IDoc Filtering at data level

Similar Messages

• Data Level Security In OBIEE 11g based on the filters setup in RPD

  Hello All,
  We are trying to implement the data level security on a BI publisher report that is using BI server as the data source. The filters are created in the RPD based on user login ( session variable USER). From the documentation of BI publisher, I see that you have to enable the option Use Proxy Authentication to pass the user information down to BI publisher from OBIEE when using BI server as the data source to implement row-level security. After checking that option, the BI pub report does not render anymore. This is all in 11g. Can anyone help me with where I am going wrong?
  Regards,
  -Amith.

  A.Y wrote:
  Hello All,
  We are trying to implement the data level security on a BI publisher report that is using BI server as the data source. The filters are created in the RPD based on user login ( session variable USER). From the documentation of BI publisher, I see that you have to enable the option Use Proxy Authentication to pass the user information down to BI publisher from OBIEE when using BI server as the data source to implement row-level security. After checking that option, the BI pub report does not render anymore. This is all in 11g. Can anyone help me with where I am going wrong?
  Regards,
  -Amith.Not sure, if anyone has yet ran into this issue, but the workaround we have implemented is to build a report in OBIEE and use the analysis query as the source for BI Publisher.

• OBIEE Data level security - OR condition among multiple filters

  Hi All,
  we have an requirement in OBIEE 11.1.1.5 to apply data level security based on mutiple dimension ( for example: Product, Geography and Customer). we have implemented by creating 3 groups one for each dimension,
  added appropriate filters for each group and applied on presentation layer. But when we see the query generated by OBIEE server all filters are getting applied with OR condition instead of AND.
  Could someone explain why this is happening so.. is this the actual behaviour of OBIEE or am i doing something wrong !!!!
  Example of the conditions added is
  Select * from table
  where Country='XYZ' OR Customer ='ABC' OR Product='123'
  Expected behavior is
  Select * from table
  where Country='XYZ' AND Customer ='ABC' AND Product='123'
  Thanks in advance..!
  Thanks & Regards
  Subhakar Parigi

  Hi,
  Any suggestion would be helpful.
  Regards,
  Subhakar P

• Dynamic filtering, data level security

  In order to enforce data level security we would like to do the following:
  1. Send a user identification parameter through a URL that calls a BAM report.
  2. According to this parameter retrieve from a dedicated data object the list of organization units for which the user has privileges.
  3. Filter the data displayed in the report according to the values retrieved in (2).
  Any ideas how to implement this.
  TX in advance ,
  Alon

  Hello Alon- Looks like you are doing some advanced stuff and interesting security handling.
  Well - all the 3 points you mentioned are built-in the product ready to use. I have built a sample on this (yet to be published on OTN). This feature is called row level security, you can see the architect dataobject security documentation. In short -to acheive this-
  1. build a security object called mySecurity with example 2 fields, username & orgunit.
  2. populate this security object, username should be of format DomainName/UserName.
  3. There can be multiple rows containing same usernames, to emphasis (model) multiple orgunit access.
  4. In your main dataobject, add additional column called orgunit and populate it.
  5. In your main dataobject, add security filter with security object mySecurity
  6. Run the report- during runtime, it will prompt for username/passwd, after authentication, it will use the 'username' logged in along with security filter object, and the report will ONLY display data for which this user has access.
  Hope this addresses your question.

• How do I query a SharePoint List using a url and filtering on date?

  I am reading a SharePoint list using jquery.  Everything is working fine
  except for the filter.  Each list item has an expiration date.  I want to retrieve JUST the items that have not expired (Expires > Today) but I can't figure out the url syntax and I've been searching all day for an example and
  can't find one.  Could someone please help?!?  See bold code below.
  Thanks,
  Glen
  $(document).ready(function ()
  <strong>var qryWCFUrl = "/sites/MMTP1/_vti_bin/listdata.svc/MMAlerts?$filter=(Expires gt '08/10/2011')&$orderby=Title";
  </strong> $.getJSON(qryWCFUrl, function (results)
  $.each(results.d.results, function (i, mmAlert)
  itemID = mmAlert.Id;
  mmTitle = mmAlert.Title;
  mmClass = mmAlert.ClassValue;
  //alert("Item="+itemID+" Title="+mmTitle+" Class="+mmClass);
  AddMMStatus(mmAlert.Id,mmAlert.Title,mmAlert.ClassValue);

