OBIEE Group authorization

Hi,
We are using LDAP security for authenticating the users, but when I try to authorize the users to see a particular dashboard it is failing. I have created a table in the DB with the logon and group details and created a session variable by using the SQL below. But when I try to test this initialization block, the Test button is not highlighted in the rpd.
SELECT 'GROUP', R.GROUP_NAME FROM WC_USER_AUTH R WHERE UPPER(R.LOGON)=UPPER(':USER')
Please suggest me whether I am doing the correct approach to give access to dashboard.

Yes... The three steps you have mentioned are the standard way of doing authentication using LDAP and authorization using an external database.
Whenever a new user is added, you just have to add that user name and group name in the external DB table.
No need to give permissions to that particular user in the Presentation Catalog, as you might have already given permission to the group to which this user belongs.
While logging in you have to give the correct username as it is configured in your LDAP server. For entering the new user in DB it need not be case sensitive as the Init block query takes care.
SELECT 'GROUP', R.GROUP_NAME FROM WC_USER_AUTH R WHERE UPPER(R.LOGON)=UPPER(':USER')
Regards,
Bhavik

Similar Messages

  • LDAP Groups Authorization

    Hi,
    I have read some of the forum threads about LDAP Group Authorization - I remain confused. Here's the problem I am trying to solve.
    I was successful in setting my Authentication to "Based on authentication scheme from gallery:Existing Login Page: Use LDAP Directory Credentials" -
    That works fine, but I would not like all users in my OID LDAP directory to log into my application, which is why I have created a group for the users I want to include in my OID directory.
    Now at "Builder->Application...->Security->Authorization Schemes"
    I have created an Authorization Scheme as "PL/SQL Function returning a boolean".
    My Scheme Source(Identify Query or PL/SQL) is as follows and is set to "once Per session"
    return wwv_flow_ldap.is_member
    (:APP_USER,
    null,
    'cn=users,dc=wellesley,dc=edu',
    'jadeland.wellesley.edu',
    '389',
    'wcd_HTMLDB',
    'cn=portal.040323.1220,cn=Groups, dc=wellesley,dc=edu');
    where in my LDAP directory, 'wcd_HTMLDB' is the subgroup under group "portal.040323.1220" -
    I have included 3 users in the group 'wcd_HTMLDB' .
    Still the login page allows all LDAP users (and not just the 3 from the 'wcd_HTMLDB' group).
    Where did I go wrong?
    What's the proper way to authorise only LDAP users in a group?
    Any help would be really appreciated.
    Thanks .

    Indira,
    The public synonym (and grant execute) must be created after that package is compiled which can happen after catldap is run in your database. This is only a problem if catldap has not been run before HTML DB is installed. That's described in the flows/doc/ldap.html file in the distribution directory (not very prominently, we know).
    When you initially attached the authorization scheme to your login page and it wouldn't let you in, the reason is that it was using the value of APP_USER to drive your lookup function. But when the login page is rendered, APP_USER is null because you haven't logged in yet. So a user-based authorization scheme on a login page can never work.
    When you changed the ldap username edit function the way you did, you achieved the goal of preventing an unauthorized user from using the login page to authenticate. Looks like the way it's set up is to give unauthorized users an authentication error, which is a little misleading (saying their credentials are invalid when in fact they are valid but they aren't authorized to use your application), but if it suits your purpose, great. You should consider that if you change the authentication method to, say, Single Sign-On, you'll then want to use authorization schemes to keep unauthorized users out. So the authorization scheme that you first set about using would be fine in that case, so long as you adjust the code to allow for visits to public pages prior to authentication (v('APP_USER') = 'HTMLDB_PUBLIC_USER'). However, you'd want to attach that scheme to the application itself (Edit Application Attributes->Authorization) so it fires on every page. Evaluating a scheme like that on every page view rather than once per session probably works best, even better if you cache the result of the evaluation yourself for performance reasons, e.g., set an application item to some value the first time the authenticated user passes the ldap membership test, then using that item as an 'already passed' flag for subsequent invocations.
    Finally, I assume you are using the built-in ldap_dnprep function because you need to replace '.' with '_' in the username value entered by the user. If that is not your requirement, let's talk.
    Scott
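
Added example (not part of the original thread and not Oracle's code): one way to write the application-level authorization scheme Scott describes, letting the public user through, evaluating on every page view, and caching a passed LDAP membership test. The application item name LDAP_GROUP_OK is hypothetical; the is_member arguments are the ones from the question, and htmldb_util.set_session_state is used to set the flag.

```plsql
-- Scheme type: "PL/SQL Function Returning a Boolean"
-- Attach under Edit Application Attributes->Authorization and
-- evaluate on every page view (not once per session).
-- LDAP_GROUP_OK is a hypothetical application item used as the
-- 'already passed' flag. It must not be settable from the browser
-- (URL or form post), otherwise the cached result can be forged.
declare
    l_user varchar2(255) := v('APP_USER');
begin
    -- Public pages (including the login page) are rendered before
    -- authentication, so there is no real user to look up yet.
    if l_user is null or l_user = 'HTMLDB_PUBLIC_USER' then
        return true;
    end if;

    -- The flag stores the user name that passed the test, so a value
    -- left in session state for a different user never matches.
    if v('LDAP_GROUP_OK') = l_user then
        return true;
    end if;

    -- First check for this user in this session: ask the directory.
    if wwv_flow_ldap.is_member
       (l_user,
        null,
        'cn=users,dc=wellesley,dc=edu',
        'jadeland.wellesley.edu',
        '389',
        'wcd_HTMLDB',
        'cn=portal.040323.1220,cn=Groups, dc=wellesley,dc=edu')
    then
        htmldb_util.set_session_state('LDAP_GROUP_OK', l_user);
        return true;
    end if;

    -- Valid credentials but not in the group: authorization fails,
    -- and the user sees the scheme's error message rather than an
    -- "invalid credentials" error.
    return false;
end;
```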

  • Where we check the authorization group & authorization object?

    Hi all,
    I have a std program & tcode like fb03. Now I want to know the authorization group & authorization object. So where will we check?
    help me.
    thanks.
    Vipin

    Hi,
    Use transaction SU21 & SU22 for Auth Objects & Class

  • OBIEE Group Authentication Maintenance

    Hi All,
    I have set up Authorisation via MS ADSI Server for OBIEE 10g. I have also set up Group Authorisation via table. Works well. But my problem is "each user and group has to be created in the table". Is there a way around this, or any common practice or procedure I can run to maintain the groups and users within the Authorisation Table...
    The ADSI (LDAP) is fine... Just problem with maintaining the groups. How does everyone else maintain their groups if you have the table authorization method...
    Thanks
    Bibi

    That's up to you to decide how to do it. There are cons and pros on every approach. Personally I wouldn't stage any LDAP data, as this would require frequent updates or a big delay on new users/permissions feeding to OBIEE. People expect new permissions to be applied instantly. If that's not the case you might get pointless support calls etc. I would either use LDAP to store all permissions or OBIEE. There is little point in having security tables if you have to maintain them manually. We use tables because we have a custom permissioning tool which the help desk manage, so we don't need to touch any permissions. You'd be better off maintaining them manually using the Web Catalog and the web Administration console if you can't use LDAP.
    Here is a way of getting a list of users from LDAP:
    http://support.microsoft.com/kb/237677

  • OBIEE Groups - RPD Groups, Catalog Groups, LDAP Groups

    Greeting Experts
    I am trying to get a clear understanding of how these different groups play out in the OBIEE world.  Ideally I am looking to get clarity around what the boundaries are for these groups (what they control and don't). Really appreciate if someone could enlighten me
    Thank you very much.

    will LDAP Group security takes precedence over Catalog Group security
    Yes
    when it comes to LDAP security, can it be extended to control Authorizations besides, just User Authentication ?
    Basically LDAP groups are associated with the users and those groups are again associated to Application Roles so Authorization and authentication can be done using Application role rather than a group
    But if you have catalog groups (default 10g security model) you can still assign application roles for those catalog groups and enable the object level security (Go to Administrator ---> Manage Catalog Groups ---> select any default 10g group; there you can search and add application roles)
    thanks,
    Saichand

  • OBIEE Group By on 2 facts and concatenated columns from different dimensions

    Hi
    I have a different kind of problem involving 2 fact tables with different dimensional attributes.
    Fact 1 has Dim Attributes ( Cust,Facility )
    Measure - Gross Amount
    Fact2 has Dim attributes (Cust,Facility and Risk Group )
    Measure : Exposure Amount
    Since we have 2 facts with different dimensions,
    to exclude the 'Risk Group' dimension column from the group by for the Fact1,
    we set the 'Gross Amount' measure to total level (Risk Group Dimension ) in contents tab.
    So the values from both the fact tables appears in the same report correctly.
    But in the same report we have another requirement where the rating column from the customer dimension has to be concatenated with the ratings column in the facility dimension.
    We have to concatenate customer.rating with the facility.rating and display it in the report.
    when we just pull the individual columns from the dimensions into the report it works fine.
    But when we try to concatenate the 2 columns and show it in the report,
    the concatenated column does not appear in the select or the group by in the SQL Fact2.( Generated by OBIEE )
    The other fact1 has the concatenated column in the select as well as the group by clause ( Generated by OBIEE )
    As a result the report shows the concatenated values only for the results from the Fact1. But the results from Fact2 does not have the concatenated column values.
    The report should look like the below:
    Customer.Name  Customer.Id  Facility.Name  Facility.Id  Customer.Rating/Facility.Rating  Risk Group  Gross Amount  Exposure Amount
    =============  ===========  =============  ===========  ===============================  ==========  ============  ===============
    JPMC           123          GROSS          123          08/10                            LNL         45,000        25,000
    CLAIRE         456          NET            456          07/10                            RNK         50,000        30,000
    Thanks,
    Chandra

    As suggested, you really want to move your non-aggregated fact attributes to a logical dimension (using the same physical table as the logical fact). Map this in the BMM layer as a snowflake, place a hierarchy on this dimension with (at minimum) Total -> Detail levels, then on the other fact table you want to include in the report, set the content level on your other fact measures to the 'Total' level for your new logical Dim and it will allow them to be present in the same report.

  • Vendor Master Field Group Authorizations

    Hi guys,
    I want to give the authorization to specific users for only changing a few fields in the Vendor Master.
    There is an authorization field in the vendor master ( XK02 ) under control Tab. But how do we create this authorization ?
    There is also define vendor field groups where we can restrict which fields to be changeable by the user. But how do we link these field groups to the vendor master?
    Please suggest.
    Thanks,
    Srikanth.

    HI,
    You can use dual control to provide more security when changes are made to sensitive data in your customer and vendor master records. This function can be used for changing customer master records (FI-AR) and vendor master records (FI-AP).
    Prerequisites: You must define the required sensitive fields in the customer or vendor master record in Customizing (IMG) for Financial Accounting. To do so, choose Financial Accounting->Accounts Receivable and Accounts Payable->Customer Accounts-> Master Records->Preparations for Creating Customer Master Records->Define Sensitive Fields for Dual Control.
    You must be authorized to change master records. You also define authorizations in Customizing (IMG) for Financial Accounting. To do so, choose Financial Accounting->Financial Accounting Global Settings->Maintain Profiles. The person who makes the changes is never allowed to confirm his or her own changes.
    Features: You can define the required master data fields as sensitive in Customizing.
    When an authorized accounting clerk changes a sensitive field in the customer or vendor master record (such as Alternative Payee), the relevant account is blocked for the payment run. The changes take effect immediately. The account remains blocked until a second authorized person confirms the master data changes. However, it is still possible to make a further change to an account that is already blocked. The second authorized person is informed of the changes by mail or by other means, and then uses the function Master records->Confirmation of change->Single (or->List) to edit the changes.
    If the second authorized person does not confirm the master data change, the relevant account continues to be blocked for the payment run. The changes are likewise not reset.
    Hope this helps you. Let me know if you need anyother information.
    Rgds
    Manish

  • HOW TO SET ITEM MASTER IN ITEM GROUP AUTHORIZATION

    Hello,
    Using Sap Business One 2007 B how to solve this item master authorization issue.
    Kind regards,
    Karunagaranjanani.

    Hi,
    Try this,
    Create 1 Mandatory UDF field in Item Master Header.
    ->> Choose Tools on menu bar.
    ->> User Defined fields. -> Manager User Fields.
    ->> Open the Manager User Fields Window.
    ->> Master Data.
    ->> Items. -> Items.
    and Click Add button in bottom right then add the UDF Title & Description.
    Put the tick mark on Set Default value for Field and put the value of 0.
    Then, put the tick mark on Mandatory Value and add the UDF.
    Assign the below FMS in UDF.
    ->> Open the Item Master and press Shift+Alt+F2 in the UDF, then put the Saved Query.
    Put the tick mark on AutoRefresh and select the Item Group,
    put the tick mark on Display saved values.
    Try assigning the below FMS in the UDF (Mandatory field).
    For example: Item Group -> (100) -> Item.
    Item Group -> (101) -> Accessories. Item Group -> (102) -> Hardware.
    User sign 1 -> Manager. User sign 2 -> Admin.
    SELECT ' ' FROM OITM T0
    WHERE
    $[OITM.ItmsGrpCod] in ('100', '101', '102')
    AND
    $[OITM.UserSign] in ('1', '2', '3')
    Regards,
    Madhan.

  • Purchasing Group authorization based on the user

    Hi All,
    Can anyone suggest me ideas on how to restrict in accessing details of a PO for a  purchasing group based on the user who tries to access it .
    the object is M-BEST_EKG.
    need guidance in using AUTHORITY_CHECK in restricting PO group based on the userid.
    Thanks in advance.
    Regards,
    Ry

    Hi,
    ACTIVITY controls what user can do to the PO.
    01-Create
    02-Change
    03-Display
    EKGRP controls the purchasing group
    To restrict to a specific purchasing group, modify the authorization object in the role which the user has, to allow the specific P.Grp. only
    Cheers !

  • Purchasing group authorization based on user

    Hi All,
    Can anyone suggest me ideas on how to restrict in accessing details of a PO for a purchasing group based on the user who tries to access it .
    the object is M-BEST_EKG.
    need guidance in using AUTHORITY_CHECK in restricting PO group based on the userid.
    how are the users assigned to the authorization object ?
    Thanks in advance.
    Regards,
    Ry

    Hi Roby,
    I think you can control authorization using transaction PFCG.
    refer below SAP link for details on authorization. May help you.
    http://help.sap.com/saphelp_nw04s/helpdata/en/52/67129f439b11d1896f0000e8322d00/content.htm
    Regards,
    Atish

  • Target groups - Authorization

    Hi,
    We have a requirement (implemented for two companies (A & B) in the same system): if a user of company A creates a target group, the target group shouldn't be displayed to a user of company B and vice versa. Found the authorization object for target group (RSCRM_TG); the permitted activities are create/generate, change. 'Display' is not available.
    Please suggest me to achieve the requirement.
    Regards,
    Brahmaji
    Edited by: brahmaji24 on Feb 14, 2012 7:09 AM

    Hi, brahmaji24.
    You can use the BAdI BADI_CRM_MKTTG_TARGET_GROUP (enhancement spot is BADI_CRM_MKTTG_TARGET_GROUP) and method CHECK_AUTHORITY.
    This method can achieve your issue. If the user doesn't have authorization on the target group, raise the exception no_authorization.
    Example:
      select single created_by from crmd_mkttg_tg_h into lv_user where guid = iv_tg_guid.
      if lv_user <> sy-uname.
        raise no_authorization.
      endif.

  • User defined groups authorization

    Hi Dear;
    is there any possibility to manage the authorization of user defined field or user defined groups in a form?
    regards;

    Dear Mr Bittar,
    Can you check the Expert Empowerment Session:
    User unable to modify the UDF form settings
    If you go to the following link and write authorisation in the search option the session will appear in the list.
    https://websmp108.sap-ag.de/~form/sapnet?_SHORTKEY=01100035870000706503&_SCENARIO=01100035870000000183&_ADDINC=011000358700001192682007E&
    Kind Regards,
    Marcella Rivi
    SAP Business One Forums Team

  • Planner group authorization in order

    Hi,
    I am planning to give the change authorization of maintenance orders and notifications on the basis of planner group. The planner group is maintained in equipment master data and copied to order and notification upon creation. Now the problem I am facing is that I created one role for change order, and in that I used the authorization object I_INGRP and maintained planner group values and t-code IW32. Now when the user is changing the order the authorization comes into the picture, but during order creation the authorization check is also there. I don't want the authorization check at order creation level but only at order change level. That's why I only put t-code IW32 in the role. Can anyone tell me why the system is checking authorization at creation level and how to avoid this?

    System will check Planner group authorisation during work order creation. See simulation: http://www.scribd.com/doc/24194024/authorisation-issue-check
    As I understood, the planner group XXX need to change the workorder created by YYY for the equipment planner group XXX.
    or Create custom auth object and enhance the code to check the restriction
    -S.N

  • Saved query groups authorization

    Dear All,
    Saved query groups - no.1 to no. 20 are available in the authorizations form.
    I see there are only 15 groups in the query manager --> manage categories, and in the authorizations there are 20. The remainder is 5. Where will the five groups be used and where can they be found?
    I use SBO 2004A. I also see that it is happened in SBO 2005A. I have tried to find in SAP notes but I can't see.
    I appreciate your answers. TIA
    Rgds,

    Hi Steve,
    Seems that no one here on SDN knows the answer (including myself)
    I suggest that you raise that to SAP Support - to have them checking the case.
    Sorry,
    Frank

  • Cost element group authorization check on controlling area level

    Hi!
    When maintaining cost element groups (KAH1, KAH2, KAH3) is it possible to run an authorization check on controlling area level?
    We have one global chart of account but several controlling areas. When we create a cost element group it is created at chart of account level for all the controlling areas. When someone changes a cost element group it changes in all controlling areas. I cannot restrict user's authorization to be able to change cost element groups only in their own controlling area.
    Is it possible somehow?
    Thanks for your help.

    Hi,
    Like how the global chart of accounts is at the client level, the cost element groups are also independent of the controlling areas. In fact, the cost element groups are created at the global COA level.
    In such a case, I don't think it is possible to restrict the authorizations to amend the cost element groups at controlling area level.
    Thanks and Regards,
    Bhuvaneswari.S
