Row level security in Cross References Section

Similar Messages

• How to implement row level security?

  Hi all,
  There is a database which is for 3 companies to use it and how to use row level security to make sure that they can only manipluate their own data? For example, "employee" table, for each company they just can see their own employees information. How to use dynamic view to do it?
  Many Thanks
  Amy

  Here are two options to achieve what you want.
  A. You can do this by coding, that's if you are ready to. Are you? If yes then try the steps below:
  1. create a security codes table. Say for example
  001 - company a
  002 - company b
  2. create a security table that will list all users and which company they should have access to. You can also implement this by roles.
  3. alter all tables in the application schema to add a security code column. This will be a foreign key reference to table created in 1 above.
  4. update all data in the tables according to which company they belong to.
  5. write a procedure or package that does a validity check whenever a user requests for data. This procedure/package determines which company data the user has access/rights to.
  With this, you should be able to achieve what you want if you do not want to spend on VPD and FGAC. The problem comes where there are users who would have cross access to data from both companies. In this regard, then you have to modify your security table a little bit to handle this.
  B. This option i will admit is not so clean. You can also achieve this by two different views for every table in the application schema. And on each of these views, create a private synonym for every user. For illustration purposes:
  Table name = Employee.
  Create a view employee_a on employee
  create a view employee_b on employee
  Let's say you have users x and y. X has access to employees of company a and y has access to employees of company b. You can now create private synonyms for each of these users as follows:
  create synonym employee on employee_a in x schema.
  create synonym employee on employee_b on y schema.
  This i have not tried but believe should work.
  Hope one of these options serve your purpose.

• How to Migrate Row Level Security Configuration

  Hi Guys,
  Does anybody know how to migrate row level security configuration? I suppose PeopleSoft provided a data mover script, like securityexport.dms.
  Thank you in advance,
  Bob

  Here are two options to achieve what you want.
  A. You can do this by coding, that's if you are ready to. Are you? If yes then try the steps below:
  1. create a security codes table. Say for example
  001 - company a
  002 - company b
  2. create a security table that will list all users and which company they should have access to. You can also implement this by roles.
  3. alter all tables in the application schema to add a security code column. This will be a foreign key reference to table created in 1 above.
  4. update all data in the tables according to which company they belong to.
  5. write a procedure or package that does a validity check whenever a user requests for data. This procedure/package determines which company data the user has access/rights to.
  With this, you should be able to achieve what you want if you do not want to spend on VPD and FGAC. The problem comes where there are users who would have cross access to data from both companies. In this regard, then you have to modify your security table a little bit to handle this.
  B. This option i will admit is not so clean. You can also achieve this by two different views for every table in the application schema. And on each of these views, create a private synonym for every user. For illustration purposes:
  Table name = Employee.
  Create a view employee_a on employee
  create a view employee_b on employee
  Let's say you have users x and y. X has access to employees of company a and y has access to employees of company b. You can now create private synonyms for each of these users as follows:
  create synonym employee on employee_a in x schema.
  create synonym employee on employee_b on y schema.
  This i have not tried but believe should work.
  Hope one of these options serve your purpose.

• Crystal reports LOV cascading prompts row level security not working

  Crystal report LOV cascading prompts with row level security is not woking when the crytal report cache server/page server cache (Oldest On-Demand Data Given To a Client (in minutes)) is turned on. But its working fine when the cache is turned off.
  Using XIR2 environment.
  Appreciate the response.
  Thanks
  Chenthil

  Hi Chen,
  In terms of what could be done on the Crystal Reports end, there is no such controls available.  However, your question may be better answered if it was posted to our Business Objects Enterprise forum. 
  It is at "BusinessObjects Enterprise Administration" section of the forums.
  FYI.

• How to implement row level security using external tables

  Hi All Gurus/ Masters,
  I want to implement row level security using external tables, as I'm not sure how to implement that. and I'm aware of using it by RPD level authentication.
  I can use a filter condition in my user level so that he can access his data only.
  But when i have 4 tables in external tables
  users
  groups
  usergroups
  webgrups
  Then in which table I need to give the filter conditions..
  Pl let me know this ...

  You pull the Group into a repository variable using a session variable init block, then reference that variable in the data filters either in the LTS directly or in the security management as Filters. You reference it with the syntax VALUEOF("NQ_SESSION.Variable Name")
  Hope this helps

• Row level security.... yes or no in HTMLDB???

