OBIEE Step by Step Guide

October 9, 2009

Hiding Stuff in OBIEE Based on User Profiles

Having seen so many ways to secure your presentation layer based on the logged-in user's profile, I thought this would be a nice place to consolidate the list and give you step-by-step guides to these implementations.

The ways of hiding stuff, as I call them, are:

1. Column Level Security

2. Row Level Security

3. Hiding certain sections of the dashboard

4. Hiding certain tabs of the dashboard

How and when to implement each of these techniques is the interesting part. Let's delve in further.

For demo purposes, I am using the famous free Paint dashboard and creating two users in the rpd.

One user is adminTest, who can see all the pieces of the dashboard and is a member of the Administrator group. The other is executiveTest, who can see only certain pieces of the dashboard, each of them restricted using one of the hiding scenarios listed above.

Open the rpd and go to Manage –> Security. Security Manager pops up as below. To add a new user in Security Manager, go to Action –> New –> User and type in the new user name and password.

[Screenshot: SecurityManager]

Column Level Security:

Let’s say you want to hide all dollar amounts in the Paint subject area from the “executiveTest” user. Open up your rpd, go to the presentation layer, choose the “Paint” subject area, choose “Sales Measures” and the columns corresponding to $ as shown below (all selected).

[Screenshot: SelectedMeasures]

Let's start with the “Dollars” column. Right-click on it, choose Properties and then click on the “Permissions” button as shown below.

[Screenshot: ColumnPermissions]

When you click “Permissions”, a new window pops up. Check the “All Users” button at the top and uncheck the “EveryOne” “Read” access.

[Screenshot: ColumnSecurity_Checked]

See the picture above. Everyone except the “executiveTest” user and its group has access rights on this column. Click “OK”. Remember that if there is no red cross mark or the checkbox is unchecked, it means it's disabled.

Let's repeat the same for all the columns that we want to hide from this user. Now press “Ctrl + K” to run a consistency check, or press “Ctrl + E” to open the consistency checker window and click “Check All Objects”. Save the repository once the consistency checker has come up with no errors.

Restart your services once the repository is saved. Go to the presentation layer as “Administrator” and create an Answers query using the “Paint” subject area and the dollars columns as shown below.

[Screenshot: AdminAccount]

[Screenshot: AnswersScreen]

Save the report. See the results as shown below.

[Screenshot: adminTestAnswersAllColumns]

Now log in using the “adminTest” account and you will see the same report with all columns visible to the user. When you select the “Paint” subject area, you will see all columns in the left pane (including the columns referring to $).

Now log in using “executiveTest” and look at the left pane of the “Paint” subject area. All the columns referring to $ are now invisible.

[Screenshot: executiveTestAnswersInvisible]

Also, when you try to open the previously saved report as the “executiveTest” user, Answers throws an error.

[Screenshot: executiveTestAnswersErrors]

To fix this error, open the file c:\Oracle BI\Server\Config\NQSConfig.ini

Look for the word “POPULATE_AGGREGATE_ROLLUP_HITS” inside this file. The default value for this parameter is “NO”. Change that to “YES”. Save the file. Now restart your services.

Go back, log in as “executiveTest” and open the same Answers report we saved before. This time, the report does not show any errors.

[Screenshot: executiveTestAnswersVisibleAfterNQConfigChanges]

Also, notice that all the $ columns we had before are invisible and Answers works perfectly.

Now, let's see what happens if “executiveTest” is given exclusive access even if the “Executive” group access has been disabled as follows, or vice versa.

[Screenshot: DifferingSecurity1]

[Screenshot: DifferingSecurity2]

In both these cases, the security has no effect and the Answers report works fine, as if any other user had logged in.

In essence, to implement column level security, both the user and its group should be restricted from access to that column. Let's think of this in a real implementation. All the projects that I have worked on always have users being part of some group rather than individuals.

Until next time.. Kudos to all OBIEE evangelists..

Check out how sections of your dashboard can be hidden from certain users/groups of users…

As always, I appreciate your comments.
