Dimension level Security

Similar Messages

• How to implement Dimension Level Security on Tabular?

  Not possible on SQL Server 2014 SSAS Tabular? How to work around?
  Kenny_I

  Hi Kenny_l,
  According to your description, you want to implement dimension security in SSAS 2014 tabular. Right?
  In Analysis Services Tabular mode, dimension level security (based on role permission) is not supported. This security can only used in Multi-dimension mode. In tabular mode, we can only use row-level security based on role permission.
  Please refer to links below:
  Implement Dynamic Security by Using Row Filters
  Reference:
  Comparing Tabular and Multidimensional Solutions (SSAS)
  If you have any question, please feel free to ask.
  Best Regards,
  Simon Hou
  TechNet Community Support

• Dimension Level Security on a Data Form

  Hi,
  Is there any other way in Hyperion Planning to know where the dimensional level security is missing when you get the following error - (other than manually going to the dimensions and checking it)
  "Security and/or filtering has resulted in a required dimension not being represented on the data form"
  Please let me know !
  ~ Adella

  Alp, I did try to work with your idea and it did help. Thank you so much for your input.
  Anyways, for now I think I got an answer to my question..but please do let me know of other ideas if you come across any :)
  ~ Adella

• How to set dimension level security with multiple levels

  Hi,
  We have hierarchy with Level 0 codes to Level 4 codes.
  For e.g.
  Region 1 : Level 0 code 10000, Level 1 code 10001, Level 2 code 10011, Level 3 code 10111, Level 4 code 11111
  Region 2: Level 0 code 20000, Level 1 code 20001, Level 2 code 20011, Level 3 code 20111, Level 4 code 21111
  Region 3: Level 0 code 30000, Level 1 code 30001, Level 2 code 30011, Level 3 code 30111, Level 4 code 31111
  From SSAS role administration, I would like to assign a user permission to all Region 1 codes and only Level 3 code (30111) of region 3.
  How and where do I set this kind of permission?
  Thanks in advance.
  Manisha

  see
  http://www.mssqltips.com/sqlservertip/1834/introduction-to-dimension-security-in-sql-server-analysis-services-ssas-2005/
  Please Mark This As Answer if it helps to solve the issue Visakh ---------------------------- http://visakhm.blogspot.com/ https://www.facebook.com/VmBlogs

• Dimension level Security in SSM

  Hello,
  Requirement,
  The dimension PLANT in PAS under PAS Model ABCD looks as below
  ROOT
        ASSET1
        ASSET2
  we have single CONTEXT called ASSET meaning one model connection to link ASSET context to PAS Model ABCD.
  CE level SSM users USER1 and USER2 are created.
  When user1 logins, he should be dyanamically restricted to ASSET1
  When user2 logins, he should be dyanamically restricted to ASSET2
  Please help.
  Best Regards

  Hi Shashi,
  This is a standard feature used already in many implementations worldwide. For the same context, you can restrict which measures and/or dimension members a user or user group can have access to.
  In order to put in place this kind of security, you have to create different Application Server Connections inside the Model Connection you have associated with the Context.
  In the Model Connections screen, search for a box called App.Server Connections. Click on new. This will allow you to establish a connection to the same PAS model, but using a different PAS user. In the end, you will need to create as many App.Server Connections, each one with a different PAS user associated, as the different access profiles you want to create for your users.
  To each App.Server Connection, and so to each PAS user, you can assign different user groups and/or users.
  The rest of the configuration has to be done directly in the PAS model, creating a procedure called SECURITY and specifying there which measures and/or dimension members each PAS user will have access to. You will need, of course, to create all of the PAS users first.
  Hope this helps!
  Best regards,
  Ricardo Vieira

• Security at a dimension level in a Planning Application (ver 9.3.1)

  Hi,
  I'm dealing with the Assign Access process in the Dimensions pane.
  Is it possible set access at dimension level?
  How can I set the member Account (root of Account Dimension) visible for only a subset of user?
  Thanks in advance.
  Stefano

