SAP BOBI 4.0: Data Security Profile Issue

Similar Messages

• Data security (Data from SAP BW) for AD users

  Hi  All,
  I have a scenario.
  BO env : Business Objects 3.1 Sp3
  Sap Integration kit Sp3
  My target is to implement AD SSO & also provide data security for data from SAP BW. Currently there are no roles & authorization defined in the sap System. My plan was
  Step 1:-  Implement AD SSO in Business Objects
  Step 2:  Map the AD users in SAP system
  Step 3:- Crate roles in SAP System
  Step 4:-  Assign the users roles
  Steps 5:- (Not sure) :-  Map the users (Now in SAP) to BO & then aliases them with the users from AD.
  Pleas let me know if this would be correct approach... if not please suggest.... I am kind of new to SAP BO integration with experience in BO admin

  Step 1: Setup Windows AD SSO on your BOBJ server
  Step 2: Import Windows AD groups in BO
  Step 2-  Setup Server-side SNC between BO and your SAP system
  Step 3:- Create roles in SAP System and import them in BO
  Step 4:-  Assign SAP users the created roles
  Step 5: - In the CMC create SAP aliases for your Windows AD accounts
  Step 6: - Setup your reports and/or universe connections to use SSO.
  For more information on server side SNC check the installation guide of the integration Kit.
  Regards,
  Stratos

• Issue with Data Access Profile

  Hi Experts,
       Facing issue while using Data Access Profiles:
  I have created a data access profile ,giving access to only limited members for  a particular model.
  While logging in using a particular user id which is assigned to this data access profile I am able to see all the members for which the access is denied
  and I am also able to manipulate the transaction data. But in data access profile I have provided only read access.
  Recently,the system has been upgraded with a new support package after which we are facing the issue.
  Please help us solving the issue.
  BPC version:  10.0 NW
  SP : 15
  Best Regards,
  Remya

  Dear Ramya,
  Again do the setting for data access profile.  Sometime it will not refresh.
  Regards,
  Nanny

• How to restrict employees from accessing managers data using custom security profile

  Hi,
  I am using custom security profile for restricting the employees from accessing supervisors details(PG.SEGMENT2=4). I have written the custom code as below :
  Responsibility :US Super HRMS Manager
  ASSIGNMENT.PERSON_ID
  IN
  (SELECT PAF.PERSON_ID FROM PER_ALL_PEOPLE_F PAF,
  PER_ALL_ASSIGNMENTS_F PF,
  PAY_PEOPLE_GROUPS PG,
  PER_PERSON_TYPE_USAGES_F PPU,
  FND_USER FNU
  WHERE PAF.PERSON_ID=PF.PERSON_ID
  AND :EFFECTIVE_DATE BETWEEN PAF.EFFECTIVE_START_DATE
  AND PAF.EFFECTIVE_END_DATE
  AND PF.PEOPLE_GROUP_ID=PG.PEOPLE_GROUP_ID
  AND :EFFECTIVE_DATE BETWEEN PF.EFFECTIVE_START_DATE AND PF.EFFECTIVE_END_DATE
  AND PPU.PERSON_ID=PAF.PERSON_ID
  AND PPU.PERSON_ID=PF.PERSON_ID
  AND :EFFECTIVE_DATE BETWEEN PPU.EFFECTIVE_START_daTE AND PPU.EFFECTIVE_END_DATE
  AND PAF.PERSON_ID=FNU.EMPLOYEE_ID
  AND PAF.PERSON_TYPE_ID =2
  AND PPU.PERSON_TYPE_ID
  IN(2,62)
  and PAF.person_id = FND_PROFILE.value('user_id')
  AND PG.SEGMENT2=8)
  and using "restrict the people visible to each other using this profile".
  I have assigned the security profile to HR user responsibility
  But when I query the supervisor name in HR User responsibility , it is not restricting me from viewing supervisor details.
  When I query for first time, its restricting me to view others details, but when I close that click on torch button and try searching, its allowing me to access manages details.
  Can any one please let me know what setups need to be done for restricting employees from viewing supervisors data.
  I have gone through the document "Understanding and Using HRMS Security in Oracle HRMS" but didn't got any idea.
  Please suggest.
  Thanks & Regards,
  Anusha.

