How To Apply Row level security ??

Hi all,
I want to apply row level security on one of my custom objects created in PO schema in R12. How to do that??
Thanks and Regards
Raj

Thank You Gaurav
--Raj                                                                                                                                                                                                                                       

Similar Messages

  • How to apply row level security against the database administrator

    I would like an advice in applying row level security against the database administrator. We need to prevent DBA from editing data in some table rows or have any indication that data was corrupted.
    There is no problem in viewing the data so we considered one way hash function or digital signature which will be stored in the same table, but we see following disadvantages:
    HASH - DBA may use the same hash function to update the stored data after he changes the sensitive row.
    Digital signature - the is a need to manage and keep the private key in a safe place outside of DB
    Is there additional ways to achieve the aim?

    Does VPD helps to prevent from DBA to edit/view a data in specific rows?Yes.
    If I correctly understand, DBA has full access to security policy used by VPD to control the access and can grant himself privileges that I don't want.You can to define which users can be exempt of the politics, for the context or by Grant EXEMPT.
    This includes DBAs.
    The simple fact of being DBA doesn't guarantee the exemption.
    Everything goes to depend of the VPD config.

  • How to implement row level security?

    Hi all,
    There is a database which is for 3 companies to use it and how to use row level security to make sure that they can only manipluate their own data? For example, "employee" table, for each company they just can see their own employees information. How to use dynamic view to do it?
    Many Thanks
    Amy

    Here are two options to achieve what you want.
    A. You can do this by coding, that's if you are ready to. Are you? If yes then try the steps below:
    1. create a security codes table. Say for example
    001 - company a
    002 - company b
    2. create a security table that will list all users and which company they should have access to. You can also implement this by roles.
    3. alter all tables in the application schema to add a security code column. This will be a foreign key reference to table created in 1 above.
    4. update all data in the tables according to which company they belong to.
    5. write a procedure or package that does a validity check whenever a user requests for data. This procedure/package determines which company data the user has access/rights to.
    With this, you should be able to achieve what you want if you do not want to spend on VPD and FGAC. The problem comes where there are users who would have cross access to data from both companies. In this regard, then you have to modify your security table a little bit to handle this.
    B. This option i will admit is not so clean. You can also achieve this by two different views for every table in the application schema. And on each of these views, create a private synonym for every user. For illustration purposes:
    Table name = Employee.
    Create a view employee_a on employee
    create a view employee_b on employee
    Let's say you have users x and y. X has access to employees of company a and y has access to employees of company b. You can now create private synonyms for each of these users as follows:
    create synonym employee on employee_a in x schema.
    create synonym employee on employee_b on y schema.
    This i have not tried but believe should work.
    Hope one of these options serve your purpose.

  • How to Migrate Row Level Security Configuration

    Hi Guys,
    Does anybody know how to migrate row level security configuration? I suppose PeopleSoft provided a data mover script, like securityexport.dms.
    Thank you in advance,
    Bob

    Here are two options to achieve what you want.
    A. You can do this by coding, that's if you are ready to. Are you? If yes then try the steps below:
    1. create a security codes table. Say for example
    001 - company a
    002 - company b
    2. create a security table that will list all users and which company they should have access to. You can also implement this by roles.
    3. alter all tables in the application schema to add a security code column. This will be a foreign key reference to table created in 1 above.
    4. update all data in the tables according to which company they belong to.
    5. write a procedure or package that does a validity check whenever a user requests for data. This procedure/package determines which company data the user has access/rights to.
    With this, you should be able to achieve what you want if you do not want to spend on VPD and FGAC. The problem comes where there are users who would have cross access to data from both companies. In this regard, then you have to modify your security table a little bit to handle this.
    B. This option i will admit is not so clean. You can also achieve this by two different views for every table in the application schema. And on each of these views, create a private synonym for every user. For illustration purposes:
    Table name = Employee.
    Create a view employee_a on employee
    create a view employee_b on employee
    Let's say you have users x and y. X has access to employees of company a and y has access to employees of company b. You can now create private synonyms for each of these users as follows:
    create synonym employee on employee_a in x schema.
    create synonym employee on employee_b on y schema.
    This i have not tried but believe should work.
    Hope one of these options serve your purpose.

  • How to implement row level security using external tables

    Hi All Gurus/ Masters,
    I want to implement row level security using external tables, as I'm not sure how to implement that. and I'm aware of using it by RPD level authentication.
    I can use a filter condition in my user level so that he can access his data only.
    But when i have 4 tables in external tables
    users
    groups
    usergroups
    webgrups
    Then in which table I need to give the filter conditions..
    Pl let me know this ...