  Hi Guys,
  This is just a little confusing... in the application developer of HTMLDB, it has a section to implement VPD features, but when I come round to doing pete finnigans (http://www.securityfocus.com/infocus/1743) RLS tutorial, i get the following error when creating the vpd policy:
  ORA-00439: feature not enabled: Fine-grained access control.
  So can I get row level security to work in Oracle XE or do I have to integrate Oracle 10g EE with HTMLDb to get this to work?
  If so... how do I do that?
  Best Regards
  Shahram Shirazi

  Virtual private database / fine grained access control is not supported in Oracle XE, it is an Enterprise Edition feature.
  http://download-uk.oracle.com/docs/cd/B25329_01/doc/license.102/b25456/toc.htm#BABECIEG
  Re: Got ORA-00439:  feature not enabled: Fine-grained access control
  ~Dietmar.

• Row level security without using VPD

  I am wondering if there is a way to have row level security in APEX without having to use the virtual private database (VPD). I cannot afford the Enterprise Edition license that is required for VPD.
  I need a way to customize the list of rows that appear for each user on a report page.
  For example, I only want managers to be able to see their employees and not employees of other managers.
  Thanks for your help !
  -Reid

  While it wont provide all the features that Oracle RLS does, you can leverage Oracle 'Contexts' to provide a form of Row Level Security.
  This article describes how
  http://www.dbazine.com/oracle/or-articles/jlewis15
  Within APEX you can set your application to call the 'context' setting function in the 'VPD' section of the 'Edit Security Attributes' page.
  Varad

• Row level security problem.

  Hy all, I'm new to Oracle and though i've google it a lot I didn't manage to find a solution to this problem:
  I'm using sql developer and Oracle 10g.
  I have this two tables :
  CREATE TABLE HR_employees
  (codHR NUMBER(3) CONSTRAINT pk_hr PRIMARY KEY,
  coddep NUMBER(4) not null,
  DB_user VARCHAR2(10),
  and
  CREATE TABLE Candid
  (codcan NUMBER(2) CONSTRAINT PK_candidat PRIMARY KEY,
  codHr NUMBER(3) NOT NULL,
  CONSTRAINT FK_CODHR FOREIGN KEY (codHR) REFERENCES HR_employees (codHR) );
  I tried to implement row level security on them by using two views:
  CREATE OR REPLACE VIEW employees_v AS
  SELECT * FROM hr_employees
  WHERE DB_user = user
  UNION
  SELECT * FROM hr_employees
  WHERE codhr=(SELECT codhr FROM hr_employees WHERE db_user=user );
  AND coddep IN (4000,5000);
  CREATE OR REPLACE VIEW candid_v AS
  SELECT cand.*
  FROM candid cand , hr_employees hr
  WHERE cand.codhr= hr.codhr
  AND hr.db_user=user
  UNION
  SELECT cand.* FROM candid cand, hr_employees hr
  WHERE hr.coddep=(SELECT H.coddep FROM hr_employees H
  WHERE H.db_user=user
  AND H.coddep IN (4000,5000) );
  What I want to do is to disconnect and connect with another user from SQL Developer and see different fields based on the user and the department, Sql developer doesn't seem to recognize the user connected to the database..everytime I receive a no row selected statement, only when I connect with SYS and put the actual username WHERE H.db_user='SYS' they seem to work. I have created the tables with SYS and granted Select on the views to the users, the users don't have privilegies on the actual tables.
  Sorry for the bad english,it's a foreign language to me ,
  I hope you can help me

  Hi,
  Damorgan is right: "Row level security has nothing to do with views" in the sense that the two are independent. You can have row-level security with or without views, and you can have views with or without row-level security. dbms_rls is a very useful and powerful way to implement row-level security, and you should check it out, but it's not necessarily the answer to all row-level security problems.
  I'm not sure I understand your problem beyond the need to restrict user A's access to two tables.
  If which rows user A is allowed to see depends on the results of queries from those same tables, including rows that user A is not allowed to see (that is, you need to do sub-queries with some other user's (let's call this user B's) privileges), then you can do those sub-queries in stored procedures.
  Stored procuderes can run with the privileges of the procedure owner, regardless of who is calling them. Using a function called user_codhr owned by user B, you could define a view like this:
  CREATE OR REPLACE VIEW employees_v AS
  SELECT * FROM hr_employees
  WHERE DB_user = user
  OR    (   codhr = user_codhr
        AND coddep IN (4000,5000)
        );If the results of the function will be the same throughout the session, you can call it once, at the beginning of your session, and save the results in a SYS_CONTEXT varaible or a global temporary table.
  If you need more help, post a more detailed example of the problem, such as "With this data in the table, B should see all rows but A should see only ...".

