essbase filters

7/24/2019 Essbase Filters

1/14

Controlling Access to Database Cells

In This Section:

Introduction

Understanding How Filters Define Permissions

Creating Filters

Managing Filters

Assigning Filters

IntroductionWhen securit le!els defined for a""lications# data$ases# users# and grou"s are insufficient#

%ss$ase securit filters gi!e ou more s"ecific control& Filters ena$le ou to control access toindi!idual data within a data$ase $ defining what 'ind of access is allowed to which "arts of the

data$ase# and to whom these settings a""l&

If ou ha!e Administrator "ermissions# ou can define and assign an filters to an users or

grou"s& Filters do not affect ou&

If ou ha!e Create(Delete A""lications "ermissions# ou can assign and define filters for

a""lications that ou created&

If ou ha!e A""lication Manager or Data$ase Manager "ermissions# ou can define and assign

filters within our a""lications or data$ases&

Understanding How Filters Define Permissions

Filters control securit access to data !alues# or cells& )ou create filters to accommodate securit

needs for s"ecific "arts of a data$ase& When ou define a filter# ou designate restrictions on

"articular data$ase cells& When ou sa!e the filter# ou gi!e it a uni*ue name to distinguish itfrom other filters# and the ser!er stores it in ess$ase&sec# the securit file& )ou can then assign the

filters to an users or grou"s on the ser!er&

For e+am"le# a manager designs a filter named ,%D and associates it with a data$ase to limit

access to cells containing "rofit information& The filter is assigned to a !isiting grou" called,%-I%W%,S# so that the can read# $ut cannot alter# most of the data$ase. the ha!e no access

to Profit data !alues&
http://docs.oracle.com/cd/E12825_01/epm.111/esb_dbag/dsefilt.htm#dsefilt_1http://docs.oracle.com/cd/E12825_01/epm.111/esb_dbag/dsefilt.htm#dsefilt1017997http://docs.oracle.com/cd/E12825_01/epm.111/esb_dbag/dsefilt.htm#dsefilt1014750http://docs.oracle.com/cd/E12825_01/epm.111/esb_dbag/dsefilt.htm#dsefilt1016569http://docs.oracle.com/cd/E12825_01/epm.111/esb_dbag/dsefilt.htm#dsefilt997509http://docs.oracle.com/cd/E12825_01/epm.111/esb_dbag/dsefilt.htm#dsefilt1017997http://docs.oracle.com/cd/E12825_01/epm.111/esb_dbag/dsefilt.htm#dsefilt1014750http://docs.oracle.com/cd/E12825_01/epm.111/esb_dbag/dsefilt.htm#dsefilt1016569http://docs.oracle.com/cd/E12825_01/epm.111/esb_dbag/dsefilt.htm#dsefilt997509http://docs.oracle.com/cd/E12825_01/epm.111/esb_dbag/dsefilt.htm#dsefilt_1


2/14

Filters com"rise one or more access settings for data$ase mem$ers& )ou can s"ecif the

following access le!els and a""l them to data ranging from a list of mem$ers to one cell&

Access

LevelDescription

/one /o data can $e retrie!ed or u"dated for the s"ecified mem$er list&

,ead Data can $e retrie!ed $ut not u"dated for the s"ecified mem$er list&

Write Data can $e retrie!ed and u"dated for the s"ecified mem$er list&

MetareadMetadata 0dimension and mem$er names1 can $e retrie!ed and u"dated for the

corres"onding mem$er s"ecification&

/ote:

The metaread access le!el o!errides all other access le!els& If additional filters for data are

defined# the are enforced within an defined metaread filters&If ou ha!e assigned a metaread

filter on a su$stitution !aria$le and then tr to retrie!e the su$stitution !aria$le# an un'nownmem$er error occurs# $ut the !alue of the su$stitution !aria$le gets dis"laed& This is e+"ected

$eha!ior&Metadata securit cannot $e com"letel turned off in "artitions& Therefore# do not set

metadata securit at the source data$ase. otherwise# incorrect data ma result at the target"artition&When drilling u" or retrie!ing on a mem$er that has metadata securit turned on and

has shared mem$ers in the children# an un'nown mem$er error occurs $ecause the original

mem$ers of the shared mem$ers ha!e $een filtered& To a!oid this error# gi!e the original

mem$ers of the shared mem$ers metadata securit access&

An cells that are not s"ecified in the filter definition inherit the data$ase access le!el& Filters

can# howe!er# add or remo!e access assigned at the data$ase le!el# $ecause the filter definition#

