How to get object level security in Universe?

Similar Messages

• Object Level Security in OBIEE 11.1.1.5

  Hi All,
  I am trying to implement object level security for certail groups. We have BI Apps 7.9.6.3 implemented in whch obiee 11.1.1.5 is integrated with EBS R12. Users are able to login through diffrent responsiblities to OBIEe. I need insight into how to implement object level security. Below are the steps whihc i have followed but still i am facing strange issues i.e. some users are able to see dashboards which they have no access with view display error. I checked in dashboard permission. They do not have access
  1) Created application roles in OBIEE with the same resposiblity names
  2) Grouped the application roles in diffrent groups. I.e. if application roles a,b,c should have access to dashboard x then i made b and c member of a.
  3) Configured security in manage previleges and catalog for these application roles i.e. i used application role a mentioned in step 2 in manage previleges etc.
  4) Restarted the BI server and presentation servers.
  Are there any other steps which should be followed apart from above mentioned steps. Do i have to make use of groups.
  Regards,
  Sandeep

  Sandeep Saini wrote:
  I checked the inheritance. I did a lot of investigation but it is weird. My purpose of asking the question was to find out if there are any bugs in version 11.1.1.5 otherwise i didn't see any issues.
  There are a couple of bugs related to the issue but I have checked that on 11.1.1.5.5 and its works as expected.
  Bug 13982971 : PERMISSIONS ON WEB CATALOG OBJECTS NOT APPLIED IMMEDIATELY
  In case you see anything like this -> QA:USER WITH NO ACCESS OVER A FOLDER IS ABLE TO RUN ANALYSIS REPORT CONTAINED then [Patch ID 15626966]
  1) I want to check if there are any components i.e. BI server, presentation server or any other service that should be started after creation of application roles. I started only BI server after creating application rolesAny changes made to the Application policies should need a restart of admin and managed server however if you are not creating policies just Roles with similar names OPMN restart should be good to see the changes made.
  2) I made use of application roles throughout in object level security . Is it the correct approach ?Yes that is the right approach to use application roles for defining object level permission settings throught, do not go for catalog groups its makes it nasty to manage. Here is the quote from Sec Guide : " Using catalog groups is not considered a best practice and is available for backward compatibility in upgraded systems."
  3) To check if there are any object level security related bugsThere might be more than once mentioned above since 11.1.1.5 .. I do not trust that version it bites a lot ;)
  And to explain step 2 lets say there are n number of application roles which should have same object level security but diffrent data level security. In that case i made all such application roles member of another application role and configured object level security for that group only. For ex in manage previlege i configured "Access to Answer" for one application group and made other application group member of this group. I hope its clear now .Grouping of Roles with other similar roles is what needs to done to get functionality like catalog groups.However a reference of the 5 basic rules is always a lifesaver : [Rules for Inheritance for Permissions and Privileges|http://docs.oracle.com/cd/E29505_01/bi.1111/e10543/mgrgrpsusers.htm#autoId16]
  Hope this helps.!
  SVS

• Object Level security by creating catalog groups in OBIEE-10G

  Hi All,
  I have a requirement to display the dashboard based on the user login. Ex. Mike belongs to HR, Smith belongs to Accounts
  When Mike logs in he should see only these three dashboards. HR View, Common data1, common data2. When Smith logs in he should see only these three dashboards. Accounts view, Common data1, commondata2.
  The commondata1 and commondata2 dashboards has common reports for all the departments. The other dashboards are department specific with all different reports. How can I implement this?
  From one of my earlier posts I was advised to do it using Object Level security by creating catalog groups. Can you please provide me end to end instructions on how to create Object level security based on catalog groups.
  Thanks for your time and help.

  Hi,
  Mike to HR
  Smit - Account
  Yes, You achive by Object Level security by creating catalog groups
  1) Create Catalog group and users in RPD part(Ex: Account_grp,HR_grp)
  2)assign user to that particular group(let say Ex: Account_grp= Smith and HR_grp=Mike )
  3) login (Admin user id ) into dashboard page and --->mange dashboard page -->add users to that particular
  dashboard to relevent users and save it then
  try to login that mike and smith user it will work
  kindly refer below link
  http://www.rittmanmead.com/2010/01/obiee-10g-web-catalog-best-practices/
  http://www.rittmanmead.com/2007/05/obiee-and-row-level-security/
  thanks
  Deva

• How do you created object level security in BI for roles.

  How do you created object level security in BI for roles.  For example if I want users to only execute reports in BI for a particular "object" report how would I do that.
  Thanks.

  Hi Maritza,
  Can you be more specific.
  If you are looking for BI Security concept, check this presentation:
  https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/1b439590-0201-0010-ea8e-cba686f21f06
  Regards,
  Zaheer

• Row level security at universe design level

  Hi,
  I am creating a Universe layer on top of non SAP OLAP cube ( from MS Analysis Services 2005 ) .
  My concern is that can we maintain the row level or data level security at universe design level or if i am using that universe in creation of WEBI report so is there any possiblity to maintain this security at WEBI level.
  Regards,
  Mishra Vibhav.

