Ignoring security in JAAS based on Subject

Similar Messages

• Security Provider(JAAS chaine module)logging with SAP J2EE Agent Policy 2.2

  Hello,
  I have installed and configured a SAP J2EE Policy Agent 2.2 on a SAP J2EE Application Server 7.0 and installed an opensso 8.0.
  I have configured and deployed a jsp application with the descriptor containing the agent filter on the SAP J2EE.
  I have configured the security provider (based on JAAS) as follows:
  EvaluateTicketModule
  AmSAPWASLoginModule
  CreateTicketLoginModule
  I have then increased the severity check of logging on the SAP J2EE Application Server for:
  com.sap.security.server.jaas
  com.sap.engine.services.security
  But since the installation of the agent, I am not able to see the logs of the different logon modules and be sure that the CreateLoginModule has been done.
  I need to check that after the success of the agent login module, it goes through the CreateTicketLoginModule, how can I check that.
  Thanks,
  Tanguy Mezzano
  amFilter log:
  11/13/2008 06:02:39:810 PM CET: SAPEngine_Application_Thread[impl:3]_35
  AmFilter: now processing: Notification Task Handler
  11/13/2008 06:02:39:810 PM CET: SAPEngine_Application_Thread[impl:3]_35
  AmFilter: now processing: Port Check Task Handler
  11/13/2008 06:02:39:810 PM CET: SAPEngine_Application_Thread[impl:3]_35
  PortCheckTaskHandler: request is on valid port
  11/13/2008 06:02:39:810 PM CET: SAPEngine_Application_Thread[impl:3]_35
  AmFilter: now processing: FQDN Task Handler
  11/13/2008 06:02:39:810 PM CET: SAPEngine_Application_Thread[impl:3]_35
  FQDNHelper: Incoming Server Name: [myserver] Result: null
  11/13/2008 06:02:39:810 PM CET: SAPEngine_Application_Thread[impl:3]_35
  AmFilter: now processing: Not Enforced List Task Handler
  11/13/2008 06:02:39:810 PM CET: SAPEngine_Application_Thread[impl:3]_35
  NotenforcedURIHelper.isNotEnforced(/myApp.jsp) found in enforced cache
  11/13/2008 06:02:39:810 PM CET: SAPEngine_Application_Thread[impl:3]_35
  NotenforcedURIHelper.isNotEnforced(/myApp.jsp) => false
  11/13/2008 06:02:39:810 PM CET: SAPEngine_Application_Thread[impl:3]_35
  AmFilter: now processing: SSO Task Handler
  11/13/2008 06:02:40:122 PM CET: SAPEngine_Application_Thread[impl:3]_35
  SSOTaskHandler: SSO Validation successful for id=myUser,ou=user,dc=myCompany,dc=com
  11/13/2008 06:02:40:122 PM CET: SAPEngine_Application_Thread[impl:3]_35
  AmFilter: now processing: URL Policy Task Handler
  11/13/2008 06:02:40:310 PM CET: SAPEngine_Application_Thread[impl:3]_35
  URLPolicyTaskHandler: access allowed by AmWebPolicy
  11/13/2008 06:02:40:310 PM CET: SAPEngine_Application_Thread[impl:3]_35
  AmFilter: now processing: Redirect Check Result Handler
  11/13/2008 06:02:40:310 PM CET: SAPEngine_Application_Thread[impl:3]_35
  RedirectCheckResultHandler: removing redirect counter cookie
  11/13/2008 06:02:40:310 PM CET: SAPEngine_Application_Thread[impl:3]_35
  AmFilter: result =>
  FilterResult:
  Status : CONTINUE
  RedirectURL : null
  RequestHelper:
  null
  Data:
  null
  -----------------------------------------------------------

  I want to use my login page in BEA instead of Access Manager or Distributed Authentication Module. I think it is similar to the problem you have? Did you come up with a solution?
  My problem is described in more detail on this thread:
  http://forum.java.sun.com/thread.jspa?threadID=5197783

• I Need to Create a report for batch jobs Based on Subject Area.

