Row Level security in OLAP universe

Similar Messages

• Row level security at universe design level

  Hi,
  I am creating a Universe layer on top of non SAP OLAP cube ( from MS Analysis Services 2005 ) .
  My concern is that can we maintain the row level or data level security at universe design level or if i am using that universe in creation of WEBI report so is there any possiblity to maintain this security at WEBI level.
  Regards,
  Mishra Vibhav.

  Thanks for the reply.
  Much Appriciated.
  My only concern is that i read in the Universe Designer developer guide that it does the row level security so can eloborate a bit about how we maintain at Universe level.
  Warm Regrads,
  Mishra Vibhav

• Universe row level security workiing in main report but not subreports

  I have a report with a couple of sub reports that are running against a universe with row level security. The security works in the main report but when the sub reports run, the security is missing. The report is running through BOE, CR XI R2. Is there something Im missing...? Being new to BOE...

  Hi Michael,
  I am sure the Sub-report is also based on Universe.
  Try to create query with atleast one object/column coming from table on which row level security is applied in universe.
  Hope this will solve the problem.
  Thanks,
  Sushil

• Row Level Security from Universe to BOBJ Explorer Information Space

  Hi Experts,
               We have got a Universe using Sql Server Database and had designed Row Level Security to restrict managers data only to manager who ever log on (@BOUSER), Directors data based on who ever log on(@BOUSER).......
            The above logic is working fine when designing Webi / Deski reports but when I create a BOBJ Explorer Infospace , I log on with my profile as Manager which brings me data relevant to me only, but when other Manager log on to Polestar and use same Infospace the @BOUSER security is not working to bring his own data and it is showin my manager id data to other manager.
      Requirement:  1 Infospace for Managers  and 1 Infosapce for Director's.
                             who ever logon's and uses same infospace from manager's group or Director's group they should see only
                              their data and not aother manager / director data.
  Thanks,
  Raju

  THis is a known issue. Should be solved in BO Explorer XI 3.1 SP2.
  Check SAP note 1365329 (http://service.sap.com/notes)
  Regards,
  Stratos

• Implement row-level security using Oracleu2019s Virtual Private Databases (VPD)

  Environment: Business Objects XI R2; Oracle 10g
  Functional Requirement:
  Implement row-level security using Oracleu2019s Virtual Private Databases (VPD) technology. The restriction is that the Business Objects Universe connection should use a generic/u201Capplicationu201D database user account. This will allow the organization to avoid the situation where the Business Objects password and the Oracle password need to be kept in synch.
  What do we need from the Business Objects support team?
  1.     Review the 2 attempted solutions that we have tried to implement
  2.     Propose solutions/answers to open questions for each of the attempted solutions
  3.     Propose any alternate solution that will help us implement the Function Requirement stated above
  Attempted Solution 1: Connection String uses Oracle Proxy User
  The connection string that is specified in the Universe is the following:
  app_user[end_user]/app_user_pwdarrobaDatabase.WORLD
  app_user = generic application user
  end_user = the oracle account of the end user which is set using arrobaVariable('BOUSER') app_user_pwd = password of the generic application user
  We have tried and implemented this in our test environment. However, we have some questions and concerns around how the connections are reused in a connection pool environment.
  Open Question for Solution 1:
  i. What happens when multiple proxy users try to connect on at the same time?  Business Objects shares the generic app_user connect string.  However, every user that logs on will have their own unique proxy user credentials.  Will there be any contention involved?  If so, what kind of errors can we expect?
  ii. If a user logs on using his credentials (proxy user), and business objects opens up a connection to the database using that user's credentials (as the proxy user but logging in through the generic app user). Then the user exits out --> based on our test today, it seems like the database connection remains open.  In that case, if another user logs on similarly with their credentials, will business objects simply assign the first users connection to that second user?  If so, then our security will not work.  Is there a way that Business Objects can somehow ensure that everytime we close a report, the connection is also terminated both at the BO and DB levels?
  iii. Our 3rd question is general high level -> How connection pooling works in general and how it is implemented in BO, i.e. how are new connections assigned, how are they recycled, how are they closed, etc.
  Attempted Solution 2: Using the ConnectInit parameter
  Reading through a couple of the Business Objects documents, it states that u201CUsing the ConnectInit parameter it is possible to send commands to the database when opening the session which can be used to set database specific parameters used for optimization.u201D
  Therefore, we tried to set the parameter in the Universe using several different options:
  ConnectInit = BEGIN SYSTEM.prc_logon('arrobaVARIABLE('BOUSER')'); COMMIT; END; ConnectInit = BEGIN DBMS_SESSION.SET_IDENTIFIER('arrobaVariable('BOUSER')'); COMMIT; END;
  Neither of the above iterations or any variation of that seemed to work. It seems that the variable is not being set or being u201Cexecutedu201D on the database.
  One of the Business Objects documents had stated that Patch ID 38, 977, 350 must be installed in our BO environments. We have verified that this patch has been applied on our system.
  Open Questions for Solution 2:
  How do we get the parameter ConnectInit to work? i.e. what is the proper syntax to enter and what other things do we need to check to get this to work.
  Note: Arroba word is being used instead of the symbol in order to avoid following error message:
  We are sorry but your message can not be posted since you have included an email address. Please remove the email address and re-post.

