Regarding Data Level Security in OBIEE

Hi,
We are currently implementing Data level security in our project. We have created multiple groups in the repository and put business filters in the permissions tab for each of the groups. When a user belongs to more than one group then the backend SQL fired by the BI server has an OR condition between the business filters from different groups. Is there a way to force an AND condition between the filters passed from different groups?
Thanks,
Kartik

Try this link
http://oraclebizint.wordpress.com/2008/06/30/oracle-bi-ee-1013332-row-level-security-and-row-wise-intialized-session-variables/
If the business unit is a column then try this
Repository --> presentation Layer --> column --> properties --> permissions --> Give access to the user/group,for others disable the permission.
Thanks
Don

Similar Messages

Data Level Security In OBIEE 11g based on the filters setup in RPD

Hello All,
We are trying to implement the data level security on a BI publisher report that is using BI server as the data source. The filters are created in the RPD based on user login ( session variable USER). From the documentation of BI publisher, I see that you have to enable the option Use Proxy Authentication to pass the user information down to BI publisher from OBIEE when using BI server as the data source to implement row-level security. After checking that option, the BI pub report does not render anymore. This is all in 11g. Can anyone help me with where I am going wrong?
Regards,
-Amith.

A.Y wrote:
Hello All,
We are trying to implement the data level security on a BI publisher report that is using BI server as the data source. The filters are created in the RPD based on user login ( session variable USER). From the documentation of BI publisher, I see that you have to enable the option Use Proxy Authentication to pass the user information down to BI publisher from OBIEE when using BI server as the data source to implement row-level security. After checking that option, the BI pub report does not render anymore. This is all in 11g. Can anyone help me with where I am going wrong?
Regards,
-Amith.Not sure, if anyone has yet ran into this issue, but the workaround we have implemented is to build a report in OBIEE and use the analysis query as the source for BI Publisher.

Data Level Security in OBIEE Enterprise Edition

HI,
would like to know how to implement row-level security in OBIEE Enterprise Edition
Setting up the context right here, considering a hierarchy of an organization that goes up to 4 levels as below:
VP >Senior manager>Manager>clerk
Now, the situation is such that a manager should be able to view its subordinates data but not the data of any other team to which he does not have access. And also the manager should view only his regions data.Same goes for other hierarchies in the organization.
Any pointers in this regards i.e OBIEE ADMIN TOOL: SECURITY AUTHENTICATION THROUGH EXTERNAL DATABASE would be of great help.
Source system is SIEBEL CRM 7.8
THanks
Gutha

Hi,
I can help you for Authentication using BI Server.
For teh same you can use admin tool then manage>security> users and Groups.
You can create different groups as well as users accrording to you hierarchy and then provide privilages users or groups according to your need like particular user can view the data of particular level.
When you create users then in the user page you can provide the filter conditions in filter tab and same as in groups.
Regards
Tarang Jain

Data level security in OBIEE

We have implemented data level security by applying filters on groups in Obiee Administration tool. Here we have set filter on division(which is a column in Customer table). This is done so that user can see data for division for which he has access.
When user creates report which consists of division column filter is working fine. E.g. if user1 has access to division1
and when user1 cretes a report for (customerName,division,sales columns) he can see sales of customers belong to division1. But if user1 cretes report which does not contain division column e.g.(customerName,sales columns report) he can see all the customers sales data. How can we aoide that. We want User1 to see division1's data only irrespective whether division column is there in report or not.
Can any one suggest what should be done to achive this.
Thanks,
Avdhut

Hi friend,
You need to create group of users and then apply filters over that groups.
you should establish an additional filter for group1 (user1 belongs to group1 in your example). Follow next steps:
- Manage -> Security...
- Groups -> click right group1 and select propierties.
- Select button 'Permissions...'
- Select tab 'Filters' -> add new filter.
- On the column name select the metric you need filter, in your example, customer sales. On the column 'Business model filter' put table.division=division1
I hope this can help you.
Good luck.

Alternative Data Level Security in OBIEE 11g

Gurus - Wanted to put it out there if there are alternatives ways of achieving data level security as opposed to going the route of creating blocks that initialize session variables which can be applied onto tables through roles in the RPD? The main reason for asking was to try and prevent performance impact of having a significant number of init blocks running when an user logs into the application.
Ganesh

VPD [Virtual Private Database] would be an alternative for this.