  Hi SAP Guru's,
  I need to create a report , that it must show the status of batch jobs Completion Times based on Subject area(SD,MM,FI).
  Please help me in this issue ASAP.
  Thanks in Advance.
  Krishna.

  You may need to activate some additional business content if not already installed but there are a lot BI statistics you can report on. Have a look at this:
  http://help.sap.com/saphelp_nw70ehp1/helpdata/en/46/f9bd5b0d40537de10000000a1553f6/frameset.htm

• Research on the Security of NGDC Based on ASP

  Research on the Security of NGDC Based on ASP
  Zhang Li Gong Jianya Zhu Qing
  Key Words
  active server pages (ASP); national geospatial data clearinghouse (NGDC); geographic information system (GIS); Internet
  Abstract
  On the basis of the authors? experience of setting up an NGDC Web site, this paper attempts to present some significant aspects about the security of NGDC based on ASP. They include data storing, database maintenance, new technical support and so on. Firstly, this paper discusses how to provide the security of data which is saved in the host of NGDC. The security model of ?New works ?DB Sever-DB-DB Object? is also presented. In Windows NT Server, Internet Information Server (I IIS) is in charge of transferring message and the management of Web sites. ASP is also based on IIS. The advantages of virtual directory technique provide by IIS are emphasized.
  An NGDC Web site, at the Research Center of GIS in Wuhan Technical University of Surveying and Mapping is also mentioned in this paper. Because it is only an analogue used for case study, the transmission of digital spatial products is not included in the functions in this NGDC Web site. However, the management of spatial metadata is more important and some functions of metadata query are implemented in it. It is illustrated clearly in the functional diagram of the NGDC Web site.
  1 Introduction
  Needless to say, it is very important for most GIS users to acquire and integrate the geospatial information from various districts. However, the current situation of geospatial information production and dissemination in the world is still unsatisfactory. On one hand, users do not know where the geospatial data files are stored and what geospatial data is useful for their applications, or have not necessary computer facilities. On the other hand, due to the lack of coordination and cooperation, the duplication of geospatial data production widely exists. Most of geospatial information is stored by different organizations including governmental organizations, commercial companies. What?s more, the lack of geospatial data exchange and sharing mechanism results in relative low benefit of geospatial data use. It is difficult for some products to get necessary information from other producers to integrate with or to update their own databases. In short, the value of geospatial information has not been shown exactly in GIS industry of China.
  It is obvious that the information distribution technique based on Internet can play a great role in GIS industry. National Geospatial Data Clearinghouse users will be able to query what geospatial data is being produced, how about is quality, where it is produced, and how to get the geospatial data economically and conveniently.
  2 NGDC and ASP technology
  As mentioned above, NGDC is a geospatial information distributed network system which is concerned with geospatial data producers, managers and users. So the relationship among them must be harmonized. The NGDC provides the service of geospatial information through internet. In detail, it will allow various data formats to exist in this opened geospatial information service system and it supports the share and query of the geospatial data from different sources. The main mission of NGDC is to offer a means of fast, efficient, safe, economical service of geospatial data provision to users. At the same time, it will offer means for data providers to advertise their new products and collect users? demands and feedbacks in order to promote the geospatial data production.
  To date, the model of NGDC is usually described as a provider-oriented model. In this model, every geospatial data provider is linked with internet as an NGDC node... user?s access NGDC nodes through internet and browses the catalogues of geospatial data stored in NGDC, and then they query the metadata about the available products for their applications. After selecting the desired data set, the user can send an order to the relevant producer on-line or by E-mail system. If users can not find the geospatial data available in this NGDC node for their applications, they will be able to access other NGDC nodes.
  So the construction of NGDC is concerned with the planning and maintenance of dynamic Web sites linked with internet. Since Active Server Pages (ASP) came out with its peculiar characteristics several years ago, which is applied to the construction of more and more dynamic Web sites in the diverse fields? In comparison with common gateway interface (CGI), ASP is more effective and flexible as a server scripts environment.
  With html pages, script commands and active X components, ASP can set up dynamic, interactive and efficient Web server programs. It is not important whether browsers can run those ASP codes, because all of ASP programs including scripts plugged in html, such as VBScript, JScript, are executed in servers. ASP programs will send a series of commands to the script engine, and then the script engine translates the commands into some codes which can be executed by servers. After running the executive codes, the results will be sent by servers to users? browsers in html. In this way, it is sufficient for browsers to have basic function of browse. As a result, the speed of the system increases rapidly.
  NGDC Web site provides users with a catalogue of geospatial data entity, data entity and the relevant metadata. Therefore it is inevitable to access various databases in the construction of NGDC. It is convenient to connect database systems with ASP plug-in Active X components, so Web pages can be linked to all kinds of databases which provide ODBC interfaces for other programs. Active X components provide the objects whose tasks are to finish certain functions. So Active X components are of great significance in setting up Web programs.
  3 Research on security of NGDC
