BusinessObjects Board

What are row level and object level security?

I am having a scenario like this.

  1. I am having a report , in that there are 4 objects I am displaying in the report.

I want to show only 3 objects for User A and 4 objects for user B.
How can I set hide option for User A on the 4th Object?

  1. I want to restrict select of rows on a table, based upon Users/User Groups.

how can I do this?

  1. If I want to hide some objects or classes for some list of users or user groups , How can I do this?

Thank you,
Regards,

Gowtham Sen.


GowthamSen :india: (BOB member since 2006-08-31)

Click here and here and uh oh wait a minute, why don’t you search??


zack :us: (BOB member since 2007-08-02)

Hello,

It is very simple to apply either row level or object level restriction.

On the universe,

Tools -> Manage Security -> Manage Access restrictions

Click NEW

Add the objects (which you want to hide to say lets user “A”) on “Objects” tab and the row level restrictions (which you want to apply for user “A”) on the “rows” tab.

Click “OK” and come out of the window.

Now on the window in front of you which is “Manage Access Restrictions”, click “Add User or group” -> Select the user/group (i.e., “A”). Click “Ok”.

Noww apply the only available restrictions to the user added on the right pane.

Click “OK” and enjoy. If there is any issue, follow “zack” directions.


BO_Stuffed (BOB member since 2008-03-29)

Although you can accomplish the same in the universe, in my humble opinion, the best way to control data security (based on login) is in the database.


substring :us: (BOB member since 2004-01-16)

Thanks to you all.

The information provided is really very helpful!!

Regards,
Gowtham Sen.


GowthamSen :india: (BOB member since 2006-08-31)

How do I this if my Oracle reporting DB uses a common login for all users running reports? What would be the best way to restrict records returned so that every user sees only data pertaining to his own group (or department, let’s say)…?


sdeshpan :us: (BOB member since 2005-06-28)

Hi there,

There is several posts explaining how to implement this and also a presentation but I cannot find it. Maybe someone could tell us.

BR
Sebastien

It requires some work on your side to set it up. You need to set up a security table and an organizational hierachy table (a slowly changing dimension table). By joining the two tables, you can tell who can see what. The single login is irrelevant because Business Objects is accessing the database through a universe connection. A universe connection has just one login.

If you are still not clear, you should sit down and discuss this with your datawarehouse DBA as this involves datawarehouse design.


substring :us: (BOB member since 2004-01-16)

Well, your suggested approach is what I wanted to follow to begin with. But the direction taken here by the folks is that the Reporting Mart will not be modified at all to accommodate this additional security table. In that case, I can only think of an SDK solution to force a condition on every report’s SQL such that the user sees data pertinent to only his department by something like “WHERE dept_id = <>” on the SQL.

Any ideas?


sdeshpan :us: (BOB member since 2005-06-28)

This is absurd. There is no reason whatsoever not to allow you to add a security table. It sounds like to me that your data mart is controlled by some “soup nazi” who has no knowledge on reporting. we have encountered the same obstacle at the beginning of our BI deployment. Our Data Warehouse Director is very good with database, and he can cites all the Kimball theories. But he has no experience in reporting. It took us a while to “convert” him.

If you are not building it the right way from the beginning, you are creating headaches down the road. And the problem tends to snowball. If I were you, I will start looking for another job.


substring :us: (BOB member since 2004-01-16)

LOL, what can I say! I am at a client-site only for a couple of weeks, and I have told them that the security table option is the right way to do it. But this client is actually doing this work for another client (yeah!) in the UK, and apparently, the UK client is not very flexible (add communication issues to it).

Anyway, I will try to force them to “convert”, but it is highly unlikely. Having said that, what are my other options? I can think of the SDK route, but I would rather avoid any custom code development and would like to do this on the Universe/Report side.

Thanks for the help!

I am glad that I am here only temporarily, so I don’t have to look for another job just yet! :wink:


sdeshpan :us: (BOB member since 2005-06-28)

What kind of mess you are getting yourself into?

Keep in mind that SDK route is going to be expensive. Java programmers are not cheap.

I have never done consulting in my whole life, so it might be easy for me to say this. But in my humble opinion, you don’t have to take the job if the term is not acceptable to you. A consultant has to keep up his/her reputation. If you get yourself into a mess, who do you think they will blame later on when things turn South? It is always the consultant’s fault. And it is going to affect your reputation. It is okay to turn down a job.


substring :us: (BOB member since 2004-01-16)