  Hi Stefano,
  I'm currently using Hyperion Planning version 4.0.2. I tried using the ImportSecurity.exe file to update the security for the top member in Entities dimension (ie the dimension name itself) but it kept giving me this error:
  Record not processed -Finance,Entities,READ,MEMBER- Invalid Member name.
  All lines in Import Security file were successfully parsed.
  No records inserted into the database.
  1 Lines were not processed by the application due to errors.
  My secfile.txt file looks like this:
  Finance,Entities,READ,MEMBER
  Am I doing anything wrongly?
  Thanks for your help!
  Michelle

• Data level Security in Essbase

  I have an requirement to implement data level security in Essbase. For ex: A user can only see those data which are from Asia region or an user will be able to see those data which are from America.
  Asia and America are defined in my location dimension.
  Please tell me how to do it?
  Regards,
  Suman

  to make your security maintenance easier, I would suggest putting the users into groups and assigning the filters to the group. If you do it at the indivual level, the user can only have one filter assigned to them, but each group could have a different filter. So for someone who should see Americas and Asia have a group calle America and one called asia. put the user into both groups and assign the america filter to the first group and asia filter to the second group

• Group Level Data Level Security not working

  I'm trying to test the data level security at the group level.
  Here's what I did
  1. Went to the security -> Groups -> Permissions -> Filters
  2. In Name added the Fact table on which I want to filter.
  3. Selected "Enable"
  4. In Filter Column I added a filter on a column in the dimension. (I didn't use any session variables in the filter)
  When I create an answers query with the column from the dimension (Which I used in filter) and fact from the fact table where I defined the filter, the filter is not applied..
  Am I missing something in the creation of filters?
  Thanks in Advance.
  Rama.

  Hi,
  If the user is member of both user defined and Administrator group no filter will be applied to them because Administrator group will take precedence and no filter can be applied to Administrator.Even if you ooen Administrator group, you will see that permission tab is disabled for Administrator group.
  Hope this helps.
  Regards,
  Sandeep

• Data Level Security implementation question

  I had a quick data-level security scenario and wanted to solicit any input from the experts.
  In our current Subject Area we have one Presentation Layer using one Business Model. In this Subject Area have a Task and Employee Dimension. There is row-level Security on the Task Dimension that is done in the Business Model on the LTS Content tab. There are a batch of reports built off this Subject Area.
  There is now a request to build a new batch of reports, however, they want to now filter on the Employee Table and NOT filter on the Tasks. So the opposite of what has been applied above.
  From my perspective there are only a few ways this Security can be applied
  Business Layer: Basically either create an Alias of Employee and Task or build a second LTS for both. Then create new columns and map to these accordingly. Basically have 2 of each column in the Business Layer. One with Security applied and one without.
  Presentation Layer: Created a second Presentation Subject Area and apply the security at the Presentation Layer and remove it from the Business Layer.
  I know a third option could be put security on the Role/Group but for this case these reports are open to everyone.
  I'd just like to verify from the experts that I may have covered all solutions for this scenario or if there are any other suggestions?
  Thanks!

  Alright...
  If you have two LTS say A & B (basically duplicate) then add a column say LTS Indicator and assign 'A' for LTS A and 'B' for LTS B. Add the fragmentation content and apply the security filter and you can also create two different Presentation folders under same Subject Area if users have Answers Access so that the users know if they are querying for LTS A or LTS B.
  Similarly, build your reports making use of LTS indicators which will BI server to pick correct LTS. Say, where you want LTS A to be picked...use filter of LTS Indicator = 'A' and thats it.

