Row level security in OBIEE 11g: Which is better: VPD or RPD

Similar Messages

• Row level security in OBIEE 11g

  Hi guys,
  We have a business intelligence project in OBIEE, and I have a question regarding row level security (RLS).
  Specifically, I have an hierarchical organization with users belonging to different structures. If one user belongs
  to a structure that is above another structure in hierarchy, then he should see both data from his structure and
  the of the users in structures bellow it. In the reports, we must have filters implemented respecting this requirement,
  i.e. if one logs in OBI and accesses the report, he should see in the filter "Users" only subordinate users and respectively
  data displayed in the report should be filtered accordingly. How would you suggest to implements this type of security
  in the data model? And how could I create the type of filter mentioned above?  

  This needs to be implemented in 3 different levels. 1. in database  2. in RPD  3 in reports
  1. You need to have facts or dimensions which have columns through which you can filter based on their hierarchy. e.g position in an organisation or department in the hierarchy table which can be joined to fact.
  2. In rpd you need to create a session variable and initialize it using init block based on the user who is logging in. This variable will be you position or department through which you want to filter based on hierarchy. e.g select position from hierarchy_table where user= 'NQSession(user)' . The resulting position value will be used as a filter.
  3. Add this position variable as a content filter in your LTS in you BMM layer.
  4. You can also use this session variable  as a filter in you reports too.
  hope this helps.
  Senthil

• How to provide Responsiblity level security in OBIEE 11g

  Hi all,
  Can any one tell me how to provide the responsibility level security in OBIEE 11G.

  Hi,
  You need to create group of users and then apply filters over that groups.
  you should establish an additional filter for group1 (user1 belongs to group1 in your example). Follow next steps:
  - Manage -> Security...
  - Groups -> click right group1 and select propierties.
  - Select button 'Permissions...'
  - Select tab 'Filters' -> add new filter.
  - On the column name select the metric you need filter, in your example, customer sales. On the column 'Business model filter' put table.division=division1
  you should add the Customer table to your Sales-fact LTS add apply the filter to this combined LTS as well
  For more:
  http://oraclebizint.wordpress.com/2008/06/30/oracle-bi-ee-1013332-row-level-security-and-row-wise-intialized-session-variables/
  also try http://www.biblogs.com/1969/12/31/obiee-11gr1-security-explained-an-11g-security-overview/
  http://forums.oracle.com/forums/thread.jspa?threadID=1120336
  Thanks
  Deva
  Edited by: Devarasu on Oct 11, 2011 6:08 PM

• Row Level Security in OBIEE using OID as authentication Mechanism

  Hi OBIEE Gurus,
  I am trying to implement Row Level Security in OBIEE . Currently I have setup OBIEE to have OID do the user authentication.
  I want to implement RLS by doing the following :
  1. Have Security Groups defined in OID and assign users with group membership.
  2. Import these Security Groups into OBIEE metadata
  3. Apply filters to these Security Groups
  4. Run Answers requests to see if RLS works or not
  Please let me know if this approach works. If this is not the right way or most efficient way to do this, please let me know if there is any document I can follow to accomplish this.
  Appreciate your help.
  Edited by: drakesh on Sep 26, 2008 7:09 AM

  Follow the steps in the following link to set up OID and Row level security:
  http://www.rittmanmead.com/2007/05/21/using-initialization-blocks-with-ldap-and-database-queries-to-control-authentication-and-authorization/
  Instructions for the link above:
  1.In place of Edit Data Source as database you have to select LDAP,define the groups and default initializer as filter expression.
  2.A more simpler approach ,is to create the groups explicitely using the Security Manager in BI Administrator, add filters to those groups, and assign users to those groups.
  Otherwise follow Matt's view
  Thanks,
  Amrita

• Data Level Security In OBIEE 11g based on the filters setup in RPD

  Hello All,
  We are trying to implement the data level security on a BI publisher report that is using BI server as the data source. The filters are created in the RPD based on user login ( session variable USER). From the documentation of BI publisher, I see that you have to enable the option Use Proxy Authentication to pass the user information down to BI publisher from OBIEE when using BI server as the data source to implement row-level security. After checking that option, the BI pub report does not render anymore. This is all in 11g. Can anyone help me with where I am going wrong?
  Regards,
  -Amith.

