Order Management Data Level Security

Hi All,
I have worked on OBIEE standalone and implemented data level security from custom data warehouse but never worked on BI Apps.Currently I am working Order Management and trying to implement data level security but I have no clue which OOTB init block to use for it.When i check the Order Management Group's--> permission there is no filter condition on them which i am thinking there no data level security on OM may i thinking wrong.Here is req users must able to see data by Division and Region they belong to and I am trying use OOTB security option for it OR do i need to build custom init block and related keys in all the sales order fact tables to implement it.
Any documentation or links or information will be appreciated.
This might be silly question but I would find a way better way.Please let me know if you need any information.
Thanks

Forgot to mention :Soruce is Oracle EBS

Similar Messages

  • Authorization: data level security by cost center to finance line items

    We have a business unit request requiring implementation of cost center data level security through FI transaction codes for financial line items.  Example requirement:  Cost center manager can execute FS10N GL account line item display, drill into the balance and only return those line items to which the cost center manager has access.   Cost center managers currently report their cost center expenses via cost center accounting report and through those reports are able to drill into the FI line items to display document and line item details.  Cost Center managers, due to their varied responsibilities, also have access to tcode FS10N, from which if they execute reports directly, can access data for cost centers which they are not responsible for.
    Our security team has stated that the determination of authorization objects which are checked at transaction code/program execution are not configurable.  We’ve found when debugging that it would be possible to implement user exits for additional authorization checks, but that in order for the authorization check to actually get called, the object must be set as ‘checked’ within SU22/SU24.
    Has anyone had a request to implement such cost center data level security for financial line items through Financial transaction codes?  If so, what steps were taken to be implemented?   Was this able to be accomplished via security configuration and PFCG security role updates or was custom code logic needed?  If custom  logic was needed, to what extent was this implemented (what tcodes/programs were included; how was the decision of what to include and exclude determined).   What was the duration of this effort?
    Has anyone had a request to implement such cost center data level security request for financial line items via Financial transaction codes and not implemented the request?  How was this communicated to the business that the request for data level security goes against SAP’s authorization design?
    Thank you in advance for your input,
    Becky Zick

    Hi Becky
    Have you tried with object K_REPO_CCA? You have available these fields to filter authorizations.
    I hope this helps you
    Regards
    Eduardo

  • Data level Security issue in obiee 11g

    Hi,
    We are trying to implement data level security, let me explain the issue
    The requirement is, we have 7 schools and each school has one principle , there will be a Superdintent who has 3 schools under him. so now when each principle logs in to dashboard we have a prompt for school i.e Name of school in that prompt he should see only his school and even the data of that school only which are assigned to him, now when Superdintent logs in he should see all 3 schools in the prompt and data. I have gone through this link (http://www.rittmanmead.com/2012/03/obiee-11g-security-week-row-level-security/) but could not achieve.
    We are able to achieve by writing SQL in BMM layer ( LTS Table) so where ever the table is used in dashboards the security is being applied and we are able to see what we want. We want to achieve this by application role, But when we are creating session variables and applying on Application Role its not working. We want to achieve this by using Application role because suppose in other dashboards when the table is not used or pulled in, it will not work.But if we do it using application role its applies to all dashboards and data is resticted. so that when principle or Superdintent logs in automatically its restricts the data.
    Below is the SQL which we used in BMM LTS, its working fine. But when the same SQL is applied in Application Role it's not working.
    SQL used in session variable -
    select  'SCHOOL_CD1', school_cd1 from w_staff_d where empl_id ='VALUEOF(NQ_SESSION.USER)'
    and job_desc1 = 'Principal High School - KPI'
    Any suggestions please ??
    Thanks,
    VRP

