Date post: | 20-Feb-2018 |
Category: |
Documents |
Upload: | pan-ranred |
View: | 257 times |
Download: | 2 times |
of 14
7/24/2019 Essbase Filters
1/14
Controlling Access to Database Cells
In This Section:
Introduction
Understanding How Filters Define Permissions
Creating Filters
Managing Filters
Assigning Filters
IntroductionWhen securit le!els defined for a""lications# data$ases# users# and grou"s are insufficient#
%ss$ase securit filters gi!e ou more s"ecific control& Filters ena$le ou to control access toindi!idual data within a data$ase $ defining what 'ind of access is allowed to which "arts of the
data$ase# and to whom these settings a""l&
If ou ha!e Administrator "ermissions# ou can define and assign an filters to an users or
grou"s& Filters do not affect ou&
If ou ha!e Create(Delete A""lications "ermissions# ou can assign and define filters for
a""lications that ou created&
If ou ha!e A""lication Manager or Data$ase Manager "ermissions# ou can define and assign
filters within our a""lications or data$ases&
Understanding How Filters Define Permissions
Filters control securit access to data !alues# or cells& )ou create filters to accommodate securit
needs for s"ecific "arts of a data$ase& When ou define a filter# ou designate restrictions on
"articular data$ase cells& When ou sa!e the filter# ou gi!e it a uni*ue name to distinguish itfrom other filters# and the ser!er stores it in ess$ase&sec# the securit file& )ou can then assign the
filters to an users or grou"s on the ser!er&
For e+am"le# a manager designs a filter named ,%D and associates it with a data$ase to limit
access to cells containing "rofit information& The filter is assigned to a !isiting grou" called,%-I%W%,S# so that the can read# $ut cannot alter# most of the data$ase. the ha!e no access
to Profit data !alues&
http://docs.oracle.com/cd/E12825_01/epm.111/esb_dbag/dsefilt.htm#dsefilt_1http://docs.oracle.com/cd/E12825_01/epm.111/esb_dbag/dsefilt.htm#dsefilt1017997http://docs.oracle.com/cd/E12825_01/epm.111/esb_dbag/dsefilt.htm#dsefilt1014750http://docs.oracle.com/cd/E12825_01/epm.111/esb_dbag/dsefilt.htm#dsefilt1016569http://docs.oracle.com/cd/E12825_01/epm.111/esb_dbag/dsefilt.htm#dsefilt997509http://docs.oracle.com/cd/E12825_01/epm.111/esb_dbag/dsefilt.htm#dsefilt1017997http://docs.oracle.com/cd/E12825_01/epm.111/esb_dbag/dsefilt.htm#dsefilt1014750http://docs.oracle.com/cd/E12825_01/epm.111/esb_dbag/dsefilt.htm#dsefilt1016569http://docs.oracle.com/cd/E12825_01/epm.111/esb_dbag/dsefilt.htm#dsefilt997509http://docs.oracle.com/cd/E12825_01/epm.111/esb_dbag/dsefilt.htm#dsefilt_17/24/2019 Essbase Filters
2/14
Filters com"rise one or more access settings for data$ase mem$ers& )ou can s"ecif the
following access le!els and a""l them to data ranging from a list of mem$ers to one cell&
Access
LevelDescription
/one /o data can $e retrie!ed or u"dated for the s"ecified mem$er list&
,ead Data can $e retrie!ed $ut not u"dated for the s"ecified mem$er list&
Write Data can $e retrie!ed and u"dated for the s"ecified mem$er list&
MetareadMetadata 0dimension and mem$er names1 can $e retrie!ed and u"dated for the
corres"onding mem$er s"ecification&
/ote:
The metaread access le!el o!errides all other access le!els& If additional filters for data are
defined# the are enforced within an defined metaread filters&If ou ha!e assigned a metaread
filter on a su$stitution !aria$le and then tr to retrie!e the su$stitution !aria$le# an un'nownmem$er error occurs# $ut the !alue of the su$stitution !aria$le gets dis"laed& This is e+"ected
