Level 0 Security Filter

Similar Messages

• Data level security filter to groups imported from database

  The groups that a user belongs to are stored in a table in the database. How do I create a group in the rpd to define data level security filters when the group name is retrieved from the database table depending on who logs in. One user can be a part of several groups.
  Please help.

  I created the groups manually in the rpd first and assigned security filters to the group. The same group was created in the presentation services assigning some object level security (dashboard pages visibility). But the user picks the groups (row wise initialization) correctly and not the security filters applied to the group in the rpd. The privileges to the group in the presentation services works fine. Why is the group definition in the rpd being bypassed.

• Issue with write Security filter in ASO 9.3.1

  Hello All -
  I'm having a strange security filter issue in system 9.3.1 ASO cube. We've the native users for the ASO cube and created several write security filters based on cost centers in that cube.
  For example, the below security filter sometime works, and sometime not:
  Write "Adjustments", @RELATIVE ("S532179", 0), @RELATIVE ("S587724", 0), @RELATIVE ("S525701", 0)
  There are total 8 standard dimensions in the cube. I tried all possible combinations to make it work constantly, but it doesn't. Even modified the filter like below so that it has all dimensions (using LEVMBBRS, IDESCENDANTS, RELATIVE) , still users can't load data at level 0 members.
  Write @LEVMBRS ("Chart of Accounts",0),@LEVMBRS ("Full Year",0),@LEVMBRS ("Business Unit",0),@LEVMBRS ("Fixed/Variable",0),@LEVMBRS ("Source",0),@LEVMBRS ("Products",0),@LEVMBRS ("Scenario",0),@LEVMBRS ("Cost Center",0)
  It looks like the user and filter association is not working. If I give the user direct write access to the cube (bypassing filter totally), the users can write fine. Please help!

  I didn't know that the logs didn't work; I tested it and they are not generated for ASO updates in 9.3.1. I didn't see any other setting that would cause them to be created; my guess is that the logs are created based on block manipulations that Essbase does internally using BSO. As there are no blocks in ASO then the same algorithm doesn't apply.
  We log Essbase changes in our Dodeca product but we use a different algorithm. We evaluate the update in our server before committing the changes and generate a relational log that has the datapoint information plus the old value, new value and standard 'who' information for the person making the update.
  Tim Tow
  Applied OLAP, Inc

• Data level Security in Essbase

  I have an requirement to implement data level security in Essbase. For ex: A user can only see those data which are from Asia region or an user will be able to see those data which are from America.
  Asia and America are defined in my location dimension.
  Please tell me how to do it?
  Regards,
  Suman

  to make your security maintenance easier, I would suggest putting the users into groups and assigning the filters to the group. If you do it at the indivual level, the user can only have one filter assigned to them, but each group could have a different filter. So for someone who should see Americas and Asia have a group calle America and one called asia. put the user into both groups and assign the america filter to the first group and asia filter to the second group

• How to check the row level security in TOAD for oracle

  Hi ,
  for ex, i have 2 types of users
  normal user and super user
  super user can see the group set (some column name) created by normal user
  but normal user can not see the set created by super user
  this set crestion aslso has 3 types "U','P',S'
  P & S can be viewed by even normal user
  but U should not
  so here we are having some row level security for the normal user .....
  So, in TOAD for oracle how to check that......
  Let me know if i'm not clear

  Like
  I'm the super user....
  And some records are inserted to a table by different users ('a' , 'b', etc....)
  So,if user 'a' logins then he can be able to see only the records inserted by 'a' only...
  how to see in TOAD where such type of scripts (filter conditions) are written.....

• Group Level Data Level Security not working

  I'm trying to test the data level security at the group level.
  Here's what I did
  1. Went to the security -> Groups -> Permissions -> Filters
  2. In Name added the Fact table on which I want to filter.
  3. Selected "Enable"
  4. In Filter Column I added a filter on a column in the dimension. (I didn't use any session variables in the filter)
  When I create an answers query with the column from the dimension (Which I used in filter) and fact from the fact table where I defined the filter, the filter is not applied..
  Am I missing something in the creation of filters?
  Thanks in Advance.
  Rama.

  Hi,
  If the user is member of both user defined and Administrator group no filter will be applied to them because Administrator group will take precedence and no filter can be applied to Administrator.Even if you ooen Administrator group, you will see that permission tab is disabled for Administrator group.
  Hope this helps.
  Regards,
  Sandeep

• Database Level Security not working ???

