Defining security on a dimension based on a role

Similar Messages

• How to define an aggregation rule for a dimension based on bridge table?

  Hello,
  I need a solution for aggregating data correctly when using a dimension based on a set of dimensione tables containing a bridge table. Please find below a description of my business case and the OBIEE model which I’ve created thus far.
  Business Case
  The company involved wants to report on the number of support cases, the different types of actions that were taken and the people involved in those actions. One support case will undergo a number of actions (called ‘handelingen’) until it is closed. For each action at least one person is involved performing a specific role, but there can also be multiple persons involved with 1 action, each performing a different role for that action. This is the N : N part of the model.
  The problem that I face is visible in the two pictures below:
  http://i84.photobucket.com/albums/k24/The_Dutchman_2006/OBIEE/sample.png
  As long as I don’t include anything from the Dimension Meelezer in my report, I get the correct number of handelingen (7). When I include the person (called ‘Meelezer’), the measuere per action is multiplied by the number of persons/roles involved with that action.
  When I changed the Aggregation rule in the report column #Handelingen to ‘Server Complex Aggregate’ I do get the correct endtotal:
  http://i84.photobucket.com/albums/k24/The_Dutchman_2006/OBIEE/sample2.png
  I believe it should be possible to define in the repository a different aggregation rule for individual dimensions, but I’ve not been able to achieve this.
  Explained below is what I have created in my Physical and Business Model & Mapping layers:
  The Physical Model is built like this:
  (This is just a small part of a much larger physical model, but I’ve only included the most relevant tables)
  http://i84.photobucket.com/albums/k24/The_Dutchman_2006/OBIEE/PhysicalDiagram-1.png
  The Fact table (ALS Feit Zaakverloop) contains FK’s for the action (FK_HANDELING, joined to ALS Dim Handeling), the date the action took place (FK_DATUM_ZAAKVERLOOP, joined to ALS Dim Datum Zaakverloop) and the uniqe group of people involved (FK_MEELEZERS, joined to ALS Groep Meelezers) and a measure column (SUM_HANDELINGEN) populated with the value ‘1’ for each row.
  The Bridge table (ALS Brug Meelezer/Reden Meelezen) contains three FK’s: FK_GR_MEELEZERS (joined to ALS Groep Meelezers), FK_MEELEZER (joined to ALS Dim Functionaris) and FK_REDEN_MEELEZEN (joined to ALS Dim Reden Meelezen).
  The Business Model
  In the business model, the four physical tables for the N:N relation have been combined into one logical dimension table.
  http://i84.photobucket.com/albums/k24/The_Dutchman_2006/OBIEE/BusinessModel-1.png
  DIM Meelezer contains one LTS in which the four physical tables have been combined:
  http://i84.photobucket.com/albums/k24/The_Dutchman_2006/OBIEE/LTS1.png
  And all the required locical columns have been created:
  http://i84.photobucket.com/albums/k24/The_Dutchman_2006/OBIEE/LTS2.png
  DIM Meelezer has also been identified as a bridge table and a Business Key has been defined on a combination of the FK’s in the bridge table and business codes of the two dimension tables.
  http://i84.photobucket.com/albums/k24/The_Dutchman_2006/OBIEE/BMDIM.png
  Next a hierachy was created for Dim Meelezer:
  http://i84.photobucket.com/albums/k24/The_Dutchman_2006/OBIEE/Hier.png
  In Feit Zaakverloop, a measurement called ‘# Handelingen’ was created using SUM_HANDELINGEN, with an aggregation rule of SUM.
  In the LTS of both the DIM Meelezer and Feit Zaakverloop, the Logical Content Levels have both been set to: LVL Detail – Meelezer.
  Please provide suggestions that will NOT require changes to the physical datamodel as they would require too much time to achieve (or at leats would not be ready before my deadline.
  Thanks!
  Edited by: The_Dutchman on Dec 13, 2011 11:43 AM

  Hmm, no replies yet...
  Am I in 'uncharted territory' with this issue?