• Parent-child hierarcy - row level security

  Hi,
  Im using OBI 11.1.1.5 and have a problem about row-level security in parent-child dimension.
  I have created a parent-child dimension, simlar to:
  a1
  --a1.1
  ----a1.1.1
  ----a1.1.2
  --a1.2
  ----a1.2.1
  By using a session variable 'SESVAR1', I want to restrict the visible hierarcy. For instance user 'a1.1' should only see:
  a1.1
  --a1.1.1
  --a1.1.2
  To do this I created a parent-child closure table with the whole dataset. Then I created a physical table using select statement with my session variable in repository. Whenever I viewed data in repository, it showed the correct set.
  I created a parent-child dimension, using the original parent-child closure table. But since current distance values are different from the original hierarcy, I can not managed to build a security such a security system with this method.
  How can I build a security system, that a member can only see its child hierarchy only?
  Thanks for answers and links...
  Edited by: user4516917 on 16.Nis.2012 06:54
  Edited by: user4516917 on 16.Nis.2012 06:55

  According to searches I made in support.oracle and google, it seems that it is not possible to view just a branch of a parent-child tree. Because the closure table is static. Therefore, you can not change the distances of objects dynamically.
  This parent-child ability is very frustrating for me. As I understand, parent-child dimension ability can only be used in read-only sources. Any filtering or dynamic changes does not seem possible in this structure. Any changes on parent-child table requires parent-child relation table to be rebuilt.
  I couldnt find any functionality of indexcol or choose functions in parent-child dimensions. I think they can only be used in level based dimensions.
  Any comments appriciated..

• Row level security in OBIEE 11g

  Hi guys,
  We have a business intelligence project in OBIEE, and I have a question regarding row level security (RLS).
  Specifically, I have an hierarchical organization with users belonging to different structures. If one user belongs
  to a structure that is above another structure in hierarchy, then he should see both data from his structure and
  the of the users in structures bellow it. In the reports, we must have filters implemented respecting this requirement,
  i.e. if one logs in OBI and accesses the report, he should see in the filter "Users" only subordinate users and respectively
  data displayed in the report should be filtered accordingly. How would you suggest to implements this type of security
  in the data model? And how could I create the type of filter mentioned above?  

  This needs to be implemented in 3 different levels. 1. in database  2. in RPD  3 in reports
  1. You need to have facts or dimensions which have columns through which you can filter based on their hierarchy. e.g position in an organisation or department in the hierarchy table which can be joined to fact.
  2. In rpd you need to create a session variable and initialize it using init block based on the user who is logging in. This variable will be you position or department through which you want to filter based on hierarchy. e.g select position from hierarchy_table where user= 'NQSession(user)' . The resulting position value will be used as a filter.
  3. Add this position variable as a content filter in your LTS in you BMM layer.
  4. You can also use this session variable  as a filter in you reports too.
  hope this helps.
  Senthil

• Row level Security for BI Author Role

  Hi All,
  We are using OBIEE 11.1.1.5 in our project. We have a requirement where we need to configure row level security on certain column.
  We are currently using external table and session variable approach to configure this. This security works fine for the users with BI Consumer
  roles. But we are facing issue with configuring row level security for BI Author role.
  BI Author can create any analysis in BI Answers and suppose he/she creates a report which does not contain the column on which row level
  security is applied than he can see all the data. For eg.
  We have one dimension Products having two levels Product Division and Brand. I want to configure security based on Product Division column.
  But if BI Author create a report with only Brand and Measures than row level security is not working.
  Does anyone has face this issue before.
  Please let me know if you want any other information from my side.
  Regards,
  Vikas

  If you are using a multidimensional cube you can use the "permit" command to control access to dimension members or provide cell level security within the cube. The OLAP database documentation provides on how to use the PERMIT command.
  If you are using relational tables and/or views with additional CWM metadata mapped using OEM then you need to refer to the database documentation relating to Virtual Private Databases and Label Security
  Business Intelligence Beans Product Management Team
  Oracle Corporation

• OBIEE Row-Level Security Inquiry

  I had discussed a security requirement with one of our resources and it seems like a simple concept but for some reason I can’t think of simple way to implement in OBIEE.
  If we have a fact table with a security column that has values which state what groups can see the data in that row (Multiple groups separated by semi-colons). The data in the row is layed out like this:
  Group 1;Group 2;Group 3;Group 4
  There is a user and group mapping table as well where if I pull a user (Say User1) the data in the column for their group assignments would look like:
  Group 3;Group 10; Group 11
  Since this user is in Group 3 they can see the values in that row of the fact table above (Because Group 3 appears in both).
  Now I can run a session variable to get the user groups but how to then correlate to what rows they can see in that fact table is where I am stuck.
  Can I solicit any suggestions?