  Fadi,
  Thanks for your response.  I actually have another version of the code that uses the SP client objects that works.  The problem is site boundries.  Let me give a more complete project explanation.
  I am creating a master page for a new intranet.  As part of this master page, I want to read from an SP list of alerts and post each alert (if not expired) in the SP status bar.  I've gotten this to work with SP client objects and jquery (except
  for the date filter part).  Both of these solutions work fine on the top site level.  BUT when trying it out at the sub-site level, the SP client objects version of my code fails. The jQuery version works except the date filtering.
  I looked at the example from your link and it looks like a bit of a hybrid to my approaches:  JQuery with CAML.  My question is; does this example permit me to access a list in the top-level site from the subsites?  Please excuse my ignorance,
  but I am an EXTREME newbie in this having spent the past 8 years as a VB.Net developer and a little bit of ASP.Net.
  Below are the two different versions of my code in different versions of my master page definition:
  SP Client Object Version
  <script type="text/javascript">
  // <![CDATA[
  ExecuteOrDelayUntilScriptLoaded(LoadAlerts, "sp.js");
  var ctx;
  var currAlerts;
  function LoadAlerts() {
  ctx = new SP.ClientContext.get_current();
  list = ctx.get_web().get_lists('/sites/MMTP1/Lists/').getByTitle('MMAlerts');
  var cmlQry = new SP.CamlQuery();
  var camlExp = '<query><Query><Where><Gt><FieldRef Name="Expires" /><Value IncludeTimeValue="FALSE" Type="DateTime"><Today /></Value></Gt></Where></Query></query>';
  cmlQry.set_viewXml(camlExp);
  currAlerts = list.getItems(cmlQry);
  ctx.load(currAlerts,'Include(ID,Title,Class)');
  ctx.executeQueryAsync(GetAlertsSuccess,GetAlertsFailed);
  function GetAlertsSuccess() {
  var lstEnum = currAlerts.getEnumerator();
  while(lstEnum.moveNext()) {
  var mmAlert = lstEnum.get_current();
  AddMMStatus(mmAlert.get_item('ID'),mmAlert.get_item('Title'),mmAlert.get_item('Class'));
  function GetAlertsFailed(sender,args) {
  alert('Alerts load failed: ' + args.tostring);
  function AddMMStatus(msgID, strTitle, strClass) {
  var statID;
  var statClass;
  var statTitle;
  statClass = "<a href=\"#\" onclick=\"javascript:DisplayAlert("+msgID+");\">" + strClass + ": </a>";
  statTitle = "<a href=\"#\" onclick=\"javascript:DisplayAlert("+msgID+");\">" + strTitle + "</a>";
  statID = SP.UI.Status.addStatus(statClass, statTitle, true);
  SP.UI.Status.setStatusPriColor(statID,"red");
  function DisplayAlert(msgID) {
  var options = {
  title: "Miller & Martin Alert!",
  url: "/sites/MMTP1/SitePages/ShowAlert02.aspx?ID="+msgID,
  allowMaximize: false,
  showClose: true
  SP.UI.ModalDialog.showModalDialog(options);
  // ]]>
  </script>
  JQuery Version (works except for filtering by date)
  <script type="text/javascript" src="http://ajax.googleapis.com/ajax/libs/jquery/1.3.2/jquery.min.js"></script>
  <script type="text/javascript" >
  // <![CDATA[
  var itemID;
  var mmTitle;
  var mmClass;
  $(document).ready(function ()
  var qryWCFUrl = "/sites/MMTP1/_vti_bin/listdata.svc/MMAlerts?$filter=(Expires gt '08/10/2011')&$orderby=Title";
  $.getJSON(qryWCFUrl, function (results)
  $.each(results.d.results, function (i, mmAlert)
  itemID = mmAlert.Id;
  mmTitle = mmAlert.Title;
  mmClass = mmAlert.ClassValue;
  AddMMStatus(mmAlert.Id,mmAlert.Title,mmAlert.ClassValue);
  function AddMMStatus(msgID, strTitle, strClass, strSeverity) {
  var statID;
  var statClass;
  var statTitle;
  statClass = "<div id=\"mmAlertTitle\" style=\"display:inline-block;\"><a href=\"#\" onclick=\"javascript:DisplayAlert("+msgID+");\">" + strClass + ": </a></div>";
  statTitle = "<div id=\"mmAlertDetail\" style=\"display:inline-block;\"><a href=\"#\" onclick=\"javascript:DisplayAlert("+msgID+");\">" + strTitle + "</a></div>";
  statID = SP.UI.Status.addStatus(statClass, statTitle, true);
  SP.UI.Status.setStatusPriColor(statID,"green");
  function DisplayAlert(msgID) {
  var options = {
  title: "Miller & Martin Alert!",
  url: "/sites/MMTP1/SitePages/ShowAlert02.aspx?ID="+msgID,
  allowMaximize: false,
  showClose: true
  SP.UI.ModalDialog.showModalDialog(options);
  // ]]>
  </script>

