How to provide Responsiblity level security in OBIEE 11g

Similar Messages

• How to create Database level Security in OBIEE

  Dear Experts,
  Can you kindly tell me the steps on how to create a database level security on OBIEE.
  Please can some one give me the scripts and tell me how to implement tht in the RPD.
  Thanks in advance,
  Anand

  If you are looking for Database Level security in OBIEE the only route to truly accomplishing this is using the Oracle Virtual Private Database concept.
  http://obieeblog.wordpress.com/2008/12/29/obiee-and-virtual-private-database-vpd/
  http://gerardnico.com/wiki/dat/obiee/vpd

• Row level security in OBIEE 11g: Which is better: VPD or RPD

  We can apply row level security in OBIEE by 2 ways.
  1. by Creating Initialize Block in RPD
  2. or Applying VPD in Database, which restricts source tables
  Which one is more efficient and why?
  Thanks,
  Sunil Jena

  you will have some degree of performance degradation with either approach since you are adding additional filters so I would not use that as the main factor to decide. You need to assess your actual requirements. What is the basis by which you are planning on doing the security. Is LDAP the main basis for the security? Do you plan to use certain roles? if your security is more based on roles at the application level, then it may be easier to define at the Application level (OBIEE)...if its just based on a certain user ID for a set of tables, then perhaps VPD can work. If helpful, pls mark.

• How to provide page-level security..

  HI,
  I have a requirnment that a single report having multiple pages is generated such that each or some of the pages have security tags that are compared to a security identifier list of a particular user that acts as a security clearance for that user. How to do this programatically.
  Through this comparison, a subset of pages from the report is formed which makes up a "report" from the user's point of view that contains only data the user is allowed to see. This allows multiple users to view only authorized portions of a single report having page-level security determined by level breaks in the data.How to do this also programatically.
  including both the task is one requirnment. if any one know how to do this using java program or xml, please reply as soon as possible.
  thanks in advance.

  How does you post have anything to do with SQLJ/JDBC? If this is an Oracle Report then post it to the Oracle Reports forum. Otherwise, look at the JDeveloper forum.

• Row level security in OBIEE 11g

  Hi guys,
  We have a business intelligence project in OBIEE, and I have a question regarding row level security (RLS).
  Specifically, I have an hierarchical organization with users belonging to different structures. If one user belongs
  to a structure that is above another structure in hierarchy, then he should see both data from his structure and
  the of the users in structures bellow it. In the reports, we must have filters implemented respecting this requirement,
  i.e. if one logs in OBI and accesses the report, he should see in the filter "Users" only subordinate users and respectively
  data displayed in the report should be filtered accordingly. How would you suggest to implements this type of security
  in the data model? And how could I create the type of filter mentioned above?  

  This needs to be implemented in 3 different levels. 1. in database  2. in RPD  3 in reports
  1. You need to have facts or dimensions which have columns through which you can filter based on their hierarchy. e.g position in an organisation or department in the hierarchy table which can be joined to fact.
  2. In rpd you need to create a session variable and initialize it using init block based on the user who is logging in. This variable will be you position or department through which you want to filter based on hierarchy. e.g select position from hierarchy_table where user= 'NQSession(user)' . The resulting position value will be used as a filter.
  3. Add this position variable as a content filter in your LTS in you BMM layer.
  4. You can also use this session variable  as a filter in you reports too.
  hope this helps.
  Senthil

• Data Level Security In OBIEE 11g based on the filters setup in RPD

  Hello All,
  We are trying to implement the data level security on a BI publisher report that is using BI server as the data source. The filters are created in the RPD based on user login ( session variable USER). From the documentation of BI publisher, I see that you have to enable the option Use Proxy Authentication to pass the user information down to BI publisher from OBIEE when using BI server as the data source to implement row-level security. After checking that option, the BI pub report does not render anymore. This is all in 11g. Can anyone help me with where I am going wrong?
  Regards,
  -Amith.

