Security in OBIEE

Hi Guru's,
I have a challenge where i need to enhance my existing security setup by customising or by following short cut.Currently with the existing set up we have database authenciation for users by setting up two user group. we have have heerarchy as L5,L4,L3,L2,L1 we are applying security at L5 for one group and L4 for another group.Now there is a new requirement where i need to apply security for L3.we can leverage the existing standard security (Databse Authorisation,by creating session variables and intialisation blocks including SSO) but this is dependent on various different teams,to say in short cut its cost included and more of time consuming to communicate to all the groups who are part of the existing set up.Is there any way where i can implement data security for L3 in repository by creating Repository groups and applying data filters in the RPD.
I tested by creating RPD user and RPD group by applying data filters in test groups,But i am not see the data filter in the queries.
Any suggestions or ideas are really appreciated.
Sorry for the long explanation and thanks in advance.

Do you mean you have five level of groups For example :
L1 belongs to L2
L2 belongs to L3
and so on?
Am I right? Correct me if I am wrong.....

Similar Messages

Row level security in OBIEE 11g: Which is better: VPD or RPD

We can apply row level security in OBIEE by 2 ways.
1. by Creating Initialize Block in RPD
2. or Applying VPD in Database, which restricts source tables
Which one is more efficient and why?
Thanks,
Sunil Jena

you will have some degree of performance degradation with either approach since you are adding additional filters so I would not use that as the main factor to decide. You need to assess your actual requirements. What is the basis by which you are planning on doing the security. Is LDAP the main basis for the security? Do you plan to use certain roles? if your security is more based on roles at the application level, then it may be easier to define at the Application level (OBIEE)...if its just based on a certain user ID for a set of tables, then perhaps VPD can work. If helpful, pls mark.

Data Level Security in OBIEE Enterprise Edition

HI,
would like to know how to implement row-level security in OBIEE Enterprise Edition
Setting up the context right here, considering a hierarchy of an organization that goes up to 4 levels as below:
VP >Senior manager>Manager>clerk
Now, the situation is such that a manager should be able to view its subordinates data but not the data of any other team to which he does not have access. And also the manager should view only his regions data.Same goes for other hierarchies in the organization.
Any pointers in this regards i.e OBIEE ADMIN TOOL: SECURITY AUTHENTICATION THROUGH EXTERNAL DATABASE would be of great help.
Source system is SIEBEL CRM 7.8
THanks
Gutha

Hi,
I can help you for Authentication using BI Server.
For teh same you can use admin tool then manage>security> users and Groups.
You can create different groups as well as users accrording to you hierarchy and then provide privilages users or groups according to your need like particular user can view the data of particular level.
When you create users then in the user page you can provide the filter conditions in filter tab and same as in groups.
Regards
Tarang Jain

Row Level Security in OBIEE using OID as authentication Mechanism

Hi OBIEE Gurus,
I am trying to implement Row Level Security in OBIEE . Currently I have setup OBIEE to have OID do the user authentication.
I want to implement RLS by doing the following :
1. Have Security Groups defined in OID and assign users with group membership.
2. Import these Security Groups into OBIEE metadata
3. Apply filters to these Security Groups
4. Run Answers requests to see if RLS works or not
Please let me know if this approach works. If this is not the right way or most efficient way to do this, please let me know if there is any document I can follow to accomplish this.
Appreciate your help.
Edited by: drakesh on Sep 26, 2008 7:09 AM

Follow the steps in the following link to set up OID and Row level security:
http://www.rittmanmead.com/2007/05/21/using-initialization-blocks-with-ldap-and-database-queries-to-control-authentication-and-authorization/
Instructions for the link above:
1.In place of Edit Data Source as database you have to select LDAP,define the groups and default initializer as filter expression.
2.A more simpler approach ,is to create the groups explicitely using the Security Manager in BI Administrator, add filters to those groups, and assign users to those groups.
Otherwise follow Matt's view
Thanks,
Amrita

How to provide Responsiblity level security in OBIEE 11g

Hi all,
Can any one tell me how to provide the responsibility level security in OBIEE 11G.