Need help on Data level security in OBIEE

Hi All,
Currently there are for few users who are accessing OBIEE dashboard. Here each user is responsible for 2 or 3 regions.
Requirement:
User wants there should be 2 dashboards First and Second. When a user login he should see the data for only those regions to whom he belongs in first dashboard. If user want to see data for all regions then he want to click on second dashboard which contains all regions data. Default dashboard for the user should be first dashboard to whom he is responible for the regions when he login.
I have created users and groups in the security and am able to restrict the data in the first dashboard as per the filters applied on the user. Is this possible to show all regions data in second dashboard for the same user?
Any Suggestions/help would be appreciated.
Regards,
Rajkumar.

Hi,
It looks like your problem is not the security, but the displaying.
You can use repository variables (in this case session type). This variable gets filled when the user logon. You then store his 'own' regions (the 3 regions) in this variable. On the report(s) shown on the dashboard you add a filter on the region and base it on the repository variable. Of course you have to remove the security filter otherwise the user will never see more than his own regions.
Regards

Data level security in OBIEE 11g

Hi all,
I am using OBIEE 11g. I have a table called "USER_ACCESS_T" which has four columns user_name,Access_level_name,Access_level_type,status_flag.
User_Name Access_Level Access_Type Status_Flag
XX Project ABC Project Group Yes
YY Project DEF Project sub Group Yes
ZZ Project GH Project Yes
My requirement is
When user XX logs in BI answers, he has to access only Project group ie.., Project ABC.
When user yy logs in BI answers, he has to access only Project sub group ie.., Project DEF.
Kindly Guide me.
Thanks and regards
Haree
Edited by: Haree on Dec 23, 2011 11:44 AM

Hi Haree,
Please follow the follow steps to restrict users on the project dimension.
1) Create an init block to populate the list of project a user belongs to. You have to do this row - wise initialized as a user can belong to multiple projects.
Select 'PROJECT_NUMBER', project_number from w_project_d where UPPER(user_name)=UPPER(':USER');
2) Now as you have all the project numbers for a particular user in a variable, you can use that to filter on the dimension table.
3) In the rpd, go to the group/role - Permissions - Select the dimension table project - and put the following filter.
"Core"."Dim - Project.Project Number" = VALUEOF(NQ_SESSION.PROJECT_NUMBER)
That's it. Your security is now in place for projects.
i think this will give you an solution.

Data Level Security OBIEE,PLEASE HELP

How can we implement data level security in OBIEE. For example, a Sales officer should only see data for his customers, similarly a Sales Manager should only be able to see data for Sales Officers working under him....
any help would be appreciated

Hi there are many blogs on data level security..
understand the concepts and try to implement, if you stuck up anywhere will help you out..
http://obieeblog.wordpress.com/2009/01/15/obiee-data-security-column-level-security/
Data level security in OBIEE

OBIEE Data level security - OR condition among multiple filters

Hi All,
we have an requirement in OBIEE 11.1.1.5 to apply data level security based on mutiple dimension ( for example: Product, Geography and Customer). we have implemented by creating 3 groups one for each dimension,
added appropriate filters for each group and applied on presentation layer. But when we see the query generated by OBIEE server all filters are getting applied with OR condition instead of AND.
Could someone explain why this is happening so.. is this the actual behaviour of OBIEE or am i doing something wrong !!!!
Example of the conditions added is
Select * from table
where Country='XYZ' OR Customer ='ABC' OR Product='123'
Expected behavior is
Select * from table
where Country='XYZ' AND Customer ='ABC' AND Product='123'
Thanks in advance..!
Thanks & Regards
Subhakar Parigi

