Security Filter Problem

Similar Messages

• Essbase Security Filter issue.

  Hi,
  Its regarding the security filter issue.
  The major problem is whosoever user is provisioned under that security filter, if the user is trying to connect to Application using Excel Addin / Smartview, it crashes the essbase server [Network Error [10061], timed out error)]
  When we figured out because of this filter essbase server is crashing, we tried to edit the filter. sometimes if we click on edit, it crashes the server or sometimes we can see some junk characters in the filter.
  We have applied the security on Entities dimension and problematic filter is ASP.
  Now the hirerachy is like this.
  Entities dimesnsion and then ASP member and under ASP we have our several members.
  Filter is like this:
  Write : @Idescendants("ASP")
  It was working fine for almost 15 days.
  Now if i edit the filter, i can see like this:
  Write : @Idescendants("ASP")
  Metaread:@Idescendants("*&^%?)
  Junk characters are coming in and no idea from where they are coming.
  I can't delete the filter also, again it crashes the essbase server.
  As a workaround i have created a temp filter and dome the assignation for this group, according to that.
  Everything is working fine.
  I just wanted to know, has anybody faced such kind of problem earlier.
  What cud be the root cause for this.
  How could I delete the filter.
  I have also get messages like security file is corrupted (we have restored it from old backup) but really worried about security file as we are moving the whole thing to production server this weekend.
  Please advise me on this, Please help me. Any help would be highly appreciated.
  I am really in trouble.
  Thanks,
  Pankaj Mehta.

  Try to edit the filter from MaxL command line using
  alter filter sample.basic.filt7 add write on '@IDescendants("ASP")';
  here sample=application
  basic=database
  filt7=filtername
  have good luck

• Security filter validation crashing essbase

  During security filter validation, Essbase froze and stopped responding. We had to re-start essbase service.We are on 6.2.3 and NT server. Any insights or similar problems with validating filters?Thanks

  We see same issue in 9.2.0.3, but only with 1 of our 5 applications. Was never able to get support to identify a cause, our resolution is to push users in small groups and save the essbase.sec file. Real pain. You could try stopping essbase service, using essbase.bak file and restarting then try to push and see if it works. I did identify issues with our openLDAP which I felt was the cause, I was able to clean it up in TEST and it works, but did same in Prod and worked once, then reverted back to crashing again, unless we push users in really small groups. Interested to see if you get a 'fix' from someone...

• Failed to refresh user's security filter

  Hi - I'm having an issue with a user ID. User was having a lot of problems doing Essbase retrievals in Excel, so tried refreshing their security filter in Hyperion Desktop. I get a 'security filters were created successfully except for: username."
  So I recreated her ID in Planning, removed her ID in Essbase and removed her filters in Essbase. I added back all the groups that she belongs to in Planning, now I am back in Hyperion Desktop trying to do a push down for her ID and I still get the same error message.
  Then I went to some other people's ID, highlighted their name and did a refresh, some of the say successful, some of them give me the same error message about security filter refreshed except for: username".
  What in the world can be causing this?
  Planning 3.5.1
  Essbase 7
  Edited by: CLAU on Feb 25, 2010 7:29 AM

  also<BR><BR>DISPLAY PRIVILEGE USER ALL; will list all privileges granted to a user directly. Any line that isn't "no access" means that the user has privileges assigned outside a group. I periodically do ann audit on our systems to ensure we have't got any direct users that have privileges granted outside groups.<BR><BR>Of course anyone tagged individually as a supervisor will come up on this check.

• Issue with write Security filter in ASO 9.3.1

  Hello All -
  I'm having a strange security filter issue in system 9.3.1 ASO cube. We've the native users for the ASO cube and created several write security filters based on cost centers in that cube.
  For example, the below security filter sometime works, and sometime not:
  Write "Adjustments", @RELATIVE ("S532179", 0), @RELATIVE ("S587724", 0), @RELATIVE ("S525701", 0)
  There are total 8 standard dimensions in the cube. I tried all possible combinations to make it work constantly, but it doesn't. Even modified the filter like below so that it has all dimensions (using LEVMBBRS, IDESCENDANTS, RELATIVE) , still users can't load data at level 0 members.
  Write @LEVMBRS ("Chart of Accounts",0),@LEVMBRS ("Full Year",0),@LEVMBRS ("Business Unit",0),@LEVMBRS ("Fixed/Variable",0),@LEVMBRS ("Source",0),@LEVMBRS ("Products",0),@LEVMBRS ("Scenario",0),@LEVMBRS ("Cost Center",0)
  It looks like the user and filter association is not working. If I give the user direct write access to the cube (bypassing filter totally), the users can write fine. Please help!