  the connectinit setting should look something like this:
  declare a date; begin vpd_setup('@VARIABLE('BOUSER')'); Commit; end;
  The vpd_setup procedure (in Oracle) should look like this:
  CREATE OR REPLACE procedure vpd_setup (p_user varchar)IS
  BEGIN
    DBMS_SESSION.set_vpd( 'SESSION_VALUES', 'USERID', p_user );
  END vpd_setup;
  Then you can retrieve the value of the context variable in your vpd functions
  and set the vpd.

• SAP Lumira - Implementing row level security

  Hi All,
  I aware that SAP Lumira 1.17 onward allows to share the datasets, stories to SAP Lumira Server as well as SAP BI Platform (4.1 SP3 onward).
  But I would like to know if there is any way of implementing Row level security for this published contents i.e. datasets or stories. e.g. If user A (may be an administrator with access to all the regions) creates dataset and story and shares it with other users over SAP Lumira Server or SAP BI Platform. But when user B accesses these contents on any platform, SAP Lumira server or SAP BI Platform, he should be able to see data only as per his access (his own region). Can something of this sort be implemented?
  Thanks,
  Abhijit

  Hi,
  Sorry for the delay in getting back to you.
  As per my understanding - as of today, we respect Row-level security when acquiring (fetching) the data from universe into Lumira desktop (also, contexts and business-security profiles i.e. columns)
  now, when that desktop user has 'designed' the Lumira document, all of the above: row-level, contexts and security profiles  are 'locked-down' into that artefact when shared onwards. (i.e. to Lum Server and hence, BI Platform)
  once this content is being access from the BI Launchpad, refresh-on-demand is possible from the story, as well as scheduling of dataset on which it is based.
  According this blog by Greg Wcislo (the product owner for the Add-on)  Lumira integration for BI4 functionality detailed. note that features such as 'refresh on open' and 'changing design-time parameters' (i.e. prompts) are not yet supported,  but very much in future scope / plans.
  I believe that one of the other mid-term goals is to architect a 'Lumira server-side universe refresh' (i.e. so that the processing is handled 100% by Lumira server) rather than querying across BIPlatform services then replicating a dataset to HANA (which is currently the process flow)
  I hope this helps.
  Regards,
  H

• Row level Security for BI Author Role

  Hi All,
  We are using OBIEE 11.1.1.5 in our project. We have a requirement where we need to configure row level security on certain column.
  We are currently using external table and session variable approach to configure this. This security works fine for the users with BI Consumer
  roles. But we are facing issue with configuring row level security for BI Author role.
  BI Author can create any analysis in BI Answers and suppose he/she creates a report which does not contain the column on which row level
  security is applied than he can see all the data. For eg.
  We have one dimension Products having two levels Product Division and Brand. I want to configure security based on Product Division column.
  But if BI Author create a report with only Brand and Measures than row level security is not working.
  Does anyone has face this issue before.
  Please let me know if you want any other information from my side.
  Regards,
  Vikas

  If you are using a multidimensional cube you can use the "permit" command to control access to dimension members or provide cell level security within the cube. The OLAP database documentation provides on how to use the PERMIT command.
  If you are using relational tables and/or views with additional CWM metadata mapped using OEM then you need to refer to the database documentation relating to Virtual Private Databases and Label Security
  Business Intelligence Beans Product Management Team
  Oracle Corporation

• Row Level Security using BO SDK - Dynamic Group and Criteria (where clauses)

