How to enforce row level security on MSAS Cube

We have to enforce row level security on MSAS Cube based on BOUSER.
We are using a security table which contains BOUSER ID and Location ID
We need help in joining the security table with MSAS Cube.
Thanks

HI,
I haven't worked with cubes. But the will the knowledge I have in Universe, could probably help you.
As you already have a table which maintains BOUSERID and location id, you could probably join location id with MSAS cube id.
If you don't want to use this userdefined security table, you can use the inbuilt Row level security option.
Go to Tools -> Manage access REstrcitions --> Create a new restriction --> Rows tabe ---> give a expression with BOUSER
Hope this helps.

Similar Messages

  • How to implement row level security?

    Hi all,
    There is a database which is for 3 companies to use it and how to use row level security to make sure that they can only manipluate their own data? For example, "employee" table, for each company they just can see their own employees information. How to use dynamic view to do it?
    Many Thanks
    Amy

    Here are two options to achieve what you want.
    A. You can do this by coding, that's if you are ready to. Are you? If yes then try the steps below:
    1. create a security codes table. Say for example
    001 - company a
    002 - company b
    2. create a security table that will list all users and which company they should have access to. You can also implement this by roles.
    3. alter all tables in the application schema to add a security code column. This will be a foreign key reference to table created in 1 above.
    4. update all data in the tables according to which company they belong to.
    5. write a procedure or package that does a validity check whenever a user requests for data. This procedure/package determines which company data the user has access/rights to.
    With this, you should be able to achieve what you want if you do not want to spend on VPD and FGAC. The problem comes where there are users who would have cross access to data from both companies. In this regard, then you have to modify your security table a little bit to handle this.
    B. This option i will admit is not so clean. You can also achieve this by two different views for every table in the application schema. And on each of these views, create a private synonym for every user. For illustration purposes:
    Table name = Employee.
    Create a view employee_a on employee
    create a view employee_b on employee
    Let's say you have users x and y. X has access to employees of company a and y has access to employees of company b. You can now create private synonyms for each of these users as follows:
    create synonym employee on employee_a in x schema.
    create synonym employee on employee_b on y schema.
    This i have not tried but believe should work.
    Hope one of these options serve your purpose.

  • How to Migrate Row Level Security Configuration

    Hi Guys,
    Does anybody know how to migrate row level security configuration? I suppose PeopleSoft provided a data mover script, like securityexport.dms.
    Thank you in advance,
    Bob

    Here are two options to achieve what you want.
    A. You can do this by coding, that's if you are ready to. Are you? If yes then try the steps below:
    1. create a security codes table. Say for example
    001 - company a
    002 - company b
    2. create a security table that will list all users and which company they should have access to. You can also implement this by roles.
    3. alter all tables in the application schema to add a security code column. This will be a foreign key reference to table created in 1 above.
    4. update all data in the tables according to which company they belong to.
    5. write a procedure or package that does a validity check whenever a user requests for data. This procedure/package determines which company data the user has access/rights to.
    With this, you should be able to achieve what you want if you do not want to spend on VPD and FGAC. The problem comes where there are users who would have cross access to data from both companies. In this regard, then you have to modify your security table a little bit to handle this.
    B. This option i will admit is not so clean. You can also achieve this by two different views for every table in the application schema. And on each of these views, create a private synonym for every user. For illustration purposes:
    Table name = Employee.
    Create a view employee_a on employee
    create a view employee_b on employee
    Let's say you have users x and y. X has access to employees of company a and y has access to employees of company b. You can now create private synonyms for each of these users as follows:
    create synonym employee on employee_a in x schema.
    create synonym employee on employee_b on y schema.
    This i have not tried but believe should work.
    Hope one of these options serve your purpose.

  • How to implement row level security using external tables

    Hi All Gurus/ Masters,
    I want to implement row level security using external tables, as I'm not sure how to implement that. and I'm aware of using it by RPD level authentication.
    I can use a filter condition in my user level so that he can access his data only.
    But when i have 4 tables in external tables
    users
    groups
    usergroups
    webgrups
    Then in which table I need to give the filter conditions..
    Pl let me know this ...

    You pull the Group into a repository variable using a session variable init block, then reference that variable in the data filters either in the LTS directly or in the security management as Filters. You reference it with the syntax VALUEOF("NQ_SESSION.Variable Name")
    Hope this helps

  • How To Apply Row level security ??

