Row level security at universe design level

Similar Messages

• Row Level Security from Universe to BOBJ Explorer Information Space

  Hi Experts,
               We have got a Universe using Sql Server Database and had designed Row Level Security to restrict managers data only to manager who ever log on (@BOUSER), Directors data based on who ever log on(@BOUSER).......
            The above logic is working fine when designing Webi / Deski reports but when I create a BOBJ Explorer Infospace , I log on with my profile as Manager which brings me data relevant to me only, but when other Manager log on to Polestar and use same Infospace the @BOUSER security is not working to bring his own data and it is showin my manager id data to other manager.
      Requirement:  1 Infospace for Managers  and 1 Infosapce for Director's.
                             who ever logon's and uses same infospace from manager's group or Director's group they should see only
                              their data and not aother manager / director data.
  Thanks,
  Raju

  THis is a known issue. Should be solved in BO Explorer XI 3.1 SP2.
  Check SAP note 1365329 (http://service.sap.com/notes)
  Regards,
  Stratos

• Row Level security in OLAP universe

  Hi,
  We have a OLAP universe based on a BeX query and we are planning to implement the row level security on it.
  As it is not possible to use the normal @BOUSER in the OLAP universe, what is the way to implement the same?
  Is it possible to have it in the BeX query itself? Any thoughts on this please.
  indus

  Hi,
  right now you can not implement row level security in an OLAP Universe, you need to setup BI Authorizations and use Authorization variables in the query.
  Ingo

• Universe row level security workiing in main report but not subreports

  I have a report with a couple of sub reports that are running against a universe with row level security. The security works in the main report but when the sub reports run, the security is missing. The report is running through BOE, CR XI R2. Is there something Im missing...? Being new to BOE...

  Hi Michael,
  I am sure the Sub-report is also based on Universe.
  Try to create query with atleast one object/column coming from table on which row level security is applied in universe.
  Hope this will solve the problem.
  Thanks,
  Sushil

• How to implement row level secuirty at universe level

  Hi All
  How can we implement row level security in universe ?
  John

  HI,
  Can we try this?
  Open designer >>tools>>Manage security>Manage access retrictions
  Click on "new" under available restrictions area .
  Select "rows" tab click add select the table and an appropriate where condition.
  Click ok .
  Add a user\group on which the retriction is to be imposed Click Ok.
  Hope this will help
  Kultar

• SAP Lumira - Implementing row level security

  Hi All,
  I aware that SAP Lumira 1.17 onward allows to share the datasets, stories to SAP Lumira Server as well as SAP BI Platform (4.1 SP3 onward).
  But I would like to know if there is any way of implementing Row level security for this published contents i.e. datasets or stories. e.g. If user A (may be an administrator with access to all the regions) creates dataset and story and shares it with other users over SAP Lumira Server or SAP BI Platform. But when user B accesses these contents on any platform, SAP Lumira server or SAP BI Platform, he should be able to see data only as per his access (his own region). Can something of this sort be implemented?
  Thanks,
  Abhijit

  Hi,
  Sorry for the delay in getting back to you.
  As per my understanding - as of today, we respect Row-level security when acquiring (fetching) the data from universe into Lumira desktop (also, contexts and business-security profiles i.e. columns)
  now, when that desktop user has 'designed' the Lumira document, all of the above: row-level, contexts and security profiles  are 'locked-down' into that artefact when shared onwards. (i.e. to Lum Server and hence, BI Platform)
  once this content is being access from the BI Launchpad, refresh-on-demand is possible from the story, as well as scheduling of dataset on which it is based.
  According this blog by Greg Wcislo (the product owner for the Add-on)  Lumira integration for BI4 functionality detailed. note that features such as 'refresh on open' and 'changing design-time parameters' (i.e. prompts) are not yet supported,  but very much in future scope / plans.
  I believe that one of the other mid-term goals is to architect a 'Lumira server-side universe refresh' (i.e. so that the processing is handled 100% by Lumira server) rather than querying across BIPlatform services then replicating a dataset to HANA (which is currently the process flow)
  I hope this helps.
  Regards,
  H

