VPD (Row Level Security) Implementation at Middle Layer

Similar Messages

• SAP-BO SSO and Row Level Security

  Hi,
  We can configure the SAP authentication and able to login InfoView via SAP user name and password. And also, we can import the roles from the SAP system.
  When we create a connection to BW cubes from designer, we want to use "Use Single Sign On when refreshing reports at view time" to apply row-level security which is defined at the BW cubes.
  In our tests, we use "Use BusinessObjects credential mapping" while creating connection from designer to test the row level security. As you can guess, after importing the SAP user, in CMC screen > Users and Groups > Users, we manually enter the password of the user to the Database credentials part. However, as you can guess, the password of the user's is not static and that is not a good solution.
  My question is that, do I need to configure SSO between SAP and BO system or how can I enable row level security?
  System Information
  Business Objects XI 3.1
  SAP Intg. Kit 3.1
  Thanks a lot,
  Omer

  Hi Omer,
  please note that only row-level security implemented through authorization variables in BW queries can be used in BusinessObjects. Row-level security defined at cube level will not be applied.
  As long as you have used the SAP authentication to log on your BOBJ server, the SAP credentials will be used automatically to get the data from your SAP BW source as long as the "Use Single Sign On when refreshing reports at view time" option  is selected in the Database configuration panel (Found in the CMC when viewing the properties of your report) and the option "Use BusinessObjects credential mapping" is selected in your universe connection.
  Please note that this will only work for reports that are invoked directly in the infoview. If a user schedules such a report, she/he has to enter her/his SAP credentials explicitely in the Database Configuration Panel appearing in the scheduling assistant window. In this case you can activate SNC trust between your two servers in order to avoid entering a password when the report is scheduled.
  Regards,
  Stratos
  Edited by: Efstratios Karaivazoglou on May 5, 2009 10:16 AM
  Edited by: Efstratios Karaivazoglou on May 5, 2009 10:23 AM

• Implement row-level security using Oracleu2019s Virtual Private Databases (VPD)

  Environment: Business Objects XI R2; Oracle 10g
  Functional Requirement:
  Implement row-level security using Oracleu2019s Virtual Private Databases (VPD) technology. The restriction is that the Business Objects Universe connection should use a generic/u201Capplicationu201D database user account. This will allow the organization to avoid the situation where the Business Objects password and the Oracle password need to be kept in synch.
  What do we need from the Business Objects support team?
  1.     Review the 2 attempted solutions that we have tried to implement
  2.     Propose solutions/answers to open questions for each of the attempted solutions
  3.     Propose any alternate solution that will help us implement the Function Requirement stated above
  Attempted Solution 1: Connection String uses Oracle Proxy User
  The connection string that is specified in the Universe is the following:
  app_user[end_user]/app_user_pwdarrobaDatabase.WORLD
  app_user = generic application user
  end_user = the oracle account of the end user which is set using arrobaVariable('BOUSER') app_user_pwd = password of the generic application user
  We have tried and implemented this in our test environment. However, we have some questions and concerns around how the connections are reused in a connection pool environment.
  Open Question for Solution 1:
  i. What happens when multiple proxy users try to connect on at the same time?  Business Objects shares the generic app_user connect string.  However, every user that logs on will have their own unique proxy user credentials.  Will there be any contention involved?  If so, what kind of errors can we expect?
  ii. If a user logs on using his credentials (proxy user), and business objects opens up a connection to the database using that user's credentials (as the proxy user but logging in through the generic app user). Then the user exits out --> based on our test today, it seems like the database connection remains open.  In that case, if another user logs on similarly with their credentials, will business objects simply assign the first users connection to that second user?  If so, then our security will not work.  Is there a way that Business Objects can somehow ensure that everytime we close a report, the connection is also terminated both at the BO and DB levels?
  iii. Our 3rd question is general high level -> How connection pooling works in general and how it is implemented in BO, i.e. how are new connections assigned, how are they recycled, how are they closed, etc.
  Attempted Solution 2: Using the ConnectInit parameter
  Reading through a couple of the Business Objects documents, it states that u201CUsing the ConnectInit parameter it is possible to send commands to the database when opening the session which can be used to set database specific parameters used for optimization.u201D
  Therefore, we tried to set the parameter in the Universe using several different options:
  ConnectInit = BEGIN SYSTEM.prc_logon('arrobaVARIABLE('BOUSER')'); COMMIT; END; ConnectInit = BEGIN DBMS_SESSION.SET_IDENTIFIER('arrobaVariable('BOUSER')'); COMMIT; END;
  Neither of the above iterations or any variation of that seemed to work. It seems that the variable is not being set or being u201Cexecutedu201D on the database.
  One of the Business Objects documents had stated that Patch ID 38, 977, 350 must be installed in our BO environments. We have verified that this patch has been applied on our system.
  Open Questions for Solution 2:
  How do we get the parameter ConnectInit to work? i.e. what is the proper syntax to enter and what other things do we need to check to get this to work.
  Note: Arroba word is being used instead of the symbol in order to avoid following error message:
  We are sorry but your message can not be posted since you have included an email address. Please remove the email address and re-post.