    Hi all,
    I want to apply row level security on one of my custom objects created in PO schema in R12. How to do that??
    Thanks and Regards
    Raj

    Thank You Gaurav
    --Raj                                                                                                                                                                                                                                       

  • How to apply row level security against the database administrator

    I would like an advice in applying row level security against the database administrator. We need to prevent DBA from editing data in some table rows or have any indication that data was corrupted.
    There is no problem in viewing the data so we considered one way hash function or digital signature which will be stored in the same table, but we see following disadvantages:
    HASH - DBA may use the same hash function to update the stored data after he changes the sensitive row.
    Digital signature - the is a need to manage and keep the private key in a safe place outside of DB
    Is there additional ways to achieve the aim?

    Does VPD helps to prevent from DBA to edit/view a data in specific rows?Yes.
    If I correctly understand, DBA has full access to security policy used by VPD to control the access and can grant himself privileges that I don't want.You can to define which users can be exempt of the politics, for the context or by Grant EXEMPT.
    This includes DBAs.
    The simple fact of being DBA doesn't guarantee the exemption.
    Everything goes to depend of the VPD config.

  • How to implement row-level security in Discoverer?

    Dear all,
    I have a scenario that I have 2 folders containing sales and inventory data stored by product lines.
    The 2 folders are constructed by 2 SQL statements.
    There exists a set of tables controlling which product line's sales and inventory data a person can read.
    A function is written previously that returns the WHERE clause based on user_id, employee_id and the other parameter.
    So, can you suggest how to integrate the 2 components in Discoverer?
    thanks
    George
    My blog: http://hktour.blogspot.com

    hi Rod,
    Thanks for your suggestions.
    I took your 1st option, ie.
    "You can use VPD at the database level to secure the tables."
    I have a view BUDGET_V with the following columns:
    PERIOD_YEAR
    PERIOD_MONTH
    PRODUCT_LINE
    BUDGET_AMOUNT
    Every salesman can only read the budget amount of certain product lines.
    I built the security function which will be binded to the view BUDGET_V (see below)
    FUNCTION security_policy_function( p_schema in varchar2, p_object in varchar2)
    return varchar2
    as
    begin
    if (user = p_schema) then
    return '';
    else
    return viewProductLine(FND_GLOBAL.USER_ID, FND_GLOBAL.EMPLOYEE_ID, 'BUDGET_V.PRODUCT_LINE');
    end if;
    end;
    The security function actually calls my own security function viewProductLine(FND_GLOBAL.USER_ID, FND_GLOBAL.EMPLOYEE_ID, 'BUDGET_V.PRODUCT_LINE') which take the user id and employee id of the apps user and returns the predicate.
    Then, I bind the security function security_policy_function() to the view BUDGET_V with
    begin
    dbms_rls.add_policy
    object_schema => 'APPS',
    object_name => 'BUDGET_V',
    policy_name => 'MY_POLICY',
    function_schema => 'APPS',
    policy_function => 'security_policy_function',
    statement_types => 'select',
    update_check => FALSE,
    enable => TRUE
    end;
    The problem now is that if I query the view in Discoverer as a Apps user (say "A"), it returns all the records in the view without any filtering (user "A" is supposed be able to read certain product lines).
    I try to verify whether the security function work or not. So, I hardcoded FND_GLOBAL.USER_ID and FND_GLOBAL.EMPLOYEE_ID as 1234 and 6789 which are the user_id and employee_id of user "A". (see below)
    FUNCTION security_policy_function( p_schema in varchar2, p_object in varchar2)
    return varchar2
    as
    begin
    if (user = p_schema) then
    return '';
    else
    return viewProductLine(1234, 6789, 'BUDGET_V.PRODUCT_LINE');
    end if;
    end;
    This time, Discoverer returns only the records with product lines visible to user "A".
    So, I guess there is problem in the function call in viewProductLine(FND_GLOBAL.USER_ID, FND_GLOBAL.EMPLOYEE_ID, 'BUDGET_V.PRODUCT_LINE');
    Can you give me some light on this issue?
    thanks
    George (HK)
    My blog at http://hktour.blogspot.com

  • Row level security in discoverer desktop

    currently, I have designed a business area on one of my star schema, and I created several other business area in order to allow different level of users to view the pre-defined reports on discoverer desktop. and I want different users to view different data from my star schema tables. So I created some criteria on those business area.
    e.g. condition on bus_area1 : sales_manager="man01",
    condition on bus_area2 : sales_manager="man02"
    in short, i want to enable record level security by using discoverer's conditions.
    but unfortunately, even I un-checked "Create/Edit Query" privileges on discoverer administrator for those users, they still can modify the worksheet. So they can just remove my condition and to view data that they shouldnot be able to see..
    can any one tell me how to solve this problem, or how to do row level security in discoverer?
    What can I do if I want to disable "edit worksheet" in discoverer desktop from users??
    thanks in advance..
    Marco

