Row Level Security from Universe to BOBJ Explorer Information Space

Similar Messages

• Row level security at universe design level

  Hi,
  I am creating a Universe layer on top of non SAP OLAP cube ( from MS Analysis Services 2005 ) .
  My concern is that can we maintain the row level or data level security at universe design level or if i am using that universe in creation of WEBI report so is there any possiblity to maintain this security at WEBI level.
  Regards,
  Mishra Vibhav.

  Thanks for the reply.
  Much Appriciated.
  My only concern is that i read in the Universe Designer developer guide that it does the row level security so can eloborate a bit about how we maintain at Universe level.
  Warm Regrads,
  Mishra Vibhav

• How to implement row level secuirty at universe level

  Hi All
  How can we implement row level security in universe ?
  John

  HI,
  Can we try this?
  Open designer >>tools>>Manage security>Manage access retrictions
  Click on "new" under available restrictions area .
  Select "rows" tab click add select the table and an appropriate where condition.
  Click ok .
  Add a user\group on which the retriction is to be imposed Click Ok.
  Hope this will help
  Kultar

• How to implement Bursting(Row level security) in Xcelsius

  Hi,
  We are using Xcelsius 2008. We have created xcelsius dashboard using Qaaws but for authentication in qaaws we are suing enterprise authentication and default user.
  Now in my dashboard i have one combo box wich gives data fro diffrent states, now i need to restrict the user to see the state values. I implement the row level security in universe, when i create webi report and view that reprot in infoview, the row level security works. But when i publish the dashboard to infoview the row level security doesn't work.
  We are uisng XO 3.1 with SSO on IIS. So how and what are the diffrent option available to implement the row level security in Xcelsius Dashboard.
  Thanks for the help in advance.
  Thanks,
  Nimesh.

  Nimesh,
  Were you able to implement ? I have a requirement to use the same dashboard for 5 regional users.
  Row level security works.
  combo box intial value is Global , when I login as North America user, combo still shows Global but it will have the value of North America.
  i am curious to know how you implemeted this?
  Thanks
  Pushpa

• Exporting visualizations from Lumira to Explorer Information Spaces

  When I export a visualization from Lumira to an Explorer Information Space, does it export data to the BO server as well? That is, can I then use that Explorer Information Space without needing either the Lumira Cloud or a Lumira HANA server at the backend?

  A possible use case is that you manipulate data in Lumira and want to expose that to others via Mobile BI (Explorer works very well with Mobile); You could also do this in Lumira Cloud
  It used to be Explorer was the path to Mobile BI but that sort of changed when Lumira Cloud came out.

• Universe row level security workiing in main report but not subreports

  I have a report with a couple of sub reports that are running against a universe with row level security. The security works in the main report but when the sub reports run, the security is missing. The report is running through BOE, CR XI R2. Is there something Im missing...? Being new to BOE...

  Hi Michael,
  I am sure the Sub-report is also based on Universe.
  Try to create query with atleast one object/column coming from table on which row level security is applied in universe.
  Hope this will solve the problem.
  Thanks,
  Sushil

• Row Level security in OLAP universe

  Hi,
  We have a OLAP universe based on a BeX query and we are planning to implement the row level security on it.
  As it is not possible to use the normal @BOUSER in the OLAP universe, what is the way to implement the same?
  Is it possible to have it in the BeX query itself? Any thoughts on this please.
  indus

  Hi,
  right now you can not implement row level security in an OLAP Universe, you need to setup BI Authorizations and use Authorization variables in the query.
  Ingo

• How To Setup User Row Level Security In Answers From Values In Table

  I am trying to setup row level security when a user logs into BI Answers. Basically I want the user to create any report that they would like but only see the data that they are associated to being retrieved in the Answer Report results. I have users stored in an Oracle authentication table where they have multiple values for schools that they can view. I have data in my RPD file that contain tables with multiple rows for schools. What I would like is to capture the associated school values for the user logged into BI Answers and place a filter on the data being retrieved in the RPD file to only show rows for the user's associated schools. Can I add a WHERE clause on the Business Model and Mapping layer of the RPD that would retrieve the multiple associated schools in my authentication table and filter/match them (IN clause maybe) to the school values in the RPD data being retrieved?
  Thank you in advance for any information you my have to help me along,
  Kyle