  This paper attempts to present some significant aspects about the security of NGDC base on ASP, such as data storing, database, maintenance, new technical supporting and so on.
  3.1 Security of data storing
  The information stored in NGDC includes geospatial data, relevant metadata and catalogues of data products. The maintenance of all the information is a very hard task. Of course, the security of data storing is included in it. From the point of system maintenance, the security of data storing in NGDC is concerned with disk error-tolerance and back-up supporting.
  With the rapid development of manufacturing technique of hard disk, the life-span of hard disk has been lengthened. Disk error-tolerance decreases usually the possibility of data-losing because of errors of hard disks. It is inevitable that some errors cannot be limited in spite of any error-tolerance system. In order to maintain the security of data, the significance of data should be assessed firstly and so should the loss of data-losing. There are three kinds of dump plans for database or data files: full data dump, increment data dump and combination of them. As in NGDC the need of data back-up depends on its significance.
  3.2 Security of database maintenance
  As for popular large-scale database systems such as Microsoft SQL Server, Sybase, Oracle, Informix, security maintenance is implemented by four levels of ?New works ?DB Sever-DB-DB Object? security model. Every user has his network login ID and his password, with which the user ID and the password, users can login into network. Take Windows NT Server for example, Windows NT Server provides some security maintaining methods such as encoded password, minimum password length and so on.
  In general, network cannot automatically permit its network users to access databases in it. The fact that a user can access databases does not mean that he can automatically access databases in it. Only those users who have their database user IDs stored in system tables in database can access database.
  3.3 Security with ASP
  In the environment of Windows NT Server, Internet Information Server (IIS) is in charge of distributing information and maintenance of Web sites. ASP is also based on IIS. When users access some ASP files in their browsers, the relevant ASP scripts will run in server and the results will be sent users in Web pages.
  Virtual directories are different from physical directories in hosts or servers. Net work administrators may make good use of the mechanism of virtual directory in order to maintain the security. IIS supports virtual directory which plays a great role in the security maintenance of Web sites. Firstly, virtual directory conceals the information about actual directory structure. In normal browsers, users can get the path information of a certain Web site; the directory information of Web sites will be exposed to users linked with Internet. As a result, it is easy for the Web sites to be attacked by hikers. Secondly, it is convenient to transfer the WWW service from one server to another without updating the code in Web pages if there is the same virtual directory structure in two servers. Finally, when putting Web pages into virtual directories, administrators can assign different attributes to the directories. For example, in the construction of NGDC Web site, it is important to put normal html files and ASP files into different virtual directories. The attribute of directories in which normal html files are stored may be ?Read? while the attribute of directories in which ASP files are stored may be ?Execute?. On one hand, it simplifies the maintenance and management of NGDC Web sites. On the other hand, ASP source files will never be sent to user browsers. In other words, hikers cannot get the ASP source codes through their browsers. Thus it improves the security of ASP files.
  4 An NGDC model Web site in WTUSM
  Some other security aspects in operational model, programming, management in the plan and construction of NGDC should be concerned. As an example the construction of an NGDC model Web site is presented below in order to explain the security maintenance of NGDC in detail. On the basis of authors? research on relevant problems, this NGDC model Web site was planned and deployed in early 1999. As a model project, the purpose of construction of this Web site is to provide some useful experiences for other projects on NGDC. Therefore the process of geospatial metadata plays a great role in this Web site. In fact, there are not actual geospatial data products stored in this NGDC model Web site. The main task of this Web site is to provide relevant geospatial metadata services, so the functions of data product maintenance cannot be found. Geospatial metadata is stored into meta-database in Microsoft SQL Server. With ?New works -DB Sever-DB-DB Object? security model in Microsoft SQL Server, the relations between user and access rights are set up. In order to simplify the problem, those two tasks are assigned to two DB users. One is a user who is the owner of DB objects. (Of course, he has all rights to access, update and delete DB objects); the other is a normal user who can only access DB objects such as tables. While developing ASP programs in the integrate developing environment of Microsoft Interdev, the functions may be fulfilled by script programs running either in clients or in servers. As a result, it improves the confidentiality of ASP programs and the efficiency of NGDC service system.
  In the NGDC Web site, something has been done in order to improve the security of operation: a table named providers? information table is stored in NGDC to keep some useful information about relevant geospatial data providers, such as name, ID, passwords, contact methods and son on. The information may be a long, irregular string whose length is less than 1024. It is produced and maintained by NGDC. The providers? information table is stored in the server in NGDC. In this way, data producers provide geospatial products together with their identifying information through Internet.
  5 Conclusions
  In short, it is very convenient and efficient to distribute geospatial data in the NGDC nodes through internet. On the other hand, with the development and construction of NGDC, there will come more and more challenges and problems about the security of NGDC. Obviously some researches and discussions in this field need to be further carried on.

