Row level security not working if I hit the aggregate

I have applied row level security on presentation layer , however it does not work if the report hit the aggregate any idea on this...

Hi Ingo,
Security is set up using /crystal/rls transaction. A custom auth object is used for checking the company code with a single field "BUKRS".
This custom auth object is maintained for the PA0001 table.
This object is added at the role level with the restricted access to the Company Code..

Similar Messages

  • Row Level Security not working for SAP R/3

    Hi Guys
    We have an environment where the details are as mentioned below:
    1. Crystal Reports are created using Open SQL driver to extract data from SAP R/3 using the SAP Integration Kit.
    2. The SAP roles are imported in Business Objects CMC.
    3. Crystal Reports are published on the Enterprise as well.
    3. Authorization objects are created in SAP R/3 and added as required for the row level security as mentioned in the SAP Installation guide as well. The aim is when the user logs into the Infoview and refreshes the report he should only see data that he is meant to so through the authorization objects.The data security works very much fine when the reports are designed directly on the table but when the reports are built on the Business View it doesnt work hence the user is able to see all data.
    Any help in this issue is greatly appreciated.
    Thanks and Regards
    Kamal

    Hi,
    In order for row level security to work for you using the OpenSql driver, you need to configure the Security Definition Editor on your SAP server.  This is a server side tool which the Integration solution for SAP offers as a transport.
    This tool defined which tables are to be restricted based on authorizations.
    However since you are seeing the issue on reports based on Business Views, you need to identify whether the Business View is configured in such a way where the user refreshing the report is based on the user logging into Infoview.  If the connection to your SAP server is always established with the same user when BV is used then you security definition is pointless.
    You can confirm this by tracing your SAP server to identify what user is being used to logon to SAP to refresh the reports.
    thanks
    Mike

  • Obi 11g row level security not working

    All,
    I am very familiar and have worked with obi 10g row level security and it works pretty easily. Now in 11g not so easy. I am basically setting permissions on data filters on app roles as per the new 11g instructions and meta data guide, however, I never see the filters being applied in the report and also in the nqquery.log. I have tried in vain, and nothing. The filters are never being applied for the test user. I even verified the user is in the specified app role via their my account->app roles tab. Now has anyone had this experience or now is there something that must be done additionally now.
    Very frustrated... ;(

    Ok, so I have found the solution and ultimately the answer to why the object level and row level security was not being applied. It so happens that the app policy: 'resourceType=oracle.bi.server.permission, resourceName=oracle.bi.server.manageRepositories all' not only allows the management and access to online RPDs; but, IT ALSO DOES NOT APPLY SECURITY/PERMISSIONS IN THE RPD TO THAT USER thus you are super user. So the OOTB BIAdministrator app role which my AD user was being assigned never had any security applied due to this. How I tested:
    1) I created a test user
    2) Assigned that user to the BIAuthor app role and saw that they had the security applied that I was testing, which was simple object denial and row-level security to just one year on the date dim.
    3) Since it was working, I then assigned that user to the BIAdministrator role. This produced that the test user now does not have any restrictions that I set and that were working before. Thus, security/perms in the RPD are not applied.
    4). I removed the user from the BIAdministrator app role, kept in the BIAuthor app role and then created new test app role. I mapped that user to this new role along with the BIAuthor role. I then proceeded in creating new app policy with just that policy and assigning the new app role to it.
    5) I logged into the presentation services again with this test user after assigning to new app role and policy. My test user again does not have the security being applied and does not get any perms/security that I set and applied in the RPD. On top of that my test user is now able to login in online mode to the rpd via the bi admin tool.

  • Crystal reports LOV cascading prompts row level security not working

    Crystal report LOV cascading prompts with row level security is not woking when the crytal report cache server/page server cache (Oldest On-Demand Data Given To a Client (in minutes)) is turned on. But its working fine when the cache is turned off.
    Using XIR2 environment.
    Appreciate the response.
    Thanks
    Chenthil

    Hi Chen,
    In terms of what could be done on the Crystal Reports end, there is no such controls available.  However, your question may be better answered if it was posted to our Business Objects Enterprise forum. 
    It is at "BusinessObjects Enterprise Administration" section of the forums.
    FYI.

  • Row Level Security Not working for the ECC table.

