OBIEE Security Using VPD

I`ve read Venkat`s blog http://oraclebizint.wordpress.com/2007/08/29/obi-ee-10133-and-vpd/
I have an working policy on my table:
personal_history(district_id,city_id,company_id,department_id,job_id,employee_id, salary)
For example on my policy the chiefs of department see only information on his employees, the managers for their own department.
My policy function is far more complicated than Venkat`s Executive_Apply. I`ve checked VPD in database connection.My shared connection is based on vpd_admin which i gave him dba role.
I put "select set_context_function(':USER') from dual" on before query in OBIEE Connection script, still in Answers there is no difference between managers and chiefs of department in number of rows.
Why? What i`ve done wrong?
Thank you!
Razvan.

I succeded with setting context and policy, in Aswers appears different rows for managers and chiefs of department but there is another problem :
I have two connection pool , one with user dba owner of time dimension and fact table and the other with vpd_admin (context owner).
I also have a role in which vpd_admin has select wrights on personal_history and other tables who`s owner is dba2 (another dba user).
The two connection pools are in the same vpd database directory in Physical Layer.
When i gave "update rowcount" on personal_history and the other`s tables which vpd_admin has select wrights it works.Policy works. BUT after i created the role and give it to manager and chief users in Answers none of the joins with other presentation tables doesn`t work with error table not found for dimension different from personal_history dimension.
I modified just added vpd_admin to role and checked qualified table in second connection pool (the one with vpd_admin as user) .The query from each table without joining with each other works but in combination the error is table not found!
Any idea?
Thanks!

Similar Messages

  • Column Level Security Using VPD under oracle 11g

    Hi
    I am using an example from Oracle Database 10g: Advance Security -- Virtual Private Databases
    1. The Application Context -- that sets the session environment for the use is ok.
    2. The Logon Trigger that executes the above is ok. It had been tested.
    3. The Security Policy that returns a predicate after checking the output of the Application Context is ok.
    4. The security policy applied to the STOCK_TRX table is ok.
    5. Select and Insert from the database work.
    However, after dropping both the insert and select policy, I am having problem getting a select policy to work with column-level VPD. I will get the ORA-28104 -- input value for statement type is not valid and ORA-06512 at SYS.DBMS_RLS line 20. See code below
    begin
    DBMS_RLS.ADD_POLICY
    ('PRACTICE', 'STOCK_TRX', 'STOCK_TRX_SELECT_POLICY', 'PRACTICE', 'SECURITY_PACKAGE.STOCK_TRX_SELECT_SECURITY', 'PRICE');
    end;
    Note:
    PRICE is the sec_relevant_cols
    STOCK_TRX is the table
    Can you please help.
    Thx

    The syntax for row level security is not the same for columns level security. All the parameters to the DBMS_RLS.ADD_Policy() function should be preceded by the type of the parameter for:
    begin
    DBMS_RLS.ADD_POLICy(object_schema=>PRACTICE, ... sec_relevant_cols=>'PRICE);
    end;
    I did not know this before. I thought they were there in the example for explanatory reasons. I decided to answer the question for myself because I know others have the same interpretation.

  • Database security using VPD

    Hi,
    I am trying to implement Virtual Private Database policy to restrict the user data access.
    I am creating this with Scott schema with 11g R1.
    While accessing DBMS_RLS package I am getting below error.
    SQL> begin
      2  dbms_rls.add_policy  (
      3    user,
      4    'department_secrets',
      5    'choosable policy name',
      6    user,
      7    'pck_vpd.predicate',
      8    'select,update,delete');
      9  end;
    10  /
    dbms_rls.add_policy  (
    ERROR at line 2:
    ORA-06550: line 2, column 1:
    PLS-00201: identifier 'DBMS_RLS' must be declared
    ORA-06550: line 2, column 1:
    PL/SQL: Statement ignoredCan someone help me to identify what's the issue here?

    Mak1980 wrote:
    Just wanted to know why we have to give grant to this package as this is also one of the Oracle supplied package like UTL_FILE and others.The DBMS_RLS package allows SQL injection in simplistic terms. The VPDB user function defined for the policy, changes the SQL statement by adding predicates to it that needs to be met. This allows certain rows to be hidden from the code that issued that SQL statement - and that code and user/developer is totally oblivious that SQL statements send to the database are changed by the VPDB function.
    How does it make sense to allow public access to all schemas to perform this type of SQL injection?
    Robust security is about giving code and users the absolute minimum set of privs needed, for that code/user to do the required job.
    UTL_FILE is no different. It allows the code/user to step outside of Oracle schema and database, and directly into operating system's file system. What is the first step in pwning a server? Getting backdoor code onto that server for execution. And UTL_FILE allows exactly that.

