Row Level security on Projects view

Similar Messages

• Business View Row Level Security

  Hello,
  I would like to create a Row Level Security in Business View. We are using a stored procedure to pull the data from database. We have manager and employee hierarchy. There are two fields such as Manager and Emplyee in the stored proc or when the data is pulled. We want to restrict data at wholesaler if wholesaler is loged on and manager if manager is loged on.
  How can we do that? what filter should we apply? how can we pass on manager and wholesaler logon_Id to filter the rows in stored proc?
  Does anyone have any answers?

  Good luck with this, this was one of my issues.
  You can identify the user in Business View by using a seperate table that has the same information as BO XI R2 user name.
  CurrentCEUserName is what I am using in Business View so that I can identify what location this user has access to.
  And then I am creating an LOV filter on this information.
  We are then prompting on this LOV in CR XI R2.
  I have heard that it can be done in Stored Procedures but I am not sure what is involved.
  Rick

• Row level Security for BI Author Role

  Hi All,
  We are using OBIEE 11.1.1.5 in our project. We have a requirement where we need to configure row level security on certain column.
  We are currently using external table and session variable approach to configure this. This security works fine for the users with BI Consumer
  roles. But we are facing issue with configuring row level security for BI Author role.
  BI Author can create any analysis in BI Answers and suppose he/she creates a report which does not contain the column on which row level
  security is applied than he can see all the data. For eg.
  We have one dimension Products having two levels Product Division and Brand. I want to configure security based on Product Division column.
  But if BI Author create a report with only Brand and Measures than row level security is not working.
  Does anyone has face this issue before.
  Please let me know if you want any other information from my side.
  Regards,
  Vikas

  If you are using a multidimensional cube you can use the "permit" command to control access to dimension members or provide cell level security within the cube. The OLAP database documentation provides on how to use the PERMIT command.
  If you are using relational tables and/or views with additional CWM metadata mapped using OEM then you need to refer to the database documentation relating to Virtual Private Databases and Label Security
  Business Intelligence Beans Product Management Team
  Oracle Corporation

• Reports XI: Infoview behavior with Row Level Security

  Post Author: pwilliamsbssp
  CA Forum: General
  I have a report that is based off a business view that has project information with an additional table used to assign report users to certain clients (each project has a client).  A filter is used to assign the report user to the current ce username.The report is scheduled by the administrator login.  Each user goes to view their report on Infoview and is able to view data for only those clients specifically assigned.   This functionality seems to work fine - everyone views one instance of the report and InfoView assigns the row level security.However, I'm running into a problem viewing report histories when adding or changing client assignments.   The historical reports come up either blank or with erroneous information (such as the current week's information instead of the previous week's data saved with the instance of the report).   I have not found a logical link between the behavior of the historical reports and the specific users.  Some can see one week and not another while others have the reverse, regardless of their security assignments.Does anyone understand the behavior of view historical reports with row-level security?  I have no idea what data/metadata is saved with each report instance and when the row-level security is being read.  Is it read when viewing the report? or, is it specific to the structure of the data when the report was run?With other reports using the same row-level security model I'm able to view the historical reports although it has the client assignments at the time the report was created.  But, at least I'm able to view the reports.Any insight welcome.Patrick Williams

  Post Author: pwilliamsbssp
  CA Forum: General
  Bump.  Anyone is welcome to tackle this question.  Please.

• Row Level Security not working for SAP R/3

  Hi Guys
  We have an environment where the details are as mentioned below:
  1. Crystal Reports are created using Open SQL driver to extract data from SAP R/3 using the SAP Integration Kit.
  2. The SAP roles are imported in Business Objects CMC.
  3. Crystal Reports are published on the Enterprise as well.
  3. Authorization objects are created in SAP R/3 and added as required for the row level security as mentioned in the SAP Installation guide as well. The aim is when the user logs into the Infoview and refreshes the report he should only see data that he is meant to so through the authorization objects.The data security works very much fine when the reports are designed directly on the table but when the reports are built on the Business View it doesnt work hence the user is able to see all data.
  Any help in this issue is greatly appreciated.
  Thanks and Regards
  Kamal

  Hi,
  In order for row level security to work for you using the OpenSql driver, you need to configure the Security Definition Editor on your SAP server.  This is a server side tool which the Integration solution for SAP offers as a transport.
  This tool defined which tables are to be restricted based on authorizations.
  However since you are seeing the issue on reports based on Business Views, you need to identify whether the Business View is configured in such a way where the user refreshing the report is based on the user logging into Infoview.  If the connection to your SAP server is always established with the same user when BV is used then you security definition is pointless.
  You can confirm this by tracing your SAP server to identify what user is being used to logon to SAP to refresh the reports.
  thanks
  Mike

• How to check the row level security in TOAD for oracle

  Hi ,
  for ex, i have 2 types of users
  normal user and super user
  super user can see the group set (some column name) created by normal user
  but normal user can not see the set created by super user
  this set crestion aslso has 3 types "U','P',S'
  P & S can be viewed by even normal user
  but U should not
  so here we are having some row level security for the normal user .....
  So, in TOAD for oracle how to check that......
  Let me know if i'm not clear

  Like
  I'm the super user....
  And some records are inserted to a table by different users ('a' , 'b', etc....)
  So,if user 'a' logins then he can be able to see only the records inserted by 'a' only...
  how to see in TOAD where such type of scripts (filter conditions) are written.....