• Row Level Security not working for SAP R/3

  Hi Guys
  We have an environment where the details are as mentioned below:
  1. Crystal Reports are created using Open SQL driver to extract data from SAP R/3 using the SAP Integration Kit.
  2. The SAP roles are imported in Business Objects CMC.
  3. Crystal Reports are published on the Enterprise as well.
  3. Authorization objects are created in SAP R/3 and added as required for the row level security as mentioned in the SAP Installation guide as well. The aim is when the user logs into the Infoview and refreshes the report he should only see data that he is meant to so through the authorization objects.The data security works very much fine when the reports are designed directly on the table but when the reports are built on the Business View it doesnt work hence the user is able to see all data.
  Any help in this issue is greatly appreciated.
  Thanks and Regards
  Kamal

  Hi,
  In order for row level security to work for you using the OpenSql driver, you need to configure the Security Definition Editor on your SAP server.  This is a server side tool which the Integration solution for SAP offers as a transport.
  This tool defined which tables are to be restricted based on authorizations.
  However since you are seeing the issue on reports based on Business Views, you need to identify whether the Business View is configured in such a way where the user refreshing the report is based on the user logging into Infoview.  If the connection to your SAP server is always established with the same user when BV is used then you security definition is pointless.
  You can confirm this by tracing your SAP server to identify what user is being used to logon to SAP to refresh the reports.
  thanks
  Mike

• Row level security at universe design level

  Hi,
  I am creating a Universe layer on top of non SAP OLAP cube ( from MS Analysis Services 2005 ) .
  My concern is that can we maintain the row level or data level security at universe design level or if i am using that universe in creation of WEBI report so is there any possiblity to maintain this security at WEBI level.
  Regards,
  Mishra Vibhav.

  Thanks for the reply.
  Much Appriciated.
  My only concern is that i read in the Universe Designer developer guide that it does the row level security so can eloborate a bit about how we maintain at Universe level.
  Warm Regrads,
  Mishra Vibhav

• Row level security in BI Publisher

  Hi All ,
  I am using BI publisher for reporting on Siebel system.The issue I am facing is regarding row level security.Even if I am logging with Employee Id, when I generate report ,I have acess to all the information of the other employees.
  e.g. If as a cashier I made some entry , when I generate report on collection made by me, its bringing me all the collections made by other cashiers also.
  I am generating these report from siebel side.I am not sure if we can apply the rowlevel security to BI Publisher.
  Does anyone has used Siebel or EBS with BI Publisher and have row level security ? I am also not sure How to see the reports by loging into BI Publisher .If I am using Siebel or EBS, what is going to be my Data Model or Data Set.
  Can anyone help me on this?
  Thanks!!

  Oracle HRMS has its own security built-in to the schemas. Other modules you will need to customize for your own use.

• Setting up Row Level Security in EPM 11.1.1.3

  I have been following the Administration guide but failed to setup row level security in EPM 11.1. Please advise which part of my steps are wrong. (note I am using MS SQL Server for the EPM Shared Services and Workspace database, everything under Windows env)
  i) Enable row level security in Workspace.
  Step 1) Define a ODBC Data Source named "EPM_WS" in Windows. The ODBC Data Source points to the MS SQL Server database of EPM Workspace since it contains the 3 tables (BRIOSECG, BRIOSECP, BRIOSECR) related to row-level-security.
  Step 2) Login to workspace, select "Administer"->"Configuration Console". Edit "Interactive Reporting Data Access Services" and add a data source with ODBC->MS SQL Server -> "EPM_WS" as the name of datasource. Restart "Interactive Reporting Data Access Services".
  Step 3) Login to workspace, select "Administer"->"Row Level Security". Check "Enable Row Level Security", Choose ODBC->MS SQL Server-> fill in "EPM_WS" as Data Source Name"-> Provide correct user name and password. Click "Save Properties"
  Step 4) It always prompt "Server error setting the Connectivity. Recommended Action: Logoff and logon again. If problem persists contact your local security administrator."
  Any log I can inspect for the connectivity error?
  ii) Configure Row Level Security setting
  I know that for Hyperion IR, there is a file row_level_security.bqy comes with the installation. User can use this bqy file to configure the actual row level security setting. However, I cannot locate this bqy file in the EPM 11.1 installation. What is the proper step for setting up the row level security configuration?
  thank you very much.