    You pull the Group into a repository variable using a session variable init block, then reference that variable in the data filters either in the LTS directly or in the security management as Filters. You reference it with the syntax VALUEOF("NQ_SESSION.Variable Name")
    Hope this helps

  • How to Apply Row level restrictions On objects

    Hi All,
    I am working on universe designer(BO 3.1) .....
    I would like to apply row level restrictions on a cloumn of table based on the user who is running the report .
    can any one please help me on this..
    Thanks in Advance.............

    Hi
    Universe access and row-level security can also be managed at the group or individual user level from within the design environment.
    Find the below video row level restrictions
    http://www.youtube.com/watch?v=6yM0OLK6QlI
    Create a data security profile that restricts access to specific rows: Information design tool 4.x - YouTube
    Implementing row level security in IDT using Data Security Profile
    And You cannot set row-level security authorizations in an OLAP universe.
    User security can be defined at the most granular level for the following content objects.
    Folders and sub-folders
    Reports
    Categories
    Events
    Program Files
    Publications

  • How to enforce row level security on MSAS Cube

    We have to enforce row level security on MSAS Cube based on BOUSER.
    We are using a security table which contains BOUSER ID and Location ID
    We need help in joining the security table with MSAS Cube.
    Thanks

    HI,
    I haven't worked with cubes. But the will the knowledge I have in Universe, could probably help you.
    As you already have a table which maintains BOUSERID and location id, you could probably join location id with MSAS cube id.
    If you don't want to use this userdefined security table, you can use the inbuilt Row level security option.
    Go to Tools -> Manage access REstrcitions --> Create a new restriction --> Rows tabe ---> give a expression with BOUSER
    Hope this helps.

  • Applying row-level security to crystal report instance

    Hi
    we have created crystal reports based on sap r/3 data using open sql driver and imposed row level security and published to BOE.The user when opens report with view on demand can see the data which he is supposed to see.
    Is it possible to schedule a single instance of the crystal report and then all the users access the instance and see the data that they are supposed to see.If not what is the other way out.
    Thanks in advance.
    Kamal

    Hi,
    I didn't try it so far
    but I found this Link:
    http://neverknewthat.wordpress.com/2007/11/06/row-level-security-trick-with-crystal-reports/
    -> create Instance with full authorization
    -> Join CR-Result with Customer-Table: User Authorization
    Max

  • How to implement row-level security in Discoverer?

    Dear all,
    I have a scenario that I have 2 folders containing sales and inventory data stored by product lines.
    The 2 folders are constructed by 2 SQL statements.
    There exists a set of tables controlling which product line's sales and inventory data a person can read.
    A function is written previously that returns the WHERE clause based on user_id, employee_id and the other parameter.
    So, can you suggest how to integrate the 2 components in Discoverer?
    thanks
    George
    My blog: http://hktour.blogspot.com

    hi Rod,
    Thanks for your suggestions.
    I took your 1st option, ie.
    "You can use VPD at the database level to secure the tables."
    I have a view BUDGET_V with the following columns:
    PERIOD_YEAR
    PERIOD_MONTH
    PRODUCT_LINE
    BUDGET_AMOUNT
    Every salesman can only read the budget amount of certain product lines.
    I built the security function which will be binded to the view BUDGET_V (see below)
    FUNCTION security_policy_function( p_schema in varchar2, p_object in varchar2)
    return varchar2
    as
    begin
    if (user = p_schema) then
    return '';
    else
    return viewProductLine(FND_GLOBAL.USER_ID, FND_GLOBAL.EMPLOYEE_ID, 'BUDGET_V.PRODUCT_LINE');
    end if;
    end;
    The security function actually calls my own security function viewProductLine(FND_GLOBAL.USER_ID, FND_GLOBAL.EMPLOYEE_ID, 'BUDGET_V.PRODUCT_LINE') which take the user id and employee id of the apps user and returns the predicate.
    Then, I bind the security function security_policy_function() to the view BUDGET_V with
    begin
    dbms_rls.add_policy
    object_schema => 'APPS',
    object_name => 'BUDGET_V',
    policy_name => 'MY_POLICY',
    function_schema => 'APPS',
    policy_function => 'security_policy_function',
    statement_types => 'select',
    update_check => FALSE,
    enable => TRUE
    end;
    The problem now is that if I query the view in Discoverer as a Apps user (say "A"), it returns all the records in the view without any filtering (user "A" is supposed be able to read certain product lines).
    I try to verify whether the security function work or not. So, I hardcoded FND_GLOBAL.USER_ID and FND_GLOBAL.EMPLOYEE_ID as 1234 and 6789 which are the user_id and employee_id of user "A". (see below)
    FUNCTION security_policy_function( p_schema in varchar2, p_object in varchar2)
    return varchar2
    as
    begin
    if (user = p_schema) then
    return '';
    else
    return viewProductLine(1234, 6789, 'BUDGET_V.PRODUCT_LINE');
    end if;
    end;
    This time, Discoverer returns only the records with product lines visible to user "A".
    So, I guess there is problem in the function call in viewProductLine(FND_GLOBAL.USER_ID, FND_GLOBAL.EMPLOYEE_ID, 'BUDGET_V.PRODUCT_LINE');
    Can you give me some light on this issue?
    thanks
    George (HK)
    My blog at http://hktour.blogspot.com

