System Privileges

This document is written to give system administrators and installation technicians a quick introduction to the Foundation1 System Privileges concepts in IFS Applications.

Purpose

System privileges are used to grant a user the necessary rights to use a specific functionality, unrelated to data or method authorization. Foundation1 defines four different system privileges:

It is not possible to create or modify system privileges.
 

Defined system privileges

These are the existing system privileges and their usage.

Privilege / Purpose

  • ADMINISTRATOR
    This system privilege lets the logged-on user act as Appowner, with the exception of method security. This system privilege also gives the user the ability to see more data, even though the intention with system privileges was not to filter data. This privilege is granted to FND_ADMIN.
  • CONNECT
    Any user that wants to access IFS Applications through an IFS Client must have the Connect system privilege. It is possible to access IFS Applications methods from non-IFS clients, like SQL*Plus, without having this privilege.
    Allows access to Extended Server activities and services. Without this privilege a user will never reach any method at all (will get an HTTP 401 Unauthorized response).
  • IMPERSONATE USER
    Allows the authenticated user to impersonate (run as) some other user. Used by the PL/SQL Access Provider user.
  • DEFINE SQL
    Allows the user to enter SQL statements that should be executed by the application through some system service.
  • DEBUGGER
    This privilege gives the ability to get the server debug stack trace in the IFS Client debug console.

Detailed information about system privileges

System privilege / Used in

ADMINISTRATOR

Methods

  • Archive_API.Remove_User_Instance
    Allows you to delete any report
  • Batch_SYS.Init_All_Processes_
    Allows to execute
  • Batch_SYS.Process_Batch_Schedule_
    Allows you to execute any Scheduled Task
  • Batch_Queue_API.Delete___
    Allows you to delete any Batch Queue
  • Batch_Schedule_API
    Allows you to perform operations on all scheduled tasks
  • CONNECTIVITY_SYS.Init_All_Processes__
    Allows you to start Connectivity background process
  • Data_Archive_API.Init_All_Processes_
    Allows you to start Data Archiving background process
  • Fnd_User_API.Get_User_Security_Info_
    Returns % for ADMINISTRATOR, otherwise Fnd_User
  • Fnd_User_API.Set_Property
    Allows you to set properties on any user
  • Fnd_User_Properties_API
    Allows you to set properties on any user
  • Oracle_Account_API.Alter_User__
    Allows you to alter any user
  • Oracle_Account_API.Expire_Password__
    Allows you to expire any user's password
  • Oracle_Account_API.Lock_Account__
    Allows you to lock any user account
  • Oracle_Account_API.Unlock_Account__
    Allows you to unlock any user account
  • Performance_Analyze_API.Remove
    Allows you to remove any Performance Analyze
  • Replication_SYS.Init_All_Processes__
    Allows you to start Replication background process
  • Report_Definition_API.Count_Available_Reports
    Returns all reports
  • Report_Definition_API.Report_Definition__
    Returns all reports
  • Transaction_SYS.Init_Processing__
    Allows you to start Background Queues background process
  • Transaction_SYS.Init_All_Processing__
    Allows you to start all Background Queues background process

Views

  • ARCHIVE_DISTRIBUTION
    Lets you see all rows
  • BATCH_JOB
    Allows you to see all background jobs
  • BATCH_SCHEDULE
    Allows you to see all scheduled tasks
  • BATCH_SCHEDULE_METHOD
    Allows you to see all tasks
  • DEFERRED_JOB
    Allows you to see all background jobs
  • HISTORY_LOG
    Allows you to see all History logs
  • PRINT_JOB
    Allows you to see all Print Jobs
  • QUICK_REPORT
    Allows you to see all Quick Reports

DEFINE SQL

Services

  • Define scheduled tasks
  • Define data archive objects and data archive orders
  • Define monitoring entries
  • Define quick reports

System privileges and the Extended Server authentication process

The privileges CONNECT and IMPERSONATE USER are a bit special since they are granted to the authenticated user during the authentication process. These two system privileges are mapped to the J2EE roles IFSUser and IFSTrustedExternalModule, respectively. Because these privileges/J2EE roles are granted to the user during the authentication process, depending on how authentication is performed, you may have to grant roles to users in the user registry used for authentication. For example, if LDAP authentication is used, you must grant the necessary roles there, not in IFS Applications.

Granting system privileges to users

System privileges are always granted to permission sets, never directly to users. Use IFS Solution Manager to administer permission sets and the system privileges granted to them.

Note the exception mentioned above: if authentication is not performed using the Oracle database (database authentication), the J2EE roles IFSUser (CONNECT) and IFSTrustedExternalModule (IMPERSONATE USER) must be granted in the user registry used for authentication. You also have to make sure that these roles are actually granted to the user during the authentication process.
If an external registry is used, granting or revoking either of these two privileges to/from a permission set using IFS Solution Manager will have no effect.
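
The rule above can be checked during an access review. The following is an added example, not IFS code: it resolves each user's effective system privileges from permission-set grants and external registry roles, and reports privileged holders and permission-set grants that have no effect. The function names, data structures, users and the REPORT_DEV and INTEGRATION permission sets are constructed for illustration; only the privilege names, the J2EE role names and FND_ADMIN come from this page.

```python
# Added example; every name and data structure here is constructed, not an IFS format.
# Mapping stated on the page: privileges granted as J2EE roles at authentication.
AUTH_TIME_ROLES = {"CONNECT": "IFSUser", "IMPERSONATE USER": "IFSTrustedExternalModule"}
# Privileges flagged for review (this example's choice, not an IFS classification).
REVIEW = {"ADMINISTRATOR", "DEFINE SQL", "IMPERSONATE USER", "DEBUGGER"}


def granted_privileges(user, user_sets, set_privs):
    """Union of the system privileges on every permission set the user holds."""
    granted = set()
    for pset in user_sets.get(user, ()):
        granted |= set_privs.get(pset, set())
    return granted


def effective_privileges(user, user_sets, set_privs, registry_roles, database_auth):
    """System privileges the user actually holds after authentication."""
    granted = granted_privileges(user, user_sets, set_privs)
    if database_auth:
        return granted
    # External registry: permission-set grants of the two auth-time privileges
    # have no effect; only the J2EE roles held in the registry count.
    roles = registry_roles.get(user, set())
    from_registry = {p for p, role in AUTH_TIME_ROLES.items() if role in roles}
    return (granted - set(AUTH_TIME_ROLES)) | from_registry


def audit(user_sets, set_privs, registry_roles, database_auth):
    """Return (user, finding) tuples for an access review, ordered by user."""
    findings = []
    for user in sorted(user_sets):
        granted = granted_privileges(user, user_sets, set_privs)
        eff = effective_privileges(user, user_sets, set_privs, registry_roles, database_auth)
        findings += [(user, f"holds {p}") for p in sorted(eff & REVIEW)]
        findings += [(user, f"{p} grant on permission set has no effect")
                     for p in sorted(granted - eff)]
        if "CONNECT" not in eff:
            findings.append((user, "lacks CONNECT (IFSUser)"))
    return findings


# Constructed sample data: permission sets, user assignments, LDAP role memberships.
SET_PRIVS = {"FND_ADMIN": {"ADMINISTRATOR", "CONNECT"},
             "REPORT_DEV": {"DEFINE SQL", "CONNECT"},
             "INTEGRATION": {"IMPERSONATE USER", "CONNECT"}}
USER_SETS = {"ALICE": ["FND_ADMIN"], "BOB": ["REPORT_DEV"], "SVC_PLSQLAP": ["INTEGRATION"]}
LDAP_ROLES = {"ALICE": {"IFSUser"}, "SVC_PLSQLAP": {"IFSUser"}}
```

Calling audit(USER_SETS, SET_PRIVS, LDAP_ROLES, database_auth=False) shows that the integration account's IMPERSONATE USER grant is inert until IFSTrustedExternalModule is granted in the registry, while the same data with database_auth=True reports it as a holder.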