OBIEE Row-Level Security Inquiry

I had discussed a security requirement with one of our resources and it seems like a simple concept but for some reason I can’t think of simple way to implement in OBIEE.
If we have a fact table with a security column that has values which state what groups can see the data in that row (Multiple groups separated by semi-colons). The data in the row is layed out like this:
Group 1;Group 2;Group 3;Group 4
There is a user and group mapping table as well where if I pull a user (Say User1) the data in the column for their group assignments would look like:
Group 3;Group 10; Group 11
Since this user is in Group 3 they can see the values in that row of the fact table above (Because Group 3 appears in both).
Now I can run a session variable to get the user groups but how to then correlate to what rows they can see in that fact table is where I am stuck.
Can I solicit any suggestions?

They are various problems with your approach. To start with let's how OBIEE would like you to have the data:
State Sales
1 99
2 30
3 50
Then your user to group table should be like this:
User State
1 1
1 2
1 3
2 1
3 3
You would then do an row-wise Init Block to populate the GROUP variable. Then you simply do a filter in your BMM layer State = VALUEOF(NQ_SESSION.GROUP). Note that GROUP is that a list of groups so OBIEE will take care to convert this to SQL correctly. Now the way you have your data I don't think you can easily do row-level security. Basically what you need is to have your Group as dimension in your fact. What you have a is concatenated value which is useless. Also your user to group mapping table needs to be flat so you can do the row-wise init block. Hope it helps.

Similar Messages

  • Row level security in OBIEE 11g: Which is better: VPD or RPD

    We can apply row level security in OBIEE by 2 ways.
    1. by Creating Initialize Block in RPD
    2. or Applying VPD in Database, which restricts source tables
    Which one is more efficient and why?
    Thanks,
    Sunil Jena

    you will have some degree of performance degradation with either approach since you are adding additional filters so I would not use that as the main factor to decide. You need to assess your actual requirements. What is the basis by which you are planning on doing the security. Is LDAP the main basis for the security? Do you plan to use certain roles? if your security is more based on roles at the application level, then it may be easier to define at the Application level (OBIEE)...if its just based on a certain user ID for a set of tables, then perhaps VPD can work. If helpful, pls mark.

  • Row level security in OBIEE 11g

    Hi guys,
    We have a business intelligence project in OBIEE, and I have a question regarding row level security (RLS).
    Specifically, I have an hierarchical organization with users belonging to different structures. If one user belongs
    to a structure that is above another structure in hierarchy, then he should see both data from his structure and
    the of the users in structures bellow it. In the reports, we must have filters implemented respecting this requirement,
    i.e. if one logs in OBI and accesses the report, he should see in the filter "Users" only subordinate users and respectively
    data displayed in the report should be filtered accordingly. How would you suggest to implements this type of security
    in the data model? And how could I create the type of filter mentioned above?  

    This needs to be implemented in 3 different levels. 1. in database  2. in RPD  3 in reports
    1. You need to have facts or dimensions which have columns through which you can filter based on their hierarchy. e.g position in an organisation or department in the hierarchy table which can be joined to fact.
    2. In rpd you need to create a session variable and initialize it using init block based on the user who is logging in. This variable will be you position or department through which you want to filter based on hierarchy. e.g select position from hierarchy_table where user= 'NQSession(user)' . The resulting position value will be used as a filter.
    3. Add this position variable as a content filter in your LTS in you BMM layer.
    4. You can also use this session variable  as a filter in you reports too.
    hope this helps.
    Senthil

  • Row Level Security in OBIEE using OID as authentication Mechanism

    Hi OBIEE Gurus,
    I am trying to implement Row Level Security in OBIEE . Currently I have setup OBIEE to have OID do the user authentication.
    I want to implement RLS by doing the following :
    1. Have Security Groups defined in OID and assign users with group membership.
    2. Import these Security Groups into OBIEE metadata
    3. Apply filters to these Security Groups
    4. Run Answers requests to see if RLS works or not
    Please let me know if this approach works. If this is not the right way or most efficient way to do this, please let me know if there is any document I can follow to accomplish this.
    Appreciate your help.
    Edited by: drakesh on Sep 26, 2008 7:09 AM

    Follow the steps in the following link to set up OID and Row level security:
    http://www.rittmanmead.com/2007/05/21/using-initialization-blocks-with-ldap-and-database-queries-to-control-authentication-and-authorization/
    Instructions for the link above:
    1.In place of Edit Data Source as database you have to select LDAP,define the groups and default initializer as filter expression.
    2.A more simpler approach ,is to create the groups explicitely using the Security Manager in BI Administrator, add filters to those groups, and assign users to those groups.
    Otherwise follow Matt's view
    Thanks,
    Amrita