  They are various problems with your approach. To start with let's how OBIEE would like you to have the data:
  State Sales
  1 99
  2 30
  3 50
  Then your user to group table should be like this:
  User State
  1 1
  1 2
  1 3
  2 1
  3 3
  You would then do an row-wise Init Block to populate the GROUP variable. Then you simply do a filter in your BMM layer State = VALUEOF(NQ_SESSION.GROUP). Note that GROUP is that a list of groups so OBIEE will take care to convert this to SQL correctly. Now the way you have your data I don't think you can easily do row-level security. Basically what you need is to have your Group as dimension in your fact. What you have a is concatenated value which is useless. Also your user to group mapping table needs to be flat so you can do the row-wise init block. Hope it helps.

• Row Level Security (VPD)

  We are enhancing our corporate security model using VPD fine grain access to allow more flexible policies. This will provide different levels of row level access on each set of mart fact tables (Health Board level access on Mart A, GP Practice level on Mart B etc). We also want different column level security (masking) on common dimensions depending on which mart is being queried, e.g. a user might be allowed to see confidential patient columns when querying Mart A, but not on Mart B.
  OID groups hold user attributes, and we can retrieve these via logon trigger and policy functions and then set user contexts accordingly.
  When a query is submitted to the database (via Business Objects), it triggers the policy function on a particular mart fact table(s), which applies the particular row level constraint based upon the users context. So far so good. Problem is, when any dimension policy functions are being triggered (at the same time), they need to know which particular Mart is being queried, so that they can retrieve the correct user context to apply either confidential or non-confidential column masking.
  I basically need a means of interrogating the SQL before (or as) it reaches the dimension policy functions, from which the function can identify the Mart from the named tables in the SQL FROM list. Is there a way of doing this, or some other mechanism entirely for delivering this level of access control?
  One solution is to have a separate dimension view specific to each Mart. A particular view would join to a particular mart (in Business Objects), and the policy function amended for each. However we would rather avoid this as it could mean up to 20 + views for each dimension, and require a substantial maintenance overhead.
  Thanks
  Simon
  Edinburgh

  Why would you want a situation where USER1 cannot see any of the data in the table but owns a procedure that allows him to update any row in the table? That would basically defeat the purpose of using VPD-- if USER1 can circumvent the VPD policy in this procedure, USER1 can circumvent the policy in any procedure and can create procedures that allow him to view and manipulate the data.
  Can you provide a bit more background about what problem you're trying to solve? Why does USER1 need to own the procedure if USER1 isn't allowed to see any of the data? Are you trying to write a procedure that will apply the caller's VPD policy (i.e. when USER2 calls the procedure, he can only update the rows that his VPD policy allows him to see)? Or do you want the procedure code to bypass the VPD policy entirely? Why are you fine with granting USER2 the ability to bypass the VPD policy but you are not OK granting USER1 that same privilege?
  Justin

• Cube cell-level security

  Hi,
  How to implement cell-level security for oracle9i rolap cube without Virtual Private Databases ?
  thanks.

  Thanks, Mark.
  I have read your article,I have some questions:
  (1) How can create one cube for many fact views?
  (2) I access the cube with the olap api,can this method support?
  Actualy, I need something like MS sql 2000 Analusis Service dimension security. Now I implement this by my front end tool(with olap api).
  I have read your weblog for a long time,thank you for your good articles!
  Gu YQ