OBIEE security boils down into 2 different types:
- Object level security
- Data level security
Each object in the RPD can be secured by user group to restrict access.
In this picture everyone has access to this presentation table. To restrict access you click on the tick to change it to a cross for everyone. You can then give access only to specific groups by changing the box to a tick for those groups.
Data Level Security
Data level security is also controlled by user group, filters are defined against user groups and these filters then restrict the data returned to each user by manipulating the WHERE clause in the SQL generated by the server.
For instance:
Here you can see the filters that are defined for the user group "Primary Org-Based Security". If we take one example:
When a user creates a query including the logical table Core."Dim - Opportunity" the OBIEE server will look up the physical column for the logical column Core."Dim - Opportunity".VIS_PR_BU_ID, and add a clause for this column to the WHERE clause of the SQL query generated. In the case above we are using a session variable called ORGANIZATION, this is generated at login by row-wise initialisation.
So we end up with this on the end of the SQL Query:
WHERE W_OPTY_D.VIS_PR_BU_ID IN ('1-A1233','1-D453G','1-98GT2')
And so the user will only see data from their organizations. This exact example is based on Analytics Apps 7.9.5 using Siebel as the source OLTP system. So the ORGANIZATION variable is initialised by getting all the user's orgs from the Siebel DB in a SQL statement; you may need to create something similar for your application yourself.
Hi Matt,
ReplyDeleteNice to see a new OBIEE blog! Keep upt the good work!
Regards
John
http://obiee101.blogspot.com/
Thanks John,
ReplyDeleteI'll be a crawler and say I was inspired to start it after reading yours and remembering how much stuff I forget. A blog seems like a great place to store it all, and share with others :-)
Matt
How do you limit access to OBIEE base services such as XMLViewService, etc so no one can access the reports by just writing an additional service?
ReplyDeletehi guys keep the posts running why you guys are not posting new ones
ReplyDeleteI have been very busy with lots of projects going on a the moment, I'll tey and make more time for more content here soon :-)
ReplyDeleteHey, thanks for this inspiring blog. I am developing a report in OBIEE where I would like to view all users and their roles(subject areas) they can access. But then I also want to view each report the users are able to access. The various reports are stored in the subject areas(folders). How can I achieve this?
ReplyDeleteHi, can we change the security group hierarchy
ReplyDeleteHi,
ReplyDeletewhat is the default logical level for production users.
Thanks for your information, which made me to join OBIEE online training @www.monstercourses.com
ReplyDeleteThank you provide valuable informations and iam seacrching same informations,and saved my time Cognos Online Training
ReplyDeleteI think mimicking popular posts on other blogs is one of the best ways to get a good idea which will be popular.Such a lovely blog you have shared here with us. Really nice.
ReplyDelete-------------------
Cctv installation
I think you are right. I was pleased when I heard one of my student saying, "I like it here because you are not a bunch of eggheads." We definitely hire tutors who can develop a positive rapport with the student.
ReplyDeleteBT autopilot
Stunning! I am primarily shocked by the way you interesting out practically each and every little detail. It can be really making a beeline for help me an awesome offer. Much obliged for sharing your proposals so certainly.I am going to subscribe, so I can take in more. I can hardly wait to get redesigns through email.
ReplyDeletefloor graphics new orleans
Understudies has obligation to get things rapidly and can perform in a split second since training need of everybody while they get online or ofline at home.
ReplyDeleteRettungsplan