Tips on Implementing Row Level Security

Similar Messages

• Implement row-level security using Oracleu2019s Virtual Private Databases (VPD)

  Environment: Business Objects XI R2; Oracle 10g
  Functional Requirement:
  Implement row-level security using Oracleu2019s Virtual Private Databases (VPD) technology. The restriction is that the Business Objects Universe connection should use a generic/u201Capplicationu201D database user account. This will allow the organization to avoid the situation where the Business Objects password and the Oracle password need to be kept in synch.
  What do we need from the Business Objects support team?
  1.     Review the 2 attempted solutions that we have tried to implement
  2.     Propose solutions/answers to open questions for each of the attempted solutions
  3.     Propose any alternate solution that will help us implement the Function Requirement stated above
  Attempted Solution 1: Connection String uses Oracle Proxy User
  The connection string that is specified in the Universe is the following:
  app_user[end_user]/app_user_pwdarrobaDatabase.WORLD
  app_user = generic application user
  end_user = the oracle account of the end user which is set using arrobaVariable('BOUSER') app_user_pwd = password of the generic application user
  We have tried and implemented this in our test environment. However, we have some questions and concerns around how the connections are reused in a connection pool environment.
  Open Question for Solution 1:
  i. What happens when multiple proxy users try to connect on at the same time?  Business Objects shares the generic app_user connect string.  However, every user that logs on will have their own unique proxy user credentials.  Will there be any contention involved?  If so, what kind of errors can we expect?
  ii. If a user logs on using his credentials (proxy user), and business objects opens up a connection to the database using that user's credentials (as the proxy user but logging in through the generic app user). Then the user exits out --> based on our test today, it seems like the database connection remains open.  In that case, if another user logs on similarly with their credentials, will business objects simply assign the first users connection to that second user?  If so, then our security will not work.  Is there a way that Business Objects can somehow ensure that everytime we close a report, the connection is also terminated both at the BO and DB levels?
  iii. Our 3rd question is general high level -> How connection pooling works in general and how it is implemented in BO, i.e. how are new connections assigned, how are they recycled, how are they closed, etc.
  Attempted Solution 2: Using the ConnectInit parameter
  Reading through a couple of the Business Objects documents, it states that u201CUsing the ConnectInit parameter it is possible to send commands to the database when opening the session which can be used to set database specific parameters used for optimization.u201D
  Therefore, we tried to set the parameter in the Universe using several different options:
  ConnectInit = BEGIN SYSTEM.prc_logon('arrobaVARIABLE('BOUSER')'); COMMIT; END; ConnectInit = BEGIN DBMS_SESSION.SET_IDENTIFIER('arrobaVariable('BOUSER')'); COMMIT; END;
  Neither of the above iterations or any variation of that seemed to work. It seems that the variable is not being set or being u201Cexecutedu201D on the database.
  One of the Business Objects documents had stated that Patch ID 38, 977, 350 must be installed in our BO environments. We have verified that this patch has been applied on our system.
  Open Questions for Solution 2:
  How do we get the parameter ConnectInit to work? i.e. what is the proper syntax to enter and what other things do we need to check to get this to work.
  Note: Arroba word is being used instead of the symbol in order to avoid following error message:
  We are sorry but your message can not be posted since you have included an email address. Please remove the email address and re-post.

  the connectinit setting should look something like this:
  declare a date; begin vpd_setup('@VARIABLE('BOUSER')'); Commit; end;
  The vpd_setup procedure (in Oracle) should look like this:
  CREATE OR REPLACE procedure vpd_setup (p_user varchar)IS
  BEGIN
    DBMS_SESSION.set_vpd( 'SESSION_VALUES', 'USERID', p_user );
  END vpd_setup;
  Then you can retrieve the value of the context variable in your vpd functions
  and set the vpd.

