[Security] Row-level security in ADF
Hi all,
I want to implement row-level security in my application, the scenario is like this:
There are several users that connect to the application
These users are authenticated in some way (XML file, OID, DB)
When each user wants to access (Select, Update, Delete) an ADF Table, either updatable or read-only, a predefined 'where condition' based on that table and the operation the user wants to do, must be concatenated to his DML, transparent from the user.
So if for example a user queries the Emp Salary table only records with salary < 10K/Month will be fetched from the underlying table. This should be done automatically and not hard-coded in the application.
I have tried VPD and it has some useful features but my problems are:
1) Where and how to define the 'where conditions'?
2) How to attach the 'where conditions' to the executing DML?
3) What is the best way to make DB know which user is really executing DMLs? (Not a single Application Server admin user)
4) What is the best authentication approach?
Any helps will be really appreciated.
S/\EE|)
Hi,
yes you can. Database proxy user is setup in the prepare session method as well and EUS can be configured to take the J2EE username to then re-connect the app to teh database schema
public void prepareSession(SessionData SessionData)
super.prepareSession(SessionData);
oconn = ((PrxyTransactionImpl)this.getDBTransaction()).getPrxyConnection();
// Specify the user that connects through the proxy user and its roles
Properties prop = new Properties();
prop.put(OracleConnection.PROXY_USER_NAME,"hr");
//prop.put(OracleConnection.PROXY_ROLES, roles);
String appContext = "Begin ctxhrpckg.set_userinfo('"+getApplicationUserName()+"'); END;";
java.sql.CallableStatement st= null;
// Open the proxy session (DB-authenticated users)
try
oconn.openProxySession(OracleConnection.PROXYTYPE_USER_NAME, prop);
st = getDBTransaction().createCallableStatement(appContext,0);
st.execute();
catch (SQLException e)
e.printStackTrace();
package oracle.sample.dbprxy.adfbc;
import oracle.jbo.server.DBTransactionImpl2;
import oracle.jbo.server.DatabaseTransactionFactory;
* TransactionFactory that returns PrxTransactionImpl, which is a subclass of
* DBTransactionImpl2
* @author Frank Nimphius
public class PrxyDatabaseTransactionFactory extends DatabaseTransactionFactory
public PrxyDatabaseTransactionFactory()
super();
* Override the create method to return an instance of PrxyTransactionImpl instead
* of DBTransactionImpl2
* @return PrxyTransactionImpl
public DBTransactionImpl2 create()
return new PrxyTransactionImpl();
package oracle.sample.dbprxy.adfbc;
import oracle.jbo.server.DBTransactionImpl2;
import oracle.jdbc.OracleConnection;
public class PrxyTransactionImpl
extends DBTransactionImpl2
public PrxyTransactionImpl()
super();
* The DBTransactionImpl2 does not expose the connection in a public
* method. This class is a wrapper to expose the connection to the
* BC app, so it can be accessed in the ApplicationModuleImpl class
* @return OracleConnection - SQL Connection
public OracleConnection getPrxyConnection()
return (OracleConnection) this.getJdbcConnection();
}Note that for EUS ApplicationModule pooling should be disabled
Frank
Similar Messages
-
Object Level Security,Data Level Security&Row level Security
can anyone explain main difference between "Object Level Security,Data Level Security & Row Level Security " and how to implement.
Thanks in advance,
KumarHi Kumar
Dashboards, Reports, Guided Navigation Links, Texts, briefing books are all Dashboard OBJECTS which are available at UI level of OBIEE..if you restrict them Say User 'A' wants to see 2 Dashboards and USer 'B' Wants to see 1 Dashboard....these settings & permission u r restricting in Object level called Object Level Security
lly datalevel security is restriction of Data.. consider the same above example and User 'B" wants to see 2-3 regions data where as User A will see only Single Region Data..which you will do/restrict at logical tables, using variables..
Row level security: http://groups.google.com/group/obiee-enterprise-methodology/browse_thread/thread/131ee938a5aefde0 refer this link, clearly explains you
Please mark Correct or helpful if this clears -
Row-level security(VPD) problem
Hi,
ADF BC, Jdeveloper 11.1.1.3.0
We want to implement Row-level security in ADF by VPD, and do following:
1, create VPD policy according to the following sample
http://www.oracle.com/webfolder/technetwork/tutorials/obe/db/10g/r2/prod/security/vpd/vpd_otn.htm
2, Override prepareSession(), and set user info by dbms_application_info.set_client_info; in policy function get the user info, and implement filter logic.
The confusing problem is: When first user login, data has been filtered right. But, when the second user or third user login, it gets the first user's data.
