Help with implementing Row Level Security in Interactive Reporting

We're deploying Hyperion BI+ 9.3.1, using Workspace and Interactive Reporting. I'm researching how we can use the Workspace row level security option. I've read what's available for documentation in the Workspace Administrator Guide and the Interactive Reporting Users Guide. I understand the concept of setting up rules with row_level_security.bqy, but I'm confused about where these tables should go and what actually happens when I go to Workspace > Administrator > Row Level Security and turn it on.
The Administrator's Guide tells me the "properties" are stored in the repository, but the "rules" are in the "data source". Does that mean my BRIOSEC* tables go in the database I'm running my reports from? If so, then what's the data source I'm filling in on Workspace > Administrator > Row Level Security?
I have many different database connections going to different Oracle and SQL*Plus instances, and I don't want to apply row level security to all of them. How does Workspace tell the difference between them? If I enable rules but create a report from a database that doesn't have rules defined for it, what happens?

The 3 tables used with the RLS are stored in the same schema as your repository by default.
The RLS store all the Rules for any database that you are using.
You define the rules based on the tablename (owner.tablename) and the column name.

Similar Messages

  • Implement row-level security using Oracleu2019s Virtual Private Databases (VPD)

    Environment: Business Objects XI R2; Oracle 10g
    Functional Requirement:
    Implement row-level security using Oracleu2019s Virtual Private Databases (VPD) technology. The restriction is that the Business Objects Universe connection should use a generic/u201Capplicationu201D database user account. This will allow the organization to avoid the situation where the Business Objects password and the Oracle password need to be kept in synch.
    What do we need from the Business Objects support team?
    1.     Review the 2 attempted solutions that we have tried to implement
    2.     Propose solutions/answers to open questions for each of the attempted solutions
    3.     Propose any alternate solution that will help us implement the Function Requirement stated above
    Attempted Solution 1: Connection String uses Oracle Proxy User
    The connection string that is specified in the Universe is the following:
    app_user[end_user]/app_user_pwdarrobaDatabase.WORLD
    app_user = generic application user
    end_user = the oracle account of the end user which is set using arrobaVariable('BOUSER') app_user_pwd = password of the generic application user
    We have tried and implemented this in our test environment. However, we have some questions and concerns around how the connections are reused in a connection pool environment.
    Open Question for Solution 1:
    i. What happens when multiple proxy users try to connect on at the same time?  Business Objects shares the generic app_user connect string.  However, every user that logs on will have their own unique proxy user credentials.  Will there be any contention involved?  If so, what kind of errors can we expect?
    ii. If a user logs on using his credentials (proxy user), and business objects opens up a connection to the database using that user's credentials (as the proxy user but logging in through the generic app user). Then the user exits out --> based on our test today, it seems like the database connection remains open.  In that case, if another user logs on similarly with their credentials, will business objects simply assign the first users connection to that second user?  If so, then our security will not work.  Is there a way that Business Objects can somehow ensure that everytime we close a report, the connection is also terminated both at the BO and DB levels?
    iii. Our 3rd question is general high level -> How connection pooling works in general and how it is implemented in BO, i.e. how are new connections assigned, how are they recycled, how are they closed, etc.
    Attempted Solution 2: Using the ConnectInit parameter
    Reading through a couple of the Business Objects documents, it states that u201CUsing the ConnectInit parameter it is possible to send commands to the database when opening the session which can be used to set database specific parameters used for optimization.u201D
    Therefore, we tried to set the parameter in the Universe using several different options:
    ConnectInit = BEGIN SYSTEM.prc_logon('arrobaVARIABLE('BOUSER')'); COMMIT; END; ConnectInit = BEGIN DBMS_SESSION.SET_IDENTIFIER('arrobaVariable('BOUSER')'); COMMIT; END;
    Neither of the above iterations or any variation of that seemed to work. It seems that the variable is not being set or being u201Cexecutedu201D on the database.
    One of the Business Objects documents had stated that Patch ID 38, 977, 350 must be installed in our BO environments. We have verified that this patch has been applied on our system.
    Open Questions for Solution 2:
    How do we get the parameter ConnectInit to work? i.e. what is the proper syntax to enter and what other things do we need to check to get this to work.
    Note: Arroba word is being used instead of the symbol in order to avoid following error message:
    We are sorry but your message can not be posted since you have included an email address. Please remove the email address and re-post.