Hi,
Any suggestion would be helpful.
Regards,
Subhakar P

Data level Security issue in obiee 11g

Hi,
We are trying to implement data level security, let me explain the issue
The requirement is, we have 7 schools and each school has one principle , there will be a Superdintent who has 3 schools under him. so now when each principle logs in to dashboard we have a prompt for school i.e Name of school in that prompt he should see only his school and even the data of that school only which are assigned to him, now when Superdintent logs in he should see all 3 schools in the prompt and data. I have gone through this link (http://www.rittmanmead.com/2012/03/obiee-11g-security-week-row-level-security/) but could not achieve.
We are able to achieve by writing SQL in BMM layer ( LTS Table) so where ever the table is used in dashboards the security is being applied and we are able to see what we want. We want to achieve this by application role, But when we are creating session variables and applying on Application Role its not working. We want to achieve this by using Application role because suppose in other dashboards when the table is not used or pulled in, it will not work.But if we do it using application role its applies to all dashboards and data is resticted. so that when principle or Superdintent logs in automatically its restricts the data.
Below is the SQL which we used in BMM LTS, its working fine. But when the same SQL is applied in Application Role it's not working.
SQL used in session variable -
select 'SCHOOL_CD1', school_cd1 from w_staff_d where empl_id ='VALUEOF(NQ_SESSION.USER)'
and job_desc1 = 'Principal High School - KPI'
Any suggestions please ??
Thanks,
VRP

