Managing Query Execution Privileges

Embed Size (px)

Citation preview

  • 7/31/2019 Managing Query Execution Privileges

    1/4

    Managing Query Execution Privileges

    The Oracle BI Server allows you to exercise varying degrees of control over the repository information that a

    user can access.

    Controlling query privileges allows you to manage the query environment. You can put a high level of querycontrols on users, no controls, or somewhere in between. The following list contains some types of activities

    you may want to limit:

    Restricting query access to specific objects, including rows and columns, or time periods Objects. If you explicitly deny access to an object that has child objects, the userwill be denied access to the child objects. For example, if you explicitly deny access to aparticular physical database object, you are implicitly denying access to all of the physicaltables and physical columns in that catalog.

    If a user or group is granted or disallowed privileges on an object from multiple sources (forexample, explicitly and through one or more groups), the privileges are used based on theorder of precedence, as described inGroup Inheritance.

    You can grant or disallow the ability to execute direct database requests for a user orgroup.

    Time periods. If you do not select a time period, access rights remain unchanged.If you allow or disallow access explicitly in one or more groups, the user is granted the leastrestrictive access for the defined time periods. For example, suppose a user is explicitlyallowed access all day on Mondays, but belongs to a group that is disallowed access duringall hours of every day. This means that the user will have access on Mondays only.

    Controlling runaway queries by limiting queries to a specific number of rows or maximumrun time

    Limit queries by setting up filters for an objectAll restrictions and controls can be applied at the user level, at the group level, or a combination of the two.

    To limit queries by objects for a user or group

    1. From the Administration Tool menu bar, choose Manage > Security.2. In the Security Manager dialog box, in the tree pane, select Users or Groups.3. In the right pane, right-click the name that you want to change and select Properties.4. In the User or Group dialog box, click Permissions.5. In the User/Group Permissions dialog box, click the General tab and perform the followingsteps:

    a. In the General tab, to explicitly allow or disallow access to one or more objects inthe repository, click Add.

    b. In the Browse dialog box, in the Name list, select the objects you want to change,and then click Select.

    c. In the User/Group Permissions dialog box, assign the permissions by selecting orclearing the Read check box for each object.

    (Default is a check) If the check box contains a check, the user has read privileges on theobject. If the check box contains an X, the user is disallowed read privileges on the object.If it is blank, any existing privileges (for example, through a group) on the object apply.

    http://docs.oracle.com/cd/E12096_01/books/admintool/admintool_Security4.html#wp1005469http://docs.oracle.com/cd/E12096_01/books/admintool/admintool_Security4.html#wp1005469http://docs.oracle.com/cd/E12096_01/books/admintool/admintool_Security4.html#wp1005469http://docs.oracle.com/cd/E12096_01/books/admintool/admintool_Security4.html#wp1005469
  • 7/31/2019 Managing Query Execution Privileges

    2/4

    For more information about assigning permissions, refer toSetting Permissions forRepository Objects.

    6. To explicitly allow or disallow populate privilege or the ability to execute direct databaserequests for specific database objects, perform the following steps:

    a. Click the Query Limits tab and select the database.b. In the Populate Privilege drop-down list, select Allow or Disallow.NOTE: For the selected user or group, this overrides the database property Allow populatequeries for all.

    c. To explicitly allow or disallow the ability to execute direct database requests forspecific database objects, in the Execute Direct Database Requests drop-down list, selectAllow or Disallow.

    NOTE: For the selected user or group, this overrides the database property Allow directdatabase requests for all.

    7. Click OK twice to return to the Security Manager dialog box.

    To limit queries by number of rows received by a user or group

    1. From the Administration Tool menu bar, choose Manage > Security.2. In the Security Manager dialog box, in the tree pane, select Users or Groups.3. In the right pane, right-click the name that you want to change and select Properties.4. In the User or Group dialog box, click the Permissions tab.5. In the User/Group Permissions dialog box, click the Query Limits tab and expand the dialogbox to view all columns.

    6. To specify or change the maximum number of rows each query can retrieve from adatabase, in the Query Limits tab, perform the following steps:

    a. In the Max Rows column, type the maximum number of rows.b. In the Status Max Rows field, select a status usingTable 39as a guide.

    7. Click OK twice to return to the Security Manager dialog box.

    To limit queries by maximum run time or to time periods for a user or group

    1. From the Administration Tool menu bar, choose Manage > Security.2. In the Security Manager dialog box, in the tree pane, select Users or Groups.3. In the right pane, right-click the name that you want to change and select Properties.4. In the User or Group dialog box, click the Permissions tab.5. In the User/Group Permissions dialog box, click the Query Limits tab and expand the dialogbox to view all columns.