  • Help with implementing Row Level Security in Interactive Reporting

    We're deploying Hyperion BI+ 9.3.1, using Workspace and Interactive Reporting. I'm researching how we can use the Workspace row level security option. I've read what's available for documentation in the Workspace Administrator Guide and the Interactive Reporting Users Guide. I understand the concept of setting up rules with row_level_security.bqy, but I'm confused about where these tables should go and what actually happens when I go to Workspace > Administrator > Row Level Security and turn it on.
    The Administrator's Guide tells me the "properties" are stored in the repository, but the "rules" are in the "data source". Does that mean my BRIOSEC* tables go in the database I'm running my reports from? If so, then what's the data source I'm filling in on Workspace > Administrator > Row Level Security?
    I have many different database connections going to different Oracle and SQL*Plus instances, and I don't want to apply row level security to all of them. How does Workspace tell the difference between them? If I enable rules but create a report from a database that doesn't have rules defined for it, what happens?

    The 3 tables used with the RLS are stored in the same schema as your repository by default.
    The RLS store all the Rules for any database that you are using.
    You define the rules based on the tablename (owner.tablename) and the column name.

  • Row level security in discoverer desktop

    currently, I have designed a business area on one of my star schema, and I created several other business area in order to allow different level of users to view the pre-defined reports on discoverer desktop. and I want different users to view different data from my star schema tables. So I created some criteria on those business area.
    e.g. condition on bus_area1 : sales_manager="man01",
    condition on bus_area2 : sales_manager="man02"
    in short, i want to enable record level security by using discoverer's conditions.
    but unfortunately, even I un-checked "Create/Edit Query" privileges on discoverer administrator for those users, they still can modify the worksheet. So they can just remove my condition and to view data that they shouldnot be able to see..
    can any one tell me how to solve this problem, or how to do row level security in discoverer?
    What can I do if I want to disable "edit worksheet" in discoverer desktop from users??
    thanks in advance..
    Marco

    Marco,
    Probably the best way to achieve row-level security is to upgrade to 9.0.4.1 and take advantage of the new functionality of Discoverer to pass the SSO user to the DB query. You would apply Oracle Fine Grained Security/VPD/striping on the DB tables using a policy based on SSO userid. Then using Disco 9.0.4.1 the user would see only the data they are privileged to see. However this works only in a web environment (Discoverer Plus, Viewer and Portlets) not for Desktop.
    Discoverer Product Management - mpd

  • SAP-BO SSO and Row Level Security

    Hi,
    We can configure the SAP authentication and able to login InfoView via SAP user name and password. And also, we can import the roles from the SAP system.
    When we create a connection to BW cubes from designer, we want to use "Use Single Sign On when refreshing reports at view time" to apply row-level security which is defined at the BW cubes.
    In our tests, we use "Use BusinessObjects credential mapping" while creating connection from designer to test the row level security. As you can guess, after importing the SAP user, in CMC screen > Users and Groups > Users, we manually enter the password of the user to the Database credentials part. However, as you can guess, the password of the user's is not static and that is not a good solution.
    My question is that, do I need to configure SSO between SAP and BO system or how can I enable row level security?
    System Information
    Business Objects XI 3.1
    SAP Intg. Kit 3.1
    Thanks a lot,
    Omer