Hi,
I pasted the log view below by applying SET VARIABLE LOGLEVEL=2, DISABLE_CACHE_HIT=1;, ran this report by applying SQL in Session variable. Let me know if you want anything -
Thanks
[OracleBIServerComponent] [TRACE:2] [USER-0] [] [ecid: c9928ce086f2ff4f:4405c138:13a559973e0:-8000-000000000000f7e9] [tid: 128c] [requestid: 5e40000b] [sessionid: 5e400000] [username: weblogic] ############################################## [[
-------------------- SQL Request:
SET VARIABLE QUERY_SRC_CD='Report',SAW_SRC_PATH='/shared/Key Performance Analytics/Analysis/Climate and Culture/Analysis for total school suspensions',LOGLEVEL=2, DISABLE_CACHE_HIT=1; SELECT s_0, s_1, s_2, s_3, s_4, s_5, s_6, s_7, s_8, s_9, s_10, s_11 FROM (
SELECT
0 s_0,
"High School KPI"."- Date"."School Year" s_1,
"High School KPI"."- Grade"."Grade Level" s_2,
"High School KPI"."- School"."School Name" s_3,
"High School KPI"."- School Suspensions"."% of Students Suspended" s_4,
"High School KPI"."- School Suspensions"."Count of Students Enrolled" s_5,
"High School KPI"."- School Suspensions"."Count of Students with Incidents" s_6,
CASE WHEN (CASE WHEN MAX("High School KPI"."- School Suspensions"."% of Students Suspended" BY ) IS NULL THEN 10 ELSE MAX("- School Suspensions"."% of Students Suspended" BY ) END +(CASE WHEN (CASE WHEN MAX("- School Suspensions"."% of Students Suspended" BY ) IS NULL THEN 10 ELSE MAX("- School Suspensions"."% of Students Suspended" BY ) END - CASE WHEN MIN("- School Suspensions"."% of Students Suspended" BY ) IS NULL THEN 0 ELSE MIN("- School Suspensions"."% of Students Suspended" BY )END)=0 THEN CASE WHEN CASE WHEN MAX("- School Suspensions"."% of Students Suspended" BY ) IS NULL THEN 10 ELSE MAX("- School Suspensions"."% of Students Suspended" BY ) END <0 THEN (CASE WHEN MAX("- School Suspensions"."% of Students Suspended" BY ) IS NULL THEN 10 ELSE MAX("- School Suspensions"."% of Students Suspended" BY ) END *-1) ELSE CASE WHEN MAX("- School Suspensions"."% of Students Suspended" BY ) IS NULL THEN 10 ELSE MAX("- School Suspensions"."% of Students Suspended" BY ) END END ELSE (CASE WHEN MAX("- School Suspensions"."% of Students Suspended" BY ) IS NULL THEN 10 ELSE MAX("- School Suspensions"."% of Students Suspended" BY ) END - CASE WHEN MIN("- School Suspensions"."% of Students Suspended" BY ) IS NULL THEN 0 ELSE MIN("- School Suspensions"."% of Students Suspended" BY )END) END /10))<0 THEN 1 ELSE 2 END s_7,
CASE WHEN (CASE WHEN MAX("High School KPI"."- School Suspensions"."% of Students Suspended" BY ) IS NULL THEN 10 ELSE MAX("- School Suspensions"."% of Students Suspended" BY ) END - CASE WHEN MIN("- School Suspensions"."% of Students Suspended" BY ) IS NULL THEN 0 ELSE MIN("- School Suspensions"."% of Students Suspended" BY )END)=0 THEN CASE WHEN CASE WHEN MAX("- School Suspensions"."% of Students Suspended" BY ) IS NULL THEN 10 ELSE MAX("- School Suspensions"."% of Students Suspended" BY ) END <0 THEN (CASE WHEN MAX("- School Suspensions"."% of Students Suspended" BY ) IS NULL THEN 10 ELSE MAX("- School Suspensions"."% of Students Suspended" BY ) END *-1) ELSE CASE WHEN MAX("- School Suspensions"."% of Students Suspended" BY ) IS NULL THEN 10 ELSE MAX("- School Suspensions"."% of Students Suspended" BY ) END END ELSE (CASE WHEN MAX("- School Suspensions"."% of Students Suspended" BY ) IS NULL THEN 10 ELSE MAX("- School Suspensions"."% of Students Suspended" BY ) END - CASE WHEN MIN("- School Suspensions"."% of Students Suspended" BY ) IS NULL THEN 0 ELSE MIN("- School Suspensions"."% of Students Suspended" BY )END) END s_8,
CASE WHEN MAX("High School KPI"."- School Suspensions"."% of Students Suspended" BY ) IS NULL THEN 10 ELSE MAX("- School Suspensions"."% of Students Suspended" BY ) END s_9,
CASE WHEN MIN("High School KPI"."- School Suspensions"."% of Students Suspended" BY ) IS NULL THEN 0 ELSE MIN("- School Suspensions"."% of Students Suspended" BY ) END s_10,