We also use SQL Trace, and find the second user's operation(SQL) are not recorded in SQL trace file, the view object may not query database. We test clearCache(), viewCriteria with 'Query Execution Mode: Database', and etc, but can not solve the problem.
I appreciate your suggestion.
thanksSo how did you tell Weblogic not to cache the SQL statement? I will be using VPD in a new application, and I definitely want to avoid the problem you had.
-
VPD (Row Level Security) Implementation at Middle Layer
Hi All,
Is there any provison to implement Row Level Security at the Entity Object level?
We have a table where in some rows need to be displayed based on the user logged in.
We are aware of the VPD implementation using a function and adding a policy.
We are looking for implementing VPD at the Middle Tier.
Any help in this regard will be greatly appreciated.
Thanks in Advance,
RaghuRaghu,
Assuming you are talking about ADF Entity Objects - yes. The standard way of doing this would be to over-ride prepareSession() in your Application Module to set whatever information you may need in the database session in order to identify your user and use that information in your VPD policy. If you Google about, you can find some good information, including [url http://blogs.oracle.com/jheadstart/2007/11/row_level_security_using_vpd_a.html]this (it's for JHeadstart, but the concept applies just fine).
John -
Row Level Security not working for SAP R/3
Hi Guys
We have an environment where the details are as mentioned below:
1. Crystal Reports are created using Open SQL driver to extract data from SAP R/3 using the SAP Integration Kit.
2. The SAP roles are imported in Business Objects CMC.
3. Crystal Reports are published on the Enterprise as well.
3. Authorization objects are created in SAP R/3 and added as required for the row level security as mentioned in the SAP Installation guide as well. The aim is when the user logs into the Infoview and refreshes the report he should only see data that he is meant to so through the authorization objects.The data security works very much fine when the reports are designed directly on the table but when the reports are built on the Business View it doesnt work hence the user is able to see all data.
Any help in this issue is greatly appreciated.
Thanks and Regards
KamalHi,
In order for row level security to work for you using the OpenSql driver, you need to configure the Security Definition Editor on your SAP server. This is a server side tool which the Integration solution for SAP offers as a transport.
This tool defined which tables are to be restricted based on authorizations.
However since you are seeing the issue on reports based on Business Views, you need to identify whether the Business View is configured in such a way where the user refreshing the report is based on the user logging into Infoview. If the connection to your SAP server is always established with the same user when BV is used then you security definition is pointless.
You can confirm this by tracing your SAP server to identify what user is being used to logon to SAP to refresh the reports.
thanks
Mike -
Row level security at universe design level
Hi,
I am creating a Universe layer on top of non SAP OLAP cube ( from MS Analysis Services 2005 ) .
My concern is that can we maintain the row level or data level security at universe design level or if i am using that universe in creation of WEBI report so is there any possiblity to maintain this security at WEBI level.
Regards,
Mishra Vibhav.Thanks for the reply.
Much Appriciated.
My only concern is that i read in the Universe Designer developer guide that it does the row level security so can eloborate a bit about how we maintain at Universe level.
Warm Regrads,
Mishra Vibhav -
Row level security in BI Publisher
Hi All ,
I am using BI publisher for reporting on Siebel system.The issue I am facing is regarding row level security.Even if I am logging with Employee Id, when I generate report ,I have acess to all the information of the other employees.
e.g. If as a cashier I made some entry , when I generate report on collection made by me, its bringing me all the collections made by other cashiers also.
I am generating these report from siebel side.I am not sure if we can apply the rowlevel security to BI Publisher.
Does anyone has used Siebel or EBS with BI Publisher and have row level security ? I am also not sure How to see the reports by loging into BI Publisher .If I am using Siebel or EBS, what is going to be my Data Model or Data Set.
Can anyone help me on this?
Thanks!!Oracle HRMS has its own security built-in to the schemas. Other modules you will need to customize for your own use.
-
Setting up Row Level Security in EPM 11.1.1.3
I have been following the Administration guide but failed to setup row level security in EPM 11.1. Please advise which part of my steps are wrong. (note I am using MS SQL Server for the EPM Shared Services and Workspace database, everything under Windows env)
i) Enable row level security in Workspace.
Step 1) Define a ODBC Data Source named "EPM_WS" in Windows. The ODBC Data Source points to the MS SQL Server database of EPM Workspace since it contains the 3 tables (BRIOSECG, BRIOSECP, BRIOSECR) related to row-level-security.
Step 2) Login to workspace, select "Administer"->"Configuration Console". Edit "Interactive Reporting Data Access Services" and add a data source with ODBC->MS SQL Server -> "EPM_WS" as the name of datasource. Restart "Interactive Reporting Data Access Services".
