Obi 11g row level security not working
All,
I am very familiar and have worked with obi 10g row level security and it works pretty easily. Now in 11g not so easy. I am basically setting permissions on data filters on app roles as per the new 11g instructions and meta data guide, however, I never see the filters being applied in the report and also in the nqquery.log. I have tried in vain, and nothing. The filters are never being applied for the test user. I even verified the user is in the specified app role via their my account->app roles tab. Now has anyone had this experience or now is there something that must be done additionally now.
Very frustrated... ;(
Ok, so I have found the solution and ultimately the answer to why the object level and row level security was not being applied. It so happens that the app policy: 'resourceType=oracle.bi.server.permission, resourceName=oracle.bi.server.manageRepositories all' not only allows the management and access to online RPDs; but, IT ALSO DOES NOT APPLY SECURITY/PERMISSIONS IN THE RPD TO THAT USER thus you are super user. So the OOTB BIAdministrator app role which my AD user was being assigned never had any security applied due to this. How I tested:
1) I created a test user
2) Assigned that user to the BIAuthor app role and saw that they had the security applied that I was testing, which was simple object denial and row-level security to just one year on the date dim.
3) Since it was working, I then assigned that user to the BIAdministrator role. This produced that the test user now does not have any restrictions that I set and that were working before. Thus, security/perms in the RPD are not applied.
4). I removed the user from the BIAdministrator app role, kept in the BIAuthor app role and then created new test app role. I mapped that user to this new role along with the BIAuthor role. I then proceeded in creating new app policy with just that policy and assigning the new app role to it.
5) I logged into the presentation services again with this test user after assigning to new app role and policy. My test user again does not have the security being applied and does not get any perms/security that I set and applied in the RPD. On top of that my test user is now able to login in online mode to the rpd via the bi admin tool.
Similar Messages
-
Row Level Security not working for SAP R/3
Hi Guys
We have an environment where the details are as mentioned below:
1. Crystal Reports are created using Open SQL driver to extract data from SAP R/3 using the SAP Integration Kit.
2. The SAP roles are imported in Business Objects CMC.
3. Crystal Reports are published on the Enterprise as well.
3. Authorization objects are created in SAP R/3 and added as required for the row level security as mentioned in the SAP Installation guide as well. The aim is when the user logs into the Infoview and refreshes the report he should only see data that he is meant to so through the authorization objects.The data security works very much fine when the reports are designed directly on the table but when the reports are built on the Business View it doesnt work hence the user is able to see all data.
Any help in this issue is greatly appreciated.
Thanks and Regards
KamalHi,
In order for row level security to work for you using the OpenSql driver, you need to configure the Security Definition Editor on your SAP server. This is a server side tool which the Integration solution for SAP offers as a transport.
This tool defined which tables are to be restricted based on authorizations.
However since you are seeing the issue on reports based on Business Views, you need to identify whether the Business View is configured in such a way where the user refreshing the report is based on the user logging into Infoview. If the connection to your SAP server is always established with the same user when BV is used then you security definition is pointless.
You can confirm this by tracing your SAP server to identify what user is being used to logon to SAP to refresh the reports.
thanks
Mike -
Crystal reports LOV cascading prompts row level security not working
Crystal report LOV cascading prompts with row level security is not woking when the crytal report cache server/page server cache (Oldest On-Demand Data Given To a Client (in minutes)) is turned on. But its working fine when the cache is turned off.
Using XIR2 environment.
Appreciate the response.
Thanks
ChenthilHi Chen,
In terms of what could be done on the Crystal Reports end, there is no such controls available. However, your question may be better answered if it was posted to our Business Objects Enterprise forum.
It is at "BusinessObjects Enterprise Administration" section of the forums.
FYI. -
Row level security not working if I hit the aggregate
I have applied row level security on presentation layer , however it does not work if the report hit the aggregate any idea on this...
Hi Ingo,
Security is set up using /crystal/rls transaction. A custom auth object is used for checking the company code with a single field "BUKRS".
This custom auth object is maintained for the PA0001 table.
