Dynamic Security
How to add dynamic security in ADF 11g.
User names will come from database table not from jazn-data.xml.
Or,
How can I create UI based on ADF security policy?
Can anyone help me?
Security is a more general matter than an ADF application.
It's a matter of Fusion Middleware, since the same users may have roles to use many applications deployed in the same WebLogic server (or even in different servers).
It's usually the responsibility of administrators to manage users and roles, and WebLogic or any LDAP security provider has a UI to support that.
[http://download.oracle.com/docs/cd/E12839_01/security.htm]
You can also configure a weblogic domain to use RDBMS provider
[http://download.oracle.com/docs/cd/E12839_01/web.1111/e13707/rdbms.htm]
and there are Java APIs for programming security
[http://download.oracle.com/docs/cd/E12839_01/web.1111/e13711/toc.htm]
But I also miss an example (or how-to) of how to register and edit users with specific roles from inside a custom-made ADF application
Edited by: mkonio on Aug 2, 2009 2:05 PM
Similar Messages
-
Dynamic security in Cube having many to many relationship
I have multiple dimensions (around 20) and 4 fact tables in my cube. I am implementing dynamic security in my cube, so only logged in user will see his information.
I have a person dimension, which stores user information.
I have a shipper dimension , which stores shipper information.
Person dimension is connected to Fact table A and Shipper is also connected to Fact table A.
Shipper Dimension is also connected to Fact Table B.
Now in dimension usage tab i connected Person dimension to FACT table B measure group using many to many relation via Fact Table A measure group.
I wrote below code block in Shipper dimension to implement security , under Dimension data tab -
exists ({[Shipper].[SHR Number].members}, strtoset("[Person].[Person number].[" + username() +"]"), "Fact Table A")
It is working fine when I run it as an MDX query, using a select command. I can see all measures (both from fact A and fact B) based on my ID permissions.
But the issue is when I browse cube, I can see only Fact Table A measures and NOT FACT B measure.
FACT B measures comes as NULL.
I referred below link -
http://bifuture.blogspot.com.au/2011/09/ssas-setup-dynamic-security-in-analysis.html
PLEASE HELP
I got the issue, it is related to dimension security. It's working fine
-
Dynamic Security Tabular Model : No filters are applied
Hi, I am surprised because when I open my PowerPivot report on my BI portal on SharePoint 2013, no filters are applied, Dynamic Security does not work,
unless I do a refresh of my report. When I refresh my report, with another Windows account, all the filter determined in the tabular data model, at the level of Role.
I use the User Authentication option at the level of my PowerPivot report.
Can you help me to understand this bug and help me to resolve it?
Thanks in advance.
Hi,
I am not quite sure about your scenario. Are you using Power Pivot or SSAS Tabular?
Power Pivot itself does not have any security features so I guess you are talking about SSAS Tabular right?
Or are you moving data from SSAS Tabular into Power Pivot?
In this case, if you refresh the workbook a Service Account will be used and of course the security settings will be derived from the credentials of this service, which may be allowed to see all data
hth,
gerhard
Gerhard Brueckl
blogging @ http://blog.gbrueckl.at
working @ http://www.pmOne.com -
Dynamic Security username () problems
Hi,
I need some help with the following situation. I am trying to put into place some sort of dynamic security in my cube. With some help, I managed to get something working:
select [Measures].[Sales Net Amount] on columns,
NONEMPTY(
[Dim Restaurants].[Restaurant].[Restaurant].members,
([Measures].[count],
StrToMember("[Dim User].[User].&[2]")))
on rows
from [XYZ]
My problem is the minute I replace StrToMember("[Dim User].[User].&[2]"))) with
StrToMember("[Dim User].[User].&["+ username() +"]"))) I get no result at all, looks like this function is non-existent, but every blog/post I looked at keeps using this function.
Something is missing and I do not see it. I am using SSAS 2012 and quite new to all of this
The username function returns a string in the form of "domain\user" so I highly doubt that you will ever get a value of "2" coming back.
If you run the following query you can see what this function returns in your environment
with member measures.UsrName as username()
select { measures.[UsrName] } on 0
FROM [XYZ]
You need to base your dynamic security on an attribute that has data in the same format that the username() function returns.
http://darren.gosbell.com - please mark correct answers -
Dynamic Security - Power View Capable of ?
Hi there,
I am currently trying to create some Dashboard Reports using Power View for all Employees.
But I can't allow any user to be able to see the data of the others.
Is Power View capable of determining which user is logged on and giving that to my Tabular Project, so it can filter the data through the Dynamic Security implemented in the Tabular Model?
Yes, Power View will work with the tabular model dynamic security. Power View does not do anything special, security is applied by the model.
http://msdn.microsoft.com/en-us/library/jj127437.aspx
Brad Syputa, Microsoft Reporting Services This posting is provided "AS IS" with no warranties. -
SSAS Dynamic security not working after upgrade
Hi,
I am able to apply the dynamic security on a 2008 R2 instance of SSAS, using the Users Dimension and a bridge table, and specifying the EXISTS(...) MDX expression in the Dimension data on the Role.
But when I copy the cube solution to a 2014 SSAS instance, the cube report ignores the security, and brings back all the data. I also tried clearing the cache, but that didn't change anything.
As far as I can tell, there are no differences in the data, and I did not change anything in the working cube solution either.
I'm out of ideas, and I have not found any clues on the internet yet.
Any help would be appreciated.
Edit: I forgot to clarify that I am using CustomData() and not Username().
I think this setting can be used in conjunction with Charlie Liao's suggestion. Thanks! -
Dynamic security using Security table in SSAS Tabular model
Hi,
Platform : SSAS Tabular model (VS 2010)
I need to apply dynamic security using a Security table (manually created) in a Tabular model, and need to apply a filter for 2 tables. I am able to create roles in the Tabular model using the USERNAME() and LOOKUP() functions and it worked fine. But the problem is when I am trying to give full access for a particular column and limit the access in the other column, it is not working properly.
Please find the table below and guide me where I am falling short. In the Security table wherever you find ALL it means full access.
Security table

| Login Name | Dim_Country | Dim_Customer | Notes |
|---|---|---|---|
| DOMAIN\User1 | ALL | 2 | User1 should see all countries but Only 2,4 Customers |
| DOMAIN\User1 | ALL | 4 | |
| DOMAIN\User2 | 2 | ALL | User2 should see all customers but Only 2,3 countries |
| DOMAIN\User2 | 3 | ALL | |
| DOMAIN\User3 | ALL | ALL | User3 should see all Customers and Countries |
| DOMAIN\User4 | 1 | 3 | User4 should see 1 Country and 3 Customer |

ALL - means NO restriction
Numeric values indicate the Dimension IDs
Do let me know if further explanations required.
Thanks,
Sundar
Hi Sundar,
According to your description, you want to implement dynamic security using Security table in SQL Server Analysis Services Tabular model, right?
It is very common to have data security implementation in BI projects either at databases or Cubes and sometimes this security implementation and maintenance goes out of control due to the dynamic flow of business information. Here are some links which describe dynamic security implementation at SSAS tabular model using an external security table, please see:
http://bipassion.wordpress.com/2012/10/01/ssas-tabular-dynamic-security/
http://www.bidn.com/blogs/ChrisSchmidt/ssas/4332/dynamic-security-in-tabular
Regards,
Charlie Liao
TechNet Community Support -
Dynamic Security in a denormalized Parent-Child dimension Table
Hi guys, I need your priceless help again:
I have a parent-child relationship in a table with a fixed depth, let's say Region-->Area-->Country
I denormalized the table to have something like this
Then, to implement dynamic security, I think in a bridge table with the userId and the CountryId, then with a measure group and a measure which count the combination of user/country I can proof the security using the non empty function.
My question is how can I also set security for the levels above the leaf members, let's say, I want to assign a user to the Area level or Region level. I don't know exactly which key I could include in the bridge table.
I may want to keep the ids of the original table in the different levels.
Any comment will be appreciated.
Kind Regards,
Hi Paul,
According to your description, you want to apply dynamic security on parent-child hierarchy. Right?
In Analysis Services, when a dimension contains a parent-child hierarchy, we can't set up security directly on the key attribute. Because it will not appear on the dropdown list of Dimension Data Security in Role editor.
In this scenario, we need to filter on the key attribute and not the parent-child hierarchy. Then use LinkMember() to find the equivalent members on the parent-child hierarchy. Please refer to the expression below, based on an employee dimension with a parent-child hierarchy.
Generate(
    NonEmpty(
        [Employee].[Employee].[Employee].Members,
        ( [Measures].[Employee Count],
          StrToMember('[User].[User].[' + UserName() + ']') )
    ),
    { LinkMember(
        [Employee].[Employee].CurrentMember,
        [Employee].[Employees] ) }
)
Also I suggest an excellent book:
Expert Cube Development with Microsoft SQL Server 2008 Analysis Services. It talks about this scenario in chap 9.
Reference:
SSAS
Dynamic security - Bridge table (factless) between User dimension and Parent-Child (PC) dimension
If you have any question, please feel free to ask.
Best Regards,
Simon Hou
TechNet Community Support -
Windows Server 2008 DNS command syntax to set All zones to Dynamic Secure updates
Hello,
I am trying to configure all of my 150 DNS zones to change dynamic updates from "none" to "secure".
What is the command I should run to update all my zones? I ran "dnscmd myservername /config ALLZones /AlowUpdate 1" and I keep on receiving this error message
"DNS_ERROR_ZONE_DOES_NOT_EXIST"
What should be the exact command/argument I should run to propagate this on all my zones ?
is "..allzones" or "allzones" a valid argument ?
Thanks
Robert
Hi Robert,
Even when I add the two dots, I get the same result.
Here is the screenshot of my lab,
As Kumar has mentioned, you need to write a script.
I have tried to modify the script provided by Kumar. It works on my lab server.
Here is the script,
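# Enumerate every zone hosted on this DNS server
$a = Get-DnsServerZone
foreach ($zone in $a)
{
    # Secure dynamic updates are only available on AD-integrated primary zones
    if ($zone.ZoneType -eq "Primary" -and $zone.IsDsIntegrated -eq $true)
    { Set-DnsServerPrimaryZone -DynamicUpdate Secure -ZoneName $zone.ZoneName }
}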
Best Regards.
Steven Lee
TechNet Community Support -
I need to create a security group that contains all the enabled users in AD.
This group needs to be dynamic so that when a user is disabled it is automatically removed from it
Thanks
We do have the concept of dynamic objects in Active Directory but that is not what you are looking for. Dynamic objects in Active Directory have a specific TTL and when their TTL expires they are directly deleted and they will not be considered in Garbage Collection.
What you need, I believe, is a script which 'Removes the disabled users from the group', run every 15 minutes or so on your domain controller. I will update this thread as soon as I get my hands on a PowerShell.
Update: Run this as schedule task:
Get-ADGroupMember GroupTest | %{Get-ADUser -Identity $_.distinguishedName -Properties Enabled,samaccountname | ?{$_.Enabled -eq $false} | %{Remove-ADGroupMember -Identity GroupTest -Members $_.samaccountname -Confirm:$false}}
Mahdi Tehrani | www.mahditehrani.ir
This posting is provided AS-IS with no warranties, and confers no rights. -
Dynamic Security Audit Log filesize
Hello,
We have the following parameters set
rsau/max_diskspace/local 20M
rsau/max_diskspace/per_day 0
rsau/max_diskspace/per_file 0
If I look in the DynamicConfiguration tab, it shows
Maximum File Size 100,000 MB
This seems a little crazy. Does anyone have any idea how the Max File Size got to be displayed so large?
Kind regards,
Peter
Refer to SAP Note : 909734 - SecAudit: Parameter rsau/max_diskspace/local too small
As of kernel patch 2113 (4.6D) or 88 (6.40), the system requires a minimum size of 1 megabyte (1048576) for 4.6D, and a minimum size of 10 megabytes (10485760) for 6.40. As of kernel patch 134 (6.40), rsau/max_diskspace/local requires a minimum of 100 megabyte. -
Dynamic Dimension Security Error
Hi Everyone,
I created a dynamic security in SSAS and I use the following MDX in the Allowed Member set:
EXISTS([Sales Territory].[Sales Territory Group].Members,
Strtoset("[Users].[User Name].&[" +Username+ "]"), "User Dim Member Permissions").
On trying to check the MDX Query I got the following error message:
Check MDX script syntax failed because of the following error:
An error occurred in the MDX script for the dimension attribute permission's allowed member set: The dimension '[Users]' was not found in the cube when the string, [Users].[User Name].&[TEST\Bi_svcSetup], was parsed.
Please can someone assist me with this.
Thanks
me
Hi Lilutchay,
According to your description, you are trying to implement dynamic security without success, right?
Based on my research, the issue can be caused by implementing custom security on the database dimension instead of the cube dimension. So, in your scenario, please try the same thing on cube dimensions and check if this issue persists or not.
Reference.
http://www.rdacorp.com/2009/01/advanced-dimension-data-security-with-sql-server-2008/
Hope this helps.
Regards,
Charlie Liao
TechNet Community Support -
Dimension security is not working if user have two roles in SSAS while connecting from Excel
Hello Genius,
I am facing an issue when a user tries to connect to the cube from Excel if the user has more than one role in the SSAS db.
Role 1: Countryuser, I have implemented the dimension security with country dimension and countrycode attribute.
Role 2: CityUser, I have implemented the dimension security with city dimension and citycode attribute.
If the user is mapped to any one of the above roles, dimension security works perfectly according to the logic, but when mapped to both roles the cube exposes all the data; in this case dimension security is not working.
Please give me the solution to fix this issue, or in case I am wrong kindly advise.
Thanks
Ganesh
This is the expected behaviour as allowed sets in roles are unioned together.
This is not a problem when your roles are restricting across a single attribute.
eg.
US_role = {[Geography].[Country].[USA] }
France_role = {[Geography].[Country].[France] }
as someone in both roles ends up seeing {[Geography].[Country].[USA], [Geography].[Country].[France] }
But when you have different attributes:
NY_role = {[Geography].[City].[New York] }
France_role = {[Geography].[Country].[France] }
The first role is unrestricted on countries and the second is unrestricted on cities which is effectively:
NY_role = {[Geography].[Country].AllMembers , [Geography].[City].[New York] }
France_role = {[Geography].[Country].[France], [Geography].[City].AllMembers }
And when you union those two sets together you end up with:
{[Geography].[Country].AllMembers , [Geography].[City].AllMembers }
Which means that someone in both roles can see everything.
So if you want to restrict someone to City = New York and Country = France you have to create a single role where both attributes are restricted. So if you have a lot of these combinations you will either have to create a lot of "combination" roles or look at dynamic security.
The other thing that might work is make sure that you only give some users access to certain cities and others access to certain countries. It's the mixing of the two for a single person that causes the issues.
http://darren.gosbell.com - please mark correct answers -
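The union behaviour described in the answer above, as an added Python model that is not part of the original post and is not SSAS code. The Japan/Tokyo members, the France_Paris_role, the fact rows and the user names are constructed for illustration; the audit function flags users whose roles each restrict something but whose union restricts nothing.

```python
# Simplified model of the role-union behaviour described in the post.
# Everything here is constructed sample data, not taken from a real cube.

ALL = None  # marker: a role places no restriction on this attribute

MEMBERS = {
    "Country": {"USA", "France", "Japan"},
    "City": {"New York", "Chicago", "Paris", "Lyon", "Tokyo"},
}

# Constructed fact rows: (country, city, sales)
FACTS = [
    ("USA", "New York", 100),
    ("USA", "Chicago", 80),
    ("France", "Paris", 70),
    ("France", "Lyon", 40),
    ("Japan", "Tokyo", 90),
]

# Allowed sets per role; an attribute missing from a role is unrestricted.
ROLES = {
    "US_role": {"Country": {"USA"}},
    "France_role": {"Country": {"France"}},
    "NY_role": {"City": {"New York"}},
    # Single "combination" role restricting both attributes (constructed).
    "France_Paris_role": {"Country": {"France"}, "City": {"Paris"}},
}

# Constructed role memberships.
MEMBERSHIPS = {
    "DOMAIN\\alice": ["US_role", "France_role"],
    "DOMAIN\\bob": ["NY_role", "France_role"],
    "DOMAIN\\carol": ["France_Paris_role"],
}


def effective_allowed(role_names):
    """Union the allowed sets per attribute across all of a user's roles.
    If any one role leaves an attribute unrestricted, the union is all members."""
    effective = {}
    for attr, members in MEMBERS.items():
        allowed = set()
        for name in role_names:
            restriction = ROLES[name].get(attr, ALL)
            if restriction is ALL:
                allowed = set(members)
                break
            allowed = allowed | restriction
        effective[attr] = allowed
    return effective


def visible_rows(role_names):
    """Fact rows whose country and city both fall inside the effective sets."""
    eff = effective_allowed(role_names)
    return [r for r in FACTS if r[0] in eff["Country"] and r[1] in eff["City"]]


def audit(memberships):
    """Users whose roles each restrict something, yet whose union restricts nothing."""
    flagged = []
    for user, role_names in memberships.items():
        each_restricts = all(ROLES[n] for n in role_names)
        eff = effective_allowed(role_names)
        if each_restricts and all(eff[a] == MEMBERS[a] for a in MEMBERS):
            flagged.append(user)
    return flagged
```

Running `audit(MEMBERSHIPS)` on the constructed memberships flags only the user who combines a city-restricted role with a country-restricted role.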
Urgent help needed in Cube Security implementation
I have a need in implementing security in one of the dimensions(Performance Rating) and users under different roles should be able to browse the cube as below.
The tables information is as below
| Dimension Table | Description |
|---|---|
| Dim_Employee | Employee details: ID, Name, Gender, Age |
| Dim_PerformanceRating | Performance code, Description |
| Dim_Role_User | Role and users available under each role |
| Fact Table | PerfID, EmployeeID, HeadCount as measure |
If the User under HR Role browses the cube he should be able to view the details as below:
All Employee Details , counts but performance ratings to be restricted only for the employees under his (HR) role.
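| Emp ID (Dim-Employee) | Name (Dim-Employee) | Perf Rating (Dim_Perfrating) | Employee Type (Dim_Role_user) | Emp Count (Measure) |
|---|---|---|---|---|
| 1 | A | | VP | 1 |
| 2 | B | | Other | 1 |
| 3 | C | SM | HR | 1 |
| 4 | D | | VP | 1 |
| 5 | E | | HR | 1 |
| 6 | F | | HR | 1 |
| 7 | G | FE | HR | 1 |
| 8 | H | CE | HR | 1 |
| 9 | I | DNM | HR | 1 |
| 10 | J | NR | HR | 1 |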
If the VP browses the cube he should be able to view all the details as below
All Employee Details, counts and all the performance ratings of all the employees under him
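| Emp # (Dim-Employee) | Name (Dim-Employee) | Perf Rating (Dim_Perfrating) | Employee Type (Dim_Role_user) | Emp Count (Measure) |
|---|---|---|---|---|
| 1 | A | SM | VP | 1 |
| 2 | B | FE | HR | 1 |
| 3 | C | SM | Other | 1 |
| 4 | D | CE | VP | 1 |
| 5 | E | SM | HR | 1 |
| 6 | F | SM | HR | 1 |
| 7 | G | FE | Other | 1 |
| 8 | H | CE | Other | 1 |
| 9 | I | DNM | Other | 1 |
| 10 | J | NR | Other | 1 |

Hi,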
You need to Implement a dynamic security. Implement a factless fact table which includes information which user is allowed to see which nodes. Create a Measuregroup for this Table "FactSecurity"
Create a UserDimension which includes Domain\Usernames.
Map the User Dimension and the Perfrating Dimension to the FactSecurity Measuregroup
In the Role implement the security like this:
EXISTS([Dim_Perfrating].[PerformanceCode].[PerformanceCode].Members, STRTOMEMBER("[Users].[DOMAIN].["+UserName+"]"), "FactSecurity")
If needed check Visual Totals.
Kr Jürgen