Database Object Security¶
IFS Cloud uses different type of Database Objects such as tables, views, packages and methods. There are several security mechanism which has been applied for them when enforcing security in IFS Cloud. These security mechanisms complements the Database Object security which is enforced by Oracle.
The core Database Objects which are deployed with IFS Cloud are owned by the Application Owner, and resides in its database schema. The application also uses Oracle in-built packages and views.
In IFS Cloud, end users are not given direct access to tables. Access is granted through views and PL/SQL package methods. When a user wants query data in a table, it is done so through a read only Oracle view. When a user wants to modify data in the table it is done using a server interface. It is not allowed to administering security grants for tables through IFS Applications.
The possibility to query data is given to users through Oracle views. These views should only be used to query data, therefore they are created as Read Only. When a user is granted read access to data in a particular logical unit/entity, grants are given to the view(s) of that logical unit. Views are also used to enforce row level security.
PL/SQL Package and Method Security¶
PL/SQL packages contains methods which are used to manipulated or calculate data in the database. In Oracle, grants are given at package level. Therefore when a user is granted access to a package, they can execute any method within that package.
To provide a more fine grain security mechanism, method level security has been implemented in IFS Cloud on top of the existing package level security provided by Oracle. Method level security is only enforced for methods which can be accessed from outside of the PL/SQL package. Implementation methods which can only be accessed within the package will not have method level security checks.
If a method is not required to have method level security then annotate it with @UncheckedAccess. Use this for read-only methods or methods where modification of data is not required to be protected. Keep in mind that, if a users gets the grants to execute a PL/SQL package, then they can execute all methods which are marked as @UncheckedAccess.
A method which should only be called from the database code can be annotated as @ServerOnlyAccess. If a client tries to call such a method, an error will be raised.
If no annotation is put then method level security is enforced. This is done with the call to General_SYS.Init_Method which will be automatically added by the code generator.
PROCEDURE New__ () ... BEGIN General_SYS.Init_Method(Background_Jobs_API.lu_name_, 'Background_Jobs_API', 'New__'); Base(info_, objid_, objversion_, attr_, action_); END New__;
Additionally there is another annotation, the @SecurityCheck annotation, which can be used to enforce security checks related to application business logic. This could be used to verify whether the current user has the rights to modify data related to a particular company.
Database Object Grant Administration¶
Database Objects are not directly granted to end-users. They are granted through Permission Set.
When granting privileges to system defined Permission Sets, e.g. FND_ADMIN, note that only the component owning the permission set can grant privileges directly to the role. Other components grant their privileges to a sub-role, which you grant to the top role.
Upon creation of new entity, you need to grant the package to IFS System User (IFSSYS). This is done by calling method Installation_SYS.Grant_Ifssys.
Using Oracle In-built Objects¶
IFS Cloud uses database objects which belongs to Oracle users such as SYS, SYSTEM, CTXSYS. These are granted to the Application Owner (APPOWNER) with the ability to grant to others (WITH GRANT OPTION). Some of these objects are also granted to IFS System User (IFSSYS) and other predefined IFS Users.
Granting Oracle system objects directly to end-users or end-user permission sets/role are not recommended.
If there is a requirement to expose an Oracle system object to an end-users, create a wrapper object in the Application Owner schema and then grant this object to the end-users.