Forum Stats

  • 3,851,490 Users
  • 2,263,988 Discussions


BI security

user634293 Member Posts: 331

we are currently implementing BI APPS 7.9.6 and EBS 11.10.5. we start to look at Data security reading "Oracle® Business Intelligence Applications Security Guide",I am trying to find out what to do next after creating/configure initialization block ? from my understanding there are filters need to be added on the logical model to limit the data the user can view. Is there any instruction on how to setup this filers ?


Best Answer

  • mod100
    mod100 Member Posts: 282
    Answer ✓

    I am not sure how the orgs are selected for EBS as I am mainly from a Siebel as a source background, but in the case of Siebel an initialisation block called 'Orgs for Org-Based Security' gets the users orgs and stores them in a variable called 'ORGANIZATION'.

    The data filters are then defined here: Manage -> Security -> Goups (select a web group) to apply security to (in the case above of Siebel as a source there is a default group called 'Primary Org-based Security' which has org based security set). Double click on the group and then click the permissions folder and go to the filters tab. These are the data filters that are applied for any member of this group. So for instance.

    Name = Core.Dim - Opportunity
    BM Filter = Core."Dim - Opportunity".VIS_PR_BU_ID = VALUEOF(NQ_SESSION."ORGANIZATION")

    So, what happens is this:

    1) User logs in 'Orgs for Org-Based Security' initialisation block fires off and stores the user's orgs in the variable ORGANIZATION.
    2) User is a member of the web group 'Primary Org-based Security'.
    3) User goes to answers and makes a request in the pipeline subject area.
    4) As this includes the Core."Dim - Opportunity" dimension table and the user is in a web group with a filter defined for that table the server applies data level security by appending to the where clause of the sql. So for instance if the query before data security is:


    It becomes

    SELECT ROW_WID FROM W_OPTY_D WHERE VIS_PR_BU_ID IN (<list of org ids from variable ORGANIZATION here>)

    While some of that is Siebel specific the way the security is applied is exactly the same, the only difference will be how the user's orgs are selected and the initialisation block etc.




  • 66787
    66787 Member Posts: 484
    If you want to integrate security between EBS and OBI, then users will have single sign-on and same access as EBS will apply (conceptually). You do not need to build logical or VPD like solution.
  • user634293
    user634293 Member Posts: 331
    thx for your answer, what if i want to add new fact/dimensions ?

  • 66787
    66787 Member Posts: 484
    you can control them via the OBIEE RPD metadata as the security will eventually be at the presentation catalog level of obiee
  • user634293
    user634293 Member Posts: 331
    Could you please give me more details ?

  • 66787
    66787 Member Posts: 484
    users will only access data in facts and dims via the presentation catalog of obiee. Therefore, then you map the new facts and dims in the metadata layer, put them in a folder which only certain users have access too.....
  • user634293
    user634293 Member Posts: 331
    thx for your fast reply, but i think this you are talking about object security. but i need to implement data security
    "Data-level security defines what a user in an OLTP application can access inside a
    report. The same report, when run by two different users, can bring up different data"

    thx again for your help
  • 66787
    66787 Member Posts: 484
    for data security you have options like:

    1) EBS orgs will flow through from the single sign on, so two people of different org will see different rows
    2) for custom facts if they do not have same orgs, then you need to code for it using VPD at DB level or where clauses in the init blocks
    3) or use views on top of facts with security built in and point rpd to views (ebs uses views too very often)
  • user634293
    user634293 Member Posts: 331
    thx a lot of this helpful information i would like to ask some more questions :

    1 EBS orgs will flow through from the single sign on, so two people of different org will see different rows

    what i want to know how the data is filtered in BIEE, now assume the user logon to EBS then to BI and the different initalization block intialized and
    populated different variable, how BIEE uses this information to filter the data i looked in most of the logical table i could not find any filter related to security.

  • 66787
    66787 Member Posts: 484
    Please try reading this, if you have specific questions after that, please ask here:

    Oracle® Business Intelligence Applications
    Security Guide
    Version 7.9.6
  • user634293
    user634293 Member Posts: 331
    Of course I've read this doc, but it does not give clear explanation how the data security works.
    let us have an example :

    Assume we want to implement data security using operating unit org-based security, according to my understanding from the doc , i need to do the following:
    1. Oracle BI Applications Authorization for Oracle EBS
    2.and according to the doc. when the user logs in the session variables /initialization will be initialization
    USER (System variable)
    OU_ORG (Row-wise variable)

    then what to do next ? , where these variables are used ? is there any filters ?

This discussion has been closed.