• Variable for one Dimension based on another Dimension's Property

  Hi all,
  This is a Acript Logic question.
  I have a dimension called P_BUDGET_MODEL. It has a property called PROFIT_CTR.
  I also have a dimension called P_PCA.
  I would like to have a variable that defines the values of P_PCA based on the values of PROFIT_CTR once the user selected the P_BUDGET_MODEL.
  Please note:
  1. One value of PROFIT_CTR might yield fiew values of P_PCA based on a well defined logic that I can code in the script using some sort of Concatenation.
  2. I want to use the variable in *XDIM_MEMBERSET P_PCA to improve performance.
  3. I have authorizations defined both for P_PCA and P_BUDGET_MODEL.
  4. I would like to use similar logic to define the time dimension based on the category dimension.
  Any ideas?
  Kind regards,
  Avihay

  Hello Nilanjan,
  First of all thanks for your response.
  I am not sure I understood. Allow me to elaborate the business scenario.
  I have a distributed planning process. Various planners are responsible for various P_BUDGET_MODEL values, which are organized in a hierarchy based on these responsibilities.
  When the user selects in a planning package the P_BUDGET_MODEL values, I want to run a logic that will perform calculations. In the logic I need to create data with various values of P_PCA. The values of P_PCA can be derived from the property P_BUDGET_MODEL.PROFIT_CTR.
  I also have authorizations on P_PCA and they are synchronized with the authorizations on P_BUDGET_MODEL. The reason I have authorizations on P_PCA is that in various reports I have P_PCA as the display criteria and I do not want users to see all of the values. I also plan to base planning approval processes on this dimension in the future.
  Since I have few users basically I needed a simple IF inside my logic, but there is no such statement.
  I am a veteran BPS and IP consultant. Such a request was very easy to implement in those tools (using characteristic relations for example and also in FOX). It surprises me that it is so hard to implement in BPC.
  Any new ideas?

• Remove security on Company Dimension

  Hyperion Planning 9.3.1
  We currently have security implemented on the company and entity dimensions. Security is granted to users based on being assigned to the appropriate company group and entity group(facility/location). We would like to remove the security on the company dimension and only have security at the entity level(facility/location). Does anyone know the best way to do this?

  If it is a custom dimension and you don't want to use security on the dimension anymore then you can go to the dimension administration and untick "Apply Security"
  otherwise
  I would probably use the ExportSecurity utility to export all the current access permissions :- http://download.oracle.com/docs/cd/E10530_01/doc/epm.931/html_hp_admin/ch03s07.html
  Update the file it produces, then use the import security utility :- http://download.oracle.com/docs/cd/E10530_01/doc/epm.931/html_hp_admin/ch03s06.html
  You may need to use the SL_CLEARALL security to remove all the security first or just set security to none in the file for the company dimension members.
  Cheers
  John
  http://john-goodwin.blogspot.com/

• JHeadStart Security problem-error page cannot be found- role based security

  JHeadStart Security problem-error page cannot be found- role based security
  Good morning! How are you? I would need some help in a jheadstart 10.1.3.2 security case and I was wondering if you could give me a hand to go on. I create the Model project with tables of oe schema. Then in JHeadStart to perform security I follow the following steps: In ViewController/WEB-INF/web.xml – properties I do the following: login configuration: http basic authentication rfc 7617: realm:jazn.com
  Security roles : I define two roles: customer and administrator , Security Constraints: web_resources: All_pages, Url Patterns: faces/*. Then in Tools/Embedded OC4J Preferences/Global/Authentication JAZN/Realms/jazn.com/users: I define two users c1, password c1 and a1,password a1, roles/member users/ I attribute the roles to the relevant users c1—customer and a1—administrator. Then in application definition editor on service level I define security/use role based authorization=true , authorization type: JAAS and when access denied go to next group=true. On group level e.g.: ProductInformation: Authorization/Authorized Roles Permissions: administrator.On item level : Orders/Items/OrderTotal/Operations/Update Allowed: #{jhsUserRoles['administrator']},Then I generate the pages (run the jag) . The generation is completed successfully but when I run the View Controller project a “the website declined to show this webpage…(page cannot be found)’ is displayed. What should I do? I would appreciate it if you would help me on this issue! Thank you very much.