  The 10 g (10.1.2.1) documentation states the following:
  Chapter 7 Controlling access to information:
  "Regardless of the access permissions and task privileges that you set in Discoverer Administrator, a Discoverer end user only sees folders if that user has been granted the following database privileges (either directly or through a database role):
  ex: SELECT privilege on all the underlying tables used in the folder "
  So how come a folder (view in my case - not table) cannot be queried directly by a user, but the folder still shows up a choice when building a report using PLUS ? I am misreading the above ? For is sounds lilke to me if the user account does not have SELECT privilege then they will not see the folder in Discoverer ?
  Anyone run into the same issue or have an explanantion ?
  thanks
  OBX

  I think the user has access to see all the folders in the business area in Discoverer if he has permission to do so. This is a Discoverer level security to filter people who should not have access to the business area at all. You'll find that although they can see these Discoverer folders because the permission is set in Discoverer Administrator, that the database tables they are based on will not allow the users to see any of the data if they don't have those rights at the database level.

• Row level security in Hyperion System 9 - 9.3.1

  Hi Gurus,
  I have a requirement where the users get to see records in a table based on their localization code. This is currently implemented using views.
  The view has a set of conditions which checks the localization table with te employee table. For example, if any of the first manager, second manager etc.. localization code
  matches then they get to see records for that location.
  The RLS in Hyperion uses Groups to assign security rules. But in my case, the determination is dynamic based on the localization code. And these things change depending on employee movement, transfer, promotion etc..
  In such a scenario, can I use RLS only if I know a set Groups of users and where they belong to? Can RLS accomodate my above said requirement?
  z

  Follow the steps in the following link to set up OID and Row level security:
  http://www.rittmanmead.com/2007/05/21/using-initialization-blocks-with-ldap-and-database-queries-to-control-authentication-and-authorization/
  Instructions for the link above:
  1.In place of Edit Data Source as database you have to select LDAP,define the groups and default initializer as filter expression.
  2.A more simpler approach ,is to create the groups explicitely using the Security Manager in BI Administrator, add filters to those groups, and assign users to those groups.
  Otherwise follow Matt's view
  Thanks,
  Amrita

• Issue in Implementing OR Logic in Security Filter for Essbase in OBIEE

  I am implementing OBIEE using Essbase as the data source. The requirement is to implement OR logic in the security filter. And I got error message from the MDX query generated by OBIEE. Below is the details. Anyone knows how to solve this issue? Thank you very much.
  1.     The “Booking Location” dimension has three hierarchies (ragged hierarchies).
  http://img.photobucket.com/albums/v216/stewart_life/1.png
  2.     I only want to take the first hierarchy, which is “Total booking”. Thus, I filter the Logical Table Source of “Booking Location” in the business model layer.
  http://img.photobucket.com/albums/v216/stewart_life/2.png
  3.     The “Incorporation Country” dimension doesn’t have any multiple hierarchies.
  http://img.photobucket.com/albums/v216/stewart_life/3.png
  4.     Thus, I don’t filter the Logical Table Source of “Incorporation Country” in the business model layer.
  http://img.photobucket.com/albums/v216/stewart_life/4.png
  5.     I filter the permission of a user. This filter applied to the fact table (RISK) in the business model layer.
  http://img.photobucket.com/albums/v216/stewart_life/5.png
  6.     Then the filter applied so that the particular user can only see the data where the Incorporation Country level is Singapore OR the Booking Country level is Singapore:
  "Risk"."Incorporation Country"."Country" = 'SINGAPORE (INC)' OR "Risk"."Booking Location"."Booking Country" = 'SINGAPORE (CBE)'
  http://img.photobucket.com/albums/v216/stewart_life/6.png
  7.     Here is the first report that is working fine if run by a user without any security filter.
  http://img.photobucket.com/albums/v216/stewart_life/7.png
  8.     The result of that report when run by the user whose security filter above has been applied to.
  http://img.photobucket.com/albums/v216/stewart_life/8.png
  9.     The MDX query generated from that report is shown below. Note that the error refers to the line 4, which is in bold below. Somehow, the query generated always include Incorporation Country and Booking Location in the “With” clause, since both of them are placed in the security filter.-----
  Sending query to database named Risk-MI Essbase (id: <<399750>>):
  With
  set [Booking Location2|http://forums.oracle.com/forums/] as '{[Booking Location|http://forums.oracle.com/forums/].[Total booking|http://forums.oracle.com/forums/]}'
  set [Booking Location4|http://forums.oracle.com/forums/] as 'Generate({[Booking Location2|http://forums.oracle.com/forums/]}, Descendants([Booking Location|http://forums.oracle.com/forums/].currentmember, [Booking Location|http://forums.oracle.com/forums/].Generations(4),SELF), ALL)'
  *set [Incorporation Country4|http://forums.oracle.com/forums/] as ''*
  set [Time3|http://forums.oracle.com/forums/] as 'Time.Generations(3).members'
  set [Year2|http://forums.oracle.com/forums/] as 'Year.Generations(2).members'
  member Measures.[MS1|http://forums.oracle.com/forums/] as 'Rank(Time.Generations(3).Dimension.CurrentMember, Time.Generations(3).Members)'
  set [Axis1Set|http://forums.oracle.com/forums/] as 'crossjoin ({[Booking Location4|http://forums.oracle.com/forums/]},crossjoin ({[Incorporation Country4|http://forums.oracle.com/forums/]},crossjoin ({[Time3|http://forums.oracle.com/forums/]},{[Year2|http://forums.oracle.com/forums/]})))'
  select
  {Measures.[Netted EAD|http://forums.oracle.com/forums/],Measures.[Netted Nominal|http://forums.oracle.com/forums/],Measures.[Wt_LGD|http://forums.oracle.com/forums/],
  MS1} on columns,
  NON EMPTY filter({[Axis1Set|http://forums.oracle.com/forums/]}, [Incorporation Country|http://forums.oracle.com/forums/].currentmember IS [Incorporation Country|http://forums.oracle.com/forums/].[SINGAPORE (INC)|http://forums.oracle.com/forums/] OR [Booking Location|http://forums.oracle.com/forums/].currentmember IS [Booking Location|http://forums.oracle.com/forums/].[SINGAPORE (CBE)|http://forums.oracle.com/forums/]) properties ANCESTOR_NAMES, GEN_NUMBER on rows
  from [http://RISK-P.RISK]
  where ([CRG (ORG)|http://forums.oracle.com/forums/].[Good Book (ORG)|http://forums.oracle.com/forums/], Method.ADV)
  +++stewart:370000:370021:----2009/02/17 13:56:06
  Query Status: Query Failed: Essbase Error: Syntax error in input MDX query on line 4 at token '''