  • Using VPD and Portal

    Situation: Trying to implement row level security using VPD for
    applications created in PORTAL. using portal's
    Light weight users.
    Method: Created a fine grain access control policy to build a
    predicate based on a Portal user (not database user).
    1 Get Portal User (proc: portal30.wwctx_api.get_user)
    2 Determine what business rules are setup for this
    Portal User
    3 Based on the above rules, build predicate for the
    Portal User
    Problem: In the first step, not retrieving the Portal user -
    looks to be getting PUBLIC when the code is part of a
    VPD policy. When it is executed on its own, it gets the correct
    information back (ie. The portal user not PUBLIC).
    The idea is that we want to be able to set the VPD policy based
    on the light weight Portal User.
    Oracle Database version 8.1.7
    Oracle iAS 1.0.2.2.0
    There is a work around for this, which is to create a database
    schema for each portal user and then associate the
    Portal account with this database schema. When we do this, we
    get the correct information for use in the VPD policy,
    But we actually look for the Proxy Account (database schema the
    portal user is associated with) and not the portal
    user/session info. This work around in not desirable when we
    get a large number of portal users.
    I've included the VPD package below where we try to extract the
    Portal user acct using the
    portal30.wwctx_api.get_user function
    we also tried the
    WPG_SESSION_PRIVATE.GET_LW_USER function with the same results
    When this PLSQL is executed within a portlet, it seems to return
    the correct information.
    Code:
    CREATE OR REPLACE PACKAGE
    BODY "P_CORPORATE_SECURITY_CONTEXT" as
    function f_company_security (p1 varchar2, p2 varchar2) return
    varchar2 is
    v_predicate VARCHAR2(4000);
    CURSOR cur_company(p_portal_user_name IN
    company_wwsec_person.WWSEC_PERSON_USER_NAME%TYPE) IS
    SELECT decode(rownum,1,to_char(company_id),','||to_char
    (company_id)) company_id
    FROM company_wwsec_person
    WHERE POLICY = '='
    and upper(WWSEC_PERSON_USER_NAME) = upper
    (p_portal_user_name);
    l_portal_user_name varchar2(256);
    l_oracle_user_name varchar2(30);
    l_all_policy_cnt number;
    l_equal_policy_cnt number;
    BEGIN
    l_portal_user_name := portal30.wwctx_api.get_user;
    -- l_portal_user_name := USER; Commented out since we
    want portal user not
    database user.
    select count(*)
    into l_all_policy_cnt
    from company_wwsec_person
    where upper(WWSEC_PERSON_USER_NAME) = upper
    (l_portal_user_name)
    and policy = 'ALL';
    select count(*)
    into l_equal_policy_cnt
    from company_wwsec_person
    where upper(WWSEC_PERSON_USER_NAME) = upper
    (l_portal_user_name)
    and policy = '=';
    IF l_all_policy_cnt = 0 and l_equal_policy_cnt > 0 THEN
    v_predicate := ' company_id in (';
    FOR l_company IN cur_company(l_portal_user_name)
    LOOP
    v_predicate := v_predicate || l_company.company_id;
    END LOOP;
    v_predicate := v_predicate || ')';
    ELSIF l_all_policy_cnt = 0 and l_equal_policy_cnt = 0 THEN
    v_predicate := ' 1=2';
    ELSE
    v_predicate := NULL;
    END IF;
    -- Uncomment to allow access to everything
    -- v_predicate := ' 1=1';
    RETURN v_predicate;
    END;
    END;