This object is added at the role level with the restricted access to the Company Code.. -
Row Level Security Not working for the ECC table.
Hi All,
We have created a crystal report using SQL Driver.
We have set the row level security on PA0001 table so that we can restrict the query based on Company Code.
But when I run the report, it bypasses the row level security and gives access.
Am I missing some configuration?Hi Ingo,
Security is set up using /crystal/rls transaction. A custom auth object is used for checking the company code with a single field "BUKRS".
This custom auth object is maintained for the PA0001 table.
This object is added at the role level with the restricted access to the Company Code.. -
Item level security not working when placed in a portlet page
I have three page links linking to separate pages and have two of them with item level security turned on for specific groups with view privilges. I have the access for those groups with view privilges in the page level as well. I have published that as portlet and placed the portlet in another page which has view priviliges for the groups specified in item level as well.
But I notice that when i place the portlet in a page, the item level security is not working.
Item Level Security Not Working for Items Placed on a page and published as portlet and placed in another page. Is there some work around for this.
Thanks
ValliWould you please clarify for me? Is the problem that unauthorized people can see the portlet, or that unauthorized people can see the links?
-
Object Level security not working on OBIEE 11g 11.1.1.7
Hi,
I am experiencing problems with object level security applied on application role in 11.1.1.7 version. If i create a user and assign that user to a application role and give that application role permission to Access Answers in Manage previleges, it is not working. If i directly add a user to permission list in Manage previleges section then user is able to access the answers. I added that application role in "Access to Answers" section in Manage previleges section. Permission for Authenticated users is denied.
We recently upgraded from 11.1.1.5 to 11.1.1.7. Please can someone confirm if it a bug in 11.1.1.7 or it is because of the upgrade process.
Regards,
SandeepHello Sandeep,
I have just verified the below scenario as you said but didnt find any issue.
I have just created a User, Group and Applictaion Role under default authentication provider . Assigned user under group and group under newly created application role and provided access to answers for new application role under manage privilages and I am able see it.
This might not be a 11.1.1.7 bug check it from upgrade end.
Regards,
Srikanth -
Item Level Security not working with Tabs
I've Portal 9.0.2.2.22
This issue is with Item Level Security with Tabs. Here is what I've have:
Page Group: MyPagegroup (Privs: portal => Manage All)
Page: MyTestPage (Privs: portal => Manage All,
testUser => View)
There is a tab called MyTab on page MyTestPage which has two items (simple images) image1 and image2. The tab's access privs have been set NOT to inherit from the page. The public check box has not been checked for the tab. I've specifically assigned access privs to the tab.
Now here are the two scenarios that I'm having problem with:
1) MyTab (portal => Manage All, testUser => view)
image1 (ILS enabled: portal => Manage All)
image2 (ILS enabled: portal => Manage All,
testUser => View)
When logged in as "testUser", I still see both the images on MyTab although image2 doesn't have view priv to testUser. My expected result is to see just image2 on the tab.
2) MyTab (portal => Manage All)
image1 (ILS enabled: portal => Manage All,
testUser => View)
image2 (ILS enabled: portal => Manage All)
When logged in as "testUser", I still see NO images on MyTab although image1 has view privs to testUser. I would expect to see image1 on the tab.
Question: In both the above cases, the tab privs seem to be dictating what the user sees regardless of what the item level privs are set to. Is this normal behavior or a bug? If a bug, is there a patch? Is there any way so that even after setting the tab privs, I still have finer control of what the user can access through item level privs?
If I don't put the items under a tab, then things work as expected.
thanks
Lalit Agarwal
Vienna, VA
703-521-5200 x3610This is a known problem with the 9.0.2 release - fixed in 9.0.2.6.
Regards,
Jerry
PortalPM -
Group Level Data Level Security not working
I'm trying to test the data level security at the group level.
Here's what I did
1. Went to the security -> Groups -> Permissions -> Filters
2. In Name added the Fact table on which I want to filter.
3. Selected "Enable"
4. In Filter Column I added a filter on a column in the dimension. (I didn't use any session variables in the filter)
When I create an answers query with the column from the dimension (Which I used in filter) and fact from the fact table where I defined the filter, the filter is not applied..