    Hi Omer,
    please note that only row-level security implemented through authorization variables in BW queries can be used in BusinessObjects. Row-level security defined at cube level will not be applied.
    As long as you have used the SAP authentication to log on your BOBJ server, the SAP credentials will be used automatically to get the data from your SAP BW source as long as the "Use Single Sign On when refreshing reports at view time" option  is selected in the Database configuration panel (Found in the CMC when viewing the properties of your report) and the option "Use BusinessObjects credential mapping" is selected in your universe connection.
    Please note that this will only work for reports that are invoked directly in the infoview. If a user schedules such a report, she/he has to enter her/his SAP credentials explicitely in the Database Configuration Panel appearing in the scheduling assistant window. In this case you can activate SNC trust between your two servers in order to avoid entering a password when the report is scheduled.
    Regards,
    Stratos
    Edited by: Efstratios Karaivazoglou on May 5, 2009 10:16 AM
    Edited by: Efstratios Karaivazoglou on May 5, 2009 10:23 AM

  • Dynamically creating policies for Row-level security (RLS)

    Hi everybody,
    I’m looking for suggestions on how to configure Row-level security (RLS).
    I have a large number of tables (about 500) and about 100 database users. Each user must see a portion of the data, filtered on a specific field. The field used to filter the data is a Client Id (let’s assume for simplicity that this field is present in all tables and has the same name everywhere).
    Some users must be able to see just one client, other users must be able to see a group of clients, and some other users must be able to see all the clients. The association between Users and Client Id’s is stored in separate database tables.
    I’d like to avoid having to manually create a policy for each table, so I’m looking for a solution that makes use of pl/sql programs to create policies dynamically.
    Has anybody already implemented anything similar? Can you share your approach? Of course I’m looking for the easiest / most robust / most flexible way to implement this.
    Andrea

    It sounds like you would want a single policy function and that you would then apply that policy function to all 500 tables (at least given the simplifying assumptions you make in your question). If your policy function simply returned the `WHERE` clause
    client_id IN (
        SELECT client_id
          FROM table_mapping_user_to_client
         WHERE user_id = <<something that identifies the current user>> )Then you would simply apply that policy to all the tables
    FOR x IN (SELECT * FROM dba_tables WHERE <<condition to find the 500 tables>>)
    LOOP
      dbms_rls.add_policy(
        x.owner,
        x.table_name,
        'Restrict by client_id', -- name of policy
        <<owner of function above>>,
        <<name of function above>> );
    END LOOP;Justin

  • Row level security not working if I hit the aggregate

    I have applied row level security on presentation layer , however it does not work if the report hit the aggregate any idea on this...

    Hi Ingo,
    Security is set up using /crystal/rls transaction. A custom auth object is used for checking the company code with a single field "BUKRS".
    This custom auth object is maintained for the PA0001 table.
    This object is added at the role level with the restricted access to the Company Code..

  • Row level security in OBIEE 11g: Which is better: VPD or RPD

    We can apply row level security in OBIEE by 2 ways.
    1. by Creating Initialize Block in RPD
    2. or Applying VPD in Database, which restricts source tables
    Which one is more efficient and why?
    Thanks,
    Sunil Jena

    you will have some degree of performance degradation with either approach since you are adding additional filters so I would not use that as the main factor to decide. You need to assess your actual requirements. What is the basis by which you are planning on doing the security. Is LDAP the main basis for the security? Do you plan to use certain roles? if your security is more based on roles at the application level, then it may be easier to define at the Application level (OBIEE)...if its just based on a certain user ID for a set of tables, then perhaps VPD can work. If helpful, pls mark.

Maybe you are looking for

  • ITunes will no longer accept my password

    The same password I have used previously will no longer get accepted so I changed it and that will not get accepted either.  Any suggestions?

  • Regarding performance tunnning

    hi experts,                i have developed a report but while execution  it is taking some extra time ,i already checked the extended program check and the code inspector,,i made it to zero for error ,warning etc.what extra sud i do to improve the p

  • Problem in extending material master data using BAPI?

    Hi all, I have created a program to upload material master using BAPI_MATERIAL_SAVEDATA WITH VIEWS Basic view, purchase view, account view , storage view and MRP view. I am successful while uploading this data while not  taking  the valuation type  f

  • Loop back adapter host file configuration issue?

    i did not exactly follow the following instructions : Add a line to the C:\winnt\system32\drivers\etc\hosts file with the following format, right after the localhost line: IP_address hostname.domainname hostname instead I have the following in my hos

  • RFC - XI - SOAP - XI - IDOC

    Hi All I have to implement an XI system that uses SOAP to call a webservice every 5 to 10 minutes (if possible we would prefer every minute). Data returned from the webservice then needs to be sent to SAP R/3 as an IDoc. Since the SOAP adapter cannot