  Jaya
  We have two ways to achieve this scenario
  1.Going with PCR where we Query No of Years Completed
  2. Going for Custom Function
  In the above two ways  we have to maintain the year of completion in Date Specification Either Manually or Thorugh Dynamic Action which shd automaticallly update....IT00041
  I prefer the second one since PCR is some wht complicated

• Creating MTA filters based on subject

  hi,
  Could anyone help me out in creating MTA filter for bolcking mails based on subject of an email.In the documentation it says you have to do it using seive lang .If you have a sample template pls provide.
  rgds
  rajeev nair

  please read RFC3028��Sieve: A Mail Filtering Language,
  you can find many examples

• Migrating ADF Security from file-based provider to LDAP provider

  We have deployed a small application using ADF Security with file-based provider in OAS and it works fine.
  Now we want to migrate to ADF Security using LDAP provider.
  In order to make this possible we followed the next steps:
  - Migrate all the roles and policies from the file to OID with JAZNMigrationtool.
  - In OAS we've changed the Application Security Provider to 'Oracle Identity Management'.
  - Reset the OC4J instance.
  But there was no success, the application continues working with the file-based provider.
  What more is necessary to configurate?

  Hi,
  if you use EM make sure you change the setting for the application, not the general OC4J setting.
  You can also deploy the provider settings with the orion-application.xml file added to your project
  Frank

• Loader, Unload SWF and Warning: Ignoring 'secure' attribute........