    Hi,
    I pasted the log view below by applying SET VARIABLE LOGLEVEL=2, DISABLE_CACHE_HIT=1;, ran this report by applying SQL in Session variable. Let me know if you want anything -
    Thanks
    [OracleBIServerComponent] [TRACE:2] [USER-0] [] [ecid: c9928ce086f2ff4f:4405c138:13a559973e0:-8000-000000000000f7e9] [tid: 128c] [requestid: 5e40000b] [sessionid: 5e400000] [username: weblogic] ############################################## [[
    -------------------- SQL Request:
    SET VARIABLE QUERY_SRC_CD='Report',SAW_SRC_PATH='/shared/Key Performance Analytics/Analysis/Climate and Culture/Analysis for total school suspensions',LOGLEVEL=2, DISABLE_CACHE_HIT=1; SELECT s_0, s_1, s_2, s_3, s_4, s_5, s_6, s_7, s_8, s_9, s_10, s_11 FROM (
    SELECT
    0 s_0,
    "High School KPI"."- Date"."School Year" s_1,
    "High School KPI"."- Grade"."Grade Level" s_2,
    "High School KPI"."- School"."School Name" s_3,
    "High School KPI"."- School Suspensions"."% of Students Suspended" s_4,
    "High School KPI"."- School Suspensions"."Count of Students Enrolled" s_5,
    "High School KPI"."- School Suspensions"."Count of Students with Incidents" s_6,
    CASE WHEN (CASE WHEN MAX("High School KPI"."- School Suspensions"."% of Students Suspended" BY ) IS NULL THEN 10 ELSE MAX("- School Suspensions"."% of Students Suspended" BY ) END +(CASE WHEN (CASE WHEN MAX("- School Suspensions"."% of Students Suspended" BY ) IS NULL THEN 10 ELSE MAX("- School Suspensions"."% of Students Suspended" BY ) END - CASE WHEN MIN("- School Suspensions"."% of Students Suspended" BY ) IS NULL THEN 0 ELSE MIN("- School Suspensions"."% of Students Suspended" BY )END)=0 THEN CASE WHEN CASE WHEN MAX("- School Suspensions"."% of Students Suspended" BY ) IS NULL THEN 10 ELSE MAX("- School Suspensions"."% of Students Suspended" BY ) END <0 THEN (CASE WHEN MAX("- School Suspensions"."% of Students Suspended" BY ) IS NULL THEN 10 ELSE MAX("- School Suspensions"."% of Students Suspended" BY ) END *-1) ELSE CASE WHEN MAX("- School Suspensions"."% of Students Suspended" BY ) IS NULL THEN 10 ELSE MAX("- School Suspensions"."% of Students Suspended" BY ) END END ELSE (CASE WHEN MAX("- School Suspensions"."% of Students Suspended" BY ) IS NULL THEN 10 ELSE MAX("- School Suspensions"."% of Students Suspended" BY ) END - CASE WHEN MIN("- School Suspensions"."% of Students Suspended" BY ) IS NULL THEN 0 ELSE MIN("- School Suspensions"."% of Students Suspended" BY )END) END /10))<0 THEN 1 ELSE 2 END s_7,
    CASE WHEN (CASE WHEN MAX("High School KPI"."- School Suspensions"."% of Students Suspended" BY ) IS NULL THEN 10 ELSE MAX("- School Suspensions"."% of Students Suspended" BY ) END - CASE WHEN MIN("- School Suspensions"."% of Students Suspended" BY ) IS NULL THEN 0 ELSE MIN("- School Suspensions"."% of Students Suspended" BY )END)=0 THEN CASE WHEN CASE WHEN MAX("- School Suspensions"."% of Students Suspended" BY ) IS NULL THEN 10 ELSE MAX("- School Suspensions"."% of Students Suspended" BY ) END <0 THEN (CASE WHEN MAX("- School Suspensions"."% of Students Suspended" BY ) IS NULL THEN 10 ELSE MAX("- School Suspensions"."