On the Choose Edit | Delete to display the

12-10 Oracle Fusion Middleware Administrators Guide for Oracle Business Intelligence Discoverer

Example 1: No condition applied

This example illustrates the results returned when you execute a query against two tables, where the master and detail tables are joined with an outer join.

Discoverer displays:
■ rows of data from the master table dept and detail table emp
■ rows of data from the master table dept where no data exists for the detail table emp

The query is defined using the following SQL statement, where the outer join is signified by the plus (+) symbol:

    select dname, ename, job from dept, emp where dept.deptno = emp.deptno(+);

DNAME         ENAME   JOB
SALES         GRIMES  DIRECTOR
SALES         PETERS  MANAGER
SALES         SCOTT   CLERK
SUPPORT       MAJOR   MANAGER
SUPPORT       SCOTT   CLERK
ADMIN
MARKETING
DISTRIBUTION

The results returned from the query above will not change whether you switch the DisableAutoOuterJoinsOnFilters registry setting on or off.

Example 2: Condition applied to query and DisableAutoOuterJoinsOnFilters set to 1 (switched off)

This example applies a condition to the query in Example 1 and the DisableAutoOuterJoinsOnFilters registry setting is switched off.

Discoverer displays:
■ the data specified in the condition

Discoverer does not display:
■ master rows for which there is no detail data

The following SQL statement is used, where the outer join is signified by the plus (+) symbol:

    select dname, ename, job from dept, emp where dept.deptno = emp.deptno(+) and job = 'CLERK';

DNAME         ENAME   JOB
SALES         SCOTT   CLERK
SUPPORT       SCOTT   CLERK

Creating and Maintaining Conditions 12-11

Example 3: Condition applied to query and DisableAutoOuterJoinsOnFilters set to 0 (switched on)

This example applies a condition to the query in Example 1 and the DisableAutoOuterJoinsOnFilters registry setting is switched on.
Discoverer displays:
■ the data specified in the condition
■ master rows for which there is no detail data (Null values)

The following SQL statement is used, where the outer join is signified by the (+) symbol:

    select dname, ename, job from dept, emp where dept.deptno = emp.deptno(+) and job = 'CLERK';

DNAME         ENAME   JOB
SALES         SCOTT   CLERK
SUPPORT       SCOTT   CLERK
ADMIN
MARKETING
DISTRIBUTION

Note: The database supports placing outer joins in IS NULL and IS NOT NULL clauses, but does not support placing outer joins in IN and OR clauses.

How to create row level security using a mandatory condition

You might want to restrict the data that end users can see in Discoverer workbooks. For example, you have a single table with profit data for all regions. Each row of profit data applies to a transaction in a single region.

REGION  PROFIT  DATE
East    100     87
West    50      87
South   65      810
North   100     86

You would like a manager in the West region to only access the rows with profit data for the West region.

To create row level security you must complete the following tasks:
■ Load the ALL_USERS table from the SYS view into the business area that contains the folder in which you want to apply row level security
■ Create a new calculated item in the folder where you want to apply row level security
■ Apply the list of values from the Username item in the ALL_USERS table to the new calculated item
■ Create a mandatory advanced condition to define row-level security in a folder for specified database users

Load the ALL_USERS table from the SYS view into the business area that contains the folder in which you want to apply row level security

This task enables you to obtain a list of all the database users to which you can subsequently apply conditions and achieve row level security.

To load the ALL_USERS table into the business area where you want to apply row level security:

1. Select the business area that contains the folder in which you want to create row level security.

2. Choose Insert | Folder | From Database to display the Load Wizard: Step 1 dialog.

3. Select the Online dictionary check box and click Next to display the Load Wizard: Step 2 dialog.

4. Select the SYS user from the Select the users whose tables you want to load list box and click Next to display the Load Wizard: Step 3 dialog. The SYS user contains a view that holds the names of all database users.

5. Expand the SYS user in the Available list box and drag the ALL_USERS view into the Selected list box and click Next to display the Load Wizard: Step 4 dialog. This loads the ALL_USERS view into the current business area. The ALL_USERS view contains the names of all database user accounts.

6. Select the List of values for items of type check box and the Character check box, leaving all the other check boxes in this area cleared. This will create a list of values of the names of all the database users.

7. Click Finish. This loads the ALL_USERS view from the SYS table into the current business area.

8. (Optional) Edit the folder properties of ALL_USERS and set the Visible to user property to No (for more information about how to edit folder properties, see How to edit folder properties). This makes sure that Discoverer does not display the ALL_USERS folder to end users.

Create a new calculated item in the folder where you want to apply row level security

You create a calculated item so that you can subsequently apply the list of values item class of all the database users from the SYS table.

To create a calculated item in the folder where you want to apply row level security:

1. Highlight the folder in which you want to create row level security (for example, the Video Analysis folder).

2. Choose Insert | Item.

3. Type Username into the Name field.

4. Type USER into the Calculation field.

5. Click OK to create the new calculated item.

Apply the list of values from the Username item in the ALL_USERS table to the new calculated item

To apply the list of values item class to the calculated item created in the previous task:

1. Highlight the folder in which you want to apply row level security (for example, the Video Analysis folder).

2. Click Insert | Item Class to display the Item Class Wizard: Step 1 dialog.

3. Select the List of values check box and click Next to display the Item Class Wizard: Step 2 dialog (select the item that generates the LOV).

4. Select the Username item from the All Users table that you loaded previously into the business area and click Next to display the Item Class Wizard: Step 3 dialog (enter name and description).

5. Select the calculated item Username that you created in the previous step from the Available items: list and drag it into the Selected list.

6. Click Finish to apply the list of values to the calculated item ’Username’.

Create a mandatory advanced condition to define row-level security in a folder for specified database users

You create a mandatory advanced condition so that you can apply data conditions to specified database users. You must create a mandatory advanced condition that includes both:
■ a condition statement defining the database users
■ one or more condition statements restricting data access to the specified database users

To create a mandatory advanced condition to define row level security for the specified database users:

1. Highlight the folder in which you want to create row level security.

2. Choose Insert | Condition to display the New Condition dialog.

3. (Optional) Enter a description for the new condition.

4. Click the Type drop down list and choose Mandatory. The Type Mandatory specifies that a condition always applies to end users.

5. Click the Item drop down list and select the calculated item Username.

6. Click the Values drop down list and choose Select Multiple Values to display the Values dialog.

7. Select a check box for each database user that you want row level security to apply to, then click OK. Discoverer displays the selected database users in the Values field.

Note: You have now created a mandatory simple condition specifying the names of one or more database users. However, before you can apply row level security to the database users in the current folder, you must specify the data conditions that you want to apply to the specified database users. The remaining steps describe how you can apply row level security to the specified database users so that they can see only data from the West region.

8. Click the Advanced button and then the Add button.

9. (Example) Click the Item drop down list and select Store.Region. This data condition will be applied to the specified database users.

10. (Example) Click the Values drop down list and select the region West.

Note: To associate the database users (Username) with the data condition (Region), the Username and Region condition statements must be grouped together by using the AND clause. Each Username/data condition statement pair must be grouped using the AND clause. Pairs of Username/data condition statements must be grouped with other pairs using the OR clause. Grouping the pairs of Username/data condition statements using the OR clause ensures that each condition statement pair can be applied (see figure below).

Figure 12–4 Condition where one group of database users sees data from the ’West’ region and the other group sees data from the ’East’ region

11. Click OK. This creates a mandatory advanced condition that applies row level security to the database users specified (that is, binding a group of users either to the West or the East region). In the example above, the database user ADMTEST can view data from the West region only.

12. (Optional) Edit the Properties of the new condition and set the Visible to user property to No (for more information about editing condition properties, see How to edit condition properties). This ensures that Discoverer does not display the condition to end users, but it is always enforced.

How to enable summary folders if a source folder includes a mandatory condition

When you create a mandatory condition in a folder, database user queries must not use a summary folder that is based upon the folder that contains the mandatory condition. This is because the data in the summary table will be only for the database user that created the summary folder. To enable database user queries to use summary folders where the source folders use mandatory conditions (for example, with row level security), you must perform the following steps before you create the mandatory condition.

To enable summary folders for database user queries where the source folders contain a mandatory condition:

1. Create a summary folder based upon folders where no mandatory condition (for example, row level security) has yet been set up. For more information about creating summary folders, see Chapter 14, Managing Summary Folders and Chapter 15, Creating Summary Folders Manually.

2. Set the summary property Available for Queries to ’No’. This summary folder references data for the database user that created it. You must set this property to No to prevent end user queries from accessing this summary folder.

3. (Optional) Set the summary folder properties Next Refresh and Refresh Interval to suitable values. For more information, see the Summary Properties dialog.

4. Create a database view against your summary folder. Ask your database administrator for more information as this is done outside Discoverer. Use a WHERE clause to apply the mandatory condition (for example, row level security) to the view just created. For example: SQL WHERE Userid='SMITH' AND Region='WEST'

5. Register the view in Discoverer as an external summary. For more information, see How to create summary folders based on external summary tables.

6. Set the summary property Available for Queries to Yes. You must set this property to Yes to enable database users to access this summary folder. The Next Refresh and Refresh Interval summary folder properties should be set to Never in Discoverer. For more information, see the Summary Properties dialog.

7. Create the required mandatory condition (for example, row level security) in a folder in Discoverer Administrator (for more information, see How to create row level security using a mandatory condition).

You now have two summary folders, one based on the data folder without the mandatory condition and one based on the view. By adding the mandatory condition to the folder after the first summary folder was created, subsequent queries will be rewritten to use the view-based summary folder, rather than the folder-based summary folder. For more information about summary rewrite, see Chapter 16, Additional Information about Summary Folders.
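The AND/OR grouping rule for the mandatory advanced condition, described in "How to create row level security using a mandatory condition", can be checked before release by evaluating the predicate as each database user. The following is an added example, not part of the Oracle guide and not Discoverer's generated SQL: SQLite stands in for the database, the :user bind parameter stands in for the Username calculated item (USER), and the users EASTMGR and OTHER are hypothetical.

```python
import sqlite3

# Constructed rows modelled on the page's REGION/PROFIT table.
ROWS = [("East", 100), ("West", 50), ("South", 65), ("North", 100)]

# Correct grouping: each Username/data pair is ANDed, pairs are ORed.
# ADMTEST comes from the page; EASTMGR is a hypothetical East-region user.
GROUPED = """
    SELECT region FROM profit
    WHERE (:user IN ('ADMTEST') AND region = 'West')
       OR (:user IN ('EASTMGR') AND region = 'East')
    ORDER BY region"""

# Mis-grouped: the East data condition has no Username test paired with it,
# so that OR branch is true for every session user.
MISGROUPED = """
    SELECT region FROM profit
    WHERE :user IN ('ADMTEST') AND region = 'West'
       OR region = 'East'
    ORDER BY region"""


def visible_regions(sql, user):
    """Return the regions the given user can see under the predicate."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE profit (region TEXT, profit INTEGER)")
    db.executemany("INSERT INTO profit VALUES (?, ?)", ROWS)
    rows = db.execute(sql, {"user": user}).fetchall()
    db.close()
    return [r[0] for r in rows]


def audit(sql, users=("ADMTEST", "EASTMGR", "OTHER")):
    """Evaluate the predicate once per user; OTHER is named in no pair."""
    return {u: visible_regions(sql, u) for u in users}


if __name__ == "__main__":
    for name, sql in (("grouped", GROUPED), ("mis-grouped", MISGROUPED)):
        print(name, audit(sql))
```

With the correct grouping, a user who appears in no Username/data pair sees no rows at all; with the mis-grouped predicate every user sees the East rows.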
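Returning to Examples 1 to 3 at the start of this section, the difference between the result tables comes down to whether the condition is evaluated after the outer join or as part of it. The following is an added example, not part of the Oracle guide: it uses SQLite with ANSI LEFT JOIN syntax in place of Oracle's (+) operator, the deptno values are constructed, and placing the filter inside the join is an assumption about one way to obtain Example 3's rows, not the SQL Discoverer emits.

```python
import sqlite3

# dname/ename/job values are taken from the Example 1 result table on this
# page; the deptno values are constructed for the demonstration.
DEPT = [(10, "SALES"), (20, "SUPPORT"), (30, "ADMIN"),
        (40, "MARKETING"), (50, "DISTRIBUTION")]
EMP = [("GRIMES", "DIRECTOR", 10), ("PETERS", "MANAGER", 10),
       ("SCOTT", "CLERK", 10), ("MAJOR", "MANAGER", 20),
       ("SCOTT", "CLERK", 20)]

JOIN = ("SELECT dname, ename, job FROM dept "
        "LEFT JOIN emp ON dept.deptno = emp.deptno")
ORDER = " ORDER BY dept.deptno, emp.rowid"

QUERIES = {
    # Example 1: outer join, no condition.
    "example1": JOIN + ORDER,
    # Example 2: condition evaluated after the join; NULL-extended master
    # rows fail job = 'CLERK' and are filtered out.
    "example2": JOIN + " WHERE emp.job = 'CLERK'" + ORDER,
    # Example 3: condition evaluated as part of the join; master rows
    # without a matching detail row survive with NULL ename and job.
    "example3": JOIN + " AND emp.job = 'CLERK'" + ORDER,
}


def run(name):
    """Run one of the three queries against the sample dept/emp tables."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE dept (deptno INTEGER, dname TEXT)")
    db.execute("CREATE TABLE emp (ename TEXT, job TEXT, deptno INTEGER)")
    db.executemany("INSERT INTO dept VALUES (?, ?)", DEPT)
    db.executemany("INSERT INTO emp VALUES (?, ?, ?)", EMP)
    rows = db.execute(QUERIES[name]).fetchall()
    db.close()
    return rows


def dropped_master_rows(name):
    """List departments that do not appear in the query result at all."""
    seen = {dname for dname, _, _ in run(name)}
    return [dname for _, dname in DEPT if dname not in seen]


if __name__ == "__main__":
    for name in QUERIES:
        print(name, run(name), "dropped:", dropped_master_rows(name))
```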