Step 3) Login to workspace, select "Administer"->"Row Level Security". Check "Enable Row Level Security", Choose ODBC->MS SQL Server-> fill in "EPM_WS" as Data Source Name"-> Provide correct user name and password. Click "Save Properties"
Step 4) It always prompt "Server error setting the Connectivity. Recommended Action: Logoff and logon again. If problem persists contact your local security administrator."
Any log I can inspect for the connectivity error?
ii) Configure Row Level Security setting
I know that for Hyperion IR, there is a file row_level_security.bqy comes with the installation. User can use this bqy file to configure the actual row level security setting. However, I cannot locate this bqy file in the EPM 11.1 installation. What is the proper step for setting up the row level security configuration?
thank you very much.I have been following the Administration guide but failed to setup row level security in EPM 11.1. Please advise which part of my steps are wrong. (note I am using MS SQL Server for the EPM Shared Services and Workspace database, everything under Windows env)
i) Enable row level security in Workspace.
Step 1) Define a ODBC Data Source named "EPM_WS" in Windows. The ODBC Data Source points to the MS SQL Server database of EPM Workspace since it contains the 3 tables (BRIOSECG, BRIOSECP, BRIOSECR) related to row-level-security.
Step 2) Login to workspace, select "Administer"->"Configuration Console". Edit "Interactive Reporting Data Access Services" and add a data source with ODBC->MS SQL Server -> "EPM_WS" as the name of datasource. Restart "Interactive Reporting Data Access Services".
Step 3) Login to workspace, select "Administer"->"Row Level Security". Check "Enable Row Level Security", Choose ODBC->MS SQL Server-> fill in "EPM_WS" as Data Source Name"-> Provide correct user name and password. Click "Save Properties"
Step 4) It always prompt "Server error setting the Connectivity. Recommended Action: Logoff and logon again. If problem persists contact your local security administrator."
Any log I can inspect for the connectivity error?
ii) Configure Row Level Security setting
I know that for Hyperion IR, there is a file row_level_security.bqy comes with the installation. User can use this bqy file to configure the actual row level security setting. However, I cannot locate this bqy file in the EPM 11.1 installation. What is the proper step for setting up the row level security configuration?
thank you very much. -
How to check the row level security in TOAD for oracle
Hi ,
for ex, i have 2 types of users
normal user and super user
super user can see the group set (some column name) created by normal user
but normal user can not see the set created by super user
this set crestion aslso has 3 types "U','P',S'
P & S can be viewed by even normal user
but U should not
so here we are having some row level security for the normal user .....
So, in TOAD for oracle how to check that......
Let me know if i'm not clearLike
I'm the super user....
And some records are inserted to a table by different users ('a' , 'b', etc....)
So,if user 'a' logins then he can be able to see only the records inserted by 'a' only...
how to see in TOAD where such type of scripts (filter conditions) are written..... -
Row level security in Hyperion System 9 - 9.3.1
Hi Gurus,
I have a requirement where the users get to see records in a table based on their localization code. This is currently implemented using views.
The view has a set of conditions which checks the localization table with te employee table. For example, if any of the first manager, second manager etc.. localization code
matches then they get to see records for that location.
The RLS in Hyperion uses Groups to assign security rules. But in my case, the determination is dynamic based on the localization code. And these things change depending on employee movement, transfer, promotion etc..
In such a scenario, can I use RLS only if I know a set Groups of users and where they belong to? Can RLS accomodate my above said requirement?
zFollow the steps in the following link to set up OID and Row level security:
http://www.rittmanmead.com/2007/05/21/using-initialization-blocks-with-ldap-and-database-queries-to-control-authentication-and-authorization/
Instructions for the link above:
1.In place of Edit Data Source as database you have to select LDAP,define the groups and default initializer as filter expression.
2.A more simpler approach ,is to create the groups explicitely using the Security Manager in BI Administrator, add filters to those groups, and assign users to those groups.
Otherwise follow Matt's view
Thanks,
Amrita -
Crystal reports LOV cascading prompts row level security not working
Crystal report LOV cascading prompts with row level security is not woking when the crytal report cache server/page server cache (Oldest On-Demand Data Given To a Client (in minutes)) is turned on. But its working fine when the cache is turned off.
Using XIR2 environment.
Appreciate the response.
Thanks
ChenthilHi Chen,
In terms of what could be done on the Crystal Reports end, there is no such controls available. However, your question may be better answered if it was posted to our Business Objects Enterprise forum.