  I didn't know that the logs didn't work; I tested it and they are not generated for ASO updates in 9.3.1. I didn't see any other setting that would cause them to be created; my guess is that the logs are created based on block manipulations that Essbase does internally using BSO. As there are no blocks in ASO then the same algorithm doesn't apply.
  We log Essbase changes in our Dodeca product but we use a different algorithm. We evaluate the update in our server before committing the changes and generate a relational log that has the datapoint information plus the old value, new value and standard 'who' information for the person making the update.
  Tim Tow
  Applied OLAP, Inc

• [OBIEE 11g] Enforce star-schema without security filter?

  I have imported my first OLAP cube using the instructions <a href = 'http://www.oracle.com/webfolder/technetwork/tutorials/obe/db/11g/r1/olap/biee/createbieemetadata.htm'>here</a> and have applied the necessary security filter to force the star join between the cube and dimension views. However, the security filter does not apply to users in the BI Administrator user group. Is there any way to do this without a security filter, or somehow apply the security filter even when the user is an administrator?
  Edited by: islan on Jan 22, 2013 7:56 AM
  Edited by: islan on Jan 22, 2013 7:57 AM

  The link in your first posting points to the old-way of creating OBIEE metadata for OLAP objects.
  Starting with OBIEE 11.1.1.5, it is much simpler as Oracle-OLAP is one of the data sources in BI-Admin Tool.
  So do not use the old way.
  Start with this doc:
  http://www.oracle.com/webfolder/technetwork/tutorials/obe/fmw/bi/bi11115/olap/olap.htm
  For your other issue, you need this troubleshooting doc:
  http://www.oracle.com/technetwork/database/options/olap/troubleshootingbieeconnections-504856.pdf
  Note that even though it says OBIEE 11.1.1.5, the above two docs are applicable to 11.1.1.6 and future releases.
  For security, you should define it in OBIEE instead of doing in OLAP.
  .

