GL Security in Discoverer - VALIDATE_SEGVAL

Hi,
We are using GL security in a number of our business and it is working fine.
However, when we apply use the VALIDATE_SEGVAL function on segment1 (i.e. the balancing segment), we encounter significant performance problems.
The data that eventually comes back is correct, but it takes too long to be acceptable to our users.
Short term we have had to come up with a customised way of validating segment1, which will not be sustainable in the long term and also moves us away from standard Oracle security, which we don't want to do.
Has anyone experienced similiar problems in GL and foud a way of improving performance?
We run Discoverer off a clone of our EBS data, so we do have the luxury of creating new indexes as required, if this helps.
Many thanks for reading.

Hi,
Yes, using the GL_SECURITY_PKG will kill your performance. One technique to improve performance is to use a wrapper round the function to cache the results. This Re: Speeding up or Caching the gl_security_pkg.validate_access(sob_id, ccid) gives details of how to cache the validate_access function. You could probably do a similar thing with the validate_segvals.
Another option is to use a denormalised copy of the gl_code_combinations table.
Rod West

Similar Messages

  • Row level security in discoverer desktop

    currently, I have designed a business area on one of my star schema, and I created several other business area in order to allow different level of users to view the pre-defined reports on discoverer desktop. and I want different users to view different data from my star schema tables. So I created some criteria on those business area.
    e.g. condition on bus_area1 : sales_manager="man01",
    condition on bus_area2 : sales_manager="man02"
    in short, i want to enable record level security by using discoverer's conditions.
    but unfortunately, even I un-checked "Create/Edit Query" privileges on discoverer administrator for those users, they still can modify the worksheet. So they can just remove my condition and to view data that they shouldnot be able to see..
    can any one tell me how to solve this problem, or how to do row level security in discoverer?
    What can I do if I want to disable "edit worksheet" in discoverer desktop from users??
    thanks in advance..
    Marco

    Marco,
    Probably the best way to achieve row-level security is to upgrade to 9.0.4.1 and take advantage of the new functionality of Discoverer to pass the SSO user to the DB query. You would apply Oracle Fine Grained Security/VPD/striping on the DB tables using a policy based on SSO userid. Then using Disco 9.0.4.1 the user would see only the data they are privileged to see. However this works only in a web environment (Discoverer Plus, Viewer and Portlets) not for Desktop.
    Discoverer Product Management - mpd

  • How can you securly call discoverer through a form button?

    How can you send a user's creditentials securly to discoverer when in forms without using SSO? Is there something similar to calling oracle reports using a cookie to pass the credentials?
    Thanks,
    Jim

    Dr_Chris wrote:
    Just looked into the HBH-PV720 which is a Mono headset (version 2.0) whereas the Samsung Star is A2DP (version 2.1) capable, which means that you will need a compatible BT stereo headset in order to stream music to the phone.Hope this helps.
    I looked up on Sony Ericsson's products page and found dad's headset.
    http://www.sonyericsson.com/cws/products/accessories/compatiblephonesotherbrands/hbh-pv720?cc=gb&lc=...
    Then looked at the (Other Brands) Compatible Phones and noticed that Samsung Star (s5230) wasn't included there
    Dad's old phone was a W302 and I found it at the compatible Sony Ericsson phones section,which means incompatibility is actually the problem.At least he can use it when driving(which was actually the main reason why I bought him the headset,because I hated it when he drove and held his phone at the same time).
    Thanks so much for your replies,I might aswell have wasted my entire day trying to figure out how to fix this,not knowing though what the actual problem was

  • How to implement row-level security in Discoverer?

    Dear all,
    I have a scenario that I have 2 folders containing sales and inventory data stored by product lines.
    The 2 folders are constructed by 2 SQL statements.
    There exists a set of tables controlling which product line's sales and inventory data a person can read.
    A function is written previously that returns the WHERE clause based on user_id, employee_id and the other parameter.
    So, can you suggest how to integrate the 2 components in Discoverer?
    thanks
    George
    My blog: http://hktour.blogspot.com

