Instance row level security on BW
The scenario is that one crystal report is shared between different business units but the data needs to be secured. The report also needs to be scheduled in advance for performance reasons.
Option One: Copy the report to each BU folder and add a record selection specific for that BU. The issue is that you now have multiple copies of the same report and if you republish the reports you have to reapply the filters again. This will cause maintenance overhead and increased potential for user error.
Option Two: View Time Security (VTS), but as weu2019re not running against a standard data warehouse, we can't just add a security table to restrict the return set.
Option Three: What would be great is... Create instance security for a user group. i.e. Schedule report instance for user group u201CBU1u201D then set user security to u201Cview group instanceu201D. Currently, if you schedule for group, it will create an instance for every user of the group. i.e. there would be 100 identical reports, one for each user in the group.
Any thoughts on how to do this efficiently?
Please re-post if this is still an issue or purchase a case and have a dedicated support engineer work with you directly:
http://store.businessobjects.com/store/bobjamer/DisplayProductByTypePage&parentCategoryID=&categoryID=11522300?resid=-Z5tUwoHAiwAAA8@NLgAAAAS&rests=1254701640551
Similar Messages
-
Applying row-level security to crystal report instance
Hi
we have created crystal reports based on sap r/3 data using open sql driver and imposed row level security and published to BOE.The user when opens report with view on demand can see the data which he is supposed to see.
Is it possible to schedule a single instance of the crystal report and then all the users access the instance and see the data that they are supposed to see.If not what is the other way out.
Thanks in advance.
KamalHi,
I didn't try it so far
but I found this Link:
http://neverknewthat.wordpress.com/2007/11/06/row-level-security-trick-with-crystal-reports/
-> create Instance with full authorization
-> Join CR-Result with Customer-Table: User Authorization
Max -
Row level security with session variables, not a best practice?
Hello,
We are about to implement row level security in our BI project using OBIEE, and the solution we found most convenient for our requirement was to use session variables with initalization blocks.
The problem is that this method is listed as a "non best practice" in the Oracle documentation.
Alternative Security Administration Options - 11g Release 1 (11.1.1)
(This appendix describes alternative security administration options included for backward compatibility with upgraded systems and are not considered a best practice.)
Managing Session Variables
System session variables obtain their values from initialization blocks and are used to authenticate Oracle Business Intelligence users against external sources such as LDAP servers or database tables. Every active BI Server session generates session variables and initializes them. Each session variable instance can be initialized to a different value. For more information about how session variable and initialization blocks are used by Oracle Business Intelligence, see "Using Variables in the Oracle BI Repository" in Oracle Fusion Middleware Metadata Repository Builder's Guide for Oracle Business Intelligence Enterprise Edition.
How confusing... what is the best practice then?
Thank you for your help.
Joao Moreiraauthenticating / authorizing part is take care by weblogic and then USER variable initialized and you may use it for any initblocks for security.
Init block for authenticating / authorizing and session variables are different, i guess you are mixing both. -
Parent-child hierarcy - row level security
Hi,
Im using OBI 11.1.1.5 and have a problem about row-level security in parent-child dimension.
I have created a parent-child dimension, simlar to:
a1
--a1.1
----a1.1.1
----a1.1.2
--a1.2
----a1.2.1
By using a session variable 'SESVAR1', I want to restrict the visible hierarcy. For instance user 'a1.1' should only see:
a1.1
--a1.1.1
--a1.1.2
To do this I created a parent-child closure table with the whole dataset. Then I created a physical table using select statement with my session variable in repository. Whenever I viewed data in repository, it showed the correct set.
I created a parent-child dimension, using the original parent-child closure table. But since current distance values are different from the original hierarcy, I can not managed to build a security such a security system with this method.
How can I build a security system, that a member can only see its child hierarchy only?
Thanks for answers and links...
Edited by: user4516917 on 16.Nis.2012 06:54
Edited by: user4516917 on 16.Nis.2012 06:55According to searches I made in support.oracle and google, it seems that it is not possible to view just a branch of a parent-child tree. Because the closure table is static. Therefore, you can not change the distances of objects dynamically.
This parent-child ability is very frustrating for me. As I understand, parent-child dimension ability can only be used in read-only sources. Any filtering or dynamic changes does not seem possible in this structure. Any changes on parent-child table requires parent-child relation table to be rebuilt.