• Row level security in Hyperion System 9 - 9.3.1

  Hi Gurus,
  I have a requirement where the users get to see records in a table based on their localization code. This is currently implemented using views.
  The view has a set of conditions which checks the localization table with te employee table. For example, if any of the first manager, second manager etc.. localization code
  matches then they get to see records for that location.
  The RLS in Hyperion uses Groups to assign security rules. But in my case, the determination is dynamic based on the localization code. And these things change depending on employee movement, transfer, promotion etc..
  In such a scenario, can I use RLS only if I know a set Groups of users and where they belong to? Can RLS accomodate my above said requirement?
  z

  Follow the steps in the following link to set up OID and Row level security:
  http://www.rittmanmead.com/2007/05/21/using-initialization-blocks-with-ldap-and-database-queries-to-control-authentication-and-authorization/
  Instructions for the link above:
  1.In place of Edit Data Source as database you have to select LDAP,define the groups and default initializer as filter expression.
  2.A more simpler approach ,is to create the groups explicitely using the Security Manager in BI Administrator, add filters to those groups, and assign users to those groups.
  Otherwise follow Matt's view
  Thanks,
  Amrita

• Row level security with session variables, not a best practice?

  Hello,
  We are about to implement row level security in our BI project using OBIEE, and the solution we found most convenient for our requirement was to use session variables with initalization blocks.
  The problem is that this method is listed as a "non best practice" in the Oracle documentation.
  Alternative Security Administration Options - 11g Release 1 (11.1.1)
  (This appendix describes alternative security administration options included for backward compatibility with upgraded systems and are not considered a best practice.)
  Managing Session Variables
  System session variables obtain their values from initialization blocks and are used to authenticate Oracle Business Intelligence users against external sources such as LDAP servers or database tables. Every active BI Server session generates session variables and initializes them. Each session variable instance can be initialized to a different value. For more information about how session variable and initialization blocks are used by Oracle Business Intelligence, see "Using Variables in the Oracle BI Repository" in Oracle Fusion Middleware Metadata Repository Builder's Guide for Oracle Business Intelligence Enterprise Edition.
  How confusing... what is the best practice then?
  Thank you for your help.
  Joao Moreira

  authenticating / authorizing part is take care by weblogic and then USER variable initialized and you may use it for any initblocks for security.
  Init block for authenticating / authorizing and session variables are different, i guess you are mixing both.

• How to implement row level security?

  Hi all,
  There is a database which is for 3 companies to use it and how to use row level security to make sure that they can only manipluate their own data? For example, "employee" table, for each company they just can see their own employees information. How to use dynamic view to do it?
  Many Thanks
  Amy

  Here are two options to achieve what you want.
  A. You can do this by coding, that's if you are ready to. Are you? If yes then try the steps below:
  1. create a security codes table. Say for example
  001 - company a
  002 - company b
  2. create a security table that will list all users and which company they should have access to. You can also implement this by roles.
  3. alter all tables in the application schema to add a security code column. This will be a foreign key reference to table created in 1 above.
  4. update all data in the tables according to which company they belong to.
  5. write a procedure or package that does a validity check whenever a user requests for data. This procedure/package determines which company data the user has access/rights to.
  With this, you should be able to achieve what you want if you do not want to spend on VPD and FGAC. The problem comes where there are users who would have cross access to data from both companies. In this regard, then you have to modify your security table a little bit to handle this.
  B. This option i will admit is not so clean. You can also achieve this by two different views for every table in the application schema. And on each of these views, create a private synonym for every user. For illustration purposes:
  Table name = Employee.
  Create a view employee_a on employee
  create a view employee_b on employee
  Let's say you have users x and y. X has access to employees of company a and y has access to employees of company b. You can now create private synonyms for each of these users as follows:
  create synonym employee on employee_a in x schema.
  create synonym employee on employee_b on y schema.
  This i have not tried but believe should work.
  Hope one of these options serve your purpose.

