How To Setup User Row Level Security In Answers From Values In Table

I am trying to setup row level security when a user logs into BI Answers. Basically I want the user to create any report that they would like but only see the data that they are associated to being retrieved in the Answer Report results. I have users stored in an Oracle authentication table where they have multiple values for schools that they can view. I have data in my RPD file that contain tables with multiple rows for schools. What I would like is to capture the associated school values for the user logged into BI Answers and place a filter on the data being retrieved in the RPD file to only show rows for the user's associated schools. Can I add a WHERE clause on the Business Model and Mapping layer of the RPD that would retrieve the multiple associated schools in my authentication table and filter/match them (IN clause maybe) to the school values in the RPD data being retrieved?
Thank you in advance for any information you my have to help me along,
Kyle

Turribeach,
I appologize, I did not use those exact words to search on in the forum. I should have and what I did use didn't turn anything up for my situation.
Thank you for the link. It helped me find the below link which describes the setup in detail and resolved my issue:
http://oraclebizint.wordpress.com/2008/06/30/oracle-bi-ee-1013332-row-level-security-and-row-wise-intialized-session-variables/
What I needed was a row-wise variable/initialization block that stored the multiple school values for my logged in user. I then edited the "Content" tab of the Logical Table Source with a WHERE/IN clause that filtered down the result set based on my variable/initialization block SQL query.
This solution works great!
Thanks again!

Similar Messages

  • How to check the row level security in TOAD for oracle

    Hi ,
    for ex, i have 2 types of users
    normal user and super user
    super user can see the group set (some column name) created by normal user
    but normal user can not see the set created by super user
    this set crestion aslso has 3 types "U','P',S'
    P & S can be viewed by even normal user
    but U should not
    so here we are having some row level security for the normal user .....
    So, in TOAD for oracle how to check that......
    Let me know if i'm not clear

    Like
    I'm the super user....
    And some records are inserted to a table by different users ('a' , 'b', etc....)
    So,if user 'a' logins then he can be able to see only the records inserted by 'a' only...
    how to see in TOAD where such type of scripts (filter conditions) are written.....

  • How to implement Bursting(Row level security) in Xcelsius

    Hi,
    We are using Xcelsius 2008. We have created xcelsius dashboard using Qaaws but for authentication in qaaws we are suing enterprise authentication and default user.
    Now in my dashboard i have one combo box wich gives data fro diffrent states, now i need to restrict the user to see the state values. I implement the row level security in universe, when i create webi report and view that reprot in infoview, the row level security works. But when i publish the dashboard to infoview the row level security doesn't work.
    We are uisng XO 3.1 with SSO on IIS. So how and what are the diffrent option available to implement the row level security in Xcelsius Dashboard.
    Thanks for the help in advance.
    Thanks,
    Nimesh.

    Nimesh,
    Were you able to implement ? I have a requirement to use the same dashboard for 5 regional users.
    Row level security works.
    combo box intial value is Global , when I login as North America user, combo still shows Global but it will have the value of North America.
    i am curious to know how you implemeted this?
    Thanks
    Pushpa

  • Row-level Security Filters applied to Columns and Tables only? no Areas?

    Good day all,
    Just quick question (obiee 10.3.3.2) - Is there a way to edit row-level security using Whole subject areas (instead of bringing in the individual Fact tables and applying filters by copying/pasting them).
    Follow up question - if I have nested facts in presentation layer (ones preceding with "-" - do I specifically add them to conditions, or would they be inherited by only including parent fact)?
    Thanks!
    Message was edited by:
    wildmight

    I'm not sure how that would help; by using the Faculty_ID Session Variable I can identify the CRN and Term of all courses a faculty member is teaching. But I don't think that has to do with the problem I am having?

  • Row Level Security Not working for the ECC table.

    Hi All,
    We have created a crystal report using SQL Driver.
    We have set the row level security on PA0001 table so that we can restrict the query based on Company Code.
    But when I run the report, it bypasses the row level security and gives access.
    Am I missing some configuration?

    Hi Ingo,
    Security is set up using /crystal/rls transaction. A custom auth object is used for checking the company code with a single field "BUKRS".
    This custom auth object is maintained for the PA0001 table.
    This object is added at the role level with the restricted access to the Company Code..

  • How to embed user credentials in Secured Web Service from OBIEE 11gFMW?