REPORT_AGGREGATE("High School KPI"."- School Suspensions"."% of Students Suspended" BY "High School KPI"."- Date"."School Year") s_11
FROM "High School KPI"
WHERE
(("- Discipline Action"."Discipline Action Code" = 'Suspension') AND ("- Date"."School Year Desc" = VALUEOF("school_year_desc")))
) djm ORDER BY 1, 2 ASC NULLS LAST
[2012-10-17T18:36:55.000+00:00] [OracleBIServerComponent] [TRACE:2] [USER-23] [] [ecid: c9928ce086f2ff4f:4405c138:13a559973e0:-8000-000000000000f7e9] [tid: 128c] [requestid: 5e40000b] [sessionid: 5e400000] [username: weblogic] -------------------- General Query Info: [[
Repository: Star, Subject Area: High School KPI, Presentation: High School KPI
[2012-10-17T18:36:55.000+00:00] [OracleBIServerComponent] [TRACE:2] [USER-18] [] [ecid: c9928ce086f2ff4f:4405c138:13a559973e0:-8000-000000000000f7e9] [tid: 128c] [requestid: 5e40000b] [sessionid: 5e400000] [username: weblogic] -------------------- Sending query to database named SPA (id: <<62064>>), connection pool named Initialization Block Connection Pool: [[
WITH
SAWITH0 AS (select T30351.SCHOOL_YEAR_DESC as c2,
T26564.GRADE_LONG_DESC as c4,
T26686.SCHOOL_NM as c5,
T29835.STDNT_WID as c6,
ROW_NUMBER() OVER (PARTITION BY T30351.SCHOOL_YEAR_DESC, T29835.STDNT_WID ORDER BY T30351.SCHOOL_YEAR_DESC DESC, T29835.STDNT_WID DESC) as c7
from
W_GRADE_LEVEL_D T26564 /* KPI_W_GRADE_LEVEL_D */ ,
W_SCHOOL_YEAR_D T30351 /* KPI_W_SCHOOL_YEAR_D */ ,
W_ORGANIZATION_D T26686 /* KPI_W_ORGANIZATION_D */ ,
W_STDNT_ENROLL_SCHOOL_F T29835 /* KPI_W_STDNT_ENROLL_SCHOOL_F */
where ( T26564.GRADE_LEVEL_WID = T29835.GRADE_LEVEL_WID and T26686.ORGANIZATION_WID = T29835.ORGANIZATION_WID and T29835.SCHOOL_YEAR_WID = T30351.SCHOOL_YEAR_WID and T30351.SCHOOL_YEAR_DESC = '2011-2012' and (T26564.GRADE_LONG_DESC in ('Grade 10', 'Grade 11', 'Grade 12', 'Grade 9')) and (T26686.SCHOOL_NM in ('Central Sr', 'Como Park Sr', 'Harding Sr', 'Highland Park Sr', 'Humboldt Secondary School', 'Johnson Sr', 'Washington Technology Secondary')) ) ),
SAWITH1 AS (select count(distinct case D1.c7 when 1 then D1.c6 else NULL end ) as c1,
D1.c2 as c2,
count(distinct D1.c6) as c3,
D1.c4 as c4,
D1.c5 as c5
from
SAWITH0 D1
group by D1.c2, D1.c4, D1.c5),
SAWITH2 AS (select sum(D1.c1) over (partition by D1.c2) as c1,
D1.c2 as c2,
D1.c3 as c3,
D1.c4 as c4,
D1.c5 as c5
from
SAWITH1 D1),
SAWITH3 AS (select T30647.SCHOOL_YEAR as c3,
T26564.GRADE_LONG_DESC as c4,
T26686.SCHOOL_NM as c5,
T26023.STDNT_WID as c6,
ROW_NUMBER() OVER (PARTITION BY T30647.SCHOOL_YEAR, T26023.STDNT_WID ORDER BY T30647.SCHOOL_YEAR DESC, T26023.STDNT_WID DESC) as c7
from
W_DISCIPLINE_ACTION_D T29975 /* KPI_W_DISCIPLINE_ACTION_D */ ,
W_GRADE_LEVEL_D T26564 /* KPI_W_GRADE_LEVEL_D */ ,
W_KPI_QTR_DAY_D T30647,
W_ORGANIZATION_D T26686 /* KPI_W_ORGANIZATION_D */ ,
W_STDNT_DISCIPLINE_F T26023 /* KPI_W_STDNT_DISCIPLINE_F */
where ( T26023.DISCIPLINE_ACTION_WID = T29975.DISCIPLINE_ACTION_WID and T26023.ORGANIZATION_WID = T26686.ORGANIZATION_WID and T26023.DATE_WID = T30647.DATE_WID and T26023.GRADE_LEVEL_WID = T26564.GRADE_LEVEL_WID and T29975.DISCIPLINE_ACTION_CD = 'Suspension' and (T26564.GRADE_LONG_DESC in ('Grade 10', 'Grade 11', 'Grade 12', 'Grade 9')) and (T26686.SCHOOL_NM in ('Central Sr', 'Como Park Sr', 'Harding Sr', 'Highland Park Sr', 'Humboldt Secondary School', 'Johnson Sr', 'Washington Technology Secondary')) ) ),
SAWITH4 AS (select count(distinct case D1.c7 when 1 then D1.c6 else NULL end ) as c1,
count(distinct D1.c6) as c2,
D1.c3 as c3,
D1.c4 as c4,
D1.c5 as c5
from
SAWITH3 D1
group by D1.c3, D1.c4, D1.c5),
SAWITH5 AS (select sum(D1.c1) over (partition by D1.c3) as c1,
D1.c2 as c2,
D1.c3 as c3,
D1.c4 as c4,
D1.c5 as c5
from
SAWITH4 D1)
select distinct case when D1.c2 is not null then D1.c2 when D2.c3 is not null then D2.c3 end as c1,
case when D1.c4 is not null then D1.c4 when D2.c4 is not null then D2.c4 end as c2,
case when D1.c5 is not null then D1.c5 when D2.c5 is not null then D2.c5 end as c3,
case when D1.c3 = 0 then NULL else D2.c2 * 100.0 / nullif( D1.c3, 0) end as c4,
D1.c3 as c5,