$eing more data2s"ecific# indicates a greater le!el of detail than the more general data$ase access

le!el&

Data !alues not co!ered $ filter definitions default first to the access le!els defined for users

and# when %ss$ase is in nati!e securit mode# second to the glo$al data$ase access le!els&

Calculation access is controlled $ "ermissions granted to users and grou"s& Users who ha!e

calculate access to the data$ase are not $loc'ed $ filters3the can affect all data elements that


3/14

the e+ecution of their calculations would u"date& When %ss$ase is in nati!e securit mode#

calculation access is also controlled $ minimum glo$al "ermissions for the a""lication or

data$ase&

Creating Filters

)ou can create a filter for each set of access restrictions ou need to "lace on data$ase !alues&

)ou need not create se"arate filters for users with the same access needs& After ou ha!e created

a filter# ou can assign it to multi"le users or grou"s of users& Howe!er# onl one filter "erdata$ase can $e assigned to a user or grou"&

/ote:

If ou use a calculation function that returns a set of mem$ers# such as children or descendants#

and it e!aluates to an em"t set# the securit filter is not created& An error is written to thea""lication log stating that the region definition e!aluated to an em"t set&

4efore creating a filter# "erform the following actions:

Connect to the ser!er and select the data$ase associated with the filter&

Chec' the naming rules for filters in 5imits&

To create a filter# use a tool:

Tool Topic Location

Administration

Ser!ices

Creating or %diting

Filters

6racle %ss$ase Administration Ser!ices 6nline

Hel"

Ma+5 create filter 6racle %ss$ase Technical ,eference

Filtering Members ersus Filtering Member Combinations

Figure 789# How Filters Affect Data A/D(6, ,elationshi"sillustrates different was to control

access to data$ase cells& Data can $e "rotected $ filtering entire mem$ers or $ filteringmem$er com$inations&

Filtering mem$ers se"aratel affects whole regions of data for those mem$ers&
http://docs.oracle.com/cd/E12825_01/epm.111/esb_dbag/limits.htmhttp://docs.oracle.com/cd/E12825_01/epm.111/esb_dbag/dsefilt.htm#dsefilt1016909http://docs.oracle.com/cd/E12825_01/epm.111/esb_dbag/limits.htmhttp://docs.oracle.com/cd/E12825_01/epm.111/esb_dbag/dsefilt.htm#dsefilt1016909


4/14

Filtering mem$er com$inations affects data at the mem$er intersections&

Figure !"#$ How Filters Affect Data A%D&'( (elations)ips

/ote:

Filtering on mem$er com$inations 0A/D relationshi"1 does not a""l to metaread& Metaread

filters each mem$er se"aratel 06, relationshi"1&

Filtering Members *eparatel+

To filter all the data for one or more mem$ers# define access for each mem$er on its own row in

Filter %ditor& Filter definitions on se"arate rows of a filter are treated with an 6, relationshi"&

For e+am"le# to $loc' access to Sales or an# assume that user ;Smith is assigned this filter:

Access Member *pecification

/one Sales

/one an

The ne+t time user ;Smith connects to Sam"le&4asic# she has no access to data !alues for the

mem$er Sales or for the mem$er an& Her s"readsheet !iew of the "rofit margin for


5/14

All data for Sales is $loc'ed from !iew# as well as all data for anuar# inside and outside of the

Sales mem$er& Data for C6=S 0Cost of =oods Sold1# a si$ling of Sales and a child of Margin# is

a!aila$le# with the e+ce"tion of C6=S for anuar&

Filtering Member Combinations

To filter data for mem$er com$inations# define the access for each mem$er com$ination using a

row in Filter %ditor& In filter definitions# two mem$er sets se"arated $ a comma are treated asunion of those two mem$er sets 0an A/D relationshi"1&

For e+am"le# assume that user ,Chinn is assigned this filter:


/one Sales# an

The ne+t time user ,Chinn connects to Sam"le&4asic# she has no access to the data !alue at theintersection of mem$ers Sales and an& Her s"readsheet !iew of the "rofit margin for


6/14

Sales data for anuar is $loc'ed from !iew& Howe!er# Sales data for other months is a!aila$le#

and non2Sales data for anuar is a!aila$le&

Filtering Using *ubstitution ariables

Su$stitution !aria$les ena$le ou to more easil manage information that changes regularl&

%ach su$stitution !aria$le has an assigned name and !alue& The Data$ase Manager can change

the !alue antime& Where a su$stitution !aria$le is s"ecified in a filter# the su$stitution !aria$le!alue at that time is used&