    Situation: Trying to implement row level security using VPD for
    applications created in PORTAL. using portal's
    Light weight users.
    Method: Created a fine grain access control policy to build a
    predicate based on a Portal user (not database user).
    1 Get Portal User (proc: portal30.wwctx_api.get_user)
    2 Determine what business rules are setup for this
    Portal User
    3 Based on the above rules, build predicate for the
    Portal User
    Problem: In the first step, not retrieving the Portal user -
    looks to be getting PUBLIC when the code is part of a
    VPD policy. When it is executed on its own, it gets the correct
    information back (ie. The portal user not PUBLIC).
    The idea is that we want to be able to set the VPD policy based
    on the light weight Portal User.
    Oracle Database version 8.1.7
    Oracle iAS 1.0.2.2.0
    There is a work around for this, which is to create a database
    schema for each portal user and then associate the
    Portal account with this database schema. When we do this, we
    get the correct information for use in the VPD policy,
    But we actually look for the Proxy Account (database schema the
    portal user is associated with) and not the portal
    user/session info. This work around in not desirable when we
    get a large number of portal users.
    I've included the VPD package below where we try to extract the
    Portal user acct using the
    portal30.wwctx_api.get_user function
    we also tried the
    WPG_SESSION_PRIVATE.GET_LW_USER function with the same results
    When this PLSQL is executed within a portlet, it seems to return
    the correct information.
    Code:
    CREATE OR REPLACE PACKAGE
    BODY "P_CORPORATE_SECURITY_CONTEXT" as
    function f_company_security (p1 varchar2, p2 varchar2) return
    varchar2 is
    v_predicate VARCHAR2(4000);
    CURSOR cur_company(p_portal_user_name IN
    company_wwsec_person.WWSEC_PERSON_USER_NAME%TYPE) IS
    SELECT decode(rownum,1,to_char(company_id),','||to_char
    (company_id)) company_id
    FROM company_wwsec_person
    WHERE POLICY = '='
    and upper(WWSEC_PERSON_USER_NAME) = upper
    (p_portal_user_name);
    l_portal_user_name varchar2(256);
    l_oracle_user_name varchar2(30);
    l_all_policy_cnt number;
    l_equal_policy_cnt number;
    BEGIN
    l_portal_user_name := portal30.wwctx_api.get_user;
    -- l_portal_user_name := USER; Commented out since we
    want portal user not
    database user.
    select count(*)
    into l_all_policy_cnt
    from company_wwsec_person
    where upper(WWSEC_PERSON_USER_NAME) = upper
    (l_portal_user_name)
    and policy = 'ALL';
    select count(*)
    into l_equal_policy_cnt
    from company_wwsec_person
    where upper(WWSEC_PERSON_USER_NAME) = upper
    (l_portal_user_name)
    and policy = '=';
    IF l_all_policy_cnt = 0 and l_equal_policy_cnt > 0 THEN
    v_predicate := ' company_id in (';
    FOR l_company IN cur_company(l_portal_user_name)
    LOOP
    v_predicate := v_predicate || l_company.company_id;
    END LOOP;
    v_predicate := v_predicate || ')';
    ELSIF l_all_policy_cnt = 0 and l_equal_policy_cnt = 0 THEN
    v_predicate := ' 1=2';
    ELSE
    v_predicate := NULL;
    END IF;
    -- Uncomment to allow access to everything
    -- v_predicate := ' 1=1';
    RETURN v_predicate;
    END;
    END;

  • Implement row-level security using Oracleu2019s Virtual Private Databases (VPD)

