How to enforce row level security on MSAS Cube
We have to enforce row level security on MSAS Cube based on BOUSER.
We are using a security table which contains BOUSER ID and Location ID
We need help in joining the security table with MSAS Cube.
Thanks
Hi,
I haven't worked with cubes. But with the knowledge I have in Universe, I could probably help you.
As you already have a table which maintains BOUSERID and location id, you could probably join location id with MSAS cube id.
If you don't want to use this user-defined security table, you can use the inbuilt Row level security option.
Go to Tools -> Manage Access Restrictions -> Create a new restriction -> Rows tab -> give an expression with BOUSER
Hope this helps.
Similar Messages
-
How to implement row level security?
Hi all,
There is a database which is for 3 companies to use, and how to use row level security to make sure that they can only manipulate their own data? For example, "employee" table, for each company they just can see their own employees' information. How to use dynamic view to do it?
Many Thanks
Amy
Here are two options to achieve what you want.
A. You can do this by coding, that's if you are ready to. Are you? If yes then try the steps below:
1. create a security codes table. Say for example
001 - company a
002 - company b
2. create a security table that will list all users and which company they should have access to. You can also implement this by roles.
3. alter all tables in the application schema to add a security code column. This will be a foreign key reference to table created in 1 above.
4. update all data in the tables according to which company they belong to.
5. write a procedure or package that does a validity check whenever a user requests for data. This procedure/package determines which company data the user has access/rights to.
With this, you should be able to achieve what you want if you do not want to spend on VPD and FGAC. The problem comes where there are users who would have cross access to data from both companies. In this regard, then you have to modify your security table a little bit to handle this.
B. This option I will admit is not so clean. You can also achieve this by two different views for every table in the application schema. And on each of these views, create a private synonym for every user. For illustration purposes:
Table name = Employee.
Create a view employee_a on employee
create a view employee_b on employee
Let's say you have users x and y. X has access to employees of company a and y has access to employees of company b. You can now create private synonyms for each of these users as follows:
create synonym employee on employee_a in x schema.
create synonym employee on employee_b on y schema.
This I have not tried but believe should work.
Hope one of these options serve your purpose. -
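Steps 1 to 5 of option A, with the step 5 check done by one filtering view instead of a procedure, as an added example that is not part of the original answer. All table, view and user names (security_codes, user_security, employee_v, X, Y, AUDITOR) are hypothetical, and the three database users are assumed to exist already.

```sql
-- Added example (Oracle SQL). All table, view and user names are hypothetical.

-- Step 1: one security code per company.
CREATE TABLE security_codes (
  security_code VARCHAR2(3)  PRIMARY KEY,
  company_name  VARCHAR2(50) NOT NULL
);
INSERT INTO security_codes VALUES ('001', 'company a');
INSERT INTO security_codes VALUES ('002', 'company b');

-- Step 2: which database user may see which company. A user with cross
-- access to both companies gets one row per company.
CREATE TABLE user_security (
  db_username   VARCHAR2(128) NOT NULL,
  security_code VARCHAR2(3)   NOT NULL
                REFERENCES security_codes (security_code),
  PRIMARY KEY (db_username, security_code)
);
INSERT INTO user_security VALUES ('X', '001');
INSERT INTO user_security VALUES ('Y', '002');
INSERT INTO user_security VALUES ('AUDITOR', '001');
INSERT INTO user_security VALUES ('AUDITOR', '002');

-- Steps 3 and 4: every application row carries its company's code
-- (constructed sample rows).
CREATE TABLE employee (
  employee_id   NUMBER        PRIMARY KEY,
  full_name     VARCHAR2(100) NOT NULL,
  security_code VARCHAR2(3)   NOT NULL
                REFERENCES security_codes (security_code)
);
INSERT INTO employee VALUES (1, 'Constructed Employee One', '001');
INSERT INTO employee VALUES (2, 'Constructed Employee Two', '002');
COMMIT;

-- Step 5 as a view: the filter is evaluated per session, so one view
-- serves every user and no per-company view or synonym is needed.
CREATE OR REPLACE VIEW employee_v AS
  SELECT e.employee_id, e.full_name, e.security_code
  FROM   employee e
  WHERE  e.security_code IN (
           SELECT us.security_code
           FROM   user_security us
           WHERE  us.db_username = SYS_CONTEXT('USERENV', 'SESSION_USER'))
WITH READ ONLY;

-- Users receive the view only. Any privilege on EMPLOYEE or USER_SECURITY
-- itself would bypass the filter.
GRANT SELECT ON employee_v TO x, y, auditor;
```

The filter holds only as long as no user has direct privileges on the base tables or write access to user_security; writes would go through a procedure that applies the same mapping check.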
How to Migrate Row Level Security Configuration
Hi Guys,
Does anybody know how to migrate row level security configuration? I suppose PeopleSoft provided a data mover script, like securityexport.dms.
Thank you in advance,
Bob -
How to implement row level security using external tables
Hi All Gurus/ Masters,
I want to implement row level security using external tables, as I'm not sure how to implement that. And I'm aware of using it by RPD level authentication.
I can use a filter condition in my user level so that he can access his data only.
But when I have 4 tables in external tables
users
groups
usergroups
webgrups
Then in which table I need to give the filter conditions..
Pl let me know this ...
You pull the Group into a repository variable using a session variable init block, then reference that variable in the data filters either in the LTS directly or in the security management as Filters. You reference it with the syntax VALUEOF("NQ_SESSION.Variable Name")
Hope this helps -
How To Apply Row level security ??
Hi all,
I want to apply row level security on one of my custom objects created in PO schema in R12. How to do that??
Thanks and Regards
Raj
Thank You Gaurav
--Raj -
How to apply row level security against the database administrator
I would like advice on applying row level security against the database administrator. We need to prevent the DBA from editing data in some table rows or have any indication that data was corrupted.
There is no problem in viewing the data so we considered one way hash function or digital signature which will be stored in the same table, but we see following disadvantages:
HASH - DBA may use the same hash function to update the stored data after he changes the sensitive row.
Digital signature - there is a need to manage and keep the private key in a safe place outside of DB
Are there additional ways to achieve the aim?
Does VPD help to prevent the DBA from editing/viewing data in specific rows?
Yes.
If I correctly understand, DBA has full access to security policy used by VPD to control the access and can grant himself privileges that I don't want.
You can define which users can be exempt from the policies, for the context or by Grant EXEMPT.
This includes DBAs.
The simple fact of being DBA doesn't guarantee the exemption.
Everything depends on the VPD config. -
How to implement row-level security in Discoverer?
Dear all,
I have a scenario that I have 2 folders containing sales and inventory data stored by product lines.
The 2 folders are constructed by 2 SQL statements.
There exists a set of tables controlling which product line's sales and inventory data a person can read.
A function is written previously that returns the WHERE clause based on user_id, employee_id and the other parameter.
So, can you suggest how to integrate the 2 components in Discoverer?
thanks
George
My blog: http://hktour.blogspot.com
Hi Rod,
Thanks for your suggestions.
I took your 1st option, ie.
"You can use VPD at the database level to secure the tables."
I have a view BUDGET_V with the following columns:
PERIOD_YEAR
PERIOD_MONTH
PRODUCT_LINE
BUDGET_AMOUNT
Every salesman can only read the budget amount of certain product lines.
I built the security function which will be bound to the view BUDGET_V (see below)
  CREATE OR REPLACE FUNCTION security_policy_function(p_schema IN VARCHAR2, p_object IN VARCHAR2)
    RETURN VARCHAR2
  AS
  BEGIN
    -- The schema owner gets an empty predicate, i.e. no row filtering.
    IF (USER = p_schema) THEN
      RETURN '';
    ELSE
      -- Everyone else gets the predicate built from the Apps user and employee ids.
      RETURN viewProductLine(FND_GLOBAL.USER_ID, FND_GLOBAL.EMPLOYEE_ID, 'BUDGET_V.PRODUCT_LINE');
    END IF;
  END;
  /
The security function actually calls my own security function viewProductLine(FND_GLOBAL.USER_ID, FND_GLOBAL.EMPLOYEE_ID, 'BUDGET_V.PRODUCT_LINE') which takes the user id and employee id of the apps user and returns the predicate.
Then, I bind the security function security_policy_function() to the view BUDGET_V with
  BEGIN
    dbms_rls.add_policy(
      object_schema   => 'APPS',
      object_name     => 'BUDGET_V',
      policy_name     => 'MY_POLICY',
      function_schema => 'APPS',
      policy_function => 'security_policy_function',
      statement_types => 'select',
      update_check    => FALSE,
      enable          => TRUE);
  END;
  /
The problem now is that if I query the view in Discoverer as an Apps user (say "A"), it returns all the records in the view without any filtering (user "A" is supposed to be able to read certain product lines).
I try to verify whether the security function works or not. So, I hardcoded FND_GLOBAL.USER_ID and FND_GLOBAL.EMPLOYEE_ID as 1234 and 6789 which are the user_id and employee_id of user "A". (see below)
  CREATE OR REPLACE FUNCTION security_policy_function(p_schema IN VARCHAR2, p_object IN VARCHAR2)
    RETURN VARCHAR2
  AS
  BEGIN
    IF (USER = p_schema) THEN
      RETURN '';
    ELSE
      -- Ids of user "A" hardcoded for the test.
      RETURN viewProductLine(1234, 6789, 'BUDGET_V.PRODUCT_LINE');
    END IF;
  END;
  /
This time, Discoverer returns only the records with product lines visible to user "A".
So, I guess there is problem in the function call in viewProductLine(FND_GLOBAL.USER_ID, FND_GLOBAL.EMPLOYEE_ID, 'BUDGET_V.PRODUCT_LINE');
Can you give me some light on this issue?
thanks
George (HK)
My blog at http://hktour.blogspot.com -
Row level security in discoverer desktop
Currently, I have designed a business area on one of my star schema, and I created several other business areas in order to allow different levels of users to view the pre-defined reports on Discoverer Desktop. And I want different users to view different data from my star schema tables. So I created some criteria on those business areas.
e.g. condition on bus_area1 : sales_manager="man01",
condition on bus_area2 : sales_manager="man02"
In short, I want to enable record level security by using Discoverer's conditions.
But unfortunately, even though I unchecked the "Create/Edit Query" privileges in Discoverer Administrator for those users, they can still modify the worksheet. So they can just remove my condition and view data that they should not be able to see.
Can anyone tell me how to solve this problem, or how to do row level security in Discoverer?
What can I do if I want to disable "edit worksheet" in Discoverer Desktop for users??
Thanks in advance.
Marco
Marco,
Probably the best way to achieve row-level security is to upgrade to 9.0.4.1 and take advantage of the new functionality of Discoverer to pass the SSO user to the DB query. You would apply Oracle Fine Grained Security/VPD/striping on the DB tables using a policy based on SSO userid. Then using Disco 9.0.4.1 the user would see only the data they are privileged to see. However this works only in a web environment (Discoverer Plus, Viewer and Portlets) not for Desktop.
Discoverer Product Management - mpd -
SAP-BO SSO and Row Level Security
Hi,
We can configure the SAP authentication and are able to log in to InfoView via SAP user name and password. And also, we can import the roles from the SAP system.
When we create a connection to BW cubes from designer, we want to use "Use Single Sign On when refreshing reports at view time" to apply row-level security which is defined at the BW cubes.
In our tests, we use "Use BusinessObjects credential mapping" while creating connection from designer to test the row level security. As you can guess, after importing the SAP user, in CMC screen > Users and Groups > Users, we manually enter the password of the user to the Database credentials part. However, as you can guess, the user's password is not static and that is not a good solution.
My question is that, do I need to configure SSO between SAP and BO system or how can I enable row level security?
System Information
Business Objects XI 3.1
SAP Intg. Kit 3.1
Thanks a lot,
Omer
Hi Omer,
please note that only row-level security implemented through authorization variables in BW queries can be used in BusinessObjects. Row-level security defined at cube level will not be applied.
As long as you have used the SAP authentication to log on your BOBJ server, the SAP credentials will be used automatically to get the data from your SAP BW source as long as the "Use Single Sign On when refreshing reports at view time" option is selected in the Database configuration panel (Found in the CMC when viewing the properties of your report) and the option "Use BusinessObjects credential mapping" is selected in your universe connection.
Please note that this will only work for reports that are invoked directly in the InfoView. If a user schedules such a report, she/he has to enter her/his SAP credentials explicitly in the Database Configuration Panel appearing in the scheduling assistant window. In this case you can activate SNC trust between your two servers in order to avoid entering a password when the report is scheduled.
Regards,
Stratos
Edited by: Efstratios Karaivazoglou on May 5, 2009 10:16 AM
Edited by: Efstratios Karaivazoglou on May 5, 2009 10:23 AM -
Dynamically creating policies for Row-level security (RLS)
Hi everybody,
I’m looking for suggestions on how to configure Row-level security (RLS).
I have a large number of tables (about 500) and about 100 database users. Each user must see a portion of the data, filtered on a specific field. The field used to filter the data is a Client Id (let’s assume for simplicity that this field is present in all tables and has the same name everywhere).
Some users must be able to see just one client, other users must be able to see a group of clients, and some other users must be able to see all the clients. The association between Users and Client Id’s is stored in separate database tables.
I’d like to avoid having to manually create a policy for each table, so I’m looking for a solution that makes use of pl/sql programs to create policies dynamically.
Has anybody already implemented anything similar? Can you share your approach? Of course I’m looking for the easiest / most robust / most flexible way to implement this.
Andrea
It sounds like you would want a single policy function and that you would then apply that policy function to all 500 tables (at least given the simplifying assumptions you make in your question). If your policy function simply returned the `WHERE` clause
  client_id IN (
    SELECT client_id
    FROM table_mapping_user_to_client
    WHERE user_id = <<something that identifies the current user>> )
Then you would simply apply that policy to all the tables
  FOR x IN (SELECT * FROM dba_tables WHERE <<condition to find the 500 tables>>)
  LOOP
    dbms_rls.add_policy(
      x.owner,
      x.table_name,
      'Restrict by client_id', -- name of policy
      <<owner of function above>>,
      <<name of function above>> );
  END LOOP;
Justin -
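The single-policy approach above written out in full, including the case from the question where some users must see every client, as an added example that is not Justin's code. It assumes hypothetical schemas SEC_OWNER and APP_OWNER, hypothetical mapping tables SEC_OWNER.USER_CLIENT_MAP (db_username, client_id) and SEC_OWNER.USER_ALL_CLIENTS (db_username), and that database session users are the identity being mapped.

```sql
-- Added example (Oracle PL/SQL). Schema, table, function and policy names
-- are hypothetical; the two mapping tables are assumed to exist already.

CREATE OR REPLACE FUNCTION sec_owner.client_policy (
  p_schema IN VARCHAR2,   -- schema of the protected object (supplied by VPD)
  p_object IN VARCHAR2    -- name of the protected object (supplied by VPD)
) RETURN VARCHAR2
AS
  l_sees_all NUMBER;
BEGIN
  -- Users listed in USER_ALL_CLIENTS get no predicate, i.e. every row.
  SELECT COUNT(*)
  INTO   l_sees_all
  FROM   sec_owner.user_all_clients
  WHERE  db_username = SYS_CONTEXT('USERENV', 'SESSION_USER');

  IF l_sees_all > 0 THEN
    RETURN NULL;
  END IF;

  -- Everyone else is limited to mapped clients. A user with no mapping
  -- rows matches nothing, so the default is "see no data".
  RETURN 'client_id IN (SELECT m.client_id'
      || ' FROM sec_owner.user_client_map m'
      || ' WHERE m.db_username = SYS_CONTEXT(''USERENV'', ''SESSION_USER''))';
END client_policy;
/

BEGIN
  -- Attach the same function to every APP_OWNER table that has a
  -- CLIENT_ID column. The mapping tables live in SEC_OWNER, so the
  -- policy never protects the tables it reads from.
  FOR t IN (SELECT c.owner, c.table_name
            FROM   dba_tab_columns c
                   JOIN dba_tables dt
                     ON dt.owner = c.owner
                    AND dt.table_name = c.table_name
            WHERE  c.owner = 'APP_OWNER'
            AND    c.column_name = 'CLIENT_ID')
  LOOP
    DBMS_RLS.ADD_POLICY(
      object_schema   => t.owner,
      object_name     => t.table_name,
      policy_name     => 'RLS_BY_CLIENT',
      function_schema => 'SEC_OWNER',
      policy_function => 'CLIENT_POLICY',
      statement_types => 'SELECT,INSERT,UPDATE,DELETE',
      update_check    => TRUE);   -- reject writes that leave the user's clients
  END LOOP;
END;
/
```

Write access to the two mapping tables decides who can see what, so it needs the same control as the policies themselves.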
How to check the row level security in TOAD for oracle
Hi ,
For example, I have 2 types of users:
normal user and super user.
Super user can see the group set (some column name) created by normal user,
but normal user cannot see the set created by super user.
This set creation also has 3 types: 'U', 'P', 'S'.
P & S can be viewed by even normal user,
but U should not.
So here we are having some row level security for the normal user .....
So, in TOAD for Oracle how to check that......
Let me know if I'm not clear
Like
I'm the super user....
And some records are inserted to a table by different users ('a', 'b', etc....)
So, if user 'a' logs in then he will be able to see only the records inserted by 'a'...
How to see in TOAD where such type of scripts (filter conditions) are written..... -
How to implement Bursting(Row level security) in Xcelsius
Hi,
We are using Xcelsius 2008. We have created an Xcelsius dashboard using QaaWS, but for authentication in QaaWS we are using enterprise authentication and a default user.
Now in my dashboard I have one combo box which gives data for different states; now I need to restrict the user to see the state values. I implemented the row level security in the universe; when I create a Webi report and view that report in InfoView, the row level security works. But when I publish the dashboard to InfoView the row level security doesn't work.
We are using XO 3.1 with SSO on IIS. So how and what are the different options available to implement the row level security in an Xcelsius dashboard?
Thanks for the help in advance.
Thanks,
Nimesh.
Nimesh,
Were you able to implement? I have a requirement to use the same dashboard for 5 regional users.
Row level security works.
Combo box initial value is Global; when I log in as North America user, combo still shows Global but it will have the value of North America.
I am curious to know how you implemented this?
Thanks
Pushpa -
How To Setup User Row Level Security In Answers From Values In Table
I am trying to set up row level security when a user logs into BI Answers. Basically I want the user to create any report that they would like but only see the data that they are associated to being retrieved in the Answer Report results. I have users stored in an Oracle authentication table where they have multiple values for schools that they can view. I have data in my RPD file that contain tables with multiple rows for schools. What I would like is to capture the associated school values for the user logged into BI Answers and place a filter on the data being retrieved in the RPD file to only show rows for the user's associated schools. Can I add a WHERE clause on the Business Model and Mapping layer of the RPD that would retrieve the multiple associated schools in my authentication table and filter/match them (IN clause maybe) to the school values in the RPD data being retrieved?
Thank you in advance for any information you may have to help me along,
Kyle
Turribeach,
I apologize, I did not use those exact words to search on in the forum. I should have and what I did use didn't turn anything up for my situation.
Thank you for the link. It helped me find the below link which describes the setup in detail and resolved my issue:
http://oraclebizint.wordpress.com/2008/06/30/oracle-bi-ee-1013332-row-level-security-and-row-wise-intialized-session-variables/
What I needed was a row-wise variable/initialization block that stored the multiple school values for my logged in user. I then edited the "Content" tab of the Logical Table Source with a WHERE/IN clause that filtered down the result set based on my variable/initialization block SQL query.
This solution works great!
Thanks again! -
Row level security at universe design level
Hi,
I am creating a Universe layer on top of non SAP OLAP cube ( from MS Analysis Services 2005 ) .
My concern is that can we maintain the row level or data level security at universe design level or if i am using that universe in creation of WEBI report so is there any possiblity to maintain this security at WEBI level.
Regards,
Mishra Vibhav.
Thanks for the reply.
Much Appreciated.
My only concern is that I read in the Universe Designer developer guide that it does the row level security, so can you elaborate a bit about how we maintain it at Universe level.
Warm Regards,
Mishra Vibhav -
How to implement row level security at universe level
Hi All
How can we implement row level security in universe ?
John
Hi,
Can we try this?
Open designer >> Tools >> Manage security > Manage access restrictions
Click on "new" under available restrictions area.
Select "rows" tab, click add, select the table and an appropriate where condition.
Click ok.
Add a user\group on which the restriction is to be imposed. Click Ok.
Hope this will help
Kultar