How to implement row level secuirty at universe level

Similar Messages

• Implement Chasm & Fan Trap at Universe level

  Hi All,
  Could anyone provide me some idea about 'how to implement Chasm & Fan Trap at Universe' practically??
  Thanks for ur time & help.
  Regards,

  Hi
  We cannot specify the real time scenarios here, search the SDN, forumtopic and many other site... there are lot of posts on that and solutions for that.
  for a quick glance
  These will occur at universe level while joining the tables.
  chasm trap :  The Chasm trap occurs when 2 u201Cmany-to-oneu201D joins converge on a single table, which has not been resolved by any context. The most common problem caused by a chasm trap is fetching more data than expected.
  Fan Trap:A Fan Trap is a join between 3 tables where a one-to-many join links the first table to the second and another one-to-many join links the second table to the third. Inflated results are obtained when fields from all 3 tables are included in the query.
  go trough these urls  it may help you out
  http://www.forumtopics.com/busobj/viewtopic.php?t=174405&sid=b10e205712fb102dae312173957b19f2
  http://davidlai101.com/blog/2008/11/18/preventing-chasm-and-fan-traps/
  http://biguru.wordpress.com/2008/05/01/its-all-in-the-universe-handling-chasm-and-fan-traps/
  Hope this will help you!!!!!!!!!!!
  Regards,
  Rajesh

• How to implement Rows Per Page Selector for a tabular form kind of report

  Hello,
  Can somebody please tell how to implement Rows Per Page Selector in a tabular form (updatable report)
  -- similar to what we can have in an Interactive report---
  Plz help me out.

  You have to create item text field or select list (in interactive report is select list, you can create static value for example 10, 15, 50 , 100,500,.....) . In the Tabular form you have to go Report Attributes, search Number of Rows (Item) and select your item. And thats all. If I help you please check CORRECT or Helpful.

• How to implement row level security?

  Hi all,
  There is a database which is for 3 companies to use it and how to use row level security to make sure that they can only manipluate their own data? For example, "employee" table, for each company they just can see their own employees information. How to use dynamic view to do it?
  Many Thanks
  Amy

  Here are two options to achieve what you want.
  A. You can do this by coding, that's if you are ready to. Are you? If yes then try the steps below:
  1. create a security codes table. Say for example
  001 - company a
  002 - company b
  2. create a security table that will list all users and which company they should have access to. You can also implement this by roles.
  3. alter all tables in the application schema to add a security code column. This will be a foreign key reference to table created in 1 above.
  4. update all data in the tables according to which company they belong to.
  5. write a procedure or package that does a validity check whenever a user requests for data. This procedure/package determines which company data the user has access/rights to.
  With this, you should be able to achieve what you want if you do not want to spend on VPD and FGAC. The problem comes where there are users who would have cross access to data from both companies. In this regard, then you have to modify your security table a little bit to handle this.
  B. This option i will admit is not so clean. You can also achieve this by two different views for every table in the application schema. And on each of these views, create a private synonym for every user. For illustration purposes:
  Table name = Employee.
  Create a view employee_a on employee
  create a view employee_b on employee
  Let's say you have users x and y. X has access to employees of company a and y has access to employees of company b. You can now create private synonyms for each of these users as follows:
  create synonym employee on employee_a in x schema.
  create synonym employee on employee_b on y schema.
  This i have not tried but believe should work.
  Hope one of these options serve your purpose.

• How to implement row level security using external tables

  Hi All Gurus/ Masters,
  I want to implement row level security using external tables, as I'm not sure how to implement that. and I'm aware of using it by RPD level authentication.
  I can use a filter condition in my user level so that he can access his data only.
  But when i have 4 tables in external tables
  users
  groups
  usergroups
  webgrups
  Then in which table I need to give the filter conditions..
  Pl let me know this ...

  You pull the Group into a repository variable using a session variable init block, then reference that variable in the data filters either in the LTS directly or in the security management as Filters. You reference it with the syntax VALUEOF("NQ_SESSION.Variable Name")
  Hope this helps

• How to implement authorization at sales order/projects level?

  If we open a sales order in VA02 and then try to open the same sales order in another session in VA02, there will be a message that the sales order is being processed. 
  I wish to implement similar functionality in my application which consists of editable report. 
  I tried to debug the situation in VA02 case mentioned above, to know something more about it, but could not understand anything!
  I know that lock objects can be helpful in this, but in my case there can a be range of sales orders (and projects within a range of profit centers). 
  How to implement such a functionality?
  Edited by: Ankit Modi on Dec 30, 2009 10:54 AM
  Edited by: Ankit Modi on Dec 30, 2009 10:55 AM

  @ Max -
  Yes Max, but the problem is that I want the lock on many sales orders at a time.  Its like, there is a report in which many rows (for sales orders) are editable.  I want all those to be locked at a time. This will not work by Lock object, I believe...
  @ Soumya -
  Yes Soumya, but, as I explained above, I want a range of sales orders rather than a sales order in particular.  That will not work by lock object.  Right?