    the connectinit setting should look something like this:
    declare a date; begin vpd_setup('@VARIABLE('BOUSER')'); Commit; end;
    The vpd_setup procedure (in Oracle) should look like this:
    CREATE OR REPLACE procedure vpd_setup (p_user varchar)IS
    BEGIN
      DBMS_SESSION.set_vpd( 'SESSION_VALUES', 'USERID', p_user );
    END vpd_setup;
    Then you can retrieve the value of the context variable in your vpd functions
    and set the vpd.

  • SAP Lumira - Implementing row level security

    Hi All,
    I aware that SAP Lumira 1.17 onward allows to share the datasets, stories to SAP Lumira Server as well as SAP BI Platform (4.1 SP3 onward).
    But I would like to know if there is any way of implementing Row level security for this published contents i.e. datasets or stories. e.g. If user A (may be an administrator with access to all the regions) creates dataset and story and shares it with other users over SAP Lumira Server or SAP BI Platform. But when user B accesses these contents on any platform, SAP Lumira server or SAP BI Platform, he should be able to see data only as per his access (his own region). Can something of this sort be implemented?
    Thanks,
    Abhijit

    Hi,
    Sorry for the delay in getting back to you.
    As per my understanding - as of today, we respect Row-level security when acquiring (fetching) the data from universe into Lumira desktop (also, contexts and business-security profiles i.e. columns)
    now, when that desktop user has 'designed' the Lumira document, all of the above: row-level, contexts and security profiles  are 'locked-down' into that artefact when shared onwards. (i.e. to Lum Server and hence, BI Platform)
    once this content is being access from the BI Launchpad, refresh-on-demand is possible from the story, as well as scheduling of dataset on which it is based.
    According this blog by Greg Wcislo (the product owner for the Add-on)  Lumira integration for BI4 functionality detailed. note that features such as 'refresh on open' and 'changing design-time parameters' (i.e. prompts) are not yet supported,  but very much in future scope / plans.
    I believe that one of the other mid-term goals is to architect a 'Lumira server-side universe refresh' (i.e. so that the processing is handled 100% by Lumira server) rather than querying across BIPlatform services then replicating a dataset to HANA (which is currently the process flow)
    I hope this helps.
    Regards,
    H

  • Tips on Implementing Row Level Security

    Dear All,I am currently trying to implement row level security in Hyperion Intelligent version 8.2. The user guide is straight forward on explaining the steps. However, when I tried it, the row level security does not filter the information at all eventhough I have set the row level security setting in System Administration. Is there Anyone who can share their problems and experience when implementing row level security in Hyperion Intelligent version 8?Regards,Ricky

    I don't believe you need the bqy file anymore, as you set up the ODBC to connect to the database of the EPM Workspace since it contains the 3 tables (BRIOSECG, BRIOSECP, BRIOSECR).
    (I don't have an EPM instance with IR installed to check currently).
    Note: from the docs quoted earlier:
    If you want to implement row-level security in Reporting and Analysis, keep these points in mind:
    At least one Hyperion Interactive Reporting Data Access Service instance must be configured to access the data source storing your row-level security information.
    The database client library should be installed on the computer where the Hyperion Interactive Reporting Data Access Service is running.
    The data source for the Reporting and Analysis repository that has the row-level security table information should be configured.
    For security reasons, the user name and password to access the data source should differ from that used for the Reporting and Analysis user account.
    Regards, Iain

  • How to implement row level security using external tables

    Hi All Gurus/ Masters,
    I want to implement row level security using external tables, as I'm not sure how to implement that. and I'm aware of using it by RPD level authentication.
    I can use a filter condition in my user level so that he can access his data only.
    But when i have 4 tables in external tables
    users
    groups
    usergroups
    webgrups
    Then in which table I need to give the filter conditions..
    Pl let me know this ...