• Parent-child hierarcy - row level security

  Hi,
  Im using OBI 11.1.1.5 and have a problem about row-level security in parent-child dimension.
  I have created a parent-child dimension, simlar to:
  a1
  --a1.1
  ----a1.1.1
  ----a1.1.2
  --a1.2
  ----a1.2.1
  By using a session variable 'SESVAR1', I want to restrict the visible hierarcy. For instance user 'a1.1' should only see:
  a1.1
  --a1.1.1
  --a1.1.2
  To do this I created a parent-child closure table with the whole dataset. Then I created a physical table using select statement with my session variable in repository. Whenever I viewed data in repository, it showed the correct set.
  I created a parent-child dimension, using the original parent-child closure table. But since current distance values are different from the original hierarcy, I can not managed to build a security such a security system with this method.
  How can I build a security system, that a member can only see its child hierarchy only?
  Thanks for answers and links...
  Edited by: user4516917 on 16.Nis.2012 06:54
  Edited by: user4516917 on 16.Nis.2012 06:55

  According to searches I made in support.oracle and google, it seems that it is not possible to view just a branch of a parent-child tree. Because the closure table is static. Therefore, you can not change the distances of objects dynamically.
  This parent-child ability is very frustrating for me. As I understand, parent-child dimension ability can only be used in read-only sources. Any filtering or dynamic changes does not seem possible in this structure. Any changes on parent-child table requires parent-child relation table to be rebuilt.
  I couldnt find any functionality of indexcol or choose functions in parent-child dimensions. I think they can only be used in level based dimensions.
  Any comments appriciated..

• Row Level Security in EPM Workspace 11.1.2.2

  Hi All,
  I'm facing an issue while implementing Row Level Security in Workspace.
  The error goes like this: "Error Accessing Row level security information Server Error: 1012 Unable to acquire row level security information from repository ..........".
  I have configured ODBC,DAS as per the documentation and enabled the RLS using Navigate option.Given below are windows and db info
  OS:Windows Server 2008- 64 bit
  DB:MS Sql Server 2008
  DBUser: with full admin permission on database.
  Thanks in Advance

  Hi All,
  Given below is the DAS log..
  [2013-06-25T10:16:21.761-04:00] [IR] [ERROR] [] [oracle.IR.com.brio.one.services.das] [host:] [nwaddr: 10.24.206.86] [tid: 20] [userId: epmt] [ecid: 0000JxqQx2C4ulmLwqH7iW1Hm49K00000D,0] [resource_id: Fetching Row Level Security Info] [session_id: OG77kW6K-0000013f7ba3e00d-0000-cd7b-0a18ce56] [subject: xxxxxxxx] [resource: IDataAccessServiceImpl::getRowLevelSecurityInfo] [originator_name: InteractiveReportingDataAccessService] SQL API: [SQLExecDirectW], SQL RETURN: [-1], SQL STATE: [42S02], SQL NATIVE ERROR: [208], SQL MESSAGE: [[Microsoft][ODBC SQL Server Driver][SQL Server]Invalid object name 'RLSUser1.BRIOSECG'.][[
  [2013-06-25T10:16:21.761-04:00] [IR] [ERROR] [] [oracle.IR.com.brio.one.services.das] [host: xxxxx] [nwaddr: 10.24.206.86] [tid: 22] [userId: epmt] [ecid: 0000JxqQx2F4ulmLwqH7iW1Hm49K00000E,0] [resource_id: Fetching Row Level Security Info] [session_id: OG77kW6K-0000013f7ba3e00d-0000-cd7b-0a18ce56] [subject: gmarichetty] [resource: IDataAccessServiceImpl::getRowLevelSecurityInfo] [originator_name: InteractiveReportingDataAccessService] Unknown exception handled in RequestProcessor::GetRowLevelSecurityInfo()@D:\talleyrand\views\buster_talleyrand_bi_code\v1_bi_code\services\com\brio\one\services\das\proc\reqproc.cpp:1284[[
  [2013-06-25T10:16:21.762-04:00] [IR] [ERROR] [] [oracle.IR.com.brio.one.services.das] [host: xxxxxx] [nwaddr: 10.24.206.86] [tid: 20] [userId: epmt] [ecid: 0000JxqQx2C4ulmLwqH7iW1Hm49K00000D,0] [resource_id: Fetching Row Level Security Info] [session_id: OG77kW6K-0000013f7ba3e00d-0000-cd7b-0a18ce56] [subject: xxxxxxx] [resource: IDataAccessServiceImpl::getRowLevelSecurityInfo] [originator_name: InteractiveReportingDataAccessService] DAS Exception handled in IDataAccessServiceImpl::getRowLevelSecurityInfo()@D:\talleyrand\views\buster_talleyrand_bi_code\v1_bi_code\services\com\brio\one\services\das\idl\impl\idasimpl.cpp:1560[[
  Exception Message: Unable to acquire row level security information from repository.
  Please note that ODBC/DAS are configured as per the documentation.I am able to see BRIOSECG table in SQL Server,IR Studio and Web Client "Invalid object name 'RLSUser1.BRIOSECG'.][[" ,but when i select some fields from this tables in web client and process,then getting stated above error..
  Any Suggestions are appreciated...