I couldnt find any functionality of indexcol or choose functions in parent-child dimensions. I think they can only be used in level based dimensions.
Any comments appriciated.. -
[Security] Row-level security in ADF
Hi all,
I want to implement row-level security in my application, the scenario is like this:
There are several users that connect to the application
These users are authenticated in some way (XML file, OID, DB)
When each user wants to access (Select, Update, Delete) an ADF Table, either updatable or read-only, a predefined 'where condition' based on that table and the operation the user wants to do, must be concatenated to his DML, transparent from the user.
So if for example a user queries the Emp Salary table only records with salary < 10K/Month will be fetched from the underlying table. This should be done automatically and not hard-coded in the application.
I have tried VPD and it has some useful features but my problems are:
1) Where and how to define the 'where conditions'?
2) How to attach the 'where conditions' to the executing DML?
3) What is the best way to make DB know which user is really executing DMLs? (Not a single Application Server admin user)
4) What is the best authentication approach?
Any helps will be really appreciated.
S/\EE|)Hi,
yes you can. Database proxy user is setup in the prepare session method as well and EUS can be configured to take the J2EE username to then re-connect the app to teh database schema
public void prepareSession(SessionData SessionData)
super.prepareSession(SessionData);
oconn = ((PrxyTransactionImpl)this.getDBTransaction()).getPrxyConnection();
// Specify the user that connects through the proxy user and its roles
Properties prop = new Properties();
prop.put(OracleConnection.PROXY_USER_NAME,"hr");
//prop.put(OracleConnection.PROXY_ROLES, roles);
String appContext = "Begin ctxhrpckg.set_userinfo('"+getApplicationUserName()+"'); END;";
java.sql.CallableStatement st= null;
// Open the proxy session (DB-authenticated users)
try
oconn.openProxySession(OracleConnection.PROXYTYPE_USER_NAME, prop);
st = getDBTransaction().createCallableStatement(appContext,0);
st.execute();
catch (SQLException e)
e.printStackTrace();
package oracle.sample.dbprxy.adfbc;
import oracle.jbo.server.DBTransactionImpl2;
import oracle.jbo.server.DatabaseTransactionFactory;
* TransactionFactory that returns PrxTransactionImpl, which is a subclass of
* DBTransactionImpl2
* @author Frank Nimphius
public class PrxyDatabaseTransactionFactory extends DatabaseTransactionFactory
public PrxyDatabaseTransactionFactory()
super();
* Override the create method to return an instance of PrxyTransactionImpl instead
* of DBTransactionImpl2
* @return PrxyTransactionImpl
public DBTransactionImpl2 create()
return new PrxyTransactionImpl();
package oracle.sample.dbprxy.adfbc;
import oracle.jbo.server.DBTransactionImpl2;
import oracle.jdbc.OracleConnection;
public class PrxyTransactionImpl
extends DBTransactionImpl2
public PrxyTransactionImpl()
super();
* The DBTransactionImpl2 does not expose the connection in a public
* method. This class is a wrapper to expose the connection to the
* BC app, so it can be accessed in the ApplicationModuleImpl class
* @return OracleConnection - SQL Connection
public OracleConnection getPrxyConnection()
return (OracleConnection) this.getJdbcConnection();
}Note that for EUS ApplicationModule pooling should be disabled
Frank -
Row level security in Xcelsius through scheduled reports?
Hi Experts,
Our requirement is to implement row level security in Xcelsius dashboards from SAP BW source through Bex queries which would have authorization variables. We have seen that these Bex authorization variables work in Webi reports and security is applied appropriately. But do they work in upto Xcelsius as well, if we use Live Office Parameter binding option? If it does, then do we need to create prompts agian in Webi?
We have also seen that security is applied if we use the BICS (SAP Netweaver native connectivity) option. However our objective is to schedule as many reports as possible in the dashboard to save on report refresh time at run-time, which is not possible is BICS or QAAWS. Therefore the best option for us would have been if we could apply row level security on scheduled reports.
Can you please advise on the best approach? Your help is greatly appreciated.