• How to implement row level security using external tables

  Hi All Gurus/ Masters,
  I want to implement row level security using external tables, as I'm not sure how to implement that. and I'm aware of using it by RPD level authentication.
  I can use a filter condition in my user level so that he can access his data only.
  But when i have 4 tables in external tables
  users
  groups
  usergroups
  webgrups
  Then in which table I need to give the filter conditions..
  Pl let me know this ...

  You pull the Group into a repository variable using a session variable init block, then reference that variable in the data filters either in the LTS directly or in the security management as Filters. You reference it with the syntax VALUEOF("NQ_SESSION.Variable Name")
  Hope this helps

• SAP Lumira - Implementing row level security

  Hi All,
  I aware that SAP Lumira 1.17 onward allows to share the datasets, stories to SAP Lumira Server as well as SAP BI Platform (4.1 SP3 onward).
  But I would like to know if there is any way of implementing Row level security for this published contents i.e. datasets or stories. e.g. If user A (may be an administrator with access to all the regions) creates dataset and story and shares it with other users over SAP Lumira Server or SAP BI Platform. But when user B accesses these contents on any platform, SAP Lumira server or SAP BI Platform, he should be able to see data only as per his access (his own region). Can something of this sort be implemented?
  Thanks,
  Abhijit

  Hi,
  Sorry for the delay in getting back to you.
  As per my understanding - as of today, we respect Row-level security when acquiring (fetching) the data from universe into Lumira desktop (also, contexts and business-security profiles i.e. columns)
  now, when that desktop user has 'designed' the Lumira document, all of the above: row-level, contexts and security profiles  are 'locked-down' into that artefact when shared onwards. (i.e. to Lum Server and hence, BI Platform)
  once this content is being access from the BI Launchpad, refresh-on-demand is possible from the story, as well as scheduling of dataset on which it is based.
  According this blog by Greg Wcislo (the product owner for the Add-on)  Lumira integration for BI4 functionality detailed. note that features such as 'refresh on open' and 'changing design-time parameters' (i.e. prompts) are not yet supported,  but very much in future scope / plans.
  I believe that one of the other mid-term goals is to architect a 'Lumira server-side universe refresh' (i.e. so that the processing is handled 100% by Lumira server) rather than querying across BIPlatform services then replicating a dataset to HANA (which is currently the process flow)
  I hope this helps.
  Regards,
  H

• How to implement row level security?

  Hi all,
  There is a database which is for 3 companies to use it and how to use row level security to make sure that they can only manipluate their own data? For example, "employee" table, for each company they just can see their own employees information. How to use dynamic view to do it?
  Many Thanks
  Amy

  Here are two options to achieve what you want.
  A. You can do this by coding, that's if you are ready to. Are you? If yes then try the steps below:
  1. create a security codes table. Say for example
  001 - company a
  002 - company b
  2. create a security table that will list all users and which company they should have access to. You can also implement this by roles.
  3. alter all tables in the application schema to add a security code column. This will be a foreign key reference to table created in 1 above.
  4. update all data in the tables according to which company they belong to.
  5. write a procedure or package that does a validity check whenever a user requests for data. This procedure/package determines which company data the user has access/rights to.
  With this, you should be able to achieve what you want if you do not want to spend on VPD and FGAC. The problem comes where there are users who would have cross access to data from both companies. In this regard, then you have to modify your security table a little bit to handle this.
  B. This option i will admit is not so clean. You can also achieve this by two different views for every table in the application schema. And on each of these views, create a private synonym for every user. For illustration purposes:
  Table name = Employee.
  Create a view employee_a on employee
  create a view employee_b on employee
  Let's say you have users x and y. X has access to employees of company a and y has access to employees of company b. You can now create private synonyms for each of these users as follows:
  create synonym employee on employee_a in x schema.
  create synonym employee on employee_b on y schema.
  This i have not tried but believe should work.
  Hope one of these options serve your purpose.