  A.Y wrote:
  Hello All,
  We are trying to implement the data level security on a BI publisher report that is using BI server as the data source. The filters are created in the RPD based on user login ( session variable USER). From the documentation of BI publisher, I see that you have to enable the option Use Proxy Authentication to pass the user information down to BI publisher from OBIEE when using BI server as the data source to implement row-level security. After checking that option, the BI pub report does not render anymore. This is all in 11g. Can anyone help me with where I am going wrong?
  Regards,
  -Amith.Not sure, if anyone has yet ran into this issue, but the workaround we have implemented is to build a report in OBIEE and use the analysis query as the source for BI Publisher.

• Alternative Data Level Security in OBIEE 11g

  Gurus - Wanted to put it out there if there are alternatives ways of achieving data level security as opposed to going the route of creating blocks that initialize session variables which can be applied onto tables through roles in the RPD? The main reason for asking was to try and prevent performance impact of having a significant number of init blocks running when an user logs into the application.
  Ganesh

  VPD [Virtual Private Database] would be an alternative for this.

• Data level security in OBIEE 11g

  Hi all,
  I am using OBIEE 11g. I have a table called "USER_ACCESS_T" which has four columns user_name,Access_level_name,Access_level_type,status_flag.
  User_Name Access_Level Access_Type Status_Flag
  XX Project ABC Project Group Yes
  YY Project DEF Project sub Group Yes
  ZZ Project GH Project Yes
  My requirement is
  When user XX logs in BI answers, he has to access only Project group ie.., Project ABC.
  When user yy logs in BI answers, he has to access only Project sub group ie.., Project DEF.
  Kindly Guide me.
  Thanks and regards
  Haree
  Edited by: Haree on Dec 23, 2011 11:44 AM

  Hi Haree,
  Please follow the follow steps to restrict users on the project dimension.
  1) Create an init block to populate the list of project a user belongs to. You have to do this row - wise initialized as a user can belong to multiple projects.
  Select 'PROJECT_NUMBER', project_number from w_project_d where UPPER(user_name)=UPPER(':USER');
  2) Now as you have all the project numbers for a particular user in a variable, you can use that to filter on the dimension table.
  3) In the rpd, go to the group/role - Permissions - Select the dimension table project - and put the following filter.
  "Core"."Dim - Project.Project Number" = VALUEOF(NQ_SESSION.PROJECT_NUMBER)
  That's it. Your security is now in place for projects.
  i think this will give you an solution.

• Data Level Security in OBIEE  Enterprise Edition

  HI,
  would like to know how to implement row-level security in OBIEE Enterprise Edition
  Setting up the context right here, considering a hierarchy of an organization that goes up to 4 levels as below:
  VP >Senior manager>Manager>clerk
  Now, the situation is such that a manager should be able to view its subordinates data but not the data of any other team to which he does not have access. And also the manager should view only his regions data.Same goes for other hierarchies in the organization.
  Any pointers in this regards i.e OBIEE ADMIN TOOL: SECURITY AUTHENTICATION THROUGH EXTERNAL DATABASE would be of great help.
  Source system is SIEBEL CRM 7.8
  THanks
  Gutha

  Hi,
  I can help you for Authentication using BI Server.
  For teh same you can use admin tool then manage>security> users and Groups.
  You can create different groups as well as users accrording to you hierarchy and then provide privilages users or groups according to your need like particular user can view the data of particular level.
  When you create users then in the user page you can provide the filter conditions in filter tab and same as in groups.
  Regards
  Tarang Jain

• Object Level Security in OBIEE 11.1.1.5

  Hi All,
  I am trying to implement object level security for certail groups. We have BI Apps 7.9.6.3 implemented in whch obiee 11.1.1.5 is integrated with EBS R12. Users are able to login through diffrent responsiblities to OBIEe. I need insight into how to implement object level security. Below are the steps whihc i have followed but still i am facing strange issues i.e. some users are able to see dashboards which they have no access with view display error. I checked in dashboard permission. They do not have access
  1) Created application roles in OBIEE with the same resposiblity names
  2) Grouped the application roles in diffrent groups. I.e. if application roles a,b,c should have access to dashboard x then i made b and c member of a.
  3) Configured security in manage previleges and catalog for these application roles i.e. i used application role a mentioned in step 2 in manage previleges etc.
  4) Restarted the BI server and presentation servers.
  Are there any other steps which should be followed apart from above mentioned steps. Do i have to make use of groups.
  Regards,
  Sandeep

