Restrict data based on role?

There are several levels in an organization structure - how would I implement security such that folks in the org. tree can see only data at/below their levels?
Ex:
CEO->VP->DIR->MGR->DEPT
The fact table carries dept only. So the CEO should be able to see rollups at VP, DIR, MGR, DEPT levels. A DIR should be able to see across all departments he manages.
What facilities does Discoverer provide to handle this kind of requirement?
The reports I have all need to present the same kind of information, but the content should be based on the role.

http://download-west.oracle.com/docs/html/B13918_03/security2.htm#sthref1002
14.8.1 Introducing Virtual Private Databases, Single Sign-On, and Discoverer
The Oracle9i Release 1 (and later) Enterprise Edition database's powerful Virtual Private Database (VPD) feature enables you to define and implement custom security policies. Among other things, the VPD feature enables you to enforce fine-grained access control based upon attributes of a user's session information (referred to as application context). This VPD functionality is commonly employed as a way of controlling access to data using the currently logged-on user's Single Sign-On (SSO) identity. For more information about setting up a VPD, see Oracle9i Application Developer's Guide - Fundamentals.
If Discoverer has been configured to require SSO authentication, Discoverer can pass a Discoverer end-user's SSO user name to the database (as the CLIENT_IDENTIFIER attribute of the built-in application context USERENV). Providing a VPD policy based on SSO user names has been implemented in the database, the data returned to a Discoverer worksheet will be restricted to the data that the SSO user is authorized to access.
You can optionally add user-defined PL/SQL statements to both database LOGON (and subsequent) triggers and to a Discoverer trigger (eul_trigger$post_login) to use the SSO user name to further control the data that is returned. You can use the database and Discoverer triggers separately or in conjunction with each other.
14.8.2 Example showing how SSO user names can limit Discoverer data
The Discoverer manager at Acme Corp. does the following:
1. Configures the Discoverer middle tier machines so that SSO authentication is necessary to access the Discoverer URLs.
2. Creates a Discoverer public connection called 'Analysis', that has access to a workbook called 'Sales'.
3. Creates a VPD policy against the base tables of the workbooks. The VPD policy determines the data that is returned, based on the value of a variable called 'CONTEXT1'.
4. Creates a database LOGON trigger that sets variable CONTEXT1 to the value of the SSO user name (extracted from the application context information passed to the database by Discoverer).
The Sales workbook is used by two Discoverer users at ACME Corp., Fred Bloggs and Jane Smith. A typical workflow for these two users is shown below:
1. User 'Fred.Bloggs' authenticates via SSO and accesses the top level Discoverer URL.
2. Fred selects the public connection 'Analysis', and opens the workbook 'Sales'.
3. Fred views the data in the default worksheet, and then logs out.
4. User 'Jane.Smith' authenticates via SSO and accesses the top level Discoverer URL.
5. Jane selects the public connection 'Analysis', and then opens workbook 'Sales'.
6. Jane views the data in the default worksheet.
Jane sees different data to Fred, despite the identical database connection, workbook, worksheet and database query. The difference is determined by the VPD policy being based on SSO user identities.
FYI
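
A sketch of the VPD setup from the documentation excerpt above, applied to the CEO->VP->DIR->MGR->DEPT question; this is an added example, not Oracle's or the poster's code. The schema APP, the tables ORG_NODE and SALES_FACT, the function and policy names and the sample rows are assumptions, and the predicate reads CLIENT_IDENTIFIER directly instead of copying it into CONTEXT1 from a logon trigger.

```sql
-- Added example. Hypothetical names: schema APP, tables ORG_NODE and SALES_FACT,
-- function ORG_VPD_PREDICATE, policy SALES_BY_ORG. Sample rows are constructed.

-- Org tree: one row per node; DEPT rows are the leaves the fact table points at.
CREATE TABLE app.org_node (
  node_id    NUMBER       PRIMARY KEY,
  parent_id  NUMBER       REFERENCES app.org_node (node_id),
  node_level VARCHAR2(4)  NOT NULL
             CHECK (node_level IN ('CEO', 'VP', 'DIR', 'MGR', 'DEPT')),
  sso_user   VARCHAR2(64)           -- SSO user name that owns this node
);

-- The fact table carries the department only, as in the question.
CREATE TABLE app.sales_fact (
  dept_id NUMBER NOT NULL REFERENCES app.org_node (node_id),
  amount  NUMBER NOT NULL
);

INSERT INTO app.org_node VALUES (1,  NULL, 'CEO',  'Carol.Ceo');
INSERT INTO app.org_node VALUES (2,  1,    'VP',   'Victor.Vp');
INSERT INTO app.org_node VALUES (3,  2,    'DIR',  'Fred.Bloggs');
INSERT INTO app.org_node VALUES (4,  3,    'MGR',  'Jane.Smith');
INSERT INTO app.org_node VALUES (5,  3,    'MGR',  'Mark.Mgr');
INSERT INTO app.org_node VALUES (10, 4,    'DEPT', NULL);
INSERT INTO app.org_node VALUES (11, 5,    'DEPT', NULL);
INSERT INTO app.sales_fact VALUES (10, 100);
INSERT INTO app.sales_fact VALUES (11, 250);
COMMIT;

-- Policy function: returns the WHERE fragment the database appends to every
-- query on SALES_FACT. The subquery walks down the tree from the node(s) owned
-- by the SSO user and keeps the DEPT leaves. If CLIENT_IDENTIFIER is NULL or
-- unknown, START WITH matches nothing and the query returns no rows.
CREATE OR REPLACE FUNCTION app.org_vpd_predicate (
  p_schema IN VARCHAR2,
  p_object IN VARCHAR2
) RETURN VARCHAR2
IS
BEGIN
  RETURN 'dept_id IN (
            SELECT n.node_id
              FROM app.org_node n
             WHERE n.node_level = ''DEPT''
             START WITH n.sso_user = SYS_CONTEXT(''USERENV'', ''CLIENT_IDENTIFIER'')
           CONNECT BY PRIOR n.node_id = n.parent_id)';
END org_vpd_predicate;
/

-- Attach the policy to the fact table for SELECT statements.
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'APP',
    object_name     => 'SALES_FACT',
    policy_name     => 'SALES_BY_ORG',
    function_schema => 'APP',
    policy_function => 'ORG_VPD_PREDICATE',
    statement_types => 'SELECT');
END;
/

-- Check from a test session: set the identifier the way the middle tier would,
-- then run the same query under each name and compare the rows.
-- Any session can call DBMS_SESSION.SET_IDENTIFIER, so the policy is only as
-- strong as the control over who can log in with the shared connection account.
BEGIN
  DBMS_SESSION.SET_IDENTIFIER('Jane.Smith');   -- then repeat with 'Fred.Bloggs'
END;
/
SELECT dept_id, SUM(amount) AS total
  FROM app.sales_fact
 GROUP BY dept_id
 ORDER BY dept_id;
```

SYS and accounts holding the EXEMPT ACCESS POLICY privilege bypass VPD policies, so run the check as an ordinary user and audit who holds that privilege.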

Similar Messages

  • Restrict Dashboard based on Role

    Hi
    Is it possible to restrict dashboards based on role? I want to hide out-of-the-box dashboards and display custom dashboards based on role.
    Regards
    Sundar

    Hi,
    But note that the Look In function is not available in the custom web tab. This is really a shame because the Look In allows managers to see the data in different ways. If any of you found a way to get the Look In functionality into the web tab, I would love to find out.
    Regards,
    Gonzalo

  • How to restrict a table with its set of data based on a column value in it?

    Hi,
    I have a scenario in which I have to show a set of data of a pivot table by restricting data based on a column value. I am creating BIP report whose source is from BIA ie.RPD. Based on a column value I want to restrict the data being displayed in the table. Since I also want the hidden data in the first table to be displayed in another table in the same report I cannot restrict the data at the query level i.e at RPD or at BIA. For this reason I used
    <?xdofx:if saw3_ = 1?>
    the pivot table
    <?end if?>
    But it does not restrict any data.
    Also I tried using the if condition inside the table before the row level looping happens. But no good show even then.
    How can I forgo this problem?
    Regards,
    The MM

    Hi,
    See : http://download.oracle.com/docs/cd/E12096_01/books/PubUser/T421739T481157.htm#4535373 regarding column and row.
    Regards,
    Colectionaru

  • Restrict Query Data based on Date range and Users

    Hi All,
    I have a few web reports where I need to restrict data based on users.
    In all the queries I have an infoobject 0CALDAY, and a user entry range variable on it. Because of performance issues I need to restrict the range of dates a user can see. Typically most users could go to a max date range of 1 month back. But some others would need the ability to see data for a much bigger range of dates.
    Please suggest how I should go about this. Should I enforce this at variable level (user exit)? But then I might have to maintain a table for the users. Is there any other way of doing it?
    thanks
    Raj

    Any thoughts ?

  • How to Restrict Search based on the Roles for External crawled sites

    I have a situation where the search results have to be restricted based on role.
    When external sites are crawled, how can we restrict the search results based on roles?
    I know that we can restrict the search to a group or set of groups that can contain many users, but if the group has different roles and that group has been given access to a web repository search, how can we restrict the document/search access based on roles for the same group?
    For example, an index has an external site as data source and the permissions were set for a group, and that group has 2 roles, let's say "Admin" and "user". The external site has some documents; when searched, the documents should come up only for the "Admin" role, but should not come up for the "user" role.
    Is it possible to achieve this? Is there a solution?
    Any advice is greatly appreciated and awarded.
    Thanks,
    kk

    Is it possible to restrict on role based?
    Any suggestions are appreciated
    Thanks
    KK

  • Overriding the default "date-based" restrictions in time reporting

    Hi all.
    When using CATS/ESS for reporting time on tasks / roles there are some built in date based rules which limits when time reporting is possible.
    The cProjects 4.5 (SP05) help describes this as follows for a task-based set-up
    The system creates a worklist in CATS to enable you to record your time for a role or task. The system selects all objects (tasks, project roles, or project definitions) to which you are assigned in the confirmation time frame:
    If you set up confirmation via tasks, the worklist displays all tasks for confirmation to which your user is assigned by means of a role for the confirmation time frame and which have been released. For the confirmation time frame, the system first checks
    the time frame you specified on the Staffing tab page. Then it checks the time frame you specified in the Tasks Assigned to Selected Project Role group box on the Tasks tab page. If you only made entries on one of the tab pages, these apply.
    Put differently there is as I understand it a two-step check against the date that the user is trying to report on
    a) check against dates in staffing tab of role
    b) check against dates in the "tasks assigned to selected project role" tab of the role
    The requirement we are looking at now is to make this check a bit more loose.  An example could be to say that time reporting is OK as long as the dates lie within the projects scheduled dates.
    Any comments / experiences around this?  Possible?  I assume one would need to try to influence how the worklist is built up.
    Best regards / Anders

    Hi Anders,
    The building up of the CATS worklist is done on two sides, the ERP system and the cProject system. Regarding your requirement, I think the logic is done on the cProject side, where the logic is hard coded and there is no BAdI to enhance it.
    Please see my report in the Wiki to have more details:
    https://www.sdn.sap.com/irj/sdn/wiki?path=/pages/viewpage.action&pageid=61926
    Kind regards,
    Zhenbo

  • Problem with FC security when data restrictions are based on RU dimension

    Dear Sirs,
    The data access restrictions for users in our system are configured so that a reporting unit's data can be accessed only by users that are responsible for ancestor's data based on RU hierarchy (restriction by RU dimension in data analysis).
    When a reporting unit is moved in the hierarchy from one parent to another, the old ancestor can't access its data, as only the new ancestor does. But in that case we have a very big problem, as users can't build the old ancestor's consolidated reports for previous periods - they are incorrect since RU dimension access is restricted for all periods.
    Are there any ideas how the issue can be solved?

    Dear Egle,
    Indeed,  the historical data within the reports will not be accessible after the data analysis modifications and this is the normal behavior of BO Financial Consolidation.
    Please note that an enhancement request was escalated to allow users to belong to more than one Data Access Group. This enhancement is referenced under the reference ADAPT01028492 ( for more information, you can refer to  the SAP Note 1405946 - BOFC - Allowing multiple Data Access Groups).
    This new feature is not implemented yet in  Financial Consolidation  and the current  workaround is to create 2, 3 or 4 users for the same person.
    However, this workaround will oblige users to disconnect/reconnect many times or open more than one session  to apply necessary changes on BO Financial Consolidation.
    If this request is quite important for you, we recommend you to enter this enhancement in our new site ( Idea Place): https://ideas.sap.com. Indeed, SAP has defined a new process and a new tool that is now available to customers  which allow them to log Enhancement Requests themselves and have the ability to work more directly with our technology and Development group.
    If the request sent by the customer is pertinent and voted by 10 other customers at minimum, the Enhancement Request will be probably accepted by the Product Group(to have more information  about this new process, you can refer to the SAP note 1515837 - NEW Enhancement Request Process - "Idea Place" )
    Let me know if you will need further details.
    Best regards,
    Emna.

  • Essbase Studio 11.1.2.1 - restrict/filter based on date

    Hi - I am trying to filter hierarchies/data based on date. For example, I am trying to use a user defined table below which runs in TOAD but not in Studio due to the TO_DATE and TO_CHAR functions. Can anyone help so this query runs in Essbase Studio?
    SELECT a.business_unit, a.operating_unit, a.fund_code, SUM (a.COST),
    c.descr, TO_CHAR (c.acquisition_dt, 'YYYY-MM-DD'), b.begin_depr_fy,
    a.CATEGORY, d.ACCOUNT, c.profile_id, e.descr, a.asset_id,
    a.project_id, f.project_type, e.setid, a.business_unit || '-' || a.project_id as DrillProjectID
    FROM ps_cost a, ps_book b, ps_asset c, ps_dist_tmplln_tbl d, (ps_profile_tbl e LEFT OUTER JOIN ps_project_fs f
    ON e.setid = f.setid AND e.profile_id = f.profile_id)
    WHERE a.business_unit = b.business_unit
    AND a.asset_id = b.asset_id
    AND a.book = b.book
    AND b.business_unit = c.business_unit
    AND b.asset_id = c.asset_id
    AND a.book = 'GAAP'
    AND d.CATEGORY = a.CATEGORY
    AND d.setid = 'TWC01'
    AND d.trans_type = 'ADD'
    AND d.distribution_type = 'FA'
    AND a.accounting_dt <= TO_DATE ('2011-12-31', 'YYYY-MM-DD')
    AND e.profile_id = c.profile_id
    AND d.ACCOUNT BETWEEN '16000' AND '16999'
    AND a.fund_code = '19'
    AND d.ACCOUNT = '16320'
    AND a.CATEGORY = 'PLANT'
    AND a.business_unit = '19510'
    AND a.fund_code = '19'
    AND c.acquisition_dt <= TO_DATE ('2011-11-30', 'YYYY-MM-DD')
    GROUP BY a.business_unit,
    a.operating_unit,
    a.fund_code,
    c.descr,
    TO_CHAR (c.acquisition_dt, 'YYYY-MM-DD'),
    b.begin_depr_fy,
    a.CATEGORY,
    d.ACCOUNT,
    c.profile_id,
    e.descr,
    a.asset_id,
    a.project_id,
    f.project_type,
    c.business_unit,
    c.asset_id,
    e.setid,
    e.profile_id
    HAVING SUM (a.COST) <> 0 AND SUM (a.COST) <> 0
    ORDER BY 1, 2;

  • BAM views based on roles

    Hi All,
    Is it possible to have a single BAM view with all the necessary details, where based on roles only specific fields can be viewed?
    Thanks

    Hi ChampBoss,
    BAM views are nothing but SQL views. You can't restrict users for certain fields in views. BAM activities relate to SQL tables and BAM views are SQL views. BAM views are meant to provide authorisation over the BAM activities, restricting the views to the data of the BAM activities based on the roles.
    You can't restrict the views of the BAM view's fields. But what you can do is:
    Create multiple new views of the BAM activities: new views with fewer fields, containing only what you want to show to the user.
    Completely hide the existing view from all the users (the view whose fields you want to restrict; if you don't want it you can delete it, otherwise just hide it from other roles).
    Provide access to the new BAM views based on the user role.
    If this answers your question please mark it accordingly. If this post is helpful, please vote as helpful by clicking the upward arrow mark next to my reply.

  • Restrict users based on Customers

    Hi ,
    In ECC system, we have general requirements to restrict users based on customer account group where customer account group is represented as Site/Store.
    Possible values for Customer Account group -
    - Reference Store
    - Head Store
    - Wholly Owner Store etc.
    Till this point everything is fine. However, Client has few additional External Stores which are represented as one Dummy Site and Customers belonging to that store are actual external Stores.
    Example, we have additional Value for Customer Account Group -
    - Dummy Site
    And now all the customers that are part of the dummy site are actual stores, and we need to drill down our restriction to these customers (so-called stores).
    To restrict users based on customer account group/stores, we can utilize F_KNA1_GRP with field KTOKD (Customer Account Group). However, is it possible to create roles based on individual customers of these stores?
    If yes, how can we do that?
    P.S. I had a look at authorization object F_KNA1_BED with field BRGRU. Can this object help us in fulfilling our requirement? Or is there any other SAP provided authorization object which can help us to restrict on customer values?
    Thanks,
    Sheenam

    You could use F_KNA1_BED, I guess - but that would mean excessive maintenance of both: BEGRU and customers, if I understood your scenario correctly and you really, really want to break that down to single customers.
    It would be even more excessive to utilize F_KNA1_GRP. Can be done, though.
    Both solutions are completely un-elegant and I am not happy proposing them. But I am curious as a cat: what exactly is the business process expecting you to restrict access to customer data down to a single customer?
    Edited by: Mylène Dorias on Mar 24, 2010 8:39 AM

  • How to setup the security based on roles in Organization.

    Hi,
    How to setup the security based on roles in Organization.
    For example: a few users are Manager and a few users are Non Manager. A Manager should have access to all work data including Non Manager, and a Non Manager should have access based on role. How to set this up? How does the OBI server identify the user role?
    Kindly let me know.
    Regards.,
    CHR

    Hi,
    You need to have back end support to achieve this. In the back end you need to create two groups. You need to know what joins have to be made for which group (which is more important) and also make a session variable for the userrole (with SQL supporting it). In the BMM layer, we need to put the security join conditions in the 'where clause'.
    And make a common report. A user logging in with the respective userid will have the userrole and joins assigned in the back end. And they will be viewing the report according to their access.
    Hope this will solve your problem.
    Regards
    MuRam

  • How to restrict data in reports for different users...

    I created a monthly_sales report on the XYZ_SALES_FACT table.
    I have to give restrictions on reports based on the users,
    i.e. user_1 will access only NORTH region sales info on the monthly_sales report,
    user_2 will access only SOUTH region sales info on the monthly_sales report, etc.
    Note: my client is not agreeing to create multiple reports based on the user/region.
    How do I give user restrictions on a report based on the users?

    Hi,
    You can create a VPD policy and then create a login trigger and pass the SSO client_identifier or database session_user (use if/then/else to protect both).
    You can check here for the VPD/login trigger.
    Disco Config Guide
    http://download.oracle.com/docs/html/B13918_03/security2.htm#sthref1002
    OTN articles
    http://www.oracle.com/technology/obe/10gr2_db_vmware/security/vpd/vpd.htm
    http://www.oracle.com/technology/oramag/oracle/04-mar/o24tech_security.html
    You can also use secure views, mandatory conditions in the EUL, etc.
    Some other related forums entries:
    Re: Using VPD with Oracle Discoverer without SSO
    Re: Restrict Data for a user without VPD
    May want to search, likely many others on the subject.
    Should give you a good place to start.
    Regards,
    Steve.

  • Workflows based on roles

    Hi,
    Is it possible to have multiple workflows and trigger them based on roles. For example, I have a workflow with, say, 6 steps and I want to trigger it when a person with 'Marketing' role tries to update a record. Then I have a different workflow with, say, 8 steps that I would like to trigger when a person with 'Power User' role tries to update a record. Is it possible to have different workflows for different types of roles?
    If it is not possible then what are the workarounds? Suggestions are welcome.
    Regards,
    -Y

    Hi,
    Yes, it's always possible to assign workflow events to users depending upon their roles, and it's also possible to have n number of workflows with different users or roles assigned to each.
    Q: How is it done?
    A: Firstly, to create a workflow you need to select the workflow table from the drop down list of tables in the Data Manager (it will be the last table in the list). Then you right click in the right side area of the window and select ADD; this will add a new workflow to your repository. The person whose user id and password you logged in with is the owner of the workflow (basically it's the Admin). Next, when you go to the workflow diagram in Microsoft Visio you can add different workflow events in that. When you assign a workflow event or activity, you can specify there who is to process this step; it depends on the user name or the role. When you require it to be the 'Marketing' role, select it from the drop down list.
    You have to select roles wherever required.
    CHARAN
    Lead, Follow or Get out of Way

  • FD32 restrict users based on a schedule of authority

    All,
    I have a requirement within FD32 to restrict users based on a schedule of authority.  For example, only allowing credit limits to be changed in a user's authorized dollar range.  I was able to restrict the Credit Limit field (change/display) by using field groups, but I have an extension of the requirement for a schedule of authority.  Can someone please  help?

  • APEX - how to restrict data

    Hi,
    I am a newbie and looking for a way to restrict data (in a report) based on user type.
    As an example, I have a billing table with customer, product and sales rep details.
    I want my sales reps to see only details where they were involved in the sales, whereas a sales manager should be able to see the details associated with the sales reps who report to him/her.
    Thanks in advance

    Hi,
    This might help you
    Re: Authorization to particular group of users
    Br,Jari
