Row-base security - mulitiple dimensions

Similar Messages

• Row-base security : how to filter on a set of value ?

  Hello all!
  I am currently trying to setup the row-based security in OBIEE and I am facing some difficulties, not sure if they are basic or not:
  I'd like my users or groups to access data depending on a list of value.
  I know the best practice is to create a session variable and to filter on it in the security filters. But what if I want to filter on n values?
  It looks like a session variable can only host one value. Should I then define n variables initialized in my initialization block ? this would limit the number of values I can filter on. I can't believe there isn't a way to make it clean.
  More precisely, my context is:
  each user can belong to one or more groups
  each group is granted access to one or more brands.
  So basically, I'd like to filter on "brand in group.brands where group in (all groups in nq_session.groups)"
  I don't have any prerequisite on where to store the filter data (repository, database) nor anything else.
  Any help much appreciated ! thanks in advance !
  Cedric

  Hi
  Thanks, I am able to figure out that.
  But I am stuck in performance issue with this approach, I am applying filter on my fact table , but my issue is that for a given user, filter values are in thousands, so OBIEE is putting them in a IN Clause(1,.... 20000) and when the actual query get executed it had performance issue.
  Is there any way where I can write subquery on fact table instead of storing multiple values in dynaic variable.
  Another issue is that when user log in , this variable get initialize which result in delay in login for the user.
  Deepak

• Row level security in OBIEE 11g: Which is better: VPD or RPD

  We can apply row level security in OBIEE by 2 ways.
  1. by Creating Initialize Block in RPD
  2. or Applying VPD in Database, which restricts source tables
  Which one is more efficient and why?
  Thanks,
  Sunil Jena

  you will have some degree of performance degradation with either approach since you are adding additional filters so I would not use that as the main factor to decide. You need to assess your actual requirements. What is the basis by which you are planning on doing the security. Is LDAP the main basis for the security? Do you plan to use certain roles? if your security is more based on roles at the application level, then it may be easier to define at the Application level (OBIEE)...if its just based on a certain user ID for a set of tables, then perhaps VPD can work. If helpful, pls mark.

• Parent-child hierarcy - row level security

  Hi,
  Im using OBI 11.1.1.5 and have a problem about row-level security in parent-child dimension.
  I have created a parent-child dimension, simlar to:
  a1
  --a1.1
  ----a1.1.1
  ----a1.1.2
  --a1.2
  ----a1.2.1
  By using a session variable 'SESVAR1', I want to restrict the visible hierarcy. For instance user 'a1.1' should only see:
  a1.1
  --a1.1.1
  --a1.1.2
  To do this I created a parent-child closure table with the whole dataset. Then I created a physical table using select statement with my session variable in repository. Whenever I viewed data in repository, it showed the correct set.
  I created a parent-child dimension, using the original parent-child closure table. But since current distance values are different from the original hierarcy, I can not managed to build a security such a security system with this method.
  How can I build a security system, that a member can only see its child hierarchy only?
  Thanks for answers and links...
  Edited by: user4516917 on 16.Nis.2012 06:54
  Edited by: user4516917 on 16.Nis.2012 06:55

  According to searches I made in support.oracle and google, it seems that it is not possible to view just a branch of a parent-child tree. Because the closure table is static. Therefore, you can not change the distances of objects dynamically.
  This parent-child ability is very frustrating for me. As I understand, parent-child dimension ability can only be used in read-only sources. Any filtering or dynamic changes does not seem possible in this structure. Any changes on parent-child table requires parent-child relation table to be rebuilt.
  I couldnt find any functionality of indexcol or choose functions in parent-child dimensions. I think they can only be used in level based dimensions.
  Any comments appriciated..

• Row level security in OBIEE 11g

  Hi guys,
  We have a business intelligence project in OBIEE, and I have a question regarding row level security (RLS).
  Specifically, I have an hierarchical organization with users belonging to different structures. If one user belongs
  to a structure that is above another structure in hierarchy, then he should see both data from his structure and
  the of the users in structures bellow it. In the reports, we must have filters implemented respecting this requirement,
  i.e. if one logs in OBI and accesses the report, he should see in the filter "Users" only subordinate users and respectively
  data displayed in the report should be filtered accordingly. How would you suggest to implements this type of security
  in the data model? And how could I create the type of filter mentioned above?  