  • Row Level Security in OBIEE

    Hi,
    In my project i have to implement the row level security. My scenario like follows
    I have one report called Customer - Revenue.The report contains the following fields. Company,Organisation,Office, Revenue.
    Dimensional Hiearchy is as follows
    Company --> Organization --> Office
    In each company,Organization,Office have their own user ids.
    If i enter with company user id the report should displayed concern company revenue details with organization and office details.
    When i enter with organization user id then the report displayed for that particular organization and office revenue details.
    When i enter with office user id then the report should displayed for that office revenue details with concern company and organization details.
    My Dimension table in following format
    Company
    Organization
    Office
    Address.
    I am usnig external table authentication.
    External authatication tables contains following fields...
    Loginid,Display Name, Group and Password.
    How can i achieve this in OBIEE 11.1.1.5. Kindly help me to come out from this.....

    Hi,
    Kindly refer the below
    http://gerardnico.com/wiki/dat/obiee/security_level#data
    http://www.rittmanmead.com/2012/03/obiee-11g-security-week-row-level-security
    Thanks
    Deva

  • Row level security with session variables, not a best practice?

    Hello,
    We are about to implement row level security in our BI project using OBIEE, and the solution we found most convenient for our requirement was to use session variables with initalization blocks.
    The problem is that this method is listed as a "non best practice" in the Oracle documentation.
    Alternative Security Administration Options - 11g Release 1 (11.1.1)
    (This appendix describes alternative security administration options included for backward compatibility with upgraded systems and are not considered a best practice.)
    Managing Session Variables
    System session variables obtain their values from initialization blocks and are used to authenticate Oracle Business Intelligence users against external sources such as LDAP servers or database tables. Every active BI Server session generates session variables and initializes them. Each session variable instance can be initialized to a different value. For more information about how session variable and initialization blocks are used by Oracle Business Intelligence, see "Using Variables in the Oracle BI Repository" in Oracle Fusion Middleware Metadata Repository Builder's Guide for Oracle Business Intelligence Enterprise Edition.
    How confusing... what is the best practice then?
    Thank you for your help.
    Joao Moreira

    authenticating / authorizing part is take care by weblogic and then USER variable initialized and you may use it for any initblocks for security.
    Init block for authenticating / authorizing and session variables are different, i guess you are mixing both.

  • Row level Security for BI Author Role

    Hi All,
    We are using OBIEE 11.1.1.5 in our project. We have a requirement where we need to configure row level security on certain column.
    We are currently using external table and session variable approach to configure this. This security works fine for the users with BI Consumer
    roles. But we are facing issue with configuring row level security for BI Author role.
    BI Author can create any analysis in BI Answers and suppose he/she creates a report which does not contain the column on which row level
    security is applied than he can see all the data. For eg.
    We have one dimension Products having two levels Product Division and Brand. I want to configure security based on Product Division column.
    But if BI Author create a report with only Brand and Measures than row level security is not working.
    Does anyone has face this issue before.
    Please let me know if you want any other information from my side.
    Regards,
    Vikas

    If you are using a multidimensional cube you can use the "permit" command to control access to dimension members or provide cell level security within the cube. The OLAP database documentation provides on how to use the PERMIT command.
    If you are using relational tables and/or views with additional CWM metadata mapped using OEM then you need to refer to the database documentation relating to Virtual Private Databases and Label Security
    Business Intelligence Beans Product Management Team
    Oracle Corporation

  • Row-level Security Filters applied to Columns and Tables only? no Areas?

    Good day all,
    Just quick question (obiee 10.3.3.2) - Is there a way to edit row-level security using Whole subject areas (instead of bringing in the individual Fact tables and applying filters by copying/pasting them).
    Follow up question - if I have nested facts in presentation layer (ones preceding with "-" - do I specifically add them to conditions, or would they be inherited by only including parent fact)?
    Thanks!
    Message was edited by:
    wildmight

    I'm not sure how that would help; by using the Faculty_ID Session Variable I can identify the CRN and Term of all courses a faculty member is teaching. But I don't think that has to do with the problem I am having?