  I have been following the Administration guide but failed to setup row level security in EPM 11.1. Please advise which part of my steps are wrong. (note I am using MS SQL Server for the EPM Shared Services and Workspace database, everything under Windows env)
  i) Enable row level security in Workspace.
  Step 1) Define a ODBC Data Source named "EPM_WS" in Windows. The ODBC Data Source points to the MS SQL Server database of EPM Workspace since it contains the 3 tables (BRIOSECG, BRIOSECP, BRIOSECR) related to row-level-security.
  Step 2) Login to workspace, select "Administer"->"Configuration Console". Edit "Interactive Reporting Data Access Services" and add a data source with ODBC->MS SQL Server -> "EPM_WS" as the name of datasource. Restart "Interactive Reporting Data Access Services".
  Step 3) Login to workspace, select "Administer"->"Row Level Security". Check "Enable Row Level Security", Choose ODBC->MS SQL Server-> fill in "EPM_WS" as Data Source Name"-> Provide correct user name and password. Click "Save Properties"
  Step 4) It always prompt "Server error setting the Connectivity. Recommended Action: Logoff and logon again. If problem persists contact your local security administrator."
  Any log I can inspect for the connectivity error?
  ii) Configure Row Level Security setting
  I know that for Hyperion IR, there is a file row_level_security.bqy comes with the installation. User can use this bqy file to configure the actual row level security setting. However, I cannot locate this bqy file in the EPM 11.1 installation. What is the proper step for setting up the row level security configuration?
  thank you very much.

• How to check the row level security in TOAD for oracle

  Hi ,
  for ex, i have 2 types of users
  normal user and super user
  super user can see the group set (some column name) created by normal user
  but normal user can not see the set created by super user
  this set crestion aslso has 3 types "U','P',S'
  P & S can be viewed by even normal user
  but U should not
  so here we are having some row level security for the normal user .....
  So, in TOAD for oracle how to check that......
  Let me know if i'm not clear

  Like
  I'm the super user....
  And some records are inserted to a table by different users ('a' , 'b', etc....)
  So,if user 'a' logins then he can be able to see only the records inserted by 'a' only...
  how to see in TOAD where such type of scripts (filter conditions) are written.....

• Row level security in Hyperion System 9 - 9.3.1

  Hi Gurus,
  I have a requirement where the users get to see records in a table based on their localization code. This is currently implemented using views.
  The view has a set of conditions which checks the localization table with te employee table. For example, if any of the first manager, second manager etc.. localization code
  matches then they get to see records for that location.
  The RLS in Hyperion uses Groups to assign security rules. But in my case, the determination is dynamic based on the localization code. And these things change depending on employee movement, transfer, promotion etc..
  In such a scenario, can I use RLS only if I know a set Groups of users and where they belong to? Can RLS accomodate my above said requirement?
  z

  Follow the steps in the following link to set up OID and Row level security:
  http://www.rittmanmead.com/2007/05/21/using-initialization-blocks-with-ldap-and-database-queries-to-control-authentication-and-authorization/
  Instructions for the link above:
  1.In place of Edit Data Source as database you have to select LDAP,define the groups and default initializer as filter expression.
  2.A more simpler approach ,is to create the groups explicitely using the Security Manager in BI Administrator, add filters to those groups, and assign users to those groups.
  Otherwise follow Matt's view
  Thanks,
  Amrita

• Obi 11g row level security not working

  All,
  I am very familiar and have worked with obi 10g row level security and it works pretty easily. Now in 11g not so easy. I am basically setting permissions on data filters on app roles as per the new 11g instructions and meta data guide, however, I never see the filters being applied in the report and also in the nqquery.log. I have tried in vain, and nothing. The filters are never being applied for the test user. I even verified the user is in the specified app role via their my account->app roles tab. Now has anyone had this experience or now is there something that must be done additionally now.
  Very frustrated... ;(

  Ok, so I have found the solution and ultimately the answer to why the object level and row level security was not being applied. It so happens that the app policy: 'resourceType=oracle.bi.server.permission, resourceName=oracle.bi.server.manageRepositories all' not only allows the management and access to online RPDs; but, IT ALSO DOES NOT APPLY SECURITY/PERMISSIONS IN THE RPD TO THAT USER thus you are super user. So the OOTB BIAdministrator app role which my AD user was being assigned never had any security applied due to this. How I tested:
  1) I created a test user
  2) Assigned that user to the BIAuthor app role and saw that they had the security applied that I was testing, which was simple object denial and row-level security to just one year on the date dim.
  3) Since it was working, I then assigned that user to the BIAdministrator role. This produced that the test user now does not have any restrictions that I set and that were working before. Thus, security/perms in the RPD are not applied.
  4). I removed the user from the BIAdministrator app role, kept in the BIAuthor app role and then created new test app role. I mapped that user to this new role along with the BIAuthor role. I then proceeded in creating new app policy with just that policy and assigning the new app role to it.
  5) I logged into the presentation services again with this test user after assigning to new app role and policy. My test user again does not have the security being applied and does not get any perms/security that I set and applied in the RPD. On top of that my test user is now able to login in online mode to the rpd via the bi admin tool.