• How to set up row-level data security in BO XI r2

  I need to get Data/Row level security into my BO XI r2 report.
  A logged in user should be able to view info on pertaining to him without refreshing it.
  how do i incorporate this feature into my report?
  its possible to do this by setting a filter using the currentuser() function.
  however it requires a refresh of the report.
  hence the new user shall be able to view the data of the previous user. i need to enforce more security on the data. How do i do this???

  Hi Anamika, here is a sample of what the cv_security view might look like:
  create or replace view cv_security
  as
  select distinct sec."gid", sec."uid", sec."from", sec."to"
  from
  -- All users where NO LIMITS APPLY (sg.group = 1)
  (select distinct
  sg.group_id as "gid",
  sg.user as "uid",
  '----' as "from",
  'ZZZZ' as "to"
  from dual sr, sec_groups sg, sec_users su
  where su.user(+) = sg.user
  and su.status = 1
  and sg.coding = 'GL'
  and sg.group = 1
  union all
  --All users with specified sec_ranges
  select distinct
  sg.group_id as "gid",
  sg.user as "uid",
  case when sr.from is NULL
  then ' '
  else sr.from
  end as "from",
  case when sr.to is NULL
  then ' '
  else sr.to
  end as "to"
  from sec_ranges sr, sec_groups sg. sec_users su
  where su.user(+) = sg.user
  and su.status = 1
  and sg.coding = 'GL'
  and sg.group_id(+) = sr.group_id) sec
  grant select on cv_security to ROLENAME
  Notes about cv_security:
  1) For those users with NO LIMITS APPLY (i.e. Admin staff) hard code an absolute range of RC codes from '----' to 'ZZZZ' to ensure you trap all possible alpha-numeric values.
  2) For those users with NO LIMITS APPLY (i.e. Admin staff) substitute the sec_ranges table with dual
  3) su.status = 1 to a filter to report on only active users
  4) sg.coding = 'GL' is assessing the General Ledger coding dimension of the multi-dimensioned security matrix of our Financial system (this may not apply to you)
  Responses to your questions:
  Q- Does it involve self join between view cv_secured_detail? A- Yes, the 1:N cardinality is a self join between view cv_secured_detail and itself.
  Q- What is the difference between steps 3) and a) below it. A- Step 3a) is simply the act of importing the cv_secured_detail Oracle View as a BO Universe Class, with it's columns known to the BO Universe as Objects
  Q- Can the tables from which report data is fetched be included in the Universe? or should they be part of cv_secured_detail view.
  A- I'm not sure if I understand your question, but I might phrase it another way - Once you create the cv_secured_detail view, and the Universe from this view, with the user = 'BOUSER' limiter. The universe is then used to design the CR, by virtue of it belonging to the CMS Repository, you as the report designer have to log into the CMS repository using your LDAP credentials, if a match is found against the cv_security view your data is automatically row-level secured. In outher words, whatever is declared in the view, is in the universe, and is ultimately available to the report.
  Does this help?
  Bill.

• Row-level security tied to a user account.

  Bear with me, I'm not quite sure I know what I'm talking about.
  Recently we migrated from BO 5.1.7 to BO XII r2 on Solaris. Under Bo 5.1.7 our Finance users tell me there was a way to attach row level security to the account itself. For example, Finance users could only access RU's which belonged to Finance. This there a way to recreate this global security level so that we don't have to do it on a case-by-case basis?
  Thank you in advance.

