Object Level Security in OBIEE 11.1.1.5
Hi All,
I am trying to implement object level security for certain groups. We have BI Apps 7.9.6.3 implemented, in which OBIEE 11.1.1.5 is integrated with EBS R12. Users are able to log in to OBIEE through different responsibilities. I need insight into how to implement object level security. Below are the steps which I have followed, but I am still facing strange issues, i.e. some users are able to see dashboards which they have no access to, with a view display error. I checked the dashboard permissions. They do not have access.
1) Created application roles in OBIEE with the same responsibility names
2) Grouped the application roles in different groups, i.e. if application roles a, b, c should have access to dashboard x then I made b and c members of a.
3) Configured security in Manage Privileges and the catalog for these application roles, i.e. I used application role a mentioned in step 2 in Manage Privileges etc.
4) Restarted the BI server and presentation servers.
Are there any other steps which should be followed apart from the steps mentioned above? Do I have to make use of groups?
Regards,
Sandeep
Sandeep Saini wrote:
I checked the inheritance. I did a lot of investigation but it is weird. My purpose in asking the question was to find out if there are any bugs in version 11.1.1.5; otherwise I didn't see any issues.
There are a couple of bugs related to the issue, but I have checked that on 11.1.1.5.5 and it works as expected.
Bug 13982971 : PERMISSIONS ON WEB CATALOG OBJECTS NOT APPLIED IMMEDIATELY
In case you see anything like this -> QA:USER WITH NO ACCESS OVER A FOLDER IS ABLE TO RUN ANALYSIS REPORT CONTAINED then [Patch ID 15626966]
1) I want to check if there are any components, i.e. BI server, presentation server or any other service, that should be started after creation of application roles. I started only the BI server after creating application roles.
Any changes made to the application policies should need a restart of the admin and managed servers; however, if you are not creating policies, just roles with similar names, an OPMN restart should be good to see the changes made.
2) I made use of application roles throughout in object level security. Is it the correct approach?
Yes, that is the right approach: use application roles for defining object level permission settings throughout. Do not go for catalog groups, it makes it nasty to manage. Here is the quote from the Sec Guide: "Using catalog groups is not considered a best practice and is available for backward compatibility in upgraded systems."
3) To check if there are any object level security related bugs.
There might be more than the ones mentioned above since 11.1.1.5 ... I do not trust that version, it bites a lot ;)
And to explain step 2, let's say there are n application roles which should have the same object level security but different data level security. In that case I made all such application roles members of another application role and configured object level security for that group only. For example, in Manage Privileges I configured "Access to Answers" for one application group and made the other application group a member of this group. I hope it's clear now.
Grouping of roles with other similar roles is what needs to be done to get functionality like catalog groups. However, a reference to the 5 basic rules is always a lifesaver: Rules for Inheritance for Permissions and Privileges, http://docs.oracle.com/cd/E29505_01/bi.1111/e10543/mgrgrpsusers.htm#autoId16
Hope this helps!
SVS
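The thread above nests application roles inside other roles and asks why a user can still see a dashboard. As an added example (not code from the thread or from Oracle), this Python model lists every membership path by which a user reaches a permission entry on a catalog object. The role names, the ACL dictionary and the precedence order used (explicit user entry first, then any inherited deny, then any inherited grant) are assumptions made for the example and should be checked against the linked inheritance rules.

```python
from collections import deque

# Constructed sample data, not taken from a real catalog or identity store.
MEMBER_OF = {                 # principal -> application roles it is a member of
    "user:mike": ["role:b"],
    "user:smith": ["role:c", "role:d"],
    "user:ann": ["role:e"],
    "role:b": ["role:a"],     # step 2 of the thread: b and c are members of a
    "role:c": ["role:a"],
    "role:a": ["role:b"],     # accidental cycle; the walk must still terminate
}
ACL = {                       # catalog object -> {principal: "grant" | "deny"}
    "/shared/Dashboard X": {"role:a": "grant", "role:d": "deny"},
}

def inheritance_paths(principal, member_of):
    """Map each role reachable from principal to the shortest membership path."""
    paths = {principal: [principal]}
    queue = deque([principal])
    while queue:
        current = queue.popleft()
        for parent in member_of.get(current, []):
            if parent not in paths:          # visited check also breaks cycles
                paths[parent] = paths[current] + [parent]
                queue.append(parent)
    return paths

def explain_access(user, obj, member_of=MEMBER_OF, acl=ACL):
    """Return (decision, hits); hits are (principal, setting, path) tuples."""
    entries = acl.get(obj, {})
    paths = inheritance_paths(user, member_of)
    hits = [(p, entries[p], paths[p]) for p in paths if p in entries]
    if user in entries:                      # assumed: explicit user entry wins
        decision = entries[user]
    elif any(setting == "deny" for _, setting, _ in hits):
        decision = "deny"                    # assumed: inherited deny beats grant
    elif hits:
        decision = "grant"
    else:
        decision = "no-entry"                # nothing applies to this user
    return decision, hits

if __name__ == "__main__":
    for u in ("user:mike", "user:smith", "user:ann"):
        decision, hits = explain_access(u, "/shared/Dashboard X")
        print(u, decision)
        for principal, setting, path in hits:
            print("   ", setting, "via", " -> ".join(path))
```

Feeding it an export of the real role memberships and catalog permissions shows which inherited path, if any, explains an unexpected dashboard.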
Similar Messages
-
Object Level security by creating catalog groups in OBIEE-10G
Hi All,
I have a requirement to display the dashboard based on the user login. Ex. Mike belongs to HR, Smith belongs to Accounts
When Mike logs in he should see only these three dashboards. HR View, Common data1, common data2. When Smith logs in he should see only these three dashboards. Accounts view, Common data1, commondata2.
The commondata1 and commondata2 dashboards have common reports for all the departments. The other dashboards are department specific with all different reports. How can I implement this?
From one of my earlier posts I was advised to do it using Object Level security by creating catalog groups. Can you please provide me end to end instructions on how to create Object level security based on catalog groups.
Thanks for your time and help.
Hi,
Mike to HR
Smith - Account
Yes, you can achieve this by object level security by creating catalog groups.
1) Create catalog groups and users in the RPD (Ex: Account_grp, HR_grp)
2) Assign each user to the particular group (Ex: Account_grp = Smith and HR_grp = Mike)
3) Log in (admin user ID) to the dashboard page ---> manage dashboard page --> add the relevant users to that particular dashboard and save it, then try to log in as the Mike and Smith users; it will work.
Kindly refer to the links below:
http://www.rittmanmead.com/2010/01/obiee-10g-web-catalog-best-practices/
http://www.rittmanmead.com/2007/05/obiee-and-row-level-security/
Thanks
Deva
-
Object Level security not working on OBIEE 11g 11.1.1.7
Hi,
I am experiencing problems with object level security applied on an application role in version 11.1.1.7. If I create a user, assign that user to an application role and give that application role permission to Access Answers in Manage Privileges, it is not working. If I directly add a user to the permission list in the Manage Privileges section then the user is able to access Answers. I added that application role in the "Access to Answers" section in Manage Privileges. Permission for Authenticated users is denied.
We recently upgraded from 11.1.1.5 to 11.1.1.7. Please can someone confirm if it is a bug in 11.1.1.7 or if it is because of the upgrade process.
Regards,
Sandeep
Hello Sandeep,
I have just verified the scenario you described but didn't find any issue.
I have just created a user, group and application role under the default authentication provider, assigned the user to the group and the group to the newly created application role, and provided Access to Answers for the new application role under Manage Privileges, and I am able to see it.
This might not be an 11.1.1.7 bug; check it from the upgrade end.
Regards,
Srikanth
-
Object Level Security Issue.
Hi,
I am facing an issue in applying object level security in OBIA.
I have successfully done the LDAP authentication.
At object level, I want to give the currently logged in user permission to a page of the General Ledger dashboard.
For this I have added the group corresponding to the logged in user through "Manage privilege" and given Access to the Dashboards.
But after doing this I am getting the following error in my report when I log in as the same user.
"Odbc driver returned an error (SQLExecDirectW).
Error Details
Error Codes: OPR4ONWY:U9IM8TAC:OI2DL65P:OI2DL65P
State: HY000. Code: 10058. [NQODBC] [SQL_STATE: HY000] [nQSError: 10058] A general error has occurred. [nQSError: 27004] Unresolved table: "Financials - GL Balance Sheet". (HY000)
SQL Issued: {call NQSGetQueryColumnInfo('SELECT "Profit Center"."Profit Center Name", Ledger."Ledger Name", Time."Fiscal Quarter", Time."Fiscal Year" FROM "Financials - GL Balance Sheet"')}
SQL Issued: SELECT "Profit Center"."Profit Center Name", Ledger."Ledger Name", Time."Fiscal Quarter", Time."Fiscal Year" FROM "Financials - GL Balance Sheet"
Please suggest where else I need to do any setting.
Hi,
Looks like the user does not have access to the presentation table/column; check and see if the group has access.
See: http://obiee-tips.blogspot.com/2009/09/obiee-security.html
Regards,
Matt
-
Object Level Security,Data Level Security&Row level Security
Can anyone explain the main difference between "Object Level Security, Data Level Security & Row Level Security" and how to implement them?
Thanks in advance,
Kumar
Hi Kumar
Dashboards, reports, guided navigation links, texts and briefing books are all dashboard OBJECTS which are available at the UI level of OBIEE. If you restrict them, say User 'A' wants to see 2 dashboards and User 'B' wants to see 1 dashboard, these settings and permissions that you are restricting at object level are called Object Level Security.
Similarly, data level security is restriction of data. Consider the same example above: User 'B' wants to see data for 2-3 regions whereas User 'A' will see only a single region's data, which you will restrict at the logical tables, using variables.
Row level security: http://groups.google.com/group/obiee-enterprise-methodology/browse_thread/thread/131ee938a5aefde0 Refer to this link, it explains this clearly.
Please mark Correct or helpful if this clears -
Row level security in OBIEE 11g: Which is better: VPD or RPD
We can apply row level security in OBIEE in 2 ways:
1. By creating an initialization block in the RPD
2. Or applying VPD in the database, which restricts source tables
Which one is more efficient and why?
Thanks,
Sunil Jena
You will have some degree of performance degradation with either approach since you are adding additional filters, so I would not use that as the main factor to decide. You need to assess your actual requirements. What is the basis on which you are planning to do the security? Is LDAP the main basis for the security? Do you plan to use certain roles? If your security is based more on roles at the application level, then it may be easier to define at the application level (OBIEE). If it's just based on a certain user ID for a set of tables, then perhaps VPD can work. If helpful, pls mark.
-
How to get object level security in Universe?
Hi,
I need to get the object level security for an Universe. I'm able to get the list of objects and its security access level (Public / Controlled / Restricted / Confidential / Private / ) from the (.Unv) file using the Designer SDK.
But I need to get the list of users who have object level security in the universe. In the CMC, by clicking the Universe and then the Object Level Security tab, we can see the list of users there.
I need to get the same using BOE SDK.
I have used the following query to get the universe from the repository,
"select * from ci_appobjects where si_kind='universe' "
But I'm not able to get the list of users having obj. level security for that universe.
Kindly help me to proceed.
Thanks.
The access security level is encapsulated in the SI_KIND='Overload' object.
Look for those types of objects, and the doc for the Overload class.
An Overload references the Universe to which it's associated, and User/UserGroup objects are associated with the Overload via SecurityInfo.
Sincerely,
Ted Ueda
-
Data Level Security in OBIEE Enterprise Edition
HI,
I would like to know how to implement row-level security in OBIEE Enterprise Edition.
Setting up the context right here, consider an organization hierarchy that goes up to 4 levels as below:
VP > Senior manager > Manager > Clerk
Now, the situation is such that a manager should be able to view his subordinates' data but not the data of any other team to which he does not have access. Also, the manager should view only his region's data. The same goes for other hierarchies in the organization.
Any pointers in this regard, i.e. OBIEE ADMIN TOOL: SECURITY AUTHENTICATION THROUGH EXTERNAL DATABASE, would be of great help.
Source system is SIEBEL CRM 7.8
Thanks
Gutha
Hi,
I can help you with authentication using the BI Server.
For this you can use the Admin Tool, then Manage > Security > Users and Groups.
You can create different groups as well as users according to your hierarchy and then give privileges to users or groups according to your need, so that a particular user can view the data of a particular level.
When you create users, in the user page you can provide the filter conditions in the Filter tab, and the same for groups.
Regards
Tarang Jain
-
Row Level Security in OBIEE using OID as authentication Mechanism
Hi OBIEE Gurus,
I am trying to implement Row Level Security in OBIEE . Currently I have setup OBIEE to have OID do the user authentication.
I want to implement RLS by doing the following :
1. Have Security Groups defined in OID and assign users with group membership.
2. Import these Security Groups into OBIEE metadata
3. Apply filters to these Security Groups
4. Run Answers requests to see if RLS works or not
Please let me know if this approach works. If this is not the right way or most efficient way to do this, please let me know if there is any document I can follow to accomplish this.
Appreciate your help.
Edited by: drakesh on Sep 26, 2008 7:09 AM
Follow the steps in the following link to set up OID and row level security:
http://www.rittmanmead.com/2007/05/21/using-initialization-blocks-with-ldap-and-database-queries-to-control-authentication-and-authorization/
Instructions for the link above:
1. In place of Edit Data Source as database you have to select LDAP, and define the groups and default initializer as a filter expression.
2. A simpler approach is to create the groups explicitly using the Security Manager in BI Administrator, add filters to those groups, and assign users to those groups.
Otherwise follow Matt's view.
Thanks,
Amrita
-
How to provide Responsibility level security in OBIEE 11g
Hi all,
Can anyone tell me how to provide responsibility level security in OBIEE 11G?
Hi,
You need to create a group of users and then apply filters over that group.
You should establish an additional filter for group1 (user1 belongs to group1 in your example). Follow these steps:
- Manage -> Security...
- Groups -> right-click group1 and select Properties.
- Select the 'Permissions...' button
- Select the 'Filters' tab -> add new filter.
- In the column name select the metric you need to filter, in your example, customer sales. In the column 'Business model filter' put table.division=division1
You should add the Customer table to your Sales-fact LTS and apply the filter to this combined LTS as well.
For more:
http://oraclebizint.wordpress.com/2008/06/30/oracle-bi-ee-1013332-row-level-security-and-row-wise-intialized-session-variables/
also try http://www.biblogs.com/1969/12/31/obiee-11gr1-security-explained-an-11g-security-overview/
http://forums.oracle.com/forums/thread.jspa?threadID=1120336
Thanks
Deva
Edited by: Devarasu on Oct 11, 2011 6:08 PM
-
How to create Database level Security in OBIEE
Dear Experts,
Can you kindly tell me the steps to create database level security in OBIEE?
Please can someone give me the scripts and tell me how to implement that in the RPD.
Thanks in advance,
Anand
If you are looking for database level security in OBIEE, the only route to truly accomplishing this is using the Oracle Virtual Private Database concept.
http://obieeblog.wordpress.com/2008/12/29/obiee-and-virtual-private-database-vpd/
http://gerardnico.com/wiki/dat/obiee/vpd
-
Object level security will be done by bi-server or presentation server
Hi all
Will object level security be done by the BI server or the presentation server?
Or will both be done by the BI server?
Thanks
Hi,
object level security will be done by bi-server or presentation server?
It would be maintained by both servers: the end user sends a request that is sent to the presentation server and then in turn to the BI server, and in this process both check whether there is any security implemented on it.
Yes, in simple words, authorization and authentication.
Hope it helps you.
By,
KK
-
How do you create object level security in BI for roles.
How do you create object level security in BI for roles? For example, if I want users to only execute reports in BI for a particular "object" report, how would I do that?
Thanks.
Hi Maritza,
Can you be more specific.
If you are looking for BI Security concept, check this presentation:
https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/1b439590-0201-0010-ea8e-cba686f21f06
Regards,
Zaheer
-
Object Level Security Profile-Collaborators
Dear All,
In the document collaborator security profile one permission is change master data state. Is master data considered to be all fields within the contract? Also, what will happen if this permission is changed to not set?
Thanks,
Jay
-
Data level and object level security: how can we implement them in OBIEE 11g
How can we implement data level security in OBIEE 11g?
Concept is more or less same as in 10g
Data level
http://www.rittmanmead.com/2012/03/obiee-11g-security-week-row-level-security/
Object level
http://docs.oracle.com/cd/E28271_01/bi.1111/e10543/intro.htm#BABHDGGB
Mark if helps
Edited by: Srini VEERAVALLI on Mar 5, 2013 6:48 AM