    You pull the Group into a repository variable using a session variable init block, then reference that variable in the data filters either in the LTS directly or in the security management as Filters. You reference it with the syntax VALUEOF("NQ_SESSION.Variable Name")
    Hope this helps

  • How to implement row level security?

    Hi all,
    There is a database which is for 3 companies to use it and how to use row level security to make sure that they can only manipluate their own data? For example, "employee" table, for each company they just can see their own employees information. How to use dynamic view to do it?
    Many Thanks
    Amy

    Here are two options to achieve what you want.
    A. You can do this by coding, that's if you are ready to. Are you? If yes then try the steps below:
    1. create a security codes table. Say for example
    001 - company a
    002 - company b
    2. create a security table that will list all users and which company they should have access to. You can also implement this by roles.
    3. alter all tables in the application schema to add a security code column. This will be a foreign key reference to table created in 1 above.
    4. update all data in the tables according to which company they belong to.
    5. write a procedure or package that does a validity check whenever a user requests for data. This procedure/package determines which company data the user has access/rights to.
    With this, you should be able to achieve what you want if you do not want to spend on VPD and FGAC. The problem comes where there are users who would have cross access to data from both companies. In this regard, then you have to modify your security table a little bit to handle this.
    B. This option i will admit is not so clean. You can also achieve this by two different views for every table in the application schema. And on each of these views, create a private synonym for every user. For illustration purposes:
    Table name = Employee.
    Create a view employee_a on employee
    create a view employee_b on employee
    Let's say you have users x and y. X has access to employees of company a and y has access to employees of company b. You can now create private synonyms for each of these users as follows:
    create synonym employee on employee_a in x schema.
    create synonym employee on employee_b on y schema.
    This i have not tried but believe should work.
    Hope one of these options serve your purpose.

  • Applying row-level security to crystal report instance

    Hi
    we have created crystal reports based on sap r/3 data using open sql driver and imposed row level security and published to BOE.The user when opens report with view on demand can see the data which he is supposed to see.
    Is it possible to schedule a single instance of the crystal report and then all the users access the instance and see the data that they are supposed to see.If not what is the other way out.
    Thanks in advance.
    Kamal

    Hi,
    I didn't try it so far
    but I found this Link:
    http://neverknewthat.wordpress.com/2007/11/06/row-level-security-trick-with-crystal-reports/
    -> create Instance with full authorization
    -> Join CR-Result with Customer-Table: User Authorization
    Max

  • How to implement row-level security in Discoverer?

    Dear all,
    I have a scenario that I have 2 folders containing sales and inventory data stored by product lines.
    The 2 folders are constructed by 2 SQL statements.
    There exists a set of tables controlling which product line's sales and inventory data a person can read.
    A function is written previously that returns the WHERE clause based on user_id, employee_id and the other parameter.
    So, can you suggest how to integrate the 2 components in Discoverer?
    thanks
    George
    My blog: http://hktour.blogspot.com

