Row-level security at the Database level

We need row-level security at the database level, where the user who logs in to Crystal Reports should be able to fetch only those rows from the database that he is entitled to see. For this, the login name of the user is passed to a stored procedure which sets the context of the DB session and restricts the data retrieved.
We are not looking for row-level security where the data is first retrieved and then filtered based on the user login name. However, we are definitely looking for a way to set a context for a database session based on the user login name, even before we start fetching data. So effectively, the user who logs in will fetch only those rows which he is supposed to see.
Issue:
We face a problem of not being able to pass a variable to the database stored procedure that sets the context (something like 'BOUSER' for BO works, whereas 'CurrentCEUserName' for Crystal Reports doesn't work).
Please let us know if we can use 'CurrentCEUserName' variable in Crystal in the same way as 'BOUSER' is used in ConnectInit for BO? We would like to know how we could pass any variable in Crystal Reports which holds the user login information to a stored procedure.
Also, please suggest alternate ways to achieve this security restriction, if any.

Hi
A previous database had a personnel table with their station name, district and region, with a field holding their logon name. We also had an activity table with the fields referring to the activity, and a field of Station, district and region it occurred in.
By linking the individual rows in an activity table to the personnel table on the station name field, we then used the CurrentCEUserName to filter on the personnel. This returned only the records in the activity table where the station the activity took place at was the same as the station associated with the selected personnel who has logged on.
The additional bonus was if we linked it on District or region we had the same result but at a greater level, i.e. all activity in the logged-on personnel's District or, if linked on region, then their region.
The personnel table was maintained by the system administrators, so maintenance was low.
I hope this helps.
Kevin
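The question's approach (the login name handed to a stored procedure that sets the session context) and Kevin's join on a personnel table fit together as follows. This is an added example, not code from the thread or from BusinessObjects/Crystal Reports; it uses Oracle syntax, and the context name report_ctx, the package report_sec, the tables personnel and activity, the report_user account and the sample rows are all assumptions constructed for the example.

```sql
-- Added example (not from the thread): row filtering driven by a session
-- context that only one trusted package can write. Oracle syntax; the
-- names report_ctx, report_sec, personnel, activity and report_user are
-- assumptions, and the rows below are constructed sample data.

CREATE TABLE personnel (
  logon_name VARCHAR2(30) PRIMARY KEY,
  station    VARCHAR2(30) NOT NULL,
  district   VARCHAR2(30) NOT NULL,
  region     VARCHAR2(30) NOT NULL
);
CREATE TABLE activity (
  activity_id NUMBER PRIMARY KEY,
  station     VARCHAR2(30) NOT NULL,
  district    VARCHAR2(30) NOT NULL,
  region      VARCHAR2(30) NOT NULL,
  description VARCHAR2(200)
);
INSERT INTO personnel VALUES ('KEVIN', 'NORTH-1', 'NORTH', 'UK');
INSERT INTO personnel VALUES ('ASH',   'SOUTH-2', 'SOUTH', 'UK');
INSERT INTO activity  VALUES (1, 'NORTH-1', 'NORTH', 'UK', 'Site visit');
INSERT INTO activity  VALUES (2, 'SOUTH-2', 'SOUTH', 'UK', 'Audit');
INSERT INTO activity  VALUES (3, 'NORTH-3', 'NORTH', 'UK', 'Inspection');
COMMIT;

-- The context may only be set through the package named in USING; a
-- report session cannot call DBMS_SESSION.SET_CONTEXT on it directly.
CREATE OR REPLACE CONTEXT report_ctx USING report_sec;

CREATE OR REPLACE PACKAGE report_sec AS
  -- Called once per session by the reporting tool (for example from a
  -- ConnectInit string carrying the BOUSER / CurrentCEUserName value).
  PROCEDURE set_user(p_login IN VARCHAR2);
END report_sec;
/
CREATE OR REPLACE PACKAGE BODY report_sec AS
  PROCEDURE set_user(p_login IN VARCHAR2) IS
    v_login personnel.logon_name%TYPE;
  BEGIN
    -- Accept only logins present in personnel: an unknown login fails
    -- closed instead of silently seeing every row.
    SELECT logon_name INTO v_login
      FROM personnel
     WHERE logon_name = UPPER(TRIM(p_login));
    DBMS_SESSION.SET_CONTEXT('report_ctx', 'login', v_login);
  EXCEPTION
    WHEN NO_DATA_FOUND THEN
      RAISE_APPLICATION_ERROR(-20001, 'No personnel record for this login');
  END set_user;
END report_sec;
/

-- Report sessions query this view, never the base table, so the filter is
-- applied before any row leaves the database. Joining on district or
-- region instead of station widens the scope exactly as Kevin describes.
CREATE OR REPLACE VIEW activity_v AS
SELECT a.activity_id, a.station, a.district, a.region, a.description
  FROM activity a
  JOIN personnel p ON p.station = a.station
 WHERE p.logon_name = SYS_CONTEXT('report_ctx', 'login');

-- The reporting connection gets the view and the package, not the table.
GRANT SELECT  ON activity_v TO report_user;
GRANT EXECUTE ON report_sec TO report_user;

-- Typical session: set the context, then read through the view.
BEGIN
  report_sec.set_user('kevin');
END;
/
SELECT activity_id, description FROM activity_v;
```

With the constructed rows, the final query returns only activity 1 (station NORTH-1). A session that never calls report_sec.set_user gets no rows at all, because SYS_CONTEXT returns NULL for an unset attribute and NULL never equals a logon_name; that is the fail-closed property that distinguishes this from filtering after the data has been fetched.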

Similar Messages

  • How to apply row level security against the database administrator

I would like advice on applying row-level security against the database administrator. We need to prevent the DBA from editing data in some table rows, or at least have an indication that the data was corrupted.
There is no problem in viewing the data, so we considered a one-way hash function or a digital signature which will be stored in the same table, but we see the following disadvantages:
HASH - the DBA may use the same hash function to update the stored data after he changes the sensitive row.
Digital signature - there is a need to manage and keep the private key in a safe place outside of the DB.
Are there additional ways to achieve the aim?

> Does VPD help to prevent a DBA from editing/viewing data in specific rows?
Yes.
> If I correctly understand, the DBA has full access to the security policy used by VPD to control access and can grant himself privileges that I don't want.
You can define which users are exempt from the policies, via the context or by granting EXEMPT.
This includes DBAs.
The simple fact of being a DBA doesn't guarantee the exemption.
Everything depends on the VPD config.
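The point of the reply is that VPD enforcement does not depend on the DBA role; it depends on who is exempt from the policy. The following added example (not code from the thread) shows a VPD policy that filters the base table regardless of how it is reached, followed by the query a defender runs to see exactly which accounts bypass it. Oracle syntax; the schema REPORT_OWNER, the tables personnel and activity and the sample rows are assumptions constructed for the example.

```sql
-- Added example (not from the thread): a VPD policy enforced on the table
-- itself, plus the check for who is exempt from it. Oracle syntax; the
-- schema REPORT_OWNER and the two tables are assumptions; rows are
-- constructed sample data.

CREATE TABLE personnel (
  logon_name VARCHAR2(30) PRIMARY KEY,
  station    VARCHAR2(30) NOT NULL
);
CREATE TABLE activity (
  activity_id NUMBER PRIMARY KEY,
  station     VARCHAR2(30) NOT NULL,
  description VARCHAR2(200)
);
INSERT INTO personnel VALUES ('KEVIN', 'NORTH-1');
INSERT INTO activity  VALUES (1, 'NORTH-1', 'Site visit');
INSERT INTO activity  VALUES (2, 'SOUTH-2', 'Audit');
COMMIT;

-- Policy function: Oracle calls it for each statement on the protected
-- table and appends the returned predicate to the WHERE clause. Keying on
-- the connected database user (USERENV/SESSION_USER) means nothing the
-- client sends can change whose rows are visible.
CREATE OR REPLACE FUNCTION activity_policy(
  p_schema IN VARCHAR2, p_object IN VARCHAR2) RETURN VARCHAR2 AS
BEGIN
  RETURN 'station IN (SELECT station FROM report_owner.personnel '
      || 'WHERE logon_name = SYS_CONTEXT(''USERENV'', ''SESSION_USER''))';
END activity_policy;
/

BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'REPORT_OWNER',
    object_name     => 'ACTIVITY',
    policy_name     => 'ACTIVITY_BY_STATION',
    function_schema => 'REPORT_OWNER',
    policy_function => 'ACTIVITY_POLICY',
    statement_types => 'SELECT,INSERT,UPDATE,DELETE',
    -- also reject INSERT/UPDATE that would leave a row outside the
    -- user's own scope
    update_check    => TRUE);
END;
/

-- Defender's check: every account listed here bypasses all VPD policies.
-- SYS is always exempt; anyone else shown holds EXEMPT ACCESS POLICY and
-- sits outside the "row-level security against the DBA" goal, whatever
-- role name they carry.
SELECT grantee
  FROM dba_sys_privs
 WHERE privilege = 'EXEMPT ACCESS POLICY';
```

Two caveats worth knowing before relying on this. First, the table owner is not exempt: once the policy is enabled, even REPORT_OWNER only sees rows matching its own personnel entry (none, with the rows above), so application code must run as an account that has a personnel row. Second, this predicate assumes each person connects with their own database account; where a reporting tool uses one shared connection and passes the login name to a ConnectInit procedure, the predicate would reference the application context that procedure sets rather than SESSION_USER, and the same exemption check still applies.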

  • Row level access at the Group level assignments

I know the concept of ROW LEVEL security or "Access Restrictions" but I haven't really implemented it before.
1. Create a row-level security restriction from the BO UNIVERSE designer from TOOLS > MANAGE SECURITY > MANAGER ACCESS RESTRICTIONS.
         RESTRICTION-EMPLOYEE (if the user is available in the table then only display the results)
         In the where clause Employees.Employee_Name = @Variable('BOUSER'); here the BO user is always at the user-level ID.
2. Then assign the above restriction to the USER or GROUP.
The question I have: if I assign the restriction at the GROUP level, will this condition be applied to all users under that group? Do I need to do anything else?
Please confirm.

Those are two different things you are talking about here:
1) @Variable('BOUSER') is a placeholder that is replaced during runtime with the ID of the user who is running the report accessing your universe. Adding this expression somewhere in your universe (it does not necessarily have to be the where clause of an access restriction) will mean that the generated SQL statement will contain the user ID at the related place.
2) Access restrictions: You can set up access restrictions for users or even groups. If you set those for groups then the restriction will be applied to ALL users who are members of this group, when they run a report that uses your universe. If a specific user belongs to 2 different groups for which universe restrictions are applied, then the conflict will be resolved according to the settings in your universe. Access restrictions can be used to change the where clause of the generated statements but also for using different credentials to connect to the database (based on the group) and/or a different set of parameters, e.g. the maximum number of rows fetched by the universe can vary among different groups.
    Hope this helps.
    Regards,
    Stratos

  • Row level security at universe design level

    Hi,
I am creating a Universe layer on top of a non-SAP OLAP cube (from MS Analysis Services 2005).
My concern is whether we can maintain row-level or data-level security at the universe design level, or, if I am using that universe to create a WEBI report, whether there is any possibility to maintain this security at the WEBI level.
    Regards,
    Mishra Vibhav.

Thanks for the reply.
Much appreciated.
My only concern is that I read in the Universe Designer developer guide that it does the row-level security, so can you elaborate a bit about how we maintain it at the Universe level?
Warm Regards,
    Mishra Vibhav

  • Updates to the table from the database level.

    Hi Dear All,
If we do some updates to the table at the Database Level, like when I deleted some records from the table at the Oracle level, I'm still able to see the same deleted records from the Data Dictionary (SE11) at the application level.
Can you please explain the mechanism: how is this possible and why?
    best regards
    Mahesh

    transparent tables store data directly....if you delete some data from transparent tables, the same is reflected in the database (oracle) but the reverse is not true...if you modify the database table contents directly...the dictionary table remains intact...
    transparent tables have a one-to-one relationship with the database tables....
    hope that clarifies a bit....
    (somebody correct me if i am horribly wrong)

  • User defined tables:  amending Index on the database level. Opinions???

    Hi everybody who has some spare time to read my stuff
I had a problem that some of you might have had. I have a user defined table, let's call it ProductTypes. Now the system by default creates two columns in this table, one is Code (primary key) and another is Name (Index). I have added a third column called Department. Now, if I wanted to add the following data (see below) to the table I would have had a constraint violation message pointing out that I have problems with indexing.
    Code, Name, Department
    1, Cream, Fragrances
    2, Cream, Beauty Products
          ^^
I could think of a couple of workarounds for this problem
1. Is to duplicate Code into Name and store the rest of the data using user columns
    Code, Name, Product Name, Department
    1, 1,Cream, Fragrances
    2, 2, Cream, Beauty Products
This approach isn't very convenient as it requires UI development should we decide to attach this table to the Item master data form in the form of a combo box.
2. Is to amend the Index on the database level. Initially, the index KProductTypes_Name consisted of only one column, Name; what I have done is added another column, Code, to the index. I don't see how this can harm database consistency or damage the core system. Please correct me if I am wrong.
Another way of amending the index in order to solve my problem could be choosing the "ignore duplicate values" option for column Name.
    Please let me know what are your thoughts.
    Best wishes

    > Why don't you try adding a trigger 'instead of
    > insert' where code = max(code)1 and name=max(name)1
    > and use only user columns for your data. This
    > provided you know SQL basics.
    in this scenario we would have to do UI SDK development for the output and going to have an extra column with meaningless data in it.

  • Insert multiple rows of records into the database

The code below allows me to insert a row of records into the database. How would I change this to insert multiple rows at once? Please help!
// Four '?' placeholders, one per column; the sql string was cut off in the post
String sql = "INSERT INTO EMPLOYEES" +
    " (First_Name, Last_Name, Title, Phone) " +
    " VALUES (?, ?, ?, ?)";
PreparedStatement statement = conn.prepareStatement(sql);
statement.setObject(1, First_Name);
statement.setObject(2, Last_Name);
statement.setObject(3, Title);
statement.setObject(4, Phone);
boolean returnValue = statement.execute();

    Hi mystiqueX,
    As wmolosho has suggested in his answer to this very same question that you also posted to the JavaServer Pages forum, you can create a batch of inserts and perform them using the "executeBatch()" method. I will use Craig's sample code to demonstrate:
    (Note that this code is untested!)
conn.setAutoCommit(false);          // one transaction for the whole batch
PreparedStatement statement = conn.prepareStatement(sql);
// assume you have an array of objects here
for (int i = 0; i < data.length; i++) {
  statement.setString(1, data[i].getFirstName());
  statement.setString(2, data[i].getLastName());
  statement.setString(3, data[i].getTitle());
  statement.setString(4, data[i].getPhone());
  statement.addBatch();             // queue this row; nothing is sent yet
}
statement.executeBatch();           // send every queued row to the database
conn.commit();
If you are not familiar with it, allow me to suggest looking at the Making Batch Updates lesson in the Java Tutorial.
    Hope it helps.
    Good Luck,
    Avi.

  • Column masking row level security in Peoplesoft Databases

    Hi
How about the credibility of using VPD (for column masking, row-level security) in PeopleSoft databases, where the sensitive data is redundant across hundreds of tables?
My intention is to use VPD across all the tables that contain the sensitive data (SSN, bank account no., etc.).
    Appreciate your help.
    Chelli

    Hi.
I also have a problem like yours, but mine is simpler.
I tried to solve it, and found that it's really hard and takes a lot of time, because some tables have 2, 3 or more derived pieces of information, so using VPD is not easy.
Can I ask for any approach to solving a problem like this?
    Thanks for any answer and support.
    Thinhbk.

  • Enable single item recovery with two retention settings at the database level.

    Hello All,
We have an Exchange 2010 SP3 RU4 environment and are planning on moving from a third party archive solution to native Exchange archives for cost reduction purposes; upgrading to Exchange 2013 to benefit from added in-place features is not within scope at this stage.
    We are looking at implementing the following steps and want to know if it will work:
    1-Create archive DB(s) as per our usage and growth projections
    2-Enable archives for all our users and migrate current archive content to it.
    3-Create Retention Tag/Policy to move all records from live to archive "Age limit for retention" 90 days (no retention tags on the policy)
    4-Enable Single Item recovery for all of our users (script the same to run twice daily to enable SIR for newly created accounts)
    5-Set the "Keep Deleted Items" on the Live DB(s) to 90 days and the Archive DB(s) to 7 Years
    6-We are NOT using Legal Hold or plan to use it except on per as need basis
    Are we accomplishing the following:
    1-Items are automatically archived after 90 days
    2-Items archived now have a 7year retention based on the "keep deleted items" set for the archive DB(s)
    3-Items copied back to the live mailbox by a user will be returned to the archive database the next time the folder assistant runs against this user account (based on load or if run manually)
4-Hard deleted items by a user are recoverable as long as the email record is within the retention period set at the database where it resides.
    5-Hard deleted items are recoverable using MFCMapi or by a restore.
    6-Items are permanently purged on the archive DB(s) after 7 years.
    Any input, ideas, recommendations, clarifications would be greatly valued and appreciated.  
    Ash

    Thanks CodexCZ,
So, SIR will "kind of" do the same as the retention tag except I can use different durations based on the limits on each DB? Am I correct?
    thanks again.
    Ash

  • Screen Level Security for the Material Master

    We need to create security for the material master by screen views. The Purchasing group needs to be able to change the Purchasing and MRP screens but none of the other screens. How would we accomplish this with SAP security?
    Thanks!

    Janet,
    It is hard for us to know how your authorization profiles or roles are constructed.  You really should consult your local authorization expert.
    The Authorization object you are looking for is M_MATE_STA.  It is probably contained in at least one of your Roles or Profiles that are currently assigned to your MM maintenance people. At a minimum, it should exist in standard SAP profile M_MATE_ALL in your system.  You can review all of these types of authorization info in the User Information System (transaction SUIM).
    You would have to create roles or profiles that narrowly define the "User department" fields for M_MATE_STA object.  You would also have to search for existing roles/profiles that contain "*" in this field, and determine if these entries are still appropriate in your new authorization business process you want to begin.
    Below is the SAP help about this authorization object
    M_MATE_STA
    Definition
    Maintenance status authorization for material master records
    The data contained in a material master record is divided into user departments or views (Purchasing, MRP, and so on). The maintenance status is a single-character key for the relevant user department or view.
    This object determines which user departments or views a user is authorized to process; that is, which data he or she may process from this view.
Note
    To use material master functions, a user needs the authorization for at least one user department.
    Defined Fields
Fields    Possible values    Meaning
ACTVT     01                 User may create data.
          02                 User may change data.
          03                 User may display data.
          06                 User may flag data for deletion.
          08                 User may display change documents.
STATM                        Here, you specify the maintenance status for which the user is authorized.
    The maintenance statuses possible are as follows:
    User department                Maintenance status
    Work scheduling                   A
    Accounting                        B
    Classification                    C
    MRP                               D
    Purchasing                        E
    Production resources/tools        F
    Costing                           G
    Basic data                        K
    Storage                           L
    Forecasting                       P
    Quality management                Q
    Warehouse management              S
    Sales                             V
    Plant stocks                      X
    Storage location stocks           Z
    Notes
    This authorization object also determines:
    o   Whether a user may flag a material master record for deletion. In this case, 06 must be entered in field ACTVT; the maintenance status is irrelevant here.
    o   Whether a user may change the material type. In this case, 02 must be entered in field ACTVT; the maintenance status is irrelevant here.
    o   Whether a user may process an MRP profile or forecast profile. In this case, the following values must be entered in field ACTVT:
    -   01 to create
    -   02 to change or delete
    -   03 to display
    The maintenance status must be D for the MRP profile or P for the forecast profile.
    o   Whether a user may create an overview of all extendable materials. In this case, 01 must be entered in field ACTVT; the maintenance status is irrelevant here.
    o   Whether a user may call up the materials list. In this case, 03 must be entered in field ACTVT; the maintenance status is irrelevant here.
    o   Whether a user may create or change production versions from task lists. In this case, 02 must be entered in field ACTVT, and A in field STATM.
    Rgds,
    DB49

  • How can I delete a row in access using the database toolkit?

    I want to delete just one row of a access table using the database toolkit. Can it be done and if so How?

Take a look at page A-1 of the database connectivity manual. It has information on making a SQL query that will delete. You will need to use this command with the dbtools execute query function. Look in the shipping examples for an example with this function.

  • How to include non-joining records from level one in the lowest level?

As an example, the dimension has three levels with data coming from three source tables. The relationships between these tables are zero to many. As a result of this, e.g., there are records at the first level that do not join to the second table for level two, i.e. there is a customer entry but the customer has not acquired any products. However, we would like to see in the query for the lowest level also the customers that didn't acquire any products. They are there when there is no filter for the lowest level, but that returns duplicate data. I was hoping I could accomplish this by using outer joins when loading the dimension, but it loads the same as without the outer joins. Hopefully, this trivialized example describes what I am trying to accomplish.

    You won't be able to have a true "default" value in the various cascading levels, since there aren't default values in a dynamic cascading parameter.  That being said, I've created a sample report in Crystal Reports 2008 that has a Command-driven DCP with '*' values for the 2nd and 3rd levels of my 3-tier DCP and have accounted for them in the record selection criteria.  You can find the sample here at https://www.box.net/shared/mav5qp337j

  • Task level data at the Project level?

    Hi all,
I have a custom date field in Project 2010 that is populated with the task finish date if certain text is displayed in the task name.
    Essentially this task is connected within Project Server to an external 'deliverable'.
    I need to grab this date and have it at the Project  Information level - is this possible?
    Even using Enterprise flags, I still could not obtain the task date at a Project level.
    Any thoughts much appreciated.
    -CL

    Rob,
    Maybe my latest post on this need may be of interest. How to show Implementation Milestone Dates in Project Center. #msproject
    http://aboutmsproject.com/how-to-show-implementation-milestone-dates-in-project-center/  I'm able to use formulas to bring task data up to the Project level.
    Treb Gatte, Project MVP |
    http://AboutMSProject.com |
    @tumbleroad

• Revision Level Field at the Header Level

    Hi,
    I want to see the revision level field in SUS at the header level(Am able to see it at the item level)
    Please let me know how to view the same at the header level.
    Best regards,
    Manu

    Hi All,
    Could anyone please provide some insight?
Is there any user exit that I could use, or will I have to develop a call transaction to edit the PR and change the revision level??
    Regards
    Deepak

  • Security in essbase at the database level

I need to edit users' ability to access various databases within an application in Essbase. The user has been provisioned in Shared Services to the app, but it appears that to further restrict particular databases, that has to be done in Essbase. Right? I apparently don't have that "role" assigned to me. What is that "role" that I need to have assigned to me?

    Hi
It sounds like you need to create specific Essbase security filters. These are created in Essbase and can then either be assigned to users in Essbase or via Shared Services. Filters are specific to databases, so you can have different access to different databases, or none at all to some.
    Take a look at the Essbase database administrators guide.
    Hope this helps
    Stuart
