Group security

Similar Messages

• Implicit Fact and Group Security Filters

  Hi All,
  Can somebody confirm for me if the Group Security filter as specified under 'Hr Org-Based security' is supposed to be applied in answers when the only reference to the fact table is via its selection as the implicit fact within the presentation catalog.
  E.g User selects Dim1, Dim 2 and Fact Measure , the query is filtered correctly by users organisation, when the fact measure is removed, OBIEE keeps the same fact table within the generated SQL as it is the implicit fact used to join the two dimension tables together. The results this time are not filtered by organization and its possible to return dimension records for fact rows that are from a different Org - In this case the user can return absense start and end dates for employees outside of his org (Customer wants this prevented)
  Is this expected behaviour ?
  Thanks.

  Hi John
  Thanks for your suggestion
  I tried this and He still doesnt have write access
  He doesnt need to be able to lock and send values via essbase ... However when we are in planning, He cant submit data to the dimension members mentioned above.. i.e the cells are all green
  I have checked and doubled check the security on the dimension members (and form security) in the form that he cant edit
  Do you have any other suggestions?
  Thank you
  PD

• Page & Page Group Security

  Looking for a fast way to check all the Page & Page Group Security? to see what they are all set to w/o having to go though everything manually.
  Thanks

  Did you ever find a solution to this?

• User and Group Security Provisioning

  Hi,
  I have a question regarding Group security in Planning. I am using EPM system 11. My basic question is, if I create a new Planning user (interactive user with no default access to dimensions), and assign that user to a Planning group, does the user automatically inherit all the dimension access assigned to that Group? From my experience, it seems that I must explicitly assign each User access to the dimensions they should be able to Read or Write, and that simply adding them to a group that has been given Write access to the Expense Account (for example) does not give a newly added user to that Group Write access.
  A quick note - when creating new Users, I first create and provision them in Shared Services. However, in order to be able to log in with them, I must recreate the user in EAS's User Directory. This seems redundant to make a user twice, but is the only way I am able to successful login with new users, otherwise the Planning login page says "failed to sync with user provisioning". I have not done this same procedure for the Groups I have created (i.e. I have made and provisioned the Groups in Shared Services, but not recreated them in EAS). Is it possible that this is why Users aren't inherittiing the access rights of the Group? I can provide more information if needed, any help or comments are appreciated. Thanks in advance.

  user3x3 wrote:
  1) EAS method is to open EAS, then open the Essbase Server Node, right-click on security, and click Externalize Users. When I do this there is no right-click option to externalize the users, and since it can only be done once and then not reversed I assume the previous administrator already did this. Since this is not availalbe, I must use the second method.
  If you log in with an administrator account you should see the "Externalize Users" option even if you have already externalized.
  I take it you did not configure your system, I take it was documented so you could have a look how it was configured.
  If essbase is on a different server than shared services then maybe the essbase server was not registered with the shared services registry when it was configured, that might the reason why you are getting the shared services error when you try to convert to shared services security, basically it doesn't know where shared services is. If that is the case then it will need to be configured again.
  Cheers
  John
  http://john-goodwin.blogspot.com/

• User and group security

  Not sure if this fits here, but here goes...
  I have a subportal folder, with a community in side. Inside the community, I have groups. If I give one group the admin level authority, is it just for that community and all of its content, or is it the whole portal. The admin docs are very granular on user and group security throughout the various ways of applying it. WHat I am trying to do is give a group admin control over a singel community as well as full admin control of all groups in the communities admin folder. BUT just those things.
  thanks

  If I recall correctly, there is no inheritance of user and group rights in PT, at least not in 5.x. If you give some rights on a specific object/folder to a specific group, then it will be for that object only and none of its children.
  You do have a choice of propagating of user rights down the ownership tree however. I.e., if you select a community and set some rights for yourself, it will prompt you if you want to propagate the same permissions down the chain, to all of its children. If you say yes, it will replacepermissions on all its children by creating copies. If you say no, you'll have to go and apply different permissions on each child individually.
  Ruslan.

