Object Level security not working on OBIEE 11g 11.1.1.7

Similar Messages

• Item level security not working when placed in a portlet page

  I have three page links linking to separate pages and have two of them with item level security turned on for specific groups with view privilges. I have the access for those groups with view privilges in the page level as well. I have published that as portlet and placed the portlet in another page which has view priviliges for the groups specified in item level as well.
  But I notice that when i place the portlet in a page, the item level security is not working.
  Item Level Security Not Working for Items Placed on a page and published as portlet and placed in another page. Is there some work around for this.
  Thanks
  Valli

  Would you please clarify for me? Is the problem that unauthorized people can see the portlet, or that unauthorized people can see the links?

• Row Level Security not working for SAP R/3

  Hi Guys
  We have an environment where the details are as mentioned below:
  1. Crystal Reports are created using Open SQL driver to extract data from SAP R/3 using the SAP Integration Kit.
  2. The SAP roles are imported in Business Objects CMC.
  3. Crystal Reports are published on the Enterprise as well.
  3. Authorization objects are created in SAP R/3 and added as required for the row level security as mentioned in the SAP Installation guide as well. The aim is when the user logs into the Infoview and refreshes the report he should only see data that he is meant to so through the authorization objects.The data security works very much fine when the reports are designed directly on the table but when the reports are built on the Business View it doesnt work hence the user is able to see all data.
  Any help in this issue is greatly appreciated.
  Thanks and Regards
  Kamal

  Hi,
  In order for row level security to work for you using the OpenSql driver, you need to configure the Security Definition Editor on your SAP server.  This is a server side tool which the Integration solution for SAP offers as a transport.
  This tool defined which tables are to be restricted based on authorizations.
  However since you are seeing the issue on reports based on Business Views, you need to identify whether the Business View is configured in such a way where the user refreshing the report is based on the user logging into Infoview.  If the connection to your SAP server is always established with the same user when BV is used then you security definition is pointless.
  You can confirm this by tracing your SAP server to identify what user is being used to logon to SAP to refresh the reports.
  thanks
  Mike

• Obi 11g row level security not working

  All,
  I am very familiar and have worked with obi 10g row level security and it works pretty easily. Now in 11g not so easy. I am basically setting permissions on data filters on app roles as per the new 11g instructions and meta data guide, however, I never see the filters being applied in the report and also in the nqquery.log. I have tried in vain, and nothing. The filters are never being applied for the test user. I even verified the user is in the specified app role via their my account->app roles tab. Now has anyone had this experience or now is there something that must be done additionally now.
  Very frustrated... ;(

  Ok, so I have found the solution and ultimately the answer to why the object level and row level security was not being applied. It so happens that the app policy: 'resourceType=oracle.bi.server.permission, resourceName=oracle.bi.server.manageRepositories all' not only allows the management and access to online RPDs; but, IT ALSO DOES NOT APPLY SECURITY/PERMISSIONS IN THE RPD TO THAT USER thus you are super user. So the OOTB BIAdministrator app role which my AD user was being assigned never had any security applied due to this. How I tested:
  1) I created a test user
  2) Assigned that user to the BIAuthor app role and saw that they had the security applied that I was testing, which was simple object denial and row-level security to just one year on the date dim.
  3) Since it was working, I then assigned that user to the BIAdministrator role. This produced that the test user now does not have any restrictions that I set and that were working before. Thus, security/perms in the RPD are not applied.
  4). I removed the user from the BIAdministrator app role, kept in the BIAuthor app role and then created new test app role. I mapped that user to this new role along with the BIAuthor role. I then proceeded in creating new app policy with just that policy and assigning the new app role to it.
  5) I logged into the presentation services again with this test user after assigning to new app role and policy. My test user again does not have the security being applied and does not get any perms/security that I set and applied in the RPD. On top of that my test user is now able to login in online mode to the rpd via the bi admin tool.

• Crystal reports LOV cascading prompts row level security not working

  Crystal report LOV cascading prompts with row level security is not woking when the crytal report cache server/page server cache (Oldest On-Demand Data Given To a Client (in minutes)) is turned on. But its working fine when the cache is turned off.
  Using XIR2 environment.
  Appreciate the response.
  Thanks
  Chenthil

  Hi Chen,
  In terms of what could be done on the Crystal Reports end, there is no such controls available.  However, your question may be better answered if it was posted to our Business Objects Enterprise forum. 
  It is at "BusinessObjects Enterprise Administration" section of the forums.
  FYI.