    hi Rod,
    Thanks for your suggestions.
    I took your 1st option, ie.
    "You can use VPD at the database level to secure the tables."
    I have a view BUDGET_V with the following columns:
    PERIOD_YEAR
    PERIOD_MONTH
    PRODUCT_LINE
    BUDGET_AMOUNT
    Every salesman can only read the budget amount of certain product lines.
    I built the security function which will be binded to the view BUDGET_V (see below)
    FUNCTION security_policy_function( p_schema in varchar2, p_object in varchar2)
    return varchar2
    as
    begin
    if (user = p_schema) then
    return '';
    else
    return viewProductLine(FND_GLOBAL.USER_ID, FND_GLOBAL.EMPLOYEE_ID, 'BUDGET_V.PRODUCT_LINE');
    end if;
    end;
    The security function actually calls my own security function viewProductLine(FND_GLOBAL.USER_ID, FND_GLOBAL.EMPLOYEE_ID, 'BUDGET_V.PRODUCT_LINE') which take the user id and employee id of the apps user and returns the predicate.
    Then, I bind the security function security_policy_function() to the view BUDGET_V with
    begin
    dbms_rls.add_policy
    object_schema => 'APPS',
    object_name => 'BUDGET_V',
    policy_name => 'MY_POLICY',
    function_schema => 'APPS',
    policy_function => 'security_policy_function',
    statement_types => 'select',
    update_check => FALSE,
    enable => TRUE
    end;
    The problem now is that if I query the view in Discoverer as a Apps user (say "A"), it returns all the records in the view without any filtering (user "A" is supposed be able to read certain product lines).
    I try to verify whether the security function work or not. So, I hardcoded FND_GLOBAL.USER_ID and FND_GLOBAL.EMPLOYEE_ID as 1234 and 6789 which are the user_id and employee_id of user "A". (see below)
    FUNCTION security_policy_function( p_schema in varchar2, p_object in varchar2)
    return varchar2
    as
    begin
    if (user = p_schema) then
    return '';
    else
    return viewProductLine(1234, 6789, 'BUDGET_V.PRODUCT_LINE');
    end if;
    end;
    This time, Discoverer returns only the records with product lines visible to user "A".
    So, I guess there is problem in the function call in viewProductLine(FND_GLOBAL.USER_ID, FND_GLOBAL.EMPLOYEE_ID, 'BUDGET_V.PRODUCT_LINE');
    Can you give me some light on this issue?
    thanks
    George (HK)
    My blog at http://hktour.blogspot.com

  • GL Security in Discoverer.

    Hi.
    I have some urgent issue for which i'm struggling since couple of days.
    We have a GL report in discoverer which has data coming from both GL Accounts and LD(Labour distribution) accounts.
    Now i need to provide a security so that the users should only be able to see the accounts for which they have access.
    Can someone tell me how??
    I appreciate your help on this.
    Thanks a lot
    --Kumar                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       

    Hi,
    Yes, using the GL_SECURITY_PKG will kill your performance. One technique to improve performance is to use a wrapper round the function to cache the results. This Re: Speeding up or Caching the gl_security_pkg.validate_access(sob_id, ccid) gives details of how to cache the validate_access function. You could probably do a similar thing with the validate_segvals.
    Another option is to use a denormalised copy of the gl_code_combinations table.
    Rod West

  • Security Flaw Discoverer 10g

    I hope you dont mind me contacting you
    but we have a small problem, i just wondered if you know about this or have a solution
    We have created a suite of reports in discoverer 10g.
    Problem is that someone is sending a url around ... with a username + password + resp in it, and people are using this
    url to access reports and info they are not supposed to see... So its not asking for the person to login, just accepting
    whats given in the url ... Any ideas ??.... On how to enable security even if there is a username in the url or something like that
    We need a global solution , as others users can do this too...... Is this normal....

    Hi,
    I am not sure what solution you are looking for. If you send out url with username and resp but not password then Discoverer will prompt for the password. If you send the password then there is no authentication hence anyone can use the url.
    Another option is to use Oracle single signon then the user will logon once with their username/password which will can give them access to Discoverer. Then a Discoverer url will work even without the username and password.
    Rod West

  • Security in discoverer

    hi
    i have just installed discoverer 10.1.0.2 on linux,and created a eul.my problem i have no idea how to create user to access the discoverer plus and the appropriate business area.any idea or any guide book to which i can refer.
    thnx
    regards

    Hi,
    Please refer to:
    Oracle Discoverer Documentation
    http://www.oracle.com/technology/documentation/discoverer.html
    Oracle by Example - Oracle Business Intelligence Discoverer
    http://www.oracle.com/technology/obe/obe_bi/discoverer/discoverer_1012/index.html
    want to switch to Oracle Discoverer
    Re: want to switch to Oracle Discoverer
    Regards,
    Hussein