• Issue in Implementing OR Logic in Security Filter for Essbase in OBIEE

  I am implementing OBIEE using Essbase as the data source. The requirement is to implement OR logic in the security filter. And I got error message from the MDX query generated by OBIEE. Below is the details. Anyone knows how to solve this issue? Thank you very much.
  1.     The &ldquo;Booking Location&rdquo; dimension has three hierarchies (ragged hierarchies).
  http://img.photobucket.com/albums/v216/stewart_life/1.png
  2.     I only want to take the first hierarchy, which is &ldquo;Total booking&rdquo;. Thus, I filter the Logical Table Source of &ldquo;Booking Location&rdquo; in the business model layer.
  http://img.photobucket.com/albums/v216/stewart_life/2.png
  3.     The &ldquo;Incorporation Country&rdquo; dimension doesn&rsquo;t have any multiple hierarchies.
  http://img.photobucket.com/albums/v216/stewart_life/3.png
  4.     Thus, I don&rsquo;t filter the Logical Table Source of &ldquo;Incorporation Country&rdquo; in the business model layer.
  http://img.photobucket.com/albums/v216/stewart_life/4.png
  5.     I filter the permission of a user. This filter applied to the fact table (RISK) in the business model layer.
  http://img.photobucket.com/albums/v216/stewart_life/5.png
  6.     Then the filter applied so that the particular user can only see the data where the Incorporation Country level is Singapore OR the Booking Country level is Singapore:
  "Risk"."Incorporation Country"."Country" = 'SINGAPORE (INC)' OR "Risk"."Booking Location"."Booking Country" = 'SINGAPORE (CBE)'
  http://img.photobucket.com/albums/v216/stewart_life/6.png
  7.     Here is the first report that is working fine if run by a user without any security filter.
  http://img.photobucket.com/albums/v216/stewart_life/7.png
  8.     The result of that report when run by the user whose security filter above has been applied to.
  http://img.photobucket.com/albums/v216/stewart_life/8.png
  9.     The MDX query generated from that report is shown below. Note that the error refers to the line 4, which is in bold below. Somehow, the query generated always include Incorporation Country and Booking Location in the &ldquo;With&rdquo; clause, since both of them are placed in the security filter.-----
  Sending query to database named Risk-MI Essbase (id: &lt;&lt;399750&gt;&gt;):
  With
  set [Booking Location2|http://forums.oracle.com/forums/] as '{[Booking Location|http://forums.oracle.com/forums/].[Total booking|http://forums.oracle.com/forums/]}'
  set [Booking Location4|http://forums.oracle.com/forums/] as 'Generate({[Booking Location2|http://forums.oracle.com/forums/]}, Descendants([Booking Location|http://forums.oracle.com/forums/].currentmember, [Booking Location|http://forums.oracle.com/forums/].Generations(4),SELF), ALL)'
  *set [Incorporation Country4|http://forums.oracle.com/forums/] as ''*
  set [Time3|http://forums.oracle.com/forums/] as 'Time.Generations(3).members'
  set [Year2|http://forums.oracle.com/forums/] as 'Year.Generations(2).members'
  member Measures.[MS1|http://forums.oracle.com/forums/] as 'Rank(Time.Generations(3).Dimension.CurrentMember, Time.Generations(3).Members)'
  set [Axis1Set|http://forums.oracle.com/forums/] as 'crossjoin ({[Booking Location4|http://forums.oracle.com/forums/]},crossjoin ({[Incorporation Country4|http://forums.oracle.com/forums/]},crossjoin ({[Time3|http://forums.oracle.com/forums/]},{[Year2|http://forums.oracle.com/forums/]})))'
  select
  {Measures.[Netted EAD|http://forums.oracle.com/forums/],Measures.[Netted Nominal|http://forums.oracle.com/forums/],Measures.[Wt_LGD|http://forums.oracle.com/forums/],
  MS1} on columns,
  NON EMPTY filter({[Axis1Set|http://forums.oracle.com/forums/]}, [Incorporation Country|http://forums.oracle.com/forums/].currentmember IS [Incorporation Country|http://forums.oracle.com/forums/].[SINGAPORE (INC)|http://forums.oracle.com/forums/] OR [Booking Location|http://forums.oracle.com/forums/].currentmember IS [Booking Location|http://forums.oracle.com/forums/].[SINGAPORE (CBE)|http://forums.oracle.com/forums/]) properties ANCESTOR_NAMES, GEN_NUMBER on rows
  from [http://RISK-P.RISK]
  where ([CRG (ORG)|http://forums.oracle.com/forums/].[Good Book (ORG)|http://forums.oracle.com/forums/], Method.ADV)
  +++stewart:370000:370021:----2009/02/17 13:56:06
  Query Status: Query Failed: Essbase Error: Syntax error in input MDX query on line 4 at token '''

  From what I have read on this forum, people have managed to get the DC In Board replaced for a little over US $100. This would be at an Apple authorized repair shop rather than by Apple itself. This is much less than the cost of a new MacBook. I don't know what might be available in your area, but it would be worth asking at a repair shop.
  Good luck!

• Substitution Variable in Security Filter

  Hi,
  my filter looks like below.
  Write : @idesc("Accounts"),Oct,"07 10 + 2",@idesc("SiteName")
  here 07 10 + 2 is the version name which am using. the same version is used in so many security filters.
  i want to replace this by the substitution variable name CURR_VER.
  is it possible to use the substitution variable name in a security filter (s)??

  What version of Essbase are you using? In System 9 (9.2 and higher I think) variables are allowable in filters and formulas. In version 7 and below, they are not

• Web Center app with ADF Security - login problem

  I have a custome Oracle Web Center app.
  I have a page.html with an embedded login form posting to j_security_check. I've configured the ADF security policies to redirect to a JSPX on successful login.
  When I try the correct username/password, I get redirected not to the page I defined in ADF, but to the root page http://127.0.0.1:7101/MyApp-ViewController-context-root/
  and i get
  Error 403--Forbidden
  I've checked the weblogic.xml as per http://andrejusb.blogspot.com/2009/12/solving-error-403-forbidden-in-adf.html, all the required entries are there.
  This works fine if i use a Login link with
  destination="#{'/adfAuthentication?login=true&amp;end_url=/faces/postLogin.jspx'} "
  which redirects to the default login.html and then to the right page. I've copied the form from the default login.html into my master HTML page.
  Hope my question is clear. Any suggestions why it is going to the wrong URL after login.
  Is there anything specific I should see in the jazn-data.xml or web.xml regarding the post-login URL since i cant see that in either.
  P.S. Have been advised to try here when I originally asked this in the WebCenter forum. Web Center app ADF Security - login problem
  Edited by: new_to_webcenter on 18-Jan-2011 05:25