  the connectinit setting should look something like this:
  declare a date; begin vpd_setup('@VARIABLE('BOUSER')'); Commit; end;
  The vpd_setup procedure (in Oracle) should look like this:
  CREATE OR REPLACE procedure vpd_setup (p_user varchar)IS
  BEGIN
    DBMS_SESSION.set_vpd( 'SESSION_VALUES', 'USERID', p_user );
  END vpd_setup;
  Then you can retrieve the value of the context variable in your vpd functions
  and set the vpd.

• How to implement row level security?

  Hi all,
  There is a database which is for 3 companies to use it and how to use row level security to make sure that they can only manipluate their own data? For example, "employee" table, for each company they just can see their own employees information. How to use dynamic view to do it?
  Many Thanks
  Amy

  Here are two options to achieve what you want.
  A. You can do this by coding, that's if you are ready to. Are you? If yes then try the steps below:
  1. create a security codes table. Say for example
  001 - company a
  002 - company b
  2. create a security table that will list all users and which company they should have access to. You can also implement this by roles.
  3. alter all tables in the application schema to add a security code column. This will be a foreign key reference to table created in 1 above.
  4. update all data in the tables according to which company they belong to.
  5. write a procedure or package that does a validity check whenever a user requests for data. This procedure/package determines which company data the user has access/rights to.
  With this, you should be able to achieve what you want if you do not want to spend on VPD and FGAC. The problem comes where there are users who would have cross access to data from both companies. In this regard, then you have to modify your security table a little bit to handle this.
  B. This option i will admit is not so clean. You can also achieve this by two different views for every table in the application schema. And on each of these views, create a private synonym for every user. For illustration purposes:
  Table name = Employee.
  Create a view employee_a on employee
  create a view employee_b on employee
  Let's say you have users x and y. X has access to employees of company a and y has access to employees of company b. You can now create private synonyms for each of these users as follows:
  create synonym employee on employee_a in x schema.
  create synonym employee on employee_b on y schema.
  This i have not tried but believe should work.
  Hope one of these options serve your purpose.

• Row-level security(VPD) problem

  Hi,
  ADF BC, Jdeveloper 11.1.1.3.0
  We want to implement Row-level security in ADF by VPD, and do following:
  1, create VPD policy according to the following sample
  http://www.oracle.com/webfolder/technetwork/tutorials/obe/db/10g/r2/prod/security/vpd/vpd_otn.htm
  2, Override prepareSession(), and set user info by dbms_application_info.set_client_info; in policy function get the user info, and implement filter logic.
  The confusing problem is: When first user login, data has been filtered right. But, when the second user or third user login, it gets the first user's data.
  We also use SQL Trace, and find the second user's operation(SQL) are not recorded in SQL trace file, the view object may not query database. We test clearCache(), viewCriteria with 'Query Execution Mode: Database', and etc, but can not solve the problem.
  I appreciate your suggestion.
  thanks

  So how did you tell Weblogic not to cache the SQL statement? I will be using VPD in a new application, and I definitely want to avoid the problem you had.