  Hi All ,
  i solved the problem by using event 01 of header view and using the table "Extract" .
  Regards,
  Neha

• Issue implementing Business security profile in IDT

  Hi,
  BO 4.1 SP3
  I created a WebI Report with ADMIN privileges with 3 objects and published to Public Folder.
  Then I created a Business security profile in IDT and Denied USER1 access to ‘Display Data’ on one of the above 3 objects say Object3 (i.e. Granted ‘Create Query’ and Denied ‘Display Data’ access on that object3).
  Now when USER1 logs to WebI -> Public Folders and refresh the report, it says 'No privlilege..contact admin' message.
  Is it possible to display Certain Users to have all 3 columns and hide Object3 to USER1 in the same WebI report ?
  Appreciate if anyone can give some directions ?
  Thanks.

  I think you missed one more thing,
  IDT -> Business Layer -> Parameters -> AUTO_UPDATE_QUERY to YES
  Ref: xi4sp6_info_design_tool_en.pd Page: 225
  A user who is denied an object by a Display Data setting might refresh a report containing the denied object. You can specify what the refresh should do in this case by setting the SQL generation parameter AUTO_UPDATE_QUERY in the business layer.
  If this parameter is set to No, then refreshing the report generates an error message.
  If this parameter is set to Yes, then the denied objects are removed from the query and from any filters defined in the business layer. Data for other granted objects is retrieved and displayed to the user in a partial report.

• SAP PP: Security Profiles

  Hi All
  I want to find the PP relevant security profiles & the transactions associated with it..Kindly help in finding this.
  Thanks
  Tom

  Hi Mario,
  Let me try to break this down some more.
  The coverage profile is determining 30 days based on an average daily requirement of the forecast of a 3 month period.
  For example, April 20000, May 1000, June 1000.
  Let's assume 30 days in a month.  (20000 + 1000 + 1000) / 90 = 22000/90= 244.4 * 30days = 7333.
  So, In week 3 of April, purchases are being suggested to maintain 7333.
  I want the calculation to read more like 1 week in April remaining (20000/30 =666 a day * 7= 4666) + (1000/30=33.3*23=766)....so 30 days is really 4666+766= 5432.
  Is this possible?
  -Tim

• SAP Lumira - Implementing row level security

  Hi All,
  I aware that SAP Lumira 1.17 onward allows to share the datasets, stories to SAP Lumira Server as well as SAP BI Platform (4.1 SP3 onward).
  But I would like to know if there is any way of implementing Row level security for this published contents i.e. datasets or stories. e.g. If user A (may be an administrator with access to all the regions) creates dataset and story and shares it with other users over SAP Lumira Server or SAP BI Platform. But when user B accesses these contents on any platform, SAP Lumira server or SAP BI Platform, he should be able to see data only as per his access (his own region). Can something of this sort be implemented?
  Thanks,
  Abhijit

  Hi,
  Sorry for the delay in getting back to you.
  As per my understanding - as of today, we respect Row-level security when acquiring (fetching) the data from universe into Lumira desktop (also, contexts and business-security profiles i.e. columns)
  now, when that desktop user has 'designed' the Lumira document, all of the above: row-level, contexts and security profiles  are 'locked-down' into that artefact when shared onwards. (i.e. to Lum Server and hence, BI Platform)
  once this content is being access from the BI Launchpad, refresh-on-demand is possible from the story, as well as scheduling of dataset on which it is based.
  According this blog by Greg Wcislo (the product owner for the Add-on)  Lumira integration for BI4 functionality detailed. note that features such as 'refresh on open' and 'changing design-time parameters' (i.e. prompts) are not yet supported,  but very much in future scope / plans.
  I believe that one of the other mid-term goals is to architect a 'Lumira server-side universe refresh' (i.e. so that the processing is handled 100% by Lumira server) rather than querying across BIPlatform services then replicating a dataset to HANA (which is currently the process flow)
  I hope this helps.
  Regards,
  H

• Security Profile with Assignment-level Security limitations

  Hi, We are on an R12 installation, and have a security profile based on Organization Hierarchy (With Assignment-Level Security - i.e. 'Restrict on Individual Assignments' checkbox is ticked); this is based on a specific organisation as the 'Top Org' rather than the User's own Assignment.
  The profile option "HR: Access Non-Current Employee Data" is set to 'Yes', but the security profile still restricts access to Future-Dated Assignments and Ended Assignments. Is this expected behaviour, and is the only solution to develop a Custom security profile, and is this even feasible (to replicate organisation hierarchy security using SQL in the custom security tab), or would we have to use a different criteria, such as Payroll?
  Regards, Chris

  Further investigation reveals this is a limitation of the product - within security, the selection criteria which determines which individuals (or assignments) is handled seperately to Assignment-level security (i.e. whether individual assignments are restricted), it is not possible to get around this issue even using custom security, as that does not give one the power to determine how individual assignments are handled. Thus if assignment-level security is implemented, the user cannot see Ended or Future-Dated assignments, even if the profile option "HR: Access Non-Current Employee Data" is set to 'Yes'.
  The only workaround we have found for this is to:
  a) remove assignment-level security, and
  b) ensure that where an employee has multiple assignments that cross security groups, this individual is set up twice, as two separate employees.