    I am trying to invoke a webservice that I successfully exposed as a WSDL Web Service using EBS Integrated SOA Gateway. I am using OBIEE 11g Action Framework which uses WebLogic.
    Here are the steps I completed:
    - I exposed a WSDL web service in EBS R12 via Integrated SOA Gateway
    - I granted the access to this service in EBS R12 to user SYSADMIN
    - I used OBIEE 11g to make a Action to call the Web service (using Action Framework) by searching for the WSDL
    - When I try to execute the action: I get the error:
    Action could not be invoked.
    ServiceExecutionFailure :
    Error invoking web service HR_PHONE_API_Service at endpoint http://ip-10-87-33-3.ec2.internal:8000/webservices/SOAProvider/plsql/hr_phone_api/ Missing <wsse:Security> in SOAP Header
    PROBLEM: I am unsure how to add the credentials for SYSADMIN user and password to add the SOAP username/pwd to the outgoing call. According to the documentation in the Integrators guide, FMW Security guide, and Web Logic guides..seems we have to configure the SOAP call to have the proper credentials. The documentation is not very clear on exactly how to do this. I tried to set up the credential store and an account in ActionFrameWorkConfig.xml but I am still missing something. I am logged into OBIEE as biadmin and I am trying to call a webservie in EBS that is granted to SYSADMIN/sysadmin user. Pls advise.

    I am trying to invoke a webservice that I successfully exposed as a WSDL Web Service using EBS Integrated SOA Gateway. I am using OBIEE 11g Action Framework which uses WebLogic.
    Here are the steps I completed:
    - I exposed a WSDL web service in EBS R12 via Integrated SOA Gateway
    - I granted the access to this service in EBS R12 to user SYSADMIN
    - I used OBIEE 11g to make a Action to call the Web service (using Action Framework) by searching for the WSDL
    - When I try to execute the action: I get the error:
    Action could not be invoked.
    ServiceExecutionFailure :
    Error invoking web service HR_PHONE_API_Service at endpoint http://ip-10-87-33-3.ec2.internal:8000/webservices/SOAProvider/plsql/hr_phone_api/ Missing <wsse:Security> in SOAP Header
    PROBLEM: I am unsure how to add the credentials for SYSADMIN user and password to add the SOAP username/pwd to the outgoing call. According to the documentation in the Integrators guide, FMW Security guide, and Web Logic guides..seems we have to configure the SOAP call to have the proper credentials. The documentation is not very clear on exactly how to do this. I tried to set up the credential store and an account in ActionFrameWorkConfig.xml but I am still missing something. I am logged into OBIEE as biadmin and I am trying to call a webservie in EBS that is granted to SYSADMIN/sysadmin user. Pls advise.

  • SAP-BO SSO and Row Level Security

    Hi,
    We can configure the SAP authentication and able to login InfoView via SAP user name and password. And also, we can import the roles from the SAP system.
    When we create a connection to BW cubes from designer, we want to use "Use Single Sign On when refreshing reports at view time" to apply row-level security which is defined at the BW cubes.
    In our tests, we use "Use BusinessObjects credential mapping" while creating connection from designer to test the row level security. As you can guess, after importing the SAP user, in CMC screen > Users and Groups > Users, we manually enter the password of the user to the Database credentials part. However, as you can guess, the password of the user's is not static and that is not a good solution.
    My question is that, do I need to configure SSO between SAP and BO system or how can I enable row level security?
    System Information
    Business Objects XI 3.1
    SAP Intg. Kit 3.1
    Thanks a lot,
    Omer

    Hi Omer,
    please note that only row-level security implemented through authorization variables in BW queries can be used in BusinessObjects. Row-level security defined at cube level will not be applied.
    As long as you have used the SAP authentication to log on your BOBJ server, the SAP credentials will be used automatically to get the data from your SAP BW source as long as the "Use Single Sign On when refreshing reports at view time" option  is selected in the Database configuration panel (Found in the CMC when viewing the properties of your report) and the option "Use BusinessObjects credential mapping" is selected in your universe connection.
    Please note that this will only work for reports that are invoked directly in the infoview. If a user schedules such a report, she/he has to enter her/his SAP credentials explicitely in the Database Configuration Panel appearing in the scheduling assistant window. In this case you can activate SNC trust between your two servers in order to avoid entering a password when the report is scheduled.
    Regards,
    Stratos
    Edited by: Efstratios Karaivazoglou on May 5, 2009 10:16 AM
    Edited by: Efstratios Karaivazoglou on May 5, 2009 10:23 AM

