Debug privilege - is it at object level or user level or both?

Similar Messages

• Difference between system level privilege and object level privilege

  hi
  i just want to know the difference between system level privileges and object level privilege.
  please correct me if i am wrong
  with system level privilege user can create objects such as creating tables,view,synonyms etc
  where as in object privilege we can only manipulate operations on object i.e perform dml not ddl
  please help

  Hi,
  810345 wrote:
  hi
  i just want to know the difference between system level privileges and object level privilege.
  please correct me if i am wrong
  with system level privilege user can create objects such as creating tables,view,synonyms etc
  where as in object privilege we can only manipulate operations on object i.e perform dml not ddl There are some system privileges that only concern manipulating objects: SELECT ANY TABLE, for example.
  The main difference is that the system-level privileges tend to cover all objects of a certain type, including objects that haven't been created yet.
  Object-level privileges usually apply only to one specifi object, such as one particular table, and are lost if the object is dropped. (For example, if I create a table called table_x, give you SELECT pivileges on it, then you can query my table. But if I then drop table_x and re-create it, you will not be able to see it unless I grant the privilege again.)

• Object Level Security in OBIEE 11.1.1.5

  Hi All,
  I am trying to implement object level security for certail groups. We have BI Apps 7.9.6.3 implemented in whch obiee 11.1.1.5 is integrated with EBS R12. Users are able to login through diffrent responsiblities to OBIEe. I need insight into how to implement object level security. Below are the steps whihc i have followed but still i am facing strange issues i.e. some users are able to see dashboards which they have no access with view display error. I checked in dashboard permission. They do not have access
  1) Created application roles in OBIEE with the same resposiblity names
  2) Grouped the application roles in diffrent groups. I.e. if application roles a,b,c should have access to dashboard x then i made b and c member of a.
  3) Configured security in manage previleges and catalog for these application roles i.e. i used application role a mentioned in step 2 in manage previleges etc.
  4) Restarted the BI server and presentation servers.
  Are there any other steps which should be followed apart from above mentioned steps. Do i have to make use of groups.
  Regards,
  Sandeep

  Sandeep Saini wrote:
  I checked the inheritance. I did a lot of investigation but it is weird. My purpose of asking the question was to find out if there are any bugs in version 11.1.1.5 otherwise i didn't see any issues.
  There are a couple of bugs related to the issue but I have checked that on 11.1.1.5.5 and its works as expected.
  Bug 13982971 : PERMISSIONS ON WEB CATALOG OBJECTS NOT APPLIED IMMEDIATELY
  In case you see anything like this -> QA:USER WITH NO ACCESS OVER A FOLDER IS ABLE TO RUN ANALYSIS REPORT CONTAINED then [Patch ID 15626966]
  1) I want to check if there are any components i.e. BI server, presentation server or any other service that should be started after creation of application roles. I started only BI server after creating application rolesAny changes made to the Application policies should need a restart of admin and managed server however if you are not creating policies just Roles with similar names OPMN restart should be good to see the changes made.
  2) I made use of application roles throughout in object level security . Is it the correct approach ?Yes that is the right approach to use application roles for defining object level permission settings throught, do not go for catalog groups its makes it nasty to manage. Here is the quote from Sec Guide : " Using catalog groups is not considered a best practice and is available for backward compatibility in upgraded systems."
  3) To check if there are any object level security related bugsThere might be more than once mentioned above since 11.1.1.5 .. I do not trust that version it bites a lot ;)
  And to explain step 2 lets say there are n number of application roles which should have same object level security but diffrent data level security. In that case i made all such application roles member of another application role and configured object level security for that group only. For ex in manage previlege i configured "Access to Answer" for one application group and made other application group member of this group. I hope its clear now .Grouping of Roles with other similar roles is what needs to done to get functionality like catalog groups.However a reference of the 5 basic rules is always a lifesaver : [Rules for Inheritance for Permissions and Privileges|http://docs.oracle.com/cd/E29505_01/bi.1111/e10543/mgrgrpsusers.htm#autoId16]
  Hope this helps.!
  SVS

• Object Level Security in Oracle 10g

  Hi gurus
  Question regarding object level priviliges
  1.Created a schema "TEST" and assigned following privileges
  GRANT CREATE SESSION TO TEST;
  GRANT CREATE ANY TABLE TO TEST;
  2. created a table "Emp"
  Able to alter the table without assigning ALTER ANY TABLE privilege to "TEST
  Why?
  3.Revoked CREATE ANY TABLE privilege
  REVOKE CREATE ANY TABLE FROM TEST;
  I am still able to alter the table "Emp" though not able to create any new table
  Any thoughts on this please.
  How can I restrict a user from ALTERing any of the existing tables?
  Please help.
  Thanks
  newbie

  Hi user570138!
  I'm not sure about your problem with ALTER ANY TABLE but I think that in oracle the owner of a table is able to alter it and you can deny this. Therefor you can do the following:
  1.) Create your TEST-Schema
  2.) Create testtable in TEST-Schema
  3.) Create a public synonym to testtable
  4.) Give another user the privileges needed on testtable (e. g. SELECT, UPDATE, INSERT, DELETE)
  Never let the owner account TEST-Schema work with testtable. This is the only way I know to prevent users altering tables.
  Hope this helps!