• Group Security Issue with Business Rules

  Hopefully you experts out there can follow this. We have about 200 users in our Planning application split into 3 categories (Admins, Interactive Users and Planners) via groups setup in Shared services. We also have an email group list setup in Outlook that has all 200 users in it that we use to send out emails to all users regarding the application. So in Shared Services we have the email group list as an assigned group in the Planners group. So as new people are added to the group list in email they are automatically included as a user in the Planning application. People that are Admins or Interactive Users are manually added to those groups in Shared Services. Everything seemed to be working fine until we tried blocking the Planners groups from running certain business rules in the application. We have clusters setup in Essbase to control access to the business rules. I went into the cluster and set the Planners group to cannot validate or launch on certain rules but found that I now could not run the business rules either even though I am an Admin and the Admin group has vaildate and launch privledges in the cluster. I believe the issue has to do with the fact that I am by default in the Planners group because I am in the email group list which is assigned to the Planners group in Shared Services. Other than setting up and managing 3 seperate email group lists and assigning them individually in Shared Services, does anyone know how I can manage business rules security using the 3 groups i have setup? I hope this makes sense. If not I can provide more detail. Thanks.

  Have you tried using Business Rules projects? Create a project for the admin Shared Services group and assign all rules to that group. Create a Planning project for planners and assign only rules that you want them to run. Any rule that planners should not have access to would be removed from the Planner business rules project, but still in the admin project for you to run.

• LDAP and Notes Group Security Authentication Troubles

  First, my apologies if this is in the wrong forum, but after looking at the forum names a few times this seemed the most appropriate.
  I have a PDF file that I would like to have access restricted to a certain group on my organization's directory server. I'm kind of the new guy here, so I'm not 100% certain on this, but I'm pretty sure that our setup is:
  A Lotus Domino LDAP server storing the directory information in a Lotus Notes database. Each user has a Notes certificate stored on the server for authentication to various databases we have on our intranet.
  I've entered the LDAP server information in the Security Settings... window in Acrobat, and I'm sure its correct as I can use the same information to browse the LDAP server with Softerra LDAP browser. There is no authentication required, but the server might restrict access based on domain; I'm not sure (shouldn't matter). Anyway, when I go to Manage Trusted Identities... then Add Contacts, then Search, I can never get any results to return.
  I wish to only allow users in a certain group, CN=ALLOWED - GROUP, to have access to the PDF. I feel that there should be a way to accomplish this with the Notes certificates. Anyone know what I'm doing wrong or need to do?
  If something I've said is wrong or unclear, I'd be happy to try again; this sort of thing isn't my forte.
  Thanks in advance,
  Mark

  > I guess the CA is the machine that's hosting the Lotus notes database
  No, the CA is merely an "entity". It's your Certificate Authority, the master certificate used to sign and authenticate all subsidiary certificates. You are talking about setting this up as a PKI for signature validation and managed security, right? Or am I way off base with your workflow and leading you away from where you should be (if so, feel free to ignore me - lots of people do)?
  Leonard is right though, for securing individual PDFs to a specific group you would need LiveCycle Rights Management ES. The security needs to be in the PDF itself otherwise its useless. Say you configure your security at an application level, as you are trying to do, and then someone copies the PDF to a USB key and takes it home. No longer on your network, so they can now freely open the document.

• CC&B User group Security

  Hi,
  When a user is attached to multiple User groups (User group 1, User group 2), if User group 1 has access to change premise and User group 2 does not have access to change premise then the User has no access to change Premise. This is the current behavior of CC&B. Anyway to change this ? User group 1 has Change access to Premise application service and User group 2 does not have change access to Premise application service. User is linked to both User group 1 and User group 2
  it appears to be only when there is custom security
  Requirement is to set up like even if one User group has access then allow the user to make changes in premise. How to accomplish this ? Suggestions please
  Edited by: user8861524 on Jun 3, 2013 4:31 PM

  Hi
  First have you maintained the usergroup authorisations for that Z table? first do that.
  Then in the at selection-screen event you have to write the code:
  If R1 = 'X'.   " when one of the radiobutton is selected
    if R_main = 'X'.    " when pressed the Maintain button
       <write a select or other check for User group authrisation for Z table>
  endif.
  endif.
  Reward points if useful
  Regards
  Anji

• Migrating HSS MSAD group security

  Hello All,
  I have been tasked to migrate Shared Services Security from one environment 11.1.2 to another 11.1.2. This is normally not a hard thing to do. This situation is different as the provisioning is done through MSAD groups (i.e. no Shared Services Native Groups). When I perform an LCM extract, there is no reference to any of the MSAD groups or any of the provisioning against that group. Does anyone know if this can be done? Please advise, thank you in advance for any help that you can provide.