$eha!ior&Metadata securit cannot $e com"letel turned off in "artitions& Therefore# do not set
metadata securit at the source data$ase. otherwise# incorrect data ma result at the target"artition&When drilling u" or retrie!ing on a mem$er that has metadata securit turned on and
has shared mem$ers in the children# an un'nown mem$er error occurs $ecause the original
mem$ers of the shared mem$ers ha!e $een filtered& To a!oid this error# gi!e the original
mem$ers of the shared mem$ers metadata securit access&
An cells that are not s"ecified in the filter definition inherit the data$ase access le!el& Filters
can# howe!er# add or remo!e access assigned at the data$ase le!el# $ecause the filter definition#
$eing more data2s"ecific# indicates a greater le!el of detail than the more general data$ase access
le!el&
Data !alues not co!ered $ filter definitions default first to the access le!els defined for users
and# when %ss$ase is in nati!e securit mode# second to the glo$al data$ase access le!els&
Calculation access is controlled $ "ermissions granted to users and grou"s& Users who ha!e
calculate access to the data$ase are not $loc'ed $ filters3the can affect all data elements that
7/24/2019 Essbase Filters
3/14
the e+ecution of their calculations would u"date& When %ss$ase is in nati!e securit mode#
calculation access is also controlled $ minimum glo$al "ermissions for the a""lication or
data$ase&
Creating Filters
)ou can create a filter for each set of access restrictions ou need to "lace on data$ase !alues&
)ou need not create se"arate filters for users with the same access needs& After ou ha!e created
a filter# ou can assign it to multi"le users or grou"s of users& Howe!er# onl one filter "erdata$ase can $e assigned to a user or grou"&
/ote:
If ou use a calculation function that returns a set of mem$ers# such as children or descendants#
and it e!aluates to an em"t set# the securit filter is not created& An error is written to thea""lication log stating that the region definition e!aluated to an em"t set&
4efore creating a filter# "erform the following actions:
Connect to the ser!er and select the data$ase associated with the filter&
Chec' the naming rules for filters in 5imits&
To create a filter# use a tool:
Tool Topic Location
Administration
Ser!ices
Creating or %diting
Filters
6racle %ss$ase Administration Ser!ices 6nline
Hel"
Ma+5 create filter 6racle %ss$ase Technical ,eference
Filtering Members ersus Filtering Member Combinations
Figure 789# How Filters Affect Data A/D(6, ,elationshi"sillustrates different was to control
access to data$ase cells& Data can $e "rotected $ filtering entire mem$ers or $ filteringmem$er com$inations&
Filtering mem$ers se"aratel affects whole regions of data for those mem$ers&
http://docs.oracle.com/cd/E12825_01/epm.111/esb_dbag/limits.htmhttp://docs.oracle.com/cd/E12825_01/epm.111/esb_dbag/dsefilt.htm#dsefilt1016909http://docs.oracle.com/cd/E12825_01/epm.111/esb_dbag/limits.htmhttp://docs.oracle.com/cd/E12825_01/epm.111/esb_dbag/dsefilt.htm#dsefilt10169097/24/2019 Essbase Filters
4/14
Filtering mem$er com$inations affects data at the mem$er intersections&
Figure !"#$ How Filters Affect Data A%D&'( (elations)ips
/ote:
Filtering on mem$er com$inations 0A/D relationshi"1 does not a""l to metaread& Metaread
filters each mem$er se"aratel 06, relationshi"1&
Filtering Members *eparatel+
To filter all the data for one or more mem$ers# define access for each mem$er on its own row in
Filter %ditor& Filter definitions on se"arate rows of a filter are treated with an 6, relationshi"&
