Direct database data access without data level authorization check

Hello,
My customer raised an issue about direct database data access. Due to the customer's strong security policy, it shouldn't be allowed.
To prevent this kind of illegal data access, the customer asked me to list all the possibilities to display data without a data-level authorization check.
The things in my mind are
SQL Command Editor (for Oracle based system) : ORASPACE, DB02, ST04
Query Based : SQVI (Quick Viewer), SQ01/SQ02/SQ03 (SAP Query)
Data Browser : SE11, SE12, SE16, SE16N, SE17
Table Maintenance : SM30
Function Module : RFC_READ_TABLE
Function Module : DB_EXECUTE_SQL (DML)
Anyone knows anything which is not listed above?
Thanks

HI,
    Generally, in production, users should not be given all these authorizations.
Ram.
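
The audit this advice implies, as an added example that is not part of the original thread: it scans a role-authorization export for values that cover the transactions and function modules listed in the question. The CSV layout (columns named as in table AGR_1251), the role names and the sample rows are constructed assumptions.

```python
import csv
import io
import re

# Names taken from the list in the question above.
SENSITIVE_TCODES = ["ORASPACE", "DB02", "ST04", "SQVI", "SQ01", "SQ02", "SQ03",
                    "SE11", "SE12", "SE16", "SE16N", "SE17", "SM30"]
SENSITIVE_FMS = ["RFC_READ_TABLE", "DB_EXECUTE_SQL"]

# Authorization object/field pairs checked here: S_TCODE/TCD gates starting a
# transaction, S_RFC/RFC_NAME gates remote function calls. Assumption: S_RFC
# values are matched as function module names only (grants made through a
# function group are not resolved), and whether each module is RFC-enabled
# must be confirmed in your own system.
WATCHED = {("S_TCODE", "TCD"): SENSITIVE_TCODES,
           ("S_RFC", "RFC_NAME"): SENSITIVE_FMS}

# Constructed sample export. Column names follow table AGR_1251; adjust them
# to whatever your own extract uses.
SAMPLE_EXPORT = """AGR_NAME,OBJECT,FIELD,LOW,HIGH
Z_SALES_CLERK,S_TCODE,TCD,VA01,VA03
Z_SALES_CLERK,S_TCODE,TCD,SQVI,
Z_BASIS_ADMIN,S_TCODE,TCD,S*,
Z_BASIS_ADMIN,S_TCODE,TCD,DB02,
Z_INTERFACE,S_RFC,RFC_NAME,RFC_READ_TABLE,
Z_INTERFACE,S_RFC,RFC_NAME,Z_ORDER_*,
Z_REPORTING,S_TCODE,TCD,SE16,SE17
Z_DISPLAY,S_TCODE,TCD,FB03,
"""


def value_covers(low, high, candidate):
    """True if one authorization value (single, pattern or range) covers candidate."""
    low, high = low.strip(), (high or "").strip()
    if high:
        # From-to range: plain string comparison, so SE16..SE17 also covers SE16N.
        return low <= candidate <= high
    # Single value; '*' is the only wildcard and matches any run of characters.
    pattern = re.escape(low).replace(r"\*", ".*")
    return re.fullmatch(pattern, candidate) is not None


def find_direct_table_access(export_text):
    """Return {role: sorted sensitive names that the role's values cover}."""
    findings = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        targets = WATCHED.get((row["OBJECT"].strip(), row["FIELD"].strip()))
        if not targets:
            continue
        hits = [t for t in targets if value_covers(row["LOW"], row["HIGH"], t)]
        if hits:
            findings.setdefault(row["AGR_NAME"].strip(), set()).update(hits)
    return {role: sorted(names) for role, names in findings.items()}


if __name__ == "__main__":
    for role, names in sorted(find_direct_table_access(SAMPLE_EXPORT).items()):
        print(f"{role}: {', '.join(names)}")
```

A hit means the role can start the tool; what it can then read still depends on table-level authorization objects such as S_TABU_DIS and S_TABU_NAM, which this example does not evaluate.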

Similar Messages

  • Direct Database Request - Incorrect Column Data type

    Hello All -
    Hope you can help with this. I'm using the Direct Database Request in Oracle BI to send a complex query directly to our data warehouse. My problem is that the result columns containing my measures are converted to integer by Oracle BI when they should be double. The integer conversion causes decimal values to be rounded, leading to incorrect results in my reports. I've tried several tweaks to my query in an attempt to allow OBIEE to make the correct guess on the data type but nothing has worked.
    Is there a way to force OBIEE to recognize the correct data type for a column in a Direct Database Request Query?
    Thanks in advance for your help!
    Mac

    Thank you both.
    David's response was helpful from a style/readability perspective (the columns in question were complex expressions) but I had already attempted the approach and it hadn't solved the formatting issue. Nico's response solved the problem.
    Regards,
    Mac

  • Table Functions, Direct Database Requests, and NUMBER data types

    Hello. I call a number of table functions from our BI Enterprise server, and I've elected to do so using Direct Database Requests (I believe you can also call table functions in the physical layer of the repository, but that's not what I'm doing). The problem is that whenever I return any number from the table function that is not a whole number (1.23, for example), BI assigns the INTEGER datatype to the field instead of the DOUBLE datatype, thereby rounding my number to the nearest integer. Here's a concise example:
    Create these 3 database objects:
    CREATE OR REPLACE TYPE my_row AS OBJECT (my_num NUMBER);
    CREATE OR REPLACE TYPE my_tab AS TABLE OF my_row;
    CREATE OR REPLACE FUNCTION my_table_function RETURN my_tab
    PIPELINED IS
    BEGIN
    PIPE ROW(my_row(1.23));
    END;
    Then make this your query in your Direct Database Request:
    SELECT my_num FROM table(my_table_function);
    That query correctly returns "1.23" when it's called from the database. In BI, on the other hand, it returns "1" (and labels the field an INTEGER instead of DOUBLE data type). If in the Direct Database Request you change the Column Properties ->Data Format -> Decimal Places from 0 to 2, it then not surprisingly displays "1.00". I then tried changing MY_ROW.MY_NUM's datatype by explicitly specifying precision, and no luck. BI still labels this field as an INTEGER. Then I started trying to trick BI by massaging the SQL statement itself. None of the following worked:
    SELECT to_number(my_num) as my_num2 FROM table(my_table_function);
    SELECT my_num2 + 0.01 as my_num3 FROM (SELECT my_num - 0.01 AS my_num2 FROM table(my_table_function));
    SELECT to_number(to_char(my_num)) as my_num2 FROM table(my_table_function);
    SELECT to_number(substr(to_char('x'||my_num),2)) as my_num2 FROM table(my_table_function);
    Now I did find a solution, but I'm surprised that I have to resort to this:
    SELECT * FROM (SELECT /*+ NO_MERGE */ my_num FROM table(my_table_function));
    Does anyone out there know of a better way to do this? The above is a hack in my opinion. :)
    Thanks in advance for any input.
    -Jim

    Yes, it's really amazing.
    But I got it.
    CREATE OR REPLACE TYPE my_row AS OBJECT (my_num NUMBER(10,2));
    and in your SQL:
    SELECT cast(my_num as double precision) as my_num2 FROM table(my_table_function);
    I have the good result and I see the numbers after the comma.
    Very tricky !
    Edited by: gerardnico on Jul 7, 2009 2:55 PM change number(10,2) by double precision ......... pfffff

  • SM30 Field level authorization check

    Hi,
    I have a requirement to add the authorization check in SM30 for the company field in the custom table. Please suggest.
    Thanks,
    Gagan Chodhry

    Hi,
    I have this requirement for both types of tables, i.e. custom as well as standard. The tables have a profit center field. I need to show the table based on the logged-in user's authorization to the profit center.
    If it is a custom table then, as mentioned by Siva, I heard there is a way to check the authorization in the PAI event, but when I tried to do a small test, I could get the field symbol with the values, but I was not able to skip that record for display.
    If anyone can send a sample or the way to skip the record based on the check.
    Also, is there any other way to add field-level authorization to custom and standard tables?
    Thanks,
    Gagan Chodhry

  • Controlling data access at universe level

    Hi,
    I had a doubt in universe regarding the implementation of security.
    Existing process: We had a portal called flex (intranet site) into which the BO report has been integrated, and to open the report the name of the report was clicked (hyperlink).
    This report should show the data specific to the user profile logged into the portal.
    Now if we want to restrict the data at universe level for each individual user accessing the report in the portal, our idea is to create a derived table (which contains a list of user IDs and project IDs) in the universe so that whoever logs into the portal and clicks on the report will see only the data related to their profile.
    For example: The scenario would be a manager residing in a region who needs to see the list of projects he is assigned to, but not all of them.
    Could you please let me know how I can implement this at universe level. Kindly let me know if you need any further information.
    Thanks,
    Eswar

    Another way to do this is: (a) in your universe create a table that has a list of user names along with their BOUSER id; (b) associate that list with fact tables or dimensions in the database, either using joins or by using a where clause as a filter or in an object definition using the syntax @variable(bouser); below is an excerpt from the BO Designer guide.
    Example:
    @Variable
    In the universe for a human resources database, you have an object called
    Employee name. You want to restrict the returned data for Employee name
    to the values authorized in the database for each user. This would allow
    you to control what employee information each user is allowed to see. This
    information is defined by their database profile.
    You insert the @Variable function in the WHERE clause as follows:
    Employees.Employee_Name = @Variable('BOUSER')
    When the object Employee name is used in a query, the data is returned

  • Date field without data

    Hello, I'm new.
    I have a little program:
    the user edits a date field (P1_Termin) and other fields, then the program creates a mail with an XML attachment.
    Only the date field doesn't work. When the user edits the field (the default is SYSDATE+14), the field shows the new value, but the value is not in the field (P1_Termin).
    Can somebody help me?
    Thank you.

    Dear 984778,
    Would you provide a sample on apex.oracle.com with workspace+developer information
    To be able to help you efficiently.
    Best Regards

  • Simple Transformation when XML sometimes appears without data

    Hi to all
    I am writing an ST to read an XML file and update this info in SAP.
    All is right, but it happens that some structures are sometimes without data, and this situation is normal in the business process.
    Example with Data:
    Example without DATA
    Is there any way for the ST not to throw an error in this situation? Do I have to use some particular tag?
    Thank you very much for the help
    regards
    Dario

    Thanks Brad
    Please, can you give me an example?
    Thank you very much
    regards
    Dario

  • The Date Accessed attribute is resetting to all the files in a folder

    Hi all,
    I have an issue where the "Date Accessed" attribute is often reset on all the files in a folder if I open a single file; this folder is on a file server mapped as a drive for me. This is happening to all the users who connect to that file server, and I see the same issue over RDP as well. Is there any option to check what is resetting the "Date Accessed" attribute on all the files? The Date Access attribute is similar to Date accessed and Date modified. We need to fix this issue as it is a security concern for us. The file server is Windows 2008 R2 and the client machines are Windows 7.
    Side note: I can see that no software, antivirus or offline sync is causing this issue.
    Thank you,
    Sampath
    P.Sampath

    Hi,
    It seems that some specific process accessed the files and updated the attribute. You could configure auditing on the shared folder. Then you can go through the auditing log to check which process is doing the read operation on all these files. 
    Configuring Audit Policies
    http://technet.microsoft.com/en-us/library/dd277403.aspx
    Best Regards,
    Mandy

  • Access on aggregated levels with virtual key figures

    Hi all,
    I need access to the aggregated view of a BEx report within user-exit RSR00002 for processing virtual key figures. Currently I only get access to the lowest non-aggregated level.
    My requirements in detail:
    I get certain key-figures (250 historical values)on the lowest aggregation level - so-called folders. Then I have to aggregate this vector of values at the next hierarchy level up to the top-level, say along-side a company's business department structure. Drill-down, slice&dice should be possible. So far so good - this is done easily with standard BEx features.
    Then, on each aggregation level, i.e. hierarchy node, I need to get the third lowest of the 250 aggregated values to assign this to my vkf. This is not an issue of the algorithm but of the internal data representation or access to the OLAP processor because I don't get this vector on the same aggregated level such as I could see it in my BEx report but on the lowest non-aggregated folder level.
    The question is now:
    a. Is data access on aggregated levels and drill-downs generally not possible within this user-exit because of the internal representation, and would I have to supply the aggregation logic myself, or
    b. have I overlooked something critical - did I miss the trick?
    Every idea or hint is deeply welcome!!
    Thanks a lot,
    Michael
    Message was edited by: Michael Kronenberger

    First check in Technical Information in RSRT whether the Virtual Char/Key Fig is Y or N.

  • Forcing Authorization for a transaction code without authorization check in

    Transaction code 'PP02' has an authorization object P_TCODE. So when a user who does not have authorization to transaction 'PP02' tries to execute it from command prompt, the SAP system appropriately restricts user saying "You have no authorization".
    However, if a program has a "Call transaction" verb calling this transaction and the restricted user runs this report or module program, it does not restrict the user from accessing the transaction.
    Is there any way to restrict user to access the transaction from program without explicitly doing authorization check from within the program?
    Jitendra Mehta

    Hi Florin:
    S_TCODE restricts the user only at command prompt level, not if you run the transaction for program using "CALL TRANSACTION" verb.
    If we assign auth.object P_TCODE with some other transaction values (not one for which we want to restrict), then the authority check works for the above.
    But say, if I have no other transaction code values to be assigned to auth. object P_TCODE for the restricted user ( therefore, obviously I don't assign auth. object P_TCODE to any auth. profile for the restricted user) then again, I am out of luck.
    The only way, I have seen this working is to assign value space ( ' '  ) to auth. object P_TCODE and then assign this auth.object to one of the auth. profiles of the restricted user, BINGO!, then it works.
    But our Authorization team has an objection saying "We assign the transactions ( to auth. object ) which the user should have access. It is not  proper to assign a no value to auth. object ( assigning space value ) "
    I do not know how much merit their argument has, however, I was wondering if there is another way I could achieve it without relying on tens of hundred of programs doing auth. checks whenever they call the restricted transaction.
    Please let me know your thoughts.
    Thanks.
    Jitendra Mehta

  • Authorization check in LDB PNP

    Hi All,
    I am using logical database PNP in my report program and GET PERNR to fill the infotype tables. Infotype level authorization checks are performed but not Org data level (organizational assignments). The role assigned to me has access to data of specific personnel areas but I am able to retrieve data of all personnel areas (this was maintained in the authorization object P_ORGIN).
    I read the level of simplification should have a value 1 in the authorization object P_ABAP for Org Level authorizations to be performed. I have updated my role but still org level authorizations are not performed.
    Can you please let me know if  any special setting are to be done like in Tcode OOAC or set some flags/parameters in the report program to perform org data level authorization.
    Any information provided will be really helpful.
    Thanks,
    Pavan

    Hi,
    A separate ID was created in an environment similar to production and proper authorizations were assigned to it (I mean roles with authorization objects P_ABAP - level of simplification 1 and P_ORGIN - restricting based on personnel area). Still, Org level authorizations were not performed while using the LDB PNP. Is there anything I am missing?
    Thanks,
    Pavan

  • Authorization Check in Ad Hoc Query

    Hi Experts,
    When a user is given access to an infoset via the query user group, he/she will be able to see all infotypes that are associated with the infoset. The user will actually be able to select the fields, construct the query, and only hit the authorization error when they execute the query.
    This is not ideal from a user perspective as the user might spend a lot of time constructing the query only to find out later that they are not able to execute it due to authorization restrictions. Is there a way to restrict upfront to show the user only the infotypes and fields they are authorized to when constructing the query? Please advise.

    You need to do this in your infoset ...
    You can use the following procedures if you want to change the behavior of the SAPDBPNP logical database:
    You can program the logical database not to skip personnel numbers. The data is, nevertheless, only made available to the relevant reports for the authorization check. There is no direct way to access the data that was not read by the authorization check. This procedure is meaningful for the first example, but not for the other two examples. The relevant report implements the setting as follows:
    INITIALIZATION.
    PNP_SW_SKIP_PERNR = 'N'.
    It is conceivable in examples 2 and 3 that the evaluation would be possible for a certain period but not for a longer selection period. Normally, the logical database always selects all the data of an infotype and checks the authorization. If you want the system to read and check only the data of the selection period, you can use the RP_SET_DATA_INTERVALL macro (for the START-OF-SELECTION period) for this.
    The data is not requested immediately (addition MODE N for the INFOTYPES statement) and is checked by the report itself. The report uses the HR_READ_INFOTYP and/or the HR_CHECK_AUTHORITY_INFTY function modules from the HRAC group to check the data and decides itself how to react to missing authorizations.
    Procedures 1 and 2 are available for SAPDBPNP and are not supported by SAPDBPAP. Procedure 3 is always available. Procedure 3 is the only way of solving problems with the authorization check if a report requires only one subtype of an infotype and if users should not be able to access the other subtypes of the infotype.
    -Saquib

  • Authorization check for Selection of Filter Values for Query Definition

    I am looking for a solution to the following problem:
    Assuming you have confidential master data in your development system.
    How can I protect a query developer to see only master data values, that he is allowed to see when e.g. creating a restricted key figure.
    I know that you can enable a setting in the "Business Explorer" tab that says "Query Def. Filter Value Selection". The help says:
    This field describes how the selection of filter values and the restriction of characteristics function when you define queries.
    The values from the master data table are normally displayed when you restrict characteristics. For characteristics without a master data table, the values from the SID table are displayed instead. In a number of cases, however, it could be better to display only the values that are in the InfoProvider. The setting "InfoProvider Values Only" is permitted for this reason.
    This would almost do it, but it can be overwritten in the BEx Query Designer.
    Is there a way of preventing Query Developers from seeing all InfoObject values when creating restricted key figures?
    Thanks for your replies.

    Hi,
    Thanks for the points. I am not too sure how you guys go about implementing SAP. Sorry, I am not trying to be rude, but you're not supposed to see any "real" data in DEV where all development takes place. You can't prevent query developers from seeing data. Without data there is no way they know their queries are right or wrong. Ask the ECC guys to load dummy data into the DEV environment that closely resembles the data currently in legacy, e.g. real data. Sorry, it was my mistake at the beginning when I thought it was about preventing specific end users from seeing data that does not belong to them.

  • Without providing access of mass storage,allow access of data card or local printer ,

    Hello,
    Pls assist in exploring the possibility to allow access of data card or local printer  without providing access of mass storage.
    Balwan Singh

    Hello Balwan Singh,
    You can use two methods: one is using Administrative Templates and the other is using Preferences. Both are available within the GPO in Domain Controllers with 2008 and later.
    Option 1: Administrative Template.
    This setting can be configured either at Computer or User level.
    You need to go to:
    Computer or User Configuration\Policies\Administrative Templates\System\Removable Storage Access
    In here you can Enable the setting "Removable Disks: Deny read access" or "Removable Disks: Deny write access" 
    Just be aware that these settings do not apply to servers at the "User Configuration" level.
    Option 2: Preferences.
    This setting can be configured either at Computer or User level.
    You need to go to:
    Computer or User Configuration\Preferences\Control Panel\Devices
    In here you need to create a new item as follows:
    - Right click and select new --> Device
    - On the General tab you can select two "Action" options, "Use this device (enable)" or "Do not use this device (disable)"; in this case you should use the second option, "Do not use this device (disable)".
    - On "Device class:" you can browse the devices attached to the computer from where you are configuring this GPO.
    In this list you need to choose the "Universal Serial Bus controllers" node and among the options listed there you should choose "USB Mass Storage Device", which is the class used for USB drives.
    Remember that if you are configuring the GPO from a domain controller you will probably not see "USB Mass Storage Device" in the "Universal Serial Bus controllers" node, since there is no USB drive directly attached to your domain controller.
    You can work around this by either connecting a USB drive to your Domain Controller or connecting with the Group Policy Management Console (GPMC.msc) from a workstation on which you can safely plug in a USB drive, just to be able to see it and configure your GPO.
    Related Info:
    Configure a Device Item
    https://technet.microsoft.com/en-us/library/cc771861.aspx?f=255&MSPPError=-2147217396
    I hope this info helps you to reach your goal. :D
    5ALU2 !

  • Adding custom fields to VA01 additional data tab without access key

    I have to add custom fields at item level in transaction VA01/VA02.
    Is  access key required to add fields to additional data screen i.e 8459 ?
    Is there any way to do this without using access key ?

    Hi ,
    Try for any User Exit or BADI available for the tcodes.
    Here are exits for VA01 and VA02.
    Exit Name           Description
    SDTRM001            Reschedule schedule lines without a new ATP check
    V45A0001            Determine alternative materials for product selection
    V45A0002            Predefine sold-to party in sales document
    V45A0003            Collector for customer function modulpool MV45A
    V45A0004            Copy packing proposal
    V45E0001            Update the purchase order from the sales order
    V45E0002            Data transfer in procurement elements (PRreq., assembly)
    V45L0001            SD component supplier processing (customer enhancements)
    V45P0001            SD customer function for cross-company code sales
    V45S0001            Update sales document from configuration
    V45S0003            MRP-relevance for incomplete configuration
    V45S0004            Effectivity type in sales order
    V45W0001            SD Service Management: Forward Contract Data to Item
    V46H0001            SD Customer functions for resource-related billing
    V60F0001            SD Billing plan (customer enhancement) diff. to billing plan
    Regards,
    Lakshman.
