Security Framework in Discoverer

Similar Messages

• Rest Security Framework using Internal user

  We are planning to use ATG 10.0.3 REST framework to expose web APIs for other channels as REST services. These services will be called in session context and will be used to place an Order for registered external user.
  We would like to use REST Security framework to restrict certain method / repository access to certain client only. There are 2 set of users involved here in one session 1. The client making the Rest service call and we would like to restrict access by these client. 2. The end user, who will login and create order and checkout. But we don't want to setup access rule based on the external customer profile.
  How should we approach this scenario? Any suggestion.

  1) Report level security
  Using Discoverer you can control access to specific workbooks, so that only certain users have access to the workbooks you want. Also, you can also share workbooks to database roles, and not just users.
  2) Data Level security
  Discoverer relies on the Oracle database to implement data security. What this means is that the Discoverer user connecting to Discoverer to run a workbook that queries the database for data will never be able to get to data that they do not have access/privilege to. For e.g. is user 'A' is not authorized to view data in table 'B' then user 'A' cannot use Discoverer to get to the data in table 'B'.
  3) EUL/Business Area Access
  This can be done using Discoverer Administrator - using the relevant menu options. Users can either have full access to the Business area, or you can specify whether a user has access to a business area to begin with. Secondly, using the Privileges dialog, you can furthermore specify whether a user has 'Administration' privileges or not, and even as an administrator whether the user can create new BAs, summaries, manage scheduled workbooks, etc...
  4) Allowing user to view the report but restricting it to modify existing report(i.e removing conditions,some fields etc.)
  Using Discoverer Administrator, you can also specify whether users have privileges like drill-out, save a workbook, etc... If for example a user does not have drill privileges, then the drill icon is not displayed when running the workbook.
  For concepts like how to setup row/column level security, you should consult the Oracle database documentation:
  See the Oracle® Label Security Administrator's Guide, 10g Release 2 (10.2), Part Number B14267-01 at http://download-east.oracle.com/docs/cd/B19306_01/network.102/b14267/toc.htm
  and
  Oracle® Database Security Guide, 10g Release 2 (10.2), Part Number B14266-01 at http://download-east.oracle.com/docs/cd/B19306_01/network.102/b14266/toc.htm
  Thanks
  Abhinav

• Security issues for Discoverer 10g apps 12i

  gurus,
  I have couple of things to get it done at client.
  We are on Oracle Apps rel 12i with dicoverer 10g.
  Did anyone setup MOAC to be enabled and operational in business areas?
  Setting up secure responsibilities in discoverer for MOAC?
  Any setup needs to be done for custom report security in discoverer ?
  thx

  Hi,
  I did setup new MOAC security profiles and assigned multiple organizations to that profile for testing purpose.
  After this, I did run concurrent program "Security List Maintennce" etc...
  Tested Upding profile at user level or responsibility level.
  On APPS side fine.
  I need the some basic steps on setup of security issues for discoverer side.
  1) Business areas (any security steps need to be followed in order to access data for single or multi-org)
  2) Custom Reports ( any security setup or any moac security profile setting against responsibilty for accessing single or multi-org data)
  Since we dont have default operating unit parameter as specified in the concurrent program, how do you restrict data?
  3) Reconciling security approach r12 with discoverer (any steps need to be followed here after r12 configuration with security issues)
  4) Custom Views ( any steps to be followed for single or multi-org data as security aspect)
  Looking for info on these setups.
  Thx

• [svn:bz-trunk] 20680: Tomcat 7 Login Module work, due to the Tomcat 7 Security framework change we need to work out the security integration piece for tomcat 7 .

  Revision: 20680
  Revision: 20680
  Author:   [email protected]
  Date:     2011-03-08 08:23:30 -0800 (Tue, 08 Mar 2011)
  Log Message:
  Tomcat 7 Login Module work, due to the Tomcat 7 Security framework change we need to work out the security integration piece for tomcat 7. So far the ValveBase and tomcat Realm had API changes which will impact on the Login integration with Tomcat 7
  Modified Paths:
      blazeds/trunk/modules/opt/build.xml
  Added Paths:
      blazeds/trunk/modules/opt/lib/catalina-708.jar
      blazeds/trunk/modules/opt/src/tomcat/flex/messaging/security/TomcatValve708.java