  Sandeep Saini wrote:
  I checked the inheritance. I did a lot of investigation but it is weird. My purpose of asking the question was to find out if there are any bugs in version 11.1.1.5 otherwise i didn't see any issues.
  There are a couple of bugs related to the issue but I have checked that on 11.1.1.5.5 and its works as expected.
  Bug 13982971 : PERMISSIONS ON WEB CATALOG OBJECTS NOT APPLIED IMMEDIATELY
  In case you see anything like this -> QA:USER WITH NO ACCESS OVER A FOLDER IS ABLE TO RUN ANALYSIS REPORT CONTAINED then [Patch ID 15626966]
  1) I want to check if there are any components i.e. BI server, presentation server or any other service that should be started after creation of application roles. I started only BI server after creating application rolesAny changes made to the Application policies should need a restart of admin and managed server however if you are not creating policies just Roles with similar names OPMN restart should be good to see the changes made.
  2) I made use of application roles throughout in object level security . Is it the correct approach ?Yes that is the right approach to use application roles for defining object level permission settings throught, do not go for catalog groups its makes it nasty to manage. Here is the quote from Sec Guide : " Using catalog groups is not considered a best practice and is available for backward compatibility in upgraded systems."
  3) To check if there are any object level security related bugsThere might be more than once mentioned above since 11.1.1.5 .. I do not trust that version it bites a lot ;)
  And to explain step 2 lets say there are n number of application roles which should have same object level security but diffrent data level security. In that case i made all such application roles member of another application role and configured object level security for that group only. For ex in manage previlege i configured "Access to Answer" for one application group and made other application group member of this group. I hope its clear now .Grouping of Roles with other similar roles is what needs to done to get functionality like catalog groups.However a reference of the 5 basic rules is always a lifesaver : [Rules for Inheritance for Permissions and Privileges|http://docs.oracle.com/cd/E29505_01/bi.1111/e10543/mgrgrpsusers.htm#autoId16]
  Hope this helps.!
  SVS

• How to Migrate Row Level Security Configuration

  Hi Guys,
  Does anybody know how to migrate row level security configuration? I suppose PeopleSoft provided a data mover script, like securityexport.dms.
  Thank you in advance,
  Bob

  Here are two options to achieve what you want.
  A. You can do this by coding, that's if you are ready to. Are you? If yes then try the steps below:
  1. create a security codes table. Say for example
  001 - company a
  002 - company b
  2. create a security table that will list all users and which company they should have access to. You can also implement this by roles.
  3. alter all tables in the application schema to add a security code column. This will be a foreign key reference to table created in 1 above.
  4. update all data in the tables according to which company they belong to.
  5. write a procedure or package that does a validity check whenever a user requests for data. This procedure/package determines which company data the user has access/rights to.
  With this, you should be able to achieve what you want if you do not want to spend on VPD and FGAC. The problem comes where there are users who would have cross access to data from both companies. In this regard, then you have to modify your security table a little bit to handle this.
  B. This option i will admit is not so clean. You can also achieve this by two different views for every table in the application schema. And on each of these views, create a private synonym for every user. For illustration purposes:
  Table name = Employee.
  Create a view employee_a on employee
  create a view employee_b on employee
  Let's say you have users x and y. X has access to employees of company a and y has access to employees of company b. You can now create private synonyms for each of these users as follows:
  create synonym employee on employee_a in x schema.
  create synonym employee on employee_b on y schema.
  This i have not tried but believe should work.
  Hope one of these options serve your purpose.