  Thand you very much for your reply! Unfortunately there is a specific restriction-convention in the project I work in. I am supposed to perform role based security with my own tables and no by the jheadstart’s ones. Could you find out what is my fault with the steps I follow trying to perform the process?
  To remind you my steps I paste the following again:
  JHeadStart Security problem-error page cannot be found- role based security
  Good morning! How are you? I would need some help in a jheadstart 10.1.3.2 security case and I was wondering if you could give me a hand to go on. I create the Model project with tables of oe schema. Then in JHeadStart to perform security I follow the following steps: In ViewController/WEB-INF/web.xml – properties I do the following: login configuration: http basic authentication rfc 7617: realm:jazn.com
  Security roles : I define two roles: customer and administrator , Security Constraints: web_resources: All_pages, Url Patterns: faces/*. Then in Tools/Embedded OC4J Preferences/Global/Authentication JAZN/Realms/jazn.com/users: I define two users c1, password c1 and a1,password a1, roles/member users/ I attribute the roles to the relevant users c1—customer and a1—administrator. Then in application definition editor on service level I define security/use role based authorization=true , authorization type: JAAS and when access denied go to next group=true. On group level e.g.: ProductInformation: Authorization/Authorized Roles Permissions: administrator.On item level : Orders/Items/OrderTotal/Operations/Update Allowed: #{jhsUserRoles['administrator']},Then I generate the pages (run the jag) . The generation is completed successfully but when I run the View Controller project a “the website declined to show this webpage…(page cannot be found)’ is displayed. What should I do? I would appreciate it if you would help me on this issue! Thank you very much.

• Querying last element in a dimension based on another level in the same dimension using MDX

  Summary: I need to write an MDX that returns the last date available in the level in the date dimension based for each month in the same dimension.
  Details: i have the a dimension which has the following levels. 
  Dim_Date :  Date (key) , Month (name of month), Quarter, Year.
  The query i m trying to come up with would return the result something like
  Month  || Max_date || measure1
  Jan         2014-01-25    100
  Feb        2014-02-28     200
  Please let me know if the above makes sense. Basically i m trying to get the max date for each month. 
  Thanks
  Sri

  Hi SrikanthGS,
  Assuming that with the last date available for the measure you mean the last date with non-empty figures, consider the following against the AW:
  SELECT [Measures].[Internet Sales Amount] ON 0,
  Generate (
  [Date].[Calendar].[Month].Members,
  ( Exists ( [Date].[Month of Year].[Month of Year], [Date].[Calendar].CurrentMember ),
  Tail (
  NonEmpty (
  Descendants ( [Date].[Calendar].CurrentMember, [Date].[Calendar].[Date] ),
  [Measures].[Internet Sales Amount]
  1
  ) ON 1
  FROM [Adventure Works]
  WHERE [Product].[Product Categories].[Subcategory].&[1]
  Philip,

• Transaction based security vs. Authorization based security

  Hi All just a general question does any one know any pro's and con's about implementing transaction based security vs. authorization object based
  Thanks Mike

  Well, the Tcode goes into an authoruization object as well, namely S_TCODE, so it always boils down to authorization objects. When properly configured, PFCG will propose all necessary authorization objects once you put a transaction in the role menu. On a new system, have a look at SU25 and it's documentation to setup PFCG.
  In my opinion putting the relevant transactions in the roles first and fine tuning the authorization values afterwards is the right way to go. Tracing may help but is no substitute for testing.

• Best practices for securing communication to internet based SCCM clients ?

  What type of SSL certs does the community think should be used to secure traffic from internet based SCCM clients ?  should 3rd party SSL certs be used ?  When doing an inventory for example of the clients configuration in order to run reports
  later how the  data be protected during transit ?

  From a technical perspective, it doesn't matter where the certs come from as there is no difference whatsoever. A cert is a cert is a cert. The certs are *not* what provide the protection, they simply enable the use of SSL to protect the data in transit
  and also provide an authentication mechanism.
  From a logistics and cost perspective though, there is a huge difference. You may not be aware, but *every* client in IBCM requires its own unique client authentication certificate. This will get very expensive very quickly and is a recurring cost because
  certs expire (most commercial cert vendors rarely offer certs valid for more than 3 years). Also, deploying certs from a 3rd party is not a trivial endeavor -- you more less run into chicken and egg issues here. With an internal Microsoft PKI, if designed
  properly, there is zero recurring cost and deployment to internal systems is trivial. There is still certainly some cost and overhead involved, but it is dwarfed by that that comes with using with a third party CA for IBCM certs.
  Jason | http://blog.configmgrftw.com | @jasonsandys

• Can I create a dimension based on a view?

  The OLAP9201A allowes creating cube based on view, so does it also alowes creating dimension based on view?
  I want to using view to deal with priviledge issues.