  From what I have read on this forum, people have managed to get the DC In Board replaced for a little over US $100. This would be at an Apple authorized repair shop rather than by Apple itself. This is much less than the cost of a new MacBook. I don't know what might be available in your area, but it would be worth asking at a repair shop.
  Good luck!

• How to implement row level security using external tables

  Hi All Gurus/ Masters,
  I want to implement row level security using external tables, as I'm not sure how to implement that. and I'm aware of using it by RPD level authentication.
  I can use a filter condition in my user level so that he can access his data only.
  But when i have 4 tables in external tables
  users
  groups
  usergroups
  webgrups
  Then in which table I need to give the filter conditions..
  Pl let me know this ...

  You pull the Group into a repository variable using a session variable init block, then reference that variable in the data filters either in the LTS directly or in the security management as Filters. You reference it with the syntax VALUEOF("NQ_SESSION.Variable Name")
  Hope this helps

• Data Level Security implementation question

  I had a quick data-level security scenario and wanted to solicit any input from the experts.
  In our current Subject Area we have one Presentation Layer using one Business Model. In this Subject Area have a Task and Employee Dimension. There is row-level Security on the Task Dimension that is done in the Business Model on the LTS Content tab. There are a batch of reports built off this Subject Area.
  There is now a request to build a new batch of reports, however, they want to now filter on the Employee Table and NOT filter on the Tasks. So the opposite of what has been applied above.
  From my perspective there are only a few ways this Security can be applied
  Business Layer: Basically either create an Alias of Employee and Task or build a second LTS for both. Then create new columns and map to these accordingly. Basically have 2 of each column in the Business Layer. One with Security applied and one without.
  Presentation Layer: Created a second Presentation Subject Area and apply the security at the Presentation Layer and remove it from the Business Layer.
  I know a third option could be put security on the Role/Group but for this case these reports are open to everyone.
  I'd just like to verify from the experts that I may have covered all solutions for this scenario or if there are any other suggestions?
  Thanks!

  Alright...
  If you have two LTS say A & B (basically duplicate) then add a column say LTS Indicator and assign 'A' for LTS A and 'B' for LTS B. Add the fragmentation content and apply the security filter and you can also create two different Presentation folders under same Subject Area if users have Answers Access so that the users know if they are querying for LTS A or LTS B.
  Similarly, build your reports making use of LTS indicators which will BI server to pick correct LTS. Say, where you want LTS A to be picked...use filter of LTS Indicator = 'A' and thats it.