  You can specify row-level security for a User or UserGroup on a Universe via the Universe Designer in Tools -> Manage Security
  But that would be per Universe, and not global to Enterprise.
  Sincerely,
  Ted Ueda

• Row  level security in dashboard

  Hello Experts,
  We have a scenario where in my dev team is designing dashboard based on SAP BW (bex query) via OLAP universe -> Webi reports ->  Xcelsius. We need to implement data security(row level) in the dashboard i.e : The user when he sees the dashboard, should see data w.r.t only to his context.
  What are the different possible ways to handle such a situation?
  Can we use Xcelsius publishing plug in?
  Cheers,
  AK

  Hi Ingo,
  Thanks for your reply.
  So Xcelusis publishing plug in will not solve my problem right?  & I need to have BI authorizations defined in SAP system?
  I am having tough time convincing my customer about this.
  Thanks
  Cheers,
  AK

• SAP-BO SSO and Row Level Security

  Hi,
  We can configure the SAP authentication and able to login InfoView via SAP user name and password. And also, we can import the roles from the SAP system.
  When we create a connection to BW cubes from designer, we want to use "Use Single Sign On when refreshing reports at view time" to apply row-level security which is defined at the BW cubes.
  In our tests, we use "Use BusinessObjects credential mapping" while creating connection from designer to test the row level security. As you can guess, after importing the SAP user, in CMC screen > Users and Groups > Users, we manually enter the password of the user to the Database credentials part. However, as you can guess, the password of the user's is not static and that is not a good solution.
  My question is that, do I need to configure SSO between SAP and BO system or how can I enable row level security?
  System Information
  Business Objects XI 3.1
  SAP Intg. Kit 3.1
  Thanks a lot,
  Omer

  Hi Omer,
  please note that only row-level security implemented through authorization variables in BW queries can be used in BusinessObjects. Row-level security defined at cube level will not be applied.
  As long as you have used the SAP authentication to log on your BOBJ server, the SAP credentials will be used automatically to get the data from your SAP BW source as long as the "Use Single Sign On when refreshing reports at view time" option  is selected in the Database configuration panel (Found in the CMC when viewing the properties of your report) and the option "Use BusinessObjects credential mapping" is selected in your universe connection.
  Please note that this will only work for reports that are invoked directly in the infoview. If a user schedules such a report, she/he has to enter her/his SAP credentials explicitely in the Database Configuration Panel appearing in the scheduling assistant window. In this case you can activate SNC trust between your two servers in order to avoid entering a password when the report is scheduled.
  Regards,
  Stratos
  Edited by: Efstratios Karaivazoglou on May 5, 2009 10:16 AM
  Edited by: Efstratios Karaivazoglou on May 5, 2009 10:23 AM

• Row Level Security not working for SAP R/3

  Hi Guys
  We have an environment where the details are as mentioned below:
  1. Crystal Reports are created using Open SQL driver to extract data from SAP R/3 using the SAP Integration Kit.
  2. The SAP roles are imported in Business Objects CMC.
  3. Crystal Reports are published on the Enterprise as well.
  3. Authorization objects are created in SAP R/3 and added as required for the row level security as mentioned in the SAP Installation guide as well. The aim is when the user logs into the Infoview and refreshes the report he should only see data that he is meant to so through the authorization objects.The data security works very much fine when the reports are designed directly on the table but when the reports are built on the Business View it doesnt work hence the user is able to see all data.
  Any help in this issue is greatly appreciated.
  Thanks and Regards
  Kamal

  Hi,
  In order for row level security to work for you using the OpenSql driver, you need to configure the Security Definition Editor on your SAP server.  This is a server side tool which the Integration solution for SAP offers as a transport.
  This tool defined which tables are to be restricted based on authorizations.
  However since you are seeing the issue on reports based on Business Views, you need to identify whether the Business View is configured in such a way where the user refreshing the report is based on the user logging into Infoview.  If the connection to your SAP server is always established with the same user when BV is used then you security definition is pointless.
  You can confirm this by tracing your SAP server to identify what user is being used to logon to SAP to refresh the reports.
  thanks
  Mike

• Implement row-level security using Oracleu2019s Virtual Private Databases (VPD)