• Urgent: row level security with VPD

  Has any one implemented the row level security in Virtual private database(VPD) for Discoverer.
  Please let me know how well does it work with discoverer and are there any flip sides that one needs to be aware of.
  Thanks

  authenticating / authorizing part is take care by weblogic and then USER variable initialized and you may use it for any initblocks for security.
  Init block for authenticating / authorizing and session variables are different, i guess you are mixing both.

• Row level security in OBIEE 11g: Which is better: VPD or RPD

  We can apply row level security in OBIEE by 2 ways.
  1. by Creating Initialize Block in RPD
  2. or Applying VPD in Database, which restricts source tables
  Which one is more efficient and why?
  Thanks,
  Sunil Jena

  you will have some degree of performance degradation with either approach since you are adding additional filters so I would not use that as the main factor to decide. You need to assess your actual requirements. What is the basis by which you are planning on doing the security. Is LDAP the main basis for the security? Do you plan to use certain roles? if your security is more based on roles at the application level, then it may be easier to define at the Application level (OBIEE)...if its just based on a certain user ID for a set of tables, then perhaps VPD can work. If helpful, pls mark.

• How to implement row level security using external tables

  Hi All Gurus/ Masters,
  I want to implement row level security using external tables, as I'm not sure how to implement that. and I'm aware of using it by RPD level authentication.
  I can use a filter condition in my user level so that he can access his data only.
  But when i have 4 tables in external tables
  users
  groups
  usergroups
  webgrups
  Then in which table I need to give the filter conditions..
  Pl let me know this ...

  You pull the Group into a repository variable using a session variable init block, then reference that variable in the data filters either in the LTS directly or in the security management as Filters. You reference it with the syntax VALUEOF("NQ_SESSION.Variable Name")
  Hope this helps

• SAP Lumira - Implementing row level security

  Hi All,
  I aware that SAP Lumira 1.17 onward allows to share the datasets, stories to SAP Lumira Server as well as SAP BI Platform (4.1 SP3 onward).
  But I would like to know if there is any way of implementing Row level security for this published contents i.e. datasets or stories. e.g. If user A (may be an administrator with access to all the regions) creates dataset and story and shares it with other users over SAP Lumira Server or SAP BI Platform. But when user B accesses these contents on any platform, SAP Lumira server or SAP BI Platform, he should be able to see data only as per his access (his own region). Can something of this sort be implemented?
  Thanks,
  Abhijit

  Hi,
  Sorry for the delay in getting back to you.
  As per my understanding - as of today, we respect Row-level security when acquiring (fetching) the data from universe into Lumira desktop (also, contexts and business-security profiles i.e. columns)
  now, when that desktop user has 'designed' the Lumira document, all of the above: row-level, contexts and security profiles  are 'locked-down' into that artefact when shared onwards. (i.e. to Lum Server and hence, BI Platform)
  once this content is being access from the BI Launchpad, refresh-on-demand is possible from the story, as well as scheduling of dataset on which it is based.
  According this blog by Greg Wcislo (the product owner for the Add-on)  Lumira integration for BI4 functionality detailed. note that features such as 'refresh on open' and 'changing design-time parameters' (i.e. prompts) are not yet supported,  but very much in future scope / plans.
  I believe that one of the other mid-term goals is to architect a 'Lumira server-side universe refresh' (i.e. so that the processing is handled 100% by Lumira server) rather than querying across BIPlatform services then replicating a dataset to HANA (which is currently the process flow)
  I hope this helps.
  Regards,
  H