D2.c2 as c6
from
SAWITH2 D1,
SAWITH5 D2
where ( nvl(D1.c2 , '1') = nvl(D2.c3 , '1') and nvl(D1.c2 , '2') = nvl(D2.c3 , '2') and nvl(D1.c4 , '1') = nvl(D2.c4 , '1') and nvl(D1.c4 , '2') = nvl(D2.c4 , '2') and nvl(D1.c5 , '1') = nvl(D2.c5 , '1') and nvl(D1.c5 , '2') = nvl(D2.c5 , '2') )
order by c1, c2, c3
[2012-10-17T18:36:55.000+00:00] [OracleBIServerComponent] [TRACE:2] [USER-18] [] [ecid: c9928ce086f2ff4f:4405c138:13a559973e0:-8000-000000000000f7e9] [tid: 128c] [requestid: 5e40000b] [sessionid: 5e400000] [username: weblogic] -------------------- Sending query to database named SPA (id: <<62434>>), connection pool named Initialization Block Connection Pool: [[
WITH
SAWITH0 AS (select T30351.SCHOOL_YEAR_DESC as c2,
T26564.GRADE_LONG_DESC as c4,
T26686.SCHOOL_NM as c5,
T29835.STDNT_WID as c6,
ROW_NUMBER() OVER (PARTITION BY T30351.SCHOOL_YEAR_DESC, T29835.STDNT_WID ORDER BY T30351.SCHOOL_YEAR_DESC DESC, T29835.STDNT_WID DESC) as c7
from
W_GRADE_LEVEL_D T26564 /* KPI_W_GRADE_LEVEL_D */ ,
W_SCHOOL_YEAR_D T30351 /* KPI_W_SCHOOL_YEAR_D */ ,
W_ORGANIZATION_D T26686 /* KPI_W_ORGANIZATION_D */ ,
W_STDNT_ENROLL_SCHOOL_F T29835 /* KPI_W_STDNT_ENROLL_SCHOOL_F */
where ( T26564.GRADE_LEVEL_WID = T29835.GRADE_LEVEL_WID and T26686.ORGANIZATION_WID = T29835.ORGANIZATION_WID and T29835.SCHOOL_YEAR_WID = T30351.SCHOOL_YEAR_WID and T30351.SCHOOL_YEAR_DESC = '2011-2012' and (T26564.GRADE_LONG_DESC in ('Grade 10', 'Grade 11', 'Grade 12', 'Grade 9')) and (T26686.SCHOOL_NM in ('Central Sr', 'Como Park Sr', 'Harding Sr', 'Highland Park Sr', 'Humboldt Secondary School', 'Johnson Sr', 'Washington Technology Secondary')) ) ),
SAWITH1 AS (select count(distinct case D1.c7 when 1 then D1.c6 else NULL end ) as c1,
D1.c2 as c2,
count(distinct D1.c6) as c3,
D1.c4 as c4,
D1.c5 as c5
from
SAWITH0 D1
group by D1.c2, D1.c4, D1.c5),
SAWITH2 AS (select sum(D1.c1) over (partition by D1.c2) as c1,
D1.c2 as c2,
D1.c3 as c3,
D1.c4 as c4,
D1.c5 as c5
from
SAWITH1 D1),
SAWITH3 AS (select T30647.SCHOOL_YEAR as c3,
T26564.GRADE_LONG_DESC as c4,
T26686.SCHOOL_NM as c5,
T26023.STDNT_WID as c6,
ROW_NUMBER() OVER (PARTITION BY T30647.SCHOOL_YEAR, T26023.STDNT_WID ORDER BY T30647.SCHOOL_YEAR DESC, T26023.STDNT_WID DESC) as c7
from
W_DISCIPLINE_ACTION_D T29975 /* KPI_W_DISCIPLINE_ACTION_D */ ,
W_GRADE_LEVEL_D T26564 /* KPI_W_GRADE_LEVEL_D */ ,
W_KPI_QTR_DAY_D T30647,
W_ORGANIZATION_D T26686 /* KPI_W_ORGANIZATION_D */ ,
W_STDNT_DISCIPLINE_F T26023 /* KPI_W_STDNT_DISCIPLINE_F */
where ( T26023.DISCIPLINE_ACTION_WID = T29975.DISCIPLINE_ACTION_WID and T26023.ORGANIZATION_WID = T26686.ORGANIZATION_WID and T26023.DATE_WID = T30647.DATE_WID and T26023.GRADE_LEVEL_WID = T26564.GRADE_LEVEL_WID and T29975.DISCIPLINE_ACTION_CD = 'Suspension' and (T26564.GRADE_LONG_DESC in ('Grade 10', 'Grade 11', 'Grade 12', 'Grade 9')) and (T26686.SCHOOL_NM in ('Central Sr', 'Como Park Sr', 'Harding Sr', 'Highland Park Sr', 'Humboldt Secondary School', 'Johnson Sr', 'Washington Technology Secondary')) ) ),
SAWITH4 AS (select count(distinct case D1.c7 when 1 then D1.c6 else NULL end ) as c1,
count(distinct D1.c6) as c2,
D1.c3 as c3,
D1.c4 as c4,
D1.c5 as c5
from
SAWITH3 D1
group by D1.c3, D1.c4, D1.c5),
SAWITH5 AS (select sum(D1.c1) over (partition by D1.c3) as c1,
D1.c2 as c2,
D1.c3 as c3,
D1.c4 as c4,
D1.c5 as c5
from
SAWITH4 D1),
SAWITH6 AS (select case when max(D1.c1) = 0 then NULL else max(D2.c1) * 100.0 / nullif( max(D1.c1), 0) end as c11,
case when D1.c2 is not null then D1.c2 when D2.c3 is not null then D2.c3 end as c12
from
SAWITH2 D1,
SAWITH5 D2
where ( nvl(D1.c2 , '1') = nvl(D2.c3 , '1') and nvl(D1.c2 , '2') = nvl(D2.c3 , '2') and nvl(D1.c4 , '1') = nvl(D2.c4 , '1') and nvl(D1.c4 , '2') = nvl(D2.c4 , '2') and nvl(D1.c5 , '1') = nvl(D2.c5 , '1') and nvl(D1.c5 , '2') = nvl(D2.c5 , '2') )
group by case when D1.c2 is not null then D1.c2 when D2.c3 is not null then D2.c3 end )
select D2.c11 as c1,
D2.c12 as c2
from
SAWITH6 D2
order by c2
Edited by: 965968 on Oct 17, 2012 11:49 AM