• ADFBC 10.1.3.3 Row Level Security

  Hello.
  Till now, we have implemented Row Level Security through a database function, and using this function in all our view objects where clause.
  We would like to remove this database function, and implement this kind of security with ADFBC. Is this possible ? VPD is not an option. We are trying to make our product database independent.
  In general terms, we would need to check some conditions before creating the viewObjects rowset. I believe ADFBC does provide us with a mechanism to achieve this, but I'm not aware of how to do it.
  Any help would be great.
  Thanks a lot.
  John

  Thanks for the response Frank.
  Our row level security is if a certain user, has the rights to view a specific database row. We have all this security mapped to the database. Today we have a database function that receives some parameters (to identify which entity usecase is beeing queried) and returns yes or no, depending on the user rights.
  I'm not sure how to achieve this using the RowImpl class. It's my understanding that this a rowImpl class is always created when checking the row from the view object (hasNext() for example). But how do I fetch the current row, check if the user has the rights to view this row and return the fully filled row, or if he doesn't have access to this row, I would need to remove this row from the rowset. Is it possible to do this, just by implementing the rowimpl class of my View Object ? If so, which methods should I override to achieve this ?
  Thanks again

• Row level security in OBIEE 11g

  Hi guys,
  We have a business intelligence project in OBIEE, and I have a question regarding row level security (RLS).
  Specifically, I have an hierarchical organization with users belonging to different structures. If one user belongs
  to a structure that is above another structure in hierarchy, then he should see both data from his structure and
  the of the users in structures bellow it. In the reports, we must have filters implemented respecting this requirement,
  i.e. if one logs in OBI and accesses the report, he should see in the filter "Users" only subordinate users and respectively
  data displayed in the report should be filtered accordingly. How would you suggest to implements this type of security
  in the data model? And how could I create the type of filter mentioned above?  

  This needs to be implemented in 3 different levels. 1. in database  2. in RPD  3 in reports
  1. You need to have facts or dimensions which have columns through which you can filter based on their hierarchy. e.g position in an organisation or department in the hierarchy table which can be joined to fact.
  2. In rpd you need to create a session variable and initialize it using init block based on the user who is logging in. This variable will be you position or department through which you want to filter based on hierarchy. e.g select position from hierarchy_table where user= 'NQSession(user)' . The resulting position value will be used as a filter.
  3. Add this position variable as a content filter in your LTS in you BMM layer.
  4. You can also use this session variable  as a filter in you reports too.
  hope this helps.
  Senthil

• How to apply row level security against the database administrator

  I would like an advice in applying row level security against the database administrator. We need to prevent DBA from editing data in some table rows or have any indication that data was corrupted.
  There is no problem in viewing the data so we considered one way hash function or digital signature which will be stored in the same table, but we see following disadvantages:
  HASH - DBA may use the same hash function to update the stored data after he changes the sensitive row.
  Digital signature - the is a need to manage and keep the private key in a safe place outside of DB
  Is there additional ways to achieve the aim?

  Does VPD helps to prevent from DBA to edit/view a data in specific rows?Yes.
  If I correctly understand, DBA has full access to security policy used by VPD to control the access and can grant himself privileges that I don't want.You can to define which users can be exempt of the politics, for the context or by Grant EXEMPT.
  This includes DBAs.
  The simple fact of being DBA doesn't guarantee the exemption.
  Everything goes to depend of the VPD config.

• Row-level security(VPD) problem

  Hi,
  ADF BC, Jdeveloper 11.1.1.3.0
  We want to implement Row-level security in ADF by VPD, and do following:
  1, create VPD policy according to the following sample
  http://www.oracle.com/webfolder/technetwork/tutorials/obe/db/10g/r2/prod/security/vpd/vpd_otn.htm
  2, Override prepareSession(), and set user info by dbms_application_info.set_client_info; in policy function get the user info, and implement filter logic.
  The confusing problem is: When first user login, data has been filtered right. But, when the second user or third user login, it gets the first user's data.
  We also use SQL Trace, and find the second user's operation(SQL) are not recorded in SQL trace file, the view object may not query database. We test clearCache(), viewCriteria with 'Query Execution Mode: Database', and etc, but can not solve the problem.
  I appreciate your suggestion.
  thanks

  So how did you tell Weblogic not to cache the SQL statement? I will be using VPD in a new application, and I definitely want to avoid the problem you had.