• Row level security not working if I hit the aggregate

  I have applied row level security on presentation layer , however it does not work if the report hit the aggregate any idea on this...

  Hi Ingo,
  Security is set up using /crystal/rls transaction. A custom auth object is used for checking the company code with a single field "BUKRS".
  This custom auth object is maintained for the PA0001 table.
  This object is added at the role level with the restricted access to the Company Code..

• Item Level Security not working with Tabs

  I've Portal 9.0.2.2.22
  This issue is with Item Level Security with Tabs. Here is what I've have:
  Page Group: MyPagegroup (Privs: portal => Manage All)
  Page: MyTestPage (Privs: portal => Manage All,
  testUser => View)
  There is a tab called MyTab on page MyTestPage which has two items (simple images) image1 and image2. The tab's access privs have been set NOT to inherit from the page. The public check box has not been checked for the tab. I've specifically assigned access privs to the tab.
  Now here are the two scenarios that I'm having problem with:
  1) MyTab (portal => Manage All, testUser => view)
  image1 (ILS enabled: portal => Manage All)
  image2 (ILS enabled: portal => Manage All,
  testUser => View)
  When logged in as "testUser", I still see both the images on MyTab although image2 doesn't have view priv to testUser. My expected result is to see just image2 on the tab.
  2) MyTab (portal => Manage All)
  image1 (ILS enabled: portal => Manage All,
  testUser => View)
  image2 (ILS enabled: portal => Manage All)
  When logged in as "testUser", I still see NO images on MyTab although image1 has view privs to testUser. I would expect to see image1 on the tab.
  Question: In both the above cases, the tab privs seem to be dictating what the user sees regardless of what the item level privs are set to. Is this normal behavior or a bug? If a bug, is there a patch? Is there any way so that even after setting the tab privs, I still have finer control of what the user can access through item level privs?
  If I don't put the items under a tab, then things work as expected.
  thanks
  Lalit Agarwal
  Vienna, VA
  703-521-5200 x3610

  This is a known problem with the 9.0.2 release - fixed in 9.0.2.6.
  Regards,
  Jerry
  PortalPM

• Column Sorting and Rowspanning not working in OBIEE 11g (worked in OBI 10)

  Hi all,
  i have a report with columns like this:
  Customer Nbr. | Customer Name | Salesorder | EBIT | EBIT (Total p. Customer)
  In the table view i have a total sum line at customer level.
  The column "EBIT (Total p. Customer)" is an Aggregate with Formula (SUM(Invoices.Ebit) BY Customer."Customer Nbr.") which is exactly the same value as in the report sum line (column EBIT).
  This Aggregate colum is only for sorting purposes and is hidden in the view.
  The business case is:
  "We want to see the EBIT per Salesorder for each customer, sorted from worst to best customer.
  So i sorted by "EBIT (Total p. Customer)" ascending in criteria tab and adviced answers to show the sum for each customer (column customer nbr.) in the table definition view.
  OBIEE 10 behaviour: Answers shows all customers sorted by EBIT (Total p. Customer), i see one line for each salesorder, the customer columns are rowspanned over all salesorder lines and there is exactly on sum line after each customer.
  OBIEE 11 behaviour: Answers shows all customers sorted by EBIT (Total p. Customer), i see one line for each salesorder BUT there is one sum line after each salesorder too. So there is no sum at customer level but on salesorder level
  Any idea how to solve this?
  BTW:
  1.) I still tried to place this column as the first (left) column in the report to get the right sorting ... with no success.
  2.) Sorting data at BI Server level is NO option since there are some other reports with different sorting requirements
  While searching in "Oracle Support" i found document ID: 1371247.1 "OBIEE 11g: How To Apply a Custom Sort in Answers" which says "... The functionality to custom sort in Answers does not currently exist There is an enhancement request for this functionality. For more information, see Bug 13261597 - be able to apply a custom sort in answers ..."

  Did you ever get an answer to your question? We are seeing the same issue.

• ODBC and OCI not working with OBIEE 11g Client on 64 bit machine

  Hi,
  I have Installed OBIEE 11g client (Admin tool) on Windows XP Professional 64 bit machine.. I have Installed 11g database on the same machine but while importing Metadata using admin tool. getting "Connection has failed" error message... Can someone tell me whats the issue..
  ODBC and OCI works fine with OBIEE 10g Admin..