Thanks,
SougataSince you are using BEx queries as data sources authorization variables is the only way to apply row level security. This will work fine also for XCelsius dashboards that run in the InfoView (in an SAP logon context eg. when the user uses it's SAP credentials to login into the InfoView) and fetch data on-demand over LO from your WebI reports. Just make sure that the underlying webi reports are set to use SSO.
If you are using scheduled report instances no row level security is applied depending on the context of the user that started the dashboard. XCelsius will get the data that have been saved in the instances. In this case the row level security has been already applied at the moment the report instance was created BUT for the user who scheduled the reports to run.
Regards,
Stratos -
Help with implementing Row Level Security in Interactive Reporting
We're deploying Hyperion BI+ 9.3.1, using Workspace and Interactive Reporting. I'm researching how we can use the Workspace row level security option. I've read what's available for documentation in the Workspace Administrator Guide and the Interactive Reporting Users Guide. I understand the concept of setting up rules with row_level_security.bqy, but I'm confused about where these tables should go and what actually happens when I go to Workspace > Administrator > Row Level Security and turn it on.
The Administrator's Guide tells me the "properties" are stored in the repository, but the "rules" are in the "data source". Does that mean my BRIOSEC* tables go in the database I'm running my reports from? If so, then what's the data source I'm filling in on Workspace > Administrator > Row Level Security?
I have many different database connections going to different Oracle and SQL*Plus instances, and I don't want to apply row level security to all of them. How does Workspace tell the difference between them? If I enable rules but create a report from a database that doesn't have rules defined for it, what happens?The 3 tables used with the RLS are stored in the same schema as your repository by default.
The RLS store all the Rules for any database that you are using.
You define the rules based on the tablename (owner.tablename) and the column name. -
Reports XI: Infoview behavior with Row Level Security
Post Author: pwilliamsbssp
CA Forum: General
I have a report that is based off a business view that has project information with an additional table used to assign report users to certain clients (each project has a client). A filter is used to assign the report user to the current ce username.The report is scheduled by the administrator login. Each user goes to view their report on Infoview and is able to view data for only those clients specifically assigned. This functionality seems to work fine - everyone views one instance of the report and InfoView assigns the row level security.However, I'm running into a problem viewing report histories when adding or changing client assignments. The historical reports come up either blank or with erroneous information (such as the current week's information instead of the previous week's data saved with the instance of the report). I have not found a logical link between the behavior of the historical reports and the specific users. Some can see one week and not another while others have the reverse, regardless of their security assignments.Does anyone understand the behavior of view historical reports with row-level security? I have no idea what data/metadata is saved with each report instance and when the row-level security is being read. Is it read when viewing the report? or, is it specific to the structure of the data when the report was run?With other reports using the same row-level security model I'm able to view the historical reports although it has the client assignments at the time the report was created. But, at least I'm able to view the reports.Any insight welcome.Patrick WilliamsPost Author: pwilliamsbssp
CA Forum: General
Bump. Anyone is welcome to tackle this question. Please. -
Tips on Implementing Row Level Security
Dear All,I am currently trying to implement row level security in Hyperion Intelligent version 8.2. The user guide is straight forward on explaining the steps. However, when I tried it, the row level security does not filter the information at all eventhough I have set the row level security setting in System Administration. Is there Anyone who can share their problems and experience when implementing row level security in Hyperion Intelligent version 8?Regards,Ricky
I don't believe you need the bqy file anymore, as you set up the ODBC to connect to the database of the EPM Workspace since it contains the 3 tables (BRIOSECG, BRIOSECP, BRIOSECR).
(I don't have an EPM instance with IR installed to check currently).
Note: from the docs quoted earlier:
If you want to implement row-level security in Reporting and Analysis, keep these points in mind:
At least one Hyperion Interactive Reporting Data Access Service instance must be configured to access the data source storing your row-level security information.
The database client library should be installed on the computer where the Hyperion Interactive Reporting Data Access Service is running.
The data source for the Reporting and Analysis repository that has the row-level security table information should be configured.
For security reasons, the user name and password to access the data source should differ from that used for the Reporting and Analysis user account.