OBIEE BI Apps data level security involving multiple PeopleSoft Segments

Has anyone implemented OBIEE BI Apps data level security involving multiple PeopleSoft Segments and can provide some tips?
Our PeopleSoft security grants access by 2 segment combinations:
All Segment 3 (Department) and any Segment 6 (Project)
Specific Segment 6
Specific combinations of Segment 3 and Segment 6
In addition, there is a flag to indicate if the user also has access to payroll data. Payroll access is a subset of the general finance access.
We've got a security init blocks running successfully for general finance and payroll access. We've created Data filters on the Segments for general finance access and GL Account for payroll access. We designed dashboards to use Dept and Project from the Segments on the general finance dashboards and pull Dept and Project from GL Account for the payroll dashboards.
The problem is both data filters are being applied to the general finance dashboards since the joins behind the scenes on the general finance dashboards use GL Account.
Does anyone have a suggestion?

Business Intelligence Applications

Object Level Security in OBIEE 11.1.1.5

Hi All,
I am trying to implement object level security for certail groups. We have BI Apps 7.9.6.3 implemented in whch obiee 11.1.1.5 is integrated with EBS R12. Users are able to login through diffrent responsiblities to OBIEe. I need insight into how to implement object level security. Below are the steps whihc i have followed but still i am facing strange issues i.e. some users are able to see dashboards which they have no access with view display error. I checked in dashboard permission. They do not have access
1) Created application roles in OBIEE with the same resposiblity names
2) Grouped the application roles in diffrent groups. I.e. if application roles a,b,c should have access to dashboard x then i made b and c member of a.
3) Configured security in manage previleges and catalog for these application roles i.e. i used application role a mentioned in step 2 in manage previleges etc.
4) Restarted the BI server and presentation servers.
Are there any other steps which should be followed apart from above mentioned steps. Do i have to make use of groups.
Regards,
Sandeep

