Installation and Security¶
This document will highlight some part to consider regarding installation and security
Lobby Runtime Security¶
Lobby Runtime Security is mainly based on Presentation Objects
Lobby overview shows only granted pages(Presentation Objects) for the user.
When the user opens a lobby page the layout of the page is loaded without any PO check. Data is loaded individually in lobby elements. In this case presentation Object grants are checked for each data source used by the element. If the relevant data source is not granted, a cross sign is displayed on the element.
Figure: Element with no grants
With the Power BI element a Power BI Report or visual can be embedded into a Lobby page. A report or the underlying data source optionally can use row level security (RLS), when this is the case the identity of the logged in user is used to send to the Power BI Server. In this way the logged in user cannot see data that he shouldn't have access to.
Lobby Designer Security¶
Lobby page designer, lobby element designer and lobby data source designer can be taken as tools for designing lobbies. Lobby Designer Security is mainly base on projections. There is a separate projection for each designer.
- LobbyDatasourceConfiguration.projection: Datasource designer
- LobbyElementConfiguration.projection: Element Designer
- LobbyConfiguration.projection: Page designer
The logged in user must have grants for these projections in order to,
- Open designers
- View metadata of Lobby items
- Do CRUD operations on Lobby items
There are two permission sets which created to grant access to above all three lobby designers.
-
FND_LOBBY_ADMIN¶
Following projections are granted for FND_LOBBY_ADMIN permission set
- LobbyConfiguration
- LobbyElementConfiguration
- LobbyDatasourceConfiguration
Datasource designer is a special tool among three lobby designers. The user is able to access any table/view in the database and execute any query through the Datasource designer. So an extra layer of protection has been implemented (LOBBY DATASOURCE DESIGNER system privilege) on Datasource designer to protect data from unauthorized users.
A user who has grants for LobbyDatasourceConfiguration.projection will be able to
- Open Datasource designers
- View metadata of data sources
- Export data sources
- Plug a data source into an element
In order to do following operations in the data source, the user must have grants for LOBBY DATASOURCE DESIGNER system privilege
- Create / import data sources
- Edit data sources
- Delete data sources
- Preview data in a data source
A user who has FND_LOBBY_ADMIN permission set can create lobby elements, create lobby pages and only view the data source definition.
FND_LOBBY_ADMIN permission set does not include LOBBY DATASOURCE DESIGNER system privilege.
-
FND_LOBBY_SQLDS_ADMIN¶
Following permission sets are granted for FND_LOBBY_SQLDS_ADMIN permission set
- FND_LOBBY_ADMIN
- QUERY_DESIGNER_ADMIN
Apart from that FND_LOBBY_SQLDS_ADMIN permission set includes the LOBBY DATASOURCE DESIGNER system privilege.
Since this permission set includes QUERY_DESIGNER_ADMIN permission set, the user can navigate to Query Overview and Query Designer screens and consume it's functionalities.
So a user who has FND_LOBBY_SQLDS_ADMIN permission set can create lobby elements, create lobby pages, manipulate data sources, preview data sources and can consume the functionalities of Query Overview and Query Designer screens.
Power BI Security¶
In the Power BI element designer the report dropdown is automatically filled with the reports that are available within the Power BI Workspace the Power BI Service is linked to, this is not a per user list but the same for all the users. The data in preview mode will use the RLS security meaning that the logged in user cannot see data that he is not allowed to see. The sequence and security tokens used of a Lobby designer creating a new Power BI Element and a Lobby page viewer visiting a page which has a Power BI Element on it are drawn in the below diagram.
The Install and Reconfigure process¶
The Lobby items included with IFS Applications are automatically deployed to your database when running the IFS Cloud Installer. Note that every time the Installer is run, the Lobby items that ship with IFS Cloud will be redeployed and overwritten
Important: If configuration changes (i.e.: not Personalization changes) are needed on any Lobby item that was included with IFS Cloud, be sure to create a copy of that item and do the necessary configuration changes on the newly copied item..