Implicit Fact and Group Security Filters

Hi All,
Can somebody confirm for me if the Group Security filter as specified under 'Hr Org-Based security' is supposed to be applied in Answers when the only reference to the fact table is via its selection as the implicit fact within the presentation catalog?
E.g. the user selects Dim1, Dim2 and a Fact Measure, and the query is filtered correctly by the user's organisation. When the fact measure is removed, OBIEE keeps the same fact table within the generated SQL, as it is the implicit fact used to join the two dimension tables together. The results this time are not filtered by organization and it's possible to return dimension records for fact rows that are from a different Org. In this case the user can return absence start and end dates for employees outside of his org (the customer wants this prevented).
Is this expected behaviour?
Thanks.

Similar Messages

  • User and group security

    Not sure if this fits here, but here goes...
    I have a subportal folder, with a community inside. Inside the community, I have groups. If I give one group the admin level authority, is it just for that community and all of its content, or is it the whole portal? The admin docs are very granular on user and group security throughout the various ways of applying it. What I am trying to do is give a group admin control over a single community as well as full admin control of all groups in the community's admin folder. BUT just those things.
    thanks

    If I recall correctly, there is no inheritance of user and group rights in PT, at least not in 5.x. If you give some rights on a specific object/folder to a specific group, then it will be for that object only and none of its children.
    You do have a choice of propagating user rights down the ownership tree, however. I.e., if you select a community and set some rights for yourself, it will prompt you if you want to propagate the same permissions down the chain, to all of its children. If you say yes, it will replace permissions on all its children by creating copies. If you say no, you'll have to go and apply different permissions on each child individually.
    Ruslan.

  • Creating New Security group and Refreshing Security Filters

    Hi
    I have created a new security group (and added people to it)
    I have given this security group write access to certain dimension members within the planning application
    I have refreshed the security filters via Planning_Manage Database_Security Filters
    But the people in the new security group still don't have write access to the dimension members
    If I look in EAS ... I can't see the new security group that I have created
    Question 1
    Do I need to refresh the security filters via EAS?
    If I do this ... I know that I need to make sure that no one is in the Essbase application
    Do I also need to make sure that no one is within the relevant planning application?
    Question 2
    Is it enough to refresh the security filters (tick security filters) .. or do I need to tick database in the manage database options?
    Question 3
    Does anyone have any suggestions that I haven't mentioned above?
    Thank you
    PD

    Hi John
    Thanks for your suggestion
    I tried this and he still doesn't have write access
    He doesn't need to be able to lock and send values via Essbase ... However when we are in Planning, he can't submit data to the dimension members mentioned above, i.e. the cells are all green
    I have checked and double-checked the security on the dimension members (and form security) in the form that he can't edit
    Do you have any other suggestions?
    Thank you
    PD

  • AGPM and policy security/filtering

    I'm having a problem figuring out how you change security filtering & WMI filtering under the 'Scope' tab and edit groups/users on the 'Delegation' tab on a controlled policy in AGPM.
    All the options are greyed out in GPMC for controlled policies, but not on uncontrolled.
    I've tried checking the policy out, but those properties still remain unchangeable.
    Is there a special way to change these properties on an AGPM controlled policy? Or is it not possible?

    Below link might be helpful,
    http://www.grouppolicy.biz/2010/06/how-to-create-make-changes-to-group-policy-objects-in-agpm/
    Regards,
    Gopi
    JiJi Technologies

  • Implicit fact and Alias table with

    Hi Gurus,
    May I know what is the use of alias table and implicit fact, with some real-time scenarios for better understanding?
    Thanks,
    Rafi

    For alias tables, refer to Oracle's documentation here, where it is explained in great detail: ( http://docs.oracle.com/cd/E14571_01/bi.1111/e10540/physicallayer.htm )
    For implicit fact, refer to the documentation here: ( http://oracle-bi.siebelunleashed.com/articles/implicit-fact-column/ ). To define it in layman's terms, an implicit fact is set on a subject area when you are reporting out of dimensions in the report without any fact columns and you want the fact table to be part of the report's query.

  • User and Group Security Provisioning

    Hi,
    I have a question regarding Group security in Planning. I am using EPM system 11. My basic question is, if I create a new Planning user (interactive user with no default access to dimensions), and assign that user to a Planning group, does the user automatically inherit all the dimension access assigned to that Group? From my experience, it seems that I must explicitly assign each User access to the dimensions they should be able to Read or Write, and that simply adding them to a group that has been given Write access to the Expense Account (for example) does not give a newly added user to that Group Write access.
    A quick note - when creating new Users, I first create and provision them in Shared Services. However, in order to be able to log in with them, I must recreate the user in EAS's User Directory. It seems redundant to make a user twice, but it is the only way I am able to successfully log in with new users, otherwise the Planning login page says "failed to sync with user provisioning". I have not done this same procedure for the Groups I have created (i.e. I have made and provisioned the Groups in Shared Services, but not recreated them in EAS). Is it possible that this is why Users aren't inheriting the access rights of the Group? I can provide more information if needed, any help or comments are appreciated. Thanks in advance.

    user3x3 wrote:
    1) EAS method is to open EAS, then open the Essbase Server Node, right-click on security, and click Externalize Users. When I do this there is no right-click option to externalize the users, and since it can only be done once and then not reversed I assume the previous administrator already did this. Since this is not available, I must use the second method.
    If you log in with an administrator account you should see the "Externalize Users" option even if you have already externalized.
    I take it you did not configure your system; I take it that it was documented so you could have a look at how it was configured.
    If Essbase is on a different server than Shared Services then maybe the Essbase server was not registered with the Shared Services registry when it was configured. That might be the reason why you are getting the Shared Services error when you try to convert to Shared Services security; basically it doesn't know where Shared Services is. If that is the case then it will need to be configured again.
    Cheers
    John
    http://john-goodwin.blogspot.com/

  • Is there a way to get GPO's security filtering groups only.

    Hello,
    Is there a way to get the GPO and the Security filtering groups assigned or configured for that GPO.
    A VBSCRIPT would be greatfull
    Thanks,
    Schan.

    > A VBSCRIPT would be greatfull
    Have a look at the GPMC sample scripts:
    http://www.microsoft.com/en-us/download/details.aspx?id=14536
    Also a good starter to learn about how to use the GPMC COM interface :)
    Martin
    How about reading a GOOD book about GPOs?
    NO THEY ARE NOT EVIL, if you know what you are doing:
    Good or bad GPOs?
    And if IT bothers me - coke bottle design refreshment :))
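
    The same report can be produced without the GPMC COM interface. The following is an added example, not part of the original thread and written in PowerShell rather than the VBScript asked for; it uses the `Get-GPO` and `Get-GPPermission` cmdlets from the GroupPolicy module, and the function name `Get-GpoSecurityFiltering` is hypothetical. It assumes it runs in the current domain with read access to the GPOs.

    ```powershell
    # Added example: list the security-filtering trustees of every GPO in the
    # current domain. Requires the GroupPolicy module (installed with GPMC/RSAT).
    Import-Module GroupPolicy

    function Get-GpoSecurityFiltering {
        foreach ($gpo in Get-GPO -All) {
            # Full delegation list for this GPO (one entry per trustee).
            $acl = @(Get-GPPermission -Guid $gpo.Id -All)

            # "Security Filtering" in GPMC = trustees holding Read + Apply,
            # which the module reports as permission level GpoApply.
            $apply = $acl | Where-Object { $_.Permission -eq 'GpoApply' }

            # ACLs that do not map to a standard level are reported as
            # GpoCustom; surface them so they can be reviewed by hand.
            $custom = $acl | Where-Object { $_.Permission -eq 'GpoCustom' }

            # Authenticated Users is the well-known SID S-1-5-11. Record which
            # level it holds, since removing it is a common filtering change.
            $authUsers = $acl | Where-Object { $_.Trustee.Sid.Value -eq 'S-1-5-11' }

            [pscustomobject]@{
                Gpo                = $gpo.DisplayName
                Id                 = $gpo.Id
                SecurityFiltering  = ($apply  | ForEach-Object { '{0}\{1}' -f $_.Trustee.Domain, $_.Trustee.Name }) -join '; '
                CustomEntries      = ($custom | ForEach-Object { '{0}\{1}' -f $_.Trustee.Domain, $_.Trustee.Name }) -join '; '
                AuthenticatedUsers = if ($authUsers) { ($authUsers.Permission -join ',') } else { 'none' }
            }
        }
    }

    # Usage: one row per GPO, sorted by name.
    Get-GpoSecurityFiltering | Sort-Object Gpo | Format-Table -AutoSize -Wrap
    ```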

  • Planning Security Filters not reflecting in Essbase filters for 2 of 4 cube

    We are using Hyperion Planning with essbase. In essbase we have 4 cubes in essbase (BSCF, EMP, IS, MGN). We would like to add security for the entity dimension as we don't use it currently but we do for other dimensions.
    I have created a new group (FIN_APAC) in SS so that restricted access be given to users in Asia for only their LE(s). Then I enabled security for the LE dimension in planning and set security filters through a command line load. For existing groups I gave write access to all LE members and for the new group (FIN_APAC) I gave write access to certain members.
    When I refresh the security filters in planning they should reflect in Essbase and it does for 2 cubes (BSCF & EMP) but for the other cubes (IS & MGN) the essbase security filters are NONE! In planning all the LE members are set to be included in all plan types.
    The main problem seems to be with this new group (CSR_FIN_APAC) as whenever this group is assigned the essbase filters are not assigned properly. For the existing groups that have added LE security for all members the security filters are updated for 4 cubes as expected.
    Any help appreciated
    x

    When you create a Planning application you can create 3 Essbase cubes as plan types. If you use Capex and Workforce you are able to create a max of 5 databases in Essbase version 11.1.1.3.
    If it is 11.1.2 you can add one more cube.
    In your question, have you created 4 Essbase cubes? Can you explain how that is possible?
    If all the LE members are in all plan types, that means in 3 Essbase cubes. When you refresh security from Planning to Essbase, that works fine.
    Can you explain the situation perfectly so that we are able to give an answer?
    Thanks,
    Suneel kanthala.

  • Wallpaper GPO + Loop-back Merge mode+ security filtering. issue

    I have deployed a loopback Merge Mode GPO to set wallpaper for all users who log on to specified workstations. And you have set security filtering to allow only workstations in a specified group to apply this GPO. Then you doubt whether users can apply the user configuration in the loopback GPO because they aren't in your security filtering allow list.
    So I think why not add the "Domain Users" group to security filtering. Then all domain users have both Read and AGP (Apply Group Policy) permission for user configuration in the loopback GPO.
    The loopback GPO only takes effect on computer objects in your specified OU, and your workstation group security filtering controls the apply scope, then the "Domain Users" security filtering grants permissions for all users.
    ========================issue is below================
    Now the GPO is applying to other workstations which are not part of the group filtered in the GPO.
    It's random, but not for all workstations..
    The workstations are XP operating systems..

    "Domain Users" or I would prefer "Authenticated Users" should only have Read, Not Apply Policy. 
    Enfo Zipper
    Christoffer Andersson – Principal Advisor
    http://blogs.chrisse.se - Directory Services Blog

  • IMPLICIT FACT & FACTLESS FACT

    Hello Gurus
    Can anybody please explain what an implicit fact is and what it is used for?
    And also
    Can anybody please explain Factless Fact and what it is used for?

    Follow this:
    1. open administration tool
    2. go to help
    3. click on Search tab
    4. type Implicit Fact
    5. you'll find only one topic in the results.. please read it and let me know your doubts on that..
    Coming to your next question...
    Factless Fact: ohhh, got these links after googling..
    http://www.geekinterview.com/question_details/31538
    http://dylanwan.wordpress.com/bi-and-olap-glossary/factless-fact-table/
    http://www.allinterview.com/showanswers/36017.html

  • How to Add multiple entry to the group policy security filtering

    How to Add multiple entry to the group policy security filtering
    Is there any way we can add multiple entries to the Domain group policy Security filtering tab? Currently it's not allowing me to add more than one entry at a time.
    Getting an error like "only one name can be entered, and the name cannot contain a semicolon. Enter a valid name"

    Hi
    Are you trying to add more users or groups through the Group Policy Management Security Filtering tab?
    Try right-clicking on the policy and then Edit.
    Then in the Editor right-click on the name of the policy and choose Properties.
    Go to the Security tab and add the user or group from this tab. Just make sure, if you are adding users or groups, that "Select this object type" has the correct option and also that "From this Location" is set to your entire directory, not the local server.
    Update us with the above.
    Thanks

  • New Group Policy not working on 2008 RDS in 2012 Domain - Security Filtering problem?

    We have a Windows 2008 R2 RDS in a Windows 2012R2 Domain. We want to lock down the 2008 RDS for Domain users that we have added to a new security group named "Data Collection Users". These users are "Domain Users" and log in to the 2008 RDS using Windows XP SP3 machines to run a specific application - they do not use their local desktops for anything. We added this group to the local RDU group on the RDS. We do not have any other users that log in to the RDS through terminal, including any Domain Admins.
    So far we have done these steps:
    1. On the DC, created new OU (called Terminal Servers) and moved the RDS into it.
    2. Opened Group Policy on the DC, and under GP Objects, created a new policy called "TS Users Lockdown".
    3. Linked the Policy to the OU.
    4. Under Security Filtering we removed the Authenticated Users, added the RDS computer account (called QS2), added the "Data Collection Users" and chose Allow for "Read" and "Apply Policy"
    5. Under Security Filtering, for Domain Admins, we chose Deny for "Apply Group Policy"
    6. We edited the Policy (under Computer Configuration>AT>SYS>GP) to Enable Loopback processing - Replace mode.
    7. We first tested the policy by trying to remove the "Run" from startup menu and "prohibit access to Control Panel".
    8. We ran the Group Policy force update from within GP Management - ran successfully.
    9. We did not reboot the RDS.
    Neither of the settings we tried in Step 7 worked. Why not?
    Here are images from the Security Filtering:

    Ok--Do I reboot the RDS or the DC?  or both?
    Does it look like my Security Filtering is correct?  I have seen posts where you should not remove the "Authenticated users"?

  • AGPM and security security filtering: gpos not showing up in uncontrolled tab

    Why does a GPO not show up in the uncontrolled tab? The only thing that is removed is "authenticated users" from security filtering of said GPO. Once I add authenticated users back, bang! It's back visible in the uncontrolled tab.
    Adding specific groups and removing authenticated users from security filtering is a standard practice to apply group policy. Can this not be used with AGPM?
    version 4.2

    Hi,
    For AGPM questions, in order to get accurate help, it's recommended that we ask for advice in the following dedicated AGPM forum.
    Microsoft Advanced Group Policy Management (AGPM)
    https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopagpm
    Best regards,
    Frank Shen

  • Subject area security validating users and groups from external table

    Hi all.
    I'm not in the habit of posting questions here, but there is one problem that doesn't seem to work correctly in OBIEE.
    I'm trying to put users in groups within an external table and this works fine.
    I put security on the subject area level like this:
    SA1 -> GroupA allow, Everyone not allow
    SA2 -> GroupB allow, Everyone not allow
    External table:
    User----------Group
    A---------GroupA;GroupB
    B---------GroupB
    Users A, B and GroupA, GroupB exist in the RPD, but I didn't put users inside them; I want this from the table.
    From the init block, external table, I'm taking users and joining them to the group. The same-name users and groups are also in the presentation service.
    When I connect with user A I don't see any subject area; when I go to My Account I see GroupA and GroupB in Group Membership, so it's read from the external table.
    Why in this case the subject area permission is not working?
    It works if I explicitly put users in groups, in the RPD.
    I have read this blog entry http://kpipartners.blogspot.com/2009/07/groups-webgroups-and-delivers.html and it is said that this works, but I'm interested how.
    What should we have in the presentation part, administration, Manage Privileges -> Access within Oracle BI Answers option for those two subject area?
    This doesn't work or something is missing:
    Re: Security on Subject Areas
    Regards
    Goran
    http://108obiee.blogspot.com

    > What should we have in the presentation part, administration, Manage Privileges -> Access within Oracle BI Answers option for those two subject area?
    Yes, you should remove Everyone and add the relevant groups to each Subject Area. You don't need to set privileges in the RPD, in fact that's probably why it doesn't work for you. Leave your RPD Presentation Catalog as "Everyone" = Read as you will be controlling access from the Presentation Services and it should work.

  • System 9 Security Filters and VB Essbase API

    I currently maintain a lock and send Excel template sporting a custom login dialog which I use to capture the user's employee id. Having that, I then use a generic admin username/password and the API to get the security filter stored under the user's "underscored" ID on the Analytic server. I parse out the organizational entities stored in the write filter and use that to build a treeview to which the user can only select entities to which he/she can access. Basically, it gives me the ability to maintain a standard template across many lines of business. I also use the same code in a security management applet where superadmins can build/modify/delete the security filters of those people who have access to entities which are descendents of the entity to which the superadmin has access.
    Anyway, I understand in System 9, there is no longer an "underscored" id. I think I read that on the Planning forum. Other than a minor code change, will this have any further impact? The write filter has been migrated over to the non-underscored filter yes? We're going to System 9 soon and I'm just trying to get my hands around the impact this is going to have on all of the API (7.1.6) code I have deployed. This is just the first question that came to me. I expect I'll be on here for a few more. Any help or advice is appreciated.

    I wouldn't copy Essbase.sec from one server to another. The server name is embedded in there and it's drive/folder dependent.
    What you can do is use MaxL's display filter all command and then pipe the output to a text file. In turn you can import those definitions back into Essbase with a little work.
    I wonder if OlapUnderground's Advanced Security Manager might be used to move filters across servers and versions:
    http://www.appliedolap.com/free-tools/advanced-security-manager
    I've personally never used it, but I'm sure someone on this board will chime in.
    Regards,
    Cameron Lackpour