• Help with implementing Row Level Security in Interactive Reporting

  We're deploying Hyperion BI+ 9.3.1, using Workspace and Interactive Reporting. I'm researching how we can use the Workspace row level security option. I've read what's available for documentation in the Workspace Administrator Guide and the Interactive Reporting Users Guide. I understand the concept of setting up rules with row_level_security.bqy, but I'm confused about where these tables should go and what actually happens when I go to Workspace > Administrator > Row Level Security and turn it on.
  The Administrator's Guide tells me the "properties" are stored in the repository, but the "rules" are in the "data source". Does that mean my BRIOSEC* tables go in the database I'm running my reports from? If so, then what's the data source I'm filling in on Workspace > Administrator > Row Level Security?
  I have many different database connections going to different Oracle and SQL*Plus instances, and I don't want to apply row level security to all of them. How does Workspace tell the difference between them? If I enable rules but create a report from a database that doesn't have rules defined for it, what happens?

  The 3 tables used with the RLS are stored in the same schema as your repository by default.
  The RLS store all the Rules for any database that you are using.
  You define the rules based on the tablename (owner.tablename) and the column name.

• How to implement row-level security in Discoverer?

  Dear all,
  I have a scenario that I have 2 folders containing sales and inventory data stored by product lines.
  The 2 folders are constructed by 2 SQL statements.
  There exists a set of tables controlling which product line's sales and inventory data a person can read.
  A function is written previously that returns the WHERE clause based on user_id, employee_id and the other parameter.
  So, can you suggest how to integrate the 2 components in Discoverer?
  thanks
  George
  My blog: http://hktour.blogspot.com

  hi Rod,
  Thanks for your suggestions.
  I took your 1st option, ie.
  "You can use VPD at the database level to secure the tables."
  I have a view BUDGET_V with the following columns:
  PERIOD_YEAR
  PERIOD_MONTH
  PRODUCT_LINE
  BUDGET_AMOUNT
  Every salesman can only read the budget amount of certain product lines.
  I built the security function which will be binded to the view BUDGET_V (see below)
  FUNCTION security_policy_function( p_schema in varchar2, p_object in varchar2)
  return varchar2
  as
  begin
  if (user = p_schema) then
  return '';
  else
  return viewProductLine(FND_GLOBAL.USER_ID, FND_GLOBAL.EMPLOYEE_ID, 'BUDGET_V.PRODUCT_LINE');
  end if;
  end;
  The security function actually calls my own security function viewProductLine(FND_GLOBAL.USER_ID, FND_GLOBAL.EMPLOYEE_ID, 'BUDGET_V.PRODUCT_LINE') which take the user id and employee id of the apps user and returns the predicate.
  Then, I bind the security function security_policy_function() to the view BUDGET_V with
  begin
  dbms_rls.add_policy
  object_schema => 'APPS',
  object_name => 'BUDGET_V',
  policy_name => 'MY_POLICY',
  function_schema => 'APPS',
  policy_function => 'security_policy_function',
  statement_types => 'select',
  update_check => FALSE,
  enable => TRUE
  end;
  The problem now is that if I query the view in Discoverer as a Apps user (say "A"), it returns all the records in the view without any filtering (user "A" is supposed be able to read certain product lines).
  I try to verify whether the security function work or not. So, I hardcoded FND_GLOBAL.USER_ID and FND_GLOBAL.EMPLOYEE_ID as 1234 and 6789 which are the user_id and employee_id of user "A". (see below)
  FUNCTION security_policy_function( p_schema in varchar2, p_object in varchar2)
  return varchar2
  as
  begin
  if (user = p_schema) then
  return '';
  else
  return viewProductLine(1234, 6789, 'BUDGET_V.PRODUCT_LINE');
  end if;
  end;
  This time, Discoverer returns only the records with product lines visible to user "A".
  So, I guess there is problem in the function call in viewProductLine(FND_GLOBAL.USER_ID, FND_GLOBAL.EMPLOYEE_ID, 'BUDGET_V.PRODUCT_LINE');
  Can you give me some light on this issue?
  thanks
  George (HK)
  My blog at http://hktour.blogspot.com