  Thanks for the reply.
  Much Appriciated.
  My only concern is that i read in the Universe Designer developer guide that it does the row level security so can eloborate a bit about how we maintain at Universe level.
  Warm Regrads,
  Mishra Vibhav

• How to implement row level secuirty at universe level

  Hi All
  How can we implement row level security in universe ?
  John

  HI,
  Can we try this?
  Open designer >>tools>>Manage security>Manage access retrictions
  Click on "new" under available restrictions area .
  Select "rows" tab click add select the table and an appropriate where condition.
  Click ok .
  Add a user\group on which the retriction is to be imposed Click Ok.
  Hope this will help
  Kultar

• Object Level Security Issue.

  Hi,
  I am facing an issue in applying object level security in OBIA.
  I have successfully done the LDAP authentication.
  In object level, I want to give permission for the currently logged in user to a page of General Ledger dashboard.
  Regarding this I have added the group corresponding to the logged in user through "Manage privilege" and given Access to the Dashboards.
  But after doing this I am getting following error in my report when I ll loggin as the same user.
  "Odbc driver returned an error (SQLExecDirectW).
  Error Details
  Error Codes: OPR4ONWY:U9IM8TAC:OI2DL65P:OI2DL65P
  State: HY000. Code: 10058. [NQODBC] [SQL_STATE: HY000] [nQSError: 10058] A general error has occurred. [nQSError: 27004] Unresolved table: "Financials - GL Balance Sheet". (HY000)
  SQL Issued: {call NQSGetQueryColumnInfo('SELECT "Profit Center"."Profit Center Name", Ledger."Ledger Name", Time."Fiscal Quarter", Time."Fiscal Year" FROM "Financials - GL Balance Sheet"')}
  SQL Issued: SELECT "Profit Center"."Profit Center Name", Ledger."Ledger Name", Time."Fiscal Quarter", Time."Fiscal Year" FROM "Financials - GL Balance Sheet"
  Please suggest me where else I need do any setting.

  Hi,
  Looks like the user does not have access to the presentation table/column, check and see if the group has access.
  See: http://obiee-tips.blogspot.com/2009/09/obiee-security.html
  Regards,
  Matt

• Object Level Security,Data Level Security&Row level Security

  can anyone explain main difference between "Object Level Security,Data Level Security & Row Level Security " and how to implement.
  Thanks in advance,
  Kumar

  Hi Kumar
  Dashboards, Reports, Guided Navigation Links, Texts, briefing books are all Dashboard OBJECTS which are available at UI level of OBIEE..if you restrict them Say User 'A' wants to see 2 Dashboards and USer 'B' Wants to see 1 Dashboard....these settings & permission u r restricting in Object level called Object Level Security
  lly datalevel security is restriction of Data.. consider the same above example and User 'B" wants to see 2-3 regions data where as User A will see only Single Region Data..which you will do/restrict at logical tables, using variables..
  Row level security: http://groups.google.com/group/obiee-enterprise-methodology/browse_thread/thread/131ee938a5aefde0 refer this link, clearly explains you
  Please mark Correct or helpful if this clears

• How to implement data level security

  How to implement data level security in BI Publihser?. I am using Obiee enterprise edition and bi publihser. My requirement is to show data based on User- Region relation ship.
  User A - belongs to Eastern Region
  User B - belongs to Southern Region
  so if user A logged in he should see only Eastern Region report. If user B logged in He should see only Southern region. I am using direct sql to my oralce database as data source.
  i appriciate your help

  I am using a common database username and password for jdbc connection. what i am looking is based the BI Publihser login, is there any way?
  say i have userregion table joined with fact. so that i can write a query to get the data
  select c1,c2,c3
  from userregion, fact
  where fact.region=userregion.region
  and userregion.user = BIPUBLIHSERUSER
  but my question is ithere any variable to tell who is logged in BI Publisher? Any server varaibles?
  Other related question is, In every report i want to show User name who is running the report. How can i get this?

• Object Level security not working on OBIEE 11g 11.1.1.7

  Hi,
  I am experiencing problems with object level security applied on application role in 11.1.1.7 version. If i create a user and assign that user to a application role and give that application role permission to Access Answers in Manage previleges, it is not working. If i directly add a user to permission list in Manage previleges section then user is able to access the answers. I added that application role in "Access to Answers" section in Manage previleges section. Permission for Authenticated users is denied.
  We recently upgraded from 11.1.1.5 to 11.1.1.7. Please can someone confirm if it a bug in 11.1.1.7 or it is because of the upgrade process.
  Regards,
  Sandeep

  Hello Sandeep,
  I have just verified the below scenario as you said but didnt find any issue.
  I have just created a User, Group and Applictaion Role under default authentication provider . Assigned user under group and group under newly created application role and provided access to answers for new application role under manage privilages and I am able see it.
  This might not be a 11.1.1.7 bug check it from upgrade end.
  Regards,
  Srikanth

• How to implement row level security?