% of Students Suspended" BY ) END *-1) ELSE CASE WHEN MAX("- School Suspensions"."% of Students Suspended" BY ) IS NULL THEN 10 ELSE MAX("- School Suspensions"."% of Students Suspended" BY ) END END ELSE (CASE WHEN MAX("- School Suspensions"."% of Students Suspended" BY ) IS NULL THEN 10 ELSE MAX("- School Suspensions"."% of Students Suspended" BY ) END - CASE WHEN MIN("- School Suspensions"."% of Students Suspended" BY ) IS NULL THEN 0 ELSE MIN("- School Suspensions"."% of Students Suspended" BY )END) END s_8,
    CASE WHEN MAX("High School KPI"."- School Suspensions"."% of Students Suspended" BY ) IS NULL THEN 10 ELSE MAX("- School Suspensions"."% of Students Suspended" BY ) END s_9,
    CASE WHEN MIN("High School KPI"."- School Suspensions"."% of Students Suspended" BY ) IS NULL THEN 0 ELSE MIN("- School Suspensions"."% of Students Suspended" BY ) END s_10,
    REPORT_AGGREGATE("High School KPI"."- School Suspensions"."% of Students Suspended" BY "High School KPI"."- Date"."School Year") s_11
    FROM "High School KPI"
    WHERE
    (("- Discipline Action"."Discipline Action Code" = 'Suspension') AND ("- Date"."School Year Desc" = VALUEOF("school_year_desc")))
    ) djm ORDER BY 1, 2 ASC NULLS LAST
    [2012-10-17T18:36:55.000+00:00] [OracleBIServerComponent] [TRACE:2] [USER-23] [] [ecid: c9928ce086f2ff4f:4405c138:13a559973e0:-8000-000000000000f7e9] [tid: 128c] [requestid: 5e40000b] [sessionid: 5e400000] [username: weblogic] -------------------- General Query Info: [[
    Repository: Star, Subject Area: High School KPI, Presentation: High School KPI
    [2012-10-17T18:36:55.000+00:00] [OracleBIServerComponent] [TRACE:2] [USER-18] [] [ecid: c9928ce086f2ff4f:4405c138:13a559973e0:-8000-000000000000f7e9] [tid: 128c] [requestid: 5e40000b] [sessionid: 5e400000] [username: weblogic] -------------------- Sending query to database named SPA (id: <<62064>>), connection pool named Initialization Block Connection Pool: [[
    WITH
    SAWITH0 AS (select T30351.SCHOOL_YEAR_DESC as c2,
    T26564.GRADE_LONG_DESC as c4,
    T26686.SCHOOL_NM as c5,
    T29835.STDNT_WID as c6,
    ROW_NUMBER() OVER (PARTITION BY T30351.SCHOOL_YEAR_DESC, T29835.STDNT_WID ORDER BY T30351.SCHOOL_YEAR_DESC DESC, T29835.STDNT_WID DESC) as c7
    from
    W_GRADE_LEVEL_D T26564 /* KPI_W_GRADE_LEVEL_D */ ,
    W_SCHOOL_YEAR_D T30351 /* KPI_W_SCHOOL_YEAR_D */ ,
    W_ORGANIZATION_D T26686 /* KPI_W_ORGANIZATION_D */ ,
    W_STDNT_ENROLL_SCHOOL_F T29835 /* KPI_W_STDNT_ENROLL_SCHOOL_F */
    where ( T26564.GRADE_LEVEL_WID = T29835.GRADE_LEVEL_WID and T26686.ORGANIZATION_WID = T29835.ORGANIZATION_WID and T29835.SCHOOL_YEAR_WID = T30351.SCHOOL_YEAR_WID and T30351.SCHOOL_YEAR_DESC = '2011-2012' and (T26564.GRADE_LONG_DESC in ('Grade 10', 'Grade 11', 'Grade 12', 'Grade 9')) and (T26686.SCHOOL_NM in ('Central Sr', 'Como Park Sr', 'Harding Sr', 'Highland Park Sr', 'Humboldt Secondary School', 'Johnson Sr', 'Washington Technology Secondary')) ) ),
    SAWITH1 AS (select count(distinct case D1.c7 when 1 then D1.c6 else NULL end ) as c1,
    D1.c2 as c2,
    count(distinct D1.c6) as c3,
    D1.c4 as c4,
    D1.c5 as c5
    from
    SAWITH0 D1
    group by D1.c2, D1.c4, D1.c5),