    Environment: Business Objects XI R2; Oracle 10g
    Functional Requirement:
    Implement row-level security using Oracleu2019s Virtual Private Databases (VPD) technology. The restriction is that the Business Objects Universe connection should use a generic/u201Capplicationu201D database user account. This will allow the organization to avoid the situation where the Business Objects password and the Oracle password need to be kept in synch.
    What do we need from the Business Objects support team?
    1.     Review the 2 attempted solutions that we have tried to implement
    2.     Propose solutions/answers to open questions for each of the attempted solutions
    3.     Propose any alternate solution that will help us implement the Function Requirement stated above
    Attempted Solution 1: Connection String uses Oracle Proxy User
    The connection string that is specified in the Universe is the following:
    app_user[end_user]/app_user_pwdarrobaDatabase.WORLD
    app_user = generic application user
    end_user = the oracle account of the end user which is set using arrobaVariable('BOUSER') app_user_pwd = password of the generic application user
    We have tried and implemented this in our test environment. However, we have some questions and concerns around how the connections are reused in a connection pool environment.
    Open Question for Solution 1:
    i. What happens when multiple proxy users try to connect on at the same time?  Business Objects shares the generic app_user connect string.  However, every user that logs on will have their own unique proxy user credentials.  Will there be any contention involved?  If so, what kind of errors can we expect?
    ii. If a user logs on using his credentials (proxy user), and business objects opens up a connection to the database using that user's credentials (as the proxy user but logging in through the generic app user). Then the user exits out --> based on our test today, it seems like the database connection remains open.  In that case, if another user logs on similarly with their credentials, will business objects simply assign the first users connection to that second user?  If so, then our security will not work.  Is there a way that Business Objects can somehow ensure that everytime we close a report, the connection is also terminated both at the BO and DB levels?
    iii. Our 3rd question is general high level -> How connection pooling works in general and how it is implemented in BO, i.e. how are new connections assigned, how are they recycled, how are they closed, etc.
    Attempted Solution 2: Using the ConnectInit parameter
    Reading through a couple of the Business Objects documents, it states that u201CUsing the ConnectInit parameter it is possible to send commands to the database when opening the session which can be used to set database specific parameters used for optimization.u201D
    Therefore, we tried to set the parameter in the Universe using several different options:
    ConnectInit = BEGIN SYSTEM.prc_logon('arrobaVARIABLE('BOUSER')'); COMMIT; END; ConnectInit = BEGIN DBMS_SESSION.SET_IDENTIFIER('arrobaVariable('BOUSER')'); COMMIT; END;
    Neither of the above iterations or any variation of that seemed to work. It seems that the variable is not being set or being u201Cexecutedu201D on the database.
    One of the Business Objects documents had stated that Patch ID 38, 977, 350 must be installed in our BO environments. We have verified that this patch has been applied on our system.
    Open Questions for Solution 2:
    How do we get the parameter ConnectInit to work? i.e. what is the proper syntax to enter and what other things do we need to check to get this to work.
    Note: Arroba word is being used instead of the symbol in order to avoid following error message:
    We are sorry but your message can not be posted since you have included an email address. Please remove the email address and re-post.

    the connectinit setting should look something like this:
    declare a date; begin vpd_setup('@VARIABLE('BOUSER')'); Commit; end;
    The vpd_setup procedure (in Oracle) should look like this:
    CREATE OR REPLACE procedure vpd_setup (p_user varchar)IS
    BEGIN
      DBMS_SESSION.set_vpd( 'SESSION_VALUES', 'USERID', p_user );
    END vpd_setup;
    Then you can retrieve the value of the context variable in your vpd functions
    and set the vpd.

  • OBIEE Security 10g to 11g: Groups

    I had a Security scenario that I wanted to throw out to the forum...
    In 10g, we made use of the GROUP system variable to pull a users group membership from a database table. This was a Session Variable initialized upon each login.
    Data-level and object-level security was different for each group.
    In our environment users had the ability to switch groups, so they could be active in one of the groups and inactive in the others. We provided a form (WriteBack) that allowed them to set what group they wanted to be active for. They would then log out and log back in and have their new group assignments.
    In the Session Variable this was done by pulling in only groups that were flagged as Active. This worked great as it was done at the Session level. So I could login once and see Dashboard A, swtich my role, then log back in and NOT see Dashboard A.
    I know 11g still has the concept of WEBGROUPS, that would mimic the above, but my understanding is that Oracle is pushing the use of Application Roles.
    My question is how would the above behavior be ported over to 11g using Application Roles? I didn't think the population of an Application Role was Session Based, my belief is that it is populated when the Admin Server/Managed Servers are bought up pulling from the applcable Security Provider.
    Edited by: DustinC on Jan 19, 2012 1:29 PM
    Edited by: DustinC on Jan 20, 2012 3:54 PM
    Edited by: DustinC on Jan 22, 2012 12:45 PM
    Edited by: DustinC on Jan 23, 2012 11:40 AM

    Q1. how deploy external database security(users, groups) to OBIEE 11g.
    we used external database security in 10g. all the users and groups maintained in database and obiee rpd has security groups. repository has group information only so it is deployed groups information to obiee 11g by upgrade assistant but how can it deploy users in external database?
    Solution:
    http://www.varanasisaichand.com/2011/09/external-table-authenticationorder-of.html
    http://www.rittmanmead.com/2012/03/obiee-11g-security-week-connecting-to-active-directory-and-obtaining-group-membership-from-database-tables/
    http://obieeblog.wordpress.com/2009/06/18/obiee-security-enforcement-%E2%80%93-external-database-table-authorization/
    Q2. all the users and roles in LDAP server. in this case how obiee 11g read users and group information?
    Obiee11g is intergated with weblogic fusion middleware (Console,EM). in that console have feature to enable mulitiple LDAP authentication
    while configuring AD via weblogic console we need to give the users and group info
    Solution refer:
    http://obieeelegant.blogspot.com/2012/01/obiee-11g-integration-with-ldap.html
    http://docs.oracle.com/cd/E23943_01/bi.1111/e10543/privileges.htm#BABCDCFE
    Thanks
    Deva

  • Report on OBIEE Security

    We use Default Authenticator and implemented the security using Weblogic console. Now my client want to see a report on the OBIEE security implemented; he want to see all the groups, roles, users listed and also interested in seeing what users and roles assigned to various groups for the project.
    Is it possible to read Weblogic security Metadata?
    Appreciate your thoughts on this.
    Thanks
    Bees

    Was my answer correct? If so, please indicate so (top right of my last post). If not, then what was your answer?