Am I missing something in the creation of filters?
Thanks in Advance.
Rama.Hi,
If the user is member of both user defined and Administrator group no filter will be applied to them because Administrator group will take precedence and no filter can be applied to Administrator.Even if you ooen Administrator group, you will see that permission tab is disabled for Administrator group.
Hope this helps.
Regards,
Sandeep -
Database Level Security not working ???
The 10 g (10.1.2.1) documentation states the following:
Chapter 7 Controlling access to information:
"Regardless of the access permissions and task privileges that you set in Discoverer Administrator, a Discoverer end user only sees folders if that user has been granted the following database privileges (either directly or through a database role):
ex: SELECT privilege on all the underlying tables used in the folder "
So how come a folder (view in my case - not table) cannot be queried directly by a user, but the folder still shows up a choice when building a report using PLUS ? I am misreading the above ? For is sounds lilke to me if the user account does not have SELECT privilege then they will not see the folder in Discoverer ?
Anyone run into the same issue or have an explanantion ?
thanks
OBXI think the user has access to see all the folders in the business area in Discoverer if he has permission to do so. This is a Discoverer level security to filter people who should not have access to the business area at all. You'll find that although they can see these Discoverer folders because the permission is set in Discoverer Administrator, that the database tables they are based on will not allow the users to see any of the data if they don't have those rights at the database level.
-
Access Control Mechanism (data level security) not working properly
Hi Experts,
I have done datalevel security for groups by help of a database table. This table contains UserId, Dept. code, GroupName column. UserID are verified by LDAP server during logging into Dashboard. I have made two init blocks for GroupName and Dept.Code .
Query is :
SELECT 'Group', GroupName from TABLE
Where
UserId = ':USER'
Similiar query is for Dept Code.
There are two groups ; 1. CC_User 2. Full_User. I have applied filter in PERMISSIONS for CC_User on Fact table on Dept Code. So, user in this group may see data for Dept Code aligned to him in the table. All_User may see whole data for All Dept Codes as NO filter is applied on this group.
Dept Code , UserId and GroupName are Varchar.
Now problem is this when a user have membership of one group , it works fine. For CC_user it shows data for its Dept Code and All_user may see whole data.
But When A user have permission of both the groups , only data related to CC_User group is visible. But, in my view , maximum permmision out of the both groups must be applied to the user if he belongs to more than one group.
So , here , he must see whole data, as All_user group can see full data.
Does least restrictive permmission happens in case of membership of more than one group in OBIEE.848839 wrote:
Does least restrictive permmission happens in case of membership of more than one group in OBIEE.Indeed it does. The most restrictive filters get applied if a user belongs to multiple groups that have filters at various levels of data because its always an AND clause in the where condition. This is the sort of behavior in various tools I have seen apart from OBIEE.
Hope this helps.
Regards,
-Amith. -
Row level security.... yes or no in HTMLDB???
Hi Guys,
This is just a little confusing... in the application developer of HTMLDB, it has a section to implement VPD features, but when I come round to doing pete finnigans (http://www.securityfocus.com/infocus/1743) RLS tutorial, i get the following error when creating the vpd policy:
ORA-00439: feature not enabled: Fine-grained access control.
So can I get row level security to work in Oracle XE or do I have to integrate Oracle 10g EE with HTMLDb to get this to work?
If so... how do I do that?
Best Regards
Shahram ShiraziVirtual private database / fine grained access control is not supported in Oracle XE, it is an Enterprise Edition feature.
http://download-uk.oracle.com/docs/cd/B25329_01/doc/license.102/b25456/toc.htm#BABECIEG
Re: Got ORA-00439: feature not enabled: Fine-grained access control
~Dietmar. -
Row level security in OBIEE 11g: Which is better: VPD or RPD
We can apply row level security in OBIEE by 2 ways.
1. by Creating Initialize Block in RPD
2. or Applying VPD in Database, which restricts source tables
Which one is more efficient and why?