For e+am"le# to $loc' access to Sales or an# assume that user ;Smith is assigned this filter:
Access Member *pecification
/one Sales
/one an
The ne+t time user ;Smith connects to Sam"le&4asic# she has no access to data !alues for the
mem$er Sales or for the mem$er an& Her s"readsheet !iew of the "rofit margin for
7/24/2019 Essbase Filters
5/14
All data for Sales is $loc'ed from !iew# as well as all data for anuar# inside and outside of the
Sales mem$er& Data for C6=S 0Cost of =oods Sold1# a si$ling of Sales and a child of Margin# is
a!aila$le# with the e+ce"tion of C6=S for anuar&
Filtering Member Combinations
To filter data for mem$er com$inations# define the access for each mem$er com$ination using a
row in Filter %ditor& In filter definitions# two mem$er sets se"arated $ a comma are treated asunion of those two mem$er sets 0an A/D relationshi"1&
For e+am"le# assume that user ,Chinn is assigned this filter:
Access Member *pecification
/one Sales# an
The ne+t time user ,Chinn connects to Sam"le&4asic# she has no access to the data !alue at theintersection of mem$ers Sales and an& Her s"readsheet !iew of the "rofit margin for
7/24/2019 Essbase Filters
6/14
Sales data for anuar is $loc'ed from !iew& Howe!er# Sales data for other months is a!aila$le#
and non2Sales data for anuar is a!aila$le&
Filtering Using *ubstitution ariables
Su$stitution !aria$les ena$le ou to more easil manage information that changes regularl&
%ach su$stitution !aria$le has an assigned name and !alue& The Data$ase Manager can change
the !alue antime& Where a su$stitution !aria$le is s"ecified in a filter# the su$stitution !aria$le!alue at that time is used&
For e+am"le# if ou want a grou" of users to see data onl for the current month# ou can set u" a
su$stitution !aria$le named CurMonth and define a filter 0MonthlAccess1 wherein ou s"ecifaccess# using >CurMonth for the mem$er name& Using an am"ersand 0>1 at the $eginning of a
s"ecification identifies it as a su$stitution !aria$le instead of a mem$er name to %ss$ase& Assignthe MonthlAccess filter to the a""ro"riate users&
%ach month# ou need to change onl the !alue of the CurMonth su$stitution !aria$le to themem$er name for the current month# such as an# Fe$# and so on& The new !alue will a""l to all
assigned users&
See Using Su$stitution -aria$les&
Filtering wit) Attribute Functions
)ou can use filters to restrict access to data for $ase mem$ers sharing a "articular attri$ute& Tofilter data for mem$ers with "articular attri$utes defined in an attri$ute dimension# use the
attri$ute mem$er in com$ination with the ?ATT,I4UT% function or the ?WITHATT,
function&
/ote:
http://docs.oracle.com/cd/E12825_01/epm.111/esb_dbag/dotcreat.htm#dotcreat1053369http://docs.oracle.com/cd/E12825_01/epm.111/esb_dbag/dotcreat.htm#dotcreat10533697/24/2019 Essbase Filters
7/14
?ATT,I4UT% and ?WITHATT, are mem$er set functions& Most mem$er set functions can $e
used in filter definitions&
For e+am"le# assume that user Pones is assigned this filter:
Access Member *pecification
/one ?ATT,I4UT%0@CaffeinatedFalseB1
The ne+t time user Pones connects to Sam"le&4asic# he has no access to the data !alues for an
$ase dimension mem$ers associated with CaffeinatedFalse& His s"readsheet !iew of first2
*uarter cola sales in California:
Figure !23$ (esults of Filter -loc.ing Access to Caffeine4free Products
Sales data for Caffeine Free Cola is $loc'ed from !iew& /ote that Caffeine Free Cola is a $ase
mem$er# and CaffeinatedFalse is an associated mem$er of the attri$ute dimension Caffeinated0not shown in the a$o!e s"readsheet !iew1&
Metadata Filtering