Sandeep Saini wrote:
I checked the inheritance. I did a lot of investigation but it is weird. My purpose of asking the question was to find out if there are any bugs in version 11.1.1.5 otherwise i didn't see any issues.
There are a couple of bugs related to the issue but I have checked that on 11.1.1.5.5 and its works as expected.
Bug 13982971 : PERMISSIONS ON WEB CATALOG OBJECTS NOT APPLIED IMMEDIATELY
In case you see anything like this -> QA:USER WITH NO ACCESS OVER A FOLDER IS ABLE TO RUN ANALYSIS REPORT CONTAINED then [Patch ID 15626966]
1) I want to check if there are any components i.e. BI server, presentation server or any other service that should be started after creation of application roles. I started only BI server after creating application rolesAny changes made to the Application policies should need a restart of admin and managed server however if you are not creating policies just Roles with similar names OPMN restart should be good to see the changes made.
2) I made use of application roles throughout in object level security . Is it the correct approach ?Yes that is the right approach to use application roles for defining object level permission settings throught, do not go for catalog groups its makes it nasty to manage. Here is the quote from Sec Guide : " Using catalog groups is not considered a best practice and is available for backward compatibility in upgraded systems."
3) To check if there are any object level security related bugsThere might be more than once mentioned above since 11.1.1.5 .. I do not trust that version it bites a lot ;)
And to explain step 2 lets say there are n number of application roles which should have same object level security but diffrent data level security. In that case i made all such application roles member of another application role and configured object level security for that group only. For ex in manage previlege i configured "Access to Answer" for one application group and made other application group member of this group. I hope its clear now .Grouping of Roles with other similar roles is what needs to done to get functionality like catalog groups.However a reference of the 5 basic rules is always a lifesaver : [Rules for Inheritance for Permissions and Privileges|http://docs.oracle.com/cd/E29505_01/bi.1111/e10543/mgrgrpsusers.htm#autoId16]
Hope this helps.!
SVS

Row level security in OBIEE 11g

Hi guys,
We have a business intelligence project in OBIEE, and I have a question regarding row level security (RLS).
Specifically, I have an hierarchical organization with users belonging to different structures. If one user belongs
to a structure that is above another structure in hierarchy, then he should see both data from his structure and
the of the users in structures bellow it. In the reports, we must have filters implemented respecting this requirement,
i.e. if one logs in OBI and accesses the report, he should see in the filter "Users" only subordinate users and respectively
data displayed in the report should be filtered accordingly. How would you suggest to implements this type of security
in the data model? And how could I create the type of filter mentioned above?

This needs to be implemented in 3 different levels. 1. in database 2. in RPD 3 in reports
1. You need to have facts or dimensions which have columns through which you can filter based on their hierarchy. e.g position in an organisation or department in the hierarchy table which can be joined to fact.
2. In rpd you need to create a session variable and initialize it using init block based on the user who is logging in. This variable will be you position or department through which you want to filter based on hierarchy. e.g select position from hierarchy_table where user= 'NQSession(user)' . The resulting position value will be used as a filter.
3. Add this position variable as a content filter in your LTS in you BMM layer.
4. You can also use this session variable as a filter in you reports too.
hope this helps.
Senthil

Data Level Security In Answers

Hello Experts
Can we configure data level security in answers and dashboards without using any variables ?? If so ..please guide me how to ..
Thanks for your time .
Edited by: newbi on Sep 13, 2010 2:14 PM
Edited by: newbi on Sep 13, 2010 2:15 PM

Hi
Follow the link
http://obieeblog.wordpress.com/category/obiee/obiee-security/
Regards
Debo

Dats Level Security @Dashboard

Hi ,
I want some clarifications for below
1) Can we Implement Data Level Security in Dashboard? If yes How to do this in Dashboard.
2) I want to divide dashboard into 4 equal parts? Pls give some iDea
3) In want situations we will use 2 LTS under one Dimension table?
If Any one knows pls give some idea.

Hi RamOBI,
Just as an FYI, it makes it easier for others to help you if you keep one question to each thread. Right now you've got three questions. Here's my response to the one stated in your thread subject.
1. You implement data level security in the Repository file (RPD). You'll build out a subject area with the data level security and use that subject area to build out your dashboard with data level security. Here is a website that walks you through the data level security. http://www.rittmanmead.com/2007/05/13/obiee-and-row-level-security/
If you post the other questions in their own threads, I'll be more than willing to give you feedback.
Let me know if this helps.
Best regards,
-Joe

Regarding Data Level Security in OBIEE

Similar Messages

Maybe you are looking for