• Data level Security in Essbase

  I have an requirement to implement data level security in Essbase. For ex: A user can only see those data which are from Asia region or an user will be able to see those data which are from America.
  Asia and America are defined in my location dimension.
  Please tell me how to do it?
  Regards,
  Suman

  to make your security maintenance easier, I would suggest putting the users into groups and assigning the filters to the group. If you do it at the indivual level, the user can only have one filter assigned to them, but each group could have a different filter. So for someone who should see Americas and Asia have a group calle America and one called asia. put the user into both groups and assign the america filter to the first group and asia filter to the second group

• Access Control Mechanism (data level security) not working properly

  Hi Experts,
  I have done datalevel security for groups by help of a database table. This table contains UserId, Dept. code, GroupName column. UserID are verified by LDAP server during logging into Dashboard. I have made two init blocks for GroupName and Dept.Code .
  Query is :
  SELECT 'Group', GroupName from TABLE
  Where
  UserId = ':USER'
  Similiar query is for Dept Code.
  There are two groups ; 1. CC_User 2. Full_User. I have applied filter in PERMISSIONS for CC_User on Fact table on Dept Code. So, user in this group may see data for Dept Code aligned to him in the table. All_User may see whole data for All Dept Codes as NO filter is applied on this group.
  Dept Code , UserId and GroupName are Varchar.
  Now problem is this when a user have membership of one group , it works fine. For CC_user it shows data for its Dept Code and All_user may see whole data.
  But When A user have permission of both the groups , only data related to CC_User group is visible. But, in my view , maximum permmision out of the both groups must be applied to the user if he belongs to more than one group.
  So , here , he must see whole data, as All_user group can see full data.
  Does least restrictive permmission happens in case of membership of more than one group in OBIEE.

  848839 wrote:
  Does least restrictive permmission happens in case of membership of more than one group in OBIEE.Indeed it does. The most restrictive filters get applied if a user belongs to multiple groups that have filters at various levels of data because its always an AND clause in the where condition. This is the sort of behavior in various tools I have seen apart from OBIEE.
  Hope this helps.
  Regards,
  -Amith.

• Group Level Data Level Security not working

  I'm trying to test the data level security at the group level.
  Here's what I did
  1. Went to the security -> Groups -> Permissions -> Filters
  2. In Name added the Fact table on which I want to filter.
  3. Selected "Enable"
  4. In Filter Column I added a filter on a column in the dimension. (I didn't use any session variables in the filter)
  When I create an answers query with the column from the dimension (Which I used in filter) and fact from the fact table where I defined the filter, the filter is not applied..
  Am I missing something in the creation of filters?
  Thanks in Advance.
  Rama.

  Hi,
  If the user is member of both user defined and Administrator group no filter will be applied to them because Administrator group will take precedence and no filter can be applied to Administrator.Even if you ooen Administrator group, you will see that permission tab is disabled for Administrator group.
  Hope this helps.
  Regards,
  Sandeep

• Data level security in OBIEE

  We have implemented data level security by applying filters on groups in Obiee Administration tool. Here we have set filter on division(which is a column in Customer table). This is done so that user can see data for division for which he has access.
  When user creates report which consists of division column filter is working fine. E.g. if user1 has access to division1
  and when user1 cretes a report for (customerName,division,sales columns) he can see sales of customers belong to division1. But if user1 cretes report which does not contain division column e.g.(customerName,sales columns report) he can see all the customers sales data. How can we aoide that. We want User1 to see division1's data only irrespective whether division column is there in report or not.
  Can any one suggest what should be done to achive this.
  Thanks,
  Avdhut

  Hi friend,
  You need to create group of users and then apply filters over that groups.
  you should establish an additional filter for group1 (user1 belongs to group1 in your example). Follow next steps:
  - Manage -> Security...
  - Groups -> click right group1 and select propierties.
  - Select button 'Permissions...'
  - Select tab 'Filters' -> add new filter.
  - On the column name select the metric you need filter, in your example, customer sales. On the column 'Business model filter' put table.division=division1
  I hope this can help you.
  Good luck.