  • Added security in Discoverer Admin

    Hi
    In addition to assigning specific Business Areas to responsibilities, we also want to use the custom Profile Options to restrict access to tables and views through Discoverer Admin.
    Has anybody done this? I guess I would have to create conditions in Admin.
    Thanks,

    Hi,
    Please refer to:
    Oracle Discoverer Documentation
    http://www.oracle.com/technology/documentation/discoverer.html
    Oracle by Example - Oracle Business Intelligence Discoverer
    http://www.oracle.com/technology/obe/obe_bi/discoverer/discoverer_1012/index.html
    want to switch to Oracle Discoverer
    Re: want to switch to Oracle Discoverer
    Regards,
    Hussein

  • Security Framework in Discoverer

    Hi
    I am using Discoverer for reporting.And currently we are planning to incorporate security feature using Discoverer.Since I am new to Discoverer,Can anyone please suggest some Security features in Discoverer (any links or document about it.)
    We have listed down some parameters on which would like to build security Framefork.
    1) Report level security
    2) Data Level security
    3) EUL/Business Area Access
    4) Allowing user to view the report but restricting it to modify existing report(i.e removing conditions,some fields etc.)
    Not sure whether its feasible with discoverer or not.
    Please advice.
    Thanks

    1) Report level security
    Using Discoverer you can control access to specific workbooks, so that only certain users have access to the workbooks you want. Also, you can also share workbooks to database roles, and not just users.
    2) Data Level security
    Discoverer relies on the Oracle database to implement data security. What this means is that the Discoverer user connecting to Discoverer to run a workbook that queries the database for data will never be able to get to data that they do not have access/privilege to. For e.g. is user 'A' is not authorized to view data in table 'B' then user 'A' cannot use Discoverer to get to the data in table 'B'.
    3) EUL/Business Area Access
    This can be done using Discoverer Administrator - using the relevant menu options. Users can either have full access to the Business area, or you can specify whether a user has access to a business area to begin with. Secondly, using the Privileges dialog, you can furthermore specify whether a user has 'Administration' privileges or not, and even as an administrator whether the user can create new BAs, summaries, manage scheduled workbooks, etc...
    4) Allowing user to view the report but restricting it to modify existing report(i.e removing conditions,some fields etc.)
    Using Discoverer Administrator, you can also specify whether users have privileges like drill-out, save a workbook, etc... If for example a user does not have drill privileges, then the drill icon is not displayed when running the workbook.
    For concepts like how to setup row/column level security, you should consult the Oracle database documentation:
    See the Oracle® Label Security Administrator's Guide, 10g Release 2 (10.2), Part Number B14267-01 at http://download-east.oracle.com/docs/cd/B19306_01/network.102/b14267/toc.htm
    and
    Oracle® Database Security Guide, 10g Release 2 (10.2), Part Number B14266-01 at http://download-east.oracle.com/docs/cd/B19306_01/network.102/b14266/toc.htm
    Thanks
    Abhinav

  • Security issues for Discoverer 10g apps 12i

    gurus,
    I have couple of things to get it done at client.
    We are on Oracle Apps rel 12i with dicoverer 10g.
    Did anyone setup MOAC to be enabled and operational in business areas?
    Setting up secure responsibilities in discoverer for MOAC?
    Any setup needs to be done for custom report security in discoverer ?
    thx

    Hi,
    I did setup new MOAC security profiles and assigned multiple organizations to that profile for testing purpose.
    After this, I did run concurrent program "Security List Maintennce" etc...
    Tested Upding profile at user level or responsibility level.
    On APPS side fine.
    I need the some basic steps on setup of security issues for discoverer side.
    1) Business areas (any security steps need to be followed in order to access data for single or multi-org)
    2) Custom Reports ( any security setup or any moac security profile setting against responsibilty for accessing single or multi-org data)
    Since we dont have default operating unit parameter as specified in the concurrent program, how do you restrict data?
    3) Reconciling security approach r12 with discoverer (any steps need to be followed here after r12 configuration with security issues)
    4) Custom Views ( any steps to be followed for single or multi-org data as security aspect)
    Looking for info on these setups.
    Thx