• Object Level Security Issue.

  Hi,
  I am facing an issue in applying object level security in OBIA.
  I have successfully done the LDAP authentication.
  In object level, I want to give permission for the currently logged in user to a page of General Ledger dashboard.
  Regarding this I have added the group corresponding to the logged in user through "Manage privilege" and given Access to the Dashboards.
  But after doing this I am getting following error in my report when I ll loggin as the same user.
  "Odbc driver returned an error (SQLExecDirectW).
  Error Details
  Error Codes: OPR4ONWY:U9IM8TAC:OI2DL65P:OI2DL65P
  State: HY000. Code: 10058. [NQODBC] [SQL_STATE: HY000] [nQSError: 10058] A general error has occurred. [nQSError: 27004] Unresolved table: "Financials - GL Balance Sheet". (HY000)
  SQL Issued: {call NQSGetQueryColumnInfo('SELECT "Profit Center"."Profit Center Name", Ledger."Ledger Name", Time."Fiscal Quarter", Time."Fiscal Year" FROM "Financials - GL Balance Sheet"')}
  SQL Issued: SELECT "Profit Center"."Profit Center Name", Ledger."Ledger Name", Time."Fiscal Quarter", Time."Fiscal Year" FROM "Financials - GL Balance Sheet"
  Please suggest me where else I need do any setting.

  Hi,
  Looks like the user does not have access to the presentation table/column, check and see if the group has access.
  See: http://obiee-tips.blogspot.com/2009/09/obiee-security.html
  Regards,
  Matt

• Object Level security not working on OBIEE 11g 11.1.1.7

  Hi,
  I am experiencing problems with object level security applied on application role in 11.1.1.7 version. If i create a user and assign that user to a application role and give that application role permission to Access Answers in Manage previleges, it is not working. If i directly add a user to permission list in Manage previleges section then user is able to access the answers. I added that application role in "Access to Answers" section in Manage previleges section. Permission for Authenticated users is denied.
  We recently upgraded from 11.1.1.5 to 11.1.1.7. Please can someone confirm if it a bug in 11.1.1.7 or it is because of the upgrade process.
  Regards,
  Sandeep

  Hello Sandeep,
  I have just verified the below scenario as you said but didnt find any issue.
  I have just created a User, Group and Applictaion Role under default authentication provider . Assigned user under group and group under newly created application role and provided access to answers for new application role under manage privilages and I am able see it.
  This might not be a 11.1.1.7 bug check it from upgrade end.
  Regards,
  Srikanth

• Error in object level routine used in transformation to remove special char

  Hi,
  I have written a code to remove special characters (#,!) at the object level. However i am getting this error
  "You cannot use the current statement between "CLASS ... DEFINITION" and "ENDCLASS" ".How do i remove this error? Please help.
  Thanks.

  DATA:
    ch1(32) TYPE x VALUE
    '00200120022003200420052006200720082009200A200B200C200D200E200F20',
    ch2(32) TYPE x VALUE
    '10201120122013201420152016201720182019201A201B201C201D201E201F20',
    ch3(60) TYPE c VALUE
    '¿ ° ± ² ³ ´ µ ¶ · ¸ ¹ º » ¼ ½ ¾ ¡ ¯ ® ¢ £ ¤ ¥ ¦ § ¨ © ª « ¬ '.
  DATA:
    ch4(90) TYPE c VALUE
    'ø ÷ æ ß  ? ? ? ? ? ? ? ? ? ? ? ! ~ `  #'.
  FIELD-SYMBOLS:  TYPE c.
  DATA: l_ZPWRKCTY TYPE /BIC/OIZPWRKCTY,
        l_ZPSTNAMe TYPE /BIC/OIZPSTNAME.
  l_ZPWRKCTY = SOURCE_FIELDS-FIPS_NAME.
    translate l_ZPWRKCTY to upper case.
       RESULT = l_ZPWRKCTY.
    CONDENSE RESULT.
  Exclamation mark is not permitted as a first symbol of the field
  content
    IF RESULT(1) = '!'.
      RESULT(1) = ' '.
    ENDIF.
    CONDENSE RESULT.
  The only # sign is not permitted
    IF STRLEN( RESULT ) = 1.
      IF RESULT(1) = '#'.
        RESULT(1) = ' '.
      ENDIF.
    ENDIF.
  Replace Invalid Characters by SPACE
    ASSIGN ch1 TO .
    TRANSLATE RESULT using ch3.
    TRANSLATE RESULT using ch4.
    CALL FUNCTION 'SCP_REPLACE_STRANGE_CHARS'
      EXPORTING
        INTEXT                  = RESULT
     IMPORTING
       OUTTEXT                = RESULT.
  Remove leading and trailing blanks if any
    CONDENSE RESULT.

