Row level security with session variables, not a best practice?

Similar Messages

• Urgent: row level security with VPD

  Has any one implemented the row level security in Virtual private database(VPD) for Discoverer.
  Please let me know how well does it work with discoverer and are there any flip sides that one needs to be aware of.
  Thanks

  authenticating / authorizing part is take care by weblogic and then USER variable initialized and you may use it for any initblocks for security.
  Init block for authenticating / authorizing and session variables are different, i guess you are mixing both.

• Row level security problem.

  Hy all, I'm new to Oracle and though i've google it a lot I didn't manage to find a solution to this problem:
  I'm using sql developer and Oracle 10g.
  I have this two tables :
  CREATE TABLE HR_employees
  (codHR NUMBER(3) CONSTRAINT pk_hr PRIMARY KEY,
  coddep NUMBER(4) not null,
  DB_user VARCHAR2(10),
  and
  CREATE TABLE Candid
  (codcan NUMBER(2) CONSTRAINT PK_candidat PRIMARY KEY,
  codHr NUMBER(3) NOT NULL,
  CONSTRAINT FK_CODHR FOREIGN KEY (codHR) REFERENCES HR_employees (codHR) );
  I tried to implement row level security on them by using two views:
  CREATE OR REPLACE VIEW employees_v AS
  SELECT * FROM hr_employees
  WHERE DB_user = user
  UNION
  SELECT * FROM hr_employees
  WHERE codhr=(SELECT codhr FROM hr_employees WHERE db_user=user );
  AND coddep IN (4000,5000);
  CREATE OR REPLACE VIEW candid_v AS
  SELECT cand.*
  FROM candid cand , hr_employees hr
  WHERE cand.codhr= hr.codhr
  AND hr.db_user=user
  UNION
  SELECT cand.* FROM candid cand, hr_employees hr
  WHERE hr.coddep=(SELECT H.coddep FROM hr_employees H
  WHERE H.db_user=user
  AND H.coddep IN (4000,5000) );
  What I want to do is to disconnect and connect with another user from SQL Developer and see different fields based on the user and the department, Sql developer doesn't seem to recognize the user connected to the database..everytime I receive a no row selected statement, only when I connect with SYS and put the actual username WHERE H.db_user='SYS' they seem to work. I have created the tables with SYS and granted Select on the views to the users, the users don't have privilegies on the actual tables.
  Sorry for the bad english,it's a foreign language to me ,
  I hope you can help me

  Hi,
  Damorgan is right: "Row level security has nothing to do with views" in the sense that the two are independent. You can have row-level security with or without views, and you can have views with or without row-level security. dbms_rls is a very useful and powerful way to implement row-level security, and you should check it out, but it's not necessarily the answer to all row-level security problems.
  I'm not sure I understand your problem beyond the need to restrict user A's access to two tables.
  If which rows user A is allowed to see depends on the results of queries from those same tables, including rows that user A is not allowed to see (that is, you need to do sub-queries with some other user's (let's call this user B's) privileges), then you can do those sub-queries in stored procedures.
  Stored procuderes can run with the privileges of the procedure owner, regardless of who is calling them. Using a function called user_codhr owned by user B, you could define a view like this:
  CREATE OR REPLACE VIEW employees_v AS
  SELECT * FROM hr_employees
  WHERE DB_user = user
  OR    (   codhr = user_codhr
        AND coddep IN (4000,5000)
        );If the results of the function will be the same throughout the session, you can call it once, at the beginning of your session, and save the results in a SYS_CONTEXT varaible or a global temporary table.
  If you need more help, post a more detailed example of the problem, such as "With this data in the table, B should see all rows but A should see only ...".

• Crystal reports LOV cascading prompts row level security not working

  Crystal report LOV cascading prompts with row level security is not woking when the crytal report cache server/page server cache (Oldest On-Demand Data Given To a Client (in minutes)) is turned on. But its working fine when the cache is turned off.
  Using XIR2 environment.
  Appreciate the response.
  Thanks
  Chenthil

  Hi Chen,
  In terms of what could be done on the Crystal Reports end, there is no such controls available.  However, your question may be better answered if it was posted to our Business Objects Enterprise forum. 
  It is at "BusinessObjects Enterprise Administration" section of the forums.
  FYI.