• How to create Current Year Filter at Universe Level ?

  Hi,
  I want to create a Current Year, Next Year and Last Year filters at Universe Level.
  Can anyone help me with this.
  I am using Netezza database and not able to find the appropriate date function in Netezza to accomplish this.
  Any suggestions ?
  Thanks

  Hi,
  You would somehow need to extract the Year part from the system date..
  then
  Current Year = Year
  Next Year would be i.e Current Year + 1
  Last Year would be i.e Current Year - 1
  I guess this is the simple part... but you would need to find those functions on your RDBMS..
  Hope this helps
  Jacques

• How to implement row-level security in Discoverer?

  Dear all,
  I have a scenario that I have 2 folders containing sales and inventory data stored by product lines.
  The 2 folders are constructed by 2 SQL statements.
  There exists a set of tables controlling which product line's sales and inventory data a person can read.
  A function is written previously that returns the WHERE clause based on user_id, employee_id and the other parameter.
  So, can you suggest how to integrate the 2 components in Discoverer?
  thanks
  George
  My blog: http://hktour.blogspot.com

  hi Rod,
  Thanks for your suggestions.
  I took your 1st option, ie.
  "You can use VPD at the database level to secure the tables."
  I have a view BUDGET_V with the following columns:
  PERIOD_YEAR
  PERIOD_MONTH
  PRODUCT_LINE
  BUDGET_AMOUNT
  Every salesman can only read the budget amount of certain product lines.
  I built the security function which will be binded to the view BUDGET_V (see below)
  FUNCTION security_policy_function( p_schema in varchar2, p_object in varchar2)
  return varchar2
  as
  begin
  if (user = p_schema) then
  return '';
  else
  return viewProductLine(FND_GLOBAL.USER_ID, FND_GLOBAL.EMPLOYEE_ID, 'BUDGET_V.PRODUCT_LINE');
  end if;
  end;
  The security function actually calls my own security function viewProductLine(FND_GLOBAL.USER_ID, FND_GLOBAL.EMPLOYEE_ID, 'BUDGET_V.PRODUCT_LINE') which take the user id and employee id of the apps user and returns the predicate.
  Then, I bind the security function security_policy_function() to the view BUDGET_V with
  begin
  dbms_rls.add_policy
  object_schema => 'APPS',
  object_name => 'BUDGET_V',
  policy_name => 'MY_POLICY',
  function_schema => 'APPS',
  policy_function => 'security_policy_function',
  statement_types => 'select',
  update_check => FALSE,
  enable => TRUE
  end;
  The problem now is that if I query the view in Discoverer as a Apps user (say "A"), it returns all the records in the view without any filtering (user "A" is supposed be able to read certain product lines).
  I try to verify whether the security function work or not. So, I hardcoded FND_GLOBAL.USER_ID and FND_GLOBAL.EMPLOYEE_ID as 1234 and 6789 which are the user_id and employee_id of user "A". (see below)
  FUNCTION security_policy_function( p_schema in varchar2, p_object in varchar2)
  return varchar2
  as
  begin
  if (user = p_schema) then
  return '';
  else
  return viewProductLine(1234, 6789, 'BUDGET_V.PRODUCT_LINE');
  end if;
  end;
  This time, Discoverer returns only the records with product lines visible to user "A".
  So, I guess there is problem in the function call in viewProductLine(FND_GLOBAL.USER_ID, FND_GLOBAL.EMPLOYEE_ID, 'BUDGET_V.PRODUCT_LINE');
  Can you give me some light on this issue?
  thanks
  George (HK)
  My blog at http://hktour.blogspot.com

• How to implement row span and column span in JTable.

  Hi,
  How do we implement Col span and row span in JTable as in Html.
  Kindly help.
  Thank You

  Although I suppose you could extend JTable to support column and row spans, this would involve a lot of of work and quite a few hacks. I think you will be better off either creating a new custom JComponent with an appropriate model for this purpose or using an existing solution such as [JIDE Grids|http://www.jidesoft.com/products/grids.htm] which includes a CellSpanTable.

• How to build Restricted Key figures in Universe?