    hi Rod,
    Thanks for your suggestions.
    I took your 1st option, ie.
    "You can use VPD at the database level to secure the tables."
    I have a view BUDGET_V with the following columns:
    PERIOD_YEAR
    PERIOD_MONTH
    PRODUCT_LINE
    BUDGET_AMOUNT
    Every salesman can only read the budget amount of certain product lines.
    I built the security function which will be binded to the view BUDGET_V (see below)
    FUNCTION security_policy_function( p_schema in varchar2, p_object in varchar2)
    return varchar2
    as
    begin
    if (user = p_schema) then
    return '';
    else
    return viewProductLine(FND_GLOBAL.USER_ID, FND_GLOBAL.EMPLOYEE_ID, 'BUDGET_V.PRODUCT_LINE');
    end if;
    end;
    The security function actually calls my own security function viewProductLine(FND_GLOBAL.USER_ID, FND_GLOBAL.EMPLOYEE_ID, 'BUDGET_V.PRODUCT_LINE') which take the user id and employee id of the apps user and returns the predicate.
    Then, I bind the security function security_policy_function() to the view BUDGET_V with
    begin
    dbms_rls.add_policy
    object_schema => 'APPS',
    object_name => 'BUDGET_V',
    policy_name => 'MY_POLICY',
    function_schema => 'APPS',
    policy_function => 'security_policy_function',
    statement_types => 'select',
    update_check => FALSE,
    enable => TRUE
    end;
    The problem now is that if I query the view in Discoverer as a Apps user (say "A"), it returns all the records in the view without any filtering (user "A" is supposed be able to read certain product lines).
    I try to verify whether the security function work or not. So, I hardcoded FND_GLOBAL.USER_ID and FND_GLOBAL.EMPLOYEE_ID as 1234 and 6789 which are the user_id and employee_id of user "A". (see below)
    FUNCTION security_policy_function( p_schema in varchar2, p_object in varchar2)
    return varchar2
    as
    begin
    if (user = p_schema) then
    return '';
    else
    return viewProductLine(1234, 6789, 'BUDGET_V.PRODUCT_LINE');
    end if;
    end;
    This time, Discoverer returns only the records with product lines visible to user "A".
    So, I guess there is problem in the function call in viewProductLine(FND_GLOBAL.USER_ID, FND_GLOBAL.EMPLOYEE_ID, 'BUDGET_V.PRODUCT_LINE');
    Can you give me some light on this issue?
    thanks
    George (HK)
    My blog at http://hktour.blogspot.com

  • Row level security with session variables, not a best practice?

    Hello,
    We are about to implement row level security in our BI project using OBIEE, and the solution we found most convenient for our requirement was to use session variables with initalization blocks.
    The problem is that this method is listed as a "non best practice" in the Oracle documentation.
    Alternative Security Administration Options - 11g Release 1 (11.1.1)
    (This appendix describes alternative security administration options included for backward compatibility with upgraded systems and are not considered a best practice.)
    Managing Session Variables
    System session variables obtain their values from initialization blocks and are used to authenticate Oracle Business Intelligence users against external sources such as LDAP servers or database tables. Every active BI Server session generates session variables and initializes them. Each session variable instance can be initialized to a different value. For more information about how session variable and initialization blocks are used by Oracle Business Intelligence, see "Using Variables in the Oracle BI Repository" in Oracle Fusion Middleware Metadata Repository Builder's Guide for Oracle Business Intelligence Enterprise Edition.
    How confusing... what is the best practice then?
    Thank you for your help.
    Joao Moreira

    authenticating / authorizing part is take care by weblogic and then USER variable initialized and you may use it for any initblocks for security.
    Init block for authenticating / authorizing and session variables are different, i guess you are mixing both.

  • VPD (Row Level Security) Implementation at Middle Layer

    Hi All,
    Is there any provison to implement Row Level Security at the Entity Object level?
    We have a table where in some rows need to be displayed based on the user logged in.
    We are aware of the VPD implementation using a function and adding a policy.
    We are looking for implementing VPD at the Middle Tier.
    Any help in this regard will be greatly appreciated.
    Thanks in Advance,
    Raghu

    Raghu,
    Assuming you are talking about ADF Entity Objects - yes. The standard way of doing this would be to over-ride prepareSession() in your Application Module to set whatever information you may need in the database session in order to identify your user and use that information in your VPD policy. If you Google about, you can find some good information, including [url http://blogs.oracle.com/jheadstart/2007/11/row_level_security_using_vpd_a.html]this (it's for JHeadstart, but the concept applies just fine).
    John