    Hi All,
    We have created a crystal report using SQL Driver.
    We have set the row level security on PA0001 table so that we can restrict the query based on Company Code.
    But when I run the report, it bypasses the row level security and gives access.
    Am I missing some configuration?

    Hi Ingo,
    Security is set up using /crystal/rls transaction. A custom auth object is used for checking the company code with a single field "BUKRS".
    This custom auth object is maintained for the PA0001 table.
    This object is added at the role level with the restricted access to the Company Code..

  • Item level security not working when placed in a portlet page

    I have three page links linking to separate pages and have two of them with item level security turned on for specific groups with view privilges. I have the access for those groups with view privilges in the page level as well. I have published that as portlet and placed the portlet in another page which has view priviliges for the groups specified in item level as well.
    But I notice that when i place the portlet in a page, the item level security is not working.
    Item Level Security Not Working for Items Placed on a page and published as portlet and placed in another page. Is there some work around for this.
    Thanks
    Valli

    Would you please clarify for me? Is the problem that unauthorized people can see the portlet, or that unauthorized people can see the links?

  • Item Level Security not working with Tabs

    I've Portal 9.0.2.2.22
    This issue is with Item Level Security with Tabs. Here is what I've have:
    Page Group: MyPagegroup (Privs: portal => Manage All)
    Page: MyTestPage (Privs: portal => Manage All,
    testUser => View)
    There is a tab called MyTab on page MyTestPage which has two items (simple images) image1 and image2. The tab's access privs have been set NOT to inherit from the page. The public check box has not been checked for the tab. I've specifically assigned access privs to the tab.
    Now here are the two scenarios that I'm having problem with:
    1) MyTab (portal => Manage All, testUser => view)
    image1 (ILS enabled: portal => Manage All)
    image2 (ILS enabled: portal => Manage All,
    testUser => View)
    When logged in as "testUser", I still see both the images on MyTab although image2 doesn't have view priv to testUser. My expected result is to see just image2 on the tab.
    2) MyTab (portal => Manage All)
    image1 (ILS enabled: portal => Manage All,
    testUser => View)
    image2 (ILS enabled: portal => Manage All)
    When logged in as "testUser", I still see NO images on MyTab although image1 has view privs to testUser. I would expect to see image1 on the tab.
    Question: In both the above cases, the tab privs seem to be dictating what the user sees regardless of what the item level privs are set to. Is this normal behavior or a bug? If a bug, is there a patch? Is there any way so that even after setting the tab privs, I still have finer control of what the user can access through item level privs?
    If I don't put the items under a tab, then things work as expected.
    thanks
    Lalit Agarwal
    Vienna, VA
    703-521-5200 x3610

    This is a known problem with the 9.0.2 release - fixed in 9.0.2.6.
    Regards,
    Jerry
    PortalPM

  • Object Level security not working on OBIEE 11g 11.1.1.7

    Hi,
    I am experiencing problems with object level security applied on application role in 11.1.1.7 version. If i create a user and assign that user to a application role and give that application role permission to Access Answers in Manage previleges, it is not working. If i directly add a user to permission list in Manage previleges section then user is able to access the answers. I added that application role in "Access to Answers" section in Manage previleges section. Permission for Authenticated users is denied.
    We recently upgraded from 11.1.1.5 to 11.1.1.7. Please can someone confirm if it a bug in 11.1.1.7 or it is because of the upgrade process.
    Regards,
    Sandeep

    Hello Sandeep,
    I have just verified the below scenario as you said but didnt find any issue.
    I have just created a User, Group and Applictaion Role under default authentication provider . Assigned user under group and group under newly created application role and provided access to answers for new application role under manage privilages and I am able see it.
    This might not be a 11.1.1.7 bug check it from upgrade end.
    Regards,
    Srikanth

  • Group Level Data Level Security not working

    I'm trying to test the data level security at the group level.
    Here's what I did
    1. Went to the security -> Groups -> Permissions -> Filters
    2. In Name added the Fact table on which I want to filter.
    3. Selected "Enable"
    4. In Filter Column I added a filter on a column in the dimension. (I didn't use any session variables in the filter)
    When I create an answers query with the column from the dimension (Which I used in filter) and fact from the fact table where I defined the filter, the filter is not applied..
    Am I missing something in the creation of filters?
    Thanks in Advance.
    Rama.