    SAWITH2 AS (select sum(D1.c1) over (partition by D1.c2) as c1,
    D1.c2 as c2,
    D1.c3 as c3,
    D1.c4 as c4,
    D1.c5 as c5
    from
    SAWITH1 D1),
    SAWITH3 AS (select T30647.SCHOOL_YEAR as c3,
    T26564.GRADE_LONG_DESC as c4,
    T26686.SCHOOL_NM as c5,
    T26023.STDNT_WID as c6,
    ROW_NUMBER() OVER (PARTITION BY T30647.SCHOOL_YEAR, T26023.STDNT_WID ORDER BY T30647.SCHOOL_YEAR DESC, T26023.STDNT_WID DESC) as c7
    from
    W_DISCIPLINE_ACTION_D T29975 /* KPI_W_DISCIPLINE_ACTION_D */ ,
    W_GRADE_LEVEL_D T26564 /* KPI_W_GRADE_LEVEL_D */ ,
    W_KPI_QTR_DAY_D T30647,
    W_ORGANIZATION_D T26686 /* KPI_W_ORGANIZATION_D */ ,
    W_STDNT_DISCIPLINE_F T26023 /* KPI_W_STDNT_DISCIPLINE_F */
    where ( T26023.DISCIPLINE_ACTION_WID = T29975.DISCIPLINE_ACTION_WID and T26023.ORGANIZATION_WID = T26686.ORGANIZATION_WID and T26023.DATE_WID = T30647.DATE_WID and T26023.GRADE_LEVEL_WID = T26564.GRADE_LEVEL_WID and T29975.DISCIPLINE_ACTION_CD = 'Suspension' and (T26564.GRADE_LONG_DESC in ('Grade 10', 'Grade 11', 'Grade 12', 'Grade 9')) and (T26686.SCHOOL_NM in ('Central Sr', 'Como Park Sr', 'Harding Sr', 'Highland Park Sr', 'Humboldt Secondary School', 'Johnson Sr', 'Washington Technology Secondary')) ) ),
    SAWITH4 AS (select count(distinct case D1.c7 when 1 then D1.c6 else NULL end ) as c1,
    count(distinct D1.c6) as c2,
    D1.c3 as c3,
    D1.c4 as c4,
    D1.c5 as c5
    from
    SAWITH3 D1
    group by D1.c3, D1.c4, D1.c5),
    SAWITH5 AS (select sum(D1.c1) over (partition by D1.c3) as c1,
    D1.c2 as c2,
    D1.c3 as c3,
    D1.c4 as c4,
    D1.c5 as c5
    from
    SAWITH4 D1)
    select distinct case when D1.c2 is not null then D1.c2 when D2.c3 is not null then D2.c3 end as c1,
    case when D1.c4 is not null then D1.c4 when D2.c4 is not null then D2.c4 end as c2,
    case when D1.c5 is not null then D1.c5 when D2.c5 is not null then D2.c5 end as c3,
    case when D1.c3 = 0 then NULL else D2.c2 * 100.0 / nullif( D1.c3, 0) end as c4,
    D1.c3 as c5,
    D2.c2 as c6
    from
    SAWITH2 D1,
    SAWITH5 D2
    where ( nvl(D1.c2 , '1') = nvl(D2.c3 , '1') and nvl(D1.c2 , '2') = nvl(D2.c3 , '2') and nvl(D1.c4 , '1') = nvl(D2.c4 , '1') and nvl(D1.c4 , '2') = nvl(D2.c4 , '2') and nvl(D1.c5 , '1') = nvl(D2.c5 , '1') and nvl(D1.c5 , '2') = nvl(D2.c5 , '2') )
    order by c1, c2, c3
    [2012-10-17T18:36:55.000+00:00] [OracleBIServerComponent] [TRACE:2] [USER-18] [] [ecid: c9928ce086f2ff4f:4405c138:13a559973e0:-8000-000000000000f7e9] [tid: 128c] [requestid: 5e40000b] [sessionid: 5e400000] [username: weblogic] -------------------- Sending query to database named SPA (id: <<62434>>), connection pool named Initialization Block Connection Pool: [[
    WITH
    SAWITH0 AS (select T30351.SCHOOL_YEAR_DESC as c2,
    T26564.GRADE_LONG_DESC as c4,
    T26686.SCHOOL_NM as c5,
    T29835.STDNT_WID as c6,
    ROW_NUMBER() OVER (PARTITION BY T30351.SCHOOL_YEAR_DESC, T29835.STDNT_WID ORDER BY T30351.SCHOOL_YEAR_DESC DESC, T29835.STDNT_WID DESC) as c7
    from
    W_GRADE_LEVEL_D T26564 /* KPI_W_GRADE_LEVEL_D */ ,
    W_SCHOOL_YEAR_D T30351 /* KPI_W_SCHOOL_YEAR_D */ ,