• Minimum Security Profile for CCMS?

  Does anyone know the minimum security profile or roles needed to read counters for CCMS?
  I have added the following roles to a test user:
  SAP_BC_BASIS_ADMIN
  SAP_BC_BASIS_MONITORING
  SAP_BC_CSMREG
  I have added NO profiles to this test user.
  I noticed when I try to retrieve data using an in-house program operating under this user, all values are always 0.00
  However, once I add the profile S_A.SYSTEM, I can see actual values of 25.00 or 8.00, etc.
  Unfortunately, S_A.SYSTEM is too powerful to use -- is there a different, minimum profile I can use to access CCMS metrics from a in-house program?
  Much appreciated.

  Hi,
  S_RZL_ADM authorization is required to administer CCMS. Please check if the SAP PDAGs that you are assigning have this authorization object. If not, you may experience similar errors.
  Also, refer SAP Note 135503 to identify the configuration parameters information required to work with CCMS.
  Hope this helps!!
  Regards,
  Raghu

• Importing custom created security profiles from a .csv or .xls document

  Hi Experts,
  We have a prerequisite where we need to create custome security profiles as per the requirement.
  These security profiles I have created in an excel sheet and wish to import it in the server.
  The reason behind creating the security profiles through excel sheet is that in the future we will be working on a new server. So instead of doing any rework we can directly import from this excel sheet.
  For creating a security profiles through an excel sheet, I have mentioned the following things in the excel sheet.
  1. In a "eso_security_profiles" i have mentioned the profile name,description,internal ID, etc..
  DISPLAY_NAME       DOCUMENT_DESCRIPTION    INTERNAL_NAME     CATEGORY  COLLAB_PROFILE    INTERNAL_TYPE     RESTRICTED
  DISPLAY_NAME:Category Manager    
  DOCUMENT_DESCRIPTION   : This profile is for the user who has full rights only at project business document but cannot approve and have no access rights to the master data
  INTERNAL_NAME  :  fci.profile.doc.category_manager
  CATEGORY  :   BUYSIDE     
  COLLAB_PROFILE    :   TRUE     
  INTERNAL_TYPE     :   
  RESTRICTED   :  
  2. And in the "eso_security_rights" I have mentioned the access rights as per requirement.
  RESOURCE        SECURITY_PROFILE                               ALLOW_PERMISSIONS       DENY_PERMISSIONS
  rfx.RFXDoc        fci.profile.doc.wft_category_manager     ODP_READ
  Please give some inputs on this. Am not sure if what I have done is the right way.
  Thanks.
  Vaishali.

  Hi Vaishali,
  I understand that you need these security profiles in another server going forward. I would suggest another way around rather.
  Please create the Security profiles in SAP Sourcing itself, then export the OMA file. When you move into another server please import this OMA file. This will serve the purpose of having the new security profiles in the new server.
  If you are modifing something in the workbook, then you should carefully review field details. As I am not sure which version of SAP Sourcing and details of workbook, so I would suggest the above way to try out.
  Hope this helps
  Thanks
  Jagamohan

• Override Security Profile for one employee

  Hi
  I have one employee who works in 'Accounts Department' and the HR user of accounts department can see only the employees of Accounts Department based on the security profile. This is working fine. But theres a different requirement. Some employees are transferred to other departments for 3-6 months for different purposes. During this time also the HR user of accounts department needs to view this employees details due to HR policies and procedures. Can we achieve this? If yes, how?
  - Gulzar

  Q 1 - When Employee is transferred from Dept 1 to Dept 2 for 6 months, Should the HR for both Dept 1 and Dept 2 be able to see his details for 6 months?
  Q 2 - After 6 months period, employee's organization is again updated to Dept 1, should again HRs of both Dept 1 and Dept 2 be able to see his details even after the 6 months period?
  Q 3 - If answer for Q 2 is - "after 6 months period, only HR of Dept 1 should see his details" , how to identify Employee's home department? Will it be the Employee's Organization effective as of Employee's hire date?