  Thanks for your response Frank.
  The web.xml has
  <security-constraint>
  <web-resource-collection>
  <web-resource-name>adfAuthentication</web-resource-name>
  <url-pattern>/adfAuthentication</url-pattern>
  </web-resource-collection>
  <auth-constraint>
  <role-name>valid-users</role-name>
  </auth-constraint>
  </security-constraint>
  <login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
  <form-login-page>/login.html</form-login-page>
  <form-error-page>/error.html</form-error-page>
  </form-login-config>
  </login-config>
  When configuring ADF Security via JDev , I chose "Redirect upon successful authentication" to the Welcome Page
  "/faces/postLogin.jspx"
  this then adds into web.xml
  <servlet>
  <servlet-name>adfAuthentication</servlet-name>
  <servlet-class>oracle.adf.share.security.authentication.AuthenticationServlet</servlet-class>
  <init-param>
  <param-name>success_url</param-name>
  <param-value>/faces/postLogin.jspx</param-value>
  </init-param>
  <load-on-startup>1</load-on-startup>
  </servlet>
  So the sequence which works is:
  Login via the '/adfAuthentication?login=true&end_url=/faces/postLogin.jspx' and this redirects to login.html (OOTB form which posts to j_security_check) and then to the postLogin.jspx
  I'm trying to do away with a Login link, and trying the simple login form embedded in my page alongwith other content.
  So should the form be posting to j_security_check directly or to the adfAuthentication ?

• Essbase Security filter in OBIEE 11.1.1.6 request

  Hello Experts
  I have got a requirement whereby I need to apply Data Level Securityfor the Essbase sourced cube in OBIEE11g. But the issue is the dimension value where I need to apply security filter has 25K distinct values and is Unbalanced Hierarchy where the leaf members is distributed across differnet level . Actually it is ragged heirarchy in Cube which when imported in OBIEE becomes a Level Based Heirarchy where the leafs becomes shared across differnet level. Now the general OBIEE rule says - Create separate application groups for each lowest level dimension vales and apply security filters for each values respectively for each group and assign users in those groups.
  But the issue is :
  1. Here there are 25 K members in the dimesional value where I need to apply Data Level Security . So it is not possible to create 25K distinct group.
  2. The dimension which needs to be used for Data level security has Ragged Hierarchy where the lowest leaf (which would eb used in security filter) is shared across differnet levels.So there is no single column that I can select in RPD to apply security filter.
  Pls. suggest a solution.
  Is there a way that I can source the Essbase Filters to work as Data Level security in OBIEE 11.1.1.6

  You can upgrade to 11.1.1.7 and use Weblogic to assign security, then EAS to apply filters, and then OBIEE Enterprise Mgr to apply the application roles (i.e. via Essbase Filters). The gotcha is that you need to install OBIEE 11.1.1.7 and include the Essbase component as part of the install.
  If you need more info let me know.
  Daniel Poon

• Financial Reporting prompt-Show only members as defined by security filter?

  Hello all,
  Maybe another simple question but i have been unable to perform this task so far-
  We have created a security filter against the Company dimension in essbase, assigned it to a user, and that works ok.
  We have a report that prompts the user to choose members from for the Company Dimension.
  We would like this prompt to present the users only the members that are accessible per the security filter (i.e. al the descendants of the 'Northwest' member) for that particular user, since by default it presents all members of the Dim.
  Is this possible to do?
  Thank you very much for your help
  Hector

  I think what you want are METAREAD filters.Not that you're on Planning, but Planning goes to Essbase (eventually) and when it does so, it inexplicably uses READ instead of METAREAD -- it's the same issue.
  Here's an overview of it: http://camerons-blog-for-essbase-hackers.blogspot.com/2009/07/fixing-plannings-filters.html
  It should be as simple as clicking on the filter type dropdown in EAS to test if it works.
  Regards,
  Cameron Lackpour

• Security filter verification failed

  Hi All,
  We are trying to create security filter which is combination of 4 sparse dimensions.
  The relationship between members in the filter is AND (so the filter will be created under one row).
  We encountered the below error in applying security filter
  ====
  [Mon Apr 13 03:42:16 2009]Local/GLOBAL///Error(1200467)
  Error parsing formula for [REGION DEFINITION]: status code [1130203] in function [@_U]
  [Mon Apr 13 03:42:16 2009]Local/GLOBAL///Error(1200467)
  Error parsing formula for []: status code [1130203] in function []
  ====
  It seems like if the combination of the members on the filter hit the limit of allocated memory, the filter got failed.
  Is there any way to calculate how many memory absorb in one filter?
  or is there any memory limitation for security filter?
  It will be great If anyone can share the experience of this issue.
  Thanks.
  Regards,
  Ai

