
Users

A quick introduction to the IFS Cloud user concept for system administrators and installation technicians. IFS Cloud users are divided into 3 categories: System User, Service User and End User. Most business logic authorization rules are mapped to the IFS End User.

These users are synchronized with IFS Identity and Access Manager.

There are also a few other Oracle users that are of great importance to IFS Cloud.

End Users

To be able to log on to IFS Cloud you need to be an IFS End User. IFS Cloud has its own User Registry in the database where all users need to be registered. These users can be synchronized from external user registries using IFS SCIM.

IFS System Users

IFS Cloud comes with a few pre-defined accounts that are granted pre-defined permission sets. These accounts are created during installation.

These users must not be mapped to external user registries even if an external user registry (for example Azure AD) is used for interactive user authentication.

| User | Purpose | Permission Set |
|---|---|---|
| IFS Admin user | Used to administer IFS Cloud using IFS Solution Manager, especially right after installation when no other user accounts have yet been created. This is the first user to log in to IFS Cloud in a fresh installation. | FND_ADMIN |
| &APPOWNER | Appowner account. This user has access to almost everything in IFS Cloud. It is highly recommended to deactivate this user from the Solution Manager Users page. | |
| Application Monitoring user | Used by the IFS Monitoring tool (e.g. AMM container) to test application login periodically. This user is granted only the permissions to log in. DO NOT update permissions, availability and password! | FND_WEBRUNTIME, FND_WEBENDUSER_MAIN, FND_WEBENDUSER_B2B |
| IFS Support User | User for support. Granted all projections with read only access. | |
| IFSSYNC | Used by the Data Synchronization functions. This user is used to configure the required environment setups and also to route data among sites. | FND_SYNC |

Service Users

Used for integration purposes, mainly as Service Accounts for authentication through the Client Credential flow. These users are not allowed to log in to IFS Cloud Web directly and are not synchronized through an external user registry.

| User | Purpose | Permission Set |
|---|---|---|
| IFSPRINT | Used by the IFS Report Formatter. | FND_PRINTSERVER |
| IFSPRINTAGENT | Used by the IFS Print Agent | |
| IFSSSRSORINT | Used by the IFS SSRSOR Integration | |
| IFSBRES | BR Execution Server | |
| IFSCONNECT | Used by IFS Connect | FND_CONNECT |
| IFS_IOT_GATEWAY | Used by the IFS IOT Gateway Controller. | FND_MONITORING |
| IFSMOBILITY | Used by the IFS Cloud Mobile Synchronization Service to connect to the database. | FND_AURENA_NATIVE_SYSTEM |
| IFSSCHEDULING | Used by the IFS PSO Integration framework to send/receive scheduling data with IFS PSO (Planning and Scheduling Optimization) | FNDSCH_WEBSERVICE |
| IFSREM | Used by the IFS Remote Assistance Service | FND_REM_ASST_SERVICE |
| SYNC_MASTER | Used in exchange sync (CRM) | |
| DEMANDSERVER | Used by Demand Server Application | |
| IFSMIG | Used by IFS Smart Data Manager | |
| IFSBOOMI | Used by Boomi IFS Rest Partner connector to communicate with IFS Cloud | |

Special Oracle Users in IFS Cloud

There are some "users" which are not mapped to IFS Users but exist only for technical purposes. These users all have some elevated privileges and should be considered security critical.

| User | Name | Purpose | Special privileges |
|---|---|---|---|
| Application owner (Appowner) | Any name, but often called <IFSAPP> | Provides views, tables, packages methods for IFS Applications. Database schema owner. | Grants on SYS views and system privileges grants. |
| IFS System User | IFSSYS | IFS Middleware Server always connects to the database as user IFSSYS. | SELECT on all views; EXECUTE on all methods; SELECT, UPDATE, INSERT on tables with LOB columns |
| IFSINFO Owner | Any name, but often called <IFSINFO> | Owner of schema that contains specific integration views used by IFS Tabular Models framework. | SELECT on all views |
| Oracle System user | SYS and SYSTEM | The System accounts for the database, owns or is granted most Oracle internal tables. Some installation steps must be run as SYS. | Has privileges to perform anything in the database |
| IFS IAM System User | IFSIAMSYS | Used for configuring Identity and Access Manager (IAM). Used to configure IFS IAM. | |
| IFS Print User | IFSPRINT | Used for Print Server | |
| IFS Monitoring | IFSMONITORING | Used by the IFS System Monitoring functions (AMM container). | Create session privileges, and access to the FND_MONITOR_ENTRY_API package to fetch DB values. |
| IFS Read only user | IFSDBREADONLY | User with read only access | |
| IFS Demand Server User | DEMANDSERVER | Used for Demand Server Application | SELECT on all views. EXECUTE on all packages. INSERT/UPDATE/DELETE privileges for Demand Forecast and IPR specific tables. |
| IFS CAMSYS User | IFSCAMSYS | Owner of the Camunda schema in the database. Used by Workflow. | |
| Maintenix User | MAINTENIX | Owner of the Maintenix schema when the Maintenix and IFSapps schemas are co-deployed to the same database server. This service user executes business logic and must correspond to the maintenix.username value provided during installation of the Maintenix database schema. If you created the Maintenix database schema with a different maintenix.username value than 'maintenix', then you must create a corresponding service user in IFS applications. | |
| IFS Smart Data Manager User | IFSMIG | Used in IFS Smart Data Manager to create DB links for the purpose of data migration in IFS Cloud. | SELECT on all views; SELECT/INSERT/UPDATE on all tables; EXECUTE on all packages. |
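
Because these accounts are security critical, it is worth comparing what the database has actually granted them with what the table above documents. The queries below are an added example, not part of the IFS documentation or product: they use Oracle's standard DBA_* dictionary views and the account names from the table, and must be run by a DBA. They assume that "access to the FND_MONITOR_ENTRY_API package" means an EXECUTE grant. Rows returned by queries 2 to 4 are items to review, not necessarily violations.

```sql
-- Added example: audit of the technical Oracle accounts listed in the table.
-- Account names come from the table; your installation may not have all of them.

-- 1. Lock status, profile and last login of each account.
SELECT username, account_status, profile, last_login
FROM   dba_users
WHERE  username IN ('IFSSYS', 'IFSIAMSYS', 'IFSPRINT', 'IFSMONITORING',
                    'IFSDBREADONLY', 'DEMANDSERVER', 'IFSCAMSYS',
                    'MAINTENIX', 'IFSMIG')
ORDER  BY username;

-- 2. IFSMONITORING is documented with session creation only:
--    list any other system privilege granted to it directly.
SELECT grantee, privilege, admin_option
FROM   dba_sys_privs
WHERE  grantee = 'IFSMONITORING'
AND    privilege <> 'CREATE SESSION';

-- 3. IFSMONITORING object grants other than EXECUTE on the documented
--    package (EXECUTE is an assumption about what "access" means).
SELECT grantee, owner, table_name, privilege
FROM   dba_tab_privs
WHERE  grantee = 'IFSMONITORING'
AND    NOT (table_name = 'FND_MONITOR_ENTRY_API' AND privilege = 'EXECUTE');

-- 4. IFSDBREADONLY is documented as read only: list every direct object
--    grant that is not SELECT or READ.
SELECT grantee, owner, table_name, privilege
FROM   dba_tab_privs
WHERE  grantee = 'IFSDBREADONLY'
AND    privilege NOT IN ('SELECT', 'READ');

-- 5. Roles held by these accounts. Queries 2 to 4 only see direct grants,
--    so privileges arriving through a role have to be reviewed from here.
SELECT grantee, granted_role, admin_option, default_role
FROM   dba_role_privs
WHERE  grantee IN ('IFSSYS', 'IFSIAMSYS', 'IFSPRINT', 'IFSMONITORING',
                   'IFSDBREADONLY', 'DEMANDSERVER', 'IFSCAMSYS',
                   'MAINTENIX', 'IFSMIG')
ORDER  BY grantee, granted_role;
```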

Special Users for IFS Cloud Mobile Apps

For some mobile apps there are some "users" which are not mapped to actual end users (as in humans). These users have no elevated privileges and are used to collect data that is to be synchronized to the mobile users for the mobile apps. These users should not be set active or used for any purpose other than the one for which they are intended, so that they are not considered a security risk.

| User | Name | Purpose |
|---|---|---|
| Grouped Push User for mobile app | IFS<APP_NAME> | Used by the Grouped Push functionality in mobile apps to collect data that will be sent to the mobile users. |

A Grouped Push User will be created for each mobile app that is deployed into the environment that has at least one entity defined in Synchronization Rules with Grouped Push as the Delivery Method. For these entities the Grouped Push User must have access to all business roles that are used to filter the data to the mobile users. These business roles could be access to all Companies and/or Sites that will be used by the mobile users running the mobile app.