  Hey all
  I was just simply trying to load one swf into another.  in my document class I have the following line of code in my constructor.
  var loadBoard:LoadBoard = new LoadBoard("Directory.swf");
  in my LoadBoard class:
  package com.myproject
       import flash.display.Loader;
       import flash.display.MovieClip;
       import flash.net.URLRequest;
       public class LoadBoard extends MovieClip
            public function LoadBoard(nameOfBoard:String)
                 var boardLoader:Loader = new Loader();
                 addChild(boardLoader);
                 boardLoader.load(new URLRequest(nameOfBoard));
                 trace("swf should be loaded");
  In my console I get the following when I debug"
  [SWF] U:\fullPath\Directory.swf - 69,058 bytes after decompression
  [SWF] U:\fullPath\Directory.swf - 2,067 bytes after decompression
  [SWF] U:\fullPath\Directory.swf - 322,606 bytes after decompression
  [SWF] U:\fullPath\Directory.swf - 112,558 bytes after decompression
  [Unload SWF] U:\fullPath\Directory.swf
  Warning: Ignoring 'secure' attribute in policy file from http://fpdownload.adobe.com/pub/swz/crossdomain.xml.  The 'secure' attribute is only permitted in HTTPS and socket policy files.  See http://www.adobe.com/go/strict_policy_files for details.
  Not sure why I am getting this warning, when I googled it, the erro has to do with trying to load a file from another domain. My Directory.swf file is in the same location as my main swf, the bin-debug folder.  Also the Directory.swf does not seem to load into my main swf as I don't see it show up in the flash player when i run my app.   I am also a little confused on the [Unload SWF], I am not doing anything to tell it to Unload my swf.
  I am using FB to do all my coding and debugging if that matters.
  Does anyone have any ideas.
  thanks,

  Apparently I was, so I changed it to classic text in my Directory.fla and that seemed to remove the weird error.  However it seem that my swf is still not loading.  any Ideas why that might be?
  [EDIT]  Ok, my Directory swf is defenatly loading. but not showing up in the display list. I updated my LoadBoard to the following.
  package com.aces
       import flash.display.Loader;
       import flash.display.MovieClip;
       import flash.events.Event;
       import flash.net.URLRequest;
       public class LoadBoard extends MovieClip
            public function LoadBoard(nameOfBoard:String)
                 var boardLoader:Loader = new Loader();
                 boardLoader.load(new URLRequest(nameOfBoard));
                 boardLoader.contentLoaderInfo.addEventListener(Event.COMPLETE, finishLoading);
            public function finishLoading(loadEvent:Event):void
                 addChild(loadEvent.currentTarget.content);
                 trace("swf should be loaded");
  any Ideas?
  Thanks,

• New Technical Article: Securing a Cloud-Based Data Center

  Securing a Cloud-Based Data Center
  by Orgad Kimchi, Ron Larson, and Richard Friedman
  Orgad, Ron, and Richard and explain the precautions you need to take when deploying a private cloud in a data center, and show you how to employ the security features in Oracle Solaris 11 to protect its infrastructure. Part 2 of a three-part article on cloud deployments that use the Oracle Solaris Remote Lab as a case study.
  - Rick

  The beautiful curve drawn by LDPC code caught my eyes, but several points hardly built up user confidence.Some details should be submitted carefully, especially comparison with BCH codes. In my opinion, X-axis is exact error bit count and Y axis is frame error rate. Then, BCH comparison is a theoretical vertical line. LDPC code will be well described in a group of points.
  Moreover, can Xilinx provide more codes with different rate to support flexible design?

• Server is ignoring my csapi plugin based on sample code

  I'm trying to change the functionality of "authlogin" as used in "Logon" based on the code in the samples.
  I'm able to compile the example code csAuthenticationLocal.cpp and run a testcase from the command line.
  But when I try to add the .so file to the plugins directory and modify the ics.conf file to use my .so file I'm finding that the server ignores my changes.
  Is there any documentations that outlines in a step by step manner how to compile/create the .so and generally implement a change made through the csapi?
  Thank you.
  Eric

  Privet Pavel!
  See thread
  http://forum.java.sun.com/thread.jsp?forum=60&thread=169227
  I think the cure there is the same as for your problem.
  So use
     Subject.doAsPrivileged(subject,action,null);instead of
     Subject.doAs(subject,action);see documentation of doAsPrivileged.
  Happy coding,
  Kullervo