  • Suggestion required for using row level security

    We have a scenario to provide row level security to some of the transaction tables like HR_EMPLOYEE which has a foreign key column DEPT_ID to HR_DEPARTMENTS table. This table may grow up to about 5 million records. There could be regular SELECT operations on this table and not so frequent UPDATES compared to the SELECT operation.
    We were looking at the following approaches...
    Table :
    HR_EMPLOYEE
         EMPNO
         DEPT_ID
         LAST_NAME
         FIRST_NAME
    1. Enable Oracle Label Security policy on this table and use static predicates.
    In this approach we add the OLS policy column (POLICY_COLUMN) and add predicate to access data.
    e.g. we will be giving access to global data by predicate like
    OR POLICY_COLUMN =CHAR_TO_LABEL('POLICY_NAME','C::DEPT1')
    where C::DEPT is the OLS Label
    2. Using VPD policy. We donot add any column, instead use the existing column DEPT_ID to provide row label security. In this approach the DEPT_ID is to be compared against an additional table and DOMINATES function will be used to verify the permission for the user to access the data.
    e.g. In this approach, the policy function is like
    'DOMINATES(char_to_label(''POLICY_NAME'', SA_SESSION.LABEL(''POLICY_NAME''))
    ,char_to_label(''POLICY_NAME'', POLICY_PKG.GET_LABEL_FROM_DEPTID(DEPT_ID))) = 1'
    The GET_LABEL_FROM_DEPTID function returns the OLS label for the corresponding department. This is compared with the user's session label and appropriate rows are given access.
    Can someone suggest on which of the above approaches is more performance effective considering the number of records and the additional OLS column added to the table.

    Hi there,
    would you be able to describe as detailed as possible what you want to achieve? From my first glimpse at your code, it seems as if you are using both OLS and VPD in a rather extraordinary way.
    Best, Peter

  • How to implement row level security?

    Hi all,
    There is a database which is for 3 companies to use it and how to use row level security to make sure that they can only manipluate their own data? For example, "employee" table, for each company they just can see their own employees information. How to use dynamic view to do it?
    Many Thanks
    Amy

    Here are two options to achieve what you want.
    A. You can do this by coding, that's if you are ready to. Are you? If yes then try the steps below:
    1. create a security codes table. Say for example
    001 - company a
    002 - company b
    2. create a security table that will list all users and which company they should have access to. You can also implement this by roles.
    3. alter all tables in the application schema to add a security code column. This will be a foreign key reference to table created in 1 above.
    4. update all data in the tables according to which company they belong to.
    5. write a procedure or package that does a validity check whenever a user requests for data. This procedure/package determines which company data the user has access/rights to.
    With this, you should be able to achieve what you want if you do not want to spend on VPD and FGAC. The problem comes where there are users who would have cross access to data from both companies. In this regard, then you have to modify your security table a little bit to handle this.
    B. This option i will admit is not so clean. You can also achieve this by two different views for every table in the application schema. And on each of these views, create a private synonym for every user. For illustration purposes:
    Table name = Employee.
    Create a view employee_a on employee
    create a view employee_b on employee
    Let's say you have users x and y. X has access to employees of company a and y has access to employees of company b. You can now create private synonyms for each of these users as follows:
    create synonym employee on employee_a in x schema.
    create synonym employee on employee_b on y schema.
    This i have not tried but believe should work.
    Hope one of these options serve your purpose.

  • How to implement row level security using external tables

    Hi All Gurus/ Masters,
    I want to implement row level security using external tables, as I'm not sure how to implement that. and I'm aware of using it by RPD level authentication.
    I can use a filter condition in my user level so that he can access his data only.
    But when i have 4 tables in external tables
    users
    groups
    usergroups
    webgrups
    Then in which table I need to give the filter conditions..
    Pl let me know this ...

    You pull the Group into a repository variable using a session variable init block, then reference that variable in the data filters either in the LTS directly or in the security management as Filters. You reference it with the syntax VALUEOF("NQ_SESSION.Variable Name")
    Hope this helps

  • How to set up row-level data security in BO XI r2

    I need to get Data/Row level security into my BO XI r2 report.
    A logged in user should be able to view info on pertaining to him without refreshing it.
    how do i incorporate this feature into my report?
    its possible to do this by setting a filter using the currentuser() function.
    however it requires a refresh of the report.
    hence the new user shall be able to view the data of the previous user. i need to enforce more security on the data. How do i do this???