  Turribeach,
  I appologize, I did not use those exact words to search on in the forum. I should have and what I did use didn't turn anything up for my situation.
  Thank you for the link. It helped me find the below link which describes the setup in detail and resolved my issue:
  http://oraclebizint.wordpress.com/2008/06/30/oracle-bi-ee-1013332-row-level-security-and-row-wise-intialized-session-variables/
  What I needed was a row-wise variable/initialization block that stored the multiple school values for my logged in user. I then edited the "Content" tab of the Logical Table Source with a WHERE/IN clause that filtered down the result set based on my variable/initialization block SQL query.
  This solution works great!
  Thanks again!

• SAP-BO SSO and Row Level Security

  Hi,
  We can configure the SAP authentication and able to login InfoView via SAP user name and password. And also, we can import the roles from the SAP system.
  When we create a connection to BW cubes from designer, we want to use "Use Single Sign On when refreshing reports at view time" to apply row-level security which is defined at the BW cubes.
  In our tests, we use "Use BusinessObjects credential mapping" while creating connection from designer to test the row level security. As you can guess, after importing the SAP user, in CMC screen > Users and Groups > Users, we manually enter the password of the user to the Database credentials part. However, as you can guess, the password of the user's is not static and that is not a good solution.
  My question is that, do I need to configure SSO between SAP and BO system or how can I enable row level security?
  System Information
  Business Objects XI 3.1
  SAP Intg. Kit 3.1
  Thanks a lot,
  Omer

  Hi Omer,
  please note that only row-level security implemented through authorization variables in BW queries can be used in BusinessObjects. Row-level security defined at cube level will not be applied.
  As long as you have used the SAP authentication to log on your BOBJ server, the SAP credentials will be used automatically to get the data from your SAP BW source as long as the "Use Single Sign On when refreshing reports at view time" option  is selected in the Database configuration panel (Found in the CMC when viewing the properties of your report) and the option "Use BusinessObjects credential mapping" is selected in your universe connection.
  Please note that this will only work for reports that are invoked directly in the infoview. If a user schedules such a report, she/he has to enter her/his SAP credentials explicitely in the Database Configuration Panel appearing in the scheduling assistant window. In this case you can activate SNC trust between your two servers in order to avoid entering a password when the report is scheduled.
  Regards,
  Stratos
  Edited by: Efstratios Karaivazoglou on May 5, 2009 10:16 AM
  Edited by: Efstratios Karaivazoglou on May 5, 2009 10:23 AM

• Implement row-level security using Oracleu2019s Virtual Private Databases (VPD)