  To the Universe Gurus out there:
  I have a rather daunting task of implementing a Row Level Security on a number of tables within our project using BO XI R2 SP2 with SQLServer 2005. Given the nature of the requirements around this (listed below), I am going to go with BO SDK to accomplish the creation of Restrictions. That said, I need some insight into some of the problem areas I have listed below. Any help is much appreciated.
  Background:
  We have 11 tables that are to be restricted.
  Each table is accessible to potentially 1..* group of users only.
  For eg SALES is accessible to ALL_SALES members only.
  Each row within each table is accessible to 1..* groups of users only. The restriction will occur on 2 columns Jurisdiction and LineID on SALES table.
  For eg
  1)Rows with NY Jurisdiction and LineID=123 are accessible to NY_SALES_ADMIN group only initially.
  2)NY_ADMIN will then approve that the above rows be open to NY_SALES_INTERNAL group only. This approval in turn will call upon the BO SDK to add a new restriction for the group with appropriate where clause.
  3)At a later point, the above rows will be opened to NY_SALES_EXTERNAL group also.
  This same concept holds good a number of jurisdiction (more or less static) and a dynamic number of LineIDs. So, if 10000 rows of data corresponding to new LineID 999 and Jurisdiction AK are in the table now, they are initially accessible only to AK_SALES_ADMIN group only. No one else should be able to access it.
  Results:
  1) With the way I laid out the business rules above, I am ending up with 528 groups.
  2) There is a restriction created for a unique combination of Jurisdiction and LineID for each table.
  Problems/Questions:
  How can I restrict access to the new rows to one group only. I know that I can let a certain group only look at certain data but how can I restrict that all others cannot look at the same.
  AK_SALES_ADMIN can look at LineID=999 and Jurisdiction='AK'.
  Do I use an Everyone group based restriction? If so, my Everyone group will end up with tons of restrictions. How will they be resolved in terms of priority.
  Am I even thinking of this the right way or is there a more noble way to do this?
  Regards

  the connectinit setting should look something like this:
  declare a date; begin vpd_setup('@VARIABLE('BOUSER')'); Commit; end;
  The vpd_setup procedure (in Oracle) should look like this:
  CREATE OR REPLACE procedure vpd_setup (p_user varchar)IS
  BEGIN
    DBMS_SESSION.set_vpd( 'SESSION_VALUES', 'USERID', p_user );
  END vpd_setup;
  Then you can retrieve the value of the context variable in your vpd functions
  and set the vpd.

• How to implement Bursting(Row level security) in Xcelsius

  Hi,
  We are using Xcelsius 2008. We have created xcelsius dashboard using Qaaws but for authentication in qaaws we are suing enterprise authentication and default user.
  Now in my dashboard i have one combo box wich gives data fro diffrent states, now i need to restrict the user to see the state values. I implement the row level security in universe, when i create webi report and view that reprot in infoview, the row level security works. But when i publish the dashboard to infoview the row level security doesn't work.
  We are uisng XO 3.1 with SSO on IIS. So how and what are the diffrent option available to implement the row level security in Xcelsius Dashboard.
  Thanks for the help in advance.
  Thanks,
  Nimesh.

  Nimesh,
  Were you able to implement ? I have a requirement to use the same dashboard for 5 regional users.
  Row level security works.
  combo box intial value is Global , when I login as North America user, combo still shows Global but it will have the value of North America.
  i am curious to know how you implemeted this?
  Thanks
  Pushpa

• How to enforce row level security on MSAS Cube

  We have to enforce row level security on MSAS Cube based on BOUSER.
  We are using a security table which contains BOUSER ID and Location ID
  We need help in joining the security table with MSAS Cube.
  Thanks

  HI,
  I haven't worked with cubes. But the will the knowledge I have in Universe, could probably help you.
  As you already have a table which maintains BOUSERID and location id, you could probably join location id with MSAS cube id.
  If you don't want to use this userdefined security table, you can use the inbuilt Row level security option.
  Go to Tools -> Manage access REstrcitions --> Create a new restriction --> Rows tabe ---> give a expression with BOUSER
  Hope this helps.

• Row-level security tied to a user account.

  Bear with me, I'm not quite sure I know what I'm talking about.
  Recently we migrated from BO 5.1.7 to BO XII r2 on Solaris. Under Bo 5.1.7 our Finance users tell me there was a way to attach row level security to the account itself. For example, Finance users could only access RU's which belonged to Finance. This there a way to recreate this global security level so that we don't have to do it on a case-by-case basis?
  Thank you in advance.

  You can specify row-level security for a User or UserGroup on a Universe via the Universe Designer in Tools -> Manage Security
  But that would be per Universe, and not global to Enterprise.
  Sincerely,
  Ted Ueda

• Migrate 6.5 Row Level Security to XI 3.1

  We're in the process of upgrading to BOE XI 3.1 and want to be able to use the row level security built in BO 6.5 in our upgraded environment, so that we don't have to put a bunch of restriction statements (WHERE clauses on tables with sub-selects) in our Universes. What is the best API interface or other methodology to use to be able to expose the BO 6.5 security tables in BOE XI 3.1?