• Row-level security problem using VPD

  Hi all,
  I've implemented row-level security for my application using the following procedure:
  1) Created a procedure for setting the context for the application:
  PROCEDURE set_empno
  IS
  emp_id NUMBER;
  BEGIN
  BEGIN
  SELECT empno
  INTO emp_id
  FROM SCOTT.EMP
  WHERE upper(ename) = SYS_CONTEXT('USERENV', 'SESSION_USER');
  DBMS_SESSION.SET_CONTEXT('emp_sel_context', 'empno', emp_id);
  EXCEPTION
  WHEN OTHERS THEN emp_id := 0;
  END;
  END;
  2) Created the application context:
  CREATE CONTEXT emp_sel_context USING secman.app_security_context;
  In which secman is my security schema and app_security_context is the name of above procedure package.
  3) Created a function to access the application context:
  FUNCTION emp_sec(E1 VARCHAR2, E2 VARCHAR2) RETURN VARCHAR2
  IS
  e_predicate VARCHAR2(2000);
  BEGIN
  e_predicate := 'empno = SYS_CONTEXT(''emp_sel_context'', ''empno'')';
  RETURN e_predicate;
  END;
  END;
  4) Created a logon trigger:
  CREATE OR REPLACE
  TRIGGER INIT_CONTEXT AFTER
  LOGON ON DATABASE
  BEGIN
  SECMAN.APP_SECURITY_CONTEXT.SET_EMPNO;
  END;
  5) Added a policy on scott.emp like this:
  begin
  dbms_rls.add_policy (
  object_schema => 'SCOTT',
  object_name => 'EMP',
  policy_name => 'EMP_SEL_POLICY',
  function_schema => 'SECMAN',
  policy_function => 'EMP_SECURITY.EMP_SEC',
  statement_types => 'SELECT',
  update_check => TRUE
  end;
  My problem is that when a user queries the EMP table the above procedure does not work and 'no rows selected' is returned for each user that queries the table. Does anybody know which part of my procedure is wrong?
  Any helps is really appreciated.
  S/\EE|)

  i,
  I suggest:
  create another table emp1(logon with scott),this table only include empno,ename,then insert a few record,then modify
  procedure set_empno as
  PROCEDURE set_empno
  IS
  emp_id NUMBER;
  BEGIN
  BEGIN
  SELECT empno
  INTO emp_id
  FROM SCOTT.EMP1
  WHERE upper(ename) = SYS_CONTEXT('USERENV', 'SESSION_USER');
  DBMS_SESSION.SET_CONTEXT('emp_sel_context', 'empno', emp_id);
  EXCEPTION
  WHEN OTHERS THEN emp_id := 0;
  END;
  END;
  certainly ,you should grant select on emp1 to the user who will be test.
  lixinzhu
  2007/09/17

• How to implement Bursting(Row level security) in Xcelsius

  Hi,
  We are using Xcelsius 2008. We have created xcelsius dashboard using Qaaws but for authentication in qaaws we are suing enterprise authentication and default user.
  Now in my dashboard i have one combo box wich gives data fro diffrent states, now i need to restrict the user to see the state values. I implement the row level security in universe, when i create webi report and view that reprot in infoview, the row level security works. But when i publish the dashboard to infoview the row level security doesn't work.
  We are uisng XO 3.1 with SSO on IIS. So how and what are the diffrent option available to implement the row level security in Xcelsius Dashboard.
  Thanks for the help in advance.
  Thanks,
  Nimesh.