  • ADFBC 10.1.3.3 Row Level Security

    Hello.
    Till now, we have implemented Row Level Security through a database function, and using this function in all our view objects where clause.
    We would like to remove this database function, and implement this kind of security with ADFBC. Is this possible ? VPD is not an option. We are trying to make our product database independent.
    In general terms, we would need to check some conditions before creating the viewObjects rowset. I believe ADFBC does provide us with a mechanism to achieve this, but I'm not aware of how to do it.
    Any help would be great.
    Thanks a lot.
    John

    Thanks for the response Frank.
    Our row level security is if a certain user, has the rights to view a specific database row. We have all this security mapped to the database. Today we have a database function that receives some parameters (to identify which entity usecase is beeing queried) and returns yes or no, depending on the user rights.
    I'm not sure how to achieve this using the RowImpl class. It's my understanding that this a rowImpl class is always created when checking the row from the view object (hasNext() for example). But how do I fetch the current row, check if the user has the rights to view this row and return the fully filled row, or if he doesn't have access to this row, I would need to remove this row from the rowset. Is it possible to do this, just by implementing the rowimpl class of my View Object ? If so, which methods should I override to achieve this ?
    Thanks again

  • Row-level security problem using VPD

    Hi all,
    I've implemented row-level security for my application using the following procedure:
    1) Created a procedure for setting the context for the application:
    PROCEDURE set_empno
    IS
    emp_id NUMBER;
    BEGIN
    BEGIN
    SELECT empno
    INTO emp_id
    FROM SCOTT.EMP
    WHERE upper(ename) = SYS_CONTEXT('USERENV', 'SESSION_USER');
    DBMS_SESSION.SET_CONTEXT('emp_sel_context', 'empno', emp_id);
    EXCEPTION
    WHEN OTHERS THEN emp_id := 0;
    END;
    END;
    2) Created the application context:
    CREATE CONTEXT emp_sel_context USING secman.app_security_context;
    In which secman is my security schema and app_security_context is the name of above procedure package.
    3) Created a function to access the application context:
    FUNCTION emp_sec(E1 VARCHAR2, E2 VARCHAR2) RETURN VARCHAR2
    IS
    e_predicate VARCHAR2(2000);
    BEGIN
    e_predicate := 'empno = SYS_CONTEXT(''emp_sel_context'', ''empno'')';
    RETURN e_predicate;
    END;
    END;
    4) Created a logon trigger:
    CREATE OR REPLACE
    TRIGGER INIT_CONTEXT AFTER
    LOGON ON DATABASE
    BEGIN
    SECMAN.APP_SECURITY_CONTEXT.SET_EMPNO;
    END;
    5) Added a policy on scott.emp like this:
    begin
    dbms_rls.add_policy (
    object_schema => 'SCOTT',
    object_name => 'EMP',
    policy_name => 'EMP_SEL_POLICY',
    function_schema => 'SECMAN',
    policy_function => 'EMP_SECURITY.EMP_SEC',
    statement_types => 'SELECT',
    update_check => TRUE
    end;
    My problem is that when a user queries the EMP table the above procedure does not work and 'no rows selected' is returned for each user that queries the table. Does anybody know which part of my procedure is wrong?
    Any helps is really appreciated.
    S/\EE|)

    i,
    I suggest:
    create another table emp1(logon with scott),this table only include empno,ename,then insert a few record,then modify
    procedure set_empno as
    PROCEDURE set_empno
    IS
    emp_id NUMBER;
    BEGIN
    BEGIN
    SELECT empno
    INTO emp_id
    FROM SCOTT.EMP1
    WHERE upper(ename) = SYS_CONTEXT('USERENV', 'SESSION_USER');
    DBMS_SESSION.SET_CONTEXT('emp_sel_context', 'empno', emp_id);
    EXCEPTION
    WHEN OTHERS THEN emp_id := 0;
    END;
    END;
    certainly ,you should grant select on emp1 to the user who will be test.
    lixinzhu
    2007/09/17