• JAAS Principals and subject

  Hi,
  I am not sure on what is the correct way to use subject and principals for jaas authentication.
  Assume I have my custom Login Module.
  This is the simple unit test I have done:
  // create the header to authenticate.
            HeaderT header = new HeaderT();          
            header = HeaderUtils.setNVSInHeader(header, HeaderConstants.USERNAME, "user");
            header = HeaderUtils.setNVSInHeader(header, HeaderConstants.PASSWORD, "password");
            LoginContext ctx = new LoginContext("mtosi", new HeaderCallbackHandler(header));          
            //login
            ctx.login();
            header = new HeaderT();          
            header = HeaderUtils.setNVSInHeader(header, HeaderConstants.USERNAME, "user2");
            header = HeaderUtils.setNVSInHeader(header, HeaderConstants.PASSWORD, "password2");
            LoginContext ctx2 = new LoginContext("mtosi", new HeaderCallbackHandler(header));
            ctx2.login();
            assertEquals(2, ctx2.getSubject().getPrincipals().size());The header contains the username and password info that are authenticated in a custom LoginModule.
  What I expected was that calling the LoginContext login somehow the different users would have been stored in the subject. So that the second time I would have called the login (on a different insance of Login Context) I would have had the 2 principals authenticated.
  The first Principal gets lot instead.
  What I am missing?
  Where should the Principals have to be stored?
  Does the Login Context maintains a list of the Principals that get authenticated or they are new each time I call a login on a different instance of Login Context?
  thanks
  Edited by: Davide_Gesino on Feb 7, 2008 7:37 AM

  danielm26,
  You can create a class that implements the Pricipal interface, adding anything that you want to it. Populate the object at login method from your LoginModule and add it to the subject object - subject.getPrincipals().add(yourPrincipal).
  In you jsp page you can retrieve this subject as fallows:
  Subject subject = (Subject) PolicyContext.getContext("javax.security.auth.Subject.container");
  Then iterate subject.getPrincipal() testing if the Principal object is an instance of your Principal class, cast the found one and be happy.
  Pedro.

• How to do data level security on users based on region

  Hello guys
  I currently have created a report with dashboard prompt on column "state" with a default value "CA"
  Now, the requirement is to perform data level security on this report, so different users based out of different state will log in to the dashboard and this prompt will change its default value accordingly so the user will have the report on only users home state prompted, and users can't see other state data..
  I have thought of creating session variables to achieve the same, but how should i set up the initialization string?
  Do I need to create a new table called "user table" that stores username/password and state columns and make that user table join to the fact table in the db?
  If so, how should I configure the session value so that users get filtered date based on its state location?
  PLease provide guidance
  Thanks

  Here’s an idea off the top of my head (untested):
  First, set up your security constraints normally using Manage…Security in the Administration Tool, so that each user can only see his/her state. Refer to the previous responses to this post for guidelines.
  Then, in your dashboard prompt, for the “Default Value”, write a tiny bit of logical SQL to query the “state” column from the presentation layer. If your security constraints are properly in place, the SQL should only return one value.
  To get an idea of what the logical SQL should look like, select “All Values” as the default value, then switch it to ‘SQL Results’. That will show you the basic format of the logical SQL. It’s really just normal SQL (select <this> from <that> where <the other>), but referring to presentation layer objects rather than to physical tables and columns.
  Untested. Please reply back and let us know how it goes.

• Simplest way to secure static HTML based on certificate

  Trying to handle too many jobs at once - but is there a simple way to hide a group of static html pages behind a check to make sure that the user has a certificate signed by a trusted CA. I do not want to authorize the user against any list of valid users, in fact, I specifically want to allow all users whose certificate is signed by chains in the truststore. Thanks!
  It's odd that this seems more difficult than getting a rich-client application secure using certificates.

  Hi Roberto,
  For this you could use a "certificate-map", as following:
  tunnel-group Financials type remote-access
  tunnel-group IT type remote-access
  crypto ca certificate map AnyConnect_Map 10
  subject-name co ou = financials
  crypto ca certificate map AnyConnect_Map 20
  subject-name co ou = it
  webvpn
  enable outside
  certificate-group-map AnyConnect_Map 10 Financials
  certificate-group-map AnyConnect_Map 20 IT
  So in this case, I am looking at the OU attribute of each certificate.
  Let me know if you have any questions.
  Thanks.
  Portu.
  Please rate any helpful posts.