  Thank you.
  The document says that I can create view based dimensions using cwm2. But when I tried to execute cwm2 packages' procedures, I always got error.
  For example, when I ran the following scripts under the schema 'CFA', I got error message.
  --my scripts
  begin
       cwm2_olap_dimension.create_dimension('CFA', 'TESTCWM2_DIM', 'TESTCWM2', 'TESTCWM2s', 'cwm2', 'TESTCWM2',null);
  end;
  --error messages
  The following error has occurred:
  ORA-06502: PL/SQL: 数字或值错误 : 字符串缓冲区太小
  ORA-06512: 在"OLAPSYS.CWM2_OLAP_MANAGER", line 380
  ORA-06512: 在"OLAPSYS.CWM2_OLAP_MANAGER", line 397
  ORA-06512: 在"OLAPSYS.CWM2_OLAP_DIMENSION", line 139
  ORA-06512: 在line 2
  --my comments on error messages
  The Chinese text means:error of number or value: the string buffer is too small.
  What's wrong?

• Defining security provider

  I deploy WS using admin_client.jar. How can i specify security provider manually in command line? after ws has been deployed it has security provider as "File-Based Security Provider" and i need identity management provider. Thnk

  I deploy WS using admin_client.jar. How can i specify security provider manually in command line? after ws has been deployed it has security provider as "File-Based Security Provider" and i need identity management provider. Thnk

• Security on Year dimension in Hyperion Planning.

  Need to enable security on Year dimension on Hyperion Planning for below requirement. I know that we cannot enable security on year dimenison in Hyperion Planning, but want know if there is any custom solution.
  Requirement:
  IT users to have write access to Scenario: FY12FCSTJUN for year FY12 for period JUN to DEC & FY13 for Period OCT to SEP. (Calender year starts at OCT of every year)
  Normall users they want to have read access to Scenario: FY12FCSTJUN for year FY12 for period JUN to DEC and write access to Scenario: FY12FCSTJUN for Year FY13 for Period OCT to DEC
  1)we can modify the start period, end period, start yr and End yr for FY12FCSTJUN Scenario dimension to make FY12 FY12FCSTJUN as read/write for Specific year, but it won't meet the requirement.
  2)I have already tried making modification to the Planning respository table ( changed the value for ENFORCE_SECURITY parameter to 1 for DIM_ID 38 for Year in the HSP_Dimension table)on one of VM environments,but it won't enable security on the Year dimension.
  3)We can create a Budget scenario to achieve above, but it involves too many changes accross all the webforms and B rules, so we want to see if there is any custom solution available.
  Any suggestion/workaround to resolve the issue?

  Oracle will be releasing a patch in dec 2012 to fix/enable the security on year dimension. this patch is applicable for 11.1.2.2 version.

• Restricting values of a dropdown based on user roles

  Hi,
  Is it possible to restrict the values of a custom metadata dropdown based on the user roles (assuming only 1 role is assigned to each user)? Say, based on the role assigned to a user, he/she should see only 3-4 values out of 10 values in a dropdown on the checkin page. Please suggest.
  Thanks.

  You can get pretty close out of the box using some configuration manager applet voodoo
  1)First off create a Table that will contain the options for your list. Create the columns e.g. label and id and then also create a column called dSecurityGroup
  2)Add a view based on the table you just created, choose the Security tab and select "Use standard document security"
  3)Add some values to your view - make sure that you populate the dSecurityGroup column with real values of security groups
  4)Once it is all published, have a look at the checkin and search screens. You should find that UCM will evaluate the options in the same way it would documents - based on the dSecurityGroup value you applied to the row - e.g. you will see an option on the search screen if you have at least R permissions, you will see an option on a checkin screen if you have at least RW permission
  Try it out :-)

• Content delivery in portal based on user roles ?

  Portal Server new bee...
  Please can anyone point me to guides/url where i can look to enable content delivery in a portal based on user roles and how to establish SSO.
  I have installed Portal Server6.0 and iplanet Directory Server Management Edition installed.
  I did go through PS Development guide and got some sample containers up and running in the portal.
  Thanks.

  For the role-based delivery, Comment 1 sends you in the right direction. Here are a couple things to keep in mind as you read through the customization guide.
  The basic gist of what you need is to define your organization profiles with all the services defined at the org level. Then you can define simple profiles at the role level. These will probably focus around the selected and available attributes on the table containers.
  Then you might want to pay particular attention to the merge, lock, and propogate attributes. These will allow you to define how the role affects the availability of channels (does the role add, remove, or force the channel?). The easiest thing to do is probably to start with a core group of channels, and then have each role define additional channels that are of interest and should be added to the selected/available lists.
  Having roles remove channels will make matters a little more confusing and harder to maintain.