    Hi,
    If the user is member of both user defined and Administrator group no filter will be applied to them because Administrator group will take precedence and no filter can be applied to Administrator.Even if you ooen Administrator group, you will see that permission tab is disabled for Administrator group.
    Hope this helps.
    Regards,
    Sandeep

  • Database Level Security not working ???

    The 10 g (10.1.2.1) documentation states the following:
    Chapter 7 Controlling access to information:
    "Regardless of the access permissions and task privileges that you set in Discoverer Administrator, a Discoverer end user only sees folders if that user has been granted the following database privileges (either directly or through a database role):
    ex: SELECT privilege on all the underlying tables used in the folder "
    So how come a folder (view in my case - not table) cannot be queried directly by a user, but the folder still shows up a choice when building a report using PLUS ? I am misreading the above ? For is sounds lilke to me if the user account does not have SELECT privilege then they will not see the folder in Discoverer ?
    Anyone run into the same issue or have an explanantion ?
    thanks
    OBX

    I think the user has access to see all the folders in the business area in Discoverer if he has permission to do so. This is a Discoverer level security to filter people who should not have access to the business area at all. You'll find that although they can see these Discoverer folders because the permission is set in Discoverer Administrator, that the database tables they are based on will not allow the users to see any of the data if they don't have those rights at the database level.

  • Access Control Mechanism (data level security) not working properly

    Hi Experts,
    I have done datalevel security for groups by help of a database table. This table contains UserId, Dept. code, GroupName column. UserID are verified by LDAP server during logging into Dashboard. I have made two init blocks for GroupName and Dept.Code .
    Query is :
    SELECT 'Group', GroupName from TABLE
    Where
    UserId = ':USER'
    Similiar query is for Dept Code.
    There are two groups ; 1. CC_User 2. Full_User. I have applied filter in PERMISSIONS for CC_User on Fact table on Dept Code. So, user in this group may see data for Dept Code aligned to him in the table. All_User may see whole data for All Dept Codes as NO filter is applied on this group.
    Dept Code , UserId and GroupName are Varchar.
    Now problem is this when a user have membership of one group , it works fine. For CC_user it shows data for its Dept Code and All_user may see whole data.
    But When A user have permission of both the groups , only data related to CC_User group is visible. But, in my view , maximum permmision out of the both groups must be applied to the user if he belongs to more than one group.
    So , here , he must see whole data, as All_user group can see full data.
    Does least restrictive permmission happens in case of membership of more than one group in OBIEE.

    848839 wrote:
    Does least restrictive permmission happens in case of membership of more than one group in OBIEE.Indeed it does. The most restrictive filters get applied if a user belongs to multiple groups that have filters at various levels of data because its always an AND clause in the where condition. This is the sort of behavior in various tools I have seen apart from OBIEE.
    Hope this helps.
    Regards,
    -Amith.

  • Row level security.... yes or no in HTMLDB???

    Hi Guys,
    This is just a little confusing... in the application developer of HTMLDB, it has a section to implement VPD features, but when I come round to doing pete finnigans (http://www.securityfocus.com/infocus/1743) RLS tutorial, i get the following error when creating the vpd policy:
    ORA-00439: feature not enabled: Fine-grained access control.
    So can I get row level security to work in Oracle XE or do I have to integrate Oracle 10g EE with HTMLDb to get this to work?
    If so... how do I do that?
    Best Regards
    Shahram Shirazi

    Virtual private database / fine grained access control is not supported in Oracle XE, it is an Enterprise Edition feature.
    http://download-uk.oracle.com/docs/cd/B25329_01/doc/license.102/b25456/toc.htm#BABECIEG
    Re: Got ORA-00439:  feature not enabled: Fine-grained access control
    ~Dietmar.

  • Row level security in Xcelsius through scheduled reports?