• VPD (Row Level Security) Implementation at Middle Layer

  Hi All,
  Is there any provison to implement Row Level Security at the Entity Object level?
  We have a table where in some rows need to be displayed based on the user logged in.
  We are aware of the VPD implementation using a function and adding a policy.
  We are looking for implementing VPD at the Middle Tier.
  Any help in this regard will be greatly appreciated.
  Thanks in Advance,
  Raghu

  Raghu,
  Assuming you are talking about ADF Entity Objects - yes. The standard way of doing this would be to over-ride prepareSession() in your Application Module to set whatever information you may need in the database session in order to identify your user and use that information in your VPD policy. If you Google about, you can find some good information, including [url http://blogs.oracle.com/jheadstart/2007/11/row_level_security_using_vpd_a.html]this (it's for JHeadstart, but the concept applies just fine).
  John

• How to implement row level secuirty at universe level

  Hi All
  How can we implement row level security in universe ?
  John

  HI,
  Can we try this?
  Open designer >>tools>>Manage security>Manage access retrictions
  Click on "new" under available restrictions area .
  Select "rows" tab click add select the table and an appropriate where condition.
  Click ok .
  Add a user\group on which the retriction is to be imposed Click Ok.
  Hope this will help
  Kultar

• Row level security with session variables, not a best practice?

  Hello,
  We are about to implement row level security in our BI project using OBIEE, and the solution we found most convenient for our requirement was to use session variables with initalization blocks.
  The problem is that this method is listed as a "non best practice" in the Oracle documentation.
  Alternative Security Administration Options - 11g Release 1 (11.1.1)
  (This appendix describes alternative security administration options included for backward compatibility with upgraded systems and are not considered a best practice.)
  Managing Session Variables
  System session variables obtain their values from initialization blocks and are used to authenticate Oracle Business Intelligence users against external sources such as LDAP servers or database tables. Every active BI Server session generates session variables and initializes them. Each session variable instance can be initialized to a different value. For more information about how session variable and initialization blocks are used by Oracle Business Intelligence, see "Using Variables in the Oracle BI Repository" in Oracle Fusion Middleware Metadata Repository Builder's Guide for Oracle Business Intelligence Enterprise Edition.
  How confusing... what is the best practice then?
  Thank you for your help.
  Joao Moreira

  authenticating / authorizing part is take care by weblogic and then USER variable initialized and you may use it for any initblocks for security.
  Init block for authenticating / authorizing and session variables are different, i guess you are mixing both.

• Row Level Security in EPM Workspace 11.1.2.2

  Hi All,
  I'm facing an issue while implementing Row Level Security in Workspace.
  The error goes like this: "Error Accessing Row level security information Server Error: 1012 Unable to acquire row level security information from repository ..........".
  I have configured ODBC,DAS as per the documentation and enabled the RLS using Navigate option.Given below are windows and db info
  OS:Windows Server 2008- 64 bit
  DB:MS Sql Server 2008
  DBUser: with full admin permission on database.
  Thanks in Advance