• Obi 11g row level security not working

  All,
  I am very familiar and have worked with obi 10g row level security and it works pretty easily. Now in 11g not so easy. I am basically setting permissions on data filters on app roles as per the new 11g instructions and meta data guide, however, I never see the filters being applied in the report and also in the nqquery.log. I have tried in vain, and nothing. The filters are never being applied for the test user. I even verified the user is in the specified app role via their my account->app roles tab. Now has anyone had this experience or now is there something that must be done additionally now.
  Very frustrated... ;(

  Ok, so I have found the solution and ultimately the answer to why the object level and row level security was not being applied. It so happens that the app policy: 'resourceType=oracle.bi.server.permission, resourceName=oracle.bi.server.manageRepositories all' not only allows the management and access to online RPDs; but, IT ALSO DOES NOT APPLY SECURITY/PERMISSIONS IN THE RPD TO THAT USER thus you are super user. So the OOTB BIAdministrator app role which my AD user was being assigned never had any security applied due to this. How I tested:
  1) I created a test user
  2) Assigned that user to the BIAuthor app role and saw that they had the security applied that I was testing, which was simple object denial and row-level security to just one year on the date dim.
  3) Since it was working, I then assigned that user to the BIAdministrator role. This produced that the test user now does not have any restrictions that I set and that were working before. Thus, security/perms in the RPD are not applied.
  4). I removed the user from the BIAdministrator app role, kept in the BIAuthor app role and then created new test app role. I mapped that user to this new role along with the BIAuthor role. I then proceeded in creating new app policy with just that policy and assigning the new app role to it.
  5) I logged into the presentation services again with this test user after assigning to new app role and policy. My test user again does not have the security being applied and does not get any perms/security that I set and applied in the RPD. On top of that my test user is now able to login in online mode to the rpd via the bi admin tool.

• Row level security not working if I hit the aggregate

  I have applied row level security on presentation layer , however it does not work if the report hit the aggregate any idea on this...

  Hi Ingo,
  Security is set up using /crystal/rls transaction. A custom auth object is used for checking the company code with a single field "BUKRS".
  This custom auth object is maintained for the PA0001 table.
  This object is added at the role level with the restricted access to the Company Code..

• Reports XI: Infoview behavior with Row Level Security

  Post Author: pwilliamsbssp
  CA Forum: General
  I have a report that is based off a business view that has project information with an additional table used to assign report users to certain clients (each project has a client).  A filter is used to assign the report user to the current ce username.The report is scheduled by the administrator login.  Each user goes to view their report on Infoview and is able to view data for only those clients specifically assigned.   This functionality seems to work fine - everyone views one instance of the report and InfoView assigns the row level security.However, I'm running into a problem viewing report histories when adding or changing client assignments.   The historical reports come up either blank or with erroneous information (such as the current week's information instead of the previous week's data saved with the instance of the report).   I have not found a logical link between the behavior of the historical reports and the specific users.  Some can see one week and not another while others have the reverse, regardless of their security assignments.Does anyone understand the behavior of view historical reports with row-level security?  I have no idea what data/metadata is saved with each report instance and when the row-level security is being read.  Is it read when viewing the report? or, is it specific to the structure of the data when the report was run?With other reports using the same row-level security model I'm able to view the historical reports although it has the client assignments at the time the report was created.  But, at least I'm able to view the reports.Any insight welcome.Patrick Williams

  Post Author: pwilliamsbssp
  CA Forum: General
  Bump.  Anyone is welcome to tackle this question.  Please.

• Row Level Security not working for SAP R/3

  Hi Guys
  We have an environment where the details are as mentioned below:
  1. Crystal Reports are created using Open SQL driver to extract data from SAP R/3 using the SAP Integration Kit.
  2. The SAP roles are imported in Business Objects CMC.
  3. Crystal Reports are published on the Enterprise as well.
  3. Authorization objects are created in SAP R/3 and added as required for the row level security as mentioned in the SAP Installation guide as well. The aim is when the user logs into the Infoview and refreshes the report he should only see data that he is meant to so through the authorization objects.The data security works very much fine when the reports are designed directly on the table but when the reports are built on the Business View it doesnt work hence the user is able to see all data.
  Any help in this issue is greatly appreciated.
  Thanks and Regards
  Kamal

  Hi,
  In order for row level security to work for you using the OpenSql driver, you need to configure the Security Definition Editor on your SAP server.  This is a server side tool which the Integration solution for SAP offers as a transport.
  This tool defined which tables are to be restricted based on authorizations.
  However since you are seeing the issue on reports based on Business Views, you need to identify whether the Business View is configured in such a way where the user refreshing the report is based on the user logging into Infoview.  If the connection to your SAP server is always established with the same user when BV is used then you security definition is pointless.
  You can confirm this by tracing your SAP server to identify what user is being used to logon to SAP to refresh the reports.
  thanks
  Mike

• Row Level Security Not working for the ECC table.