  Environment: Business Objects XI R2; Oracle 10g
  Functional Requirement:
  Implement row-level security using Oracleu2019s Virtual Private Databases (VPD) technology. The restriction is that the Business Objects Universe connection should use a generic/u201Capplicationu201D database user account. This will allow the organization to avoid the situation where the Business Objects password and the Oracle password need to be kept in synch.
  What do we need from the Business Objects support team?
  1.     Review the 2 attempted solutions that we have tried to implement
  2.     Propose solutions/answers to open questions for each of the attempted solutions
  3.     Propose any alternate solution that will help us implement the Function Requirement stated above
  Attempted Solution 1: Connection String uses Oracle Proxy User
  The connection string that is specified in the Universe is the following:
  app_user[end_user]/app_user_pwdarrobaDatabase.WORLD
  app_user = generic application user
  end_user = the oracle account of the end user which is set using arrobaVariable('BOUSER') app_user_pwd = password of the generic application user
  We have tried and implemented this in our test environment. However, we have some questions and concerns around how the connections are reused in a connection pool environment.
  Open Question for Solution 1:
  i. What happens when multiple proxy users try to connect on at the same time?  Business Objects shares the generic app_user connect string.  However, every user that logs on will have their own unique proxy user credentials.  Will there be any contention involved?  If so, what kind of errors can we expect?
  ii. If a user logs on using his credentials (proxy user), and business objects opens up a connection to the database using that user's credentials (as the proxy user but logging in through the generic app user). Then the user exits out --> based on our test today, it seems like the database connection remains open.  In that case, if another user logs on similarly with their credentials, will business objects simply assign the first users connection to that second user?  If so, then our security will not work.  Is there a way that Business Objects can somehow ensure that everytime we close a report, the connection is also terminated both at the BO and DB levels?
  iii. Our 3rd question is general high level -> How connection pooling works in general and how it is implemented in BO, i.e. how are new connections assigned, how are they recycled, how are they closed, etc.
  Attempted Solution 2: Using the ConnectInit parameter
  Reading through a couple of the Business Objects documents, it states that u201CUsing the ConnectInit parameter it is possible to send commands to the database when opening the session which can be used to set database specific parameters used for optimization.u201D
  Therefore, we tried to set the parameter in the Universe using several different options:
  ConnectInit = BEGIN SYSTEM.prc_logon('arrobaVARIABLE('BOUSER')'); COMMIT; END; ConnectInit = BEGIN DBMS_SESSION.SET_IDENTIFIER('arrobaVariable('BOUSER')'); COMMIT; END;
  Neither of the above iterations or any variation of that seemed to work. It seems that the variable is not being set or being u201Cexecutedu201D on the database.
  One of the Business Objects documents had stated that Patch ID 38, 977, 350 must be installed in our BO environments. We have verified that this patch has been applied on our system.
  Open Questions for Solution 2:
  How do we get the parameter ConnectInit to work? i.e. what is the proper syntax to enter and what other things do we need to check to get this to work.
  Note: Arroba word is being used instead of the symbol in order to avoid following error message:
  We are sorry but your message can not be posted since you have included an email address. Please remove the email address and re-post.

  the connectinit setting should look something like this:
  declare a date; begin vpd_setup('@VARIABLE('BOUSER')'); Commit; end;
  The vpd_setup procedure (in Oracle) should look like this:
  CREATE OR REPLACE procedure vpd_setup (p_user varchar)IS
  BEGIN
    DBMS_SESSION.set_vpd( 'SESSION_VALUES', 'USERID', p_user );
  END vpd_setup;
  Then you can retrieve the value of the context variable in your vpd functions
  and set the vpd.