    W_ORGANIZATION_D T26686 /* KPI_W_ORGANIZATION_D */ ,
    W_STDNT_ENROLL_SCHOOL_F T29835 /* KPI_W_STDNT_ENROLL_SCHOOL_F */
    where ( T26564.GRADE_LEVEL_WID = T29835.GRADE_LEVEL_WID and T26686.ORGANIZATION_WID = T29835.ORGANIZATION_WID and T29835.SCHOOL_YEAR_WID = T30351.SCHOOL_YEAR_WID and T30351.SCHOOL_YEAR_DESC = '2011-2012' and (T26564.GRADE_LONG_DESC in ('Grade 10', 'Grade 11', 'Grade 12', 'Grade 9')) and (T26686.SCHOOL_NM in ('Central Sr', 'Como Park Sr', 'Harding Sr', 'Highland Park Sr', 'Humboldt Secondary School', 'Johnson Sr', 'Washington Technology Secondary')) ) ),
    SAWITH1 AS (select count(distinct case D1.c7 when 1 then D1.c6 else NULL end ) as c1,
    D1.c2 as c2,
    count(distinct D1.c6) as c3,
    D1.c4 as c4,
    D1.c5 as c5
    from
    SAWITH0 D1
    group by D1.c2, D1.c4, D1.c5),
    SAWITH2 AS (select sum(D1.c1) over (partition by D1.c2) as c1,
    D1.c2 as c2,
    D1.c3 as c3,
    D1.c4 as c4,
    D1.c5 as c5
    from
    SAWITH1 D1),
    SAWITH3 AS (select T30647.SCHOOL_YEAR as c3,
    T26564.GRADE_LONG_DESC as c4,
    T26686.SCHOOL_NM as c5,
    T26023.STDNT_WID as c6,
    ROW_NUMBER() OVER (PARTITION BY T30647.SCHOOL_YEAR, T26023.STDNT_WID ORDER BY T30647.SCHOOL_YEAR DESC, T26023.STDNT_WID DESC) as c7
    from
    W_DISCIPLINE_ACTION_D T29975 /* KPI_W_DISCIPLINE_ACTION_D */ ,
    W_GRADE_LEVEL_D T26564 /* KPI_W_GRADE_LEVEL_D */ ,
    W_KPI_QTR_DAY_D T30647,
    W_ORGANIZATION_D T26686 /* KPI_W_ORGANIZATION_D */ ,
    W_STDNT_DISCIPLINE_F T26023 /* KPI_W_STDNT_DISCIPLINE_F */
    where ( T26023.DISCIPLINE_ACTION_WID = T29975.DISCIPLINE_ACTION_WID and T26023.ORGANIZATION_WID = T26686.ORGANIZATION_WID and T26023.DATE_WID = T30647.DATE_WID and T26023.GRADE_LEVEL_WID = T26564.GRADE_LEVEL_WID and T29975.DISCIPLINE_ACTION_CD = 'Suspension' and (T26564.GRADE_LONG_DESC in ('Grade 10', 'Grade 11', 'Grade 12', 'Grade 9')) and (T26686.SCHOOL_NM in ('Central Sr', 'Como Park Sr', 'Harding Sr', 'Highland Park Sr', 'Humboldt Secondary School', 'Johnson Sr', 'Washington Technology Secondary')) ) ),
    SAWITH4 AS (select count(distinct case D1.c7 when 1 then D1.c6 else NULL end ) as c1,
    count(distinct D1.c6) as c2,
    D1.c3 as c3,
    D1.c4 as c4,
    D1.c5 as c5
    from
    SAWITH3 D1
    group by D1.c3, D1.c4, D1.c5),
    SAWITH5 AS (select sum(D1.c1) over (partition by D1.c3) as c1,
    D1.c2 as c2,
    D1.c3 as c3,
    D1.c4 as c4,
    D1.c5 as c5
    from
    SAWITH4 D1),
    SAWITH6 AS (select case when max(D1.c1) = 0 then NULL else max(D2.c1) * 100.0 / nullif( max(D1.c1), 0) end as c11,
    case when D1.c2 is not null then D1.c2 when D2.c3 is not null then D2.c3 end as c12
    from
    SAWITH2 D1,
    SAWITH5 D2
    where ( nvl(D1.c2 , '1') = nvl(D2.c3 , '1') and nvl(D1.c2 , '2') = nvl(D2.c3 , '2') and nvl(D1.c4 , '1') = nvl(D2.c4 , '1') and nvl(D1.c4 , '2') = nvl(D2.c4 , '2') and nvl(D1.c5 , '1') = nvl(D2.c5 , '1') and nvl(D1.c5 , '2') = nvl(D2.c5 , '2') )
    group by case when D1.c2 is not null then D1.c2 when D2.c3 is not null then D2.c3 end )
    select D2.c11 as c1,
    D2.c12 as c2
    from
    SAWITH6 D2
    order by c2
    Edited by: 965968 on Oct 17, 2012 11:49 AM