  • Error executing a query using VPD and BC4J

    Hi all,
    Our team is developing an application using an Oracle DB 9.2.0.4 and BC4J 10g (9.0.5.16.0) as persistence layer.
    We also are using the VPD (virtual private database) to have security in the database at row level.
    The problem we are facing is that every some time (days) we get a jdbc error when a query (see below) that uses VPD policies is executed. Once the error occurs I execute it from sqlplus without getting any error .. it only occurs from our java application.
    To temporary solve this problem, we delete and recreate the VPD policies, then the application continue working fine for some time ...
    I'll appreciate any comment / suggestions
    Thank in advance.
    Eduardo.
    ERROR LOG:
    oracle.jbo.SQLStmtException: JBO-27122: SQL error during statement preparation. Statement: SELECT * FROM (SELECT CalLocation.ID,
    CalLocation.CODE, eo
    CalLocation.NAME,
    CalLocation.ZIP,
    CalLocation.PHONE,
    CalLocation.FAX,
    CalLocation.ADDRESS1,
    CalLocation.ADDRESS2,
    CalLocation.URL,
    CalLocation.OWNER,
    CalLocation.CTY_ID,
    CalLocation.DESCRIPTION,
    ORefCity.CODE CTY_CODE,
    ORefCountry.ID CTR_ID,
    ORefCountry.CODE CTR_CODE,
    ORefRegion.ID REG_ID,
    ORefRegion.CODE REG_CODE
    FROM CAL_LOCATIONS CalLocation,
    OREF_CITIES ORefCity,
    OREF_COUNTRIES ORefCountry,
    OREF_REGIONS ORefRegion
    WHERE ORefCity.ID = CalLocation.CTY_ID
    and ORefCountry.ID = ORefCity.CTR_ID
    and ORefRegion.ID = ORefCountry.REG_ID) QRSLT WHERE ( ( (CTY_ID = 867) ) )
    ## Detail 0 ##
    java.sql.SQLException: Io exception: Broken pipe
         at oracle.jdbc.dbaccess.DBError.throwSqlException(DBError.java:189)
         at oracle.jdbc.dbaccess.DBError.throwSqlException(DBError.java:231)
         at oracle.jdbc.dbaccess.DBError.throwSqlException(DBError.java:345)
         at oracle.jdbc.driver.OracleStatement.open(OracleStatement.java:717)
         at oracle.jdbc.driver.OracleStatement.doExecuteWithTimeout(OracleStatement.java:2605)
         at oracle.jdbc.driver.OraclePreparedStatement.executeUpdate(OraclePreparedStatement.java:457)
         at oracle.jdbc.driver.OraclePreparedStatement.executeQuery(OraclePreparedStatement.java:387)

    The symptoms we have been getting are quite similar to the bug 3662364 .
    I'm going to implement the patch for that bug and see what happend then.
    Thank you very much for your help.
    Regards,
    Eduardo.