  A.Y wrote:
  Hello All,
  We are trying to implement the data level security on a BI publisher report that is using BI server as the data source. The filters are created in the RPD based on user login ( session variable USER). From the documentation of BI publisher, I see that you have to enable the option Use Proxy Authentication to pass the user information down to BI publisher from OBIEE when using BI server as the data source to implement row-level security. After checking that option, the BI pub report does not render anymore. This is all in 11g. Can anyone help me with where I am going wrong?
  Regards,
  -Amith.Not sure, if anyone has yet ran into this issue, but the workaround we have implemented is to build a report in OBIEE and use the analysis query as the source for BI Publisher.

• Row Level Security in OBIEE

  Hi,
  In my project i have to implement the row level security. My scenario like follows
  I have one report called Customer - Revenue.The report contains the following fields. Company,Organisation,Office, Revenue.
  Dimensional Hiearchy is as follows
  Company --> Organization --> Office
  In each company,Organization,Office have their own user ids.
  If i enter with company user id the report should displayed concern company revenue details with organization and office details.
  When i enter with organization user id then the report displayed for that particular organization and office revenue details.
  When i enter with office user id then the report should displayed for that office revenue details with concern company and organization details.
  My Dimension table in following format
  Company
  Organization
  Office
  Address.
  I am usnig external table authentication.
  External authatication tables contains following fields...
  Loginid,Display Name, Group and Password.
  How can i achieve this in OBIEE 11.1.1.5. Kindly help me to come out from this.....

  Hi,
  Kindly refer the below
  http://gerardnico.com/wiki/dat/obiee/security_level#data
  http://www.rittmanmead.com/2012/03/obiee-11g-security-week-row-level-security
  Thanks
  Deva

• Data level security in OBIEE 11g

  Hi all,
  I am using OBIEE 11g. I have a table called "USER_ACCESS_T" which has four columns user_name,Access_level_name,Access_level_type,status_flag.
  User_Name Access_Level Access_Type Status_Flag
  XX Project ABC Project Group Yes
  YY Project DEF Project sub Group Yes
  ZZ Project GH Project Yes
  My requirement is
  When user XX logs in BI answers, he has to access only Project group ie.., Project ABC.
  When user yy logs in BI answers, he has to access only Project sub group ie.., Project DEF.
  Kindly Guide me.
  Thanks and regards
  Haree
  Edited by: Haree on Dec 23, 2011 11:44 AM

  Hi Haree,
  Please follow the follow steps to restrict users on the project dimension.
  1) Create an init block to populate the list of project a user belongs to. You have to do this row - wise initialized as a user can belong to multiple projects.
  Select 'PROJECT_NUMBER', project_number from w_project_d where UPPER(user_name)=UPPER(':USER');
  2) Now as you have all the project numbers for a particular user in a variable, you can use that to filter on the dimension table.
  3) In the rpd, go to the group/role - Permissions - Select the dimension table project - and put the following filter.
  "Core"."Dim - Project.Project Number" = VALUEOF(NQ_SESSION.PROJECT_NUMBER)
  That's it. Your security is now in place for projects.
  i think this will give you an solution.

• Alternative Data Level Security in OBIEE 11g

  Gurus - Wanted to put it out there if there are alternatives ways of achieving data level security as opposed to going the route of creating blocks that initialize session variables which can be applied onto tables through roles in the RPD? The main reason for asking was to try and prevent performance impact of having a significant number of init blocks running when an user logs into the application.
  Ganesh

  VPD [Virtual Private Database] would be an alternative for this.