    http://docs.oracle.com/cd/E12096_01/books/admintool/admintool_ToolBasics13.html#wp1006072http://docs.oracle.com/cd/E12096_01/books/admintool/admintool_ToolBasics13.html#wp1006072http://docs.oracle.com/cd/E12096_01/books/admintool/admintool_ToolBasics13.html#wp1006072http://docs.oracle.com/cd/E12096_01/books/admintool/admintool_ToolBasics13.html#wp1006072http://docs.oracle.com/cd/E12096_01/books/admintool/admintool_Security13.html#wp1006095http://docs.oracle.com/cd/E12096_01/books/admintool/admintool_Security13.html#wp1006095http://docs.oracle.com/cd/E12096_01/books/admintool/admintool_Security13.html#wp1006095http://docs.oracle.com/cd/E12096_01/books/admintool/admintool_Security13.html#wp1006095http://docs.oracle.com/cd/E12096_01/books/admintool/admintool_ToolBasics13.html#wp1006072http://docs.oracle.com/cd/E12096_01/books/admintool/admintool_ToolBasics13.html#wp1006072
  • 7/31/2019 Managing Query Execution Privileges

    3/4

    6. To specify the maximum time a query can run on a database, in the Query Limits tab,perform the following steps:

    a. In the Max Time column, select the number of minutes.b. From the Status Max Time drop-down list, select a status usingTable 39as aguide.

    7. To restrict access to a database during particular time periods, in the Restrict column, clickthe ellipsis button.

    8. In the Restrictions dialog box, perform the following steps:a. To select a time period, click the start time and drag to the end time.b. To explicitly allow access, click Allow.c. To explicitly disallow access, click Disallow.

    9. Click OK twice to return to the Security Manager dialog box.

    To limit queries by setting up a filter on an object for a user or group

    1. From the Administration Tool menu bar, choose Manage > Security.2. In the Security Manager dialog box, in the tree pane, select Users or Groups.3. In the right pane, right-click the name that you want to change and select Properties.4. In the User or Group dialog box, click Permissions.5. In the User/Group Permissions dialog box, click the Filters tab.

    6. In the Filters tab, to add an object to filter, perform the following steps:a. Click Add.b. In the Browse dialog box, in the Names list, locate and double-click the object onwhich you want to filter.

    c. Select the object and click Select.7. In the User/Group Permissions Filters dialog box, perform the following steps:

    a. Scroll to the right to view the Business Model Filter column.b. Click the Business Model Filter ellipsis button for the selected object.

    8. In the Expression Builder dialog box, create a logical filter, and then click OK.9. In the User/Group Permissions Filters dialog box, from the Status drop-down list, select astatus usingTable 39as a guide.

    10. Click OK twice to return to the Security Manager dialog box.

    http://docs.oracle.com/cd/E12096_01/books/admintool/admintool_Security13.html#wp1006095http://docs.oracle.com/cd/E12096_01/books/admintool/admintool_Security13.html#wp1006095http://docs.oracle.com/cd/E12096_01/books/admintool/admintool_Security13.html#wp1006095http://docs.oracle.com/cd/E12096_01/books/admintool/admintool_Security13.html#wp1006095http://docs.oracle.com/cd/E12096_01/books/admintool/admintool_Security13.html#wp1006095http://docs.oracle.com/cd/E12096_01/books/admintool/admintool_Security13.html#wp1006095http://docs.oracle.com/cd/E12096_01/books/admintool/admintool_Security13.html#wp1006095http://docs.oracle.com/cd/E12096_01/books/admintool/admintool_Security13.html#wp1006095
  • 7/31/2019 Managing Query Execution Privileges

    4/4

    10.

    Assigning Populate Privilege to a User or Group

    When a criteria block is cached, the Populate Stored procedure writes the Cache/Saved Result Set value tothe database.

    NOTE: Any Marketing user who writes a cache entry or saves a result set needs to be assigned thePOPULATE privilege for the target database. All Marketing segmentation users and groups need to beassigned this privilege. Typically, all Marketing users are associated with a group and this group is granted

    the privilege. For more information about marketing cache, refer to the topic about setting up cache fortarget levels in the documentation for Oracle's Siebel Marketing application.

    To assign Populate privilege to a user or group

    1. From the Administration Tool menu bar, choose Manage > Security.2. In the Security Manager dialog box, in the tree pane, select Users or Groups.3. In the right pane, right-click the name that you want to change and select Properties.4. In the User or Group dialog box, click Permissions.5. In the User/Group Permissions dialog box, select the Query Limits tab.6. In the Query Limits list, expand the dialog box to view all columns.7. From the Populate Privilege drop-down list, select Allow or Disallow.NOTE: For all Marketing data warehouses, set Populate Privilege to Allow.

    8. Click OK twice to return to the Security Manager dialog box.

    Disable Status Max Rows or Status Max Time. When selected, disables any limits set in the Max Rowsor Max Time fields.

    Filter. The filter is not used and no other filters applied to the object at higher levels ofprecedence (for example, through a group) are used.

    Enable Status Max Rows or Status Max Time. This limits the number of rows or time to the valuespecified. If the number of rows exceeds the Max Rows value, the query is terminated.

    Filter. The filter is applied to any query that accesses the object.

    Ignore Status Max Rows or Status Max Time. Limits will be inherited from the parent group. If there isno row limit to inherit, no limit is enforced.

    Filter. The filter is not in use, but any other filters applied to the object (for example, through agroup) are used. If no other filters are enabled, no filtering will occur.