Hi,
You need to create group of users and then apply filters over that groups.
you should establish an additional filter for group1 (user1 belongs to group1 in your example). Follow next steps:
- Manage -> Security...
- Groups -> click right group1 and select propierties.
- Select button 'Permissions...'
- Select tab 'Filters' -> add new filter.
- On the column name select the metric you need filter, in your example, customer sales. On the column 'Business model filter' put table.division=division1
you should add the Customer table to your Sales-fact LTS add apply the filter to this combined LTS as well
For more:
http://oraclebizint.wordpress.com/2008/06/30/oracle-bi-ee-1013332-row-level-security-and-row-wise-intialized-session-variables/
also try http://www.biblogs.com/1969/12/31/obiee-11gr1-security-explained-an-11g-security-overview/
http://forums.oracle.com/forums/thread.jspa?threadID=1120336
Thanks
Deva
Edited by: Devarasu on Oct 11, 2011 6:08 PM

How to create Database level Security in OBIEE

Dear Experts,
Can you kindly tell me the steps on how to create a database level security on OBIEE.
Please can some one give me the scripts and tell me how to implement tht in the RPD.
Thanks in advance,
Anand

If you are looking for Database Level security in OBIEE the only route to truly accomplishing this is using the Oracle Virtual Private Database concept.
http://obieeblog.wordpress.com/2008/12/29/obiee-and-virtual-private-database-vpd/
http://gerardnico.com/wiki/dat/obiee/vpd

Data Security in OBIEE Repository

I applied Data Security in OBIEE Repository,created testuser and assigned to Test group.Applied security in the Test group for specific column using Logical Fact.When i login using the testuser i am not able to see the applied data filter in the Test Group.Am i missing anything.
Thanks in Advance

I tried but still i don't see the security filter.Do i need to configure my NQSconfigfile.ini.Security filter status in Repository is Enable.We implemented fragmentation in logical fact,anyway that shouldn't matter as per my guess.

External Table Security with OBIEE 11G is not working properly.

Hello Everyone,
we just upgraded for OBIEE from 10G to 11G.
not what we had in 10G for object level and data level security is that we were using "External table" and LDAP Authentication.
Now for User we are capturing Groups in that table, so basically we have Group-level security.
so in that case we are creating Groups in External Table, RPD & Catalog.
Now we upgraded OBIEE to 11G, there we have totally different concept for security.
So here in what we have to do to implement the same concept. because we have created the Application Roles in Admin Console and Groups in Enterprise Manager with same name, and assigned same Groups to same Application Role.
now while applying security in frontend we can catalog groups options too!!! so do we have to create the same groups in catalog too?? and while applying the security to catalog which one do we need to use? "Application Role" OR "Catalog Groups"???
Thanking You..

Hi,
which version r u using? until obiee11.1.1.5 its bug but solve it by workaround method . also the bug fixed in obiee.11.1.1.6
11700314 REPORT NOT EXPORTED FULLY INTO EXCEL WHEN DOWNLOADING FROM PAGES OTHER THAN 1
1) stop it all u r bi serivices then take a back of u original instanconfig.xml file then do the below changes
D:\Oracle\Middleware\instances\instance1\config\OracleBIPresentationServicesComponent\coreapplication_obips1
instanceconfig.xml
just add below content then
<Views>
<Pivot>
<MaxCells>6500000</MaxCells>
<MaxVisibleColumns>100</MaxVisibleColumns>
<MaxVisiblePages>1000</MaxVisiblePages>
<MaxVisibleRows>65000</MaxVisibleRows>
<MaxVisibleSections>25</MaxVisibleSections>
<DefaultRowsDisplayed>500</DefaultRowsDisplayed>
<DefaultRowsDisplayedInDelivery>75</DefaultRowsDisplayedInDelivery>
<DefaultRowsDisplayedInDownload>64000</DefaultRowsDisplayedInDownload>
<DisableAutoPreview>false</DisableAutoPreview>
</Pivot>
<Table>
<MaxCells>6500000</MaxCells>
<MaxVisiblePages>1000</MaxVisiblePages>
<MaxVisibleRows>65000</MaxVisibleRows>
<MaxVisibleSections>25</MaxVisibleSections>
<DefaultRowsDisplayed>500</DefaultRowsDisplayed>
<DefaultRowsDisplayedInDelivery>75</DefaultRowsDisplayedInDelivery>
<DefaultRowsDisplayedInDownload>64000</DefaultRowsDisplayedInDownload>
</Table>
</Views>
Restart all u r bi services..
then test it out.
Thanks
Deva