  Hi All,
  I have been trying to find a way to build restricted key figures at BO universe level.
  I have gone through the best practices documents and the mdx syntax documents.
  Even though building Restricted key figures at universe level is not a recommended approach, we had a requirement to achieve it.
  I have tried the below possilbe ways but could succeed only half way.
  Please help me and others who has been trying to build the restricted key figures at universe level by guiding us.
  Eg: A restricted key figure A1 is based on a basic key figure A, with a restriction on cost element  C (detail object,cost element key)
  I have built A1 with below syntax and  could get correct result in web intelligence report
  Select block of  A1 measure object in designer
  <Expression>@Select(Key figures\A)</Expression>
  Where block of A1 measure object in designer
  <FILTER KEY="[0COSTELMNT].[LEVEL01].[[20COSTELMNT]].[Value]"><CONDITION OPERATORCONDITION="Equal"><CONSTANT TECH_NAME="ABCD/1234567"/></CONDITION></FILTER>
  But when I build another restricted key figure A2 out of basic key figure A with restriction on the same cost element key field but a different value like  ="ABCD/678910".
  Both A1 and A2 give correct results individually when they are dragged in a web intelligence query.
  But when both of them are required to be dragged in the same query , no result comes because of the conflicting where clauses,as cost element key can't have both values at same time.
  Then I tried building A1 in below ways, as mentioned in the mdx examples document
  Trial 1:
  Select block of  A1 measure object in designer
  <Expression>(@Select(Key figures\A),[0COSTELMNT].[LEVEL01].[[20COSTELMNT]].[Value].[ABCD/1234567])</Expression>
  Trial 2:
  Select block of  A1 measure object in designer
  <Expression>(@Select(Key figures\A),[0COSTELMNT].[ABCD/1234567])</Expression>
  Trial 3:
  Select block of  A1 measure object in designer
  <Expression>([Measures].[D787I2PW5YTGMTKL83RWBH80W],[0COSTELMNT].[ABCD/1234567])</Expression>
  All the above expressions parse OK at universe level. Trial 1 gives a database error while running the query.
  Trial 2 and Trial 3 nither throw any error nor return any result for A1.
  If any one has tried and succeeded in implementing restricted key figures at universe level,please provide us some inputs.
  Thank You.
  Naresh

  Hi,
  this seems to be identical to this one:
  Re: Condition Object for previous month data on current month input
  I would suggest you close one of them as two entries asking the same is not a good idea
  Ingo

• How to implement Bursting(Row level security) in Xcelsius

  Hi,
  We are using Xcelsius 2008. We have created xcelsius dashboard using Qaaws but for authentication in qaaws we are suing enterprise authentication and default user.
  Now in my dashboard i have one combo box wich gives data fro diffrent states, now i need to restrict the user to see the state values. I implement the row level security in universe, when i create webi report and view that reprot in infoview, the row level security works. But when i publish the dashboard to infoview the row level security doesn't work.
  We are uisng XO 3.1 with SSO on IIS. So how and what are the diffrent option available to implement the row level security in Xcelsius Dashboard.
  Thanks for the help in advance.
  Thanks,
  Nimesh.

  Nimesh,
  Were you able to implement ? I have a requirement to use the same dashboard for 5 regional users.
  Row level security works.
  combo box intial value is Global , when I login as North America user, combo still shows Global but it will have the value of North America.
  i am curious to know how you implemeted this?
  Thanks
  Pushpa

• Implement row-level security using Oracleu2019s Virtual Private Databases (VPD)

  Environment: Business Objects XI R2; Oracle 10g
  Functional Requirement:
  Implement row-level security using Oracleu2019s Virtual Private Databases (VPD) technology. The restriction is that the Business Objects Universe connection should use a generic/u201Capplicationu201D database user account. This will allow the organization to avoid the situation where the Business Objects password and the Oracle password need to be kept in synch.
  What do we need from the Business Objects support team?
  1.     Review the 2 attempted solutions that we have tried to implement
  2.     Propose solutions/answers to open questions for each of the attempted solutions
  3.     Propose any alternate solution that will help us implement the Function Requirement stated above
  Attempted Solution 1: Connection String uses Oracle Proxy User
  The connection string that is specified in the Universe is the following:
  app_user[end_user]/app_user_pwdarrobaDatabase.WORLD
  app_user = generic application user
  end_user = the oracle account of the end user which is set using arrobaVariable('BOUSER') app_user_pwd = password of the generic application user
  We have tried and implemented this in our test environment. However, we have some questions and concerns around how the connections are reused in a connection pool environment.
  Open Question for Solution 1:
  i. What happens when multiple proxy users try to connect on at the same time?  Business Objects shares the generic app_user connect string.  However, every user that logs on will have their own unique proxy user credentials.  Will there be any contention involved?  If so, what kind of errors can we expect?
  ii. If a user logs on using his credentials (proxy user), and business objects opens up a connection to the database using that user's credentials (as the proxy user but logging in through the generic app user). Then the user exits out --> based on our test today, it seems like the database connection remains open.  In that case, if another user logs on similarly with their credentials, will business objects simply assign the first users connection to that second user?  If so, then our security will not work.  Is there a way that Business Objects can somehow ensure that everytime we close a report, the connection is also terminated both at the BO and DB levels?
  iii. Our 3rd question is general high level -> How connection pooling works in general and how it is implemented in BO, i.e. how are new connections assigned, how are they recycled, how are they closed, etc.
  Attempted Solution 2: Using the ConnectInit parameter
  Reading through a couple of the Business Objects documents, it states that u201CUsing the ConnectInit parameter it is possible to send commands to the database when opening the session which can be used to set database specific parameters used for optimization.u201D
  Therefore, we tried to set the parameter in the Universe using several different options:
  ConnectInit = BEGIN SYSTEM.prc_logon('arrobaVARIABLE('BOUSER')'); COMMIT; END; ConnectInit = BEGIN DBMS_SESSION.SET_IDENTIFIER('arrobaVariable('BOUSER')'); COMMIT; END;
  Neither of the above iterations or any variation of that seemed to work. It seems that the variable is not being set or being u201Cexecutedu201D on the database.
  One of the Business Objects documents had stated that Patch ID 38, 977, 350 must be installed in our BO environments. We have verified that this patch has been applied on our system.
  Open Questions for Solution 2:
  How do we get the parameter ConnectInit to work? i.e. what is the proper syntax to enter and what other things do we need to check to get this to work.
  Note: Arroba word is being used instead of the symbol in order to avoid following error message:
  We are sorry but your message can not be posted since you have included an email address. Please remove the email address and re-post.

