Security restriction

We have duplicate hierarchies in the system. I understand from that it is unsafe to delete the hierarchies in BCS, since the reporting cube architecture is sensitive to hierarchies.
Alternatively, is it possible to restrict the access to BCS reporting in such a way that users can see only required hierarchies, while logging in? Can we restrict the access to the BCS report by restricting hierarchy access? Appreciate if you can share some documentation on that.
Or is there any way to inactivate the hierarchies in BCS, so that users cannot visibly see it while report execution?
Appreciate your inputs.

The reporting authorization concept is defined on the BW side using the RSECADMIN t-code (I assume that you want to restrict the access to the hierarchies in the BEx BCS reports). These authorizations are called "analysis authorizations". With this concept you can define which hierarchies can be accessed during the report execution. You can select single values of companies, but also hierarchy node(s). If I remember correctly, there are several options when you restrict to a hierarchy node: you can, for example, define for which version/period validity, which children you include, etc. Please read the documentation on this topic on help.sap.com.

Similar Messages

  • Security restrictions , how to read access a txt file supplied in a jar

    I had written a simple application which uses file handling to display a random line from a file on a Swing window,
    but I do not know how to give my web application permission to access a file.
    When I set security permission to all, then the error says the application cannot load because the code requires unrestricted access to system resources and is unsigned. I don't know how to get that certificate and I am only doing it for learning purposes.
    When I remove security permissions then it says
    access denied java.io.FilePermissions geekjoskes.txt read
    Please help.
    I locally signed the jar file, and gave my jnlp file all permissions. It worked fine on my system, but when I access the same file from the local LAN it shows errors.
    Please help, I have my txt file stored in my jar file with the main class.
    The whole jnlp file is
    <?xml version="1.0" encoding="utf-8"?>
    <!-- JNLP File for geek jokes -->     
    <jnlp spec="1.0+"
           codebase="http://localhost/javasoft/webstart/"
          href="geekjokes.jnlp">
       <information>
          <title>Geek Jokes</title>
          <vendor>Vaibhav Mishra</vendor>
          <description>Geeky jokes</description>
          <homepage href="http://scjpbeginner.blogspot.com"/>
          <description kind="short">shows random jokes</description>
          <offline-allowed/>
       </information>
       <resources>    
            <jar href="GeekJokes0.1.jar"/>  
         <j2se version="1.6+"
               href="http://java.sun.com/products/autodl/j2se"/>
         <icon href="geekjokes.gif"/>
       <icon kind="splash" href = "geekjokes.gif"/>
       </resources>
       <security>
          <all-permissions/>
       </security>
       <offline-allowed/>  
       <application-desc main-class="GeekJokes"/>
    </jnlp>
    Edited by: 76jsr on Aug 7, 2008 3:45 PM
    Edited by: 76jsr on Aug 7, 2008 3:49 PM

    > I am extremely thankful to you and finally my first little app is working thanks to you,
    > here is its link
    > http://profile.iiita.ac.in/IIT2006117/javasoft/webstart/geekjokes/geekjokes.jnlp

    I am glad you got it working! But that launch file is still slightly invalid.
    Here is a corrected, and slightly optimized (you can leave the prefix off the href, if it is the same as the codebase), version of it.
    <?xml version="1.0" encoding="utf-8"?>
    <!-- JNLP File for GeekJokes 0.3 app -->
    <jnlp spec="1.0+"
          codebase="http://profile.iiita.ac.in/IIT2006117/javasoft/webstart/geekjokes"
          href="geekjokes.jnlp">
       <information>
          <title>GeekJokes App</title>
          <vendor>Vaibhav Mishra</vendor>
          <homepage href="http://scjpbeginner.blogspot.com"/>
          <description>Geeky Jokes</description>
          <description kind="short">Cshows random jokes</description>
          <offline-allowed/>
       </information>
       <resources>
           <j2se version="1.6+"
               href="http://java.sun.com/products/autodl/j2se"/>
           <jar href="GeekJokes0.3.jar"/>
       </resources>
       <application-desc main-class="Process"/>
    </jnlp>
    Very 'Geeky', BTW. ;-)
    Another few things I noted when I looked at it.
    1) There is a stray thread going after the JOptionPane is dismissed. The VM does not end, and the console (if you have it configured to pop-up for JWS apps.) stays on-screen.
    2) If all the jokes are prefixed by '* ' I would recommend removing it from every line of the source file and either re-adding it at runtime, or (preferably) not adding it at all (since it is redundant).
    3) Reconfigure the app. into a loop, and offer the user a JOptionPane with "Another Joke"/"End" instead of "OK".
    4) You can always remove that debugging line I inserted in the code to show the path to the Jar - it was just intended as a 'sanity check' during testing.
    5) Why is it Java 1.6+? JOptionPane was introduced in Java 1.2 with the first Swing implementations, and the I/O is compatible with Java 1.1.
    > Thanks again!!!!

    Thanks are best expressed (to me) in the notation of a helpful/correct answer (which you have done), and the assignation of (the remaining) dukes*. ;-)
    * After all - checks the title - we have gotten entirely around those 'security restrictions' in a sandboxed application. The reason being that File objects are rarely the correct choice, for applets or JWS apps.
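
The closing point of the thread above (read the text as a classpath resource instead of a File), as an added example that is not code from the thread. `JarResourceDemo`, `jokes.txt` and the sample lines are constructed; the demo builds a throwaway jar so it runs stand-alone, whereas a real application would call `getResourceAsStream` on its own class or class loader.

```java
import java.io.BufferedReader;
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.OutputStream;
import java.net.URL;
import java.net.URLClassLoader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.List;
import java.util.Random;
import java.util.jar.JarEntry;
import java.util.jar.JarOutputStream;

public class JarResourceDemo {

    // Constructed sample data standing in for the text file shipped inside the jar.
    static final String RESOURCE = "jokes.txt";
    static final String SAMPLE = "first joke\nsecond joke\nthird joke\n";

    /** Read the non-empty lines of a classpath resource; no file-system path is involved. */
    static List<String> readLines(ClassLoader loader, String name) throws IOException {
        InputStream in = loader.getResourceAsStream(name);
        if (in == null) {
            throw new IOException("resource not found on classpath: " + name);
        }
        List<String> lines = new ArrayList<>();
        try (BufferedReader reader =
                 new BufferedReader(new InputStreamReader(in, StandardCharsets.UTF_8))) {
            String line;
            while ((line = reader.readLine()) != null) {
                if (!line.trim().isEmpty()) {
                    lines.add(line);
                }
            }
        }
        return lines;
    }

    /** Build a temporary jar holding the sample text, as a stand-in for the application jar. */
    static Path buildSampleJar() throws IOException {
        Path jar = Files.createTempFile("resource-demo", ".jar");
        try (OutputStream out = Files.newOutputStream(jar);
             JarOutputStream jos = new JarOutputStream(out)) {
            jos.putNextEntry(new JarEntry(RESOURCE));
            jos.write(SAMPLE.getBytes(StandardCharsets.UTF_8));
            jos.closeEntry();
        }
        return jar;
    }

    public static void main(String[] args) throws IOException {
        Path jar = buildSampleJar();
        try (URLClassLoader loader = new URLClassLoader(new URL[] { jar.toUri().toURL() })) {
            // A File lookup resolves against the working directory, not the jar contents.
            System.out.println("as File, exists: " + new File(RESOURCE).exists());

            // The same name resolved through the class loader is found inside the jar.
            List<String> lines = readLines(loader, RESOURCE);
            System.out.println("as resource, lines: " + lines.size());
            System.out.println(lines.get(new Random().nextInt(lines.size())));
        } finally {
            Files.deleteIfExists(jar);
        }
    }
}
```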

  • Remove 'Page Extraction' security restriction in PDF generated by ADS

    Hello Experts,
    I am currently working on a SAP CRM project where we are using Adobe Document Services (ADS) to generate some PDF documents from SAP.
    I have an issue with the Page Extraction security restriction associated with PDFs generated by ADS.
    This causes a problem for us since we are expecting the PDF to be processed by Streamserve later on. Streamserve is then 'converting' the PDF into its proprietary format (.lxf) and is preparing a PostScript file for our printing partner.
    I have understood that Streamserve cannot process our PDF because of the Page Extraction restriction (out from ADS, value is set to Not Allowed by default).
    I have seen the following posts in SDN:
    Page extraction property in PDF document  is set to 'not allowed'
    Document Restriction Interactive Form
    I am then getting concerned since it does not look as straightforward as I would have expected.
    --> Can anyone confirm if there is a way to set the Page Extraction restriction as Allowed?
    Via ADS configuration? Via code? Via some work in SAP (SFP, output device config...)?
    In the above SDN posts, I can read things about buying a policy server, using Adobe Acrobat Pro or Reader Extensions.
    Does anyone have a clear cut?
    Thanks a lot.
    Brice.

    Hello,
    I don't know how to make this work. I would open the OSS message for this and want SAP to give a workaround or say clearly this cannot be done. Well... in one of the mentioned threads it is mentioned that SAP said this is the right behavior but there was not a word about if that can be changed.
    Otto
    p.s.: probably it would be better for you to send only RAW data (I mean only XML data) and make the partner work with it. If the PDF is converted to "something" by a machine, then you don't need PDF (what is a user GUI), to send only the data should suffice, or not?

  • Security Restrictions disappear when webi is modified

    Hello,
    I have the following problem with Security restrictions.
    I have created a business security profile, and assigned this profile to a user directly (I have tested the same assigning the profile to a group and the problem occurs too).
    The business security profile is defined this way:
    1. At the first tab (Create query), I grant all the views of the business layer and all the objects.
    2. At the second tab (Data) all objects are granted.
    3. At the filter tab, I defined the row restrictions of the profile (3 conditions with and).
    4. I assign the business profile to the user.
    The steps to reproduce the problem are:
    1. I create a webi (with an administrator user) that uses the universe that contains the business security profile.
    2. The user that has the business security profile restrictions assigned opens the webi, refreshes, and it shows only his data.
        The SQL of the webi query shows the security restrictions (profile filters).
    3. I modify the report (for instance, I drag a dimension on it). Save the report.
    4. The user that has the business security profile restrictions opens the modified webi, refreshes, and it shows all the data (as if he was an administrator user).
        The SQL of the webi query does not show the security restrictions (filters). The restrictions disappear from the SQL.
    Please, could you help me?
    Thanks
    Pilar

    Enable the following auditing on the server either through domain
    policy or local policy:
    Audit logon events - Success
    Audit Object Access  - Success
    On the Auditing tab, add Everyone with the following audit settings.

  • Page Extraction security restriction

    Hi Experts,
    I have an issue with the Page Extraction security restriction associated with PDFs generated by ADS.
    This causes a problem for us since we are expecting the PDF to be processed by Streamserve later on. Streamserve is then 'converting' the PDF into its proprietary format (.lxf) and is preparing a PostScript file for our printing partner.
    I have understood that Streamserve cannot process our PDF because of the Page Extraction restriction (out from ADS, value is set to Not Allowed by default).
    I have seen the following posts in SDN:
    http://forums.sdn.sap.com/thread.jspa?threadID=1366329
    http://forums.sdn.sap.com/thread.jspa?messageID=8793858
    I am then getting concerned since it does not look as straightforward as I would have expected.
    --> Can anyone confirm if there is a way to set the Page Extraction restriction as Allowed?
    Via ADS configuration? Via code? Via some work in SAP (SFP, output device config...)?
    In the above SDN posts, I can read things about buying a policy server, using Adobe Acrobat Pro or Reader Extensions
    Can you throw some light on this, or am I at the wrong section to post this question? Can you suggest an appropriate place to post this thread?
    Thanks
    Rohit

    Hello,
    I don't know how to make this work. I would open the OSS message for this and want SAP to give a workaround or say clearly this cannot be done. Well... in one of the mentioned threads it is mentioned that SAP said this is the right behavior but there was not a word about if that can be changed.
    Otto
    p.s.: probably it would be better for you to send only RAW data (I mean only XML data) and make the partner work with it. If the PDF is converted to "something" by a machine, then you don't need PDF (what is a user GUI), to send only the data should suffice, or not?

  • Security restriction in LoginModule?

    I have implemented my own LoginModule. In the module, I try to reference an
    EJB.
    When I call PortableRemoteObject.narrow(), I get the following error:
    java.lang.ClassCastException: Cannot narrow remote object to
    net.lm.uams.service.ejb.UserAccountManagementServiceRemoteHome
    Is this because of some security restriction related to the LoginModule, or
    do you think that the problem stems from having two copies of the same EJB
    classes? If the problem is related to having two copies of the classes, how
    would I go about referencing the classes from the LoginModule without having
    them in that .jar file?
    Note that this problem isn't at weblogic startup - I have written code to
    handle this initial administrator authentication. The problem occurs later
    during form-based authentication. The publicly available pages/EJBs work
    fine.
    using WLS 7.0 on win2000.
    I'd appreciate any pointers.
    thanks
    Sean

    Bill,
    I haven't added anything at all to the classpath in my startup script. WL
    just picks up my jar in WL_HOME/server/lib/mbeantypes. I've done a
    System.getProperty() for the classpath at runtime, and it doesn't include my
    ejb.jar.
    Yesterday, I re-wrote my class to do a straight JDBC lookup to the database
    for username/pwd/roles. It's not the solution I'd prefer, because it
    introduces a reliance on the underlying database schema into the
    LoginModule. But, I don't really have time at the moment to spend
    experimenting with my original idea. Hopefully I can come back to it in the
    future.
    thanks again,
    Sean
    "William Kemp" <[email protected]> wrote in message
    news:[email protected]...
    Each enterprise application has its own classloader hierarchy, which means the ejbs and webapps in an EAR file are loaded by a classloader hierarchy that is parented by the boot, system, and application classloaders that load the boot classes, java core classes, and weblogic.jar classes, and any classes that you put in the classpath when you start weblogic. The EAR file classes are loaded below these, hierarchically speaking.
    I am assuming that you have put your LoginModule classfile in the java classpath when you start the server. Are you perhaps putting the jar file generated by the ejbc process in the java classpath when you start the server, too? Could you post your start script? Also, remember that the start script that comes with weblogic prepends its jars and what not to the existing classpath. So, that while you may not be explicitly adding the ejb jar file to the classpath in the start script, it may be already in the classpath in the current environment and the start script is tacking that on at the end.
    Just a guess.
    Bill

    Sean Ryan wrote:
    Thanks for the response William. I have tried what you suggested, but the problem is still the same.
    If I do the jndi lookup without the narrow() part, I can execute methods on the resultant object using reflection. This is a bit of a hack, and not really a satisfactory solution.
    I have written a main() method in my class, and when I execute it (from the .jar), it can do the lookup and narrow without any difficulty.
    As I understand it, each container has its own classloader, however my class is essentially executing from within weblogic. Is there a bit of a grey area here in relation to class loading? Because, as I said my class works fine when it is executing in a separate jvm.
    again, I would appreciate any input you can offer.
    Sean

    "William Kemp" <[email protected]> wrote in message
    news:[email protected]...
    If this was because of a security restriction, you would see a different Exception. Try putting just the compiled Home and Remote interfaces in the classpath used by the LoginModule and not the jar file with the generated and compiled code for the stubs. You don't need them in the client because you are coding to the interface, not the stubs.
    Bill

    Sean Ryan wrote:
    I have implemented my own LoginModule. In the module, I try to reference an EJB.
    When I call PortableRemoteObject.narrow(), I get the following error:
    java.lang.ClassCastException: Cannot narrow remote object to
    net.lm.uams.service.ejb.UserAccountManagementServiceRemoteHome
    Is this because of some security restriction related to the LoginModule, or do you think that the problem stems from having two copies of the same EJB classes? If the problem is related to having two copies of the classes, how would I go about referencing the classes from the LoginModule without having them in that .jar file?
    Note that this problem isn't at weblogic startup - I have written code to handle this initial administrator authentication. The problem occurs later during form-based authentication. The publicly available pages/EJBs work fine.
    using WLS 7.0 on win2000.
    I'd appreciate any pointers.
    thanks
    Sean
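
An added illustration of the JVM mechanism behind the "two copies of the same classes" question in the thread above; it is not code from the thread and does not use WebLogic. A class is identified by its name plus its defining class loader, so a second copy fails the cast with a ClassCastException while reflection still works. `DuplicateClassDemo`, `AccountHome` and `AccountHomeImpl` are hypothetical names, and the demo assumes it is compiled with javac and run from the resulting class files.

```java
import java.net.URL;
import java.net.URLClassLoader;

public class DuplicateClassDemo {

    // Hypothetical stand-ins for a home interface and the object a lookup returns.
    public interface AccountHome { }
    public static class AccountHomeImpl implements AccountHome { }

    /** Load a second copy of AccountHomeImpl through the given loader and instantiate it. */
    static Object newInstanceFrom(ClassLoader loader) throws Exception {
        Class<?> copy = loader.loadClass(AccountHomeImpl.class.getName());
        return copy.getDeclaredConstructor().newInstance();
    }

    public static void main(String[] args) throws Exception {
        // Directory or jar that this demo itself was loaded from.
        URL here = DuplicateClassDemo.class.getProtectionDomain()
                                           .getCodeSource().getLocation();

        // parent = null: no delegation to the application class loader, so the
        // interface and the implementation are both defined a second time.
        try (URLClassLoader isolated = new URLClassLoader(new URL[] { here }, null)) {
            Object foreign = newInstanceFrom(isolated);
            Class<?> foreignClass = foreign.getClass();

            System.out.println("same name:  "
                + foreignClass.getName().equals(AccountHomeImpl.class.getName()));
            System.out.println("same class: " + (foreignClass == AccountHomeImpl.class));
            System.out.println("instanceof: " + (foreign instanceof AccountHome));

            try {
                AccountHome home = (AccountHome) foreign;
                System.out.println("cast succeeded: " + home);
            } catch (ClassCastException e) {
                // Not a SecurityException or AccessControlException: the types
                // simply differ because their defining loaders differ.
                System.out.println("cast failed: " + e.getMessage());
            }

            // Reflection only needs the method name, so it works on the foreign copy.
            Object text = foreignClass.getMethod("toString").invoke(foreign);
            System.out.println("via reflection: " + text);
        }
    }
}
```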

  • Security restrictions on offline form

    In my application, I have a form with a submit button of control type 'regular'. It can be downloaded to the local hard disk, filled and saved. But for the same form, I changed the control type of the submit button to 'submit' and ran the application again. Now when I download the form and fill it, I can't save any of the form data. I see that the security restrictions on the form now have changed. Any idea if I can set these security restrictions so that I can still save the form data?

    Marlon,
    We also have similar requirement. So we logged an SR with Oracle. We got response as
    =============================================================================================================================
    No but there is an enhancement request
    OER does not provide the ability to enforce assignment of specific asset tabs to specific users/roles. 
    True need to file enhancement request
    Oracle® Fusion Middleware Configuration Guide for Oracle Enterprise Repository
    11g Release 1 (11.1.1)
    Part Number E16580-04
    http://docs.oracle.com/cd/E14571_01/doc.1111/e16580/rbac.htm
    10309159 - TAB LEVEL SECURITY - AUTHORISATION
    Use Case
    If I give a user with Tester Role and a user with Lead Developer Role
    approval capability (ie. Tester Role should only approve "Testing" tab and
    Lead Developer Role should only approve "Technical" tab).  They should only
    be able to see the other tabs but not approve anything. e.g. the Lead
    developer should only approve the "Technical" tab.
    ================================================================================================================================

  • Do the security restrictions on applets apply to local applets?

    Hi,
    I read:
    "Current browsers impose the following restrictions on any applet that is loaded over the network:
    An applet cannot load libraries or define native methods.
    It cannot ordinarily read or write files on the host that's executing it.
    It cannot make network connections except to the host that it came from.
    It cannot start any program on the host that's executing it.
    It cannot read certain system properties.
    Windows that an applet brings up look different than windows that an application brings up. "
    What if I have a directory called "test" on my computer with a *.html site that contains an applet (let's say testApplet.class). Can this applet then establish network connections (for example) or do the security restrictions still apply?

    Any unsigned applet running in a browser is restricted regardless of where it was loaded from. That's just the way it is.
    Either change the program to an application or look into how to "sign" the applet so that it has more freedom.

  • Security restriction while executing Flash file

    Hi,
    I am a beginner with Flash and I developed some sample Flash
    files (swf) using Flash MX 2004. The files were able to run with IE
    without any issue on my XP machine, which has IE 6. When I tried
    the same files with IE 7 on Windows Vista, it is not letting me
    run them initially. It says ".... IE has restricted this web page
    from running scripts or Activex controlls that could access your
    computer....". Though I can right click and click 'Allow Blocked
    Content' to execute the file, I am wondering whether I can do some
    setting on the file itself to make it trusted or something like
    that. I can also change the IE settings not to restrict the file.
    But I think it won't be a general solution.
    I wanted to embed this Flash file on an HTML page and I want to
    make sure that the file will execute without the security warning
    or a change in the IE settings.
    Most of the internet sites that I used to access have Flash
    content and my IE never used to show any warning. How can I
    achieve the same with my Flash file?
    Thanks in advance
    Seb

    If you embed the swf in the HTML it will not display that
    warning. The warning is something that IE displays when you open
    the SWF directly.

  • Item Security - 'Restricted Characters' option causing unexpected error

    Hi,
    I have a form with some fields on which I would like to enable restricted characters.
    In the *'Edit Page Item'* form, in the *'Security'* section, there is a setting called *'Restricted Characters'*.
    When I change this to something other than - All Characters Allowed - , i.e. one of the 'Blacklist' options, I try to test this from the front end form by putting an ampersand character in (or another blacklisted char).
    When I try to submit the form I get an "unexpected internal application error" rather than an error that is caught and displayed nicely on the page.
    Should this be out of the box?
    Or do I have to catch this using a custom error handling function?
    APEX Version: 4.2
    Regards,
    Amanda.

    Have you tried with email scanning disabled in your anti virus? You're using SSL and anti virus companies are using hacking techniques to hack into the encrypted data stream to scan for a virus. For years they warn us Hackers break in and corrupt your data. Well now the A/V vendors are doing it.

  • OBIEE Prompt  - Drop Down List security restrictions .... Helppp

    Hi all,
    How can I put the security on a Drop Down Select List ?
    For Example, I have a Department Prompt for a dashboard.
    So I want put something like:
    the User of Department 1 can see and select our department (1)
    the User of Department 2 can see and select our department (2)
    the Admin can see and select All Departments.
    How can I do that?
    thanks.

    You need to implement security filters in your RPD to automatically restrict the values returned by the BI Server.
    You will need a way of mapping User of department 1 to the filter value , you can hold this in table if you want - Use an initialization block to populate a session variable per user , then filter the Department logical table using that session variable.
    It's been covered in a few blogs - just search OBIEE security filters.
    Regards
    Alastair

  • Error refreshing report after applying security restrictions in IDT

    Hi,
    I have created a report and now the requirement is that the user should be able to view data of his profile only, for which I have created restrictions in the universe at the Business layer. But after applying these, if I refresh with the user ID I get the error, whereas on removing this there is no error.
    "An internal error occured while calling 'porcessDPCommandsEx' API. (Error: ERr_WIS_30270) (Error: INF)".
    If I refresh using any other ID than the one used in the restrictions, the report gets refreshed. Please advise.
    This is on BOXIR4 SP3.
    Thanks in advance.

    I believe you are implementing row level restrictions either in UDT or IDT. The below video is for IDT; the concept is the same for UDT.
    http://scn.sap.com/docs/DOC-8461
    Create a data security profile that restricts access to specific rows: Information design tool 4.x - YouTube
    Regards,
    Ashok Vemulapalli
    Search is our best friend

  • SSM KPI Security:Restricting the measures to Users

    Hi
    I want to restrict only a few KPIs (measures) to be accessed by a particular user. I was able to restrict only 22 measures (4 KPIs), beyond which I get an error. But this user should be able to access 20 KPIs (20*5 measures). The syntax that I used:
    INDEX USER
         CASE USER1
              SELECT VARIABLES KPI59_ACT,KPI59_TAR,KPI59_TRD,KPI59_TARDEV,KPI59_TRDDEV,KPI20_ACT,KPI20_TAR,KPI20_TRD,KPI20_TARDEV,KPI20_TRDDEV,KPI58_ACT,KPI58_TAR,KPI58_TRD,KPI58_TARDEV,KPI58_TRDDEV,KPI57_ACT,KPI57_TAR,KPI57_TRD,KPI57_TARDEV,KPI57_TRDDEV,KPI2_ACT,KPI2_TAR,KPI2_TRD,KPI2_TARDEV,KPI2_TRDDEV
    ENDINDEX
    1. Is there any way that I can restrict the access to 20 KPIs (20*5 measures)?
    I also tried the following syntax but to no avail:
    For example, here I tried restricting access to 3 KPIs (each of which has 5 measures: Tar, Act, Trend, Gap Performance, score)
    SELECT VARIABLES KPI1_* , KPI21_* , KPI33_*
    2. Is there a limit on the number of characters used in the select statement because of which only a few measures were included in my case?

    Hello!
    I would suggest in these cases to use the following syntax:
    INDEX USER
    CASE USER1
    SELECT VAR KPI59*
    SELECT VAR PLUS KPI20*
    SELECT VAR PLUS KPI58*
    SELECT VAR PLUS KPI57*
    ENDINDEX
    When you are trying to just exclude one (or even just a few) measure(s), it will be more effective to type it like this:
    INDEX USER
    CASE USER1
    SELECT VAR *
    SELECT VAR MINUS KPI20*
    SELECT VAR MINUS KPI58*
    ENDINDEX
    After creating the SECURITY procedure, run it with
    job SECURITY
    command in IDQL command line. You will then be able to see right away if and where any syntax error occurs.
    Hope this helps!
    BR,
    Ricardo Vieira

  • IPhone 4 - More secure restrictions passcode

    Hello All,
    We're just about to equip our 16 year old with an iPhone 4 ... I've gone through and set up certain restrictions on the phone, assigned the required passcode ... however, is there any way at all to enable something more secure than just a 4 digit code?  In the end, a 16-year old and enough banging away on it and sooner or later they'll crack it, given only 4 digits.
    Appreciate all advice and guidance.
    Ken

    I don't believe so. If you have that little trust for your 16 year old, perhaps you should not be giving them a smartphone to begin with.

  • Is this a bug or a security restriction in s1as7

    From within a servlet my code checks for a file whether it exists or not. The files directory is on the network, but mapped on to the local machine.
    sample code:
    File f = new File ("P:\\directoryName\\fileName");
    f.exists(); // results into false - although file is there!
    note: P is the mapped drive for a network location.
    If instead, this is on the local drive ( C: ) then it does show true (file found). I have tested this.
    There is no error on the server log, however, if this is due to some security settings then it is weird that S1AS7 does not display any helpful message, which could help tracking the problem.
    Your help is much appreciated.

  • Security restrictions on any pdf file...???

    Hiii
    As for my knowledge, I want to know that can we protect any pdf file from printing, copying, modifying without password. I have tried a little bit but it asks for the password for its restrictions. If anybody knows how to restrict the pdf file without password then please help me out of this.
    Thanks...

    Anders,
    In using Administrator Access Control to create your administrator groups, how can one prevent someone assigned to a new category from viewing the existing categories that were created prior to the administrator group functionality?
    Edited by: user2411301 on Jan 5, 2012 12:43 PM