Object Level Security in OBIEE 11.1.1.5

Hi All,
I am trying to implement object level security for certail groups. We have BI Apps 7.9.6.3 implemented in whch obiee 11.1.1.5 is integrated with EBS R12. Users are able to login through diffrent responsiblities to OBIEe. I need insight into how to implement object level security. Below are the steps whihc i have followed but still i am facing strange issues i.e. some users are able to see dashboards which they have no access with view display error. I checked in dashboard permission. They do not have access
1) Created application roles in OBIEE with the same resposiblity names
2) Grouped the application roles in diffrent groups. I.e. if application roles a,b,c should have access to dashboard x then i made b and c member of a.
3) Configured security in manage previleges and catalog for these application roles i.e. i used application role a mentioned in step 2 in manage previleges etc.
4) Restarted the BI server and presentation servers.
Are there any other steps which should be followed apart from above mentioned steps. Do i have to make use of groups.
Regards,
Sandeep

Sandeep Saini wrote:
I checked the inheritance. I did a lot of investigation but it is weird. My purpose of asking the question was to find out if there are any bugs in version 11.1.1.5 otherwise i didn't see any issues.
There are a couple of bugs related to the issue but I have checked that on 11.1.1.5.5 and its works as expected.
Bug 13982971 : PERMISSIONS ON WEB CATALOG OBJECTS NOT APPLIED IMMEDIATELY
In case you see anything like this -> QA:USER WITH NO ACCESS OVER A FOLDER IS ABLE TO RUN ANALYSIS REPORT CONTAINED then [Patch ID 15626966]
1) I want to check if there are any components i.e. BI server, presentation server or any other service that should be started after creation of application roles. I started only BI server after creating application rolesAny changes made to the Application policies should need a restart of admin and managed server however if you are not creating policies just Roles with similar names OPMN restart should be good to see the changes made.
2) I made use of application roles throughout in object level security . Is it the correct approach ?Yes that is the right approach to use application roles for defining object level permission settings throught, do not go for catalog groups its makes it nasty to manage. Here is the quote from Sec Guide : " Using catalog groups is not considered a best practice and is available for backward compatibility in upgraded systems."
3) To check if there are any object level security related bugsThere might be more than once mentioned above since 11.1.1.5 .. I do not trust that version it bites a lot ;)
And to explain step 2 lets say there are n number of application roles which should have same object level security but diffrent data level security. In that case i made all such application roles member of another application role and configured object level security for that group only. For ex in manage previlege i configured "Access to Answer" for one application group and made other application group member of this group. I hope its clear now .Grouping of Roles with other similar roles is what needs to done to get functionality like catalog groups.However a reference of the 5 basic rules is always a lifesaver : [Rules for Inheritance for Permissions and Privileges|http://docs.oracle.com/cd/E29505_01/bi.1111/e10543/mgrgrpsusers.htm#autoId16]
Hope this helps.!
SVS

Regarding Security in OBIEE

Hi,
We have 4 regions like UK, India, US, Japan.. when ever UK users logins to OBIEE the dashboard should get defaulted to UK region and user should see UK reports only.
Similarly if a Japan, US users logins he should see reports corresponding to his region.
At present we have a prompt where user select the region from the prompt . How to implement the security for this..
Thanks

Hi,
Do the following steps and let me know if it was helpful:
1. Create a separate table say table1 which will contain the USERID and REGION columns.
Eg. User1 Region1
User1 Region2 and so on
2. Import the table in the physical layer. No need to create BM for it.Check in and save.
3.Go to Manage - Variables and create a Session - Initialization Block with connection pool pointing to above table and query as select 'REGION1' ,REGION from table1 where USERID=(':USER')
4. After the block is created go to Business Model and the table in which you want to implement the security.
Table - Sources - Content tab - add the following in the where clause
MAINTABLE.REGION IN (VALUEOF(NQ_SESSION."REGION1"))
Save the rpd. Log in and check if it is working.
Regards,
Swati

Data Level Security In OBIEE 11g based on the filters setup in RPD

Hello All,
We are trying to implement the data level security on a BI publisher report that is using BI server as the data source. The filters are created in the RPD based on user login ( session variable USER). From the documentation of BI publisher, I see that you have to enable the option Use Proxy Authentication to pass the user information down to BI publisher from OBIEE when using BI server as the data source to implement row-level security. After checking that option, the BI pub report does not render anymore. This is all in 11g. Can anyone help me with where I am going wrong?
Regards,
-Amith.