• Row level Security in 11g

  Hello,
  Is there any way to configure row level security in OBIEE 11g other than using external table? Please share your thoughts on this.
  Thanks,
  Kishore

  Check this http://www.rittmanmead.com/2012/03/obiee-11g-security-week-row-level-security/
  ~ http://cool-bi.com

• Data Level Security in OBIEE  Enterprise Edition

  HI,
  would like to know how to implement row-level security in OBIEE Enterprise Edition
  Setting up the context right here, considering a hierarchy of an organization that goes up to 4 levels as below:
  VP >Senior manager>Manager>clerk
  Now, the situation is such that a manager should be able to view its subordinates data but not the data of any other team to which he does not have access. And also the manager should view only his regions data.Same goes for other hierarchies in the organization.
  Any pointers in this regards i.e OBIEE ADMIN TOOL: SECURITY AUTHENTICATION THROUGH EXTERNAL DATABASE would be of great help.
  Source system is SIEBEL CRM 7.8
  THanks
  Gutha

  Hi,
  I can help you for Authentication using BI Server.
  For teh same you can use admin tool then manage>security> users and Groups.
  You can create different groups as well as users accrording to you hierarchy and then provide privilages users or groups according to your need like particular user can view the data of particular level.
  When you create users then in the user page you can provide the filter conditions in filter tab and same as in groups.
  Regards
  Tarang Jain

• Obi 11g row level security not working

  All,
  I am very familiar and have worked with obi 10g row level security and it works pretty easily. Now in 11g not so easy. I am basically setting permissions on data filters on app roles as per the new 11g instructions and meta data guide, however, I never see the filters being applied in the report and also in the nqquery.log. I have tried in vain, and nothing. The filters are never being applied for the test user. I even verified the user is in the specified app role via their my account->app roles tab. Now has anyone had this experience or now is there something that must be done additionally now.
  Very frustrated... ;(

  Ok, so I have found the solution and ultimately the answer to why the object level and row level security was not being applied. It so happens that the app policy: 'resourceType=oracle.bi.server.permission, resourceName=oracle.bi.server.manageRepositories all' not only allows the management and access to online RPDs; but, IT ALSO DOES NOT APPLY SECURITY/PERMISSIONS IN THE RPD TO THAT USER thus you are super user. So the OOTB BIAdministrator app role which my AD user was being assigned never had any security applied due to this. How I tested:
  1) I created a test user
  2) Assigned that user to the BIAuthor app role and saw that they had the security applied that I was testing, which was simple object denial and row-level security to just one year on the date dim.
  3) Since it was working, I then assigned that user to the BIAdministrator role. This produced that the test user now does not have any restrictions that I set and that were working before. Thus, security/perms in the RPD are not applied.
  4). I removed the user from the BIAdministrator app role, kept in the BIAuthor app role and then created new test app role. I mapped that user to this new role along with the BIAuthor role. I then proceeded in creating new app policy with just that policy and assigning the new app role to it.
  5) I logged into the presentation services again with this test user after assigning to new app role and policy. My test user again does not have the security being applied and does not get any perms/security that I set and applied in the RPD. On top of that my test user is now able to login in online mode to the rpd via the bi admin tool.

• OBIEE Row-Level Security Inquiry

  I had discussed a security requirement with one of our resources and it seems like a simple concept but for some reason I can’t think of simple way to implement in OBIEE.
  If we have a fact table with a security column that has values which state what groups can see the data in that row (Multiple groups separated by semi-colons). The data in the row is layed out like this:
  Group 1;Group 2;Group 3;Group 4
  There is a user and group mapping table as well where if I pull a user (Say User1) the data in the column for their group assignments would look like:
  Group 3;Group 10; Group 11
  Since this user is in Group 3 they can see the values in that row of the fact table above (Because Group 3 appears in both).
  Now I can run a session variable to get the user groups but how to then correlate to what rows they can see in that fact table is where I am stuck.
  Can I solicit any suggestions?