• Security for value based hierarchy + OLAP

  Hi,
  I am using row-level security mechanism described here: http://www.rittmanmead.com/2012/03/obiee-11g-security-week-row-level-security/
  It works well for level based hierarchies... but is there a way to apply it to value based OLAP hierarchy in OBIEE 11.1.1.6?
  My case is:
  - I have parent-child value based hierarchy representing management structure with various depth.
  - of course facts are always linked to leaf members of hierarchy
  - I need to apply security at different levels. E.g. Office manager should have access to one/multiple offices information (basically all employees he manage currently + his previous office before he was moved)
  - In report I display presentation hierarchy that starts at country level and then manager drill to his offices
  - At country level, manager should see a measure aggregate only for his offices (not whole country)
  In relational database there is no problem:
  - I follow rittman blog
  - create session variable that store list of all leaf members of hierarchy (employees) managed by manager
  - with OBIEE "Manage"->"Identity" I apply filter on fact table and get right measure aggregates at all levels of hierarchy
  Issue for OLAP:
  - with OBIEE "Manage"->"Identity" I apply filter on OLAP value based hierarchy
  - in case of filter "MY_BMM"."Org Str"."Org Str Key" = VALUEOF(NQ_SESSION."LEAFS_LIST") -> when manager include hierarchy column to report there are no results because hierarchy starts at country level and he have no access to country data
  - to workaround it I tried: "MY_BMM"."Org Str"."Org Str Key" = VALUEOF(NQ_SESSION."LEAFS_LIST_AND_ALL_ANCESTORS") -> manager can see all aggregates at country level because he have access to country, and OLAP just use country level aggregate
  - IsDescendant("MY_BMM"."Org Str" , VALUEOF(NQ_SESSION."OFFICE_ID")) will work only for single office as we can not use row wise variables here
  One solution I can imagine is to create additional level based dimension that have only 2 levels: "All"->"Org Str Leaf". Then apply filter on this "artifitial" dimension. It is not perfect solution to duplicate dimensions only for security purposes... that's why I ask you for advice if you know better way?
  Regards,
  mudi