  • [Security]   Row-level security in ADF

    Hi all,
    I want to implement row-level security in my application, the scenario is like this:
    There are several users that connect to the application
    These users are authenticated in some way (XML file, OID, DB)
    When each user wants to access (Select, Update, Delete) an ADF Table, either updatable or read-only, a predefined 'where condition' based on that table and the operation the user wants to do, must be concatenated to his DML, transparent from the user.
    So if for example a user queries the Emp Salary table only records with salary < 10K/Month will be fetched from the underlying table. This should be done automatically and not hard-coded in the application.
    I have tried VPD and it has some useful features but my problems are:
    1) Where and how to define the 'where conditions'?
    2) How to attach the 'where conditions' to the executing DML?
    3) What is the best way to make DB know which user is really executing DMLs? (Not a single Application Server admin user)
    4) What is the best authentication approach?
    Any helps will be really appreciated.
    S/\EE|)

    Hi,
    yes you can. Database proxy user is setup in the prepare session method as well and EUS can be configured to take the J2EE username to then re-connect the app to teh database schema
        public void prepareSession(SessionData SessionData)
           super.prepareSession(SessionData);
           oconn = ((PrxyTransactionImpl)this.getDBTransaction()).getPrxyConnection();
           // Specify the user that connects through the proxy user and its roles
           Properties prop = new Properties();
           prop.put(OracleConnection.PROXY_USER_NAME,"hr");
           //prop.put(OracleConnection.PROXY_ROLES, roles);
           String appContext = "Begin ctxhrpckg.set_userinfo('"+getApplicationUserName()+"'); END;";
           java.sql.CallableStatement st= null;
          // Open the proxy session (DB-authenticated users)
          try
            oconn.openProxySession(OracleConnection.PROXYTYPE_USER_NAME, prop);
            st = getDBTransaction().createCallableStatement(appContext,0);
            st.execute();
          catch (SQLException e)
            e.printStackTrace();
    package oracle.sample.dbprxy.adfbc;
    import oracle.jbo.server.DBTransactionImpl2;
    import oracle.jbo.server.DatabaseTransactionFactory;
    * TransactionFactory that returns PrxTransactionImpl, which is a subclass of
    * DBTransactionImpl2
    * @author Frank Nimphius
    public class PrxyDatabaseTransactionFactory extends DatabaseTransactionFactory
      public PrxyDatabaseTransactionFactory()
        super();
       * Override the create method to return an instance of PrxyTransactionImpl instead
       * of DBTransactionImpl2
       * @return PrxyTransactionImpl
      public DBTransactionImpl2 create()
        return new PrxyTransactionImpl();
    package oracle.sample.dbprxy.adfbc;
    import oracle.jbo.server.DBTransactionImpl2;
    import oracle.jdbc.OracleConnection;
    public class PrxyTransactionImpl
      extends DBTransactionImpl2
      public PrxyTransactionImpl()
        super();
       * The DBTransactionImpl2 does not expose the connection in a public
       * method. This class is a wrapper to expose the connection to the
       * BC app, so it can be accessed in the ApplicationModuleImpl class
       * @return OracleConnection - SQL Connection
      public OracleConnection getPrxyConnection()
        return (OracleConnection) this.getJdbcConnection();
    }Note that for EUS ApplicationModule pooling should be disabled
    Frank

  • Row Level Security in OBIEE using OID as authentication Mechanism

    Hi OBIEE Gurus,
    I am trying to implement Row Level Security in OBIEE . Currently I have setup OBIEE to have OID do the user authentication.
    I want to implement RLS by doing the following :
    1. Have Security Groups defined in OID and assign users with group membership.
    2. Import these Security Groups into OBIEE metadata
    3. Apply filters to these Security Groups
    4. Run Answers requests to see if RLS works or not
    Please let me know if this approach works. If this is not the right way or most efficient way to do this, please let me know if there is any document I can follow to accomplish this.
    Appreciate your help.
    Edited by: drakesh on Sep 26, 2008 7:09 AM

