Using Group Level Permissions instead of User Level
For ease of catalog administration, only assign permissions at a group level (as opposed to an individual user level) for objects in the web catalog (i.e. reports, pages, dashboards, prompts, etc.). Adding individual users to these elements makes maintenance difficult and costly. Also, you will save yourself many hours of “hunting and pecking” to determine who has access to what.
Implementing Simple Column-Level Security
Some columns, such as Social Security Number (SSN), may contain sensitive information that should only be displayed to certain Users or Groups. A simple way to restrict the visibility of this data is to use column-level security. All you need to do is modify the Permissions for a given presentation column in the repository. By default, the Everyone group will have read access; you must uncheck this check box, and then explicitly grant access (check the boxes) only to the appropriate groups. Now let’s say that Basic_User does not have permission to view the SSN column, but Super_User does. If there is a Dashboard or Report that contains the SSN column, the Super_User will be able to run the report and see the SSN data, but the Basic_User will not even be able to run the report; the report will produce an error like this:
State: HY000. Code: 10058. [NQODBC] [SQL_STATE: HY000] [nQSError: 10058] A general error has occurred. [nQSError: 27005] Unresolved column: “Employees”.”SSN”. (HY000)
For the Basic_User, OBIEE will error out, because the SSN column will not be “recognized”. Here’s the trick to fix this: in the NQSConfig.ini file change the parameter PROJECT_INACCESSIBLE_COLUMN_AS_NULL which is under the security section. By default it is set to No. Instead, set the value to yes. Then stop and restart the BI Server and Presentation Server Services. Now, when Basic_User runs this same report containing SSN, the report will run correctly, but the SSN column will not be displayed at all.