  Hi All,
  We have created a crystal report using SQL Driver.
  We have set the row level security on PA0001 table so that we can restrict the query based on Company Code.
  But when I run the report, it bypasses the row level security and gives access.
  Am I missing some configuration?

  Hi Ingo,
  Security is set up using /crystal/rls transaction. A custom auth object is used for checking the company code with a single field "BUKRS".
  This custom auth object is maintained for the PA0001 table.
  This object is added at the role level with the restricted access to the Company Code..

• Help with implementing Row Level Security in Interactive Reporting

  We're deploying Hyperion BI+ 9.3.1, using Workspace and Interactive Reporting. I'm researching how we can use the Workspace row level security option. I've read what's available for documentation in the Workspace Administrator Guide and the Interactive Reporting Users Guide. I understand the concept of setting up rules with row_level_security.bqy, but I'm confused about where these tables should go and what actually happens when I go to Workspace > Administrator > Row Level Security and turn it on.
  The Administrator's Guide tells me the "properties" are stored in the repository, but the "rules" are in the "data source". Does that mean my BRIOSEC* tables go in the database I'm running my reports from? If so, then what's the data source I'm filling in on Workspace > Administrator > Row Level Security?
  I have many different database connections going to different Oracle and SQL*Plus instances, and I don't want to apply row level security to all of them. How does Workspace tell the difference between them? If I enable rules but create a report from a database that doesn't have rules defined for it, what happens?

  The 3 tables used with the RLS are stored in the same schema as your repository by default.
  The RLS store all the Rules for any database that you are using.
  You define the rules based on the tablename (owner.tablename) and the column name.

• Universe row level security workiing in main report but not subreports

  I have a report with a couple of sub reports that are running against a universe with row level security. The security works in the main report but when the sub reports run, the security is missing. The report is running through BOE, CR XI R2. Is there something Im missing...? Being new to BOE...

  Hi Michael,
  I am sure the Sub-report is also based on Universe.
  Try to create query with atleast one object/column coming from table on which row level security is applied in universe.
  Hope this will solve the problem.
  Thanks,
  Sushil

• Implement row-level security using Oracleu2019s Virtual Private Databases (VPD)

  Environment: Business Objects XI R2; Oracle 10g
  Functional Requirement:
  Implement row-level security using Oracleu2019s Virtual Private Databases (VPD) technology. The restriction is that the Business Objects Universe connection should use a generic/u201Capplicationu201D database user account. This will allow the organization to avoid the situation where the Business Objects password and the Oracle password need to be kept in synch.
  What do we need from the Business Objects support team?
  1.     Review the 2 attempted solutions that we have tried to implement
  2.     Propose solutions/answers to open questions for each of the attempted solutions
  3.     Propose any alternate solution that will help us implement the Function Requirement stated above
  Attempted Solution 1: Connection String uses Oracle Proxy User
  The connection string that is specified in the Universe is the following:
  app_user[end_user]/app_user_pwdarrobaDatabase.WORLD
  app_user = generic application user
  end_user = the oracle account of the end user which is set using arrobaVariable('BOUSER') app_user_pwd = password of the generic application user
  We have tried and implemented this in our test environment. However, we have some questions and concerns around how the connections are reused in a connection pool environment.
  Open Question for Solution 1:
  i. What happens when multiple proxy users try to connect on at the same time?  Business Objects shares the generic app_user connect string.  However, every user that logs on will have their own unique proxy user credentials.  Will there be any contention involved?  If so, what kind of errors can we expect?
  ii. If a user logs on using his credentials (proxy user), and business objects opens up a connection to the database using that user's credentials (as the proxy user but logging in through the generic app user). Then the user exits out --> based on our test today, it seems like the database connection remains open.  In that case, if another user logs on similarly with their credentials, will business objects simply assign the first users connection to that second user?  If so, then our security will not work.  Is there a way that Business Objects can somehow ensure that everytime we close a report, the connection is also terminated both at the BO and DB levels?
  iii. Our 3rd question is general high level -> How connection pooling works in general and how it is implemented in BO, i.e. how are new connections assigned, how are they recycled, how are they closed, etc.
  Attempted Solution 2: Using the ConnectInit parameter
  Reading through a couple of the Business Objects documents, it states that u201CUsing the ConnectInit parameter it is possible to send commands to the database when opening the session which can be used to set database specific parameters used for optimization.u201D
  Therefore, we tried to set the parameter in the Universe using several different options:
  ConnectInit = BEGIN SYSTEM.prc_logon('arrobaVARIABLE('BOUSER')'); COMMIT; END; ConnectInit = BEGIN DBMS_SESSION.SET_IDENTIFIER('arrobaVariable('BOUSER')'); COMMIT; END;
  Neither of the above iterations or any variation of that seemed to work. It seems that the variable is not being set or being u201Cexecutedu201D on the database.
  One of the Business Objects documents had stated that Patch ID 38, 977, 350 must be installed in our BO environments. We have verified that this patch has been applied on our system.
  Open Questions for Solution 2:
  How do we get the parameter ConnectInit to work? i.e. what is the proper syntax to enter and what other things do we need to check to get this to work.
  Note: Arroba word is being used instead of the symbol in order to avoid following error message:
  We are sorry but your message can not be posted since you have included an email address. Please remove the email address and re-post.