• Authorization: data level security by cost center to finance line items

  We have a business unit request requiring implementation of cost center data level security through FI transaction codes for financial line items.  Example requirement:  Cost center manager can execute FS10N GL account line item display, drill into the balance and only return those line items to which the cost center manager has access.   Cost center managers currently report their cost center expenses via cost center accounting report and through those reports are able to drill into the FI line items to display document and line item details.  Cost Center managers, due to their varied responsibilities, also have access to tcode FS10N, from which if they execute reports directly, can access data for cost centers which they are not responsible for.
  Our security team has stated that the determination of authorization objects which are checked at transaction code/program execution are not configurable.  We’ve found when debugging that it would be possible to implement user exits for additional authorization checks, but that in order for the authorization check to actually get called, the object must be set as ‘checked’ within SU22/SU24.
  Has anyone had a request to implement such cost center data level security for financial line items through Financial transaction codes?  If so, what steps were taken to be implemented?   Was this able to be accomplished via security configuration and PFCG security role updates or was custom code logic needed?  If custom  logic was needed, to what extent was this implemented (what tcodes/programs were included; how was the decision of what to include and exclude determined).   What was the duration of this effort?
  Has anyone had a request to implement such cost center data level security request for financial line items via Financial transaction codes and not implemented the request?  How was this communicated to the business that the request for data level security goes against SAP’s authorization design?
  Thank you in advance for your input,
  Becky Zick

  Hi Becky
  Have you tried with object K_REPO_CCA? You have available these fields to filter authorizations.
  I hope this helps you
  Regards
  Eduardo

• Data level security in OBIEE

  We have implemented data level security by applying filters on groups in Obiee Administration tool. Here we have set filter on division(which is a column in Customer table). This is done so that user can see data for division for which he has access.
  When user creates report which consists of division column filter is working fine. E.g. if user1 has access to division1
  and when user1 cretes a report for (customerName,division,sales columns) he can see sales of customers belong to division1. But if user1 cretes report which does not contain division column e.g.(customerName,sales columns report) he can see all the customers sales data. How can we aoide that. We want User1 to see division1's data only irrespective whether division column is there in report or not.
  Can any one suggest what should be done to achive this.
  Thanks,
  Avdhut

  Hi friend,
  You need to create group of users and then apply filters over that groups.
  you should establish an additional filter for group1 (user1 belongs to group1 in your example). Follow next steps:
  - Manage -> Security...
  - Groups -> click right group1 and select propierties.
  - Select button 'Permissions...'
  - Select tab 'Filters' -> add new filter.
  - On the column name select the metric you need filter, in your example, customer sales. On the column 'Business model filter' put table.division=division1
  I hope this can help you.
  Good luck.

• Data level Security with Oracle Apps as Source

  Hi all
  I am implementing Data level Security with Apps as Source(OLTP) on Single Sign On.(Oracle has provided the Vanila rpd & we are working on that)
  I need to Filter data based on Business Group, Users are created in Apps and they are registered with some Responsibilities.
  (for eg, OBI User CHINA is a Responsibility; Now he will get only Business Group ID for China)
  I have created Groups in rpd with same name as the responsibility in Apps.
  I have created Initialization Blocks from which I m getting only 1 business group ID for every :USER.(I tried the code in TOAD & I m getting the correct BG ID)
  I have created Group in WEB with the same name as the Group name in rpd.
  If I say show all Users and Groups in WEB, I m getting the APPS Users.
  I hv Reloaded the server metadata files and restarted the BI Server/WEB Server also...
  But in the Report, I m getting all the Business Group Ids,
  Plz advice if I m doing something wrong.
  ThanQ
  Anand

  You need to be creating your "business groups" as a group in the RPD, init blocks to retrieve the user business group at login. Filters in the Logical table sources to restrict data to relevant business groups only.
  Presentation 'Web Cat' groups with the same name as the RPD groups so a user inherits membership automatically.
  I'd suggest sourcing a vanilla OBIA rpd to see how it is implemented out of the box.

• Row level security in OBIEE 11g

  Hi guys,
  We have a business intelligence project in OBIEE, and I have a question regarding row level security (RLS).
  Specifically, I have an hierarchical organization with users belonging to different structures. If one user belongs
  to a structure that is above another structure in hierarchy, then he should see both data from his structure and
  the of the users in structures bellow it. In the reports, we must have filters implemented respecting this requirement,
  i.e. if one logs in OBI and accesses the report, he should see in the filter "Users" only subordinate users and respectively
  data displayed in the report should be filtered accordingly. How would you suggest to implements this type of security
  in the data model? And how could I create the type of filter mentioned above?  

  This needs to be implemented in 3 different levels. 1. in database  2. in RPD  3 in reports
  1. You need to have facts or dimensions which have columns through which you can filter based on their hierarchy. e.g position in an organisation or department in the hierarchy table which can be joined to fact.
  2. In rpd you need to create a session variable and initialize it using init block based on the user who is logging in. This variable will be you position or department through which you want to filter based on hierarchy. e.g select position from hierarchy_table where user= 'NQSession(user)' . The resulting position value will be used as a filter.
  3. Add this position variable as a content filter in your LTS in you BMM layer.
  4. You can also use this session variable  as a filter in you reports too.
  hope this helps.
  Senthil