  This needs to be implemented in 3 different levels. 1. in database  2. in RPD  3 in reports
  1. You need to have facts or dimensions which have columns through which you can filter based on their hierarchy. e.g position in an organisation or department in the hierarchy table which can be joined to fact.
  2. In rpd you need to create a session variable and initialize it using init block based on the user who is logging in. This variable will be you position or department through which you want to filter based on hierarchy. e.g select position from hierarchy_table where user= 'NQSession(user)' . The resulting position value will be used as a filter.
  3. Add this position variable as a content filter in your LTS in you BMM layer.
  4. You can also use this session variable  as a filter in you reports too.
  hope this helps.
  Senthil

• Row level Security for BI Author Role

  Hi All,
  We are using OBIEE 11.1.1.5 in our project. We have a requirement where we need to configure row level security on certain column.
  We are currently using external table and session variable approach to configure this. This security works fine for the users with BI Consumer
  roles. But we are facing issue with configuring row level security for BI Author role.
  BI Author can create any analysis in BI Answers and suppose he/she creates a report which does not contain the column on which row level
  security is applied than he can see all the data. For eg.
  We have one dimension Products having two levels Product Division and Brand. I want to configure security based on Product Division column.
  But if BI Author create a report with only Brand and Measures than row level security is not working.
  Does anyone has face this issue before.
  Please let me know if you want any other information from my side.
  Regards,
  Vikas

  If you are using a multidimensional cube you can use the "permit" command to control access to dimension members or provide cell level security within the cube. The OLAP database documentation provides on how to use the PERMIT command.
  If you are using relational tables and/or views with additional CWM metadata mapped using OEM then you need to refer to the database documentation relating to Virtual Private Databases and Label Security
  Business Intelligence Beans Product Management Team
  Oracle Corporation

• OBIEE Row-Level Security Inquiry

  I had discussed a security requirement with one of our resources and it seems like a simple concept but for some reason I can’t think of simple way to implement in OBIEE.
  If we have a fact table with a security column that has values which state what groups can see the data in that row (Multiple groups separated by semi-colons). The data in the row is layed out like this:
  Group 1;Group 2;Group 3;Group 4
  There is a user and group mapping table as well where if I pull a user (Say User1) the data in the column for their group assignments would look like:
  Group 3;Group 10; Group 11
  Since this user is in Group 3 they can see the values in that row of the fact table above (Because Group 3 appears in both).
  Now I can run a session variable to get the user groups but how to then correlate to what rows they can see in that fact table is where I am stuck.
  Can I solicit any suggestions?

  They are various problems with your approach. To start with let's how OBIEE would like you to have the data:
  State Sales
  1 99
  2 30
  3 50
  Then your user to group table should be like this:
  User State
  1 1
  1 2
  1 3
  2 1
  3 3
  You would then do an row-wise Init Block to populate the GROUP variable. Then you simply do a filter in your BMM layer State = VALUEOF(NQ_SESSION.GROUP). Note that GROUP is that a list of groups so OBIEE will take care to convert this to SQL correctly. Now the way you have your data I don't think you can easily do row-level security. Basically what you need is to have your Group as dimension in your fact. What you have a is concatenated value which is useless. Also your user to group mapping table needs to be flat so you can do the row-wise init block. Hope it helps.

• Row-level security tied to a user account.

  Bear with me, I'm not quite sure I know what I'm talking about.
  Recently we migrated from BO 5.1.7 to BO XII r2 on Solaris. Under Bo 5.1.7 our Finance users tell me there was a way to attach row level security to the account itself. For example, Finance users could only access RU's which belonged to Finance. This there a way to recreate this global security level so that we don't have to do it on a case-by-case basis?
  Thank you in advance.

  You can specify row-level security for a User or UserGroup on a Universe via the Universe Designer in Tools -> Manage Security
  But that would be per Universe, and not global to Enterprise.
  Sincerely,
  Ted Ueda

• Row Level Security in OBIEE

  Hi,
  In my project i have to implement the row level security. My scenario like follows
  I have one report called Customer - Revenue.The report contains the following fields. Company,Organisation,Office, Revenue.
  Dimensional Hiearchy is as follows
  Company --> Organization --> Office
  In each company,Organization,Office have their own user ids.
  If i enter with company user id the report should displayed concern company revenue details with organization and office details.
  When i enter with organization user id then the report displayed for that particular organization and office revenue details.
  When i enter with office user id then the report should displayed for that office revenue details with concern company and organization details.
  My Dimension table in following format
  Company
  Organization
  Office
  Address.
  I am usnig external table authentication.
  External authatication tables contains following fields...
  Loginid,Display Name, Group and Password.
  How can i achieve this in OBIEE 11.1.1.5. Kindly help me to come out from this.....