• First Day of Week in Data Entry Profile

  Does anyone know if there is a standard SAP RFC i can use in my Web Dynpro application to get the First Day of Week entry in a user's Data Entry Profile?
  Thanks,
  -Kevin

  Hello Kevin,
  Function Module returns the System Date from that SAP System(R/3). I have checked this BAPI with '200743 - current week' GET_WEEK_INFO_BASED_ON_DATE, it returns proper data like Start Date and End Date.
  I Assume, you are using this in your Java WD. You can write your own function for this. This will return the day of the week.
  Calendar xmas = new GregorianCalendar(2007, Calendar.SEPTEMBER, 23);
  int dayOfWeek = xmas.get(Calendar.DAY_OF_WEEK);
  wdComponentAPI.getMessageManager().reportSuccess("Day : "+dayOfWeek);
  Note : - week starts with 0 . 0 - Monday 6 -Saturday.
  Regards,
  Sridhar

• UME using SAP R/3 as Data Source

  Hi,
  We are trying to set User authentication to SAP R/3 system, not load balanced system, on the User Management Configuration values: Client=501, Userid=sapjsf, Password=pwd, sys id=RS1, Group and Message server= blank, Application server= server.company.com, Sys. number=00, Max pool=10, Max wait=300000.
  When testing connection, I get this message:
  (System ID): com.sap.mw.jco.JCO$Exception: (101) RFC_ERROR_PROGRAM: 'mshost' missing
  (System ID & System Number): OK
  Is this an error? since our SAP R/3 is not a load balanced system.
  Did we miss any item for the setup, in dataSourceConfiguration_r3.xml? The SAPJSF "communication user" got the right sap role and authorizations.
  Portal version : EP6 SR1
  Regards
  Huzaifah

  Hi,
  If u want to Use The SAP R3 System as Data source u may
  do it from config tool if u got following message.
  WARNING! You are not allowed to select dataSourceConfiguration_r3.xml as active configuration file.
  (For Portal Patch less than SP13 u must download two data source file which is attached with note - 718383
  and upload it to portal which is described in the note)
  the following are the procedure which i apply ,
  Go to System Administration -> System Configuration ->UM  Configuration
  Now Do not change Data source from Here.
  Make sure  your data source is "Database Only"
  (dataSourceConfiguration_database_only.xml)
  Now enter the following value under SAP System Tab.
  Client : - Your sap system client
  User:-  Sap user
  password: - password
  System language:- your system language
  Application server: - Host name or IP of sap system
  System Number : -  SAP instance number
  Maximum Size of Connection Pool : -  As per req.
  Maximum Wait Time in Milliseconds :- 10000
  Now, save the changes and shutdown the portal server.
  Using Config Tool change the data source. Run the following
  <drive:\> usr\sap\<sid>\JC<instance number>\J2EE\configtool\configtool.bat
  (Make sure the portal system is shutdown)
  Under Cluster Data -> Global Server Configuration -> services -> com.sap.security.core.ume.services
  Now find the key: -  ume.persistence.data_source_configuration     
  The default was : - dataSourceConfiguration_database_only.xml
  change the value to :- dataSourceConfiguration_r3.xml     
  click on set and from flie-> apply
  Now restart the portal server ur data source changer to SAP R3 System
  Regards,
  Kaushal

• SQL Query in Custom Security when creating Security Profile

  Hello all,
  I've created a security profile with Custom security and provided a simple query in Custom Security tab-
  PERSON.PERSON_ID = FND_GLOBAL.EMPLOYEE_ID
  Custom security option is "Restrict the people visible to each user using this profile"
  I am not able to see the record as expected.
  If I Hardcode the person ID "PERSON.PERSON_ID = 13449" with "Restrict the people visible to each user using this profile", I am able to see the record.
  If I Hardcode the person ID "PERSON.PERSON_ID = 13449" with "Restrict the people visible to this profile", I am able to see the record after running PERSLM and same is in PER_PERSON_LISTS.
  Am I correct in checking with FND_GLOBAL.EMPLOYEE_ID?
  (This was mentioned in system administrator guide :
  "+Oracle HRMS assesses the custom security when the user signs on. In addition, the custom security code can include references to user specific variables, for example, fnd_profile.value() and fnd_global.employee_id.+"
  docs.oracle.com/cd/E18727_01/doc.121/e13509/T2096T2098.htm).
  I have tried with FND_GLOBAL.USER_ID / FND_PROFILE.VALUE('USER_ID') / :ASG_ID (seeded query has a join with this bind variable) - not happening.
  I've given options as below :
  Employees = None
  Contingent Worker = Restricted
  Applicant = None
  Contacts = All
  Candidates = All
  All other options - Defaulted
  Thanks,
  Sumanth