  Environment: Business Objects XI R2; Oracle 10g
  Functional Requirement:
  Implement row-level security using Oracleu2019s Virtual Private Databases (VPD) technology. The restriction is that the Business Objects Universe connection should use a generic/u201Capplicationu201D database user account. This will allow the organization to avoid the situation where the Business Objects password and the Oracle password need to be kept in synch.
  What do we need from the Business Objects support team?
  1.     Review the 2 attempted solutions that we have tried to implement
  2.     Propose solutions/answers to open questions for each of the attempted solutions
  3.     Propose any alternate solution that will help us implement the Function Requirement stated above
  Attempted Solution 1: Connection String uses Oracle Proxy User
  The connection string that is specified in the Universe is the following:
  app_user[end_user]/app_user_pwdarrobaDatabase.WORLD
  app_user = generic application user
  end_user = the oracle account of the end user which is set using arrobaVariable('BOUSER') app_user_pwd = password of the generic application user
  We have tried and implemented this in our test environment. However, we have some questions and concerns around how the connections are reused in a connection pool environment.
  Open Question for Solution 1:
  i. What happens when multiple proxy users try to connect on at the same time?  Business Objects shares the generic app_user connect string.  However, every user that logs on will have their own unique proxy user credentials.  Will there be any contention involved?  If so, what kind of errors can we expect?
  ii. If a user logs on using his credentials (proxy user), and business objects opens up a connection to the database using that user's credentials (as the proxy user but logging in through the generic app user). Then the user exits out --> based on our test today, it seems like the database connection remains open.  In that case, if another user logs on similarly with their credentials, will business objects simply assign the first users connection to that second user?  If so, then our security will not work.  Is there a way that Business Objects can somehow ensure that everytime we close a report, the connection is also terminated both at the BO and DB levels?
  iii. Our 3rd question is general high level -> How connection pooling works in general and how it is implemented in BO, i.e. how are new connections assigned, how are they recycled, how are they closed, etc.
  Attempted Solution 2: Using the ConnectInit parameter
  Reading through a couple of the Business Objects documents, it states that u201CUsing the ConnectInit parameter it is possible to send commands to the database when opening the session which can be used to set database specific parameters used for optimization.u201D
  Therefore, we tried to set the parameter in the Universe using several different options:
  ConnectInit = BEGIN SYSTEM.prc_logon('arrobaVARIABLE('BOUSER')'); COMMIT; END; ConnectInit = BEGIN DBMS_SESSION.SET_IDENTIFIER('arrobaVariable('BOUSER')'); COMMIT; END;
  Neither of the above iterations or any variation of that seemed to work. It seems that the variable is not being set or being u201Cexecutedu201D on the database.
  One of the Business Objects documents had stated that Patch ID 38, 977, 350 must be installed in our BO environments. We have verified that this patch has been applied on our system.
  Open Questions for Solution 2:
  How do we get the parameter ConnectInit to work? i.e. what is the proper syntax to enter and what other things do we need to check to get this to work.
  Note: Arroba word is being used instead of the symbol in order to avoid following error message:
  We are sorry but your message can not be posted since you have included an email address. Please remove the email address and re-post.

  the connectinit setting should look something like this:
  declare a date; begin vpd_setup('@VARIABLE('BOUSER')'); Commit; end;
  The vpd_setup procedure (in Oracle) should look like this:
  CREATE OR REPLACE procedure vpd_setup (p_user varchar)IS
  BEGIN
    DBMS_SESSION.set_vpd( 'SESSION_VALUES', 'USERID', p_user );
  END vpd_setup;
  Then you can retrieve the value of the context variable in your vpd functions
  and set the vpd.

• SAP Lumira - Implementing row level security

  Hi All,
  I aware that SAP Lumira 1.17 onward allows to share the datasets, stories to SAP Lumira Server as well as SAP BI Platform (4.1 SP3 onward).
  But I would like to know if there is any way of implementing Row level security for this published contents i.e. datasets or stories. e.g. If user A (may be an administrator with access to all the regions) creates dataset and story and shares it with other users over SAP Lumira Server or SAP BI Platform. But when user B accesses these contents on any platform, SAP Lumira server or SAP BI Platform, he should be able to see data only as per his access (his own region). Can something of this sort be implemented?
  Thanks,
  Abhijit

  Hi,
  Sorry for the delay in getting back to you.
  As per my understanding - as of today, we respect Row-level security when acquiring (fetching) the data from universe into Lumira desktop (also, contexts and business-security profiles i.e. columns)
  now, when that desktop user has 'designed' the Lumira document, all of the above: row-level, contexts and security profiles  are 'locked-down' into that artefact when shared onwards. (i.e. to Lum Server and hence, BI Platform)
  once this content is being access from the BI Launchpad, refresh-on-demand is possible from the story, as well as scheduling of dataset on which it is based.
  According this blog by Greg Wcislo (the product owner for the Add-on)  Lumira integration for BI4 functionality detailed. note that features such as 'refresh on open' and 'changing design-time parameters' (i.e. prompts) are not yet supported,  but very much in future scope / plans.
  I believe that one of the other mid-term goals is to architect a 'Lumira server-side universe refresh' (i.e. so that the processing is handled 100% by Lumira server) rather than querying across BIPlatform services then replicating a dataset to HANA (which is currently the process flow)
  I hope this helps.
  Regards,
  H

• Row-level security tied to a user account.