A.Y wrote:
Hello All,
We are trying to implement the data level security on a BI publisher report that is using BI server as the data source. The filters are created in the RPD based on user login ( session variable USER). From the documentation of BI publisher, I see that you have to enable the option Use Proxy Authentication to pass the user information down to BI publisher from OBIEE when using BI server as the data source to implement row-level security. After checking that option, the BI pub report does not render anymore. This is all in 11g. Can anyone help me with where I am going wrong?
Regards,
-Amith.Not sure, if anyone has yet ran into this issue, but the workaround we have implemented is to build a report in OBIEE and use the analysis query as the source for BI Publisher.

BIP Security (and OBIEE) doesn't seem to work with Subgroups

Bottom Line Question:
Can security groups be used as subgroups under XMLP_ADMIN, XMLP_DEVELOPER, XMLP_SCHEDULER, XMLP_ANALYZER_EXCEL, XMLP_ANALYZER_ONLINE and XMLP_TEMPLATE_DESIGNER and OBIEE Administrators? Or do the tools expect that only users can be added here?
Enterprise BIP (10.1.3.3.3) has been configured with BI Server Security. In the BI Repository, 3 groups were created: Repository Administrators, Repository Developers and Report Developers.
Repository Administrators group was added to XMLP_ADMIN and Administrators. The users in the group do not see the Admin Tab.
The Report Developers group was added as a subgroup to XMLP_DEVELOPER, XMLP_SCHEDULER, XMLP_ANALYZER_EXCEL, XMLP_ANALYZER_ONLINE, XMLP_TEMPLATE_DESIGNER. BIP Developers were then added to the Report Developers group in the BI Repository. In BIP, Report Developers was given permissions to the top level report folders under Shared Folders.
When a BIP developer logs in, they are able to see View the reports and look at History but not Edit or Configure.
I have tried other combinations of this set up with various results but none of them the desired result.
Has anyone tried this?

Bottom Line Question:
Can security groups be used as subgroups under XMLP_ADMIN, XMLP_DEVELOPER, XMLP_SCHEDULER, XMLP_ANALYZER_EXCEL, XMLP_ANALYZER_ONLINE and XMLP_TEMPLATE_DESIGNER and OBIEE Administrators? Or do the tools expect that only users can be added here?
Enterprise BIP (10.1.3.3.3) has been configured with BI Server Security. In the BI Repository, 3 groups were created: Repository Administrators, Repository Developers and Report Developers.
Repository Administrators group was added to XMLP_ADMIN and Administrators. The users in the group do not see the Admin Tab.
The Report Developers group was added as a subgroup to XMLP_DEVELOPER, XMLP_SCHEDULER, XMLP_ANALYZER_EXCEL, XMLP_ANALYZER_ONLINE, XMLP_TEMPLATE_DESIGNER. BIP Developers were then added to the Report Developers group in the BI Repository. In BIP, Report Developers was given permissions to the top level report folders under Shared Folders.
When a BIP developer logs in, they are able to see View the reports and look at History but not Edit or Configure.
I have tried other combinations of this set up with various results but none of them the desired result.
Has anyone tried this?

Data level security in OBIEE

We have implemented data level security by applying filters on groups in Obiee Administration tool. Here we have set filter on division(which is a column in Customer table). This is done so that user can see data for division for which he has access.
When user creates report which consists of division column filter is working fine. E.g. if user1 has access to division1
and when user1 cretes a report for (customerName,division,sales columns) he can see sales of customers belong to division1. But if user1 cretes report which does not contain division column e.g.(customerName,sales columns report) he can see all the customers sales data. How can we aoide that. We want User1 to see division1's data only irrespective whether division column is there in report or not.
Can any one suggest what should be done to achive this.
Thanks,
Avdhut

Hi friend,
You need to create group of users and then apply filters over that groups.
you should establish an additional filter for group1 (user1 belongs to group1 in your example). Follow next steps:
- Manage -> Security...
- Groups -> click right group1 and select propierties.
- Select button 'Permissions...'
- Select tab 'Filters' -> add new filter.
- On the column name select the metric you need filter, in your example, customer sales. On the column 'Business model filter' put table.division=division1
I hope this can help you.
Good luck.