    Marco,
    Probably the best way to achieve row-level security is to upgrade to 9.0.4.1 and take advantage of the new functionality of Discoverer to pass the SSO user to the DB query. You would apply Oracle Fine Grained Security/VPD/striping on the DB tables using a policy based on SSO userid. Then using Disco 9.0.4.1 the user would see only the data they are privileged to see. However this works only in a web environment (Discoverer Plus, Viewer and Portlets) not for Desktop.
    Discoverer Product Management - mpd

  • SAP-BO SSO and Row Level Security

    Hi,
    We can configure the SAP authentication and able to login InfoView via SAP user name and password. And also, we can import the roles from the SAP system.
    When we create a connection to BW cubes from designer, we want to use "Use Single Sign On when refreshing reports at view time" to apply row-level security which is defined at the BW cubes.
    In our tests, we use "Use BusinessObjects credential mapping" while creating connection from designer to test the row level security. As you can guess, after importing the SAP user, in CMC screen > Users and Groups > Users, we manually enter the password of the user to the Database credentials part. However, as you can guess, the password of the user's is not static and that is not a good solution.
    My question is that, do I need to configure SSO between SAP and BO system or how can I enable row level security?
    System Information
    Business Objects XI 3.1
    SAP Intg. Kit 3.1
    Thanks a lot,
    Omer

    Hi Omer,
    please note that only row-level security implemented through authorization variables in BW queries can be used in BusinessObjects. Row-level security defined at cube level will not be applied.
    As long as you have used the SAP authentication to log on your BOBJ server, the SAP credentials will be used automatically to get the data from your SAP BW source as long as the "Use Single Sign On when refreshing reports at view time" option  is selected in the Database configuration panel (Found in the CMC when viewing the properties of your report) and the option "Use BusinessObjects credential mapping" is selected in your universe connection.
    Please note that this will only work for reports that are invoked directly in the infoview. If a user schedules such a report, she/he has to enter her/his SAP credentials explicitely in the Database Configuration Panel appearing in the scheduling assistant window. In this case you can activate SNC trust between your two servers in order to avoid entering a password when the report is scheduled.
    Regards,
    Stratos
    Edited by: Efstratios Karaivazoglou on May 5, 2009 10:16 AM
    Edited by: Efstratios Karaivazoglou on May 5, 2009 10:23 AM

  • Dynamically creating policies for Row-level security (RLS)

    Hi everybody,
    I’m looking for suggestions on how to configure Row-level security (RLS).
    I have a large number of tables (about 500) and about 100 database users. Each user must see a portion of the data, filtered on a specific field. The field used to filter the data is a Client Id (let’s assume for simplicity that this field is present in all tables and has the same name everywhere).
    Some users must be able to see just one client, other users must be able to see a group of clients, and some other users must be able to see all the clients. The association between Users and Client Id’s is stored in separate database tables.
    I’d like to avoid having to manually create a policy for each table, so I’m looking for a solution that makes use of pl/sql programs to create policies dynamically.
    Has anybody already implemented anything similar? Can you share your approach? Of course I’m looking for the easiest / most robust / most flexible way to implement this.
    Andrea

    It sounds like you would want a single policy function and that you would then apply that policy function to all 500 tables (at least given the simplifying assumptions you make in your question). If your policy function simply returned the `WHERE` clause
    client_id IN (
        SELECT client_id
          FROM table_mapping_user_to_client
         WHERE user_id = <<something that identifies the current user>> )Then you would simply apply that policy to all the tables
    FOR x IN (SELECT * FROM dba_tables WHERE <<condition to find the 500 tables>>)
    LOOP
      dbms_rls.add_policy(
        x.owner,
        x.table_name,
        'Restrict by client_id', -- name of policy
        <<owner of function above>>,
        <<name of function above>> );
    END LOOP;Justin

  • How to check the row level security in TOAD for oracle

    Hi ,
    for ex, i have 2 types of users
    normal user and super user
    super user can see the group set (some column name) created by normal user
    but normal user can not see the set created by super user
    this set crestion aslso has 3 types "U','P',S'
    P & S can be viewed by even normal user
    but U should not
    so here we are having some row level security for the normal user .....
    So, in TOAD for oracle how to check that......
    Let me know if i'm not clear

    Like
    I'm the super user....
    And some records are inserted to a table by different users ('a' , 'b', etc....)
    So,if user 'a' logins then he can be able to see only the records inserted by 'a' only...
    how to see in TOAD where such type of scripts (filter conditions) are written.....