  • PreparedStatement error using VPD

    Hi all,
    Our team is developing an application using an Oracle DB 9.2.0.4 and BC4J 10g (9.0.5.16.0) as persistence layer.
    We also are using the VPD (virtual private database) to have security in the database at row level.
    The problem we are facing is that every some time (days) we get a jdbc error when a query (see below) that uses VPD policies is executed. Once the error occurs I execute it from sqlplus without getting any error .. it only occurs from our java application.
    To temporary solve this problem, we delete and recreate the VPD policies, then the application continue working fine for some time ...
    I'll appreciate any comment / suggestions
    Thank in advance.
    Eduardo.
    ERROR LOG:
    oracle.jbo.SQLStmtException: JBO-27122: SQL error during statement preparation. Statement: SELECT * FROM (SELECT CalLocation.ID,
    CalLocation.CODE, eo
    CalLocation.NAME,
    CalLocation.ZIP,
    CalLocation.PHONE,
    CalLocation.FAX,
    CalLocation.ADDRESS1,
    CalLocation.ADDRESS2,
    CalLocation.URL,
    CalLocation.OWNER,
    CalLocation.CTY_ID,
    CalLocation.DESCRIPTION,
    ORefCity.CODE CTY_CODE,
    ORefCountry.ID CTR_ID,
    ORefCountry.CODE CTR_CODE,
    ORefRegion.ID REG_ID,
    ORefRegion.CODE REG_CODE
    FROM CAL_LOCATIONS CalLocation,
    OREF_CITIES ORefCity,
    OREF_COUNTRIES ORefCountry,
    OREF_REGIONS ORefRegion
    WHERE ORefCity.ID = CalLocation.CTY_ID
    and ORefCountry.ID = ORefCity.CTR_ID
    and ORefRegion.ID = ORefCountry.REG_ID) QRSLT WHERE ( ( (CTY_ID = 867) ) )
    ## Detail 0 ##
    java.sql.SQLException: Io exception: Broken pipe
         at oracle.jdbc.dbaccess.DBError.throwSqlException(DBError.java:189)
         at oracle.jdbc.dbaccess.DBError.throwSqlException(DBError.java:231)
         at oracle.jdbc.dbaccess.DBError.throwSqlException(DBError.java:345)
         at oracle.jdbc.driver.OracleStatement.open(OracleStatement.java:717)
         at oracle.jdbc.driver.OracleStatement.doExecuteWithTimeout(OracleStatement.java:2605)
         at oracle.jdbc.driver.OraclePreparedStatement.executeUpdate(OraclePreparedStatement.java:457)
         at oracle.jdbc.driver.OraclePreparedStatement.executeQuery(OraclePreparedStatement.java:387)

    It seems to be related to the bug 3662364 .
    Regards,
    Eduardo.

  • Using VPD (Virtual Private Database) with Discoverer for Dummies

    Firstly could you please excuse me for the title of the thread, but it’s all I could come up with. For those of you who are looking at me with a strange look of disgust, please view thread that started it all: BIS vs DBI vs Noetix .
    Otherwise I’m hoping to gain a greater understanding of how VPD can be used to enhance Discoverer and it’s performance. I've just read that :
    “Oracle 8i introduced the notion of a Virtual Private Database (VPD). A VPD offers Fine-Grained Access Control (FGAC) for secure separation of data. This ensures that users only have access to data that pertains to them. Using this option, one could even store multiple companies' data within the same schema, without them knowing about it.
    VPD configuration is done via the DBMS_RLS (Row Level Security) package. Select from SYS.V$VPD_POLICY to see existing VPD configuration.”
    With Regards to Discoverer, I would like to ask the following:
    -When would be best to use VPD in Discoverer?
    -Pro’s and Con’s of VPD?
    -Tips / Tricks?
    -and anything else Michael would like to add (I don’t believe there is a post limit, although this could change in the future)
    I've found a few handy links:
    http://www.adp-gmbh.ch/ora/security/vpd/index.html
    http://www.oracle.com/technology/oramag/oracle/04-mar/o24tech_security.html
    As Metalink support would say : I Looking forward to your ‘Positive’ comments. ;-)
    Lance

    Lance,
    You sure do raise some interesting questions here.
    I've noticed from some of your previous posts that you are using views to link Discoverer through to apps. I have found this very interesting document that may help with your queries; http://www.oracle.com/technology/deploy/security/oracle9ir2/pdf/VPD9ir2twp.pdf
    If you scroll down to the section "Additional VPD Capabilities" and read the following sub-topics, this might enable you to base your Discoverer reports on views that contain VPD policies.
    I trust "My Positive Comment" may help!!
    Merry Christmas
    Si ;-)
    P.s This also may come in handy if running 10g http://www.stanford.edu/dept/itss/docs/oracle/10g/network.101/b10773/apdvpoli.htm
    Message was edited by:
    Simon Pittaway

  • OBIEE Security - How to setup SSO-integrated EBS users & mobile access?