  Here is an example, how to set security in OBIEE 11.1.1.5 (or future versions)  against  Oracle OLAP dimensions.
  *(1). Create the Oracle OLAP Hierarchy Descendant View against Value-based hierarchy*
  These views return a row for each ancestor-descendent relationship in the hierarchy. As you can see how easy it is.
  CREATE OR REPLACE VIEW DEPT_DESCENDANTS
  AS
  SELECT 'DEPT' "DIMENSION", 'DEPTHIER' "HIER", ancestor, descendant
  FROM TABLE(OLAP_TABLE('BAWOLAP.BNSOLAP DURATION QUERY', null, 'LIMIT DEPT_HIERLIST TO 'DEPTHIER''',
  'DMNS DESCENDANT AS VARCHAR2(60) FROM DEPT
  DMNS GID_VAL AS NUMBER FROM ___AW_GID_DIMENSION
  MSR ANCESTOR AS VARCHAR2(60) FROM DEPT_FAMILYRELVAL'
  where ancestor is not null
  *(2). Create the User ACL Tables and Populate with Data*
  Create an Access Control list test table by user and Dept. Later this will be populated with production data.
  create table user_dept_acls
  username varchar2(30),
  dept varchar2(60)
  insert into user_dept_acls(username, dept) values ('user1', 'GWM');
  insert into user_dept_acls(username, dept) values ('user1', 'GT');
  insert into user_dept_acls(username, dept) values ('user1', 'SC');
  insert into user_dept_acls(username, dept) values ('user2', 'GWM');
  insert into user_dept_acls(username, dept) values ('user2', 'GT');
  insert into user_dept_acls(username, dept) values ('user3', 'SC');
  commit;
  *(3). Create an Init Block Connection Pool*
  Oracle BI EE requires a separate Connect Pool for Init blocks. It does not allow the default query connection pool to be reused for init blocks. So, we need to create a new init block.
  *(4). Create the ACL Session Variables*
  These session variables hold the list of all members that the user may access.
  Example Session Variable: DEPT_ACL
  Init Block: "Init DEPT_ACL"
  SQL:
  select 'DEPT_ACL', account from user_DEPT_acls where username = ':USER'
  union all
  select 'DEPT_ACL', descendant
  from DEPT_descendants
  where ancestor in (select account from user_DEPT_acls where username = ':USER')
  union all
  select 'DEPT_ACL', ancestor
  from DEPT_descendants
  where descendant in (select account from user_DEPT_acls where username = ':USER')
  The first query block of the init block SQL just selects the members explicitly entered into the ACL table. The second block selects all the descendants of those members from the descendants view. The third block selects all the ancestors to ensure that the user has access to all the members in the drill path starting from the root member.
  Make sure that row-wise initialization is checked in the Variable Target section of the init block.
  *(5). Add the Data Filters*
  In our test case we assigned the data filters to the BIAuthor role, but the filters should be added to whatever role makes the most sense.
  Data filter on "BNSGL"."Department":
  "BNSGL"."Department"."Dept" = VALUEOF(NQ_SESSION."DEPT_ACL")
  *(6). Log in as a Normal User and Query the Hierarchy*
  The user can only see to the members to which they are granted access in the ACL table plus all ancestors and descendants of those members.
  Drill down to the bottom of the hierarchy.
  *(7). Look at the Query Log*
  In the nqquery.log we see that the session variable is expanded into an IN list in the physical SQL query. The BI Server breaks the IN list into two IN lists to avoid the Oracle SQL limit of 1,000 items per IN list.
  Edited by: Nasar Ali-Khan on Jul 2, 2012 8:14 AM

• Securing Web Services based on simple Java Classes

  Hi @all!
  We`ve got the following problem.
  There`s a .NET client calling our Web services deployed on Bea Weblogic 8.1 (without
  SP).
  The Web Services are generated by the ANT task servicegen. They are based on simple
  Java classes containing the service methods as public members.
  Is there a possibility to secure these methods without using the console menu
  item "Define Security Policy" ?
  We can`t use this menu because it has got a javascript bug with methods returning
  an array.
  Thanks in advance for help.
  Michael

  Hi Michael,
  Could you use transport level security, SSL [1]?
  I'm not sure what limitation you are experiencing with the console? Is
  there a traceback? Have you contacted customer support on this issue?
  Thanks,
  Bruce
  [1]
  http://edocs.bea.com/wls/docs81/webserv/security.html#1053203
  Michael Albrecht wrote:
  >
  Hi @all!
  We`ve got the following problem.
  There`s a .NET client calling our Web services deployed on Bea Weblogic 8.1 (without
  SP).
  The Web Services are generated by the ANT task servicegen. They are based on simple
  Java classes containing the service methods as public members.
  Is there a possibility to secure these methods without using the console menu
  item "Define Security Policy" ?
  We can`t use this menu because it has got a javascript bug with methods returning
  an array.
  Thanks in advance for help.
  Michael

• OBIEE11g Implement Security on Value Based Hierarchy

  Hi All,
  I have a requirement to implement a security on hierarchical values on parent child hierarchy.
  Ex. Manager -> Employee -> Employee.
  Here, based on security requirement, Manager/Employee can see the respective hierarchy. If user is at 2nd Level, when he sees the data, hierarchy should start only from Employee -> Employee.
  What I have observed is that, P-C hierarchy/closure data push hierarchy starting from the TOP level only.
  Please suggest if there are any alternatives.

  Hi Patrick, I'm working on similar requirement. Have you managed to implement it?