    Follow the steps in the following link to set up OID and Row level security:
    http://www.rittmanmead.com/2007/05/21/using-initialization-blocks-with-ldap-and-database-queries-to-control-authentication-and-authorization/
    Instructions for the link above:
    1.In place of Edit Data Source as database you have to select LDAP,define the groups and default initializer as filter expression.
    2.A more simpler approach ,is to create the groups explicitely using the Security Manager in BI Administrator, add filters to those groups, and assign users to those groups.
    Otherwise follow Matt's view
    Thanks,
    Amrita

  • Row level security problem.

    Hy all, I'm new to Oracle and though i've google it a lot I didn't manage to find a solution to this problem:
    I'm using sql developer and Oracle 10g.
    I have this two tables :
    CREATE TABLE HR_employees
    (codHR NUMBER(3) CONSTRAINT pk_hr PRIMARY KEY,
    coddep NUMBER(4) not null,
    DB_user VARCHAR2(10),
    and
    CREATE TABLE Candid
    (codcan NUMBER(2) CONSTRAINT PK_candidat PRIMARY KEY,
    codHr NUMBER(3) NOT NULL,
    CONSTRAINT FK_CODHR FOREIGN KEY (codHR) REFERENCES HR_employees (codHR) );
    I tried to implement row level security on them by using two views:
    CREATE OR REPLACE VIEW employees_v AS
    SELECT * FROM hr_employees
    WHERE DB_user = user
    UNION
    SELECT * FROM hr_employees
    WHERE codhr=(SELECT codhr FROM hr_employees WHERE db_user=user );
    AND coddep IN (4000,5000);
    CREATE OR REPLACE VIEW candid_v AS
    SELECT cand.*
    FROM candid cand , hr_employees hr
    WHERE cand.codhr= hr.codhr
    AND hr.db_user=user
    UNION
    SELECT cand.* FROM candid cand, hr_employees hr
    WHERE hr.coddep=(SELECT H.coddep FROM hr_employees H
    WHERE H.db_user=user
    AND H.coddep IN (4000,5000) );
    What I want to do is to disconnect and connect with another user from SQL Developer and see different fields based on the user and the department, Sql developer doesn't seem to recognize the user connected to the database..everytime I receive a no row selected statement, only when I connect with SYS and put the actual username WHERE H.db_user='SYS' they seem to work. I have created the tables with SYS and granted Select on the views to the users, the users don't have privilegies on the actual tables.
    Sorry for the bad english,it's a foreign language to me ,
    I hope you can help me

    Hi,
    Damorgan is right: "Row level security has nothing to do with views" in the sense that the two are independent. You can have row-level security with or without views, and you can have views with or without row-level security. dbms_rls is a very useful and powerful way to implement row-level security, and you should check it out, but it's not necessarily the answer to all row-level security problems.
    I'm not sure I understand your problem beyond the need to restrict user A's access to two tables.
    If which rows user A is allowed to see depends on the results of queries from those same tables, including rows that user A is not allowed to see (that is, you need to do sub-queries with some other user's (let's call this user B's) privileges), then you can do those sub-queries in stored procedures.
    Stored procuderes can run with the privileges of the procedure owner, regardless of who is calling them. Using a function called user_codhr owned by user B, you could define a view like this:
    CREATE OR REPLACE VIEW employees_v AS
    SELECT * FROM hr_employees
    WHERE DB_user = user
    OR    (   codhr = user_codhr
          AND coddep IN (4000,5000)
          );If the results of the function will be the same throughout the session, you can call it once, at the beginning of your session, and save the results in a SYS_CONTEXT varaible or a global temporary table.
    If you need more help, post a more detailed example of the problem, such as "With this data in the table, B should see all rows but A should see only ...".

Maybe you are looking for