  • Data level security in OBIEE

    We have implemented data level security by applying filters on groups in Obiee Administration tool. Here we have set filter on division(which is a column in Customer table). This is done so that user can see data for division for which he has access.
    When user creates report which consists of division column filter is working fine. E.g. if user1 has access to division1
    and when user1 cretes a report for (customerName,division,sales columns) he can see sales of customers belong to division1. But if user1 cretes report which does not contain division column e.g.(customerName,sales columns report) he can see all the customers sales data. How can we aoide that. We want User1 to see division1's data only irrespective whether division column is there in report or not.
    Can any one suggest what should be done to achive this.
    Thanks,
    Avdhut

    Hi friend,
    You need to create group of users and then apply filters over that groups.
    you should establish an additional filter for group1 (user1 belongs to group1 in your example). Follow next steps:
    - Manage -> Security...
    - Groups -> click right group1 and select propierties.
    - Select button 'Permissions...'
    - Select tab 'Filters' -> add new filter.
    - On the column name select the metric you need filter, in your example, customer sales. On the column 'Business model filter' put table.division=division1
    I hope this can help you.
    Good luck.

  • How to do data level security on users based on region

    Hello guys
    I currently have created a report with dashboard prompt on column "state" with a default value "CA"
    Now, the requirement is to perform data level security on this report, so different users based out of different state will log in to the dashboard and this prompt will change its default value accordingly so the user will have the report on only users home state prompted, and users can't see other state data..
    I have thought of creating session variables to achieve the same, but how should i set up the initialization string?
    Do I need to create a new table called "user table" that stores username/password and state columns and make that user table join to the fact table in the db?
    If so, how should I configure the session value so that users get filtered date based on its state location?
    PLease provide guidance
    Thanks

    Here’s an idea off the top of my head (untested):
    First, set up your security constraints normally using Manage…Security in the Administration Tool, so that each user can only see his/her state. Refer to the previous responses to this post for guidelines.
    Then, in your dashboard prompt, for the “Default Value”, write a tiny bit of logical SQL to query the “state” column from the presentation layer. If your security constraints are properly in place, the SQL should only return one value.
    To get an idea of what the logical SQL should look like, select “All Values” as the default value, then switch it to ‘SQL Results’. That will show you the basic format of the logical SQL. It’s really just normal SQL (select <this> from <that> where <the other>), but referring to presentation layer objects rather than to physical tables and columns.
    Untested. Please reply back and let us know how it goes.

  • Data-level security in user level

    Hi All,
    In our OBIEE we have created several application roles and assign them to the users. We set data-level security for each application role, and the filter does apply to all related users. But we want to do more specific data-level security for each user, which we did by clicking on user name in Manage Identity, and set permission with additional data filter. But this does not work.
    Let's say we have Application Role1 with access to region='Asia', but then we want to set User1 to access only subregion='North Asia' and User2 to access only subregion='South East Asia', where User1 and User2 belongs to Application Role1.
    Is this possible to work in OBIEE 11g?
    Thanks.

    Hi,
    Yes it is possible,
    Please refer the below link.
    http://satyaobieesolutions.blogspot.in/2012/06/obiee-11g-security-week-row-level.html -- stey by step is there.
    Hope this help's
    Thanks
    Satya

  • Data Level Security issue

    Hello Gurus:
    I am having a problem with Data Level security.
    I copied my Production RPD and Webcat in Test, changed connection pool DSN and user/passwords.
    Now the problem is, a user who has same rights in Prod and Test, is seeing properly in Production, but sees nothing in Test.
    I am using initialization block from Siebel CRM Application. So customers are assigned to users based on their responsibility from S_RESP and S_USER.
    based on that, users can see the list of customers. Authentication is LDAP, same server for production and Test.
    Now, a user sees properly assigned list in Production, but not in Test. I dont know how to solve it. I searched query logs and stuff, but couldnt find anything.
    Please help me how should I investigate this issue.
    Thanks.
    Vinay

    Thanks for quick reply Stijn:
    Here are my inputs..
    1)"they see nothing"? means the dont see any customers in drop down. This is data level and not related to column or subject area. The only filter I use is
    "ATLAS Reports"."Dim - Accounts Hierarchy".LVL1ANC_ID = VALUEOF(NQ_SESSION."ORGS")
    This filter is applied to Customer hierarchy and couple of sensitive facts.
    The users are able to see all products because filter is not applied. I disabled the filter, and users could see everything. But I cant disable this in Production.
    2) What is the physical sql generated by the report? Set the loglevel of a user to a higher level in order to seet this.
    I am not able to set higher loglevel because i dont see the user in repository. All I see is GROUP, and they are assigned to particular groups based on GROUP session variable. Then filters are set on particular groups. How do I set logging level at Group level?
    3)Can you copy the query and run it against the test database. What results do you get?
    I can not see the query because of above reason.
    4)Does the user get the proper groups assigned? Yes. I put the session variable in title view to verify this.
    5) Are S_USER and S_RESP in Test equal to S_USER and S_REPS in Production? Yes.
    Let me know if you need more information.
    ~Vinay.