• How to implement data level security

  How to implement data level security in BI Publihser?. I am using Obiee enterprise edition and bi publihser. My requirement is to show data based on User- Region relation ship.
  User A - belongs to Eastern Region
  User B - belongs to Southern Region
  so if user A logged in he should see only Eastern Region report. If user B logged in He should see only Southern region. I am using direct sql to my oralce database as data source.
  i appriciate your help

  I am using a common database username and password for jdbc connection. what i am looking is based the BI Publihser login, is there any way?
  say i have userregion table joined with fact. so that i can write a query to get the data
  select c1,c2,c3
  from userregion, fact
  where fact.region=userregion.region
  and userregion.user = BIPUBLIHSERUSER
  but my question is ithere any variable to tell who is logged in BI Publisher? Any server varaibles?
  Other related question is, In every report i want to show User name who is running the report. How can i get this?

• How to implement row level security?

  Hi all,
  There is a database which is for 3 companies to use it and how to use row level security to make sure that they can only manipluate their own data? For example, "employee" table, for each company they just can see their own employees information. How to use dynamic view to do it?
  Many Thanks
  Amy

  Here are two options to achieve what you want.
  A. You can do this by coding, that's if you are ready to. Are you? If yes then try the steps below:
  1. create a security codes table. Say for example
  001 - company a
  002 - company b
  2. create a security table that will list all users and which company they should have access to. You can also implement this by roles.
  3. alter all tables in the application schema to add a security code column. This will be a foreign key reference to table created in 1 above.
  4. update all data in the tables according to which company they belong to.
  5. write a procedure or package that does a validity check whenever a user requests for data. This procedure/package determines which company data the user has access/rights to.
  With this, you should be able to achieve what you want if you do not want to spend on VPD and FGAC. The problem comes where there are users who would have cross access to data from both companies. In this regard, then you have to modify your security table a little bit to handle this.
  B. This option i will admit is not so clean. You can also achieve this by two different views for every table in the application schema. And on each of these views, create a private synonym for every user. For illustration purposes:
  Table name = Employee.
  Create a view employee_a on employee
  create a view employee_b on employee
  Let's say you have users x and y. X has access to employees of company a and y has access to employees of company b. You can now create private synonyms for each of these users as follows:
  create synonym employee on employee_a in x schema.
  create synonym employee on employee_b on y schema.
  This i have not tried but believe should work.
  Hope one of these options serve your purpose.

• Row Level Security in OBIEE using OID as authentication Mechanism

  Hi OBIEE Gurus,
  I am trying to implement Row Level Security in OBIEE . Currently I have setup OBIEE to have OID do the user authentication.
  I want to implement RLS by doing the following :
  1. Have Security Groups defined in OID and assign users with group membership.
  2. Import these Security Groups into OBIEE metadata
  3. Apply filters to these Security Groups
  4. Run Answers requests to see if RLS works or not
  Please let me know if this approach works. If this is not the right way or most efficient way to do this, please let me know if there is any document I can follow to accomplish this.
  Appreciate your help.
  Edited by: drakesh on Sep 26, 2008 7:09 AM

  Follow the steps in the following link to set up OID and Row level security:
  http://www.rittmanmead.com/2007/05/21/using-initialization-blocks-with-ldap-and-database-queries-to-control-authentication-and-authorization/
  Instructions for the link above:
  1.In place of Edit Data Source as database you have to select LDAP,define the groups and default initializer as filter expression.
  2.A more simpler approach ,is to create the groups explicitely using the Security Manager in BI Administrator, add filters to those groups, and assign users to those groups.
  Otherwise follow Matt's view
  Thanks,
  Amrita

• How to Calculate Leap Year ago in OBIEE 11g

  Hi Gurus,
  I have one fact table and having one measure column. I have to calculate current year and Last year.
  Using Time series function (Todate,Ago) have calculated current year as well last year also.
  The problem is Current year is showing correct value only but Last year was showing wrong data.
  We found the problem is Leap year, last year FEB month is having 29 dates. Due to this we are getting wrong date.
  Kindly suggest me how to achieve this requirement.
  Thanks

  Hi Gurus,
  How to resolve Leap Year calculation in OBIEE 11g.
  The problems is Year Ago column.
  Please suggest me how to resolve this.
  Thanks