  Revision: 20680
  Revision: 20680
  Author:   [email protected]
  Date:     2011-03-08 08:23:30 -0800 (Tue, 08 Mar 2011)
  Log Message:
  Tomcat 7 Login Module work, due to the Tomcat 7 Security framework change we need to work out the security integration piece for tomcat 7. So far the ValveBase and tomcat Realm had API changes which will impact on the Login integration with Tomcat 7
  Modified Paths:
      blazeds/trunk/modules/opt/build.xml
  Added Paths:
      blazeds/trunk/modules/opt/lib/catalina-708.jar
      blazeds/trunk/modules/opt/src/tomcat/flex/messaging/security/TomcatValve708.java

• ADF Security Framework

  Hi,
  Has somebody successfully implemented ADF Security framework with LDAP provider?
  I followed this nice article by Frank http://www.oracle.com/technology/products/jdev/howtos/1013/adfsecurity/adfsecurity_10132.html
  and it works but very slow - I must say I have maybe 100 VO's attributes on page, but to wait 3minutes to get rendered the page is too long. Maybe some bottleneck somewhere so I am asking...
  thanks,
  Branislav

  Hi
  I have also used ADF security using LDAP with less VO's per page without any problems.
  I must tell you however that during development I use file based security and change it to LDAP later on during deployment on the application server (I use 10.1.3.1).If you combine this with SSO then you end up with a neat solution -- that in my case more or less works satisfactorily. :-)
  Thanassis

• Advantages of Weblogic security framework over websphere security architecture

  Hi,
  Weblogic implement the security as a layer . And websphere, as far as I known
  implements security as plug ins.
  I'd like to known what are the advantages of weblogic security framework over
  Websphere security archirtecture ? performance point of view, features, reliability,
  robustness etc ...
  Thanks a lot !

  "walt" <[email protected]> wrote in message
  news:3fca2d60$[email protected]..
  >
  Hi,
  Weblogic implement the security as a layer . And websphere, as far as Iknown
  implements security as plug ins.
  I would consider the WLS security provider model to be a plugin model.
  I'd like to known what are the advantages of weblogic securityframework over
  Websphere security archirtecture ? performance point of view, features,reliability,
  robustness etc ...
  http://www.bea.com/content/news_events/white_papers/BEA_WLS_vs_Websphere_TCO_wp.pdf
  http://e-docs.bea.com/wls/docs81/secintro/archtect.html
  http://dev2dev.bea.com/products/wlserver/whitepapers/WLS_security_Framework.jsp
  http://dev2dev.bea.com/products/wlserver81/index.jsp

• Weblogic Security framework

  Hi,
  I am trying to implement the above mentioned on my jsp pages to achieve Authentication, Authorisation and Role Mapping.
  Please help me answer some doubts:
  1) Where are the usernames, passwords stored for Authetication. How shall i configure it ?
  2) If I were to implement the security framework directy from the jsp pages, instead of doing in the conventional way through portlets, which classes would i need from the bea api ?
  Please help me get started on this. Thanks a lot!

  "walt" <[email protected]> wrote in message
  news:3fca2d60$[email protected]..
  >
  Hi,
  Weblogic implement the security as a layer . And websphere, as far as Iknown
  implements security as plug ins.
  I would consider the WLS security provider model to be a plugin model.
  I'd like to known what are the advantages of weblogic securityframework over
  Websphere security archirtecture ? performance point of view, features,reliability,
  robustness etc ...
  http://www.bea.com/content/news_events/white_papers/BEA_WLS_vs_Websphere_TCO_wp.pdf
  http://e-docs.bea.com/wls/docs81/secintro/archtect.html
  http://dev2dev.bea.com/products/wlserver/whitepapers/WLS_security_Framework.jsp
  http://dev2dev.bea.com/products/wlserver81/index.jsp

• IPhone iPhone SDK (build 9M2199a, beta 8) Security.h Security-Framework

  Hi!
  I've downloaded and installed the iPhone SDK (build 9M2199a, beta 8).
  Now, i'm trying to write code to use the Keychain in iPhone but "SecItem.h" in "Security.h" (Security-Framework) is missing so the Attributes (kSecClass, ...) can't be found and the code doesn't compile.
  Where i can get it ?
  Thanks for help.
  Message was edited by: iPhoneProj

  I had the same issue. The security code seem to only work if you build for Device|Debug. You can't run the code in the simulator.

• Something is wrong with my Security.Framework, but I don't know what.

  I've been developing apps for the iPhone recently, and when I try compiling to test my app, I get an error. I tried the terminal alternative to Xcode's code signing, and this is the error it shows:
  dyld: Symbol not found: _kSecCFErrorArchitecture
    Referenced from: /usr/bin/codesign
    Expected in: /System/Library/Frameworks/Security.framework/Versions/A/Security
  in /usr/bin/codesign
  Trace/BPT trap
  How would I fix this? It seems to be a security framework problem, because I tried reinstalling the Xcode Dev tools, but I still get this problem.