  • Data Level Security OBIEE,PLEASE HELP

    How can we implement data level security in OBIEE. For example, a Sales officer should only see data for his customers, similarly a Sales Manager should only be able to see data for Sales Officers working under him....
    any help would be appreciated

    Hi there are many blogs on data level security..
    understand the concepts and try to implement, if you stuck up anywhere will help you out..
    http://obieeblog.wordpress.com/2009/01/15/obiee-data-security-column-level-security/
    Data level security in OBIEE

  • BIP Security - Data Level Security / Init Blocks

    Hello, I am using BIP 11.1.1.5. I am aware that in OBIEE data-level security can be implemented by placing permissions on a application role. However, I am wondering if this can be accomplished in BIP if I use a BI Analysis or SQL as the datasource for my data model. I have a catalog of 100 BIP reports and was wondering if I can implemented data-level security via the RPD. I am exploring the various options of executing this type of security. I already performed some research and found Oracle's whitepaper on Row Level Security with BI Publisher.
    Another Question: Does session init blocks work with BIP? I flipped the switch for BIP security model to 'Oracle BI Server' on the Admin security page. Next, I went to the RPD in online mode and created a simple query inside a init block. However, when I logged into BIP I didn't see the variable from the session init block in the Manage Sessions window.
    Thanks

    Look at the below link..It has three options. this one is from veeravalli I believe..I personally like the second option if there are not many reports to work with.
    cool-bi.com

  • Dynamic filtering, data level security

    In order to enforce data level security we would like to do the following:
    1. Send a user identification parameter through a URL that calls a BAM report.
    2. According to this parameter retrieve from a dedicated data object the list of organization units for which the user has privileges.
    3. Filter the data displayed in the report according to the values retrieved in (2).
    Any ideas how to implement this.
    TX in advance ,
    Alon

    Hello Alon- Looks like you are doing some advanced stuff and interesting security handling.
    Well - all the 3 points you mentioned are built-in the product ready to use. I have built a sample on this (yet to be published on OTN). This feature is called row level security, you can see the architect dataobject security documentation. In short -to acheive this-
    1. build a security object called mySecurity with example 2 fields, username & orgunit.
    2. populate this security object, username should be of format DomainName/UserName.
    3. There can be multiple rows containing same usernames, to emphasis (model) multiple orgunit access.
    4. In your main dataobject, add additional column called orgunit and populate it.
    5. In your main dataobject, add security filter with security object mySecurity
    6. Run the report- during runtime, it will prompt for username/passwd, after authentication, it will use the 'username' logged in along with security filter object, and the report will ONLY display data for which this user has access.
    Hope this addresses your question.

  • Implementing Data level Security ?

    I would like to Impelement Data level Security in Universe level itself. I have Set For users belonging to Branch (Mumbai, Delhi Etc) And One set of Users Belonging to Segment (CWG, IFA Etc) and  Set of users that are combination oif Branch and Segment.
    In the Universe I need to set the Security so that only the data related to them can be viewed. When I use a restriction I have to create many restirction and implement the same in Objects as required.
    This consumes a lot of time. Is there a easier way out.
    I have already Tables in the Database where the secuity values for the users are already stored.
    Any help is welcome
    Thanks in advance
    Suresh

    Hi Alan,
    Ok....But How Can I use the Restriction I have created in All the objects of the universe.
    For e.g.. I have Two Classes Named Channel and Relation Manager respectively.
    The Channel Class has the following Objects Namely : Channel Type, Channel Country, Channel Zone, Channel State, Channel City and Channel Name. and is Derived from BIDIMCHANNEL Table
    The Relation Manager Class has following Objects Namely: RM Segment, RM City, RM Branch RM Name. and is Derived from BIDIMRM Table.
    I have Created the a Restriction on Channel name By Using the Clause  "BIDIMChannel.ChannelName = 'AHMEDABAD' and have assigned it to an BO User.
    While using WEBI whenever I Select Anything regarding the Channel Class the restriction works fine. When We I Exclusively Select "Relation Manager" Class, the restriction is Not Applied and the entire data is visible.
    Can you Suggest a manner in which the restriction given above can be applied for all the objects belonging to the universe and not just to the class objects where the restrictions are being applied.
    Regards
    Suresh

  • Data level Security in Essbase

    I have an requirement to implement data level security in Essbase. For ex: A user can only see those data which are from Asia region or an user will be able to see those data which are from America.
    Asia and America are defined in my location dimension.
    Please tell me how to do it?
    Regards,
    Suman

    to make your security maintenance easier, I would suggest putting the users into groups and assigning the filters to the group. If you do it at the indivual level, the user can only have one filter assigned to them, but each group could have a different filter. So for someone who should see Americas and Asia have a group calle America and one called asia. put the user into both groups and assign the america filter to the first group and asia filter to the second group

