Tuesday, June 10, 2014

OBIEE 11g: Object Level Security Implementation

Object level security in OBIEE controls which OBIEE objects (subject areas, presentation tables and columns, reports, dashboards and catalog folders) a given application role or user can see or change. It decides whether an object is accessible at all; it does not filter the rows an accessible object returns, which is the job of data level security.

Object level security is achieved by granting or denying access to an application role or to an individual user. Permissions applied to an application role apply to every user who is a member of that role, so roles should normally be used, with direct user entries reserved for exceptions.
Application role, group and user management was covered in my previous post here.

We can restrict access to the following objects using object level security:
        1.  Subject areas
        2.  Presentation tables
        3.  Presentation table columns
        4.  Reports
        5.  Dashboards
        6.  Dashboard pages
        7.  Catalog folders

A user who is a member of an application role, directly or through a group mapped to that role, receives the access granted to that role. A user who is not a member of the role does not receive that role's access, whatever other roles they hold, unless one of those other roles grants it.

Object level security is implemented in two places: the presentation layer of the repository (RPD) and the web catalog.

Repository Level:

At the repository level, object level security is set in the presentation layer of the RPD using the Administration Tool.
Access to a subject area, presentation table or presentation column can be granted or denied per user or per application role.

Object level security applied to columns is also called column level security.

In the presentation layer, open the properties of the subject area, table or column.
Select the Permissions tab.
Select 'Show all users/application roles'.
The list shows every user and application role together with its current setting: Read, Read/Write, No Access or Default.
Set these as required to achieve object level security. Default means the object inherits the setting of its parent (a column from its table, a table from its subject area), so a No Access on a subject area hides everything beneath it unless a child is explicitly granted. Note that if a saved analysis references a column the user is denied, the analysis fails for that user; it does not silently drop the column.

Web Catalog Level:

At the web catalog level, object level security is set on folders, dashboards, dashboard pages and reports. A user only sees the objects for which they hold a permission.
As at the repository level, permissions are set for application roles or for individual users.

Select any folder, dashboard, dashboard page or report in the catalog and open its Permissions dialog (More > Permissions on the catalog page).

The dialog lists the application roles and users that have an entry on the object, with the permission set for each.
The permissions that can be chosen are listed below. Custom opens a further dialog in which individual rights are combined.

Following are the permissions and their descriptions.

Read: Use this option to give authority to access, but not modify, the object.

Write: Use this option to give authority to edit the object.

Delete: Use this option to give authority to delete the object.

Traverse: Use this option to give authority to access objects in folders within the selected folder when the user does not have permission to the selected folder. For example, if you grant users Traverse Folder permission to the /Shared Folders/Test folder, they cannot access objects in the /Shared Folders/Test folder but can access objects stored in lower-level folders, such as the /Shared Folders/Test/Guest folder.

Run Publisher Report: Use this option to give authority to read, traverse the folder that contains the object, and regenerate the report so that it includes the most recent data.

Schedule Publisher Report: Use this option to give authority to read, traverse the folder that contains the object, and schedule the report.

View Publisher Report: Use this option to give authority to read, traverse the folder that contains the object, and view, but not regenerate, the report.

Execute: Use this option to give authority to run an object, such as an action, agent, or briefing book.

Change Permissions: Use this option to give authority to change the object's permissions.

Set Ownership: Use this option to give authority to reassign ownership of the object.

Full Control: Use this option to give authority to perform all tasks (modify and delete, for example) on the object.

No Access: Use this option to deny access to the object. Explicitly denying access takes precedence over any other permission.

Modify: Use this option to give authority to read, write, and delete the object.

Open: Use this option to give authority to access, but not modify, the object. If you are working with an Oracle BI Publisher object, this option also enables you to traverse the folder that contains the object.

Custom: Use this option to display the Custom Permissions dialog, where you grant read, write, execute, and delete permissions individually.

Granted: Use this option to give authority to access a section in a dashboard. This permission can be set in the dashboard only. It overrides any catalog permissions set on the section's objects that would prevent the corresponding roles, Catalog groups, and users from accessing them (for example, No Access).

Denied: Use this option to deny access to a section in a dashboard. This permission can be set in the dashboard only. It overrides any catalog permissions set on the section's objects that would allow the corresponding roles, Catalog groups, and users to access them.

The dialog offers further options:

Apply effective permissions: applies the permissions as set to the listed roles and users.
Replace with parent folder's permissions: copies the permissions of the parent folder onto this object.

Apply permissions to sub-folders: applies these permissions to every sub-folder under the folder.
Apply permissions to items within folder: applies these permissions to the objects stored in the folder.

These two options propagate a copy of the permissions at the time you click OK; catalog permissions are stored per object, not inherited live. Objects created later take the parent's permissions at creation time, and a later change to the parent is not pushed down unless you apply it again, so a permissions review should look at the objects themselves rather than only at the top-level folders.



Application roles and users that are not yet listed can be added with the Add Users/Roles control in the dialog, which opens a search over accounts and roles; the new entry is then given a permission in the same way.



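As an added example (not from the original post or from Oracle), the following Python models the catalog permission rules described above: composite permissions are expanded to the atomic rights in the table, an explicit No Access overrides any grant a user receives through another role, and Traverse lets a user reach objects in sub-folders without being able to open the folder itself. It then runs a small audit for broad roles (BIConsumer, Authenticated User) holding write-class rights on shared content, the kind of check you would run over a permissions export after a deployment. SAMPLE_CATALOG is constructed data; treating Open as Read plus Traverse and requiring Read or Traverse on every parent folder are assumptions made for the model, not documented product behaviour.

```python
"""Resolve and audit Oracle BI web catalog permissions.

Added example for this post (not Oracle code). It encodes the permission
semantics described in the table above; the ACLs in SAMPLE_CATALOG are
constructed sample data, not an export from a real system.
"""

# Atomic rights from the Permissions table
READ, WRITE, DELETE, TRAVERSE, EXECUTE = "Read", "Write", "Delete", "Traverse", "Execute"
CHANGE_PERMS, SET_OWNER = "Change Permissions", "Set Ownership"
ALL_RIGHTS = frozenset({READ, WRITE, DELETE, TRAVERSE, EXECUTE, CHANGE_PERMS, SET_OWNER})

NO_ACCESS = "No Access"  # explicit deny; takes precedence over every grant

# Composite permissions expanded to atomic rights, following the table.
# Treating Open as Read + Traverse is an assumption of this model.
COMPOSITE = {
    "Open": frozenset({READ, TRAVERSE}),
    "Modify": frozenset({READ, WRITE, DELETE}),
    "Full Control": ALL_RIGHTS,
}


def expand(perm):
    """Turn a permission name (atomic or composite) into a set of atomic rights."""
    if perm in COMPOSITE:
        return set(COMPOSITE[perm])
    if perm in ALL_RIGHTS:
        return {perm}
    raise ValueError(f"unknown permission: {perm}")


def effective_rights(acl, principals):
    """Union of the grants for every matching principal (user or application role),
    unless any matching entry is No Access, in which case the deny wins outright."""
    rights = set()
    for principal in principals:
        perm = acl.get(principal)
        if perm is None:
            continue
        if perm == NO_ACCESS:
            return set()
        rights |= expand(perm)
    return rights


def ancestors(path):
    """'/shared/Test/Guest/Report' -> ['/shared', '/shared/Test', '/shared/Test/Guest']"""
    parts = path.strip("/").split("/")
    return ["/" + "/".join(parts[:i]) for i in range(1, len(parts))]


def can_open(catalog, path, principals):
    """A principal can open an object if it holds Read on the object and can pass
    through every parent folder (Read or Traverse on each; assumed rule)."""
    if path not in catalog:
        return False
    for folder in ancestors(path):
        if not effective_rights(catalog.get(folder, {}), principals) & {READ, TRAVERSE}:
            return False
    return READ in effective_rights(catalog[path], principals)


# Roles that (nearly) every logged-in user holds. Write-class rights granted to
# them on shared content are almost always a misconfiguration.
BROAD_ROLES = {"BIConsumer", "Authenticated User"}
SENSITIVE = {WRITE, DELETE, CHANGE_PERMS, SET_OWNER}


def audit(catalog):
    """Return (path, principal, permission) for broad roles holding write-class rights."""
    findings = []
    for path, acl in sorted(catalog.items()):
        for principal, perm in acl.items():
            if principal in BROAD_ROLES and perm != NO_ACCESS and expand(perm) & SENSITIVE:
                findings.append((path, principal, perm))
    return findings


# Constructed sample catalog: path -> {principal: permission}
SAMPLE_CATALOG = {
    "/shared": {"BIConsumer": "Traverse", "BIAuthor": "Traverse", "BIAdministrator": "Full Control"},
    "/shared/Test": {"BIConsumer": "Traverse", "BIAuthor": "Modify", "BIAdministrator": "Full Control"},
    "/shared/Test/Sales Overview": {"BIConsumer": NO_ACCESS, "BIAuthor": "Modify", "BIAdministrator": "Full Control"},
    "/shared/Test/Guest": {"BIConsumer": "Open", "BIAuthor": "Modify", "BIAdministrator": "Full Control"},
    "/shared/Test/Guest/Visitor Report": {"BIConsumer": "Read", "BIAuthor": "Modify", "BIAdministrator": "Full Control"},
    "/shared/Finance": {"BIConsumer": "Full Control", "BIAdministrator": "Full Control"},  # the mistake to catch
}

if __name__ == "__main__":
    consumer = ["BIConsumer"]
    author = ["BIConsumer", "BIAuthor"]  # a user who is a member of both roles
    print(can_open(SAMPLE_CATALOG, "/shared/Test/Guest/Visitor Report", consumer))  # True: Traverse through /shared/Test
    print(can_open(SAMPLE_CATALOG, "/shared/Test", consumer))                        # False: Traverse alone does not open the folder
    print(can_open(SAMPLE_CATALOG, "/shared/Test/Sales Overview", author))          # False: No Access on BIConsumer wins
    for finding in audit(SAMPLE_CATALOG):
        print("over-privileged:", finding)
```

The third check is the one worth remembering: a user who is a member of both BIConsumer and BIAuthor is still denied the report, because the No Access entry on BIConsumer is evaluated before the Modify grant on BIAuthor. In practice the catalog dictionary would be built from a permissions report exported with Catalog Manager rather than written inline.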


1 comment:

  1. Thank you for sharing valuable information. This article is very useful for me, valuable info about
     OBIEE Online Training.
     OBIEE Training
     OBIEE Online Course. Keep updating.........