• Validation at View Object level and not Enity Object

  How would you create validation logic at the view object level and not at the entity object level? I have many VOs that reference the same EO and want some validation logic to be applied only to certain VOs.
  Thanks,
  Quoc

  My use case for this is to perform form validation inputted by the user via a JSPX page.

• How to put validation between attributes at View Object level in BC4J

  Hi,
  Is it possible in BC4J to put validation between attributes at View Object level?
  I know that I can do it at Entity Object level in validateEntity method, but I have several View Objects connected with one Entity Object and don't want to have the same validation logic for all View Objects.
  Thanks for any help!

  It returns errorWhat error does it return?
  John

• How to get object level security in Universe?

  Hi,
  I need to get the object level security for an Universe. I'm able to get the list of objects and its security access level (Public / Controlled / Restricted / Confidential / Private / )  from the (.Unv) file using the Designer SDK.
  But I need to get the list of users who has the object level security in the universe. In the CMC, by clicking the Universe and click on the Object Level Security tab, we can see the list of users there.
  I need to get the same using BOE SDK.
  I have used the following query to get the universe from the repository,
  "select * from ci_appobjects where si_kind='universe' "
  But I'm not able to get the list of users having obj. level security for that universe.
  Kindly help me to proceed.
  Thanks.

  The access security level is encapsulated in the SI_KIND='Overload' object. 
  Look for those types of objects, and the doc for the Overload class.
  An Overload references the Universe to which it's associated, and User/UserGroup objects are associated with the Overload via SecurityInfo.
  Sincerely,
  Ted Ueda

• ORA-01039:Insufficient Privileges on the Underlying Objects of the View

  Hi,
  I have a Query where it is using (SELECT name from v$DATABASE as a Inline View).
  But when my running the Explain Plan in Toad it is giving the Error as
  'ORA-01039:Insufficient Privileges on the Underlying Objects of the View'
  Any help will be appreciable
  Thanks and Regards

  you need SELECT ANY DICTIONARY privelage Below is a small demonstration.
  First iam connecting as a SYSDBA and doing an explain plan on v$database.
  SQL*Plus: Release 9.2.0.1.0 - Production on Mon Sep 1 12:36:53 2008
  Copyright (c) 1982, 2002, Oracle Corporation.  All rights reserved.
  Enter user-name: akivadba/akivadba@akivatst as sysdba
  Connected to:
  Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - Production
  With the Partitioning, OLAP and Data Mining options
  SQL> set linesize 250
  SQL>
  SQL> explain plan for select * from v$database
    2  /
  Explained.
  SQL> select * from table(dbms_xplan.display)
    2  /
  PLAN_TABLE_OUTPUT
  Plan hash value: 735420252
  | Id  | Operation            | Name     | Rows  | Bytes | Cost (%CPU)| Time     |
  |   0 | SELECT STATEMENT     |          |   100 | 77200 |     0   (0)| 00:00:01 |
  |   1 |  MERGE JOIN CARTESIAN|          |   100 | 77200 |     0   (0)| 00:00:01 |
  |*  2 |   FIXED TABLE FULL   | X$KCCDI  |     1 |   710 |     0   (0)| 00:00:01 |
  |   3 |   BUFFER SORT        |          |   100 |  6200 |     0   (0)| 00:00:01 |
  |   4 |    FIXED TABLE FULL  | X$KCCDI2 |   100 |  6200 |     0   (0)| 00:00:01 |
  Predicate Information (identified by operation id):
     2 - filter("DI"."INST_ID"=USERENV('INSTANCE'))
  16 rows selected.No problem till now every thing is fine. Now iam connecting as a normal user and doing the same.
  SQL> connect
  Enter user-name: sysadm/sysadm@akivatst
  Connected.
  SQL>
  SQL> explain plan for select * from v$database
    2  /
  explain plan for select * from v$database
  ERROR at line 1:
  ORA-01039: insufficient privileges on underlying objects of the viewLook i got the insufficient privileges error. Now let me grant the required privileges.
  SQL> connect
  Enter user-name: akivadba/akivadba@akivatst as sysdba
  Connected.
  SQL> GRANT SELECT ANY DICTIONARY TO SYSADM
    2  /
  Grant succeeded.Now connect back to the user and try again.
  SQL> connect
  Enter user-name: sysadm/sysadm@akivatst
  Connected.
  SQL> explain plan for select * from v$database
    2  /
  Explained.
  SQL> select * from table(dbms_xplan.display)
    2  /
  PLAN_TABLE_OUTPUT
  Plan hash value: 735420252
  | Id  | Operation            | Name     | Rows  | Bytes | Cost (%CPU)| Time     |
  |   0 | SELECT STATEMENT     |          |   100 | 77200 |     0   (0)| 00:00:01 |
  |   1 |  MERGE JOIN CARTESIAN|          |   100 | 77200 |     0   (0)| 00:00:01 |
  |*  2 |   FIXED TABLE FULL   | X$KCCDI  |     1 |   710 |     0   (0)| 00:00:01 |
  |   3 |   BUFFER SORT        |          |   100 |  6200 |     0   (0)| 00:00:01 |
  |   4 |    FIXED TABLE FULL  | X$KCCDI2 |   100 |  6200 |     0   (0)| 00:00:01 |
  Predicate Information (identified by operation id):
     2 - filter("DI"."INST_ID"=USERENV('INSTANCE'))
  16 rows selected.
  SQL>Thanks,
  Karthick.
  Edited by: karthick_arp on Sep 1, 2008 12:21 AM