  Hi,
  Kindly refer the below
  http://gerardnico.com/wiki/dat/obiee/security_level#data
  http://www.rittmanmead.com/2012/03/obiee-11g-security-week-row-level-security
  Thanks
  Deva

• Row Level Security not working for SAP R/3

  Hi Guys
  We have an environment where the details are as mentioned below:
  1. Crystal Reports are created using Open SQL driver to extract data from SAP R/3 using the SAP Integration Kit.
  2. The SAP roles are imported in Business Objects CMC.
  3. Crystal Reports are published on the Enterprise as well.
  3. Authorization objects are created in SAP R/3 and added as required for the row level security as mentioned in the SAP Installation guide as well. The aim is when the user logs into the Infoview and refreshes the report he should only see data that he is meant to so through the authorization objects.The data security works very much fine when the reports are designed directly on the table but when the reports are built on the Business View it doesnt work hence the user is able to see all data.
  Any help in this issue is greatly appreciated.
  Thanks and Regards
  Kamal

  Hi,
  In order for row level security to work for you using the OpenSql driver, you need to configure the Security Definition Editor on your SAP server.  This is a server side tool which the Integration solution for SAP offers as a transport.
  This tool defined which tables are to be restricted based on authorizations.
  However since you are seeing the issue on reports based on Business Views, you need to identify whether the Business View is configured in such a way where the user refreshing the report is based on the user logging into Infoview.  If the connection to your SAP server is always established with the same user when BV is used then you security definition is pointless.
  You can confirm this by tracing your SAP server to identify what user is being used to logon to SAP to refresh the reports.
  thanks
  Mike

• How do I apply SAP's mantra, "Run Like a Factory" to my Basis/Security team?

  I will preface this by stating that I am a newbie to SAP, and I am not technical. Currently I manage a Basis/Security team, albeit understaffed.
  For the past 5 years I have been charged to:
  Organize the team into a highly-performing department. (Done!)
  Leverage existing SAP (and non-SAP) tools to drive up the performance and availability of our SAP landscape. (Currently on SolMan 7.1, SP12. Early Watch reports for 17 instances. Crank out CQC's like they are free candy)
  Take full advantage of our SAP Enterprise Support. (Monthly calls with our Ent. Support Advisor. Burn through our EGI's, AEI's, and Road Maps. Training curriculum built around the Ent. Support Academy offerings, etc.)
  But there is a part that is missing, and this is where I need guidance. What I am referring to is the integration and synchronization of my team with the abundance of proactive services of SAP's MarketPlace (MP) and Enterprise Support (ES). Here is what I mean:
  So I am subscribed to umpteen SAP "MP" & "ES" newsletters and RSS Feeds, I occasionally browse the Security Portal (because I can't find where to subscribe to an RSS Feed), I receive the "SAP Support Notification" email every couple of days, I am connected to their Social Media presence,and there are a few other communication channels I am connected to. But from all of this what I am missing is... Continuity!
  I have had this nagging feeling that I am missing, or not yet fully aware, of some basic elements within the "MP" or "ES" that I need to address so that the steady flow of information from these channels are relevant and substantial. Here is my best example:
  Every few days I receive the "SAP Support Notification" email. At first the email was basically empty. I figured out that I had to choose my instances within my subscription so that I receive relevant information. I accessed my instance list and found it was a mess. So I had my architect remove all obsolete instances.  The contents of the email is now more substantial, but there is more to the email that I don't understand the relevance of.
    Another example is the SAP Security Portal. I can't figure it out. Updates, announcements, etc. aren't sent out. I have to remind myself to visit the Portal.
  I have a few more examples, but this post is already too long. I need help with the manipulation of the basic elements of "MP" and "ES" to start receiving more substantial, and actionable, proactive support. Once I have this I can integrate this support into the daily administration of my SAP ecosystem, as well as define KPI's and metrics to strive for improved performance and availability.
  So what am I missing?

  Hi Pete,
  This is a great discussion item, and I am glad that you brought it up!  There is a lot of information out there, and how to syphon it so it relates to you is definitely something that is important.
  Couple points/questions on the above, and then some information that may help future wise.
  There are many notifications within the SAP Support Portal that you can subscribe to.  Some require filters, some are based on 'subscribing' to Spotlight News or to specific notes and KBAs.  Happy to set up some time with you to go through these in detail.
  What is the URL to the SAP Security Portal you mention?  Are you referring to this area: https://support.sap.com/kb-incidents/notifications/security-notes.html?
  Future direction is focusing on personalizing your experience within the portal.  Giving you what you need, when and how you prefer.  We can chat on that as well.
  Feel free to reach out to me directly.
  Cheers,
  Kristen

• Row level security at universe design level

  Hi,
  I am creating a Universe layer on top of non SAP OLAP cube ( from MS Analysis Services 2005 ) .
  My concern is that can we maintain the row level or data level security at universe design level or if i am using that universe in creation of WEBI report so is there any possiblity to maintain this security at WEBI level.
  Regards,
  Mishra Vibhav.