  • How to implement Bursting(Row level security) in Xcelsius

    Hi,
    We are using Xcelsius 2008. We have created xcelsius dashboard using Qaaws but for authentication in qaaws we are suing enterprise authentication and default user.
    Now in my dashboard i have one combo box wich gives data fro diffrent states, now i need to restrict the user to see the state values. I implement the row level security in universe, when i create webi report and view that reprot in infoview, the row level security works. But when i publish the dashboard to infoview the row level security doesn't work.
    We are uisng XO 3.1 with SSO on IIS. So how and what are the diffrent option available to implement the row level security in Xcelsius Dashboard.
    Thanks for the help in advance.
    Thanks,
    Nimesh.

    Nimesh,
    Were you able to implement ? I have a requirement to use the same dashboard for 5 regional users.
    Row level security works.
    combo box intial value is Global , when I login as North America user, combo still shows Global but it will have the value of North America.
    i am curious to know how you implemeted this?
    Thanks
    Pushpa

  • How To Setup User Row Level Security In Answers From Values In Table

    I am trying to setup row level security when a user logs into BI Answers. Basically I want the user to create any report that they would like but only see the data that they are associated to being retrieved in the Answer Report results. I have users stored in an Oracle authentication table where they have multiple values for schools that they can view. I have data in my RPD file that contain tables with multiple rows for schools. What I would like is to capture the associated school values for the user logged into BI Answers and place a filter on the data being retrieved in the RPD file to only show rows for the user's associated schools. Can I add a WHERE clause on the Business Model and Mapping layer of the RPD that would retrieve the multiple associated schools in my authentication table and filter/match them (IN clause maybe) to the school values in the RPD data being retrieved?
    Thank you in advance for any information you my have to help me along,
    Kyle

    Turribeach,
    I appologize, I did not use those exact words to search on in the forum. I should have and what I did use didn't turn anything up for my situation.
    Thank you for the link. It helped me find the below link which describes the setup in detail and resolved my issue:
    http://oraclebizint.wordpress.com/2008/06/30/oracle-bi-ee-1013332-row-level-security-and-row-wise-intialized-session-variables/
    What I needed was a row-wise variable/initialization block that stored the multiple school values for my logged in user. I then edited the "Content" tab of the Logical Table Source with a WHERE/IN clause that filtered down the result set based on my variable/initialization block SQL query.
    This solution works great!
    Thanks again!

  • Row level security at universe design level

    Hi,
    I am creating a Universe layer on top of non SAP OLAP cube ( from MS Analysis Services 2005 ) .
    My concern is that can we maintain the row level or data level security at universe design level or if i am using that universe in creation of WEBI report so is there any possiblity to maintain this security at WEBI level.
    Regards,
    Mishra Vibhav.

    Thanks for the reply.
    Much Appriciated.
    My only concern is that i read in the Universe Designer developer guide that it does the row level security so can eloborate a bit about how we maintain at Universe level.
    Warm Regrads,
    Mishra Vibhav

  • How to implement row level secuirty at universe level

    Hi All
    How can we implement row level security in universe ?
    John

    HI,
    Can we try this?
    Open designer >>tools>>Manage security>Manage access retrictions
    Click on "new" under available restrictions area .
    Select "rows" tab click add select the table and an appropriate where condition.
    Click ok .
    Add a user\group on which the retriction is to be imposed Click Ok.
    Hope this will help
    Kultar

Maybe you are looking for

  • Change Sequence from HD to NTSC after video build complete

    Using Premiere Pro CS5 I inadvertently left the Sequence in HD format instead of changing back to NTSC.  I complete the whole video (48 minutes) but when I exported it I found myself with a small resolution  product about half the size it should be (

  • How to recent file open

    How to Recent file open in Reader

  • Help with Bytes

    Hi Can anyone help me with the following example? I have a 4 byte String s when displayed in binary = 00 30 00 00. I would like to change the 30 which is equal to 48 to 79 which is equal to 121. thanks

  • Kernel panic after replacing hard drive in Powerbook 17"

    I need help with a kernel panic that won't even let me start up. Here's a detailed account of what happened: The hard drive in my Powerbook 17" recently failed. Since it is out of warranty anyway, I decided to try to replace it myself. I found a good

  • Billing net value and tax is notpicking  and condition also empty

    Dear All We have a z t.code to generate the sales order ,delivery, Billing and also a/c document. We have did all settings and run in standard transaction and everything working fine up to a/c document. But in the Z T,code  while running sales docume