A quick introduction to the IFS Cloud user concept for system administrators and installation technicians. IFS Cloud users are divided into three categories: System User, Service User and End User. Most business logic authorization rules are mapped to the IFS End User.
These users are synchronized with IFS Identity and Access Manager.
There are also a few other Oracle users that are of great importance to IFS Cloud.
To be able to log on to IFS Cloud you need to be an IFS End User. IFS Cloud has its own User Registry in the database where all users need to be registered. These users can be synchronized from an external user registry using IFS SCIM.
IFS System Users
IFS Cloud comes with a few pre-defined accounts that are granted pre-defined permission sets. These accounts are created during installation.
These users must not be mapped to external user registries even if an external user registry (for example Azure AD) is used for interactive user authentication.
| User | Description | Permission set |
|---|---|---|
| IFS Admin user | Used to administrate IFS Cloud using IFS Solution Manager, especially right after installation when no other user accounts have yet been created. This is the first user to log in to IFS Cloud in a fresh installation. | FND_ADMIN |
| &APPOWNER | Appowner account. This user has access to almost everything in IFS Cloud. It is highly recommended to deactivate this user from the Solution Manager Users page. | |
| Application Monitoring user | Used by the IFS Monitoring tool (e.g. the AMM container) to test application login periodically. This user is granted only the permissions needed to log in. DO NOT update permissions, availability or password! | FND_WEBRUNTIME, FND_WEBENDUSER_MAIN, FND_WEBENDUSER_B2B |
| IFS Support User | User for support. Granted all projections with read-only access. | |
| IFSSYNC | Used by the Data Synchronization functions. This user is used to configure the required environment setups and also to route data among sites. | FND_SYNC |
The following accounts are used for integration purposes, mainly as service accounts for authentication through the Client Credentials flow. These users are not allowed to log in to the IFS Cloud Web client directly and are not synchronized through an external user registry.
| User | Description | Permission set |
|---|---|---|
| IFSPRINT | Used by the IFS Report Formatter. | FND_PRINTSERVER |
| IFSPRINTAGENT | Used by the IFS Print Agent. | |
| IFSSSRSORINT | Used by the IFS SSRSOR Integration. | |
| IFSBRES | BR Execution Server. | |
| IFSCONNECT | Used by IFS Connect. | FND_CONNECT |
| IFS_IOT_GATEWAY | Used by the IFS IOT Gateway Controller. | FND_MONITORING |
| IFSMOBILITY | Used by the Mobile App Synchronization Service to connect to the database. | FND_AURENA_NATIVE_SYSTEM |
| IFSSCHEDULING | Used by the IFS PSO Integration framework to send and receive scheduling data with IFS PSO (Planning and Scheduling Optimization). | FNDSCH_WEBSERVICE |
| IFSREM | Used by the IFS Remote Assistance Service. | FND_REM_ASST_SERVICE |
| SYNC_MASTER | Used in Exchange sync (CRM). | |
| DEMANDSERVER | Used by the Demand Server Application. | |
| IFSMIG | Used by IFS Smart Data Manager. | |
Special Oracle Users in IFS Cloud
There are some "users" which are not mapped to IFS Users but exist only for technical purposes. These users all have some elevated privileges and should be considered security critical.
| User | Oracle user | Description | Privileges |
|---|---|---|---|
| Application owner | Any name, but often called <IFSAPP> | Provides views, tables and package methods for IFS Applications. | Database schema owner. Grants on SYS views and system privilege grants. |
| IFS System User | IFSSYS | The IFS Middleware Server always connects to the database as user IFSSYS. | SELECT on all views, EXECUTE on all methods, SELECT/UPDATE/INSERT on tables with LOB columns. |
| IFSINFO Owner | Any name, but often called <IFSINFO> | Owner of the schema that contains specific integration views used by the IFS Tabular Models framework. | SELECT on all views. |
| Oracle System user | SYS and SYSTEM | The system accounts for the database; they own or are granted most Oracle internal tables. Some installation steps must be run as SYS. | Has privileges to perform anything in the database. |
| IFS IAM System User | IFSIAMSYS | Used for configuring Identity and Access Manager (IAM). | Used to configure IFS IAM. |
| IFS Print User | IFSPRINT | Used for the Print Server. | |
| IFS Monitoring | IFSMONITORING | Used by the IFS System Monitoring functions (AMM container). | CREATE SESSION privilege, and access to the FND_MONITOR_ENTRY_API package to fetch DB values. |
| IFS Read only user | IFSDBREADONLY | User with read-only access. | |
| IFS Demand Server User | DEMANDSERVER | Used for the Demand Server Application. | SELECT on all views. EXECUTE on all packages. INSERT/UPDATE/DELETE privileges on Demand Forecast and IPR specific tables. |
| IFS CAMSYS User | IFSCAMSYS | Owner of the Camunda schema in the database. Used by Workflow. | |
| Maintenix User | MAINTENIX | Owner of the Maintenix schema when the Maintenix and IFS Applications schemas are co-deployed to the same database server. This service user executes business logic and must correspond to the maintenix.username value provided during installation of the Maintenix database schema. If you created the Maintenix database schema with a different maintenix.username value than 'maintenix', you must create a corresponding service user in IFS Applications. | |
| IFS Smart Data Manager User | IFSMIG | Used by IFS Smart Data Manager to create DB links for the purpose of data migration in IFS Cloud. | SELECT on all views. SELECT/INSERT/UPDATE on all tables. EXECUTE on all packages. |
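The table above doubles as an audit checklist. As an added example that is not part of the IFS documentation, the following Oracle SQL*Plus script inventories the technical accounts named in it against the data dictionary; it assumes a session that can read the DBA_* views, Oracle 12c or later (for LAST_LOGIN), and uses IFSAPP as a placeholder for the site-specific application owner schema name.

```sql
-- Added audit example, not from the IFS documentation. Run from a session that can
-- read the DBA_* data-dictionary views (Oracle 12c or later for LAST_LOGIN).
-- Replace the placeholder with the site-specific application owner schema name,
-- which the page refers to as <IFSAPP>.
DEFINE appowner = 'IFSAPP'

-- 1. One row per technical account named on this page: existence, lock/expiry status,
--    profile, last login, granted roles, and how many "... ANY ..." system privileges
--    it holds. A missing account, an unexpectedly OPEN one, or an ANY privilege on an
--    account the table describes as read-only or single-purpose deserves a follow-up.
WITH accounts AS (
  SELECT column_value AS username
    FROM TABLE(sys.odcivarchar2list(
           '&appowner', 'IFSSYS', 'IFSIAMSYS', 'IFSPRINT', 'IFSMONITORING',
           'IFSDBREADONLY', 'DEMANDSERVER', 'IFSCAMSYS', 'MAINTENIX', 'IFSMIG'))
)
SELECT a.username,
       NVL(u.account_status, 'DOES NOT EXIST') AS account_status,
       u.profile,
       u.last_login,
       (SELECT LISTAGG(r.granted_role, ', ') WITHIN GROUP (ORDER BY r.granted_role)
          FROM dba_role_privs r
         WHERE r.grantee = a.username) AS roles,
       (SELECT COUNT(*)
          FROM dba_sys_privs s
         WHERE s.grantee = a.username
           AND s.privilege LIKE '% ANY %') AS any_privs
  FROM accounts a
  LEFT JOIN dba_users u ON u.username = a.username
 ORDER BY a.username;

-- 2. Direct object grants each account holds on the application owner schema, summarised
--    by privilege. Compare with the Privileges column of the table: IFSDBREADONLY should
--    show nothing but SELECT, and DELETE should appear only where the table lists it.
--    Grants received through a role are listed under the role name in DBA_TAB_PRIVS, so
--    run the same query for the roles reported by query 1 to get the complete picture.
SELECT grantee, privilege, COUNT(*) AS objects
  FROM dba_tab_privs
 WHERE owner = '&appowner'
   AND grantee IN ('IFSSYS', 'IFSIAMSYS', 'IFSPRINT', 'IFSMONITORING', 'IFSDBREADONLY',
                   'DEMANDSERVER', 'IFSCAMSYS', 'MAINTENIX', 'IFSMIG')
 GROUP BY grantee, privilege
 ORDER BY grantee, privilege;
```

Keep the output from a known-good baseline and diff it after upgrades or patch deliveries, since those are the moments when grants to these accounts change.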
Special Users for IFS Cloud Mobile
For some mobile apps there are some "users" which are not mapped to actual end users (as in humans). These users have no elevated privileges and are used to collect data that is to be synchronized to the mobile users of the mobile apps. These users should not be set active or used for any purpose other than the one they are intended for, so that they do not become a security risk.
| User | Name | Description |
|---|---|---|
| Grouped Push User for IFS Cloud Mobile | IFS<APP_NAME> | Used by the Grouped Push functionality in mobile apps to collect data that will be sent to the mobile users. |

A Grouped Push User will be created for each mobile app deployed into the environment that has at least one entity defined in Synchronization Rules with Grouped Push as the Delivery Method. For these entities the Grouped Push User must have access to all business roles that are used to filter the data to the mobile users. These business roles could be access to all Companies and/or Sites that will be used by the mobile users running the mobile app.