Regards, Iain -
Row Level Security not working for SAP R/3
Hi Guys
We have an environment where the details are as mentioned below:
1. Crystal Reports are created using Open SQL driver to extract data from SAP R/3 using the SAP Integration Kit.
2. The SAP roles are imported in Business Objects CMC.
3. Crystal Reports are published on the Enterprise as well.
3. Authorization objects are created in SAP R/3 and added as required for the row level security as mentioned in the SAP Installation guide as well. The aim is when the user logs into the Infoview and refreshes the report he should only see data that he is meant to so through the authorization objects.The data security works very much fine when the reports are designed directly on the table but when the reports are built on the Business View it doesnt work hence the user is able to see all data.
Any help in this issue is greatly appreciated.
Thanks and Regards
KamalHi,
In order for row level security to work for you using the OpenSql driver, you need to configure the Security Definition Editor on your SAP server. This is a server side tool which the Integration solution for SAP offers as a transport.
This tool defined which tables are to be restricted based on authorizations.
However since you are seeing the issue on reports based on Business Views, you need to identify whether the Business View is configured in such a way where the user refreshing the report is based on the user logging into Infoview. If the connection to your SAP server is always established with the same user when BV is used then you security definition is pointless.
You can confirm this by tracing your SAP server to identify what user is being used to logon to SAP to refresh the reports.
thanks
Mike -
Row level security at universe design level
Hi,
I am creating a Universe layer on top of non SAP OLAP cube ( from MS Analysis Services 2005 ) .
My concern is that can we maintain the row level or data level security at universe design level or if i am using that universe in creation of WEBI report so is there any possiblity to maintain this security at WEBI level.
Regards,
Mishra Vibhav.Thanks for the reply.
Much Appriciated.
My only concern is that i read in the Universe Designer developer guide that it does the row level security so can eloborate a bit about how we maintain at Universe level.
Warm Regrads,
Mishra Vibhav -
Row level security in BI Publisher
Hi All ,
I am using BI publisher for reporting on Siebel system.The issue I am facing is regarding row level security.Even if I am logging with Employee Id, when I generate report ,I have acess to all the information of the other employees.
e.g. If as a cashier I made some entry , when I generate report on collection made by me, its bringing me all the collections made by other cashiers also.
I am generating these report from siebel side.I am not sure if we can apply the rowlevel security to BI Publisher.
Does anyone has used Siebel or EBS with BI Publisher and have row level security ? I am also not sure How to see the reports by loging into BI Publisher .If I am using Siebel or EBS, what is going to be my Data Model or Data Set.
Can anyone help me on this?
Thanks!!Oracle HRMS has its own security built-in to the schemas. Other modules you will need to customize for your own use.
-
Setting up Row Level Security in EPM 11.1.1.3
I have been following the Administration guide but failed to setup row level security in EPM 11.1. Please advise which part of my steps are wrong. (note I am using MS SQL Server for the EPM Shared Services and Workspace database, everything under Windows env)
i) Enable row level security in Workspace.
Step 1) Define a ODBC Data Source named "EPM_WS" in Windows. The ODBC Data Source points to the MS SQL Server database of EPM Workspace since it contains the 3 tables (BRIOSECG, BRIOSECP, BRIOSECR) related to row-level-security.
Step 2) Login to workspace, select "Administer"->"Configuration Console". Edit "Interactive Reporting Data Access Services" and add a data source with ODBC->MS SQL Server -> "EPM_WS" as the name of datasource. Restart "Interactive Reporting Data Access Services".
Step 3) Login to workspace, select "Administer"->"Row Level Security". Check "Enable Row Level Security", Choose ODBC->MS SQL Server-> fill in "EPM_WS" as Data Source Name"-> Provide correct user name and password. Click "Save Properties"
Step 4) It always prompt "Server error setting the Connectivity. Recommended Action: Logoff and logon again. If problem persists contact your local security administrator."
Any log I can inspect for the connectivity error?
ii) Configure Row Level Security setting
I know that for Hyperion IR, there is a file row_level_security.bqy comes with the installation. User can use this bqy file to configure the actual row level security setting. However, I cannot locate this bqy file in the EPM 11.1 installation. What is the proper step for setting up the row level security configuration?
thank you very much.I have been following the Administration guide but failed to setup row level security in EPM 11.1. Please advise which part of my steps are wrong. (note I am using MS SQL Server for the EPM Shared Services and Workspace database, everything under Windows env)
i) Enable row level security in Workspace.