• How to do data level security on users based on region

  Hello guys
  I currently have created a report with dashboard prompt on column "state" with a default value "CA"
  Now, the requirement is to perform data level security on this report, so different users based out of different state will log in to the dashboard and this prompt will change its default value accordingly so the user will have the report on only users home state prompted, and users can't see other state data..
  I have thought of creating session variables to achieve the same, but how should i set up the initialization string?
  Do I need to create a new table called "user table" that stores username/password and state columns and make that user table join to the fact table in the db?
  If so, how should I configure the session value so that users get filtered date based on its state location?
  PLease provide guidance
  Thanks

  Here’s an idea off the top of my head (untested):
  First, set up your security constraints normally using Manage…Security in the Administration Tool, so that each user can only see his/her state. Refer to the previous responses to this post for guidelines.
  Then, in your dashboard prompt, for the “Default Value”, write a tiny bit of logical SQL to query the “state” column from the presentation layer. If your security constraints are properly in place, the SQL should only return one value.
  To get an idea of what the logical SQL should look like, select “All Values” as the default value, then switch it to ‘SQL Results’. That will show you the basic format of the logical SQL. It’s really just normal SQL (select <this> from <that> where <the other>), but referring to presentation layer objects rather than to physical tables and columns.
  Untested. Please reply back and let us know how it goes.

• Data level Security for Oracle Apps as Source

  Hi all
  I need to implement Data level Security on Apps Users in OBIA
  We are using Apps as source with Single sign On. I need to apply Data level security on Business Group Field.
  We dont have users in OBI, we need to register apps users in OBI.
  Could anybody tell me how to register Apps users in OBI???
  OR tell me if you know some other way to implement D L Sec on Single sing On and Apps as source.
  Thanks in avd
  V P

  You need to be creating your "business groups" as a group in the RPD, init blocks to retrieve the user business group at login. Filters in the Logical table sources to restrict data to relevant business groups only.
  Presentation 'Web Cat' groups with the same name as the RPD groups so a user inherits membership automatically.
  I'd suggest sourcing a vanilla OBIA rpd to see how it is implemented out of the box.

• Data level Security with Oracle Apps as Source

  Hi all
  I am implementing Data level Security with Apps as Source(OLTP) on Single Sign On.(Oracle has provided the Vanila rpd & we are working on that)
  I need to Filter data based on Business Group, Users are created in Apps and they are registered with some Responsibilities.
  (for eg, OBI User CHINA is a Responsibility; Now he will get only Business Group ID for China)
  I have created Groups in rpd with same name as the responsibility in Apps.
  I have created Initialization Blocks from which I m getting only 1 business group ID for every :USER.(I tried the code in TOAD & I m getting the correct BG ID)
  I have created Group in WEB with the same name as the Group name in rpd.
  If I say show all Users and Groups in WEB, I m getting the APPS Users.
  I hv Reloaded the server metadata files and restarted the BI Server/WEB Server also...
  But in the Report, I m getting all the Business Group Ids,
  Plz advice if I m doing something wrong.
  ThanQ
  Anand

  You need to be creating your "business groups" as a group in the RPD, init blocks to retrieve the user business group at login. Filters in the Logical table sources to restrict data to relevant business groups only.
  Presentation 'Web Cat' groups with the same name as the RPD groups so a user inherits membership automatically.
  I'd suggest sourcing a vanilla OBIA rpd to see how it is implemented out of the box.

• Unable to retrieve records when filtering by date

  I am having difficulties getting this query to run when filtering by date. The code works fine if I remove the Date filter, and I have tested the query using SQL Developer and it works fine there so I am not sure what I am doing wrong:
  Public Sub CheckForNewCampaign()
  'Checks if the campaign received is new or not
  'if new update the database with the new campaign information
  'else check with the database for the existing campaign status
  Dim strcmdQuery As String = “SELECT FROM RSP_ORDER_QUEUE WHERE REQUEST_CODE = 'N' AND INSERT_DATE > TO_DATE('2010-01-19','YYYY-MM-DD') “*
  Dim strConn As String = System.Configuration.ConfigurationManager.AppSettings("SQLConnectionString")
  Dim objOraConn As OracleConnection = New OracleConnection(strConn)
  Dim objOraCmd As OracleCommand = New OracleCommand(strcmdQuery, objOraConn)
  Try
  objOraCmd.Connection.Open()
  objOraCmd.CommandText = strcmdQuery
  objOraCmd.CommandType = CommandType.Text
  Dim objReader As OracleDataReader = objOraCmd.ExecuteReader()
  If objReader.HasRows Then
  LoggingQueueIn("CheckForNewCampaign: " & strcmdQuery & " records found")
  bIsNewCampaign = True
  'Set the Attempt for new call
  oQueueKeyCols.memAttemps = 1
  oQueueKeyCols.memRetries = 1
  oQueueKeyCols.memSequenceNumber = 1
  mCollectNewCampaignElements(objReader)
  Else
  LoggingQueueIn("CheckForNewCampaign: " & strcmdQuery & " no records found")
  bIsNewCampaign = False
  End If
  Catch ex As Exception
  LoggingQueueIn("CheckForNewCampaign: " & ex.Message.ToString)
  Finally
  objOraCmd.Dispose()
  objOraConn.Close()
  End Try
  End Sub
  Any help would be greatly appreciated. I am spinning my wheels here and could use some assistance.