  The email address that shows for the reset link will be the rescue email address that you put on your account. If you don't have access to that email account (you won't be able to change the rescue emai address until you can answer 2 of your questions) then you will need to contact iTunes Support / Apple to get the questions reset.
  Contacting Apple about account security : http://support.apple.com/kb/HT5699
  When they've been reset you can then use the steps half-way down this page to view/updat your rescue email address for potential future use : http://support.apple.com/kb/HT5312

• Mapping Apps security profiles in Discoverer

  Hello
  We wish to implement a 2-tiered security architecture. We already have the 1st tier in place in Disco Admin by assigning specific Business Areas to responsibilities.
  However, we also want to use the Apps custom Security Profiles to restrict access to tables and views through Discoverer Admin.
  How can this be implemented? Any examples would be most welcome.
  Thanks
  Sanjib Manna
  Oracle Practice
  IBM Business Consulting

  You can use the following query to look for all the security profiles. You can join the hr_operating_units to fnd_profile_option_values.level_value to get the desired result.
  SELECT psp.security_profile_name,
         psp.security_profile_id,
         hou.NAME,
         hou.organization_id
    FROM per_security_profiles psp,
         per_security_organizations pso,
         hr_operating_units hou
  WHERE pso.security_profile_id = psp.security_profile_id
     AND pso.organization_id = hou.organization_id;Additionally, you can also have a look at the below MOS docs.
  How To Check If a Profile Option Is Set In Oracle Applications? [ID 470102.1]
  How to Search all of the Profile Options for a Specific Value [ID 282382.1]
  How To List E-Business Suite Profile Option Values For All Levels Using SQLPlus [ID 201945.1]
  Script To List The Values Of A Profile Option At All Levels [ID 803587.1]
  How to Search all of the Profile Options for a Specific Value [ID 282382.1]
  How To Find All Users With A Particular Profile Option Set? [ID 367926.1]
  How to Change Profile Option Value Without Forms? [ID 943710.1]
  Cheers,
  ND
  Use the "helpful" or "correct" buttons to award points to replies.

• Disable security rules in discoverer report

  I have a discoverer report on GL with security rules applied, it displays data based on the responsibility thro which we have logged in. Users dont want this functionality, they want all the data to be displayed in a single reponsibility, which implies that the security rule be disabled for this report. The report doesnt have any custom folders and also I couldnt find anywhere the GL_SECURITY_PKG being called to implement security rules. Can anyone help me in disabling the security rules.

  Hi,
  Where did you look for the security rule? in the underlying objects or in the discoverer?
  First thing you should do to see whether this rule is applied is from within the discoverer take the SQL (from the view-> sql inspector) and start analyzing the views in the from clause, i am sure that you'll find one of them that holds this rule.
  If you are using oracle BA then for sure you'll find it in the "Journal Lines" folder (based on view : GLFG_JOURNAL_LINES)
  Your request is not that simple as "Disable the security rule".
  If you are using Oracle views then you cannot disable it without changing those views and you will have to verify you are not changing any of the views that the application uses.
  If you will create a new responsibility for "Cross Set Of Books" then you can exclude it from the rule by changing the security rule from :
  Gl_Security_Pkg.Validate_Access(Journal_Line.Set_Of_Books_Id,Journal_Line.Code_Combination_Id) = 'TRUE'
  To something like:
  decode(fnd_global.RESP_ID,<your new resp_id>,'TRUE',Gl_Security_Pkg.Validate_Access(Journal_Line.Set_Of_Books_Id,Journal_Line.Code_Combination_Id)) = 'TRUE'
  If it is a specific request they have then you can create a new view and use the GL tables to avoid the usage of the GL security rule.
  Tamir