Row level security in OBIEE 11g

Hi guys,
We have a business intelligence project in OBIEE, and I have a question regarding row level security (RLS).
Specifically, I have an hierarchical organization with users belonging to different structures. If one user belongs
to a structure that is above another structure in hierarchy, then he should see both data from his structure and
the of the users in structures bellow it. In the reports, we must have filters implemented respecting this requirement,
i.e. if one logs in OBI and accesses the report, he should see in the filter "Users" only subordinate users and respectively
data displayed in the report should be filtered accordingly. How would you suggest to implements this type of security
in the data model? And how could I create the type of filter mentioned above?

This needs to be implemented in 3 different levels. 1. in database 2. in RPD 3 in reports
1. You need to have facts or dimensions which have columns through which you can filter based on their hierarchy. e.g position in an organisation or department in the hierarchy table which can be joined to fact.
2. In rpd you need to create a session variable and initialize it using init block based on the user who is logging in. This variable will be you position or department through which you want to filter based on hierarchy. e.g select position from hierarchy_table where user= 'NQSession(user)' . The resulting position value will be used as a filter.
3. Add this position variable as a content filter in your LTS in you BMM layer.
4. You can also use this session variable as a filter in you reports too.
hope this helps.
Senthil

Data level security in OBIEE 11g

Hi all,
I am using OBIEE 11g. I have a table called "USER_ACCESS_T" which has four columns user_name,Access_level_name,Access_level_type,status_flag.
User_Name Access_Level Access_Type Status_Flag
XX Project ABC Project Group Yes
YY Project DEF Project sub Group Yes
ZZ Project GH Project Yes
My requirement is
When user XX logs in BI answers, he has to access only Project group ie.., Project ABC.
When user yy logs in BI answers, he has to access only Project sub group ie.., Project DEF.
Kindly Guide me.
Thanks and regards
Haree
Edited by: Haree on Dec 23, 2011 11:44 AM

Hi Haree,
Please follow the follow steps to restrict users on the project dimension.
1) Create an init block to populate the list of project a user belongs to. You have to do this row - wise initialized as a user can belong to multiple projects.
Select 'PROJECT_NUMBER', project_number from w_project_d where UPPER(user_name)=UPPER(':USER');
2) Now as you have all the project numbers for a particular user in a variable, you can use that to filter on the dimension table.
3) In the rpd, go to the group/role - Permissions - Select the dimension table project - and put the following filter.
"Core"."Dim - Project.Project Number" = VALUEOF(NQ_SESSION.PROJECT_NUMBER)
That's it. Your security is now in place for projects.
i think this will give you an solution.

Need help on Data level security in OBIEE

Hi All,
Currently there are for few users who are accessing OBIEE dashboard. Here each user is responsible for 2 or 3 regions.
Requirement:
User wants there should be 2 dashboards First and Second. When a user login he should see the data for only those regions to whom he belongs in first dashboard. If user want to see data for all regions then he want to click on second dashboard which contains all regions data. Default dashboard for the user should be first dashboard to whom he is responible for the regions when he login.
I have created users and groups in the security and am able to restrict the data in the first dashboard as per the filters applied on the user. Is this possible to show all regions data in second dashboard for the same user?
Any Suggestions/help would be appreciated.
Regards,
Rajkumar.

Hi,
It looks like your problem is not the security, but the displaying.
You can use repository variables (in this case session type). This variable gets filled when the user logon. You then store his 'own' regions (the 3 regions) in this variable. On the report(s) shown on the dashboard you add a filter on the region and base it on the repository variable. Of course you have to remove the security filter otherwise the user will never see more than his own regions.
Regards

Security in OBIEE

Similar Messages

Maybe you are looking for