Thanks,
Sunil Jenayou will have some degree of performance degradation with either approach since you are adding additional filters so I would not use that as the main factor to decide. You need to assess your actual requirements. What is the basis by which you are planning on doing the security. Is LDAP the main basis for the security? Do you plan to use certain roles? if your security is more based on roles at the application level, then it may be easier to define at the Application level (OBIEE)...if its just based on a certain user ID for a set of tables, then perhaps VPD can work. If helpful, pls mark.
-
Row level security with session variables, not a best practice?
Hello,
We are about to implement row level security in our BI project using OBIEE, and the solution we found most convenient for our requirement was to use session variables with initalization blocks.
The problem is that this method is listed as a "non best practice" in the Oracle documentation.
Alternative Security Administration Options - 11g Release 1 (11.1.1)
(This appendix describes alternative security administration options included for backward compatibility with upgraded systems and are not considered a best practice.)
Managing Session Variables
System session variables obtain their values from initialization blocks and are used to authenticate Oracle Business Intelligence users against external sources such as LDAP servers or database tables. Every active BI Server session generates session variables and initializes them. Each session variable instance can be initialized to a different value. For more information about how session variable and initialization blocks are used by Oracle Business Intelligence, see "Using Variables in the Oracle BI Repository" in Oracle Fusion Middleware Metadata Repository Builder's Guide for Oracle Business Intelligence Enterprise Edition.
How confusing... what is the best practice then?
Thank you for your help.
Joao Moreiraauthenticating / authorizing part is take care by weblogic and then USER variable initialized and you may use it for any initblocks for security.
Init block for authenticating / authorizing and session variables are different, i guess you are mixing both. -
Row level security in OBIEE 11g
Hi guys,
We have a business intelligence project in OBIEE, and I have a question regarding row level security (RLS).
Specifically, I have an hierarchical organization with users belonging to different structures. If one user belongs
to a structure that is above another structure in hierarchy, then he should see both data from his structure and
the of the users in structures bellow it. In the reports, we must have filters implemented respecting this requirement,
i.e. if one logs in OBI and accesses the report, he should see in the filter "Users" only subordinate users and respectively
data displayed in the report should be filtered accordingly. How would you suggest to implements this type of security
in the data model? And how could I create the type of filter mentioned above?This needs to be implemented in 3 different levels. 1. in database 2. in RPD 3 in reports
1. You need to have facts or dimensions which have columns through which you can filter based on their hierarchy. e.g position in an organisation or department in the hierarchy table which can be joined to fact.
2. In rpd you need to create a session variable and initialize it using init block based on the user who is logging in. This variable will be you position or department through which you want to filter based on hierarchy. e.g select position from hierarchy_table where user= 'NQSession(user)' . The resulting position value will be used as a filter.
3. Add this position variable as a content filter in your LTS in you BMM layer.
4. You can also use this session variable as a filter in you reports too.
hope this helps.
Senthil
Maybe you are looking for
-
Windows 8.1 slow printing on 8620 Pro
Just bought the 8620 printer to replace a HP 6500a. When printing from Windows 8.1 it will print about a thrid of the page and pause, print a couple more lines and pause, the print the rest of the page. It does this with every page. I have uninst
-
PO's Document type created from Shopping Cart
Hi all, I work on a SRM 5 system with Extend classic scenario. when I create a PO from a SC, the system assign automatically a document type. I have to change this assignment. I already define transaction type for BUS2201, but I'm not able to find wh
-
Dragging images in the browser
I'm grouping images in a project into stacks but not all the images for some stacks are conveniently displayed near each other. If I have to scroll to an image then try and drag it to the stack but to get to the stack requires scrolling the browser w
-
Collaboration service endpoint?
Hi, is there any way to use Adobe collaboration services with non-Adobe applications? For example with Silverlight? Probably I need some web service endpoint first. Did anybody try it? Thanks.
-
Is anyone else still getting 0xE8000001 errors?
When I connect my iPhone to a computer running XCode, about 1 time in 5 I get the "Your mobile device has encountered an unexpected error 0xE8000001" message, and have to go through a complete restore of everything on the iPhone. Then it works fine f