  Thanks for the reply.
  Much Appriciated.
  My only concern is that i read in the Universe Designer developer guide that it does the row level security so can eloborate a bit about how we maintain at Universe level.
  Warm Regrads,
  Mishra Vibhav

• Row level security in BI Publisher

  Hi All ,
  I am using BI publisher for reporting on Siebel system.The issue I am facing is regarding row level security.Even if I am logging with Employee Id, when I generate report ,I have acess to all the information of the other employees.
  e.g. If as a cashier I made some entry , when I generate report on collection made by me, its bringing me all the collections made by other cashiers also.
  I am generating these report from siebel side.I am not sure if we can apply the rowlevel security to BI Publisher.
  Does anyone has used Siebel or EBS with BI Publisher and have row level security ? I am also not sure How to see the reports by loging into BI Publisher .If I am using Siebel or EBS, what is going to be my Data Model or Data Set.
  Can anyone help me on this?
  Thanks!!

  Oracle HRMS has its own security built-in to the schemas. Other modules you will need to customize for your own use.

• Setting up Row Level Security in EPM 11.1.1.3

  I have been following the Administration guide but failed to setup row level security in EPM 11.1. Please advise which part of my steps are wrong. (note I am using MS SQL Server for the EPM Shared Services and Workspace database, everything under Windows env)
  i) Enable row level security in Workspace.
  Step 1) Define a ODBC Data Source named "EPM_WS" in Windows. The ODBC Data Source points to the MS SQL Server database of EPM Workspace since it contains the 3 tables (BRIOSECG, BRIOSECP, BRIOSECR) related to row-level-security.
  Step 2) Login to workspace, select "Administer"->"Configuration Console". Edit "Interactive Reporting Data Access Services" and add a data source with ODBC->MS SQL Server -> "EPM_WS" as the name of datasource. Restart "Interactive Reporting Data Access Services".
  Step 3) Login to workspace, select "Administer"->"Row Level Security". Check "Enable Row Level Security", Choose ODBC->MS SQL Server-> fill in "EPM_WS" as Data Source Name"-> Provide correct user name and password. Click "Save Properties"
  Step 4) It always prompt "Server error setting the Connectivity. Recommended Action: Logoff and logon again. If problem persists contact your local security administrator."
  Any log I can inspect for the connectivity error?
  ii) Configure Row Level Security setting
  I know that for Hyperion IR, there is a file row_level_security.bqy comes with the installation. User can use this bqy file to configure the actual row level security setting. However, I cannot locate this bqy file in the EPM 11.1 installation. What is the proper step for setting up the row level security configuration?
  thank you very much.

  I have been following the Administration guide but failed to setup row level security in EPM 11.1. Please advise which part of my steps are wrong. (note I am using MS SQL Server for the EPM Shared Services and Workspace database, everything under Windows env)
  i) Enable row level security in Workspace.
  Step 1) Define a ODBC Data Source named "EPM_WS" in Windows. The ODBC Data Source points to the MS SQL Server database of EPM Workspace since it contains the 3 tables (BRIOSECG, BRIOSECP, BRIOSECR) related to row-level-security.
  Step 2) Login to workspace, select "Administer"->"Configuration Console". Edit "Interactive Reporting Data Access Services" and add a data source with ODBC->MS SQL Server -> "EPM_WS" as the name of datasource. Restart "Interactive Reporting Data Access Services".
  Step 3) Login to workspace, select "Administer"->"Row Level Security". Check "Enable Row Level Security", Choose ODBC->MS SQL Server-> fill in "EPM_WS" as Data Source Name"-> Provide correct user name and password. Click "Save Properties"
  Step 4) It always prompt "Server error setting the Connectivity. Recommended Action: Logoff and logon again. If problem persists contact your local security administrator."
  Any log I can inspect for the connectivity error?
  ii) Configure Row Level Security setting
  I know that for Hyperion IR, there is a file row_level_security.bqy comes with the installation. User can use this bqy file to configure the actual row level security setting. However, I cannot locate this bqy file in the EPM 11.1 installation. What is the proper step for setting up the row level security configuration?
  thank you very much.

• How to check the row level security in TOAD for oracle

  Hi ,
  for ex, i have 2 types of users
  normal user and super user
  super user can see the group set (some column name) created by normal user
  but normal user can not see the set created by super user
  this set crestion aslso has 3 types "U','P',S'
  P & S can be viewed by even normal user
  but U should not
  so here we are having some row level security for the normal user .....
  So, in TOAD for oracle how to check that......
  Let me know if i'm not clear

  Like
  I'm the super user....
  And some records are inserted to a table by different users ('a' , 'b', etc....)
  So,if user 'a' logins then he can be able to see only the records inserted by 'a' only...
  how to see in TOAD where such type of scripts (filter conditions) are written.....