  That's interesting, I have never head of a limit on the number of members that a filter can address. How many accounts do you have in your database?
  I took a look at the Limits section of the DBAG and found the following re filter limits:
  Filter name
  * Non-Unicode application limit: 30 bytes
  * Unicode-mode application limit: 30 characters
  Number of security filters
  * Per Essbase Server, 65535
  * Per Essbase database, 32290See: http://download.oracle.com/docs/cd/E10530_01/doc/epm.931/html_esb_dbag/limits.htm#limits_1
  That's it -- nothing on the number of members that can be addressed in a filter. Of course it is possible (insert sacarsm, irony, or wonder per your personality) that the documentation is not correct.
  I have never run into what you described, but Essbase is vast and mysterious country, so perhaps that isn't so surprising.
  I'm glad you were able to find a workaround.
  Regards,
  Cameron Lackpour

• Security filter couldn't refresh to Essbase from Planning but could create

  Please kind help on look at this issue.
  I updated some dimension access in Planning,and did a security refresh in management database menu.But the access didn't refresh to Essbase filter.
  Then created filter in management security filter menu,it refreshed to Essbase successfully.
  I would grateful if someone could tell me why the first way unsuccessful.
  Thanks,

  If you go to Oracle Support and search on "planning security refresh" you will see lots of articles on this subject.
  Cheers
  John
  http://john-goodwin.blogspot.com/

• Using Essbase security filter in OBIEE request ?

  Hello,
  We would like to use OBIEE 11.1.1.6 with Essbase source. We already use Essbase security filter (on dimensions).
  For example, "userA" is allowed to access to Entity A and not Entity B and the opposite for "userB".
  If I loggin as "userA" in OBIEE, is it possible for OBIEE to connect to Essbase with "userA" so that Essbase return data only on Entity A and not Entity B ?
  Thanks!

  Hi,
  The way let OBIEE users, have Essbase security filters running for them, is by integrating OBIEE and EPM using Single Sign On. When, both OBIEE and EPM talk to the same Identity Store like OID/MSAD, you can set this up. For more integration steps, refer to http://www.google.com.sg/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&ved=0CDAQFjAA&url=http%3A%2F%2Fwww.oracle.com%2Ftechnetwork%2Fmiddleware%2Fbi-foundation%2Fhfm-sso-obiee-1112x-1835570.pdf&ei=O7ElUeCTApGzrAeelIHwCw&usg=AFQjCNE1BzMQU6Cwny-0IwcvxkfxeqlONg&bvm=bv.42661473,d.bmk
  Hope this helps.
  Thank you,
  Dhar

• "OR" function in Security filter

  HI All,
  I am trying to implement "OR" function in security filter. i mean for security i have created on group and i am trying to implement following query i am getting error. if i replace "AND" with "OR" then report is showing data. but that is not perfect data because of AND
  "Employee ID" = VALUEOF(NQ_SESSION."”EMPLOYEEID”") OR T_CLBI_SV_VISIBLE_OPTY."Employee ID" = VALUEOF(NQ_SESSION."”EMPLOYEEID”") OR T_CLBI_SV_VISIBLE_OFFICE."Employee ID" = VALUEOF(NQ_SESSION."”EMPLOYEEID”") AND T_CLBI_SV_VISIBLE_OFFICE.INHERITED_FLAG = 'F'
  my question is how i can i use OR in security filter.
  Please help me to solve this issue. really appreciate for your help.

  Thank you for your response.
  but it is not working even i did try with following simple query
  "Employee ID" = VALUEOF(NQ_SESSION."”EMPLOYEEID”" OR T_CLBI_SV_VISIBLE_OPTY."Employee ID" = VALUEOF(NQ_SESSION."”EMPLOYEEID”")
  it is giving following error
  State: HY000. Code: 10058. [NQODBC] [SQL_STATE: HY000] [nQSError: 10058] A general error has occurred. [nQSError: 14026] Unable to navigate requested expression: Pipeline Fact.Office ID. Please fix the metadata consistency warnings. (HY000)
  any idea?????????