  Hi all,
  There is a database which is for 3 companies to use it and how to use row level security to make sure that they can only manipluate their own data? For example, "employee" table, for each company they just can see their own employees information. How to use dynamic view to do it?
  Many Thanks
  Amy

  Here are two options to achieve what you want.
  A. You can do this by coding, that's if you are ready to. Are you? If yes then try the steps below:
  1. create a security codes table. Say for example
  001 - company a
  002 - company b
  2. create a security table that will list all users and which company they should have access to. You can also implement this by roles.
  3. alter all tables in the application schema to add a security code column. This will be a foreign key reference to table created in 1 above.
  4. update all data in the tables according to which company they belong to.
  5. write a procedure or package that does a validity check whenever a user requests for data. This procedure/package determines which company data the user has access/rights to.
  With this, you should be able to achieve what you want if you do not want to spend on VPD and FGAC. The problem comes where there are users who would have cross access to data from both companies. In this regard, then you have to modify your security table a little bit to handle this.
  B. This option i will admit is not so clean. You can also achieve this by two different views for every table in the application schema. And on each of these views, create a private synonym for every user. For illustration purposes:
  Table name = Employee.
  Create a view employee_a on employee
  create a view employee_b on employee
  Let's say you have users x and y. X has access to employees of company a and y has access to employees of company b. You can now create private synonyms for each of these users as follows:
  create synonym employee on employee_a in x schema.
  create synonym employee on employee_b on y schema.
  This i have not tried but believe should work.
  Hope one of these options serve your purpose.

• How to Migrate Row Level Security Configuration

  Hi Guys,
  Does anybody know how to migrate row level security configuration? I suppose PeopleSoft provided a data mover script, like securityexport.dms.
  Thank you in advance,
  Bob

  Here are two options to achieve what you want.
  A. You can do this by coding, that's if you are ready to. Are you? If yes then try the steps below:
  1. create a security codes table. Say for example
  001 - company a
  002 - company b
  2. create a security table that will list all users and which company they should have access to. You can also implement this by roles.
  3. alter all tables in the application schema to add a security code column. This will be a foreign key reference to table created in 1 above.
  4. update all data in the tables according to which company they belong to.
  5. write a procedure or package that does a validity check whenever a user requests for data. This procedure/package determines which company data the user has access/rights to.
  With this, you should be able to achieve what you want if you do not want to spend on VPD and FGAC. The problem comes where there are users who would have cross access to data from both companies. In this regard, then you have to modify your security table a little bit to handle this.
  B. This option i will admit is not so clean. You can also achieve this by two different views for every table in the application schema. And on each of these views, create a private synonym for every user. For illustration purposes:
  Table name = Employee.
  Create a view employee_a on employee
  create a view employee_b on employee
  Let's say you have users x and y. X has access to employees of company a and y has access to employees of company b. You can now create private synonyms for each of these users as follows:
  create synonym employee on employee_a in x schema.
  create synonym employee on employee_b on y schema.
  This i have not tried but believe should work.
  Hope one of these options serve your purpose.

• Object level security will be done by bi-server or presentation server

  hi all
  object level security will be done by bi-server or presentation server?
  r both will be done by bi-server?
  Tnks

  Hi,
  object level security will be done by bi-server or presentation server?It would be maintained by both the servers,as the end user sends a request that would be sent to presentation server and then in turn to BI server....while in this processboth checks is there any security implemented on it.
  Ya in simple words authorization and authentication.
  Hope it helps you.
  By,
  KK

• Object Level Security Profile-Collaborators

  Dear All,
  I the document collaborator security profile one permission is change master data state, is master data considered all fields within the contract.Also what will happen if this permission is changed to not set.
  Thanks,
  Jay

  Hi,
  object level security will be done by bi-server or presentation server?It would be maintained by both the servers,as the end user sends a request that would be sent to presentation server and then in turn to BI server....while in this processboth checks is there any security implemented on it.
  Ya in simple words authorization and authentication.
  Hope it helps you.
  By,
  KK

• Anyone know how to get to the security screen with a " Crashed" phone?

  Getting the message "Restore Needed" but it says I can't connect with my Iphone because my phone has a security code. I can't get to the Security code screen on the phone.  Anyone know how to get to the security screen with a " Crashed" phone?

  Restore the phone on the same computer it was last synced to and it will not require the unlock code.
  If you don't have access to that computer you will have to use Recovery mode, which will wipe all content. See: http://support.apple.com/kb/HT1808