    Hi Anamika, here is a sample of what the cv_security view might look like:
    create or replace view cv_security
    as
    select distinct sec."gid", sec."uid", sec."from", sec."to"
    from
    -- All users where NO LIMITS APPLY (sg.group = 1)
    (select distinct
    sg.group_id as "gid",
    sg.user as "uid",
    '----' as "from",
    'ZZZZ' as "to"
    from dual sr, sec_groups sg, sec_users su
    where su.user(+) = sg.user
    and su.status = 1
    and sg.coding = 'GL'
    and sg.group = 1
    union all
    --All users with specified sec_ranges
    select distinct
    sg.group_id as "gid",
    sg.user as "uid",
    case when sr.from is NULL
    then ' '
    else sr.from
    end as "from",
    case when sr.to is NULL
    then ' '
    else sr.to
    end as "to"
    from sec_ranges sr, sec_groups sg. sec_users su
    where su.user(+) = sg.user
    and su.status = 1
    and sg.coding = 'GL'
    and sg.group_id(+) = sr.group_id) sec
    grant select on cv_security to ROLENAME
    Notes about cv_security:
    1) For those users with NO LIMITS APPLY (i.e. Admin staff) hard code an absolute range of RC codes from '----' to 'ZZZZ' to ensure you trap all possible alpha-numeric values.
    2) For those users with NO LIMITS APPLY (i.e. Admin staff) substitute the sec_ranges table with dual
    3) su.status = 1 to a filter to report on only active users
    4) sg.coding = 'GL' is assessing the General Ledger coding dimension of the multi-dimensioned security matrix of our Financial system (this may not apply to you)
    Responses to your questions:
    Q- Does it involve self join between view cv_secured_detail? A- Yes, the 1:N cardinality is a self join between view cv_secured_detail and itself.
    Q- What is the difference between steps 3) and a) below it. A- Step 3a) is simply the act of importing the cv_secured_detail Oracle View as a BO Universe Class, with it's columns known to the BO Universe as Objects
    Q- Can the tables from which report data is fetched be included in the Universe? or should they be part of cv_secured_detail view.
    A- I'm not sure if I understand your question, but I might phrase it another way - Once you create the cv_secured_detail view, and the Universe from this view, with the user = 'BOUSER' limiter. The universe is then used to design the CR, by virtue of it belonging to the CMS Repository, you as the report designer have to log into the CMS repository using your LDAP credentials, if a match is found against the cv_security view your data is automatically row-level secured. In outher words, whatever is declared in the view, is in the universe, and is ultimately available to the report.
    Does this help?
    Bill.

  • How to Migrate Row Level Security Configuration

    Hi Guys,
    Does anybody know how to migrate row level security configuration? I suppose PeopleSoft provided a data mover script, like securityexport.dms.
    Thank you in advance,
    Bob

    Here are two options to achieve what you want.
    A. You can do this by coding, that's if you are ready to. Are you? If yes then try the steps below:
    1. create a security codes table. Say for example
    001 - company a
    002 - company b
    2. create a security table that will list all users and which company they should have access to. You can also implement this by roles.
    3. alter all tables in the application schema to add a security code column. This will be a foreign key reference to table created in 1 above.
    4. update all data in the tables according to which company they belong to.
    5. write a procedure or package that does a validity check whenever a user requests for data. This procedure/package determines which company data the user has access/rights to.
    With this, you should be able to achieve what you want if you do not want to spend on VPD and FGAC. The problem comes where there are users who would have cross access to data from both companies. In this regard, then you have to modify your security table a little bit to handle this.
    B. This option i will admit is not so clean. You can also achieve this by two different views for every table in the application schema. And on each of these views, create a private synonym for every user. For illustration purposes:
    Table name = Employee.
    Create a view employee_a on employee
    create a view employee_b on employee
    Let's say you have users x and y. X has access to employees of company a and y has access to employees of company b. You can now create private synonyms for each of these users as follows:
    create synonym employee on employee_a in x schema.
    create synonym employee on employee_b on y schema.
    This i have not tried but believe should work.
    Hope one of these options serve your purpose.

  • How to apply row level security against the database administrator

    I would like an advice in applying row level security against the database administrator. We need to prevent DBA from editing data in some table rows or have any indication that data was corrupted.
    There is no problem in viewing the data so we considered one way hash function or digital signature which will be stored in the same table, but we see following disadvantages:
    HASH - DBA may use the same hash function to update the stored data after he changes the sensitive row.
    Digital signature - the is a need to manage and keep the private key in a safe place outside of DB
    Is there additional ways to achieve the aim?

    Does VPD helps to prevent from DBA to edit/view a data in specific rows?Yes.
    If I correctly understand, DBA has full access to security policy used by VPD to control the access and can grant himself privileges that I don't want.You can to define which users can be exempt of the politics, for the context or by Grant EXEMPT.
    This includes DBAs.
    The simple fact of being DBA doesn't guarantee the exemption.
    Everything goes to depend of the VPD config.

  • How To Apply Row level security ??

    Hi all,
    I want to apply row level security on one of my custom objects created in PO schema in R12. How to do that??
    Thanks and Regards
    Raj

    Thank You Gaurav
    --Raj                                                                                                                                                                                                                                       

  • Row-level security tied to a user account.

    Bear with me, I'm not quite sure I know what I'm talking about.
    Recently we migrated from BO 5.1.7 to BO XII r2 on Solaris. Under Bo 5.1.7 our Finance users tell me there was a way to attach row level security to the account itself. For example, Finance users could only access RU's which belonged to Finance. This there a way to recreate this global security level so that we don't have to do it on a case-by-case basis?
    Thank you in advance.

    You can specify row-level security for a User or UserGroup on a Universe via the Universe Designer in Tools -> Manage Security
    But that would be per Universe, and not global to Enterprise.
    Sincerely,
    Ted Ueda

Maybe you are looking for