  Hi,
  Oracle_BI1\network\admin folder gets installed with full obiee 11g Installlation and I have installed only 11g client as I have OBIEE 10g already Installed on my machine..
  Installation is as follows:
  ORACLE 11g CLIENT Installation is as follows:
  C:\Program Files\Oracle Business Intelligence Enterprise Edition Plus Client
  ORACLE 10g Installation is as follows:
  C Drive:
  ORACLE BI
  ORACLE BI Data ( everything is working with this)
  latest Log Info is as follows:
  [2012-02-02T11:05:00.000+00:00] [OracleBIServerComponent] [ERROR:1] [] [] [ecid: ] [tid: 24fc] [nQSError: 16001] ODBC error state: 08004 code: 12154 message: [Oracle][ODBC][Ora]ORA-12154: TNS:could not resolve the connect identifier specified.
  [2012-02-02T11:05:16.000+00:00] [OracleBIServerComponent] [ERROR:1] [] [] [ecid: ] [tid: 2f3c] [nQSError: 16001] ODBC error state: 08004 code: 12154 message: [Oracle][ODBC][Ora]ORA-12154: TNS:could not resolve the connect identifier specified.
  [2012-02-02T11:32:53.000+00:00] [OracleBIServerComponent] [ERROR:1] [] [] [ecid: ] [tid: 2f3c] [nQSError: 16001] ODBC error state: 08004 code: 12154 message: [Oracle][ODBC][Ora]ORA-12154: TNS:could not resolve the connect identifier specified.

• Filter Grouping not working for OBIEE 11g

  Hello!
  I need some help on the below:
  I have built a simple report in OBIEE 11g with FILTER grouping on two dimensions as below:
            Operative Hierachy is equal to Europe, IMEA, APAC, China Focus Country, Americas, US and Canada
       and      Accounts is equal to Net Sales (i), Gross Margin (i), GM% (i)
  or
            Accounts is equal to Gross Margin, Net Sales, Gross Margin %
       and      Operative Hierachy is equal to / is in Organizations Total
  The report was working as expected; but now suddenly it's showing no results with the error "+The specified criteria didn't result in any data. This is often caused by applying filters and/or selections that are too restrictive or that contain incorrect values.+" - even though data is present ! - I have tested this by splitting it into two reports (with only the AND conditions)- which is then woking as expected.
  Points to note:
  --There had been no change on the Report, when it stopped showing results.
  --I have tested this filter grouping with other dimensions- & they are working fine.
  --The OBIEE reports are fetching data from ESSBASE cube.
  --Only thing which I can remember when it stopped working is that, there had been a data load on the ESSBASE cube. But other reports using these dimensions are working.
  Has anyone faced the same issue before. Please help.
  Edited by: Anu on Jan 22, 2013 12:31 AM

  Hi User, Vijay,
  Yes I have checked the generated SQL queries and the MDX queries as well. Both queries are generated as expected, but returns no result.
  But now I have found out how these two different dimensions are different from my other dimensions. Only these two dimensions have a SORT order logical column defined in the BMM layer- which I think is causing the problem, BI Server not able decide which column to sort. So, the sql gives result when I cimment out one of the SORTKEY
  SELECT
  0 s_0,
  "PSS Essbase"."Accounts"."Accounts" s_1,
  "PSS Essbase"."Operative Hierarchy"."Operative Hierachy" s_2,
  -- SORTKEY("PSS Essbase"."Accounts"."Accounts") s_3,
  SORTKEY("PSS Essbase"."Operative Hierarchy"."Operative Hierachy") s_4,
  "PSS Essbase"."Facts"."Measure" s_5
  FROM "PSS Essbase"
  WHERE
  ((("Operative Hierarchy"."Operative Hierachy" = 'Europe') AND ("Accounts"."Accounts" = 'Gross Margin'))
  OR (("Operative Hierarchy"."Operative Hierachy" = 'Russia Focus Country') AND ("Accounts"."Accounts" = 'Sales ASP')))
  ORDER BY 1, 5 ASC NULLS LAST, 4 ASC NULLS LAST
  FETCH FIRST 65001 ROWS ONLY
  Any views on what happens when we use two dimensions in the same report which have sort columns defined in the repository...

