchy

    Hi All,
    I have a requirement to implement a security on hierarchical values on parent child hierarchy.
    Ex. Manager -> Employee -> Employee.
    Here, based on security requirement, Manager/Employee can see the respective hierarchy. If user is at 2nd Level, when he sees the data, hierarchy should start only from Employee -> Employee.
    What I have observed is that, P-C hierarchy/closure data push hierarchy starting from the TOP level only.
    Please suggest if there are any alternatives.

    Hi Patrick, I'm working on similar requirement. Have you managed to implement it?

  • Security for value based hierarchy OBIEE11G

    Hello All
    I have a value based hierarchy where the structure is
    EMP 1 -> EMP 2
                    EMP 3
    EMP 2 -> EMP 4
                   EMP 5
                   EMP 6
    I have implemented a parent child hierarchy and it works fine, and I am trying to implement row level security. Can you please advise.
    1) When emp1 logs in, he/she is able to see all employees
    2) When emp2 logs in, he/she is able to see emp2 and the reportees 4, 5, and 6
    3) When emp3 logs in, he is able to see only his information.
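
    The three rules in this post amount to "a user sees their own node and everything beneath it"; the same derivation lets one assignment to a parent cost center stand in for thousands of leaf assignments in the cost-center thread above. The following is an added illustration, not code from the thread and not an OBIEE feature: the `hierarchy` and `facts` tables and the amounts are constructed, and SQLite stands in for the source database.

```python
import sqlite3

# Constructed data: (employee, manager) pairs for the hierarchy in the post,
# plus one fact row per employee.
EDGES = [("EMP1", None), ("EMP2", "EMP1"), ("EMP3", "EMP1"),
         ("EMP4", "EMP2"), ("EMP5", "EMP2"), ("EMP6", "EMP2")]
FACTS = [("EMP1", 10), ("EMP2", 20), ("EMP3", 30),
         ("EMP4", 40), ("EMP5", 50), ("EMP6", 60)]

# Recursive CTE: start at the logged-in user's own row, then walk down to all
# reportees. UNION (not UNION ALL) discards rows already seen, so the walk
# terminates even if the hierarchy data contains a cycle. Anchoring on the
# hierarchy table means an unknown user yields an empty set (fail closed).
SUBTREE_CTE = """
WITH RECURSIVE subtree(emp) AS (
    SELECT emp FROM hierarchy WHERE emp = ?
    UNION
    SELECT h.emp FROM hierarchy h JOIN subtree s ON h.manager = s.emp
)
"""

def build_db(edges=EDGES, facts=FACTS):
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE hierarchy (emp TEXT PRIMARY KEY, manager TEXT);
        CREATE TABLE facts (emp TEXT, amount INTEGER);
    """)
    db.executemany("INSERT INTO hierarchy VALUES (?, ?)", edges)
    db.executemany("INSERT INTO facts VALUES (?, ?)", facts)
    return db

def visible_employees(user, edges=EDGES):
    """Employees whose rows the given user may see: self plus all reportees."""
    db = build_db(edges)
    try:
        rows = db.execute(SUBTREE_CTE + "SELECT emp FROM subtree ORDER BY emp",
                          (user,))
        return [r[0] for r in rows]
    finally:
        db.close()

def visible_total(user):
    """Fact total after the row-level restriction is applied."""
    db = build_db()
    try:
        sql = SUBTREE_CTE + ("SELECT COALESCE(SUM(f.amount), 0) "
                             "FROM facts f JOIN subtree s ON s.emp = f.emp")
        return db.execute(sql, (user,)).fetchone()[0]
    finally:
        db.close()

if __name__ == "__main__":
    for u in ("EMP1", "EMP2", "EMP3", "EMP9"):
        print(u, visible_employees(u), visible_total(u))
```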

  • OBIEE11g Security

    Please help me with the information!!
    What exactly is the difference between Users/Groups vs Catalog Groups vs Application Roles
    We recently upgraded from 10g to 11g environment
    We were having external table Authentication in 10g.
    We have a Super user group which has all privileges (create analysis/dashboard) like weblogic.
    After the upgrade I was testing with one of the users from that Power group but he could not create an analysis/Dashboard (when I click "New" I could not see Analysis/Dashboard) etc.
    Let me know what makes it behave like this. I am not familiar with the weblogic security architecture!!
    Thanks
    NK

    Hi NK,
    You need to remember two things Authentication and Authorization
    Authentication where in 11g happens through external table itself (initialization block) when it comes to authorization the groups (no longer supported directly in rpd) you should assign the groups to default application roles . For example superuser has to assign to BI Administrator/BI author role in weblogic itself to get a privilege of creating analysis,dashboard & assigning permissions
    http://www.varanasisaichand.com/2011/09/external-table-authenticationorder-of.html
    thanks,
    Saichand

  • OBIEE Security 10g to 11g: Groups

    I had a Security scenario that I wanted to throw out to the forum...
    In 10g, we made use of the GROUP system variable to pull a users group membership from a database table. This was a Session Variable initialized upon each login.
    Data-level and object-level security was different for each group.
    In our environment users had the ability to switch groups, so they could be active in one of the groups and inactive in the others. We provided a form (WriteBack) that allowed them to set what group they wanted to be active for. They would then log out and log back in and have their new group assignments.
    In the Session Variable this was done by pulling in only groups that were flagged as Active. This worked great as it was done at the Session level. So I could log in once and see Dashboard A, switch my role, then log back in and NOT see Dashboard A.
    I know 11g still has the concept of WEBGROUPS, that would mimic the above, but my understanding is that Oracle is pushing the use of Application Roles.
    My question is how would the above behavior be ported over to 11g using Application Roles? I didn't think the population of an Application Role was Session Based; my belief is that it is populated when the Admin Server/Managed Servers are brought up, pulling from the applicable Security Provider.
    Edited by: DustinC on Jan 19, 2012 1:29 PM
    Edited by: DustinC on Jan 20, 2012 3:54 PM
    Edited by: DustinC on Jan 22, 2012 12:45 PM
    Edited by: DustinC on Jan 23, 2012 11:40 AM

  • Security question in obiee 11g

    Hi,
    I have a question on security configuration on what we have in 10 and deploying to 11g.
    Q1. how deploy external database security(users, groups) to OBIEE 11g.
    we used external database security in 10g. all the users and groups maintained in database and obiee rpd has security groups. repository has group information only so it is deployed groups information to obiee 11g by upgrade assistant but how can it deploy users in external database?
    Q2. all the users and roles in LDAP server. in this case how obiee 11g read users and group information?
    Thanks
    Jay.

    Q1. how deploy external database security(users, groups) to OBIEE 11g.
    we used external database security in 10g. all the users and groups maintained in database and obiee rpd has security groups. repository has group information only so it is deployed groups information to obiee 11g by upgrade assistant but how can it deploy users in external database?
    Solution:
    http://www.varanasisaichand.com/2011/09/external-table-authenticationorder-of.html
    http://www.rittmanmead.com/2012/03/obiee-11g-security-week-connecting-to-active-directory-and-obtaining-group-membership-from-database-tables/
    http://obieeblog.wordpress.com/2009/06/18/obiee-security-enforcement-%E2%80%93-external-database-table-authorization/
    Q2. all the users and roles in LDAP server. in this case how obiee 11g read users and group information?
    Obiee11g is integrated with weblogic fusion middleware (Console, EM). That console has a feature to enable multiple LDAP authentication.
    While configuring AD via the weblogic console we need to give the users and group info.
    Solution refer:
    http://obieeelegant.blogspot.com/2012/01/obiee-11g-integration-with-ldap.html
    http://docs.oracle.com/cd/E23943_01/bi.1111/e10543/privileges.htm#BABCDCFE
    Thanks
    Deva

  • Obiee11g upgrade: Preventing authenticated-user from accessing obiee system

    HI Gurus,
    We have a problem regarding security and request your inputs. Please see the issue below:
    Current Situation:
    We have successfully integrated OBIEE11g with our enterprise MS Active Directory. With the current setup, any user in the company will be successfully authenticated by MSAD and he/she is able to log in to obiee and reach the new bieehome page. I want to prevent this.
    Expected:
    Only users who belong to certain AD Groups should be able to access obiee.
    How do I prevent this? In our MSAD we have AD groups built to identify OBIEE users. These AD groups are prefixed with OBIEE_ (Ex: OBIEE_Marketing etc). Only the users who belong to these groups should be allowed to log in.
    In 10g, we made use of privileges to explicitly grant access to obiee. We made use of privileges like 'Access to Dashboard' etc. As a result, even if a user is successfully authenticated by LDAP MSAD, he won't be able to reach obiee dashboards if he is not a member of a designated GROUP. In 11g, since there is a new page called 'BIEE HOME', non-authorized users are able to reach this page.
    Any help would be highly appreciated
    --Joe

    I have created an SR with Oracle and as per the responses I got, it looks like this is an issue as there is no way to restrict access to bieehome page.
    Anyone has any workarounds? This is really holding up our 11g release
    --Joe