    Hi Experts,
    Our requirement is to implement row level security in Xcelsius dashboards from SAP BW source through Bex queries which would have authorization variables. We have seen that these Bex authorization variables work in Webi reports and security is applied appropriately. But do they work in upto Xcelsius as well, if we use Live Office Parameter binding option? If it does, then do we need to create prompts agian in Webi?
    We have also seen that security is applied if we use the BICS (SAP Netweaver native connectivity) option. However our objective is to schedule as many reports as possible in the dashboard to save on report refresh time at run-time, which is not possible is BICS or QAAWS. Therefore the best option for us would have been if we could apply row level security on scheduled reports.
    Can you please advise on the best approach? Your help is greatly appreciated.
    Thanks,
    Sougata

    Since you are using BEx queries as data sources authorization variables is the only way to apply row level security. This will work fine also for XCelsius dashboards that run in the InfoView (in an SAP logon context eg. when the user uses it's SAP credentials to login into the InfoView) and fetch data on-demand over LO from your WebI reports. Just make sure that the underlying webi reports are set to use SSO.
    If you are using scheduled report instances no row level security is applied depending on the context of the user that started the dashboard. XCelsius will get the data that have been saved in the instances. In this case the row level security has been already applied at the moment the report instance was created BUT for the user who scheduled the reports to run.
    Regards,
    Stratos

  • Help with implementing Row Level Security in Interactive Reporting

    We're deploying Hyperion BI+ 9.3.1, using Workspace and Interactive Reporting. I'm researching how we can use the Workspace row level security option. I've read what's available for documentation in the Workspace Administrator Guide and the Interactive Reporting Users Guide. I understand the concept of setting up rules with row_level_security.bqy, but I'm confused about where these tables should go and what actually happens when I go to Workspace > Administrator > Row Level Security and turn it on.
    The Administrator's Guide tells me the "properties" are stored in the repository, but the "rules" are in the "data source". Does that mean my BRIOSEC* tables go in the database I'm running my reports from? If so, then what's the data source I'm filling in on Workspace > Administrator > Row Level Security?
    I have many different database connections going to different Oracle and SQL*Plus instances, and I don't want to apply row level security to all of them. How does Workspace tell the difference between them? If I enable rules but create a report from a database that doesn't have rules defined for it, what happens?

    The 3 tables used with the RLS are stored in the same schema as your repository by default.
    The RLS store all the Rules for any database that you are using.
    You define the rules based on the tablename (owner.tablename) and the column name.

  • Data Level Security In OBIEE 11g based on the filters setup in RPD

    Hello All,
    We are trying to implement the data level security on a BI publisher report that is using BI server as the data source. The filters are created in the RPD based on user login ( session variable USER). From the documentation of BI publisher, I see that you have to enable the option Use Proxy Authentication to pass the user information down to BI publisher from OBIEE when using BI server as the data source to implement row-level security. After checking that option, the BI pub report does not render anymore. This is all in 11g. Can anyone help me with where I am going wrong?
    Regards,
    -Amith.

    A.Y wrote:
    Hello All,
    We are trying to implement the data level security on a BI publisher report that is using BI server as the data source. The filters are created in the RPD based on user login ( session variable USER). From the documentation of BI publisher, I see that you have to enable the option Use Proxy Authentication to pass the user information down to BI publisher from OBIEE when using BI server as the data source to implement row-level security. After checking that option, the BI pub report does not render anymore. This is all in 11g. Can anyone help me with where I am going wrong?
    Regards,
    -Amith.Not sure, if anyone has yet ran into this issue, but the workaround we have implemented is to build a report in OBIEE and use the analysis query as the source for BI Publisher.

Maybe you are looking for

  • Hierarchy download using bsp

    I have a requirement where I have to display all hierarchies on an infoobject to a user. The user should be able to select a particular hierarchy and download it as a flat file to a location. Can this be done using bsp?

  • How to create login page for application with jheadstart

    Is there a how to section for jheadstart? After reviewing the jheadstart developer's guide. I am still left with lot of questions: 1. how to create a login page to allow access to an application using username/password from a database table 2. how to

  • Where the Instance are saved

    Hi, I want to know where the instances of the particular report (When we schedule a report) is saving in server.I am able to find the instances in History tab of the report object.But i want to know where it is saved in server.Will it affect the perf

  • Windows Presentation Foundation (WPF) and XAML

    Hi, I just saw a high-level presentation about Windows Presentation Foundation (WPF) and XAML. I understand that one of the advantages to using this new desktop technology is better control over image resolution. I'm no techie, but I immediately thou

  • Multiple form printing

    Hi I am new in sapscript, and I would like to know, if is it possible to make more output for more data. If for example I have in printing report an internal table with three element, and I want to trigger distinct print for each element, how can I d