Metadata filtering "ro!ides an additional laer of securit in addition to data filtering& With
metadata filtering# an administrator can remo!e outline mem$ers from a users !iew# "ro!idingaccess onl to those mem$ers that are of interest to the user&
When a filter is used to a""l Meta,ead "ermission on a mem$er#
7& Data for all ancestors of that mem$er are hidden from the filter users !iew&
E& Data and metadata 0mem$er names1 for all si$lings of that mem$er are hidden from the
filter users !iew&
Managing Filters
)ou can "erform the following actions on filters: !iewing# editing# co"ing# renaming# and
deleting&
7/24/2019 Essbase Filters
8/14
iewing Filters
To !iew a list of filters# use a tool:
Tool Topic Location
Administration
Ser!ices
Creating or %diting
Filters
6racle %ss$ase Administration Ser!ices 6nline
Hel"
Ma+5 displa+ filter 6racle %ss$ase Technical ,eference
%SSCMD 5ISTFI5T%,S 6racle %ss$ase Technical ,eference
5diting Filters
To edit a filter# use a tool:
Tool Topic Location
Administration
Ser!ices
Creating or %diting
Filters
6racle %ss$ase Administration Ser!ices 6nline
Hel"
Ma+5 create filter 6racle %ss$ase Technical ,eference
Cop+ing Filters
)ou can co" filters to a""lications and data$ases on an %ss$ase Ser!er# according to our
"ermissions& )ou can also co" filters across ser!ers as "art of a""lication migration&
To co" a filter# use a tool:
7/24/2019 Essbase Filters
9/14
Tool Topic Location
Administration Ser!ices Co"ing Filters 6racle %ss$ase Administration Ser!ices 6nline Hel"
Ma+5 create filter 6racle %ss$ase Technical ,eference
%SSCMD C6P)FI5T%, 6racle %ss$ase Technical ,eference
(enaming Filters
To rename a filter# use a tool:
Tool Topic Location
Administration Ser!ices ,enaming Filters6racle %ss$ase Administration Ser!ices 6nline
Hel"
Ma+5 create filter 6racle %ss$ase Technical ,eference
%SSCMD ,%/AM%FI5T%, 6racle %ss$ase Technical ,eference
Deleting Filters
To delete a filter# use a tool:
Tool Topic Location
Administration Ser!ices Deleting Filters 6racle %ss$ase Administration Ser!ices 6nline Hel"
7/24/2019 Essbase Filters
10/14
Tool Topic Location
Ma+5 drop filter 6racle %ss$ase Technical ,eference
Assigning Filters
After ou define filters# ou can assign them to users or grou"s# which lets ou manage multi"leusers who re*uire the same filter settings& Modifications to the definition of a filter are
automaticall inherited $ users of that filter&
Filters do not affect users who ha!e the Administrator role& 6nl one filter "er data$ase can $e
assigned to a user or grou"&
Assigning Filters in *)ared *ervices *ecurit+ Mode
In 6racles H"erion Shared Ser!ices securit mode# ou assign filters through 6racles
H"erion Shared Ser!ices Console&
To assign a filter to a user or grou"# seeAssigning Data$ase Calculation and Filter Access&
Assigning Filters in %ative *ecurit+ Mode
To assign a filter to a user or grou"# see @Assigning FiltersB in the 6racle %ss$aseAdministration Ser!ices 6nline Hel"&
'verlapping Filter Definitions
If a filter contains rows that ha!e o!erla""ing mem$er s"ecifications# the inherited access is set
$ the following rules# listed in order of "recedence:
7& A filter that defines a more detailed dimension com$ination list ta'es "recedence o!er a
filter with less detail&
E& If the "receding rule does not resol!e the o!erla" conflict# the highest access le!el among
o!erla""ing filter rows is a""lied&
For e+am"le# this filter contains o!erla" conflicts:
http://docs.oracle.com/cd/E12825_01/epm.111/esb_dbag/dsemain.htm#dsemain1079178http://docs.oracle.com/cd/E12825_01/epm.111/esb_dbag/dsemain.htm#dsemain1079178http://docs.oracle.com/cd/E12825_01/epm.111/esb_dbag/dsemain.htm#dsemain1079178http://docs.oracle.com/cd/E12825_01/epm.111/esb_dbag/dsemain.htm#dsemain10791787/24/2019 Essbase Filters
11/14
Access Member *pecification
Write Actual
/one Actual
,ead Actual# ?ID%SC%/DA/TS0@/ew )or'B1
The third s"ecification defines securit at a greater le!el of detail than the other two& Therefore#
read access is granted to all Actual data for mem$ers in the /ew )or' $ranch&
4ecause write access is a higher access le!el than none# the remaining data !alues in Actual are
granted write access&
All other cells# such as 4udget# are accessi$le according to the minimum data$ase "ermissions&
If ou ha!e write access# ou also ha!e read access&
/ote:
Changes to mem$ers in the data$ase outline are not reflected automaticall in filters& )ou must
manuall u"date mem$er references that change&
'verlapping Metadata Filter Definitions
)ou should define a Meta,ead filter using multi"le rows onl when the affected mem$er set in
an gi!en row 0the metaread mem$ers and their ancestors1 has no o!erla" with Meta,ead
mem$ers in other rows& It is recommended that ou s"ecif one dimension "er row in filters thatcontain Meta,ead on multi"le rows& Howe!er# as long as there is no o!erla" $etween the
ancestors and Meta,ead mem$ers# it is still !alid to s"ecif different mem$er sets of one
dimension into multi"le Meta,ead rows&
For e+am"le# in Sam"le 4asic# the following filter definition has o!erla" conflicts:
Access Member *pecification
Meta,ead California
Meta,ead West
7/24/2019 Essbase Filters
12/14
In the first row# a""ling Meta,ead to California has the effect of allowing access to California
$ut $loc'ing access to its ancestors& Therefore# the Meta,ead access to West is ignored. users
who are assigned this filter will ha!e no access to West&
If ou wish to assign Meta,ead access to West as well as California# then the a""ro"riate method
is to com$ine them into one row:
Access Member *pecification
Meta,ead California#West
'verlapping Access Definitions
When the access rights of user and grou" definitions o!erla"# the following rules# listed in orderof "recedence# a""l:
7& An access le!el that defines a more detailed dimension com$ination list ta'es "recedenceo!er a le!el with less detail&
E& If the "receding rule does not resol!e the o!erla" conflict# the highest access le!el is
a""lied&
56ample !7
User Fred is defined with the following data$ase access:
FINPLAN R
CAPPLAN W
PRODPLAN N
He is assigned to =rou" Mar'eting# which has the following data$ase access:
FINPLAN N
CAPPLAN N
PRODPLAN W
His effecti!e rights are set as:
FINPLAN R
CAPPLAN W
PRODPLAN W
56ample 87
User Mar is defined with the following data$ase access:
FINPLAN R
PRODPLAN N
7/24/2019 Essbase Filters
13/14
She is assigned to =rou" Mar'eting# which has the following data$ase access:
FINPLAN N
PRODPLAN W
Her effecti!e rights are set as:
FINPLAN R
PRODPLAN W
In addition# Mar uses the filter artifact ,%D 0for the data$ase FI/P5A/1& The filter has two
filter rows:
Access Member *pecification
,ead Actual
Write 4udget# ?ID%SC%/DA/TS0@/ew )or'B1
The =rou" Mar'eting also uses a filter artifact 45U% 0for the data$ase FI/P5A/1& The filter has
two filter rows:
Access Member *pecification
,ead Actual# Sales
Write 4udget# Sales
Mars effecti!e rights from the o!erla""ing filters# and the "ermissions assigned to her and hergrou":
, %ntire Fin"lan data$ase
W For all 4udget data in the /ew )or' $ranch
7/24/2019 Essbase Filters
14/14
W For data !alues that relate to 4udget and Sales