For e+am"le# if ou want a grou" of users to see data onl for the current month# ou can set u" a

su$stitution !aria$le named CurMonth and define a filter 0MonthlAccess1 wherein ou s"ecifaccess# using >CurMonth for the mem$er name& Using an am"ersand 0>1 at the $eginning of a

s"ecification identifies it as a su$stitution !aria$le instead of a mem$er name to %ss$ase& Assignthe MonthlAccess filter to the a""ro"riate users&

%ach month# ou need to change onl the !alue of the CurMonth su$stitution !aria$le to themem$er name for the current month# such as an# Fe$# and so on& The new !alue will a""l to all

assigned users&

See Using Su$stitution -aria$les&

Filtering wit) Attribute Functions

)ou can use filters to restrict access to data for $ase mem$ers sharing a "articular attri$ute& Tofilter data for mem$ers with "articular attri$utes defined in an attri$ute dimension# use the

attri$ute mem$er in com$ination with the ?ATT,I4UT% function or the ?WITHATT,

function&

/ote:
http://docs.oracle.com/cd/E12825_01/epm.111/esb_dbag/dotcreat.htm#dotcreat1053369http://docs.oracle.com/cd/E12825_01/epm.111/esb_dbag/dotcreat.htm#dotcreat1053369


7/14

?ATT,I4UT% and ?WITHATT, are mem$er set functions& Most mem$er set functions can $e

used in filter definitions&

For e+am"le# assume that user Pones is assigned this filter:


/one ?ATT,I4UT%0@CaffeinatedFalseB1

The ne+t time user Pones connects to Sam"le&4asic# he has no access to the data !alues for an

$ase dimension mem$ers associated with CaffeinatedFalse& His s"readsheet !iew of first2

*uarter cola sales in California:

Figure !23$ (esults of Filter -loc.ing Access to Caffeine4free Products

Sales data for Caffeine Free Cola is $loc'ed from !iew& /ote that Caffeine Free Cola is a $ase

mem$er# and CaffeinatedFalse is an associated mem$er of the attri$ute dimension Caffeinated0not shown in the a$o!e s"readsheet !iew1&

Metadata Filtering

Metadata filtering "ro!ides an additional laer of securit in addition to data filtering& With

metadata filtering# an administrator can remo!e outline mem$ers from a users !iew# "ro!idingaccess onl to those mem$ers that are of interest to the user&

When a filter is used to a""l Meta,ead "ermission on a mem$er#

7& Data for all ancestors of that mem$er are hidden from the filter users !iew&

E& Data and metadata 0mem$er names1 for all si$lings of that mem$er are hidden from the

filter users !iew&

Managing Filters

)ou can "erform the following actions on filters: !iewing# editing# co"ing# renaming# and

deleting&


8/14

iewing Filters

To !iew a list of filters# use a tool:

Tool Topic Location

Administration

Ser!ices

Creating or %diting

Filters


Hel"

Ma+5 displa+ filter 6racle %ss$ase Technical ,eference

%SSCMD 5ISTFI5T%,S 6racle %ss$ase Technical ,eference

5diting Filters

To edit a filter# use a tool:

Tool Topic Location

Administration

Ser!ices

Creating or %diting

Filters


Hel"


Cop+ing Filters

)ou can co" filters to a""lications and data$ases on an %ss$ase Ser!er# according to our

"ermissions& )ou can also co" filters across ser!ers as "art of a""lication migration&

To co" a filter# use a tool:


9/14

Tool Topic Location

Administration Ser!ices Co"ing Filters 6racle %ss$ase Administration Ser!ices 6nline Hel"


%SSCMD C6P)FI5T%, 6racle %ss$ase Technical ,eference

(enaming Filters

To rename a filter# use a tool:

Tool Topic Location

Administration Ser!ices ,enaming Filters6racle %ss$ase Administration Ser!ices 6nline

Hel"


%SSCMD ,%/AM%FI5T%, 6racle %ss$ase Technical ,eference

Deleting Filters

To delete a filter# use a tool:

Tool Topic Location

Administration Ser!ices Deleting Filters 6racle %ss$ase Administration Ser!ices 6nline Hel"


10/14

Tool Topic Location

Ma+5 drop filter 6racle %ss$ase Technical ,eference

Assigning Filters

After ou define filters# ou can assign them to users or grou"s# which lets ou manage multi"leusers who re*uire the same filter settings& Modifications to the definition of a filter are

automaticall inherited $ users of that filter&

Filters do not affect users who ha!e the Administrator role& 6nl one filter "er data$ase can $e

assigned to a user or grou"&

Assigning Filters in *)ared *ervices *ecurit+ Mode

In 6racles H"erion Shared Ser!ices securit mode# ou assign filters through 6racles