• Federation, remote role assignment based on ABAP roles on producer

  Hi all,
  We have implemented the federated portal solution for our ESS users. We use the ABAP stack of the producer portal as user store for consumer and have no problems in assigning portal roles on our consumer based on ABAP roles in the backend (displayed as groups in the portal).
  Now we want to add some extra functionality (eg SRM and eRec) and we encounter some problems. These systems all have their own ABAP stack as user store. We have maintained the functional authorization model in the ABAP roles for instance in SRM. So an example:
  System I: ABAP + JAVA --> ECC 6.0
  Here we have the standard R/3 functionality and the producer portal (A) installed. Roles created on producer portal and assigned based on ABAP roles.
  System II: JAVA --> NW 7.0 Portal
  Our consumer portal (B) where we use roles created on the producer portal (A) on System I.
  System III: ABAP + JAVA --> SRM
  Our SRM system with SRM producer portal (C). In the ABAP stack of this sytem the functional SRM roles have been assigned to the users. We have created functional SRM Portal roles in order to use remote role assignment on consumer portal (B).
  +PROBLEM+
  We want to remotely assign portal roles created on the SRM Producer (C) to users on the consumer portal (B), based on the ABAP role assignment in the backend of system III. How can we achieve this in a fast and efficient way?
  Looking forward to your ideas. Anything helpfull will be gladly awarded with SDN points.
  Best regards,
  Jan Laros

  Jan,
  Interesting question. Let me share my experience and hope that's of some use to you.
  We started off federating corporate NetWeaver Portal (lets say B, parallel to your convention) as consumers to BI Portals (Lets say A).
  - B's UME points to Active Directory
  - A's UME points to BI ABAP user store
  - User ids are identical in both systems
  We ran into the problem of dual administration ((de)assigning portal role on both portals instead of just one) for a long time. The issue was because of different reasons at different times as we patched B's and A's. At one point we were on SP15 on both portals and we were told by SAP that RRA can be done on B for remote roles and the assignment propagates to A automatically if the following configuration is set up on both A and B.
  - A's permissions are relaxed allowing "Everyone" group checked for "End User" access as per ([http://help.sap.com/saphelp_nw04s/helpdata/en/43/2236fc0b413fe1e10000000a11466f/content.htm|http://help.sap.com/saphelp_nw04s/helpdata/en/43/2236fc0b413fe1e10000000a11466f/content.htm]
  However, we chose not to do the permission relaxation as enabling "Everyone" group with "End User" access can allow anyone to launch an iView (if the URL is known somehow) and the user would be able to see the layout of the iView, which can include text, etc. The user won't be able to access any data though, however, there is certain compromise on security which we decided that its not okay. So, we digressed in SAP's suggested practice because of security reasons.
  Today we, manage security on B using Active Directory groups and on A using Java groups (ABAP roles).
  In your case, I suggest investigating the option of relaxing the security on producer portal like in the above link. If you think its okay, all you have to do is, provision users on B by assigning remote roles from C and A.
  Either my story is applicable or I must have got you totally wrong,
  Kiran

• Date-based group or role membership

  Hello,
  For a particular application, using Sun ONE DS 5.2, I'd like to be able to define start and end dates for a users membership of a group or a role. I realise I can do this by using an external program to examine start and end date attributes for a user and then adjusting an attribute that either makes them a member of a dynamic group or a role.
  But is there any way to do it entirely within the Directory Server itself by clever group/role/CoS definitions and comparison of date attributes ?
  Any thoughts / hints / suggestions would be greatly appreciated.

  Probably I don't explain myself clearly....sorry for that!
  Anyway you are right, the role of the user can change after the user is initially provisioned.
  I'll try to summarize to be sure to have understood your answer and to explain my scenario more in details:
  1. After user identity creation, I'll assign the role "Project Manager". Before role assignment the user has not any role. So using a pre-populate adapter I can retrieve the assigned role and compose the right userid.
  2. After step 1, I need to assign another role to the user, the new role should be "External Reseller" for example. In this case the user has a role already. What I would is: basing on the role that I'm assigning (External Reseller), the pre-populate should compose the right userid. Obviously this second userid will be different from the first one and this means a new account will be created for the user. At the moment I don't care to deprovisioning the first userid.
  Is it possible with pre-populate adapter?
  Sorry again for my not very clear explanations.
  Daniele
  Edited by: 886636 on Jan 24, 2012 4:10 AM