• Row Level Security using BO SDK - Dynamic Group and Criteria (where clauses)

  To the Universe Gurus out there:
  I have a rather daunting task of implementing a Row Level Security on a number of tables within our project using BO XI R2 SP2 with SQLServer 2005. Given the nature of the requirements around this (listed below), I am going to go with BO SDK to accomplish the creation of Restrictions. That said, I need some insight into some of the problem areas I have listed below. Any help is much appreciated.
  Background:
  We have 11 tables that are to be restricted.
  Each table is accessible to potentially 1..* group of users only.
  For eg SALES is accessible to ALL_SALES members only.
  Each row within each table is accessible to 1..* groups of users only. The restriction will occur on 2 columns Jurisdiction and LineID on SALES table.
  For eg
  1)Rows with NY Jurisdiction and LineID=123 are accessible to NY_SALES_ADMIN group only initially.
  2)NY_ADMIN will then approve that the above rows be open to NY_SALES_INTERNAL group only. This approval in turn will call upon the BO SDK to add a new restriction for the group with appropriate where clause.
  3)At a later point, the above rows will be opened to NY_SALES_EXTERNAL group also.
  This same concept holds good a number of jurisdiction (more or less static) and a dynamic number of LineIDs. So, if 10000 rows of data corresponding to new LineID 999 and Jurisdiction AK are in the table now, they are initially accessible only to AK_SALES_ADMIN group only. No one else should be able to access it.
  Results:
  1) With the way I laid out the business rules above, I am ending up with 528 groups.
  2) There is a restriction created for a unique combination of Jurisdiction and LineID for each table.
  Problems/Questions:
  How can I restrict access to the new rows to one group only. I know that I can let a certain group only look at certain data but how can I restrict that all others cannot look at the same.
  AK_SALES_ADMIN can look at LineID=999 and Jurisdiction='AK'.
  Do I use an Everyone group based restriction? If so, my Everyone group will end up with tons of restrictions. How will they be resolved in terms of priority.
  Am I even thinking of this the right way or is there a more noble way to do this?
  Regards

  the connectinit setting should look something like this:
  declare a date; begin vpd_setup('@VARIABLE('BOUSER')'); Commit; end;
  The vpd_setup procedure (in Oracle) should look like this:
  CREATE OR REPLACE procedure vpd_setup (p_user varchar)IS
  BEGIN
    DBMS_SESSION.set_vpd( 'SESSION_VALUES', 'USERID', p_user );
  END vpd_setup;
  Then you can retrieve the value of the context variable in your vpd functions
  and set the vpd.

• How to implement Bursting(Row level security) in Xcelsius

  Hi,
  We are using Xcelsius 2008. We have created xcelsius dashboard using Qaaws but for authentication in qaaws we are suing enterprise authentication and default user.
  Now in my dashboard i have one combo box wich gives data fro diffrent states, now i need to restrict the user to see the state values. I implement the row level security in universe, when i create webi report and view that reprot in infoview, the row level security works. But when i publish the dashboard to infoview the row level security doesn't work.
  We are uisng XO 3.1 with SSO on IIS. So how and what are the diffrent option available to implement the row level security in Xcelsius Dashboard.
  Thanks for the help in advance.
  Thanks,
  Nimesh.

  Nimesh,
  Were you able to implement ? I have a requirement to use the same dashboard for 5 regional users.
  Row level security works.
  combo box intial value is Global , when I login as North America user, combo still shows Global but it will have the value of North America.
  i am curious to know how you implemeted this?
  Thanks
  Pushpa

• How to enforce row level security on MSAS Cube

  We have to enforce row level security on MSAS Cube based on BOUSER.
  We are using a security table which contains BOUSER ID and Location ID
  We need help in joining the security table with MSAS Cube.
  Thanks

  HI,
  I haven't worked with cubes. But the will the knowledge I have in Universe, could probably help you.
  As you already have a table which maintains BOUSERID and location id, you could probably join location id with MSAS cube id.
  If you don't want to use this userdefined security table, you can use the inbuilt Row level security option.
  Go to Tools -> Manage access REstrcitions --> Create a new restriction --> Rows tabe ---> give a expression with BOUSER
  Hope this helps.