  You will probably need issue a create first for example
  create or replace user 'essuser' type external;
  alter user 'essuser' add to group essgroup;
  or
  create or replace user 'essuser@LDAPNAME' type external;
  alter user 'essuser@LDAPNAME' add to group essgroup;
  Cheers
  John
  http://john-goodwin.blogspot.com/

• Group Security in Planning

  Hi All,
  I have a question related to Planning dimensions security using groups. Say there is User-A, User-B, and User-C and I created to 2 groups using these 3 users in Hyperion Shared Services in the following manner
  Group-1 : User-A and User-B
  Group-2 : User-B and User-C
  (User-B is present in Group-1 and Group-2.)
  The question is - in Planning, If I I give following access rights to the above two groups for a member of a dimension, what kind of access would User-B would get that member?
  Group-1 - Read/Write
  Group-2 - None (NoAccess)
  Is it None or Read/Write?
  Any help would be greatly appreciated.
  Thanks,
  Prashanth
  Edited by: HypUser on Mar 29, 2011 8:46 AM

  None takes precedence over Read/Write.

• Need Help - XI 3.1 Send to inbox Group security settings

  Hello All,
  I need some help on this. I have a few users belonging to a group and they should be able to send emails using 'send to inbox' option to other users belonging to the same group. They should be able to see users of the group that he belongs to and not others, similarly he should see only groups list that he belongs to and not the others. What should be the security settings for this. Any help will be greatly appreciated.
  I think I figured out a way to do this for Groups- On the user security of say 'Group1', I set the Everyone to No access, and added the principal Group1 and gave view access. Now Group1 is visible only to members belonging to that group and not others. I have to do this process to all the groups so that Group1 users can't see other groups. But the problem is the user is still able to see the rest of the users (in other groups). I think I can follow the above procedure for the users too but I don't want to do it for every individual user. It's too much work. Please suggest if there is a better way of doing it.
  And finally I need to restrict users ability to see the inboxes of other users(even in the same group). How do I do this?
  Thanks
  Kash

  Hello Mark,
  Thanks for your help. Appreciated.
  Do you know or some one know, how to create at report for Audit purpose of BO 3.1 Universes's Connection, Database type, Network Layer and so on... I want to pull all info in to Webi report which are you seeing in the pictures.
  Please see the attached file.

• Group Security in Essbase

  Hello,
  What is necessary so that a shared services native group that has forms and dimension security assigned, appears visible in Essbase Security?
  Thank you

  Some more info :)
  If you are starting from Release 9.2.0.3+, 9.3.0.x, 9.3.1.x (except for Essbase 9.3.1.4.1, 9.3.1.5, 9.3.1.6, and 9.3.1.7), or 11.1.1.x, Oracle recommends that you upgrade to Release 11.1.1.3 as your interim release. If you are starting from an earlier release, Oracle recommends that you upgrade to the highest level release that directly supports upgrade from your starting release. Security Synchronization between Essbase and Shared Services was removed in Essbase Release 9.3, starting with Release 9.3.1.4.1. Essbase and Shared Services Release 11.1.1.3, however, still
  synchronize security information. For this reason, if you are using Essbase Release 9.3.1.4.1, 9.3.1.5, 9.3.1.6, or 9.3.1.7, you must first upgrade all products to Release 9.3.3, instead of Release 11.1.1.3.
  got it from Oracle docs :) now it will be much clear

• Page group security through APIs

  Is there any way that one can set access security at page group level?

  Hi Naxtazzmataur,
  you can use the wwsec_api package which is documented here:
  - http://www.oracle.com/technology/products/ias/portal/html/plsqldoc/pldoc1014/index.html
  Cheers,
  Mick.

• Page Group Security API

  Hi,
  I'm looking for an API, or something, that will allow me to change the access properties of a page or page group. I need to be able to remove access to a page group with a script. Is this possible? I've looked at the documented APIs but do not see one to do this. Maybe I'm overlooking something.
  Thanks in advance.