  the connectinit setting should look something like this:
  declare a date; begin vpd_setup('@VARIABLE('BOUSER')'); Commit; end;
  The vpd_setup procedure (in Oracle) should look like this:
  CREATE OR REPLACE procedure vpd_setup (p_user varchar)IS
  BEGIN
    DBMS_SESSION.set_vpd( 'SESSION_VALUES', 'USERID', p_user );
  END vpd_setup;
  Then you can retrieve the value of the context variable in your vpd functions
  and set the vpd.

• How to apply row restrictions to universes generated via Universe builder

  I have a universe generated via Universe Builder. The source is SAP BW.
  Now I want to apply row restrictions using some external security tables available inside another schema of my datawarehose. Restrictions should be like:
  0 < (select count(*) from SECURITY_TABLE x   where x.name = @Variable('BOUSER')   )
  How I can do it ? How I can reference this external security table ?
  Thanks

  Umberto,
  Row level securtity does not seem to be avaible in Designer when using a SAP BW source.
  For the SAP BW related sources you would need to set the connection to use SSO and within BW apply authorisations on the objects/dimesions restricting users i.e implementing row level restrictions and use this object in universe and report so that the authorisations are honored in SAP BW.

• Best Practice to implement row restriction level

  Hi guys,
  We need to implement a security row filter scenario in our reporting system. Following several recommendations already posted in the forum we have created a security table with the following columns
  userName  Object Id
  U1             A
  U2             B
  where our fact table is something like that
  Object Id    Fact A
  A                23
  B                4
  Additionally we have created row restriction on the universe based on the following where clause:
  UserName = @Variable('BOUSER')
  If the report only contains objects based on Fact table the restriction is never applied. This has sense as docs specify that the row restrictions are only applied if the table is actually invoked in the SQL statement (SELECT statment is supposed).
  Question is the following: Which is the best practice recommended in this situation. Create a dummy column in the security table, map into it into the universe and include the object in the query?
  Thanks
  Edited by: Alfons Gonzalez on Mar 8, 2012 5:33 PM

  Hi,
  This solution also seemed to be the most suitable for us. Problem that we have discover: when the restriction set is not applied for a given user (the advantage of using restriction set is the fact that is not always applied) the query joins the fact table with the security table withou applying any where clause based on @variable('USER'). This is not a problem if the secuity table contains a 1:1 relationship betwwen users and secured objects , but (as in our case) relathion ship is 1:n query provide "additional wrong rows".
  By the moment we have discarded the use of the restriction sets. The effect of putting a dummy column based on the security table may have undesired effects when the condition is not applied.
  I don't know if anyone has found how to workaround this matter.
  Alfons

• Row level security at universe design level

  Hi,
  I am creating a Universe layer on top of non SAP OLAP cube ( from MS Analysis Services 2005 ) .
  My concern is that can we maintain the row level or data level security at universe design level or if i am using that universe in creation of WEBI report so is there any possiblity to maintain this security at WEBI level.
  Regards,
  Mishra Vibhav.

  Thanks for the reply.
  Much Appriciated.
  My only concern is that i read in the Universe Designer developer guide that it does the row level security so can eloborate a bit about how we maintain at Universe level.
  Warm Regrads,
  Mishra Vibhav