  • Group Level Data Level Security not working

    I'm trying to test the data level security at the group level.
    Here's what I did
    1. Went to the security -> Groups -> Permissions -> Filters
    2. In Name added the Fact table on which I want to filter.
    3. Selected "Enable"
    4. In Filter Column I added a filter on a column in the dimension. (I didn't use any session variables in the filter)
    When I create an answers query with the column from the dimension (Which I used in filter) and fact from the fact table where I defined the filter, the filter is not applied..
    Am I missing something in the creation of filters?
    Thanks in Advance.
    Rama.

    Hi,
    If the user is member of both user defined and Administrator group no filter will be applied to them because Administrator group will take precedence and no filter can be applied to Administrator.Even if you ooen Administrator group, you will see that permission tab is disabled for Administrator group.
    Hope this helps.
    Regards,
    Sandeep

  • Dashboard prompts are getting cached and not working as per data level security

    Hi,
    Version: OBIEE 11.1.1.5 BP2
       We have dashboard prompts that have data level security defined in RPD - Content tab of an LTS.
    After clearing cache, the dashboard prompt applies the security properly. When another user who has a different security defined, is seeing the same prompt values on clicking the drop down of a prompt and also when they click search prompt popup.
    Issue is, for second user, I do not even see cached query in the session logs. Tried applying the DISABLE_CACHE_HIT=1 in the prompt sql results, no luck.
    But reports are applying the security correctly, issue is with prompts alone.
    Any thoughts on this?
    Thanks,
    Rajesh

    Just for others reference: We disabled caching on the table to avoid this issue.

  • Data Level Security implementation question

    I had a quick data-level security scenario and wanted to solicit any input from the experts.
    In our current Subject Area we have one Presentation Layer using one Business Model. In this Subject Area have a Task and Employee Dimension. There is row-level Security on the Task Dimension that is done in the Business Model on the LTS Content tab. There are a batch of reports built off this Subject Area.
    There is now a request to build a new batch of reports, however, they want to now filter on the Employee Table and NOT filter on the Tasks. So the opposite of what has been applied above.
    From my perspective there are only a few ways this Security can be applied
    Business Layer: Basically either create an Alias of Employee and Task or build a second LTS for both. Then create new columns and map to these accordingly. Basically have 2 of each column in the Business Layer. One with Security applied and one without.
    Presentation Layer: Created a second Presentation Subject Area and apply the security at the Presentation Layer and remove it from the Business Layer.
    I know a third option could be put security on the Role/Group but for this case these reports are open to everyone.
    I'd just like to verify from the experts that I may have covered all solutions for this scenario or if there are any other suggestions?
    Thanks!

    Alright...
    If you have two LTS say A & B (basically duplicate) then add a column say LTS Indicator and assign 'A' for LTS A and 'B' for LTS B. Add the fragmentation content and apply the security filter and you can also create two different Presentation folders under same Subject Area if users have Answers Access so that the users know if they are querying for LTS A or LTS B.
    Similarly, build your reports making use of LTS indicators which will BI server to pick correct LTS. Say, where you want LTS A to be picked...use filter of LTS Indicator = 'A' and thats it.

Maybe you are looking for

  • Itunes from old pc to new mac.

    so i just bought a new macbook and i need to know how to transfer my itunes from my old pc to my mac. is there an easy way to do this that won't skrew up either computer? thanks.

  • I feel so stupid - I can't drag my "pin it" icon on my ipad

    Pinterest tells me to drag the "pin it" icon to the toolbar on my new IPad 2 - we can't make that happen.  Any tips ?

  • Identify the Primary Account for a Contact on a report

    I want to build a report that show cases all the accounts for a contact which I can do using the Account-Contact History report. The challenge that I am facing is to the particular contact I would like to identify their primary account. How would I d

  • Restriction of cost center priod

    Hi, I have try to  change validity period of cost center   from 01.04.2000 to 31.03.9999 to 01.04.2000 to 04.02.2009 but i am receiving the error message like Deletion is not possible (dependent records exist in table COKA) Message no. KS133 Diagnosi

  • Excel Web Service - yet another "Unable to process the request"

    Hello, On Windows Server 2008 R2 SP1 and SharePoint 2010 SP1 we are receiving the following error while trying to open Excel document in Excel Web Part. It shows the standard error: "An error has occured". When exploring ULS we found the non-informat