  They are various problems with your approach. To start with let's how OBIEE would like you to have the data:
  State Sales
  1 99
  2 30
  3 50
  Then your user to group table should be like this:
  User State
  1 1
  1 2
  1 3
  2 1
  3 3
  You would then do an row-wise Init Block to populate the GROUP variable. Then you simply do a filter in your BMM layer State = VALUEOF(NQ_SESSION.GROUP). Note that GROUP is that a list of groups so OBIEE will take care to convert this to SQL correctly. Now the way you have your data I don't think you can easily do row-level security. Basically what you need is to have your Group as dimension in your fact. What you have a is concatenated value which is useless. Also your user to group mapping table needs to be flat so you can do the row-wise init block. Hope it helps.

• Row level security with session variables, not a best practice?

  Hello,
  We are about to implement row level security in our BI project using OBIEE, and the solution we found most convenient for our requirement was to use session variables with initalization blocks.
  The problem is that this method is listed as a "non best practice" in the Oracle documentation.
  Alternative Security Administration Options - 11g Release 1 (11.1.1)
  (This appendix describes alternative security administration options included for backward compatibility with upgraded systems and are not considered a best practice.)
  Managing Session Variables
  System session variables obtain their values from initialization blocks and are used to authenticate Oracle Business Intelligence users against external sources such as LDAP servers or database tables. Every active BI Server session generates session variables and initializes them. Each session variable instance can be initialized to a different value. For more information about how session variable and initialization blocks are used by Oracle Business Intelligence, see "Using Variables in the Oracle BI Repository" in Oracle Fusion Middleware Metadata Repository Builder's Guide for Oracle Business Intelligence Enterprise Edition.
  How confusing... what is the best practice then?
  Thank you for your help.
  Joao Moreira

  authenticating / authorizing part is take care by weblogic and then USER variable initialized and you may use it for any initblocks for security.
  Init block for authenticating / authorizing and session variables are different, i guess you are mixing both.

• Row level Security for BI Author Role

  Hi All,
  We are using OBIEE 11.1.1.5 in our project. We have a requirement where we need to configure row level security on certain column.
  We are currently using external table and session variable approach to configure this. This security works fine for the users with BI Consumer
  roles. But we are facing issue with configuring row level security for BI Author role.
  BI Author can create any analysis in BI Answers and suppose he/she creates a report which does not contain the column on which row level
  security is applied than he can see all the data. For eg.
  We have one dimension Products having two levels Product Division and Brand. I want to configure security based on Product Division column.
  But if BI Author create a report with only Brand and Measures than row level security is not working.
  Does anyone has face this issue before.
  Please let me know if you want any other information from my side.
  Regards,
  Vikas

  If you are using a multidimensional cube you can use the "permit" command to control access to dimension members or provide cell level security within the cube. The OLAP database documentation provides on how to use the PERMIT command.
  If you are using relational tables and/or views with additional CWM metadata mapped using OEM then you need to refer to the database documentation relating to Virtual Private Databases and Label Security
  Business Intelligence Beans Product Management Team
  Oracle Corporation

• Object Level Security,Data Level Security&Row level Security

  can anyone explain main difference between "Object Level Security,Data Level Security & Row Level Security " and how to implement.
  Thanks in advance,
  Kumar

  Hi Kumar
  Dashboards, Reports, Guided Navigation Links, Texts, briefing books are all Dashboard OBJECTS which are available at UI level of OBIEE..if you restrict them Say User 'A' wants to see 2 Dashboards and USer 'B' Wants to see 1 Dashboard....these settings & permission u r restricting in Object level called Object Level Security
  lly datalevel security is restriction of Data.. consider the same above example and User 'B" wants to see 2-3 regions data where as User A will see only Single Region Data..which you will do/restrict at logical tables, using variables..
  Row level security: http://groups.google.com/group/obiee-enterprise-methodology/browse_thread/thread/131ee938a5aefde0 refer this link, clearly explains you
  Please mark Correct or helpful if this clears