    I'm looking for the best approach to solution my company's OBIEE Security requirements, they are:
    1) Create a standard authentication/security process at an enterprise level
    2) Maintain EBS Roles to provide object-level and data-level security in OBIEE
    3) EBS Users must go through the EBS portal to get to OBIEE (ie. single signon integration)
    4) non-EBS users must go through the OBIEE portal
    5) Both EBS and non-EBS users need ability to use the OBIEE iPad mobile application
    So for the EBS users, I've implemented the SSO integration between OBIEE 11.1.1.5.0 and EBS R11 based on the Oracle white paper [ID 1343143.1]. I've also set up an Authorization session init block to read the user's EBS Roles and set up object/data level security.
    For the non-EBS users, I've kept the default identity store (WLS-LDAP) and authentication provider.
    My question is what's the best approach for providing mobile access to the EBS users? Obviously I can't pass an HTML cookie to the iPad for these guys. Assuming these EBS users are in an corporate-LDAP store, I was thinking to setup a dual authentication store that connects to both corporate-ldap(EBS) and the WLS-integrated LDAP(non-EBS).
    Will this work? Does anyone have a better approach they'd like to share?

    Please post the details of the application release, database version and OS.
    We have a customer, who has upgraded to EBS R12 recently. With EBS R12 there comes a responsibility that enables users to directly open embedded BI in EBS. When people do LDAP authentication to EBS, they can directly open the OBIEE inside the EBS. But, when the EBS is SSO (OAM+WNA) integrated, OBIEE SSO in EBS does not work. What is the error?
    It could be related that OAM generated cookies are not recognized by embedded OBIEE.
    Is there a way to do a setup with both OAM SSO enabled to EBS, and EBS-OBIEE SSO is enabled inside EBS ? I do not think there is a single document that covers all the above (I believe you are aware of the individual docs).
    For urgent issue, please always log a SR.
    Thanks,
    Hussein

  • Label security on VPD?

    I have a question on label security.(i am new in Oracle security area)
    The 9i Label Security is built on VPD(virtual private database). Does this means you have to set up VPD before you use the Label Security?
    I am trying to run the Label Security demo/sample(in ALlSchema.zip), and I saw the tables has DN field which is used in VPD demo. I guess if i want to use Lable security i have to use VPD too, but it is not metioned in the demo/sample that the VPD is required.
    Thanks in advance for any help.
    Tim

    label security automatically sets up VPD. you should not need to worry about how label security is implemented.
    <BLOCKQUOTE><font size="1" face="Verdana, Arial">quote:</font><HR>Originally posted by [email protected]:
    I have a question on label security.(i am new in Oracle security area)
    The 9i Label Security is built on VPD(virtual private database). Does this means you have to set up VPD before you use the Label Security?
    I am trying to run the Label Security demo/sample(in ALlSchema.zip), and I saw the tables has DN field which is used in VPD demo. I guess if i want to use Lable security i have to use VPD too, but it is not metioned in the demo/sample that the VPD is required.
    Thanks in advance for any help.
    Tim<HR></BLOCKQUOTE>
    null

  • How to use vpd to restrict rows by application and schema_name?

    We have a need to reuse a schema name many times in a test/dev. environment. Normally we just create a new instance so development can test their apps. using the same schema_name, let's call it test_user. This is very tedious and time consuming to create many db's and sometimes we don't have the hardware to support so many db's. So I was wondering if I could use vpd and an application_context to restrict the rows & columns that can be seen. But instead of restricting it by schema_name I want to restrict it by schema_name and another env. variable like app_name or something similar. So when the middle layer connects with test_user user name and the app is called accts_payable they see parts of the rows that pertain to them. But if the middle layer connects with the test_user user name and the app is called accts_payable2 they see completely different rows. Any help would be appreciated.
    Thanks,
    George

    I was hoping someone else had already been down this path so I don't have to re-invent the wheel. But it looks like I'm going to go down that path. I did find something in the manual that may help but again it's not exactly what I was hoping for so I will have to test it. It mentions using dbms_session to set the application name in the environment like this:
    Consider the application server, AppSvr, that has assigned the client identifier 12345 to client SCOTT. It then issues the following statement to indicate that, for this client identifier, there is an application context called RESPONSIBILITY with a value of 13 in the HR namespace.
    DBMS_SESSION.SET_CONTEXT( 'HR', 'RESPONSIBILITY' , '13', 'SCOTT', '12345' );
    Thanks for your help on this. If anyone else has been through a similar situation please reply.
    Thanks,
    George