  Hi All,
  Given below is the DAS log..
  [2013-06-25T10:16:21.761-04:00] [IR] [ERROR] [] [oracle.IR.com.brio.one.services.das] [host:] [nwaddr: 10.24.206.86] [tid: 20] [userId: epmt] [ecid: 0000JxqQx2C4ulmLwqH7iW1Hm49K00000D,0] [resource_id: Fetching Row Level Security Info] [session_id: OG77kW6K-0000013f7ba3e00d-0000-cd7b-0a18ce56] [subject: xxxxxxxx] [resource: IDataAccessServiceImpl::getRowLevelSecurityInfo] [originator_name: InteractiveReportingDataAccessService] SQL API: [SQLExecDirectW], SQL RETURN: [-1], SQL STATE: [42S02], SQL NATIVE ERROR: [208], SQL MESSAGE: [[Microsoft][ODBC SQL Server Driver][SQL Server]Invalid object name 'RLSUser1.BRIOSECG'.][[
  [2013-06-25T10:16:21.761-04:00] [IR] [ERROR] [] [oracle.IR.com.brio.one.services.das] [host: xxxxx] [nwaddr: 10.24.206.86] [tid: 22] [userId: epmt] [ecid: 0000JxqQx2F4ulmLwqH7iW1Hm49K00000E,0] [resource_id: Fetching Row Level Security Info] [session_id: OG77kW6K-0000013f7ba3e00d-0000-cd7b-0a18ce56] [subject: gmarichetty] [resource: IDataAccessServiceImpl::getRowLevelSecurityInfo] [originator_name: InteractiveReportingDataAccessService] Unknown exception handled in RequestProcessor::GetRowLevelSecurityInfo()@D:\talleyrand\views\buster_talleyrand_bi_code\v1_bi_code\services\com\brio\one\services\das\proc\reqproc.cpp:1284[[
  [2013-06-25T10:16:21.762-04:00] [IR] [ERROR] [] [oracle.IR.com.brio.one.services.das] [host: xxxxxx] [nwaddr: 10.24.206.86] [tid: 20] [userId: epmt] [ecid: 0000JxqQx2C4ulmLwqH7iW1Hm49K00000D,0] [resource_id: Fetching Row Level Security Info] [session_id: OG77kW6K-0000013f7ba3e00d-0000-cd7b-0a18ce56] [subject: xxxxxxx] [resource: IDataAccessServiceImpl::getRowLevelSecurityInfo] [originator_name: InteractiveReportingDataAccessService] DAS Exception handled in IDataAccessServiceImpl::getRowLevelSecurityInfo()@D:\talleyrand\views\buster_talleyrand_bi_code\v1_bi_code\services\com\brio\one\services\das\idl\impl\idasimpl.cpp:1560[[
  Exception Message: Unable to acquire row level security information from repository.
  Please note that ODBC/DAS are configured as per the documentation.I am able to see BRIOSECG table in SQL Server,IR Studio and Web Client "Invalid object name 'RLSUser1.BRIOSECG'.][[" ,but when i select some fields from this tables in web client and process,then getting stated above error..
  Any Suggestions are appreciated...

• Row Level security in OLAP universe

  Hi,
  We have a OLAP universe based on a BeX query and we are planning to implement the row level security on it.
  As it is not possible to use the normal @BOUSER in the OLAP universe, what is the way to implement the same?
  Is it possible to have it in the BeX query itself? Any thoughts on this please.
  indus

  Hi,
  right now you can not implement row level security in an OLAP Universe, you need to setup BI Authorizations and use Authorization variables in the query.
  Ingo

• ADFBC 10.1.3.3 Row Level Security

  Hello.
  Till now, we have implemented Row Level Security through a database function, and using this function in all our view objects where clause.
  We would like to remove this database function, and implement this kind of security with ADFBC. Is this possible ? VPD is not an option. We are trying to make our product database independent.
  In general terms, we would need to check some conditions before creating the viewObjects rowset. I believe ADFBC does provide us with a mechanism to achieve this, but I'm not aware of how to do it.
  Any help would be great.
  Thanks a lot.
  John

  Thanks for the response Frank.
  Our row level security is if a certain user, has the rights to view a specific database row. We have all this security mapped to the database. Today we have a database function that receives some parameters (to identify which entity usecase is beeing queried) and returns yes or no, depending on the user rights.
  I'm not sure how to achieve this using the RowImpl class. It's my understanding that this a rowImpl class is always created when checking the row from the view object (hasNext() for example). But how do I fetch the current row, check if the user has the rights to view this row and return the fully filled row, or if he doesn't have access to this row, I would need to remove this row from the rowset. Is it possible to do this, just by implementing the rowimpl class of my View Object ? If so, which methods should I override to achieve this ?
  Thanks again