It is at "BusinessObjects Enterprise Administration" section of the forums.
FYI. -
Obi 11g row level security not working
All,
I am very familiar and have worked with obi 10g row level security and it works pretty easily. Now in 11g not so easy. I am basically setting permissions on data filters on app roles as per the new 11g instructions and meta data guide, however, I never see the filters being applied in the report and also in the nqquery.log. I have tried in vain, and nothing. The filters are never being applied for the test user. I even verified the user is in the specified app role via their my account->app roles tab. Now has anyone had this experience or now is there something that must be done additionally now.
Very frustrated... ;(Ok, so I have found the solution and ultimately the answer to why the object level and row level security was not being applied. It so happens that the app policy: 'resourceType=oracle.bi.server.permission, resourceName=oracle.bi.server.manageRepositories all' not only allows the management and access to online RPDs; but, IT ALSO DOES NOT APPLY SECURITY/PERMISSIONS IN THE RPD TO THAT USER thus you are super user. So the OOTB BIAdministrator app role which my AD user was being assigned never had any security applied due to this. How I tested:
1) I created a test user
2) Assigned that user to the BIAuthor app role and saw that they had the security applied that I was testing, which was simple object denial and row-level security to just one year on the date dim.
3) Since it was working, I then assigned that user to the BIAdministrator role. This produced that the test user now does not have any restrictions that I set and that were working before. Thus, security/perms in the RPD are not applied.
4). I removed the user from the BIAdministrator app role, kept in the BIAuthor app role and then created new test app role. I mapped that user to this new role along with the BIAuthor role. I then proceeded in creating new app policy with just that policy and assigning the new app role to it.
5) I logged into the presentation services again with this test user after assigning to new app role and policy. My test user again does not have the security being applied and does not get any perms/security that I set and applied in the RPD. On top of that my test user is now able to login in online mode to the rpd via the bi admin tool. -
Row level security not working if I hit the aggregate
I have applied row level security on presentation layer , however it does not work if the report hit the aggregate any idea on this...
Hi Ingo,
Security is set up using /crystal/rls transaction. A custom auth object is used for checking the company code with a single field "BUKRS".
This custom auth object is maintained for the PA0001 table.
This object is added at the role level with the restricted access to the Company Code.. -
Row Level Security Not working for the ECC table.
Hi All,
We have created a crystal report using SQL Driver.
We have set the row level security on PA0001 table so that we can restrict the query based on Company Code.
But when I run the report, it bypasses the row level security and gives access.
Am I missing some configuration?Hi Ingo,
Security is set up using /crystal/rls transaction. A custom auth object is used for checking the company code with a single field "BUKRS".
This custom auth object is maintained for the PA0001 table.
This object is added at the role level with the restricted access to the Company Code.. -
Row level security in OBIEE 11g: Which is better: VPD or RPD
We can apply row level security in OBIEE by 2 ways.
1. by Creating Initialize Block in RPD
2. or Applying VPD in Database, which restricts source tables
Which one is more efficient and why?
Thanks,
Sunil Jenayou will have some degree of performance degradation with either approach since you are adding additional filters so I would not use that as the main factor to decide. You need to assess your actual requirements. What is the basis by which you are planning on doing the security. Is LDAP the main basis for the security? Do you plan to use certain roles? if your security is more based on roles at the application level, then it may be easier to define at the Application level (OBIEE)...if its just based on a certain user ID for a set of tables, then perhaps VPD can work. If helpful, pls mark.
Maybe you are looking for
-
Out of memory when rendering...mystery! urgent help!
ok, this is mysterious. and stressful, because of course it happens when i have to output this and get on a plane. I created a stereo sequence which is high def, 3840x1080. photo jpeg. it has stills, and embedded hdv sequence content. out of memory e
-
Problem in financial statement version
Dear all, I have a problem relating to Financial statement version.my client copy th eold FSV and created a new one .but after that in the F.01 the new and old showing different results.and in the new FSV in F.01 the data is also not coming under var
-
I am using a slightly modified version of this script to export icons. http://www.ericson.net/content/2011/06/export-illustrator-layers-andor-artboards-as-pngs-a nd-pdfs/ Say I have a document with three artboards named @1x, @2x, @3x, I am using the
-
HFM11.1.1.3 in workspace communication error
hi, i have multiple hfm applications in server.But i created new appplication and when i try to access t from workspace i get communication error. All other applications are still working fine. I cannot see that application in register and delete opt
-
I bought a CS6 disk a few years ago and I am trying to reinstall it onto my new laptop, however it is saying that I have to renew my subscription when I attempt to open up the program. Someone please help!