  • Row level Security in 11g

    Hello,
    Is there any way to configure row level security in OBIEE 11g other than using external table? Please share your thoughts on this.
    Thanks,
    Kishore

    Check this http://www.rittmanmead.com/2012/03/obiee-11g-security-week-row-level-security/
    ~ http://cool-bi.com

  • Object Level Security,Data Level Security&Row level Security

    can anyone explain main difference between "Object Level Security,Data Level Security & Row Level Security " and how to implement.
    Thanks in advance,
    Kumar

    Hi Kumar
    Dashboards, Reports, Guided Navigation Links, Texts, briefing books are all Dashboard OBJECTS which are available at UI level of OBIEE..if you restrict them Say User 'A' wants to see 2 Dashboards and USer 'B' Wants to see 1 Dashboard....these settings & permission u r restricting in Object level called Object Level Security
    lly datalevel security is restriction of Data.. consider the same above example and User 'B" wants to see 2-3 regions data where as User A will see only Single Region Data..which you will do/restrict at logical tables, using variables..
    Row level security: http://groups.google.com/group/obiee-enterprise-methodology/browse_thread/thread/131ee938a5aefde0 refer this link, clearly explains you
    Please mark Correct or helpful if this clears

  • Row Level Security not working for SAP R/3

    Hi Guys
    We have an environment where the details are as mentioned below:
    1. Crystal Reports are created using Open SQL driver to extract data from SAP R/3 using the SAP Integration Kit.
    2. The SAP roles are imported in Business Objects CMC.
    3. Crystal Reports are published on the Enterprise as well.
    3. Authorization objects are created in SAP R/3 and added as required for the row level security as mentioned in the SAP Installation guide as well. The aim is when the user logs into the Infoview and refreshes the report he should only see data that he is meant to so through the authorization objects.The data security works very much fine when the reports are designed directly on the table but when the reports are built on the Business View it doesnt work hence the user is able to see all data.
    Any help in this issue is greatly appreciated.
    Thanks and Regards
    Kamal

    Hi,
    In order for row level security to work for you using the OpenSql driver, you need to configure the Security Definition Editor on your SAP server.  This is a server side tool which the Integration solution for SAP offers as a transport.
    This tool defined which tables are to be restricted based on authorizations.
    However since you are seeing the issue on reports based on Business Views, you need to identify whether the Business View is configured in such a way where the user refreshing the report is based on the user logging into Infoview.  If the connection to your SAP server is always established with the same user when BV is used then you security definition is pointless.
    You can confirm this by tracing your SAP server to identify what user is being used to logon to SAP to refresh the reports.
    thanks
    Mike

  • Row level security at universe design level

    Hi,
    I am creating a Universe layer on top of non SAP OLAP cube ( from MS Analysis Services 2005 ) .
    My concern is that can we maintain the row level or data level security at universe design level or if i am using that universe in creation of WEBI report so is there any possiblity to maintain this security at WEBI level.
    Regards,
    Mishra Vibhav.

    Thanks for the reply.
    Much Appriciated.
    My only concern is that i read in the Universe Designer developer guide that it does the row level security so can eloborate a bit about how we maintain at Universe level.
    Warm Regrads,
    Mishra Vibhav

  • Row level security in BI Publisher

    Hi All ,
    I am using BI publisher for reporting on Siebel system.The issue I am facing is regarding row level security.Even if I am logging with Employee Id, when I generate report ,I have acess to all the information of the other employees.
    e.g. If as a cashier I made some entry , when I generate report on collection made by me, its bringing me all the collections made by other cashiers also.
    I am generating these report from siebel side.I am not sure if we can apply the rowlevel security to BI Publisher.
    Does anyone has used Siebel or EBS with BI Publisher and have row level security ? I am also not sure How to see the reports by loging into BI Publisher .If I am using Siebel or EBS, what is going to be my Data Model or Data Set.
    Can anyone help me on this?
    Thanks!!

    Oracle HRMS has its own security built-in to the schemas. Other modules you will need to customize for your own use.