  Ok,
  As I also mentioned you could use wwsec_api:
  * Removes a group's privileges.
  * <p>Call this API to perform one of three possible operations:
  * <ul>
  * <li>If NULL or nothing is passed into the p_privilege parameter,
  * then all privileges for the given group, object_type_name,
  * and name are removed.
  * <li>If a value is passed into p_privilege, the specified privilege is
  * removed.
  * <li>If group_id is null, the privilege is removed for all groups.
  * </ul>
  * <p><b>Example:</b>
  * <pre>
  * wwsec_api.remove_group_acl(
  * p_object_type_name => wwsec_api.PAGE_OBJ,
  * p_name => '0/156',
  * p_group_id => 3,
  * p_privilege => wwsec_api.MANAGE_PRIV
  * </pre>
  * @param p_object_type_name the type of object, e.g., ADMIN, FOLDER,
  * ITEM, etc.
  * @param p_name the reference to the object
  * @param p_group_id the portal's identifier for a group
  * @param p_privilege the privilege to be granted. this should
  * exist in WWSEC_PRIVILEGE$
  * @param p_owner the owner of the ACL entry
  * @param p_disable_invalidations controls whether cache invalidations
  * are disabled when removing the group ACL
  * Removes a specified privilege from a user.
  * Removes all privileges for a given user, object_type_name, and name if
  * null or if nothing is passed into p_privilege. If p_privilege is
  * specified and p_person_id is null, this procedure removes the specified
  * privilege for all persons.
  * <p><b>Example:</b>
  * <pre>
  * wwsec_api.remove_user_acl(
  * p_object_type_name => wwsec_api.GROUP_OBJ,
  * p_name => '0/156',
  * p_person_id => 3,
  * p_privilege => wwsec_api.MANAGE_PRIV
  * </pre>
  * @param p_person_id the portal's identifier for a user
  * @param p_object_type_name - the type of secured object, referenced by
  * the security API constants that end with '_OBJ'. For example,
  * wwsec_api.GROUP_OBJ, wwsec_api.PAGE_OBJ, etc.
  * @param p_name the reference to the object
  * @param p_privilege the privilege to be granted. this should
  * exist in WWSEC_PRIVILEGE$
  * @param p_owner the owner of the ACL entry, used for avoiding
  * namespace collisions
  * @param p_disable_invalidations controls whether cache invalidations
  * are disabled when setting the user ACL
  Hope this helps,
  Higor

• Send Button and XMLP_SCHEDULER group security bug

  hi folks,
  My BIP users are grouped into basic users who can just read reports and advanced users who can schedule them. Obviously i've done this using the XMLP_SCHEDULER group, no problem. Those in XMLP_SCHEDULER see the scheduler button and it works fine and those not in the group cannot see the schedule button.
  However, the basic users who are NOT in the XMLP_SCHEDULER group still see the "send" button, but when they click on it it gives an error:
  "Unauthorized Access: please contact the administrator."
  I would like the basic users to be able to send, NOT to schedule. Or if this is not possible at least for them not to see the send button!
  This seems like a bug in the security setup which i wonder if anyone else has managed to work around.
  thanks
  neil

  Hi Saichand,
  I have a related and one requirement on SEND button in BI Publisher. we want to disable SEND button for the users for few reports or enable for few reports.
  I mean not taking of the buttion, anyways SEND buttion comes with the product. but they want to enable or disable the buttion for users.
  Any ideas / thoughts would be greatly apprecated.
  Thanks in advance
  skat

• Purchase group security in the create PO role

  Hi, What are other larger companies with multiple purchase groups across multiple plants, doing with purchase group in their create purchase order role?  Are you following the same practice for all the purchase order roles that include purchase group?
  Does anyone control the purchaser's access by purchase org, plant and purchase group or let them have all(*) for purchase group and follow business unit best practices.. We would potentially have 30 plus PO child roles per PO parent role for each plant if created by single purchase group access.
  tanks,
  Dawn Domina

  Hi,
  Follow the steps
  1. Go to "Personal Setting" Tab in PO
  2. Select "Default Values" menu
  3. In the PO Header section Select the Default Purchasing Group e.g. 000 initial
  Remember if the Purchasing group field is blank here then the Purchasing Group field will not appear in me21n transaction instead it will appear after you put relevant details like Material number and Plant. The purchasing group field is defaulted from Purchase Info record in such case. But you can always change it
  Regards,
  Niranjan