  Bear with me, I'm not quite sure I know what I'm talking about.
  Recently we migrated from BO 5.1.7 to BO XII r2 on Solaris. Under Bo 5.1.7 our Finance users tell me there was a way to attach row level security to the account itself. For example, Finance users could only access RU's which belonged to Finance. This there a way to recreate this global security level so that we don't have to do it on a case-by-case basis?
  Thank you in advance.

  You can specify row-level security for a User or UserGroup on a Universe via the Universe Designer in Tools -> Manage Security
  But that would be per Universe, and not global to Enterprise.
  Sincerely,
  Ted Ueda

• Migrate 6.5 Row Level Security to XI 3.1

  We're in the process of upgrading to BOE XI 3.1 and want to be able to use the row level security built in BO 6.5 in our upgraded environment, so that we don't have to put a bunch of restriction statements (WHERE clauses on tables with sub-selects) in our Universes. What is the best API interface or other methodology to use to be able to expose the BO 6.5 security tables in BOE XI 3.1?

  Sorry...after re-reading my first post, I guess I didn't convey specifically enough on what we're trying to do...
  We have created Data Integrator jobs that pull account Id and group id information from the security (OBJ_*) tables maintained by the 6.5 application. We load this data into custom built tables which we use in row level security restrictions in the Universe. With the migration to XI 3.1, will we be able to access the XI 3.1 security tables, using DI, in order to create the security tables we currently use in our restriction sets?
  Edited by: Dennis Scoville on Jul 10, 2009 3:04 PM

• Column level versus row level security in SAP BI

  This is a question. Sorry about the terminology clarification but it really does get to a question. Thanks for your patience and help.
  There is some confusing terminology among BI users so let me explain terms. The terms appear to have some currency in the BOBJ world.
  Row level security = the ability to control access to some data based on the values of a characteristic. Only the data authorized will be selected.
  Column level security = the ability to exclude certain characteristics from display by any user.
  In SAP BI row level security is managed by analysis authorizations (RSECADMIN).
  To the extent of my experience (and I am unable to test it for about a month) column level security can only be managed by authorization object S_RS_IOBJ excluding the infoobject to be controlled with the sub-object DATA).
  However my experience is that any query that reads an infoprovider that contains that infoobject will fail. It won't exclude and present to the user all the other infoobjects (i.e. columns).
  Is this really so and if so is there any mechanism that can exclude columns without forcing the developer to either design an infoprovider or multicube that excludes the infoobject?
  Edited by: Corwin Slack on Dec 14, 2009 2:07 PM

  Two things
  1. I would prefer not to have to rely on developers to implement a restriction in a query. Then I have to police every query.
  2. I am not certain that the authorization isn't checked anyway because the query accesses the cube. (Sorry no test environment available until mid January)
  My preference is that any queries that contain this authorization object just bypass the displaying the characteristic. My frecollection to date is that this isn't what happens. The query fails entirely.

• Row Level Security not working for SAP R/3

  Hi Guys
  We have an environment where the details are as mentioned below:
  1. Crystal Reports are created using Open SQL driver to extract data from SAP R/3 using the SAP Integration Kit.
  2. The SAP roles are imported in Business Objects CMC.
  3. Crystal Reports are published on the Enterprise as well.
  3. Authorization objects are created in SAP R/3 and added as required for the row level security as mentioned in the SAP Installation guide as well. The aim is when the user logs into the Infoview and refreshes the report he should only see data that he is meant to so through the authorization objects.The data security works very much fine when the reports are designed directly on the table but when the reports are built on the Business View it doesnt work hence the user is able to see all data.
  Any help in this issue is greatly appreciated.
  Thanks and Regards
  Kamal

  Hi,
  In order for row level security to work for you using the OpenSql driver, you need to configure the Security Definition Editor on your SAP server.  This is a server side tool which the Integration solution for SAP offers as a transport.
  This tool defined which tables are to be restricted based on authorizations.
  However since you are seeing the issue on reports based on Business Views, you need to identify whether the Business View is configured in such a way where the user refreshing the report is based on the user logging into Infoview.  If the connection to your SAP server is always established with the same user when BV is used then you security definition is pointless.
  You can confirm this by tracing your SAP server to identify what user is being used to logon to SAP to refresh the reports.
  thanks
  Mike