  • Retrieving data from OBIEE server using ODBC

    Hello.
    I am having difficulty retrieving data from OBIEE 11g using the ODBC connection. My intention is to read OBIEE Server data via a SQL statement issued from an Oracle database using gateways.
    I have read and followed the material here:
    http://download.oracle.com/docs/cd/E14571_01/bi.1111/e16364/odbc_data_source.htm#CACBFCJA
    I have also tried this from Excel 2007, but have not succeeded:
    http://gerardnico.com/wiki/dat/obiee/import_data_from_obiee_to_excel
    I have setup a gateway in Oracle and a database link. Iknow it is connecting because when I change the password to something invalid, I get a message about not being able to connect due to username/password.
    I have taken a query from Answers (the advanced tab) and tried running it from Sql Developer. The nsqserver.log file ends up with the following Notification:
    [nQSError: 13013] Init block, 'DUAL Num (=3)', has more variables than the query select list.
    As an experiment, I am using the SampleApp, and have generated the following query in Answers:
    SELECT s_0, s_1, s_2, s_3 FROM (
    SELECT
    0 s_0,
    "A - Sample Sales"."Products"."P3 LOB" s_1,
    DESCRIPTOR_IDOF("A - Sample Sales"."Products"."P3 LOB") s_2,
    "A - Sample Sales"."Base Facts"."1- Revenue" s_3
    FROM "A - Sample Sales"
    ) djm ORDER BY 1, 2 ASC NULLS LAST
    Is there a way to issue this query from a database client like SQL Developer? I have setup a database link called obiee via gateways to the ODBC connection, and add @obiee after the table name in the above query, but get the nqs error above.
    Thanks for any help. I can provide addl info if such would be useful.
    Ari

    That would explain my difficulty. I went to the link:
    http://download.oracle.com/docs/cd/E14571_01/relnotes.1111/e10132/biee.htm#CHDIFHEE
    that describes the deprecated client. I am confused by the statement there:
    "one of the many widely available third-party ODBC/JDBC tools to satisfy previous NQClient functionality"
    My understanding of ODBC is not very strong, so please bear with me. The statement above is talking about a client tool, but there also needs to be an ODBC driver available for BI Server. I may be a bit confused between driver and client, and what piece nq handles. I don't understand the comment about third-party ODBC when it comes to the driver piece, as that must be coded for BI Server. When I go to create a new DSN, the only driver that makes sense for me to select is:
    Oracle BI Server 11g_OH<id>
    That all works fine to setup a DSN. But I am unable to connect from Excel, etc., using this DSN.
    Put more simply, should I be able to connect to BI Server via ODBC - not using the deprecated BI ODBC client, but using other clients? Is there ODBC connectivity at all in OBIEE 11g?
    Thanks,
    Ari

  • How to implement row level security using external tables

    Hi All Gurus/ Masters,
    I want to implement row level security using external tables, as I'm not sure how to implement that. and I'm aware of using it by RPD level authentication.
    I can use a filter condition in my user level so that he can access his data only.
    But when i have 4 tables in external tables
    users
    groups
    usergroups
    webgrups
    Then in which table I need to give the filter conditions..
    Pl let me know this ...

    You pull the Group into a repository variable using a session variable init block, then reference that variable in the data filters either in the LTS directly or in the security management as Filters. You reference it with the syntax VALUEOF("NQ_SESSION.Variable Name")
    Hope this helps

Maybe you are looking for

  • Excel in place

    When you transfer ALV Grid to excel, filter totals and subtotals are not transferred. Is there a way to transfer the Grid as she appears on the screen or do i have to do it manually using DOI classes. Regards,

  • HP 2000 - 2c12NR: Removed Win8, Installed Win7 64-bit; Touchpad Problems

    Greetings HP forums!  My name is Bob and I am having an issue with an HP 2000 laptop.  A friend requested I remove Windows 8 from a laptop, and install Windows 7 since he was much more familiar with the old GUI.   I installed Win7 64-bit and am havin

  • IE not working (again)

    I have built a e-commerce site (cant give you a link because the client hasent finished uploading products, brands, logos ect so it is still private) anyway one function is a "best seller" box. This uses a downloaded JS script which scrolls through t

  • Error #2032

    I wanted to try Adobe illistrator to see if it will work for me, and it wont even display a download button it just has a box that says Error #2032. i am using google chrome if that helps any ideas on what to do?

  • Unload 10,000,000 of rows from a table.

    Hi Group, Is there any optimized, quick way to unload 10 million of rows from a table to a text file on the server, each field has to be separated with "|" symbol. Thanks a lot Oracle version 10.2.0.4 Platform: Linux RH 64 bits