  Nimesh,
  Were you able to implement ? I have a requirement to use the same dashboard for 5 regional users.
  Row level security works.
  combo box intial value is Global , when I login as North America user, combo still shows Global but it will have the value of North America.
  i am curious to know how you implemeted this?
  Thanks
  Pushpa

• Row level security without using VPD

  I am wondering if there is a way to have row level security in APEX without having to use the virtual private database (VPD). I cannot afford the Enterprise Edition license that is required for VPD.
  I need a way to customize the list of rows that appear for each user on a report page.
  For example, I only want managers to be able to see their employees and not employees of other managers.
  Thanks for your help !
  -Reid

  While it wont provide all the features that Oracle RLS does, you can leverage Oracle 'Contexts' to provide a form of Row Level Security.
  This article describes how
  http://www.dbazine.com/oracle/or-articles/jlewis15
  Within APEX you can set your application to call the 'context' setting function in the 'VPD' section of the 'Edit Security Attributes' page.
  Varad

• Tips on Implementing Row Level Security

  Dear All,I am currently trying to implement row level security in Hyperion Intelligent version 8.2. The user guide is straight forward on explaining the steps. However, when I tried it, the row level security does not filter the information at all eventhough I have set the row level security setting in System Administration. Is there Anyone who can share their problems and experience when implementing row level security in Hyperion Intelligent version 8?Regards,Ricky

  I don't believe you need the bqy file anymore, as you set up the ODBC to connect to the database of the EPM Workspace since it contains the 3 tables (BRIOSECG, BRIOSECP, BRIOSECR).
  (I don't have an EPM instance with IR installed to check currently).
  Note: from the docs quoted earlier:
  If you want to implement row-level security in Reporting and Analysis, keep these points in mind:
  At least one Hyperion Interactive Reporting Data Access Service instance must be configured to access the data source storing your row-level security information.
  The database client library should be installed on the computer where the Hyperion Interactive Reporting Data Access Service is running.
  The data source for the Reporting and Analysis repository that has the row-level security table information should be configured.
  For security reasons, the user name and password to access the data source should differ from that used for the Reporting and Analysis user account.
  Regards, Iain

• Help with implementing Row Level Security in Interactive Reporting

  We're deploying Hyperion BI+ 9.3.1, using Workspace and Interactive Reporting. I'm researching how we can use the Workspace row level security option. I've read what's available for documentation in the Workspace Administrator Guide and the Interactive Reporting Users Guide. I understand the concept of setting up rules with row_level_security.bqy, but I'm confused about where these tables should go and what actually happens when I go to Workspace > Administrator > Row Level Security and turn it on.
  The Administrator's Guide tells me the "properties" are stored in the repository, but the "rules" are in the "data source". Does that mean my BRIOSEC* tables go in the database I'm running my reports from? If so, then what's the data source I'm filling in on Workspace > Administrator > Row Level Security?
  I have many different database connections going to different Oracle and SQL*Plus instances, and I don't want to apply row level security to all of them. How does Workspace tell the difference between them? If I enable rules but create a report from a database that doesn't have rules defined for it, what happens?

  The 3 tables used with the RLS are stored in the same schema as your repository by default.
  The RLS store all the Rules for any database that you are using.
  You define the rules based on the tablename (owner.tablename) and the column name.

• ADFBC 10.1.3.3 Row Level Security

  Hello.
  Till now, we have implemented Row Level Security through a database function, and using this function in all our view objects where clause.
  We would like to remove this database function, and implement this kind of security with ADFBC. Is this possible ? VPD is not an option. We are trying to make our product database independent.
  In general terms, we would need to check some conditions before creating the viewObjects rowset. I believe ADFBC does provide us with a mechanism to achieve this, but I'm not aware of how to do it.
  Any help would be great.
  Thanks a lot.
  John

  Thanks for the response Frank.
  Our row level security is if a certain user, has the rights to view a specific database row. We have all this security mapped to the database. Today we have a database function that receives some parameters (to identify which entity usecase is beeing queried) and returns yes or no, depending on the user rights.
  I'm not sure how to achieve this using the RowImpl class. It's my understanding that this a rowImpl class is always created when checking the row from the view object (hasNext() for example). But how do I fetch the current row, check if the user has the rights to view this row and return the fully filled row, or if he doesn't have access to this row, I would need to remove this row from the rowset. Is it possible to do this, just by implementing the rowimpl class of my View Object ? If so, which methods should I override to achieve this ?
  Thanks again