  the connectinit setting should look something like this:
  declare a date; begin vpd_setup('@VARIABLE('BOUSER')'); Commit; end;
  The vpd_setup procedure (in Oracle) should look like this:
  CREATE OR REPLACE procedure vpd_setup (p_user varchar)IS
  BEGIN
    DBMS_SESSION.set_vpd( 'SESSION_VALUES', 'USERID', p_user );
  END vpd_setup;
  Then you can retrieve the value of the context variable in your vpd functions
  and set the vpd.

• How to implement row level security using external tables

  Hi All Gurus/ Masters,
  I want to implement row level security using external tables, as I'm not sure how to implement that. and I'm aware of using it by RPD level authentication.
  I can use a filter condition in my user level so that he can access his data only.
  But when i have 4 tables in external tables
  users
  groups
  usergroups
  webgrups
  Then in which table I need to give the filter conditions..
  Pl let me know this ...

  You pull the Group into a repository variable using a session variable init block, then reference that variable in the data filters either in the LTS directly or in the security management as Filters. You reference it with the syntax VALUEOF("NQ_SESSION.Variable Name")
  Hope this helps

• Parent-child hierarcy - row level security

  Hi,
  Im using OBI 11.1.1.5 and have a problem about row-level security in parent-child dimension.
  I have created a parent-child dimension, simlar to:
  a1
  --a1.1
  ----a1.1.1
  ----a1.1.2
  --a1.2
  ----a1.2.1
  By using a session variable 'SESVAR1', I want to restrict the visible hierarcy. For instance user 'a1.1' should only see:
  a1.1
  --a1.1.1
  --a1.1.2
  To do this I created a parent-child closure table with the whole dataset. Then I created a physical table using select statement with my session variable in repository. Whenever I viewed data in repository, it showed the correct set.
  I created a parent-child dimension, using the original parent-child closure table. But since current distance values are different from the original hierarcy, I can not managed to build a security such a security system with this method.
  How can I build a security system, that a member can only see its child hierarchy only?
  Thanks for answers and links...
  Edited by: user4516917 on 16.Nis.2012 06:54
  Edited by: user4516917 on 16.Nis.2012 06:55

  According to searches I made in support.oracle and google, it seems that it is not possible to view just a branch of a parent-child tree. Because the closure table is static. Therefore, you can not change the distances of objects dynamically.
  This parent-child ability is very frustrating for me. As I understand, parent-child dimension ability can only be used in read-only sources. Any filtering or dynamic changes does not seem possible in this structure. Any changes on parent-child table requires parent-child relation table to be rebuilt.
  I couldnt find any functionality of indexcol or choose functions in parent-child dimensions. I think they can only be used in level based dimensions.
  Any comments appriciated..

• Row level Security for BI Author Role

  Hi All,
  We are using OBIEE 11.1.1.5 in our project. We have a requirement where we need to configure row level security on certain column.
  We are currently using external table and session variable approach to configure this. This security works fine for the users with BI Consumer
  roles. But we are facing issue with configuring row level security for BI Author role.
  BI Author can create any analysis in BI Answers and suppose he/she creates a report which does not contain the column on which row level
  security is applied than he can see all the data. For eg.
  We have one dimension Products having two levels Product Division and Brand. I want to configure security based on Product Division column.
  But if BI Author create a report with only Brand and Measures than row level security is not working.
  Does anyone has face this issue before.
  Please let me know if you want any other information from my side.
  Regards,
  Vikas

  If you are using a multidimensional cube you can use the "permit" command to control access to dimension members or provide cell level security within the cube. The OLAP database documentation provides on how to use the PERMIT command.
  If you are using relational tables and/or views with additional CWM metadata mapped using OEM then you need to refer to the database documentation relating to Virtual Private Databases and Label Security
  Business Intelligence Beans Product Management Team
  Oracle Corporation