• Create master on object level?

  Is there a way to create the same concept of a master on an object (or grouping of objects) level? I'm looking to put several objects on a page (shapes, text, images), group them, and reuse them. I am aware you can do this by using object libraries or exporing snippet files. However, when I make updates to the group, I'd like for it to retroactively update all instances of that group. I don't want to save the group as a flat image and link it, because I'd also like the ability to unlink an instance of the object (or object grouping) so I can edit that single instance without making changes to any other instances of that object (or object grouping).
  Please let me know if there is anyway to achieve this, even if it requires a work-around. Thanks!

  If you have CS6 or CC, you can use the Content Collector
  http://helpx.adobe.com/indesign/using/linked-content.html

• Object Level security by creating catalog groups in OBIEE-10G

  Hi All,
  I have a requirement to display the dashboard based on the user login. Ex. Mike belongs to HR, Smith belongs to Accounts
  When Mike logs in he should see only these three dashboards. HR View, Common data1, common data2. When Smith logs in he should see only these three dashboards. Accounts view, Common data1, commondata2.
  The commondata1 and commondata2 dashboards has common reports for all the departments. The other dashboards are department specific with all different reports. How can I implement this?
  From one of my earlier posts I was advised to do it using Object Level security by creating catalog groups. Can you please provide me end to end instructions on how to create Object level security based on catalog groups.
  Thanks for your time and help.

  Hi,
  Mike to HR
  Smit - Account
  Yes, You achive by Object Level security by creating catalog groups
  1) Create Catalog group and users in RPD part(Ex: Account_grp,HR_grp)
  2)assign user to that particular group(let say Ex: Account_grp= Smith and HR_grp=Mike )
  3) login (Admin user id ) into dashboard page and --->mange dashboard page -->add users to that particular
  dashboard to relevent users and save it then
  try to login that mike and smith user it will work
  kindly refer below link
  http://www.rittmanmead.com/2010/01/obiee-10g-web-catalog-best-practices/
  http://www.rittmanmead.com/2007/05/obiee-and-row-level-security/
  thanks
  Deva

• Setting permissions at entity object level using JAAS and LDAP

  Hi,
  I am using ldap-based provider for authorizaton. Every thing works fine. Authorization works fine based on the roles created in web.xml file.
  Could you please let me know how I can define permissions at entity object level when using ldap based provider.
  Following line is the permission created for an entity object (SpcStrBdgt) when using XML-based provider.
  <permission>
       <class>oracle.jbo.server.security.jazn.JboJAZNEntityPermission</class>                    <name>model.SpcStrBdgt/READONLY</name>
  </permission>
  Above is defined in jazn-data.xml file.How can I define the same thing when using ldap-based provider?
  Thanks,
  Seatre

  Hi,
  There is an enhancement request Bug2692994 for this feature.
  Thanks,
  Yvonne

• Viewing Object-Level Permissions that are Granted in a Schema

  I have a user A and user B in my database. User B has around 1000 objects that constist of tables, views triggers, procs, packages, etc. We need to verify that user A was not explicity granted any write permissions on objects in user B's schema. What query and tables would give me insight into the object-level permissions that would have been granted on user B's objects?
  Thank you in advance!

  user11340104 wrote:
  I have a user A and user B in my database. User B has around 1000 objects that constist of tables, views triggers, procs, packages, etc. We need to verify that user A was not explicity granted any write permissions on objects in user B's schema. What query and tables would give me insight into the object-level permissions that would have been granted on user B's objects?
  Thank you in advance!appropriate code is available at URL below
  http://www.petefinnigan.com/tools.htm