  Resolved this - One cannot see self's employee record in the form for which this is setup.
  Hence the below query though correct in syntax did not show any data.
  PERSON.PERSON_ID = FND_GLOBAL.EMPLOYEE_ID
  My original requirement was that all employees belonging to one's Organization should be displayed, and this is working fine with an updated query for the same.
  Thanks,
  Sumanth

• SAP R3 Connection in Data Services - Configuration is

  Dear all,
  We are having an error when going through the steps in the configuration of BusinessObjects Data Services 3.2 with R3. The error is in the SAP R3 server.
  Herewith the steps in regular font (based on the SAP BusinessObjects guide) and our output results in bold. If you can take a look on it, it will be great for us.
  To install provided functions using the CTS system:
  1.     Copy the provided transport files to the appropriate directories on the SAP server.
  Installing Functions on the SAP Server Installing the functions using CTS
  Note:
  In these steps, 900XXX.SXX is a variable. To substitute the correct file name for the current release, see the readme.txt file in the ...\DataServices\admin\R3_Functions\transport directory.
  -     Copy R900XXX.SXX to the /usr/sap/trans/data directory.
  -     Copy K900XXX.SXX to the /usr/sap/trans/cofiles directory.
  As we have R3 connection we have moved the R63 file. Complete name of the files are:
  -     R900086.R63
  -     K900086.R63
  2.     Log on to the SAP server and run the transaction /nSE37 to determine if function group ZAW0 already exists. The CTS system will install the Data Services functions into a single function group ZAW0 that it automatically creates on the SAP server if it does not already exist.
  -     If function group ZAW0 exists and contains previously installed Data Services functions, add an unconditional mode 2 option (parameter U2) to the tp import command described in step 4 below (tpimport S<xx>K900<xxx> <SID> U2).
  -     If function group ZAW0 exists and is used for another purpose, modify the transport file to use a different function group (such as ZAW1) to install the Data Services functions. Make sure the function group you use does not already exist in your system.
  -     If you are installing the transport files on a Unicode-enabled SAP server, manually create the function group ZAW0 with the Unicode attribute set.
  In our case we have found there is already a ZAW0 created -> nothing to do in this step
  3.     From a command window, run the following transport command:
  -     tp addtobuffer S<xx>K900<xxx> <SID>
  (where SID is the SAP system ID)
  You receive the response:
  This is tp version <SAP TP and SAP versions> for <database type> database.
  Addtobuffer successful for S<xx>K900<xxx> tp finished with a return code: 0 meaning:
  Everything OK
  This is the command we have run and the error retrieve
  The SID is NDV.
  C:\tp addtobuffer R63k900086 NDV
  This is tp version 372.04.57 (release 700, unicode enabled)
  E-TPSETTINGS could not be opened.
  EXIT
  Error in TPSETTINGS: transdir not set.
  tp returncode summary:
  TOOLS: Highest return code of single steps was: 0
  ERRORS: Highest tp internal error was: 0208
  tp finished with return code: 208
  meaning:
  error in transportprofil (param missing, unknown, ....)
  We have modified the statement with different names for the R63 file, but we didnu2019t success. We are retrieving same error.
  We also have applied the command in the following link:
  http://sap.ittoolbox.com/groups/technical-functional/sap-basis/etpsettings-could-not-be-opened-875506
  and retrieve another error. The following step would be doing the u201CSAPEVTPATHu201D downloading, but, we are not sure if this would fix the issue or if the issue is related to something else.
  4.     Run the next transport command:
  tp import S<xx>K900<xxx> <SID>
  (where SID is the SAP System ID)
  We couldnu2019t reach this point, as we are having an error in the command below.
  Thanks for your help on this!
  Beatriz Minguez

  There is a problem in the transport file supplied with BODS installation folder. Pls refer to the SAP Note :
  1616269 - Problems when installing Data Services 4.0 SAP transport files (900155.R63)
  We have used the new transport files but we are still getting the below warnings in the log files and it returned with return code 4 :
  Maximum length ("255") for "CHAR" in transparent tables exceeded
  The SAP Note 1446648 - Warning Messages installing SAP R3 transports for Data Services sayou can ignore those warnings but we are still not able to see the ZAW0 Function group in SE37.
  Let me know if you are able to do it successfully.