H"erion Shared Ser!ices Console&

To assign a filter to a user or grou"# seeAssigning Data$ase Calculation and Filter Access&

Assigning Filters in %ative *ecurit+ Mode

To assign a filter to a user or grou"# see @Assigning FiltersB in the 6racle %ss$aseAdministration Ser!ices 6nline Hel"&

'verlapping Filter Definitions

If a filter contains rows that ha!e o!erla""ing mem$er s"ecifications# the inherited access is set

$ the following rules# listed in order of "recedence:

7& A filter that defines a more detailed dimension com$ination list ta'es "recedence o!er a

filter with less detail&

E& If the "receding rule does not resol!e the o!erla" conflict# the highest access le!el among

o!erla""ing filter rows is a""lied&

For e+am"le# this filter contains o!erla" conflicts:
http://docs.oracle.com/cd/E12825_01/epm.111/esb_dbag/dsemain.htm#dsemain1079178http://docs.oracle.com/cd/E12825_01/epm.111/esb_dbag/dsemain.htm#dsemain1079178http://docs.oracle.com/cd/E12825_01/epm.111/esb_dbag/dsemain.htm#dsemain1079178http://docs.oracle.com/cd/E12825_01/epm.111/esb_dbag/dsemain.htm#dsemain1079178


11/14


Write Actual

/one Actual

,ead Actual# ?ID%SC%/DA/TS0@/ew )or'B1

The third s"ecification defines securit at a greater le!el of detail than the other two& Therefore#

read access is granted to all Actual data for mem$ers in the /ew )or' $ranch&

4ecause write access is a higher access le!el than none# the remaining data !alues in Actual are

granted write access&

All other cells# such as 4udget# are accessi$le according to the minimum data$ase "ermissions&

If ou ha!e write access# ou also ha!e read access&

/ote:

Changes to mem$ers in the data$ase outline are not reflected automaticall in filters& )ou must

manuall u"date mem$er references that change&

'verlapping Metadata Filter Definitions

)ou should define a Meta,ead filter using multi"le rows onl when the affected mem$er set in

an gi!en row 0the metaread mem$ers and their ancestors1 has no o!erla" with Meta,ead

mem$ers in other rows& It is recommended that ou s"ecif one dimension "er row in filters thatcontain Meta,ead on multi"le rows& Howe!er# as long as there is no o!erla" $etween the

ancestors and Meta,ead mem$ers# it is still !alid to s"ecif different mem$er sets of one

dimension into multi"le Meta,ead rows&

For e+am"le# in Sam"le 4asic# the following filter definition has o!erla" conflicts:


Meta,ead California

Meta,ead West


12/14

In the first row# a""ling Meta,ead to California has the effect of allowing access to California

$ut $loc'ing access to its ancestors& Therefore# the Meta,ead access to West is ignored. users

who are assigned this filter will ha!e no access to West&

If ou wish to assign Meta,ead access to West as well as California# then the a""ro"riate method

is to com$ine them into one row:


Meta,ead California#West

'verlapping Access Definitions

When the access rights of user and grou" definitions o!erla"# the following rules# listed in orderof "recedence# a""l:

7& An access le!el that defines a more detailed dimension com$ination list ta'es "recedenceo!er a le!el with less detail&

E& If the "receding rule does not resol!e the o!erla" conflict# the highest access le!el is

a""lied&

56ample !7

User Fred is defined with the following data$ase access:

FINPLAN R

CAPPLAN W

PRODPLAN N

He is assigned to =rou" Mar'eting# which has the following data$ase access:

FINPLAN N

CAPPLAN N

PRODPLAN W

His effecti!e rights are set as:

FINPLAN R

CAPPLAN W

PRODPLAN W

56ample 87

User Mar is defined with the following data$ase access:

FINPLAN R

PRODPLAN N


13/14

She is assigned to =rou" Mar'eting# which has the following data$ase access:

FINPLAN N

PRODPLAN W

Her effecti!e rights are set as:

FINPLAN R

PRODPLAN W

In addition# Mar uses the filter artifact ,%D 0for the data$ase FI/P5A/1& The filter has two

filter rows:


,ead Actual

Write 4udget# ?ID%SC%/DA/TS0@/ew )or'B1

The =rou" Mar'eting also uses a filter artifact 45U% 0for the data$ase FI/P5A/1& The filter has

two filter rows:


,ead Actual# Sales

Write 4udget# Sales

Mars effecti!e rights from the o!erla""ing filters# and the "ermissions assigned to her and hergrou":

, %ntire Fin"lan data$ase

W For all 4udget data in the /ew )or' $ranch


14/14

W For data !alues that relate to 4udget and Sales

essbase filters

Documents