  • How to make Custom Discoverer workbook use Custom Security profile of Apps

    We use Discoverer in Oracle Apps setup. We have added Custom security in our HR People Form of Apps.
    This Custom Security restricts one HR Emplpoyee not view other HR employee record except for himself/herself. Also maintining that they should be able to view all other employee's records.
    The following code was put under the Security Profile Form -- > Custom Security Tab
    exists (select 1
    from per_jobs b
    where ASSIGNMENT.job_id = b.job_id
    and (b.name not like '%HR%')
    and (b.name not like '%Human%')
    and ASSIGNMENT.assignment_number is not null
    union
    select 1
    from fnd_user fu
    where fu.user_name = fnd_global.user_name
    and fu.employee_id = PERSON.person_id
    and ASSIGNMENT.assignment_number is not null)
    Above security profile works fine for HR People Form.
    However, It does not work for our Discoverer Workbooks. I found a note on Metalink 422841.1 which talks about leveraging the Custom Security of Apps in Discoverer Report. I read it, but did not get much clue.
    Can Anyone help.
    Thanks

    Hi,
    If you want to use custom HR security with Discoverer you have to ensure that the correct security filters are applied when the Discoverer reports are run. These filters can use the supplied HR_SECURITY package or you can develop your own conditions using table lookups or functions. To get the filters applied to your reports you have a number of options:
    1. Build the security into custom folders using additional conditions
    2. Use custom database views in Discoverer and build the security into the views
    3. Use mandatory conditions in you Discoverer folders using either a function call or database contexts set at login time
    4. Use VPD (Virtual Private Database)
    I am not sure which of these options you are using to implement your HR security in Discoverer. The last option, VPD, is the most flexible and can give the best performance but maybe it is more complex to set up.
    Rod West

  • Discoverer/SSO/VPD combination

    In this post:
    row level security in discoverer desktop
    there is a reference to being able to pass the SSO user to the DB query. I'd like to do this for VPD. Can you provide or point to an example/reference that shows the SSO user being passed, preferably in an LDAP environment?

    Note 275404 on Metalink has information on this.Hi...
    I would like to know where i can find this particular patch(9.0.4 discoverer patch.)
    Can you please give patch number
    Rgds
    Vidhya

  • Discoverer Desktop Connection

    All,
    When connecting to Desktop as an ORACLE applications user I get a dialog 'Choose a Responsibility' that pops up. How can I change the list of responsibilities shown in that pop up? Also what is the significance of this pop up?
    Thanks,
    Vinay

    Hi,
    will you assign the responsibility to the BA or to the workbook. In (very) general there are several levels of security using discoverer, i'll go top-down:
    1. in BA level you define who can see the BA and what are the privileges he should have.
    It will be much easier to maintain using responsibility for that.
    inside the folders you can create a mandatory condition and by that force a security rule.
    best way to have in the database although it is really per demand.
    2.in the workbook level you define who will be able to see the workbook and use it (he must have access to the BA)
    3. in the database objects you created/ used for the BA you can define a security in the data level so that if for example you'll run a financial report each legal entity will see it's own data. the workbook can be the same but the data in it will be changed according to the security applied in the code.
    Also if you assign the resp. to the BA then will all workbooks under that BA be
    assigned automatically to that resp. as well.No, each workbook you want to share with a responsibility is defined manually (can assign several at once)
    but for each workbook you share, the responsibility (or user BTW) must have access to the BA and this is defined in the discoverer administrator tool.
    Tamir

  • Rest Security Framework using Internal user

    We are planning to use ATG 10.0.3 REST framework to expose web APIs for other channels as REST services. These services will be called in session context and will be used to place an Order for registered external user.
    We would like to use REST Security framework to restrict certain method / repository access to certain client only. There are 2 set of users involved here in one session 1. The client making the Rest service call and we would like to restrict access by these client. 2. The end user, who will login and create order and checkout. But we don't want to setup access rule based on the external customer profile.
    How should we approach this scenario? Any suggestion.