• Group Level Data Level Security not working

  I'm trying to test the data level security at the group level.
  Here's what I did
  1. Went to the security -> Groups -> Permissions -> Filters
  2. In Name added the Fact table on which I want to filter.
  3. Selected "Enable"
  4. In Filter Column I added a filter on a column in the dimension. (I didn't use any session variables in the filter)
  When I create an answers query with the column from the dimension (Which I used in filter) and fact from the fact table where I defined the filter, the filter is not applied..
  Am I missing something in the creation of filters?
  Thanks in Advance.
  Rama.

  Hi,
  If the user is member of both user defined and Administrator group no filter will be applied to them because Administrator group will take precedence and no filter can be applied to Administrator.Even if you ooen Administrator group, you will see that permission tab is disabled for Administrator group.
  Hope this helps.
  Regards,
  Sandeep

• Database Level Security not working ???

  The 10 g (10.1.2.1) documentation states the following:
  Chapter 7 Controlling access to information:
  "Regardless of the access permissions and task privileges that you set in Discoverer Administrator, a Discoverer end user only sees folders if that user has been granted the following database privileges (either directly or through a database role):
  ex: SELECT privilege on all the underlying tables used in the folder "
  So how come a folder (view in my case - not table) cannot be queried directly by a user, but the folder still shows up a choice when building a report using PLUS ? I am misreading the above ? For is sounds lilke to me if the user account does not have SELECT privilege then they will not see the folder in Discoverer ?
  Anyone run into the same issue or have an explanantion ?
  thanks
  OBX

  I think the user has access to see all the folders in the business area in Discoverer if he has permission to do so. This is a Discoverer level security to filter people who should not have access to the business area at all. You'll find that although they can see these Discoverer folders because the permission is set in Discoverer Administrator, that the database tables they are based on will not allow the users to see any of the data if they don't have those rights at the database level.

• Row Level Security Not working for the ECC table.

  Hi All,
  We have created a crystal report using SQL Driver.
  We have set the row level security on PA0001 table so that we can restrict the query based on Company Code.
  But when I run the report, it bypasses the row level security and gives access.
  Am I missing some configuration?

  Hi Ingo,
  Security is set up using /crystal/rls transaction. A custom auth object is used for checking the company code with a single field "BUKRS".
  This custom auth object is maintained for the PA0001 table.
  This object is added at the role level with the restricted access to the Company Code..

• Access Control Mechanism (data level security) not working properly

  Hi Experts,
  I have done datalevel security for groups by help of a database table. This table contains UserId, Dept. code, GroupName column. UserID are verified by LDAP server during logging into Dashboard. I have made two init blocks for GroupName and Dept.Code .
  Query is :
  SELECT 'Group', GroupName from TABLE
  Where
  UserId = ':USER'
  Similiar query is for Dept Code.
  There are two groups ; 1. CC_User 2. Full_User. I have applied filter in PERMISSIONS for CC_User on Fact table on Dept Code. So, user in this group may see data for Dept Code aligned to him in the table. All_User may see whole data for All Dept Codes as NO filter is applied on this group.
  Dept Code , UserId and GroupName are Varchar.
  Now problem is this when a user have membership of one group , it works fine. For CC_user it shows data for its Dept Code and All_user may see whole data.
  But When A user have permission of both the groups , only data related to CC_User group is visible. But, in my view , maximum permmision out of the both groups must be applied to the user if he belongs to more than one group.
  So , here , he must see whole data, as All_user group can see full data.
  Does least restrictive permmission happens in case of membership of more than one group in OBIEE.

  848839 wrote:
  Does least restrictive permmission happens in case of membership of more than one group in OBIEE.Indeed it does. The most restrictive filters get applied if a user belongs to multiple groups that have filters at various levels of data because its always an AND clause in the where condition. This is the sort of behavior in various tools I have seen apart from OBIEE.
  Hope this helps.
  Regards,
  -Amith.

• Function Calendar not working in OBIEE 11G - Analysis

  This code works in 10.1.3 but not in OBIEE 11.1.1, Please let me know the correct code.
  Error: Query Failed: [nQSError: 22025] Function Calendar Extract is called with an incompatible type
  case when "- Calendar"."Year" = YEAR('@{var_date}{2012-11-05}') then 'Current' Else 'Prior' end

  Check the data type of the column being used to populate the variable. The Year Function works fine. I suspect the data type is not date. If you don't have date columns in your database and are creating one (ex., using MM, DD, YYYY columns explicitly)then check the default date format in your environment either double click the physical database folder -> features or in your NQSconfig. it should be in date data type.