  Sorry...after re-reading my first post, I guess I didn't convey specifically enough on what we're trying to do...
  We have created Data Integrator jobs that pull account Id and group id information from the security (OBJ_*) tables maintained by the 6.5 application. We load this data into custom built tables which we use in row level security restrictions in the Universe. With the migration to XI 3.1, will we be able to access the XI 3.1 security tables, using DI, in order to create the security tables we currently use in our restriction sets?
  Edited by: Dennis Scoville on Jul 10, 2009 3:04 PM

• SAP-BO SSO and Row Level Security

  Hi,
  We can configure the SAP authentication and able to login InfoView via SAP user name and password. And also, we can import the roles from the SAP system.
  When we create a connection to BW cubes from designer, we want to use "Use Single Sign On when refreshing reports at view time" to apply row-level security which is defined at the BW cubes.
  In our tests, we use "Use BusinessObjects credential mapping" while creating connection from designer to test the row level security. As you can guess, after importing the SAP user, in CMC screen > Users and Groups > Users, we manually enter the password of the user to the Database credentials part. However, as you can guess, the password of the user's is not static and that is not a good solution.
  My question is that, do I need to configure SSO between SAP and BO system or how can I enable row level security?
  System Information
  Business Objects XI 3.1
  SAP Intg. Kit 3.1
  Thanks a lot,
  Omer

  Hi Omer,
  please note that only row-level security implemented through authorization variables in BW queries can be used in BusinessObjects. Row-level security defined at cube level will not be applied.
  As long as you have used the SAP authentication to log on your BOBJ server, the SAP credentials will be used automatically to get the data from your SAP BW source as long as the "Use Single Sign On when refreshing reports at view time" option  is selected in the Database configuration panel (Found in the CMC when viewing the properties of your report) and the option "Use BusinessObjects credential mapping" is selected in your universe connection.
  Please note that this will only work for reports that are invoked directly in the infoview. If a user schedules such a report, she/he has to enter her/his SAP credentials explicitely in the Database Configuration Panel appearing in the scheduling assistant window. In this case you can activate SNC trust between your two servers in order to avoid entering a password when the report is scheduled.
  Regards,
  Stratos
  Edited by: Efstratios Karaivazoglou on May 5, 2009 10:16 AM
  Edited by: Efstratios Karaivazoglou on May 5, 2009 10:23 AM

• Row Level Security not working for SAP R/3

  Hi Guys
  We have an environment where the details are as mentioned below:
  1. Crystal Reports are created using Open SQL driver to extract data from SAP R/3 using the SAP Integration Kit.
  2. The SAP roles are imported in Business Objects CMC.
  3. Crystal Reports are published on the Enterprise as well.
  3. Authorization objects are created in SAP R/3 and added as required for the row level security as mentioned in the SAP Installation guide as well. The aim is when the user logs into the Infoview and refreshes the report he should only see data that he is meant to so through the authorization objects.The data security works very much fine when the reports are designed directly on the table but when the reports are built on the Business View it doesnt work hence the user is able to see all data.
  Any help in this issue is greatly appreciated.
  Thanks and Regards
  Kamal

  Hi,
  In order for row level security to work for you using the OpenSql driver, you need to configure the Security Definition Editor on your SAP server.  This is a server side tool which the Integration solution for SAP offers as a transport.
  This tool defined which tables are to be restricted based on authorizations.
  However since you are seeing the issue on reports based on Business Views, you need to identify whether the Business View is configured in such a way where the user refreshing the report is based on the user logging into Infoview.  If the connection to your SAP server is always established with the same user when BV is used then you security definition is pointless.
  You can confirm this by tracing your SAP server to identify what user is being used to logon to SAP to refresh the reports.
  thanks
  Mike

• Row level security in BI Publisher

  Hi All ,
  I am using BI publisher for reporting on Siebel system.The issue I am facing is regarding row level security.Even if I am logging with Employee Id, when I generate report ,I have acess to all the information of the other employees.
  e.g. If as a cashier I made some entry , when I generate report on collection made by me, its bringing me all the collections made by other cashiers also.
  I am generating these report from siebel side.I am not sure if we can apply the rowlevel security to BI Publisher.
  Does anyone has used Siebel or EBS with BI Publisher and have row level security ? I am also not sure How to see the reports by loging into BI Publisher .If I am using Siebel or EBS, what is going to be my Data Model or Data Set.
  Can anyone help me on this?
  Thanks!!

  Oracle HRMS has its own security built-in to the schemas. Other modules you will need to customize for your own use.