• Row-level security problem using VPD

  Hi all,
  I've implemented row-level security for my application using the following procedure:
  1) Created a procedure for setting the context for the application:
  PROCEDURE set_empno
  IS
  emp_id NUMBER;
  BEGIN
  BEGIN
  SELECT empno
  INTO emp_id
  FROM SCOTT.EMP
  WHERE upper(ename) = SYS_CONTEXT('USERENV', 'SESSION_USER');
  DBMS_SESSION.SET_CONTEXT('emp_sel_context', 'empno', emp_id);
  EXCEPTION
  WHEN OTHERS THEN emp_id := 0;
  END;
  END;
  2) Created the application context:
  CREATE CONTEXT emp_sel_context USING secman.app_security_context;
  In which secman is my security schema and app_security_context is the name of above procedure package.
  3) Created a function to access the application context:
  FUNCTION emp_sec(E1 VARCHAR2, E2 VARCHAR2) RETURN VARCHAR2
  IS
  e_predicate VARCHAR2(2000);
  BEGIN
  e_predicate := 'empno = SYS_CONTEXT(''emp_sel_context'', ''empno'')';
  RETURN e_predicate;
  END;
  END;
  4) Created a logon trigger:
  CREATE OR REPLACE
  TRIGGER INIT_CONTEXT AFTER
  LOGON ON DATABASE
  BEGIN
  SECMAN.APP_SECURITY_CONTEXT.SET_EMPNO;
  END;
  5) Added a policy on scott.emp like this:
  begin
  dbms_rls.add_policy (
  object_schema => 'SCOTT',
  object_name => 'EMP',
  policy_name => 'EMP_SEL_POLICY',
  function_schema => 'SECMAN',
  policy_function => 'EMP_SECURITY.EMP_SEC',
  statement_types => 'SELECT',
  update_check => TRUE
  end;
  My problem is that when a user queries the EMP table the above procedure does not work and 'no rows selected' is returned for each user that queries the table. Does anybody know which part of my procedure is wrong?
  Any helps is really appreciated.
  S/\EE|)

  i,
  I suggest:
  create another table emp1(logon with scott),this table only include empno,ename,then insert a few record,then modify
  procedure set_empno as
  PROCEDURE set_empno
  IS
  emp_id NUMBER;
  BEGIN
  BEGIN
  SELECT empno
  INTO emp_id
  FROM SCOTT.EMP1
  WHERE upper(ename) = SYS_CONTEXT('USERENV', 'SESSION_USER');
  DBMS_SESSION.SET_CONTEXT('emp_sel_context', 'empno', emp_id);
  EXCEPTION
  WHEN OTHERS THEN emp_id := 0;
  END;
  END;
  certainly ,you should grant select on emp1 to the user who will be test.
  lixinzhu
  2007/09/17

• Row-level security(VPD) problem

  Hi,
  ADF BC, Jdeveloper 11.1.1.3.0
  We want to implement Row-level security in ADF by VPD, and do following:
  1, create VPD policy according to the following sample
  http://www.oracle.com/webfolder/technetwork/tutorials/obe/db/10g/r2/prod/security/vpd/vpd_otn.htm
  2, Override prepareSession(), and set user info by dbms_application_info.set_client_info; in policy function get the user info, and implement filter logic.
  The confusing problem is: When first user login, data has been filtered right. But, when the second user or third user login, it gets the first user's data.
  We also use SQL Trace, and find the second user's operation(SQL) are not recorded in SQL trace file, the view object may not query database. We test clearCache(), viewCriteria with 'Query Execution Mode: Database', and etc, but can not solve the problem.
  I appreciate your suggestion.
  thanks

  So how did you tell Weblogic not to cache the SQL statement? I will be using VPD in a new application, and I definitely want to avoid the problem you had.