  I can't think of any reason that you'd get different results with a hard coded literal query. I assume that rdr.HasRows=false?
  My only guess would be that maybe you're connected to a different database, or as a different user, you inserted the data via sql develper but have not yet committed it, or something along those lines.
  Were you to log a SR with Oracle Support, we'd probably ask for a level 16 sqlnet trace of they query executed via the .net app and sql developer so we can compare them to make sure all else is indeed equal.
  Hope it helps,
  Greg

• Data level security for 30000 profir centers

  Hello Gurus
  I have a requirement to implement data level security for 30000 profit center . Now I can think of creating the groups and applying security filters ( both on Dimesion & Fact) on the top of that.
  But I cannot do so as I will have to create some 30,000 groups/roles which is not possible. because there are some users who have access to only one or two profit center and it forms a heirarchy.
  As a workaround what I did is created a user-profit center table and joined it with the profit center table which is actually a snowflaked with two more dimensions - gl_account & gl_segment.
  In the BMM layer , in the Content section of teh profit center dimension , I applied a where filter like below :
  "Oracle Data Warehouse"."Catalog"."dbo"."Dim_W_GL_SEGMENT_D_Segment11"."SEGMENT_LOV_ID" in (1000163) and "Oracle Data Warehouse"."Catalog"."dbo"."Dim_W_GL_SEGMENT_D_Segment11"."SEGMENT_LOV_NAME"='Profit_Centre' AND ( "Oracle Data Warehouse"."Catalog"."dbo"."PF_USER_MAPPING"."USER" = VALUEOF(NQ_SESSION.USER) OR 'UNMATCHED'=VALUEOF(NQ_SESSION.USER) )
  All is well if I create a report having Profit center as one of the dimension/component in the analysis (answers) .
  But when I don't take Profit center the roll up is happening with all the Profit center . Reason being I have not applied "security filter " in the fact table and I cannot do so because USER tabel is not directly joined with the fact table.
  Is there any workaround for this.
  Pls. advise.

  Hi,
  Yes, any dimension filters are applied only when you include that dimension in your analysis.
  As a workaround, you could create a filter as "Profit Centre" is not equal to 'Dummy Profit Centre' with "Protect Filter as ON" and add this filter to all of your analysis.
  So what it does is, even though you do not refer to profit centre dimension in your analysis, the filter in each analysis makes sure that the profit centre dimension is always mapped and the data restriction is applied.
  Hope this helps.
  Thank you,
  Dhar

• Data Level Security issue

  Hello Gurus:
  I am having a problem with Data Level security.
  I copied my Production RPD and Webcat in Test, changed connection pool DSN and user/passwords.
  Now the problem is, a user who has same rights in Prod and Test, is seeing properly in Production, but sees nothing in Test.
  I am using initialization block from Siebel CRM Application. So customers are assigned to users based on their responsibility from S_RESP and S_USER.
  based on that, users can see the list of customers. Authentication is LDAP, same server for production and Test.
  Now, a user sees properly assigned list in Production, but not in Test. I dont know how to solve it. I searched query logs and stuff, but couldnt find anything.
  Please help me how should I investigate this issue.
  Thanks.
  Vinay

  Thanks for quick reply Stijn:
  Here are my inputs..
  1)"they see nothing"? means the dont see any customers in drop down. This is data level and not related to column or subject area. The only filter I use is
  "ATLAS Reports"."Dim - Accounts Hierarchy".LVL1ANC_ID = VALUEOF(NQ_SESSION."ORGS")
  This filter is applied to Customer hierarchy and couple of sensitive facts.
  The users are able to see all products because filter is not applied. I disabled the filter, and users could see everything. But I cant disable this in Production.
  2) What is the physical sql generated by the report? Set the loglevel of a user to a higher level in order to seet this.
  I am not able to set higher loglevel because i dont see the user in repository. All I see is GROUP, and they are assigned to particular groups based on GROUP session variable. Then filters are set on particular groups. How do I set logging level at Group level?
  3)Can you copy the query and run it against the test database. What results do you get?
  I can not see the query because of above reason.
  4)Does the user get the proper groups assigned? Yes. I put the session variable in title view to verify this.
  5) Are S_USER and S_RESP in Test equal to S_USER and S_REPS in Production? Yes.
  Let me know if you need more information.
  ~Vinay.