SELECT
DISTINCT 'HR_ORG'
,TO_CHAR(SEC_DET.ORGANIZATION_ID)
FROM
(
SELECT
'HR_ORG',
ASG.ORGANIZATION_ID
FROM
FND_USER_RESP_GROUPS URP
,FND_USER USR
,PER_SECURITY_PROFILES PSEC
,PER_PERSON_LIST PER
,PER_ALL_ASSIGNMENTS_F ASG
WHERE
URP.START_DATE < TRUNC(SYSDATE)
AND (CASE WHEN URP.END_DATE IS NULL THEN TRUNC(SYSDATE) ELSE
TO_DATE(URP.END_DATE) END) >= TRUNC(SYSDATE)
AND USR.USER_NAME = fnd_global.user_name
AND USR.USER_ID = URP.USER_ID
AND TRUNC(SYSDATE)
BETWEEN URP.START_DATE AND NVL(URP.END_DATE, HR_GENERAL.END_OF_TIME)
AND PSEC.SECURITY_PROFILE_ID =
FND_PROFILE.VALUE_SPECIFIC('PER_SECURITY_PROFILE_ID', URP.USER_ID,
URP.RESPONSIBILITY_ID, URP.RESPONSIBILITY_APPLICATION_ID)
AND PER.SECURITY_PROFILE_ID = PSEC.SECURITY_PROFILE_ID
AND PER.PERSON_ID = ASG.PERSON_ID
AND TRUNC(SYSDATE) BETWEEN ASG.EFFECTIVE_START_DATE AND
ASG.EFFECTIVE_END_DATE
AND URP.RESPONSIBILITY_ID = DECODE(FND_GLOBAL.RESP_ID,
-1, URP.RESPONSIBILITY_ID,
NULL, URP.RESPONSIBILITY_ID,
FND_GLOBAL.RESP_ID)
UNION
SELECT DISTINCT 'HR_ORG',
ORGANIZATION_ID
FROM PER_ALL_ASSIGNMENTS_F ASG,
FND_USER USR
WHERE ASG.PERSON_ID = USR.EMPLOYEE_ID
AND USR.USER_NAME = fnd_global.user_name
AND TRUNC(SYSDATE) BETWEEN ASG.EFFECTIVE_START_DATE AND
ASG.EFFECTIVE_END_DATE
AND ASG.PRIMARY_FLAG = 'Y'
) SEC_DET
I have a question (which I have also raised with Support on Metalink) regarding the use of 'dynamic' HR
security profiles. OBI, out of the box, is only designed to handle HR security based upon
PER_PERSON_LIST being populated by the Security List Maintenance process, but if you use the
custom security code or a few other bits of the security profile, then the PER_PERSON_LIST table is not
populated.
I think we will probably need to create a custom function to call the HR_SECURITY package, but I
wondered if anyone else had come across this problem and had a working solution?
I have put further details below:
In OBI security we are using the initialization block 'HR Organizations' to restrict the view of employee
data based upon the HR security profile - the following extract from the OBI Security setup document
explains this in more detail...
2.4.6.2 Implementation Steps for HR Org-Based Security for Oracle EBS
The sequence for HR org-based security for Oracle EBS is described below:
1. When a user logs in to Oracle BI Applications, the session variable below is set
automatically.
USER (System variable)
2. The Oracle BI Server gets the HR organizations corresponding to the USER from
the following tables:
FND_USER_RESP_GROUPS
FND_USER
PER_SECURITY_PROFILES
PER_SEC_PROFILE_ASSIGNMENTS
PER_PERSON_LIST
Note: Before the PER_PERSON_LIST table can be used, you must ensure that
you have run the Oracle EBS HRMS Security List Maintenance process.
PER_ALL_ASSIGNMENTS_F
3. The following session variable is set automatically:
HR_ORG (Row-wise variable)
The initialization block 'HR Organizations', which sets the value for this variable,
is shown below.
Initialization block -- 'HR Organizations'
The initialization block 'HR Organizations' sets value for variable HR_ORG using
the following SQL. The actual SQL query differs depending on whether Multiple
Security Group (MSG) is set up or not.
The following SQL should be used when MSG is not in place:
SELECT
DISTINCT 'HR_ORG'
,TO_CHAR(SEC_DET.ORGANIZATION_ID)
FROM
(
SELECT
'HR_ORG',
ASG.ORGANIZATION_ID
FROM
FND_USER_RESP_GROUPS URP
,FND_USER USR
,PER_SECURITY_PROFILES PSEC
,PER_PERSON_LIST PER
,PER_ALL_ASSIGNMENTS_F ASG
WHERE
URP.START_DATE < TRUNC(SYSDATE)
AND (CASE WHEN URP.END_DATE IS NULL THEN TRUNC(SYSDATE) ELSE TO_DATE(URP.END_DATE) END) >= TRUNC(SYSDATE)
AND USR.USER_NAME = ':USER'
AND USR.USER_ID = URP.USER_ID
AND TRUNC(SYSDATE)
BETWEEN URP.START_DATE AND NVL(URP.END_DATE, HR_GENERAL.END_OF_TIME)
AND PSEC.SECURITY_PROFILE_ID = FND_PROFILE.VALUE_SPECIFIC('PER_SECURITY_PROFILE_ID', URP.USER_ID, URP.RESPONSIBILITY_ID, URP.RESPONSIBILITY_APPLICATION_ID)
AND PER.SECURITY_PROFILE_ID = PSEC.SECURITY_PROFILE_ID
AND PER.PERSON_ID = ASG.PERSON_ID
AND TRUNC(SYSDATE) BETWEEN ASG.EFFECTIVE_START_DATE AND
ASG.EFFECTIVE_END_DATE
AND URP.RESPONSIBILITY_ID = DECODE(FND_GLOBAL.RESP_ID,
-1, URP.RESPONSIBILITY_ID,
NULL, URP.RESPONSIBILITY_ID,
FND_GLOBAL.RESP_ID)
UNION
SELECT DISTINCT 'HR_ORG',
ORGANIZATION_ID
FROM PER_ALL_ASSIGNMENTS_F ASG,
FND_USER USR
WHERE ASG.PERSON_ID = USR.EMPLOYEE_ID
AND USR.USER_NAME = ':USER'
AND TRUNC(SYSDATE) BETWEEN ASG.EFFECTIVE_START_DATE AND
ASG.EFFECTIVE_END_DATE
AND ASG.PRIMARY_FLAG = 'Y'
) SEC_DET
As you will see from this document extract, this expects to use the table PER_PERSON_LIST. This is ok
when you have a static security model and the PER_PERSON_LIST is populated by the Security List
Maintenance process. In many cases that works for us, however, the majority of HR security profiles we
use are dynamic, for example, we restrict access to data based upon the organization assigned to the
employee. In EBS, the security is dynamically applied when the user logs in and the access is continually
assessed by the HR_SECURITY package.
I should add also, that we use other HR Security Profile features such as restricted lists of organizations,
payrolls, and the custom code restriction.
The problem is that when a user who normally accesses a dynamic security profile tries to access data
through OBI, they currently do not see any employee data because there are no records in the
PER_PERSON_LIST for their security profile.
http://www.integrigy.com/tags/oracle-businessintelligence-obiee
OBIEE and Oracle E-Business Suite Integration
Configuring OBIEE to use the Oracle E-Business Suite for authentication is straightforward
and can be completed in a test environment with only a small amount of effort. It is
technically accomplished through the sharing of the E-Business Suite session cookie.
Further documentation on the specific steps to configure OBIEE to use the E-Business Suite
for authentication can be found on Metalink as well as in the OBIEE documentation. A
high-level summary is as follows:
1. Using the BI Admin client tool, modify the RPD file to add a connection to the E-Business Suite database.
2. Add an initialization block to the RPD file that calls the E-Business Suite API
APP_SESSION.validate_icx_session and then calls FND_GLOBAL to collect the variables
resp_id, resp_appl_id, security_group_id, resp_name, user_id, employee_id and
user_name.
3. Edit the OBIEE configuration files authenticationschemas.xml and instanceconfig.xml.
4. Create a menu function to launch OBIEE. You must use the SSWA
OracleOasis.jsp?mode=OBIEE
5. Populate the system profile option FND: Oracle Business Intelligence Suite EE base
URL with the URL for OBIEE. For example: http://theobieeserver.yourcompany.com:9704
6. Upload the modified RPD file using Enterprise Manager and bounce all OBIEE services.
Technical Summary
Authentication integration between OBIEE and the E-Business Suite is through a combination
of a shared session cookie and a dynamic URL. The key to making it work is the set of edits to
OBIEE's instanceconfig.xml configuration file. It is in this file that OBIEE is instructed to look
for the E-Business Suite session cookie.
https://obibb.wordpress.com/2012/08/16/simulate-oracle-ebs-to-oracle-bi-login-via-sql/
Oracle BI EE 11.1.1.6.0
Oracle BIA 7.9.6.3
Setup
The setup consists of a few different parts
Data Security
The Data Security is based on different Roles and a Profile Option assigned to
the responsibilities in Oracle eBS
Oracle eBS
Oracle BI
In Oracle BI, there is an Initialization Block which populates the ROLES
Session Variable:
select ( select sector
from apps.xx_obia_user_groups_v
where responsibility_key = 'VALUEOF(NQ_SESSION.OLTP_EBS_RESP_KEY)'
Out-of-the-Box
BIAdministrators
Administration privileges.
BIAuthors
BIConsumers
BISystem
In the Identity Manager, the Business Model Filters are applied to the Data
Security Application Roles
The Business Model Filters are based on the Initialization Blocks. Some are out-of-the-box, others custom.
This setup should be sufficient to apply Data Security to all queries, which
query the Logical Tables with the Business Model Filters applied to it.
Note: Application role data filters won't apply to users with the BI
Administrator role.
By definition the BIAdministrator application role is granted the
oracle.bi.server.manageRepositories permission, which is equivalent to the
10g Administrator user who also had unrestricted access. Hence, data
filters won't affect users with the BIAdministrator role. (source: Oracle Support)
Simulate Oracle eBS to Oracle BI login via SQL
There is an interesting (for me at least) topic on OTN about integrating Oracle eBS
security into Oracle BI. It is a topic about getting Oracle eBS HR-Security to work in
Oracle BI. Robin Moffatt has a blog post about validating EBS-BI authentication
without BI. He refers to a My Oracle Support article (758392.1), which provides some
(additional) troubleshooting details.
When I want to simulate Oracle eBS to Oracle BI login via SQL, I use some SQL statements / scripts to see what happens, or at least should happen. If I need to know
which HR-Orgs I could expect based on the Oracle eBS HR-Security, I use the following
scripts:
Query User Responsibility Role
Check which responsibilities a user has within Oracle eBS.
select fu.user_id
, frv.responsibility_id
, fa.application_id
, frv.responsibility_key
, frv.responsibility_name
from apps.fnd_responsibility_vl frv
, applsys.fnd_application fa
, applsys.fnd_request_groups frg
, apps.fnd_user_resp_groups_all furga
, applsys.fnd_user fu
where fa.application_id = frv.application_id
and TRUNC ( SYSDATE ) between fu.start_date
and NVL ( fu.end_date
, to_date ( '31-DEC-4712'
, 'DD-MON-YYYY' ) )
and fu.user_id = furga.user_id
and TRUNC ( SYSDATE ) between furga.start_date
and NVL ( furga.end_date
, to_date ( '31-DEC-4712'
, 'DD-MON-YYYY' ) )
and furga.responsibility_id = frv.responsibility_id
and frv.request_group_id = frg.request_group_id(+)
and fu.user_name like :p_user_name
BEGIN
-- Pass the user_id, responsibility_id and application_id returned by the previous query
apps.fnd_global.apps_initialize(user_id, responsibility_id, responsibility_application_id);
END;
Validate the Context
Check the output of the previous step
select fnd_global.resp_id
, fnd_global.resp_appl_id
, fnd_global.security_group_id
, fnd_global.resp_name
, fnd_global.user_id
, fnd_global.employee_id
, fnd_global.user_name
, ( select distinct responsibility_key
from fnd_responsibility
where responsibility_id = fnd_global.resp_id )
responsibility_key
from DUAL
Validate HR-Security
If all the above steps have completed as expected, you are able to check the query
within the Oracle BI Initialization Block (IB) related to HR-Security. In my case it is the IB
'HR Organization'. This IB has the following query:
SELECT
DISTINCT 'HR_ORG'
,TO_CHAR(SEC_DET.ORGANIZATION_ID)
FROM
(
SELECT
'HR_ORG',
ASG.ORGANIZATION_ID
FROM
FND_USER_RESP_GROUPS URP
,FND_USER USR
,PER_SECURITY_PROFILES PSEC
,PER_PERSON_LIST PER
,PER_ALL_ASSIGNMENTS_F ASG
WHERE
URP.START_DATE < TRUNC(SYSDATE)
AND (CASE WHEN URP.END_DATE IS NULL THEN TRUNC(SYSDATE) ELSE TO_DATE(URP.END_DATE) END) >= TRUNC(SYSDATE)
AND USR.USER_NAME = 'VALUEOF(NQ_SESSION.USER)'
You should replace the VALUEOF(NQ_SESSION.USER) part with either the user name or
fnd_global.user_name.
Now you are able to see whether the Initialization Block is working as expected and
retrieves the same values as it does in Oracle eBS. If you can confirm these steps and
the security still isn't working, it's probably because one of the related IBs doesn't
retrieve (all) the necessary values.
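
The comparison described above, and the PER_PERSON_LIST gap raised in the OTN question, can be checked in one query. This is an added example, not code from the original posts or from Oracle. It assumes it is run in the same session right after fnd_global.apps_initialize, that PER_ASSIGNMENTS_F is the HR_SECURITY-secured view over PER_ALL_ASSIGNMENTS_F in your installation, and it models only the single simulated responsibility.

```sql
-- Added example (not from the original posts).
-- Run after fnd_global.apps_initialize so FND_GLOBAL carries the simulated user.
-- Assumption: PER_ASSIGNMENTS_F is the secured view that applies HR_SECURITY.
WITH prof AS (
  -- Security profile attached to the simulated responsibility
  SELECT FND_PROFILE.VALUE_SPECIFIC('PER_SECURITY_PROFILE_ID',
           FND_GLOBAL.USER_ID, FND_GLOBAL.RESP_ID,
           FND_GLOBAL.RESP_APPL_ID) AS security_profile_id
  FROM DUAL
),
ib_orgs AS (
  -- What the 'HR Organizations' block can return: PER_PERSON_LIST rows ...
  SELECT ASG.ORGANIZATION_ID
  FROM prof, PER_PERSON_LIST PER, PER_ALL_ASSIGNMENTS_F ASG
  WHERE PER.SECURITY_PROFILE_ID = prof.security_profile_id
  AND PER.PERSON_ID = ASG.PERSON_ID
  AND TRUNC(SYSDATE) BETWEEN ASG.EFFECTIVE_START_DATE
                         AND ASG.EFFECTIVE_END_DATE
  UNION
  -- ... plus the user's own primary assignment
  SELECT ASG.ORGANIZATION_ID
  FROM PER_ALL_ASSIGNMENTS_F ASG
  WHERE ASG.PERSON_ID = FND_GLOBAL.EMPLOYEE_ID
  AND ASG.PRIMARY_FLAG = 'Y'
  AND TRUNC(SYSDATE) BETWEEN ASG.EFFECTIVE_START_DATE
                         AND ASG.EFFECTIVE_END_DATE
),
ebs_orgs AS (
  -- What EBS itself lets this user see through the secured view
  SELECT DISTINCT ASG.ORGANIZATION_ID
  FROM PER_ASSIGNMENTS_F ASG
  WHERE TRUNC(SYSDATE) BETWEEN ASG.EFFECTIVE_START_DATE
                         AND ASG.EFFECTIVE_END_DATE
)
-- Organizations EBS shows but OBI would filter out (the dynamic-profile gap)
SELECT 'MISSING_IN_OBI' AS finding, e.ORGANIZATION_ID
FROM ebs_orgs e
WHERE NOT EXISTS (SELECT 1 FROM ib_orgs i
                  WHERE i.ORGANIZATION_ID = e.ORGANIZATION_ID)
UNION ALL
-- Organizations OBI would expose although EBS hides them
SELECT 'EXTRA_IN_OBI', i.ORGANIZATION_ID
FROM ib_orgs i
WHERE NOT EXISTS (SELECT 1 FROM ebs_orgs e
                  WHERE e.ORGANIZATION_ID = i.ORGANIZATION_ID)
ORDER BY 1, 2
```

An empty result means the initialization block and EBS agree for this user and responsibility. MISSING_IN_OBI rows match the symptom in the OTN question, while EXTRA_IN_OBI rows are the over-exposure case to investigate first.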