• How to handle multiple SSO in ADF Security Framework

  Hello All,
  I have a question about ADF security with multiple SSO provider.
  What I am trying to achieve:
  Assume there are SSO provider A, B and C. Each provider will grant a different role to the ADF application (A grant Admin, B grant Business Manager, C grant Configuration Manager). Sign out from the ADF application will log all the SSO out at the same time.
  What I know:
  Each SSO will need to have information about the role it provides. I will also need to write code like the following: (modified from an old answer from Frank Nimphius before)
      try {
          IdentityStore idstore = JpsCommonUtil.getValidIdStore("idstore.xml.provider").getIdmStore(); //Need to get the specific IDM store based on the SSO the user is using.
          try {
              UserManager userManager = idstore.getUserManager();
              RoleManager roleManager = idstore.getRoleManager();
              Role role = idstore.searchRole(Role.SCOPE_APPLICATION,idmRole); //Again, idmRole based on which SSO the user is using.
                  // create user
                  //TODO check for empty username and password
                  User user = userManager.getUser(SecurityContext.getUserName()); //the user may already login from another SSO.
                  if (user == null)
                      user = userManager.createUser(this.username,this.password.toCharArray());
                  roleManager.grantRole(role,user.getPrincipal());
              } catch (IMException e) {
                  // TODO
          } catch (JpsException e) {
              // TODO
          return null;
  }Also a logout code like this
        doLogout()
           if(A) logoutFromA(user);
           if(B) logoutFromB(user);
           if(C) logoutFromC(user);
        } My Question:
  Would the code above handle what I described? Also, how do I set the SecurityContext for ADF security - Or the grantRole automatically does that for me?

  Hello Sudipto,
  Yeah, I had watched that tutorial, it is pretty helpful on getting 1 SSO working with the ADF security.
  I am confused when there is multiple provider - do I setup the web gate so that "http://myapp:7777/LoginViaA" point to SSO Provider A, "http://myapp:7777/LoginViaB" point to SSO Provider B and so forth? **Note: the login/username can be different on different SSO provider.
  In that case, I will still need to set the value in SecurityContext to say "This current user login as [email protected] via SSO A and [email protected] via SSO B", or is there some other way to handle this?
  Thanks,
  Louis

• Security framework

  Hi,
  I would like to learn about the security (user authentication)
  implementation in OC4J. More specifically on how to extend the
  security API and implement a form-based authentication.
  Could you point me to any documentation, sample code about this?
  Thanks.
  - ranga

  Hi.
  Have a look at http://www.orionsupport.com
  They have an article about writing your own plug-in to use with OC4J. (User authentication/authorization).
  Best Regards /Anders

• How to store Custom principal in Oracle ADF security Framework

  Hi guys, hope somebody will help me out.
  I am facing the following issue, i need to have a custom principal instance after oracle adf security frame work does authenticate and authorize user.
  My custom principal instance should have per say addition attribute, say clientId. I am using Jdeveloper 11.1.2.4 and i setup weblogic to use ReadOnlySQLAuthenticator(it does most of desired functionality).
  As far as i get it, i would have to implement a custom provider to have a chance to implement a custom LoginModule, so i can set it up to use my custom principal, am i right ? and i am not sure how ReadOnlySQLAuthenticatorImpl that i chose in weblogic is bound to
  DBMSAtnLoginModuleImpl (i mean how does it knows what LoginModule should it use) and if i can , how can i make  ReadOnlySQLAuthenticatorImpl  use my custom LoginModule.
  Sorry if i violated forum rules.

  and i am not sure how ReadOnlySQLAuthenticatorImpl that i chose in weblogic is bound to
  DBMSAtnLoginModuleImpl (i mean how does it knows what LoginModule should it use)
  This info is returned by getLoginModuleConfiguration(): AuthenticationProvider (BEA WebLogic Server 10.0 API Reference)
  Dario

• Discoverer 3.1 & Applications 11i Security

  I'm currently using Discoverer 3.1 in applications modewith 11i.
  I was under the impression that using an Applications username/responsibilty to log on would only allow the user to access the same data they could access in Applications. i.e The Applications security would be applied within Discoverer.
  I've since been told that this is not the case. Users will have access to ALL data within any tables they have permission to see within the business area.
  However I have also been told that the applications security may work if I base the business area on the apps views that already have the security built into them. I've tried attaching some of the apps views and the results seems to be the same as for the tables i.e users can see all the data within the view.
  Has anyone managed to build folders in Discoverer that inherit the security from applications? Or is it just a case of manually replicating all the apps security again in Discoverer?
  null

  James
  I had similar problems and the solution I found is..
  If you are trying to use the Hierarchy Security in HRMS then you should build your Business Area on views. Do not use the tables to retrieve the data. The HRFV_ , HRV_, views have the security built into them.
  If you are trying to apply the Flexfield Security rules to apply to discoverer then the business area should be created using the GLFG_ views. These views can be created from Oracle Applications using the "Business Views Setup" responsibility.
  You cannot look at the data in the above GL views if you are using SQL*PLUS or Toad. You need to launch discoverer user edition with the GL Responsibility to look at the data. Also make sure that the name of icon is "Dis31usr" if not it will not work.
  I have tested the above and they work fine.