  • Setting up Row Level Security in EPM 11.1.1.3

    I have been following the Administration guide but failed to setup row level security in EPM 11.1. Please advise which part of my steps are wrong. (note I am using MS SQL Server for the EPM Shared Services and Workspace database, everything under Windows env)
    i) Enable row level security in Workspace.
    Step 1) Define a ODBC Data Source named "EPM_WS" in Windows. The ODBC Data Source points to the MS SQL Server database of EPM Workspace since it contains the 3 tables (BRIOSECG, BRIOSECP, BRIOSECR) related to row-level-security.
    Step 2) Login to workspace, select "Administer"->"Configuration Console". Edit "Interactive Reporting Data Access Services" and add a data source with ODBC->MS SQL Server -> "EPM_WS" as the name of datasource. Restart "Interactive Reporting Data Access Services".
    Step 3) Login to workspace, select "Administer"->"Row Level Security". Check "Enable Row Level Security", Choose ODBC->MS SQL Server-> fill in "EPM_WS" as Data Source Name"-> Provide correct user name and password. Click "Save Properties"
    Step 4) It always prompt "Server error setting the Connectivity. Recommended Action: Logoff and logon again. If problem persists contact your local security administrator."
    Any log I can inspect for the connectivity error?
    ii) Configure Row Level Security setting
    I know that for Hyperion IR, there is a file row_level_security.bqy comes with the installation. User can use this bqy file to configure the actual row level security setting. However, I cannot locate this bqy file in the EPM 11.1 installation. What is the proper step for setting up the row level security configuration?
    thank you very much.

    I have been following the Administration guide but failed to setup row level security in EPM 11.1. Please advise which part of my steps are wrong. (note I am using MS SQL Server for the EPM Shared Services and Workspace database, everything under Windows env)
    i) Enable row level security in Workspace.
    Step 1) Define a ODBC Data Source named "EPM_WS" in Windows. The ODBC Data Source points to the MS SQL Server database of EPM Workspace since it contains the 3 tables (BRIOSECG, BRIOSECP, BRIOSECR) related to row-level-security.
    Step 2) Login to workspace, select "Administer"->"Configuration Console". Edit "Interactive Reporting Data Access Services" and add a data source with ODBC->MS SQL Server -> "EPM_WS" as the name of datasource. Restart "Interactive Reporting Data Access Services".
    Step 3) Login to workspace, select "Administer"->"Row Level Security". Check "Enable Row Level Security", Choose ODBC->MS SQL Server-> fill in "EPM_WS" as Data Source Name"-> Provide correct user name and password. Click "Save Properties"
    Step 4) It always prompt "Server error setting the Connectivity. Recommended Action: Logoff and logon again. If problem persists contact your local security administrator."
    Any log I can inspect for the connectivity error?
    ii) Configure Row Level Security setting
    I know that for Hyperion IR, there is a file row_level_security.bqy comes with the installation. User can use this bqy file to configure the actual row level security setting. However, I cannot locate this bqy file in the EPM 11.1 installation. What is the proper step for setting up the row level security configuration?
    thank you very much.

  • How to check the row level security in TOAD for oracle

    Hi ,
    for ex, i have 2 types of users
    normal user and super user
    super user can see the group set (some column name) created by normal user
    but normal user can not see the set created by super user
    this set crestion aslso has 3 types "U','P',S'
    P & S can be viewed by even normal user
    but U should not
    so here we are having some row level security for the normal user .....
    So, in TOAD for oracle how to check that......
    Let me know if i'm not clear

    Like
    I'm the super user....
    And some records are inserted to a table by different users ('a' , 'b', etc....)
    So,if user 'a' logins then he can be able to see only the records inserted by 'a' only...
    how to see in TOAD where such type of scripts (filter conditions) are written.....

Maybe you are looking for

  • DO I GET AN AWARD FOR THIS??? WORST DELIVERY EVER???

    Hold on to your hats, because this one is a doozy, and I've worked in Warehouse Supervisor for many years, and worked closely with Customer/Client services for a large computer company, so I couldn't even believe the insanity that would follow. It’s

  • MP4 Thumnails not appearing correctly or at all after import

    I have tried the alt/ctrl/shift to no avail. LR4 will display them correctly as will Windows Live Photo Gallery. I've deleted from catalog and re-imported with same result. Using the "update thumbnail" tool does not work. Some times it will display i

  • How do I get links to open without copy and paste?

    I just started using Firefox, have used Thunderbird for a couple of years. Since using Firefox when I click on links in email they don't open. I have to copy the link then paste it to open.How do i fix this? Thanks for any and all help! Chigar

  • Loading video in flash

    is there any way how to load any video type into flash?.. like .avi (divx, ..), .mpeg, .3gp, .mov .. something i should put some codec .dll to load.. i know, flash player is not video player, but is there any chance how to do it and not to convert vi

  • Macs getting -13005 error when connecting to a 2003 server?

    I have a windows 2003 server that is my students file server. I am not an expert at windows by no means. I had a group policy that required users to change thier passwords every 180 days. I have removed this password because the server would not allo