    1) Report level security
    Using Discoverer you can control access to specific workbooks, so that only certain users have access to the workbooks you want. Also, you can also share workbooks to database roles, and not just users.
    2) Data Level security
    Discoverer relies on the Oracle database to implement data security. What this means is that the Discoverer user connecting to Discoverer to run a workbook that queries the database for data will never be able to get to data that they do not have access/privilege to. For e.g. is user 'A' is not authorized to view data in table 'B' then user 'A' cannot use Discoverer to get to the data in table 'B'.
    3) EUL/Business Area Access
    This can be done using Discoverer Administrator - using the relevant menu options. Users can either have full access to the Business area, or you can specify whether a user has access to a business area to begin with. Secondly, using the Privileges dialog, you can furthermore specify whether a user has 'Administration' privileges or not, and even as an administrator whether the user can create new BAs, summaries, manage scheduled workbooks, etc...
    4) Allowing user to view the report but restricting it to modify existing report(i.e removing conditions,some fields etc.)
    Using Discoverer Administrator, you can also specify whether users have privileges like drill-out, save a workbook, etc... If for example a user does not have drill privileges, then the drill icon is not displayed when running the workbook.
    For concepts like how to setup row/column level security, you should consult the Oracle database documentation:
    See the Oracle® Label Security Administrator's Guide, 10g Release 2 (10.2), Part Number B14267-01 at http://download-east.oracle.com/docs/cd/B19306_01/network.102/b14267/toc.htm
    and
    Oracle® Database Security Guide, 10g Release 2 (10.2), Part Number B14266-01 at http://download-east.oracle.com/docs/cd/B19306_01/network.102/b14266/toc.htm
    Thanks
    Abhinav

  • Securing Private Information

    Like a lot of companies we need to 'hide' certain columns of data - such as social security number - from most of our Discoverer community. I know that I can address this by creating two custom folders - one with the social security number column defined, one without social security number being defined - for each of my "base" views/queries but that seems to me to be unnecessary overhead.
    In the application I address this with a forms personalization which would restrict users without the appropriate access (i.e. responsibility) from being able to view the social security number field on the form. With such a 'model' already implemented in the PUI, I'm wondering if there is something conceptually similar I can do with apps mode security in Discoverer that would give me the same result ? In other words, is there are easy way to leverage my existing PUI (EBS application) "non-viewing SSN" responsibility with Discoverer to hide SSN from users who shouldn't see SSN ?
    Thanks in advance to all who reply !
    Jeff

    Hi Jeff,
    This sounds like a great opportunity for you to use VPD to secure your columns. Rod West has documented his approach quite well (see http://ascbi.com/downloads/Third%20Party%20Documents/Using%20VPD%20to%20secure%20Discoverer%20Reports.pdf). I would also recommend looking over Tom Kyte's section on fine grain access control in his Expert One On One book. Both of these sources provide some very simple examples which can be implemented just to get a feel for how it works.
    Suppose you did not want to go this route, you might consider just making sure the eul owner has the execute privilege for the FND_GLOBAL package. You could then use one of its function, RESP_NAME to obtain the responsibility in your end user layer. Next, it would be easy to implement a statement like the following:
    decode (apps.fnd_global.RESP_NAME, desired_responsibility, column_wanting_to_share_with_desired_responsibility, NULL)
    For more on this, see the following:
    http://download.oracle.com/docs/html/B10270_01/oracle_a.htm#1004614, look for the section, How to display your Oracle Applications database user name and responsibility in a workbook.
    Patrick

Maybe you are looking for

  • Sort the Nodes and remove duplicate nodes

    Hello Experts, I have a requirement to sort the nodes based on a key value. e.g. <Node>     <Key>2<Key>     <Value1>name1<Value1>     <Value2>email1<Value2> </Node> <Node>      <Key>1<Key>      <Value1>name2<Value1>     <Value2>email2<Value2> </Node>

  • Can't copy .doc, .xls. pdf's

    Ok, I'm on OSX 10.4.7 connected to my windows xp home through my linksys wireless router... The problem I'm having is trying to transfer files over but I keep getting "The operation cannot be completed because you do not have sufficient privileges fo

  • ITunes music library has disapeared

    I have a Mac mini with all my music stored on a Time Capsule. I've recently put the Mac mini to sleep but turned the TC off at the plug. I've just gone to start up iTunes and now all the music has gone from my iTunes. It's still on my TC but the libr

  • Iphoto 6 (deleting pictures & working with RAW)

    two questions: (1) If I delete a picture in my library and then empty trash is the picture gone from my hard drive? From the Iphoto folder(s)? (2) I hear with Iphoto6 you can set preferences so that RAW files are saved as 16 bit TIFF files instead of

  • Function module to upload Excel in version 3.1

    Hi,        Please can anybody tell me what is the function module to upload Excel sheet in SAP version 3.1.its urgent     And also the user-command in radio buttons is not working in version 3.1. Please suggest me the right code for radio buttons in