Step 1) Define a ODBC Data Source named "EPM_WS" in Windows. The ODBC Data Source points to the MS SQL Server database of EPM Workspace since it contains the 3 tables (BRIOSECG, BRIOSECP, BRIOSECR) related to row-level-security.
Step 2) Login to workspace, select "Administer"->"Configuration Console". Edit "Interactive Reporting Data Access Services" and add a data source with ODBC->MS SQL Server -> "EPM_WS" as the name of datasource. Restart "Interactive Reporting Data Access Services".
Step 3) Login to workspace, select "Administer"->"Row Level Security". Check "Enable Row Level Security", Choose ODBC->MS SQL Server-> fill in "EPM_WS" as Data Source Name"-> Provide correct user name and password. Click "Save Properties"
Step 4) It always prompt "Server error setting the Connectivity. Recommended Action: Logoff and logon again. If problem persists contact your local security administrator."
Any log I can inspect for the connectivity error?
ii) Configure Row Level Security setting
I know that for Hyperion IR, there is a file row_level_security.bqy comes with the installation. User can use this bqy file to configure the actual row level security setting. However, I cannot locate this bqy file in the EPM 11.1 installation. What is the proper step for setting up the row level security configuration?
thank you very much. -
How to check the row level security in TOAD for oracle
Hi ,
for ex, i have 2 types of users
normal user and super user
super user can see the group set (some column name) created by normal user
but normal user can not see the set created by super user
this set crestion aslso has 3 types "U','P',S'
P & S can be viewed by even normal user
but U should not
so here we are having some row level security for the normal user .....
So, in TOAD for oracle how to check that......
Let me know if i'm not clearLike
I'm the super user....
And some records are inserted to a table by different users ('a' , 'b', etc....)
So,if user 'a' logins then he can be able to see only the records inserted by 'a' only...
how to see in TOAD where such type of scripts (filter conditions) are written..... -
Row level security in Hyperion System 9 - 9.3.1
Hi Gurus,
I have a requirement where the users get to see records in a table based on their localization code. This is currently implemented using views.
The view has a set of conditions which checks the localization table with te employee table. For example, if any of the first manager, second manager etc.. localization code
matches then they get to see records for that location.
The RLS in Hyperion uses Groups to assign security rules. But in my case, the determination is dynamic based on the localization code. And these things change depending on employee movement, transfer, promotion etc..
In such a scenario, can I use RLS only if I know a set Groups of users and where they belong to? Can RLS accomodate my above said requirement?
zFollow the steps in the following link to set up OID and Row level security:
http://www.rittmanmead.com/2007/05/21/using-initialization-blocks-with-ldap-and-database-queries-to-control-authentication-and-authorization/
Instructions for the link above:
1.In place of Edit Data Source as database you have to select LDAP,define the groups and default initializer as filter expression.
2.A more simpler approach ,is to create the groups explicitely using the Security Manager in BI Administrator, add filters to those groups, and assign users to those groups.
Otherwise follow Matt's view
Thanks,
Amrita
Maybe you are looking for
-
Can no longer read plist files
I've got a script that iterates through a list of hostnames, connects to each host, looks for the existence of a list of applications, and if they exist reads their Info.plist for the version. This worked seamlessly until a couple of days ago. The
-
Error installing CS5 Illustrator (Exitcode 6)
Hi, We got this error when installing Illustrator from the CS5 suite. PS and ID installed just fine. Insttallation on iMac late 2012/2013, OSX 10.8.2, german locale. -- START -- Exit Code: 6 Please see specific errors and warnings below for troubles
-
Hello I don't know what else to call it! I have a 20" iMac (2 months old) with a Benq 19" (1 yr old) as external display. Never had any troubles then moved a window from iMac to Benq and the inside of the window became a conglomeration of brightly co
-
im trying to contact customer service but the wait time is too much, and i tried email but the link is not working so im stuck talking to no one! if there is anyone out there that li'ves in Califonia, Los Angeles and has a different number to custome
-
Publishing Business Objects Reports in Portal
Hi All, 1. In BO we have different reports like, web intelligence, crystal, deski reports. By default sap provided two iviews A) Business Objects Enterprise Integration Kit - IView Template B) Crystal Enterprise Report By using Busine